Skip to main content
Adverse events Getty Images 838949746

How to Investigate an Adverse Event

January 1, 2026

By Gregory Freeman

How you investigate adverse events can determine how valuable your efforts are in the end. Paying attention to best practices for these investigations can increase your chances of finding useful information that leads to meaningful change. Investigations should not be driven only by the fear of a malpractice claim, says Tim McGibboney, JD, senior attorney with the Clark Hill law firm in Houston.

“Potential malpractice is rarely the fire itself for risk managers; rather, it’s the smoke from a much deeper blaze in a healthcare business’s broader enterprise risk, including licensure, accreditation, reimbursement, regulatory exposure, and culture,” he says. “Treating the potential malpractice claim as only an isolated issue will cause many to miss the bigger danger. Having an appropriate compliance policy and plan in place — including a compliance officer, if feasible — is paramount to reducing exposure to and limiting occurrences of potential malpractice.”

The first priorities after an adverse event are simple and non-negotiable and should be documented in your compliance plan, McGibboney says. You stabilize and protect people, as applicable: The patient must receive appropriate care and staff and other patients must be kept safe, especially where violence or environmental hazards are involved, he says. At the same time, you preserve the record and the scene.

Importantly, this means locking down the chart or medical record and preserving medication records, monitor strips, device logs, security footage, and electronic audit trails to the extent feasible. Altering or “fixing” the chart after the fact, whether by undated late entries, deletions, or other suspicious changes, almost always proves more harmful than the original clinical error, because it undermines credibility, he says.

“Once stabilized, clinical leadership, risk management, and compliance should be notified according to compliance policy, and, for serious events, legal counsel and the malpractice carrier should be involved early to help structure the investigation and, where available, maintain privilege,” he says. “If a facility improvises at this stage, it usually pays for it later, in a regulator’s report or in front of a jury.”

A defensible investigation has to be prompt, structured, and system-focused, which means considering these components in compliance policy planning, McGibboney says. One of the most important disciplines is to separate clinical documentation from risk and quality analysis, he says. The medical record should contain a factual, timely account of what happened and what was done for the patient, written without speculation about fault.

“This is equally true for in defending against billing audits by commercial or governmental insurers. It is critical to follow billing guidelines of such insurers as they help to frame exactly what minimum standards in documentation are, not only for billing, but also in managing the medical record itself and establishing the policies on documentation,” McGibboney says. “Such policies will be critical in the ensuing investigation of any potential malpractice.”

The organization should be following a defined adverse event policy in its post-occurrence investigation, not improvising one after the fact, he says. That policy should describe how events are classified, who leads the investigation, what the timelines are for initial fact-gathering and follow-up, and how internal reporting to compliance, privacy, security, and human resources (HR) will occur. When the worst happens, a facility should be executing a plan it already knows, not writing a new one from scratch, he says.

The investigative work itself should involve understanding how the organization failed, not finding the cause or fault, McGibboney says. This requires scrutiny of whether policies were clear, current, and followed; whether staff were truly trained and competent on the processes and equipment involved; whether staffing, handoffs, and supervision were adequate; whether the electronic health record, devices, or communication systems contributed to the failure; and whether the culture allowed staff to escalate concerns before the event occurred or punished them for doing so, he says.

“A good analysis produces specific corrective actions, with responsible owners and deadlines. These steps help to identify other areas where adverse events can be reasonably expected to recur, including regulatory, accreditation, or even licensure,” McGibboney says. “For example, were the healthcare providers involved adequately trained, licensed, supervised, staffed, or experienced? Many healthcare regulatory compliance issues are raised in these areas that can impact your facility or provider license, which in turn can impact your ability to operate under your license and, more importantly, bill and receive reimbursement for your services.”

Many unprepared organizations treat an adverse event purely as a malpractice problem and ignore the downstream risks to licensure, Conditions of Participation, payer relationships, Emergency Medical Treatment & Labor Act (EMTALA) compliance, and privacy and security obligations, he says. They delay involving compliance and legal, missing the opportunity to structure privilege, design a coherent reporting strategy, and control communications, he says.

