
Hospital security is the discipline of protecting patients, staff, visitors, infants, controlled substances, and protected health information across a 24/7 clinical environment where care can never stop. In Phoenix, a mature program aligns with IAHSS Healthcare Security Industry Guidelines, The Joint Commission’s Environment of Care standards, CMS Conditions of Participation, and OSHA workplace-violence expectations, delivered through trained, licensed officers, a written security management plan, and continuous risk assessment.
Healthcare is not corporate security with scrubs. A hospital is simultaneously a public building that cannot lock its front doors, a pharmacy holding Schedule II narcotics, a nursery, a psychiatric holding area, a morgue, and often the single most volatile emergency department in its ZIP code. The people who protect it must move fluidly between calming a grieving family, managing a combative patient in restraints, running a weapons-response drill, and documenting a chain of custody that will survive cross-examination. Below, Honeybadger Solutions lays out how elite hospital security programs actually run in Phoenix, where mediocre ones fail, and the criteria a security director, general counsel, or chief nursing officer should use to evaluate any provider — including us.
What standards actually govern hospital security in Arizona?
Four bodies of guidance shape every credible hospital security program, and none of them operate in isolation. Treating any one as the whole picture is the first sign of an immature program.
The International Association for Healthcare Security & Safety (IAHSS) publishes the Healthcare Security Industry Guidelines and design guidelines that function as the sector’s professional consensus — covering staffing models, security-sensitive areas (emergency, behavioral health, maternity, pharmacy, forensic care), officer training, and use of force in a care setting. IAHSS guidance is qualitative and risk-based rather than a checklist, which is precisely why it demands experienced interpretation.
The Joint Commission’s Environment of Care (EC) standards and the Emergency Management chapter require accredited hospitals to identify security risks, protect vulnerable populations (notably newborns and pediatric patients), control access to sensitive areas, and demonstrate that the program is monitored and improved over time. Surveyors do not want to see a binder; they want to see a living process with data, drills, and corrective action.
CMS Conditions of Participation tie patient rights, safe restraint and seclusion practice, and a safe environment directly to Medicare reimbursement — meaning a security failure can become a survey deficiency with financial and licensure consequences. OSHA’s guidance on preventing workplace violence in healthcare establishes the expectation of a written prevention program, hazard assessment, worker training, and incident tracking; under the General Duty Clause, employers must furnish a workplace free of recognized hazards, and violence against healthcare workers is a recognized hazard.
The through-line: these authorities expect a documented, assessed, trained, and continuously improved program — not a guard at a desk. That is the bar Honeybadger’s healthcare and hospital security practice is built to clear.
How is a security management plan and hazard/vulnerability assessment built?
The Security Management Plan (SMP) is the governing document The Joint Commission and CMS expect to see, and the Hazard Vulnerability Analysis (HVA) is the evidence base beneath it. A strong SMP names accountable ownership, defines security-sensitive areas, sets response protocols for each emergency code, specifies officer qualifications and training, and describes how performance is measured. The HVA ranks threats — workplace violence, infant abduction, active assailant, elopement, civil disturbance, controlled-substance diversion, environmental events — by probability and impact so resources follow real risk rather than anecdote.
The most common failure we see in Phoenix facilities is a plan written once for accreditation and never touched again, disconnected from the actual incident data the department already collects. A world-class assessment reconciles three data streams: reported security incidents, clinical event reports (assaults on staff frequently hide inside patient-safety systems), and physical walk-throughs of every shift — because a lobby that is controlled at 2 p.m. is wide open at 2 a.m. Honeybadger’s security consulting team builds the SMP and HVA as connected, revisable instruments, then maps each finding to a specific, staffed control. See our deeper treatment in building a Joint Commission-ready security management plan.
How do you prevent and respond to workplace violence in the ED and clinical areas?
Emergency departments concentrate the sector’s violence risk: intoxicated and psychiatric presentations, long waits, grief, gang activity, and the fact that the ED never closes and rarely turns anyone away. OSHA frames workplace-violence prevention as a management system, not an incident response, and elite programs treat it the same way — engineering controls, administrative controls, training, and measurement working together.
Engineering controls include controlled ED entry, weapons-detection strategy, ballistic protection at triage and registration, duress alarms tied to a monitored response, sightlines that eliminate blind corners, and safe-room design in high-risk consultation areas. Administrative controls cover visitor management, behavioral-flagging of patients with a documented violence history, and clear post orders. But the differentiator is officer capability: verbal de-escalation and crisis-intervention training that resolves the overwhelming majority of encounters without physical contact, combined with lawful, care-appropriate use of force and defensible documentation when contact is unavoidable. A guard who escalates a psychiatric patient is a liability; an officer who talks a crisis down protects the patient, the nurse, and the hospital’s license.
