How hospitals can prepare for CMS’s new patient safety rule

CMS has a talent for dropping “simple” requirements that somehow turn into a cross-department scavenger hunt.
The latest patient safety change is no exception: CMS is moving beyond “report the outcome” and into
“show us the safety backbone you’ve built to prevent harm in the first place.”

If your hospital already has strong Quality Assurance/Performance Improvement (QAPI), a real culture of safety
(not the poster in the hallway), and patients who are treated like partners instead of spectators, you’re ahead.
If notgood news: this is a fixable problem. The even better news: preparing for CMS’s new patient safety
rule can make care safer, reduce costly adverse events, and improve staff morale… all at the same time.
(Yes, sometimes compliance work actually helps. Don’t tell anyone; it’ll ruin our reputation.)

What CMS changed: the “patient safety rule” hospitals are talking about

In the FY 2025 IPPS/LTCH PPS final rule, CMS adopted a new Patient Safety Structural Measure (PSSM)
for hospital quality reportingbeginning with the CY 2025 reporting period and affecting the
FY 2027 payment determination. This measure is designed to assess whether hospitals have the
structures and culture in place to prioritize safety (not just whether bad outcomes happened).

PSSM is attestation-based, organized into five domains, and made up of multiple statements
inside each domain. You attest “yes” or “no” to each statement, then CMS scores your hospital by domain.
Importantly, it’s an “all statements required” approach per domainpartial credit doesn’t count.

Translation: this isn’t about writing a prettier policy. It’s about proving you’ve built a system that reliably
prevents harm, learns from errors, engages patients and families, and makes leadership accountable.

Why a structural measure is a big deal (and why CMS is doing it)

Outcome measures (falls, CLABSI, readmissions, etc.) matter, but they can be slow to change and noisyespecially
for smaller hospitals or specialized services. Structural measures aim to evaluate the “inputs” that create safer
outcomes: leadership behaviors, governance, learning systems, transparency, and patient partnership.

CMS explicitly ties this approach to a systems-based view of safety and best practices in patient safetymeaning
harm is often a system failure, not a “bad apple” clinician problem. In plain English: if your system makes it hard
to do the right thing and easy to do the wrong thing, the system is the bug.

The five domainswhat CMS expects you to be able to truthfully attest to

PSSM is framed around five priority domains thattogetherdescribe a mature, high-reliability patient safety program:

• Leadership commitment to eliminating preventable harm
• Strategic planning and organizational policy
• Culture of safety and a learning health system
• Accountability and transparency
• Patient and family engagement

Each domain contains multiple statements (think “specific practices”). The practical takeaway: your preparation should
look like a structured gap assessment against these domains, with evidence attachedboard minutes, dashboards, training
records, patient engagement artifacts, event review workflows, and improvement documentation.

Step-by-step: a practical preparation plan hospitals can start now

Step 1: Name an executive owner and create a small “PSSM command team”

Pick one accountable executive (Chief Quality Officer, CMO, CNOsomeone who can make decisions and move resources),
then form a lean working group: Quality/Patient Safety, Nursing, Medical Staff leadership, Risk Management,
Infection Prevention, Patient Experience, and IT/Data Reporting.

Don’t create a committee the size of a small town. Create a team that can meet weekly for 8–12 weeks, make decisions,
and build evidence.

Step 2: Do a domain-by-domain gap assessment (and be brutally honest)

Print the measure statements (or load them into a tracker), and for each one ask:

1. Can we honestly attest “Yes” for the measurement period?
2. What evidence proves it?
3. If “No,” what is the smallest reliable change that makes it “Yes” going forward?

Pro tip: “We do this sometimes” is not a yes. A yes is “We do this consistently, the process is defined,
and we can show documentation.”

Step 3: Build an “evidence binder” that doesn’t make surveyors cry

Whether you call it a binder, a SharePoint folder, or “The One Folder to Rule Them All,” your goal is the same:
organize proof so you can respond quickly and consistently. Structure it by the five domains and store:

• Policies and charters (board safety committee, QAPI plan, disclosure policy)
• Minutes showing leadership review (board, MEC, quality council)
• Dashboards (harm events, near misses, action tracking, time-to-review)
• Training records (just culture, event reporting, teamwork training)
• Patient/family engagement artifacts (PFAC minutes, co-design examples)
• Improvement work (RCA/learning reviews, PDSA cycles, sustainment checks)

How to prepare for each domain (with specific, real-world moves)

Domain 1: Leadership commitment to eliminating preventable harm

CMS is looking for visible, measurable leadership commitmentespecially at the governing board level.
Strong preparations include:

• Board-level safety oversight: a standing agenda item on patient harm, with trend review and action follow-up.
• Leadership accountability: safety metrics incorporated into executive performance evaluation (and yes, compensation if applicable).
• Resourcing safety: dedicated time and staffing for infection prevention, patient safety, data reporting, and improvement work.
• Leader standard work: executive safety rounding, participation in event reviews, and “close the loop” expectations.

