The compliance conversation about healthcare workplace violence tends to center on the states with the newest laws — California with its 2024 general industry mandate, Ohio with its 2025 hospital security plan requirement, Texas with its 2023 eight-facility-type mandate (post-SB 463). These are the states generating press coverage, client inquiries, and compliance anxiety.
They are not the only states with active requirements. Connecticut has had a healthcare workplace violence prevention law since 2011. Maryland, Minnesota, New Jersey, Maine, and Louisiana have had requirements for years — some going back a decade or more. These laws do not generate headlines. They also do not expire.
Multi-state health systems that have been focused on California, Ohio, and Texas compliance in recent years may have let their programs in these older-mandate states drift. The laws have not changed — or in Connecticut’s case, have been strengthened — but the programs built to comply with them may not have kept pace. This article covers what each law requires and where the most common gaps appear in organizations that have had programs in place for years but have not reviewed them recently.
What These Laws Have in Common
The six states covered in this article share a common legislative DNA. Most of them were enacted between 2008 and 2015, influenced by the same body of OSHA guidance on healthcare workplace violence prevention and the advocacy of healthcare worker unions — particularly the American Federation of Teachers Healthcare division, which has documented the legislative language and requirements of these laws in detail.
The American Federation of Teachers has described the framework these laws share: they require healthcare employers to develop prevention programs in collaboration with frontline workers, mandate risk assessment and data evaluation, and require program review and improvement to reduce the frequency and severity of assaults. That framework — written plan, risk assessment, training, incident documentation, employee involvement, anti-retaliation — appears in every one of these states with varying degrees of specificity.
The variation is in the details: which facility types are covered, how prescriptive the committee requirements are, what incident documentation must capture, and what enforcement mechanism the state uses. Understanding those details is what separates a defensible program from one that technically exists on paper but would not withstand regulatory or legal scrutiny.
Connecticut — Public Act 11-175 (2011), Updated 2024
Connecticut was among the first states in the country to enact a comprehensive healthcare workplace violence prevention law. Public Act 11-175, which took effect October 1, 2011, covers all healthcare institutions licensed by the Connecticut Department of Public Health with 50 or more full- or part-time employees — including hospitals, nursing homes, behavioral health facilities, substance abuse treatment facilities, and community health centers.
Connecticut’s law is notable for the specificity of its committee requirements. Covered employers must establish and maintain an ongoing workplace safety committee composed of representatives from administration, physician, nursing and other direct patient care staff, and security personnel. At least 50% of committee members must be non-management employees. The committee must meet at least once per quarter, and minutes and records from its proceedings must be maintained and available.
The committee’s primary deliverable is an annual written workplace violence prevention and response plan, which must be developed collaboratively and updated each January. The plan must address procedures for recognizing and responding to workplace violence, patient care assignment adjustments following an incident of intentional abuse or threat (excluding behavior that is a manifestation of the patient’s condition), and access to a second employee when a staff member has been threatened or abused and requests additional support.
Incident documentation requirements are specific: covered employers must maintain records of workplace violence incidents and report them to the Connecticut Department of Public Health annually — now by February 1 of each year under a 2025 update. A separate provision requires reporting any assault or related offense to local law enforcement within 24 hours, with a specific exception for conduct that is a clear and direct manifestation of a patient’s disability.
Public Act 24-19 (2024) added a requirement that certain facilities — hospitals, chronic disease hospitals, nursing homes, behavioral health facilities, and multicare institutions receiving reimbursement under the Connecticut medical assistance program — must adopt workplace violence prevention standards consistent with the Joint Commission’s workplace violence prevention standards. This is a meaningful addition for facilities that might have been meeting the technical requirements of the 2011 law while falling short of Joint Commission expectations.
The most common compliance gap in Connecticut: committee composition drift. Committees that were properly constituted at launch but have experienced member turnover without documentation of replacement often no longer meet the 50% non-management requirement or no longer hold quarterly meetings with documented minutes. For a health system that has been operating a Connecticut program for ten or more years, the gap between how the committee was described in the original plan and how it actually functions today is frequently substantial.
Maryland — Health-General Article § 19-319
Maryland’s healthcare workplace violence prevention requirements are codified in the Health-General Article of the Maryland Code. The law covers hospitals and related healthcare institutions, requiring them to adopt and implement workplace violence prevention programs that include a written plan, risk assessment, training, and incident reporting to the Maryland Department of Health.
Maryland’s law is less prescriptive than Connecticut’s in terms of committee composition and documentation requirements, but the core program obligations — written site-specific plan, hazard assessment, employee training, and incident recordkeeping — are substantive requirements that cannot be satisfied by a document that was created at the time of initial compliance and has not been reviewed since.
