Honeybadger Solutions LLC

Hospital Security Management Plan & Joint Commission

Hospital security management plan concept showing layered protection around emergency, pharmacy, nursery, and behavioral health zones in navy and gold

A hospital Security Management Plan is the written framework required under The Joint Commission’s Environment of Care standard EC.02.01.01, describing how the organization identifies and controls security risks across the facility. A compliant plan defines sensitive areas, assigns security roles and staffing, addresses workplace violence, sets response procedures and drills, and is formally evaluated each year for scope, objectives, performance, and effectiveness — not a binder written once and shelved.

Surveyors do not fail a hospital for owning a security policy; they fail it for a plan that does not match reality. The emergency department logs assaults that never reach the risk assessment. The infant-abduction procedure names a code that half the night shift cannot recite. The behavioral-health unit was renovated but the ligature-risk review was never updated. The annual evaluation is a signature page with no data behind it. This guide is written for the hospital administrator, chief nursing officer, safety officer, general counsel, and security director who must build and defend a Security Management Plan that survives a Joint Commission survey — and, far more importantly, actually protects patients, staff, and visitors. It covers what the standard requires, how the risk assessment is really done, how elite programs secure the emergency department, pharmacy, nursery, and behavioral-health units, what the current workplace-violence standards demand, and how staffing, drills, and documentation come together into a defensible whole.

What is a hospital Security Management Plan?

A Security Management Plan (SMP) is one of the written management plans that make up The Joint Commission’s Environment of Care (EC) chapter — alongside safety, hazardous materials and waste, fire safety, medical equipment, utility systems, and emergency management. The security plan is the document in which a hospital states, in a way it can prove, how it protects people and property, controls access to spaces that require it, manages the movement of patients and visitors, and responds when a security event occurs. It is both a compliance instrument and an operational blueprint.

The distinction that trips up organizations is that the plan is not the point — the process it describes is. Joint Commission accreditation, and the Centers for Medicare & Medicaid Services Conditions of Participation that sit beneath it, are performance-based. A beautifully written plan describing controls the hospital does not actually run is worse than useless: it is documented evidence that leadership knew what to do and did not do it. A world-class SMP is a living management system with an owner, measurable objectives, data that feeds an annual evaluation, and a clear line from identified risk to funded control.

What does The Joint Commission actually require?

The core security requirements live in the Environment of Care standard EC.02.01.01, supported by orientation and education standards, the leadership chapter, and — since 2022 — a dedicated set of workplace-violence-prevention requirements. Stripped to its essentials, an accredited hospital must be able to demonstrate the following. Confirm exact element-of-performance numbering against the current edition of The Joint Commission manual, as standards are revised.

  1. A written plan for managing security. The hospital identifies its security risks, assigns responsibility, and describes how it will control those risks across the environment of care.
  2. Identification of security-sensitive areas. The organization designates areas that require enhanced protection — typically the emergency department, pharmacy, newborn and pediatric units, behavioral-health areas, cashier and records functions — and implements controls appropriate to each.
  3. Control of access and movement. Procedures govern how patients, staff, visitors, and vendors are identified and how their access to sensitive areas is managed.
  4. A response to security incidents. The plan defines how the hospital responds to and reports security events, including procedures for infant abduction, violent or combative individuals, and other emergencies.
  5. Staff orientation and education. Personnel are trained on their security roles and responsibilities at orientation and on an ongoing basis.
  6. Workplace-violence prevention. A defined program to prevent, respond to, track, and analyze workplace violence, with leadership oversight and staff training.
  7. Monitoring and annual evaluation. The hospital collects performance data, and at least annually evaluates the plan’s scope, objectives, performance, and effectiveness — using the result to improve the program.

The seventh item is where many programs quietly fail. The annual evaluation is not a formality; it is the mechanism by which the plan is supposed to learn. A surveyor who asks “show me how last year’s incident data changed this year’s plan” is testing whether the management system is real.