Response must be measured. Honeybadger tracks time-to-response on duress activations, assault rates against staff, and de-escalation-to-force ratios, and feeds them back into post orders and training — the continuous-improvement loop surveyors look for. Our full approach is detailed in healthcare workplace violence and code silver response.

What is a code silver response and how is it trained?
Code silver is the widely used hospital emergency code for an active shooter, armed intruder, or a person with a weapon or hostage situation. Unlike a corporate active-assailant plan, a hospital cannot simply run-hide-fight: patients on ventilators cannot flee, an OR cannot pause mid-procedure, and a locked-down NICU still needs staff inside. Code silver planning therefore blends standard avoid/deny/defend principles with clinical reality — predetermined shelter points, defend-in-place protocols for non-ambulatory units, and coordinated hand-off to Phoenix Police and fire.
Training is where programs separate. A memo is not training. Effective code silver readiness requires scenario-based drills across every shift, tabletop exercises with clinical and executive leadership, clear differentiation between a contained weapon situation and an active-shooter event, and rehearsed integration with law enforcement so responding officers are not confused about who the armed person in a uniform is. Weapons-detection posture, lockdown mechanics for each unit, and reunification procedures all need to be exercised, debriefed, and revised. Honeybadger designs and runs these drills and after-action reviews as part of the emergency-management program, coordinating with local first responders rather than working around them.
How do you prevent infant and pediatric abduction (code pink)?
Infant abduction is statistically rare but catastrophic, and both The Joint Commission and IAHSS specifically expect controls in maternity and pediatric units. Code pink (infant) and code adam / code purple (child) protocols exist because the response window is measured in minutes and depends on immediate, whole-facility coordination.
A mature maternity security program layers multiple controls so no single failure is decisive: infant electronic tagging with alarmed exits and elevator lockdown, controlled and monitored access to the unit, staff identification standards so parents know who may handle their newborn, footprinting and matched-banding of mother and infant, education for parents on never releasing the baby to unbadged individuals, and CCTV covering all egress. When an alarm sounds, officers execute immediate exit coverage while the unit performs a controlled headcount — roles that must be drilled, because the first real code pink is the worst time to learn them. Honeybadger integrates these controls and rehearses the response with clinical staff; see preventing infant abduction in maternity units.
How do you handle behavioral health, elopement, and forensic patients?
These three populations generate a disproportionate share of security workload and legal exposure, and each demands a distinct, care-first posture.
Behavioral health requires officers trained in crisis intervention who can support clinical staff during involuntary holds and restraint events without becoming the source of escalation, and who understand that CMS ties restraint and seclusion practice directly to patient rights. Patient elopement — a vulnerable or committed patient leaving without authorization — is both a safety and liability event; prevention combines behavioral flagging, controlled egress, wander-management technology, and rehearsed search protocols. Forensic and custody patients (prisoners receiving care under law-enforcement guard) require clear coordination on custody, weapons control in clinical space, visitor restrictions, and documented handoffs between corrections officers and hospital security. Getting the jurisdictional lines wrong here creates both a security gap and a chain-of-custody problem. Honeybadger’s officers are trained for all three; our elopement methodology is expanded in patient elopement prevention in behavioral health.
How does physical security protect PHI and controlled substances?
Security is not only about people — it is about the two most-targeted hospital assets: protected health information and controlled substances. HIPAA’s physical safeguards obligate hospitals to control physical access to systems and records, and a security program that ignores server rooms, medical records, workstations, and printed PHI leaves a compliant-looking front door with an open back one. Officers enforce access control to data-bearing areas, respond to tailgating and unbadged access, and support the privacy program with a physical layer. Honeybadger addresses this directly in physical security for protected health information.
Drug diversion — theft of controlled substances by staff — is one of the most under-addressed threats in American hospitals, endangering patients through undertreated pain and contaminated supplies while creating DEA and licensure exposure. Physical security supports the pharmacy’s controls with access management, surveillance of dispensing and disposal areas, and investigative capability when discrepancies surface. Honeybadger’s investigations team supports diversion inquiries with proper documentation and interview practice; the monitoring architecture is covered in drug diversion monitoring in hospitals.
What separates a reactive program from an enterprise one?
| Dimension | Reactive / understaffed program | Enterprise healthcare-security program |
|---|---|---|
| Governance | Static SMP written for the last survey | Living SMP driven by a current HVA and incident data |
| Officers | Post-standing guards, minimal healthcare training | Licensed officers trained in de-escalation, CPI, restraint support, and codes |
| Workplace violence | Incident report filed after the fact | OSHA-style prevention system with tracked leading indicators |
| Code readiness | Policy on paper, no drills | Multi-shift drills, tabletops, and after-action improvement |
| Vulnerable populations | Alarm hardware, no rehearsed response | Layered controls plus drilled code pink and elopement response |
| Measurement | None, or raw counts | Response times, assault trends, de-escalation ratios, corrective action |
| Documentation | Inconsistent, not defensible | Court-ready reporting and chain of custody |
How do you build or upgrade a hospital security program?
