Healthcare Workplace Safety Committee Requirements

For most of the last decade, “workplace safety committee” was a phrase HR departments encountered in two places: the OSHA poster on the breakroom wall, and the org chart of organizations large enough to have a dedicated safety function. It was something other companies did. There was no federal mandate, no enforcement teeth, and no consequence for not having one.

That has changed — quietly, and almost entirely through state-level legislation in healthcare. Connecticut, Ohio, and Texas now require covered healthcare employers to convene formal workplace safety committees with prescribed membership, cadence, and documentation. California’s SB-553 imposes employee-engagement requirements that function as a committee in everything but name. Virginia’s healthcare mandate (HB 2269 / SB 1162) is in effect and was expanded further by HB 1489, signed by Governor Spanberger on April 6, 2026. The general-industry HB 1919 was vetoed in 2025 and has not been resurrected, but the legislative trajectory in Virginia continues to push toward broader coverage. Pennsylvania, Oregon, and Washington have committee-mandate bills moving through their legislatures.

For a healthcare HR or compliance officer trying to read three different state statutes and reconcile them with a multi-state operating footprint, the question is not academic. The committee is the legal vehicle through which the violence prevention plan is built, reviewed, and defended. Get the membership wrong and the entire plan is exposed.

This article explains what a workplace safety committee actually is under each statute, what it has to do, and what good ones look like operationally — separate from the legal minimum.

The federal context: a vacuum, with two soft mandates

There is no federal law requiring a workplace safety committee in any industry. OSHA’s General Duty Clause requires employers to provide a workplace “free from recognized hazards” — a standard that has been used to cite employers after workplace violence incidents, but that does not specify any particular program structure.

What does exist at the federal level are two non-statutory drivers that effectively require committees in healthcare:

The Joint Commission, which accredits roughly 80% of U.S. hospitals, adopted new workplace violence prevention standards in 2022. Standard EM.12.01.01 requires hospitals to establish a worksite analysis process led by an “interdisciplinary team,” conduct annual analyses, and develop a written workplace violence prevention program. The Joint Commission does not call this a committee. In practice, every hospital that has implemented the standard has built one.

CMS Conditions of Participation for hospitals participating in Medicare and Medicaid include patient and worker safety requirements that, while not specifying a committee structure, are increasingly being interpreted to require one. CMS surveyors have begun citing facilities for inadequate workplace violence prevention programs under the existing CoPs.

The combined effect is that even in states with no statutory committee requirement, accredited hospitals already operate something that functions as one. The state laws below sit on top of that floor — and they specify membership, cadence, and authority in ways the federal soft requirements do not.

Connecticut: § 19a-490q

Connecticut was the first state in the country to mandate healthcare workplace safety committees, with Public Act 11-175 in 2011. The law applies to any healthcare institution licensed under § 19a-490 with 50 or more full- or part-time employees — which captures hospitals, nursing homes, behavioral health facilities, residential facilities for individuals with intellectual disability, and community health centers. For the broader picture of Connecticut and the other older state healthcare mandates, see our coverage of Connecticut, Maryland, Minnesota, and the older healthcare mandates.

The committee requirements are precise:

Composition. The committee must include representatives from administration, physicians, nursing and other direct patient care staff, security personnel, and any other staff the employer deems appropriate. At least 50% of the membership must be non-management employees. This 50% threshold is the operative provision. It is what distinguishes a Connecticut workplace safety committee from a management-led safety meeting.

Leadership. The committee selects a chairperson from among its own membership. The statute does not allow this role to be assigned by the employer.

Cadence. Quarterly meetings, at minimum.

Documentation. Meeting minutes and other records must be made available to all employees — not just to management or to those who attend.

Authority. The committee participates in the annual risk assessment and collaborates with the employer on the written workplace violence prevention plan. The employer cannot adopt or revise the plan without committee involvement.

The Connecticut model is the most labor-forward of the three statutes. The 50% non-management requirement and the minutes-to-all-employees requirement are not procedural details — they are structural protections designed to ensure that the committee is something other than a compliance artifact. An attorney advising a Connecticut healthcare employer on committee membership has very little room to maneuver. The numbers are the numbers.

Ohio: HB 452 / § 3727.18

Ohio’s Healthcare Workplace Safety Act, signed by Governor DeWine on January 8, 2025, took effect April 9, 2025 with full implementation required by July 9, 2025. The committee provisions are codified in Ohio Revised Code § 3727.18. For the structured compliance reference, see our Ohio compliance guide and the deeper analysis in our post on what every Ohio hospital must have in place.

The Ohio statute applies to all hospital systems and to hospitals not part of a hospital system. It does not extend to nursing homes, ambulatory surgery centers, or home health agencies — narrower coverage than Connecticut or Texas.

Composition. The Ohio law contains a provision that does not appear in any other state statute: at least one team member must be a current or former patient of the hospital, or a family member of a current or former patient. Separately, at least 50% of the team must be healthcare employees who provide direct patient care.

The patient-or-family-member requirement is novel. It originated in stakeholder testimony from the Ohio Nurses Association, which argued that workplace violence prevention plans developed without patient input tend to over-rotate on security responses and under-rotate on de-escalation, environmental design, and the patient-experience factors that drive incident frequency. In practice, hospitals are satisfying the requirement by inviting members of their existing Patient and Family Advisory Councils — a structure that already exists in most accredited hospitals — to sit on the security planning team.