How do you conduct the security risk assessment?

Every credible SMP begins with a security risk assessment, and a hospital’s assessment must be proactive and data-driven rather than a walkthrough of locks and cameras. The disciplined approach evaluates risk as the interaction of credible threats, exploitable vulnerabilities, and the consequence to patients, staff, and operations — then ranks exposures so finite security dollars go where they reduce the most harm.

A hospital assessment draws on internal incident data (assaults, thefts, elopements, missing-property reports, disruptive-behavior logs), the facility’s own crime experience and that of its immediate surroundings, the patient population it serves, and the physical characteristics of each building and unit. It examines access control and badging, video surveillance and monitoring, alarm and duress systems, lighting and sightlines, the security of infant and pediatric units, the ligature and environmental risks of behavioral-health spaces, parking and campus perimeter, and after-hours and low-staffing conditions. The output is not a punch list; it is a prioritized picture of where the hospital is most exposed and why. Guidance from the International Association for Healthcare Security and Safety (IAHSS) provides healthcare-specific design and operational benchmarks that a mature assessment references. The assessment is repeated at a defined interval and after material change — a renovation, a new service line, a serious incident, or a shift in the surrounding threat environment.

How do you secure the sensitive areas?

The heart of a hospital security program is the differentiated protection of security-sensitive areas. Each carries a distinct threat profile and demands controls matched to it; treating them uniformly is the surest sign of an immature program. The table below summarizes the primary risk and the controls a competent program applies in each.

Sensitive areaPrimary riskCore controls
Emergency departmentAssault, weapons, patient elopement, gang activityControlled entry, weapons screening where warranted, duress alarms, visible officer presence, behavioral de-escalation, secure treatment rooms
PharmacyControlled-substance diversion, theft, robberyRestricted badge access, video, audit trails, dual controls, DEA-aligned handling, diversion monitoring
Newborn / pediatricInfant abduction, patient mismatchElectronic infant-security tagging, matched banding, access control, staff photo ID, abduction (Code Pink) response
Behavioral healthSelf-harm, ligature risk, elopement, assaultLigature-resistant environment, contraband control, line-of-sight design, tamper-resistant fixtures, trained staff
Cashier / recordsRobbery, PHI theft, fraudAccess restriction, cash-handling procedure, records security, surveillance

Two areas deserve special emphasis. The infant-security program in the nursery and postpartum units is the classic Joint Commission focus: electronic tagging, matched identification banding of mother and infant, controlled unit access, staff identification, and a rehearsed abduction response are expected, and the prevention guidance published by the National Center for Missing & Exploited Children (NCMEC) is the reference standard. The behavioral-health environment is now among the most heavily surveyed spaces in any hospital: ligature-resistant design, systematic environmental risk assessment, contraband management, and staff trained in de-escalation are not optional, because the environment itself is a patient-safety control. A program that secures the front door but leaves these interior zones to generic policy will not withstand scrutiny — regulatory or real-world.

Continuous security management cycle linking risk assessment, controls, training, drills, and annual evaluation for hospital Joint Commission compliance in navy and gold

What must the workplace-violence-prevention program include?

Healthcare workers experience workplace violence at rates far above the private-sector average, and since January 2022 The Joint Commission has required a defined workplace-violence-prevention (WPV) program rather than treating violence as an incidental security matter. Federal OSHA guidance for preventing workplace violence in healthcare sets the parallel expectation under the General Duty Clause. A defensible WPV program contains several linked components that the security plan must reflect.

