FTCA Quarterly Risk Management Assessments: A Crucial Tool for Community Health Centers
Health centers participating in the Federal Tort Claims Act (FTCA) program are required to implement a comprehensive risk management strategy to reduce the likelihood of adverse outcomes that could result in medical malpractice or other health-related litigation. A key component of this strategy is the completion of quarterly risk assessments.
Purpose and Importance
Quarterly risk assessments serve as a structured process to identify potential hazards within a health center's operations, departments, and services. These assessments are crucial for:
Proactively targeting patient safety activities
Prioritizing risk prevention and reduction strategies
Demonstrating compliance with FTCA requirements
Key Elements of Quarterly Risk Assessments
To meet FTCA requirements, health centers should ensure their quarterly risk assessments include the following elements:
Focus on Patient Safety: At least one assessment per quarter should specifically address a clinical or patient safety-related process. These risks should be those that, when addressed, are likely to reduce the risk of medical malpractice lawsuits for the organization. Facility preparedness for an active shooter attack, for example, is a risk that the health center should consider and mitigate. However, it would not be considered a clinical or patient safety risk that could result in a medical malpractice claim. For FTCA quarterly risk assessments, HRSA is concerned about clinical risks.
Comprehensive Analysis: Assessments should provide identification, analysis, and evaluation of potential hazards, as well as prioritize areas needing improvement.
Action Planning: Each assessment should include an action plan with identified steps to mitigate risks and SMART goals for improvement.
Outcome Measurement: The effectiveness of action plans should be evaluated through measured outcomes.
Documentation and Reporting: Progress should be documented in a way that can be shared with the governing board and key stakeholders.
Quarterly Frequency: For FTCA coverage, health centers must have at least one clinically-focused risk assessment every quarter (Jan-Mar, Apr-Jun, Jul-Sep, Oct-Dec). If any quarter is missed, this will be considered non-compliant, and the health center’s FTCA coverage will be at risk.
Form & Function
During the summer of 2025, HRSA provided a sample Quarterly Risk Assessment Documentation Template that can be utilized by health centers. However, it is important to note that in the introduction section of this tool, ECRI writes: “This risk assessment support tool is not a risk assessment. No tool can constitute a complete risk assessment. Risk assessment is a process, and tools are only able to support it. A thorough assessment relies on clinical and professional insight to identify risk and team collaboration to analyze risk and take action to mitigate the risks identified.”
The document goes on to say that “A risk assessment is a systematic process used to identify, analyze, evaluate, and mitigate potential risks inherent in clinical processes that may negatively impact patient health and safety. Risk assessments enable health centers to prioritize areas for improvement and actively engage in implementing actions to mitigate clinical risks and enhance patient outcomes. A risk assessment is a process with several steps:
Identify Topic
Conduct Assessment
Evaluate Results
Implement Change
Reassess/Monitor”
Tools and Documentation
Health centers should include copies of every risk assessment tool and document that was actually used during the assessment. These materials need to give a full picture of the exact steps the health center took throughout the process.
Make sure everything you submit is complete and thoroughly documented. For instance, if you’re using a checklist like the ECRI risk assessment checklist, simply marking "yes" or "no" isn’t enough. You’ll need to add detailed notes explaining how you reached each response, what data or information you looked at, and clearly describe any risks, problems, failures, or weaknesses that came up.
Narrative Explanation
Alongside your assessment tools and supporting documents, it’s important for health centers to submit a thorough narrative. This write-up should directly address the main areas FTCA reviewers look at when checking for compliance:
Scope and Focus: Clearly state what area or problem your assessment is looking at, including which clinical or patient safety issue is being reviewed. Be sure to mention the purpose and what you hope to achieve.
Methodology: Explain how you carried out the risk assessment. This should cover who was involved, what sources of information you used, and how you collected your data.
Identification of Risks: Describe in detail how you found, organized, and ranked the specific risks. Make sure to give a clear and complete list of all the risks, issues, or failures you identified—don’t just speak in general terms.
Risk Analysis: Dive into your data and findings, showing exactly what you discovered. Discuss the seriousness of each risk, possible causes, and any patterns you noticed. Avoid vague comments—be as specific as possible, since FTCA won’t accept generalities.
Risk Evaluation: Lay out which risks are most important, and explain why you ranked them that way. Talk about factors like how urgent each risk is, how practical it is to fix, and any cost concerns.
Recommendations and Actions (Action Plan): Spell out the specific steps or solutions you’re proposing to tackle the risks you found.
Follow-Up and Monitoring Plan (Action Plan): Describe how you’ll keep track of whether your fixes are working, and when you’ll check again to see if further action is needed.
When you include a detailed explanation along with your tools and documents, it helps reviewers quickly see how your health center meets each FTCA risk assessment requirement. Tools and supporting files show what you do, but they don’t always make it obvious that you’ve covered all the required points. That’s why your narrative is so important—it fills in the gaps and makes the review process smoother. Making sure your tools and your explanation both clearly match up with the FTCA rules will make it easier to get approved and show that you’re fully compliant.
“Upstream” Focus
When considering areas of patient safety risk, health center risk managers should focus on “upstream” potential risks, health center risk trends, and near misses. If risks are not caught at these “upstream” levels, they move “downstream” to actual adverse events, resulting in, at best, patient satisfaction concerns and, at worst, patient injury, illness, or death.