A concrete example: if falls with injury are rising on a med-surg unit, the board should see the data, approve priority
actions (bed alarms, rounding redesign, PT consult triggers), and request a sustainment check in 60–90 days.

Domain 2: Strategic planning and organizational policy

This is where patient safety stops being a slogan and becomes a strategy. Hospitals should:

• Embed safety into the strategic plan with specific goals (e.g., reduce preventable harm index, improve safety culture scores).
• Standardize high-risk processes (med reconciliation, high-alert meds, surgery/time-outs, handoffs).
• Integrate safety into enterprise risk management so operational risk and patient harm are managed together.
• Align QAPI priorities to high-risk/high-volume/problem-prone areas with measurable outcomes.

If your strategic plan mentions “excellence” but never names the harms you’re targeting, it’s time to get specific.
CMS likes nouns and numbers.

Domain 3: Culture of safety and a learning health system

The difference between a hospital that learns and a hospital that repeats mistakes is usually psychological safety:
staff must believe they can report problems without getting blamed into silence.

• Adopt or strengthen a Just Culture approach (clear distinctions between human error, at-risk behavior, reckless behavior).
• Measure culture using a validated safety culture survey, then act on results at unit level.
• Run regular safety huddles that surface defects early (supply issues, staffing concerns, near misses).
• Use learning reviews that focus on systems improvements, not finger-pointing.
• Invest in teamwork training (handoffs, closed-loop communication, escalation, debriefs).

Specific example: after a near-miss wrong-dose medication event, a learning review identifies two system issues:
look-alike packaging and a confusing MAR display. The fix includes barcode workflow redesign, pharmacy packaging changes,
and a quick-reference guidethen an audit confirms sustained improvement.

Domain 4: Accountability and transparency

CMS expects hospitals to track, analyze, and act on medical errors and adverse eventsplus make accountability real.
This starts with a reporting system people actually use.

• Improve event reporting: easy entry, mobile-friendly if possible, and clear definitions of what to report.
• Speed matters: define timelines for triage, review, RCA/learning review initiation, and action assignment.
• Close the loop: reporters should receive feedback so reporting doesn’t feel like shouting into space.
• Transparency with patients: standardize disclosure processes and document that they occur reliably.
• Visible accountability: unit-level dashboards, action tracking, and escalation when fixes stall.

A practical move: create a “72-hour rule” for serious safety eventstriage and initial review within 72 hours,
with an executive sponsor assigned the same week.

Domain 5: Patient and family engagement

This domain is where many hospitals overestimate performance. Engagement is not “we gave them a brochure.”
It is partnershippatients and families helping design safer care.

• Patient and Family Advisory Council (PFAC) with real influence and documented input.
• Co-design of safety interventions (e.g., discharge education redesign, bedside shift report scripts).
• Include patients in safety work: involve PFAC reps in policy review, signage clarity testing, and improvement teams.
• Support speaking up: scripts and signage that invite patients to ask about meds, hand hygiene, and identity checks.

Example: a hospital reduces discharge-related medication errors by co-designing a “teach-back” workflow with patients,
simplifying the med list language, and adding a pharmacy follow-up call for high-risk meds.

Reporting logistics: don’t let the paperwork be your downfall

CMS requires hospitals to submit PSSM information annually via the CDC’s National Healthcare Safety Network (NHSN).
Build a submission calendar and assign responsibilities nowbecause “we’ll remember in April” is how organizations
end up stress-eating granola bars in conference rooms.

A good operational approach:

• Define the measurement period and confirm which changes count as “Yes” during that time.
• Track evidence monthly, not once a year (a lightweight monthly evidence capture prevents year-end chaos).
• Run a pre-submission review with Quality, Compliance, and leadership sign-off.
• Document your rationale for each attestation (especially for borderline items).

How to align PSSM with existing CMS Conditions of Participation (and avoid duplicate work)

Most hospitals already have CMS-required QAPI obligations that include tracking medical errors and adverse patient events,
analyzing causes, and implementing preventive actions. The smartest preparation is to connect PSSM work to existing QAPI,
infection prevention, and patient experience structures instead of building a parallel universe.