  • Leadership ownership. A designated leader or committee is accountable for the program, with a policy that defines workplace violence broadly — including verbal abuse and threats, not only physical assault.
  • A worksite analysis. An annual, proactive analysis of the environment and of reported incidents identifies where violence is occurring and why, feeding the security risk assessment.
  • Prevention and de-escalation controls. Engineering and administrative controls — duress alarms, controlled access, behavioral-flagging in the record, staffing adjustments — and staff trained in recognition and verbal de-escalation.
  • Reporting without fear. A system that encourages reporting of violent incidents, threats, and near-misses, explicitly protecting staff from reprisal so the true incidence is visible.
  • Post-incident response. Support for affected staff, investigation of the event, and correction of the conditions that allowed it.
  • Follow-up and analysis. Aggregate tracking and trending of incidents that informs the annual evaluation and the next cycle of controls.

The common failure mode is underreporting. When frontline staff believe that reporting a threat is futile or career-limiting, the data understates the problem, the risk assessment misses it, and controls are never funded — until an incident forces the issue. A credible program treats a healthy reporting culture as its central metric.

How should security staffing be structured?

Staffing is where the plan meets the payroll, and Joint Commission does not prescribe a headcount — it expects the hospital to justify its model against its risk assessment. The framework below reflects how a defensible staffing decision is built.

  1. Derive coverage from risk, not habit. Let the risk assessment and incident data dictate where and when officers are posted — the emergency department at night, behavioral-health units, high-traffic entrances — rather than an inherited patrol pattern.
  2. Decide the officer model. Choose deliberately among proprietary (in-house) officers, contracted security, off-duty or contracted law enforcement, or a hybrid, weighing control, cost, training, and use-of-force considerations for a healthcare setting.
  3. Define authority and use of force. Document what officers may and may not do — detention, restraint assistance, weapons policy — and ensure it aligns with law and clinical practice.
  4. Train to the environment. Healthcare security is not retail guarding: officers need de-escalation, behavioral-health awareness, infant-abduction response, HIPAA-aware conduct, and clinical-team integration.
  5. Integrate with clinical staff. The most effective programs treat security as part of the care team, with clear activation procedures so nurses and physicians can summon help instantly.
  6. Measure and adjust. Track response times, incident outcomes, and coverage gaps, and feed them into the annual evaluation to right-size staffing over time.

The point is defensibility: a hospital should be able to explain to a surveyor, an insurer, or a plaintiff’s counsel exactly why its security is staffed the way it is, and to show the data behind the decision.

What drills and exercises does the plan need?

A plan is only as good as the muscle memory behind it, and Joint Commission expects security response to be exercised, not merely written. The essential exercises for most hospitals include infant-abduction (commonly “Code Pink”) drills that test lockdown, search, and staff response; combative-person and active-assailant response, coordinated with local law enforcement; and lockdown and evacuation procedures that intersect with the emergency-management plan. Drills should be scheduled, documented, and — critically — evaluated: what worked, what failed, and what changed as a result. A drill that surfaces no lessons was not a serious drill. The strongest programs debrief honestly, record corrective actions, and re-test them, so that the response capability improves measurably year over year rather than resetting to zero with staff turnover.

How do you document and evaluate the plan?

Documentation is the connective tissue that turns activity into evidence, and in a survey, undocumented work did not happen. A defensible SMP maintains the written plan itself with a named owner and measurable objectives; the current security risk assessment; incident and workplace-violence logs with trending; training and orientation records; drill records with after-action findings; and the annual evaluation of scope, objectives, performance, and effectiveness. That annual evaluation is the keystone: it must draw on real performance data, judge whether the plan achieved its stated objectives, and drive concrete changes for the coming year. When a hospital can lay these documents side by side and show a clean line from a risk identified, to a control implemented, to a metric tracked, to an evaluation that improved the program, it has a management system a surveyor can trust — and, more importantly, one that will perform under pressure. Where a security incident does occur, a rigorous internal investigation and, where needed, digital-forensic support of camera, access-control, and system evidence turns the event into both a corrective lesson and a defensible record.

What separates a world-class hospital security program?