Honeybadger uses a structured, standards-aligned sequence to stand up or elevate a program:
- Assess. Conduct a full HVA and physical security assessment across all shifts, reconciling security, clinical-event, and access data against IAHSS, Joint Commission EC, CMS, and OSHA expectations.
- Design the plan. Author or rebuild the Security Management Plan with named ownership, security-sensitive-area controls, and code protocols.
- Right-size staffing. Model officer coverage to real risk and volume — ED, behavioral health, maternity, main entrances, and after-hours — not a flat headcount.
- Train to the environment. Equip officers with de-escalation, crisis intervention, restraint support, forensic-patient handling, and code-specific roles.
- Harden the physical layer. Align access control, duress alarms, CCTV, infant tagging, and weapons-detection posture with the assessed risks.
- Drill and exercise. Run code silver, code pink, elopement, and workplace-violence scenarios across shifts with after-action reviews.
- Measure and improve. Track defined metrics, report to the EC committee, and revise the plan on a continuous cycle.
What drives the cost of hospital security?
Cost is driven far more by risk profile and capability than by headcount. The primary drivers: total coverage hours and the number of security-sensitive posts (an ED and a psychiatric unit demand continuous presence); officer qualification level (crisis-intervention-trained, healthcare-experienced officers cost more than commodity guards and are worth it in reduced liability); supervision ratio and management overhead; technology integration and monitoring; training and drill cadence; and documentation and reporting rigor. The false economy is buying the cheapest guard hour and absorbing the cost later in an assault claim, a survey deficiency, a diversion loss, or an abduction. A properly designed program spends deliberately where risk concentrates and lightens where it does not — which is exactly what the HVA is for.
How does Honeybadger staff Phoenix hospitals?
Within Arizona, Honeybadger hospital security is delivered by our own in-house, Arizona DPS-licensed, directly supervised officers — not subcontracted labor. For Phoenix facilities that means the officers on your floors are recruited, licensed, trained, and managed by Honeybadger, accountable to Honeybadger supervision and to your Environment of Care leadership. That direct-employment model is what makes consistent healthcare training, defensible documentation, and genuine continuous improvement possible; you cannot hold a rotating pool of subcontractors to an enterprise standard. Our Phoenix operations support hospitals, behavioral-health facilities, and outpatient campuses across the Valley, part of our statewide Arizona coverage. For multi-state health systems, we coordinate nationwide through a commanded network of vetted partners (CA, TX, FL and beyond) under Honeybadger direction, while the Arizona core remains our own licensed personnel. Explore the full security services practice or start with a confidential consultation.
Frequently asked questions
Are Honeybadger’s Phoenix hospital security officers your own employees?
Yes. In Arizona, our hospital security officers are Honeybadger’s own in-house, Arizona DPS-licensed, and directly supervised personnel — not subcontracted guards. That direct-employment model is what lets us guarantee consistent healthcare-specific training, defensible documentation, and accountable supervision on your units.
Which standards do you build hospital security programs around?
We align to the IAHSS Healthcare Security Industry Guidelines, The Joint Commission’s Environment of Care and Emergency Management standards, CMS Conditions of Participation, and OSHA workplace-violence-prevention guidance — integrated into a single living Security Management Plan driven by a current Hazard Vulnerability Analysis, not a static binder.
Can you support behavioral-health, ED, and forensic-patient security?
Yes. Our officers are trained in de-escalation and crisis intervention for behavioral-health and emergency-department settings, restraint support consistent with CMS patient-rights requirements, elopement prevention, and coordination with law enforcement for forensic and custody patients — including weapons control in clinical space and documented custody handoffs.
Do you handle infant-abduction and active-intruder (code pink and code silver) readiness?
We design the layered controls and, critically, drill the response across shifts. For code pink we integrate infant tagging, egress coverage, and controlled headcounts with maternity staff; for code silver we build defend-in-place protocols for non-ambulatory units and rehearse integration with Phoenix first responders, followed by after-action review.
About Honeybadger Solutions
Honeybadger Solutions is an Arizona-licensed security and investigations firm serving healthcare organizations across Phoenix and statewide, nationwide, and internationally. Within Arizona, hospital security officers are our own AZ DPS-licensed, supervised in-house guards — recruited, trained, and managed directly by Honeybadger, never subcontracted. For multi-state health systems we coordinate a commanded network of vetted partners under Honeybadger direction while the Arizona core remains our own personnel.
Offices: Casa Grande (HQ), Phoenix, and Oro Valley, Arizona.
Phone: 602-725-2818
Confidential consultation: Contact us to schedule a discreet hospital security assessment with our healthcare practice leadership.