The most common gap in Maryland: plan currency. Maryland hospitals that established programs in the years following the law’s enactment often have plans that accurately describe their facilities and threat environments as they existed at the time of initial development. The hazard assessment section in particular tends to become stale as facilities expand, renovate, add new service lines, or change patient population profiles. A plan built for a 200-bed community hospital looks different from the correct plan for the same institution after it has added a behavioral health unit and an expanded emergency department.
Minnesota — Minn. Stat. § 144.566
Minnesota’s workplace violence prevention requirements for healthcare employers are codified at Minnesota Statutes Section 144.566. The law requires covered healthcare employers to implement violence prevention programs that include mandatory risk assessments, employee training, and written prevention policies.
The Minnesota statute is notable for its requirement that prevention programs be developed with employee involvement — a requirement shared with Connecticut and other states in the original group of comprehensive healthcare mandates. The intent is to ensure that the workers closest to the risk environment — bedside nurses, emergency department staff, behavioral health workers — have meaningful input into the program that is supposed to protect them.
In practice, employee involvement in plan development is the requirement most frequently satisfied nominally rather than substantively. A meeting at which staff were informed of the completed plan is not employee involvement in developing the plan. A process in which a hazard assessment subgroup drawn from clinical staff identified the specific risks in their work areas and informed the plan design is.
New Jersey — N.J. Stat. Ann. § 34:5A-1 et seq.
New Jersey’s Public Employees Occupational Safety and Health Act and associated regulations require healthcare facilities to develop, implement, and maintain workplace violence prevention programs. The law covers a broad range of healthcare settings and requires written plans, hazard assessments, training, incident recordkeeping, and annual program reviews.
New Jersey’s law also covers social service organizations alongside healthcare employers — a coverage breadth that is consistent with the federal OSHA framework for this industry sector and that means some organizations outside the traditional hospital and nursing facility categories may be covered under New Jersey law when they would not be under comparable state mandates.
The annual review requirement is where many New Jersey programs fall short. A program that was built to compliance at inception and has been renewed by signing off on the same document each year — without a substantive review of whether incident data, hazard conditions, or staffing patterns have changed — has an annual review in name only. Regulators and plaintiffs’ attorneys can distinguish between a pro forma annual renewal and a genuine program evaluation.
Maine — 26 M.R.S.A. § 570-A et seq.
Maine’s workplace violence prevention requirements under Title 26 of the Maine Revised Statutes cover hospitals and healthcare settings with elevated violence risk. The law requires covered employers to establish and maintain workplace violence prevention programs including written plans, training, and incident reporting.
Maine’s law has a notable characteristic documented by the federal OSHA rulemaking record: among the original nine comprehensive state healthcare workplace violence laws, Maine was the only one that did not include an explicit risk assessment requirement. This does not mean Maine healthcare employers are exempt from conducting risk assessments — OSHA’s General Duty Clause and the Joint Commission’s standards both require them — but it means the specific procedural trigger that drives risk assessment documentation in other states is not codified in Maine law in the same way.
For Maine healthcare employers, the practical implication is that the absence of a specific risk assessment mandate in the statute does not create a safe harbor. A facility that experiences a workplace violence incident and cannot produce documentation of a prior hazard assessment faces a negligent security claim on General Duty Clause grounds regardless of what Maine law technically requires. The better practice is to maintain a documented hazard assessment program consistent with OSHA guidelines and Joint Commission standards, independent of what the specific Maine statute requires.
Louisiana — La. R.S. § 40:2199.4 et seq.
Louisiana’s healthcare workplace violence prevention requirements are codified in Title 40 of the Louisiana Revised Statutes. The law requires covered healthcare facilities to implement workplace violence prevention programs meeting applicable requirements, including written plans, training, and incident documentation.
Louisiana’s law is among the less prescriptive of the six covered in this article in terms of specific documentation requirements and committee structures. The practical compliance question for Louisiana healthcare employers is whether their programs reflect the facility’s actual current risk environment or whether they were built to satisfy the statutory minimum and have not been substantively updated since.
Why Older Laws Create Specific Compliance Risks
The compliance risk profile for organizations with long-standing programs under older state mandates is different from the risk profile of organizations that are building programs for the first time. New compliance efforts tend to be thorough — there is organizational attention, there is legal review, there is a defined implementation project. Ongoing maintenance of a program that has existed for years tends to be less rigorous.