The gap between a compliant plan and a world-class one is the gap between paper and practice. Mediocre programs write to the standard and hope the survey lands on a good day; elite programs build a genuine management system in which the risk assessment reflects real incident data, sensitive areas carry controls matched to their specific threats, workplace violence is tracked openly and acted on, staffing is justified by evidence, drills produce lessons that stick, and the annual evaluation actually changes what happens next year. World-class programs also recognize that hospital security is a convergence discipline: infant tagging is a technology system, diversion is an investigative and forensic matter, workplace violence is a behavioral and legal problem, and a targeted-violence threat against a clinician can require protective intelligence and physical protection. A provider that can move across those domains — rather than selling a single product — is what turns a binder into protection.

How does Honeybadger support hospital security programs?

Honeybadger Solutions supports healthcare organizations in building and defending Security Management Plans that satisfy Joint Commission Environment of Care expectations and, more importantly, protect patients and staff in practice. Our work spans healthcare and hospital security, security consulting and risk assessment, investigations into diversion and workplace incidents, and protective and security services — delivered as one integrated capability rather than a single product. Because digital forensics, cybersecurity, financial investigation, and background intelligence are handled in-house and delivered nationally, we can connect a controlled-substance-diversion case to its forensic evidence, a workplace-violence trend to a protective-intelligence response, and a physical-security gap to a defensible, funded control.

Based in Arizona with offices in Casa Grande, Phoenix, and Oro Valley, we serve hospitals and health systems across all of Arizona, nationwide, and internationally. Where a program requires on-the-ground protective staffing or executive protection for a threatened clinician, that work is executed through our commanded, vetted-partner network, with established theaters in California, Texas, and Florida and other regions served on a mandate basis. The result is a security program a hospital can put in front of a surveyor with confidence — and rely on when a real incident unfolds.

Frequently asked questions

Which Joint Commission standard governs hospital security?

The primary requirement is Environment of Care standard EC.02.01.01, which requires a written plan for managing security risks, including the identification of security-sensitive areas and the control of access. It is supported by staff-education standards, the leadership chapter, and the workplace-violence-prevention requirements effective January 2022. Because element-of-performance numbering is revised periodically, hospitals should verify current citations against the active edition of the Joint Commission manual.

What counts as a security-sensitive area?

Security-sensitive areas are spaces that require protection beyond the general environment because of the risk they carry. In most hospitals these include the emergency department, the pharmacy, newborn and pediatric units, behavioral-health areas, and cashier or medical-records functions. The hospital designates its own list based on its risk assessment and applies controls matched to each area’s specific threat — infant tagging in the nursery, ligature-resistant design in behavioral health, diversion controls in the pharmacy.

How often must the Security Management Plan be evaluated?

At least annually. The Joint Commission requires the hospital to evaluate the plan’s scope, objectives, performance, and effectiveness once a year, using real performance and incident data. The evaluation should not be a signature exercise: it must judge whether the plan met its objectives and drive concrete changes for the next year. Material events — a serious incident, a renovation, a new service line — should also trigger review outside the annual cycle.

Does Joint Commission require a specific number of security officers?

No. The Joint Commission does not mandate a staffing ratio; it requires the hospital to determine and justify its security staffing based on its risk assessment and incident data. A defensible model derives coverage from where and when risk actually concentrates, documents officer authority and use-of-force policy, trains officers to the healthcare environment, and measures response to adjust over time. The hospital must be able to explain why it is staffed as it is.

About Honeybadger Solutions

Honeybadger Solutions is an Arizona-licensed security and investigations firm delivering intelligence-led risk assessment, security consulting, investigations, protection, and cyber services to hospitals, health systems, executives, and organizations nationwide and internationally. Digital forensics, cybersecurity, financial investigations, and background intelligence are handled in-house and delivered globally. Physical and executive protection is delivered through a commanded vetted-partner network with established theaters in California, Texas, and Florida, directed from Arizona home command.

Offices: Casa Grande (HQ), Phoenix, and Oro Valley, Arizona.
Phone: 602-725-2818
Confidential consultation: discuss a hospital Security Management Plan or Environment of Care readiness review with our team.