Potential Risks
Every health center leader has many “risks” to think about, everything from clinical concerns to financial risks, natural disaster risks, or workplace violence. But from the perspective of FTCA, HRSA wants health centers to focus on clinical risks. These are risks that could lead to medical malpractice or patient safety claims that FTCA would cover.
Potential risks may include areas such as patient privacy, confidentiality, and HIPAA; patient abuse; infection control; poor quality or clinical outcomes; patients not having timely access to care; medication errors; negligence; misdiagnosis; delay in care; or poor clinical competence. These are risks that are possible just by the nature of providing primary healthcare services.
Trends
Risk “trends” are common “buckets” that risks fall into, uniquely for your health center. These risks may be unique to the community you serve, the services you provide, or the types of staff you employ. Maybe your health center is located in a community that has little access to tertiary levels of care, so patients come to you very sick or in crisis and you are often dealing with critically ill patients. Or maybe you serve a refugee population who often present with tropical illnesses that are not endemic to your area, and there is great potential for misdiagnosis. These are “trends” in potential risks that are unique to your health center and the community you serve. Thinking about these big “buckets” of risks helps your team to narrow your focus to the risks most likely to occur in your unique environment.
Near Misses
When an error is made or almost made and caught before reaching the patient, this is what we often call a “near miss”. These types of issues are the absolute most important incidents to capture, document (in the form of an incident report, etc.), and address. “Near misses” are the last step before a patient safety concern actually reaches the patient. Sometimes we refer to a “Swiss cheese approach” to public health. Picture a stack of Swiss cheese slices: every slice has holes in it, so some “risks” will get through the holes of a few slices. But because there are numerous slices and the holes do not line up, most of the “risks” are stopped before making it all the way through the stack. For “near misses,” we want to make sure as many “Swiss cheese slice” barriers as possible are preventing actual risks from reaching the patients we serve.
Adverse Events
When a patient is dissatisfied with their care (at any level), this is what we refer to as an “adverse event”. This can be as mild as a patient being upset with how a receptionist spoke to them, all the way to concern over a poor outcome, a delay in care, or a misdiagnosis. These concerns occur when risks actually impact the patient and are the issues we hope to avoid if at all possible. If a patient is harmed in any way, this indicates that some step in our risk mitigation process fell apart, and therefore, in addition to ensuring the immediate harm is addressed, the health center must also investigate and implement fixes in the “upstream” systems.
The Patient Safety Continuum
Implementation of Best Practices
To effectively implement quarterly risk assessments, health centers should consider the following approaches:
Utilize Various Assessment Tools: Risk assessment tools can include self-assessment questionnaires, Failure Modes and Effect Analysis (FMEA), and safety walkarounds.
Involve Leadership: Engage members of leadership in safety walkarounds to observe processes and gather input from employees about potential risks and concerns.
Create Robust Action Plans: Develop detailed plans that address identified risks and outline specific steps for mitigation.
Monitor Progress: Regularly track and evaluate the status of risk management goals and activities.
Report to the Board: Provide annual reports to the health center board and key management staff on risk management activities and progress.
But what if I missed an assessment?
Though HRSA wants continuous FTCA compliance year-round, things happen. Staff turnover, changes in leadership, or major local events will sometimes distract a health center from its regular compliance schedule, resulting in a missed quarterly risk assessment. Though this is not ideal, it is not uncommon. If you find yourself in this situation, HRSA’s FTCA Deeming Application Step By Step Guide asks health centers to take the following actions:
Identify the Non-Compliance Issue: Specify the exact area of non-compliance and the requirement that was unmet.
Provide an Explanation: Outline the reasons for noncompliance, detailing any events or circumstances that led to this issue.
Describe Corrective Actions: Clearly describe the actions you are taking or have taken to achieve compliance. Note that these actions must be completed within 30 days of your application submission.
Submit Supporting Documentation: Include documentation that demonstrates corrective actions are in progress or have been completed. This could include records, meeting notes, or other evidence of compliance efforts.
We recommend health centers create a document that clearly identifies the area of non-compliance, explains the circumstances that led to the non-compliance, and describes the actions that you are taking to make sure you have systems to prevent the issue from happening again. Finally, make sure you upload any examples of documentation that demonstrate these actions you’ve taken. Once you compile all of this documentation, upload it to the HRSA EHBs FTCA application.
Quarterly risk assessments are a vital component of a health center's risk management program under FTCA. By consistently conducting these assessments, health centers can proactively identify and address potential risks, ultimately improving patient safety and reducing the likelihood of adverse outcomes. Remember, the goal is not just compliance, but creating a culture of continuous improvement and risk awareness throughout the organization.
This author (and RegLantern LLC) is not employed by or speaking on behalf of HRSA or FTCA. None of this article should be considered legal advice. Depending on when you read this article, regulations may change. Always consult the most recent HRSA/FTCA guidance to ensure this information is still up-to-date. For specific HRSA/FTCA questions, please submit them to HRSA/BPHC through the BPHC Contact Form or call 877-464-4772, option 1, 8 a.m. to 5:30 p.m. ET, Monday-Friday (except federal holidays).
UPDATED: August 1, 2025.
RegLantern provides HRSA compliance services (including mock site surveys) and online tools to assist your health center with continual compliance.