The specific risks that emerge in older programs:
- Plan-reality divergence. The plan describes a facility as it existed at initial implementation. The facility has changed — new units, new patient populations, new staffing models, renovated physical spaces — but the plan has not kept pace. The hazard assessment section is the most common location for this divergence.
- Committee membership drift. In states that require formal committees (Connecticut, and similar requirements in other states), the committee was properly constituted at launch but member turnover has not been managed. Meeting frequency has lapsed. Minutes are not being maintained. The committee requirement is being satisfied nominally, not substantively.
- Training documentation gaps. Annual training is required in every state covered in this article. Documentation of that training — dates, attendees, content, comprehension verification — is the evidence of compliance. Organizations where training happens informally, without systematic documentation, cannot demonstrate compliance when asked.
- Incident log decay.Incident recording requirements that were followed carefully at program launch tend to become inconsistent over time. Near-misses and non-injury incidents — which are required to be recorded in most states — are the first to drop out of the log. After several years, the log reflects only the most serious incidents and is no longer an accurate picture of the facility’s violence history.
- Annual review nominalization. The annual review becomes a pro forma sign-off rather than a substantive assessment of whether the program is working. In states like New Jersey where the annual review is an explicit statutory requirement, this is direct non-compliance. In all states, it is a liability exposure — a program that has been nominally reviewed annually but has not actually been updated in response to changes in incidents, hazards, or staffing is difficult to defend in post-incident litigation.
The General Duty Clause Applies Everywhere
An important framing point for compliance officers managing multi-state programs: the state-specific requirements are the floor, not the ceiling. Federal OSHA’s General Duty Clause requires every employer, in every state, to maintain a workplace free from recognized hazards likely to cause death or serious physical harm. Workplace violence is a recognized hazard in healthcare settings. An employer that has identified a violence risk and taken inadequate action is exposed to federal enforcement independent of whether the state-specific statute has been technically satisfied.
This is particularly relevant in Maine, where the absence of a specific risk assessment requirement in the state statute could be interpreted as reducing the documentation obligation. It does not. The General Duty Clause applies. The Joint Commission standards apply. The tort liability framework applies. The state statute defines one layer of compliance obligation; it does not define the complete risk landscape.
Managing Multi-State Programs: Where to Start
For a health system that has compliant — or nominally compliant — programs in Connecticut, Maryland, Minnesota, New Jersey, Maine, and Louisiana, and is now also building programs in response to California SB-553, Ohio HB 452, or Texas SB 240, the right approach is a coordinated program audit — not a state-by-state compliance rebuild.
The audit should ask three questions for each state in the portfolio:
- Does the written plan accurately reflect the current facility — its physical layout, patient population, staffing model, incident history, and specific hazard environment?
- Are the procedural requirements being met in substance — active committee with documented meetings, genuine annual review with evidence of program updates, training with documentation meeting the statutory standard?
- Does the program meet the most demanding standard applicable — meaning is it defensible not just against the state statute but against Joint Commission requirements, OSHA General Duty Clause expectations, and the standard of care in post-incident litigation?
For most multi-state health systems, the answer to at least one of those questions will be “no” in at least one state. The question is not whether gaps exist — it is whether they are found and addressed proactively or discovered in the context of a regulatory action or a lawsuit. For a full picture of the national healthcare mandate landscape, see our national healthcare compliance guide.
Multi-state health system? Let’s audit your full program portfolio.
Kestralis Group conducts multi-state compliance assessments for health systems operating across multiple active mandates — evaluating each state program against the applicable statutory requirements and the General Duty Clause standard, delivered as a written compliance scorecard with a prioritized remediation roadmap across your full portfolio.
Schedule a consultation →Primary Sources
The statutory citations for the laws covered in this article:
- Connecticut: Public Act 11-175 as amended by PA 24-19 (2024)
- Maryland:Health-General Article § 19-319, Maryland Code
- Minnesota: Minn. Stat. § 144.566
- New Jersey:N.J. Stat. Ann. § 34:5A-1 et seq.
- Maine:26 M.R.S.A. § 570-A et seq.
- Louisiana:La. R.S. § 40:2199.4 et seq.
The OSHA Healthcare Workplace Violence page maintains links to state law summaries and federal guidance. The American Federation of Teachers legislative language guidance provides a useful framework for comparing the requirements across these older state mandates.
Older programs need current reviews.
A program that was compliant at launch may not be compliant today. Kestralis Group conducts multi-state program audits for health systems operating across the full national mandate landscape — identifying gaps, prioritizing remediation, and building coordinated programs that hold up under regulatory and legal scrutiny.
Schedule a Consultation →