Practical alignment ideas:

• Make PSSM a QAPI priority for the year: one dashboard, one cadence, one action tracking system.
• Standardize definitions of “medical error,” “adverse event,” and “near miss” across departments.
• Use one improvement method (PDSA, DMAIC, Lean) consistently so teams speak the same language.
• Coordinate with accreditation (Joint Commission standards) to reduce duplicate evidence gathering.

Common mistakes hospitals make (so you don’t have to)

• Mistake: Treating PSSM as a one-time attestation task.
  Fix: Treat it as a year-round operating system: evidence capture, monthly review, action tracking.
• Mistake: Overstating “Yes” without consistent implementation.
  Fix: Require objective evidence for each statement; if you can’t prove it, improve it.
• Mistake: Leaving patient engagement to Patient Experience alone.
  Fix: Build patient/family partnership into safety work (co-design, councils, improvement teams).
• Mistake: Event reporting with no feedback loop.
  Fix: Close the loop with reporters; celebrate improvements tied to reporting.
• Mistake: “Culture of safety” that exists only during Safety Week.
  Fix: Measure culture, act on results at unit level, and make leaders visibly accountable.

Real-world experience notes : what preparation looks like when it’s actually happening

Hospitals that prepare well for CMS’s new patient safety expectations tend to follow a recognizable pattern. Not a perfect
patternhealthcare is messybut a repeatable one. Here are composite “experience notes” drawn from common approaches
organizations use when they move from compliance to real safety improvement.

1) The turning point is usually the board. Many hospitals start by delegating PSSM prep to Quality, only to discover
the measure is asking leadership-level questions: governance, accountability, strategic planning, and transparency. The successful
organizations make a clean pivot: they create (or strengthen) a board quality/safety committee, standardize what the board reviews
(harm trends, serious safety events, culture metrics, and progress on action plans), and document it. Once the board starts asking
the same three questions every month“What harm are we seeing? What did we learn? What did we change?”the rest of the system
tends to follow.

2) Event reporting improves when staff believe something will happen. A classic failure mode is a reporting system that
functions like a black hole: staff submit reports, then never hear back. Hospitals that improve quickly create a simple feedback
promise. For example: “You’ll get an acknowledgment within 72 hours, and you’ll see an update when the review is complete.”
Some organizations add a monthly “You Reported, We Improved” roundup: short, non-punitive stories of near misses and fixes.
The tone mattersless “who did it” and more “what allowed it.” That shift alone can increase near-miss reporting, which is often
the earliest sign the culture is becoming safer.

3) The hardest attestations are the ones that expose inconsistency. Many hospitals have pockets of excellence:
an ICU with strong safety huddles, an OR with consistent debriefs, a med-surg unit with reliable bedside shift report. PSSM
forces the uncomfortable question: “Is this true across the organization?” High performers respond by standardizing a few
key practices hospital-wide (daily safety huddles, escalation pathways, learning review templates, leadership rounding).
They keep flexibility for local workflows, but they stop accepting “unit-by-unit improvisation” for high-risk processes.

4) Patient and family engagement becomes real when patients help design safety. Hospitals sometimes list PFAC
membership and call it a day. The organizations that can confidently attest “Yes” bring patients into specific safety projects:
redesigning discharge instructions, simplifying medication lists, improving signage to reduce wayfinding errors, and testing
“speak up” scripts to make them feel inviting rather than awkward. A surprisingly effective move is inviting PFAC members to
review a recent safety event summary (de-identified) and ask, “What would you want explained? What would build trust?”
That exercise strengthens transparency and makes disclosure processes more patient-centered.

5) “Learning health system” sounds fancy until you turn it into a weekly habit. Hospitals that make this real schedule
a brief weekly learning review meeting: one event, one near miss, one process defect, one improvement test. The goal isn’t to do
more meetings; it’s to build repetition and follow-through. They track action items the way they track sepsis bundles: owners,
deadlines, and audits. Over time, the organization develops muscle memory for learningso PSSM becomes a reflection of how the
hospital already operates, not a special project that ends after submission.

Conclusion

CMS’s new patient safety rule is a clear signal: hospitals will be measured not only by outcomes, but by whether they’ve built
the leadership, systems, culture, transparency, and patient partnership that prevent harm. The Patient Safety Structural Measure
rewards hospitals that operationalize safety like a core business functiongoverned by the board, supported by data, strengthened
by learning, and improved with patients at the table.

Start with an honest gap assessment, build a clean evidence structure, and focus your improvements on reliabilitynot just
documentation. If you do it right, CMS reporting becomes the byproduct of safer care (instead of the other way around).