According to Health Care Risk Management standards outlined by ASHRM and the American Hospital Association Certification Center, the risk management department should establish formal policies addressing core operational responsibilities. Coordination of responses to subpoenas is a critical function involving legal compliance, protection of privileged information, and collaboration with counsel. Departmental accountability for occurrence reporting is essential to ensure proper event identification, investigation, and trending. Additionally, defining the risk management reporting process to the governing body supports board oversight and enterprise risk management responsibilities.
Responses to freedom of information requests, however, are generally governed by legal, compliance, or public information offices, particularly in public institutions subject to open records laws. While risk management may provide input if records involve claims or adverse events, primary responsibility for handling such requests typically resides outside the risk management department.
Health Care Operations objectives emphasize clearly defined departmental scope, structured reporting relationships, and alignment with governance responsibilities. Therefore, while subpoena coordination, occurrence reporting, and board reporting are appropriate policy areas for risk management, responses to freedom of information requests fall outside its primary policy development scope.