“They fail to examine whether the event points to broader structural weaknesses such as chronic understaffing, unlicensed practice, scope-of-practice violations, credentialing or privileging gaps, or financial arrangements that create incentives for unsafe behavior,” he says. “And they allow inconsistent messaging to families, staff, regulators, and insurers, which later reads as concealment even when the intent was benign.”

Early in the process, compliance officers and risk managers should work with compliance and legal to map regulatory and reporting obligations that arise from the event. A serious incident may trigger mandatory or discretionary reporting under state incident-reporting laws, health department rules, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation, accrediting body standards for sentinel events, licensing board requirements for the professionals involved, Occupational Health and Safety Administration (OSHA) or workplace safety rules if staff are injured or threatened, and law enforcement involvement where violence, abuse, or criminal behavior is suspected, McGibboney says.

“If information systems or data were implicated, HIPAA and cybersecurity rules may also come into play. The organization needs a deliberate decision on what must be reported, to whom, on what timeline, and with what supporting documentation. Late, incomplete, or inconsistent reporting can be as damaging as the underlying event,” he says. “The investigation should then be closed with documented action and oversight. Corrective measures should be recorded, their implementation monitored, and the organization’s course adjusted where those measures fail, including amending or adding to the organization’s compliance plan.”

One area of particular concern lately in adverse event investigation is the undisciplined use of email and text messages, McGibboney says. When staff vent about “how bad this looks,” admit fault in casual language, or accuse one another over unprotected channels, they generate discoverable material that is difficult to explain away, he says.

“Siloed investigations, where quality, HR, security, compliance, and operations all run separate inquiries without coordination, lead to inconsistent accounts and conclusions that will be exploited later,” he says. “And any retaliation or perceived retaliation against those who report concerns invites employment claims, regulatory attention, and the slow destruction of a safety culture.”

These choices matter when the investigation is later scrutinized in a malpractice case or regulatory proceeding, he says. What helps the defense is straightforward, he says. Defense counsel want to see prompt, factual, complete charting made contemporaneously with the event; evidence that the organization maintains a standing; a functional quality and safety program; a documented and structured investigation with clear findings and defined corrective actions; proof that the organization disciplines or retrains when appropriate while protecting those who report concerns; and visible alignment between written policies and the realities of clinical practice and governance.

“What hurts is equally predictable,” he says. “Gaps, inconsistencies, or obvious tailoring in documentation after the fact; informal communications that suggest blame-shifting, minimization, or intentional concealment; failures to report when required, or reporting that occurs only after a regulator, family, or the press has uncovered the event; and leadership communications that treat the incident as a nuisance instead of a serious patient-safety and compliance issue.”

In the end, the best risk-management response to an adverse event is disciplined work that is mapped out prior to the event through written compliance planning and policies that can be followed, McGibboney says.

“Stabilize those involved, preserve the record, investigate in a structured way that focusing on the enterprise as a whole, report as required, and remediate with seriousness. Organizations that build that muscle before the crisis are far more likely to withstand the litigation and regulatory scrutiny that follow. These are general observations, not legal advice; any specific event should be reviewed with counsel familiar with the relevant jurisdiction and regulatory landscape.

Trauma, emotion, and system breakdowns can collide during adverse events, says Nick Bach, PsyD, a psychologist in Louisville, KY.

To ensure that the scene is protected and that others are not placed at risk, the security of the scene should be the first action to be carried out and the preservation of evidence in its natural context, he says.

Information should only be documented as direct observations made by the person who observed, heard, or did something, and without speculation as to what caused it, Bach says.

“Healthcare workers are under emotional strain so an interview early in the process could lead to inconsistent statements or details being overlooked,” he says. “Time should be allowed for a cooling-off period, and then private, scripted interviews must be carried out in a respectful manner, ensuring that punitive actions don’t result.”

Changes to medical records should not be made, he says. If clarification is necessary, it must be written with a backtrack and timestamp and not by altering the original record.

One other big mistake is not dealing with communication failures among the healthcare team members, and this is the guts of this event.

“In medical cases, well-kept records kept punctually and in the same way across all levels of staff will stand up far better than any last minute reconstructions or legal advice,” Bach says. “Over apologizing or making an off-the-record admission, even with good intent, can be deeply harmful.”

Greg Freeman has worked with Clinican.com and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Clinician.com products. In addition to his work with Clinician.com, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.

Sources