Authority. The team develops the security plan, participates in the annual review and evaluation, and reviews the data from the workplace violence incident reporting system that hospitals are separately required to maintain.

Risk assessment scope. Unlike Connecticut and Texas, Ohio specifies the scope of the underlying security risk assessment. The assessment must address all high-risk areas — explicitly including emergency departments and psychiatric departments — and must be conducted in consultation with the medical and nursing directors of each high-risk department. The assessment must consider trauma-level designation, patient volume, psychiatric and forensic patient volume, prior incidents, and rates of crime in the surrounding community.

For a hospital that does not currently have a Patient and Family Advisory Council, or that has one in name only, the Ohio statute creates a downstream problem: the security plan cannot be developed until the team is constituted, and the team cannot be constituted without a patient member.

Texas: SB 240 / Chapter 331

Texas Senate Bill 240 was signed by Governor Abbott on May 15, 2023 and was codified as Chapter 331 of the Texas Health and Safety Code. The compliance deadline for covered facilities was September 1, 2024, with HHSC implementing rules through 25 TAC Chapter 133 and parallel chapters for other facility types. For the structured compliance reference, see our Texas compliance guide and the deeper analysis in our post on the broadest healthcare workplace violence mandate in the country.

The Texas statute has the broadest coverage of any state committee mandate. Covered facilities include licensed hospitals, hospitals operated by exempt state agencies, licensed nursing facilities employing two or more registered nurses, licensed ambulatory surgery centers, licensed psychiatric hospitals, freestanding emergency medical care facilities, limited services rural hospitals, and home and community support services agencies employing two or more registered nurses. Senate Bill 463 in 2025 clarified the HCSSA threshold and brought additional facility types under the requirement.

Composition.The committee must include, at minimum, one registered nurse who provides direct patient care at the facility, and one facility employee who provides security services — the latter qualified by “if any and if practicable,” recognizing that smaller facilities may not employ on-site security staff.

The Texas requirement is narrower than Connecticut’s 50% non-management rule. A Texas facility can theoretically constitute a committee with two members — the RN and the security employee — and meet the statutory minimum. In practice, this is not advisable, and HHSC’s implementing rules contemplate broader membership. But the floor is a floor.

Single-system flexibility. A health care system that owns or operates more than one facility may establish a single committee for the system, provided the committee develops violence prevention plans that are distinctly identifiable for each facility. This is meaningful operational relief for multi-hospital systems, and Connecticut and Ohio do not provide it.

Authority and cadence.The committee develops the violence prevention plan, evaluates it annually, and reports the evaluation to the facility’s governing body. The Texas statute is less prescriptive than Connecticut’s about meeting frequency, but the annual evaluation cycle establishes a de facto minimum cadence.

Anti-retaliation. Chapter 331 includes explicit anti-retaliation language: facilities may not discipline, discriminate against, or retaliate against any person who in good faith reports a workplace violence incident or advises a coworker of their right to report.

What the three statutes have in common

Read alongside each other, the three healthcare committee statutes converge on a structural model:

A standing body, constituted from named functional groups, with direct-care representation as a minimum requirement, that collaborates with the employer on the violence prevention plan and reviews it annually. The committee is not advisory. It is a co-author.

The differences matter for compliance, but the underlying logic does not vary. Each statute reflects a legislative judgment that violence prevention plans developed by management without frontline input tend to fail at the point of contact — and that the only durable correction is to put frontline people in the room when the plan is written.

This is the operational frame an HR or compliance officer should hold. Statutory minimums are statutory minimums. The committee’s actual job is to build a plan that works, and the membership rules are the legislature’s attempt to ensure that the people who would have to use the plan in an incident have a voice in how it is built. For a full picture of the national healthcare mandate landscape, see our national healthcare compliance guide.

What good committees actually look like

The statutes set the floor. They do not describe what works. From the practitioner side, several patterns separate the committees that produce defensible, operationally useful plans from the ones that produce binders.

The committee has a charter.A one-page document signed by the CEO or COO that establishes the committee’s authority, scope, decision rights, and reporting line to the governing body. Without a charter, the committee operates by convention, and convention erodes.

Membership is named, not generic.“Nursing representative” is not a member. Jane Doe, RN, ED Charge Nurse, with an alternate named in writing, is a member. Statutory composition rules require named individuals, not roles.

There is a documented cadence and a documented attendance record. Quarterly is the Connecticut floor. Most operating committees meet more often during plan development and risk assessment cycles, then settle into quarterly maintenance once the plan is in steady state. Attendance is tracked. Members who fail to attend without an alternate are replaced.

Minutes are produced within five business days. Connecticut requires that minutes be made available to all employees. Even where the law does not require it, doing so creates a contemporaneous record that is invaluable in any subsequent regulatory or litigation proceeding. Minutes that surface six months later, written from memory, are not minutes.

The committee owns the data.Workplace violence incident reports, near-miss reports, post-incident debriefs, and the annual risk assessment all flow to the committee. The committee’s job is not to vote on whether each incident is significant. Its job is to look at the pattern and feed the pattern back into the plan.

The committee escalates. When the committee identifies a hazard or pattern that requires investment — physical security upgrades, staffing changes, technology procurement — the committee has a documented path to the governing body. The escalation path is in the charter.

The plan is updated. The plan is documented as updated. A workplace violence prevention plan that has not been substantively revised in 24 months is, in regulatory terms, evidence that the committee is not functioning. Cal/OSHA, Connecticut DPH, Ohio Department of Health, and the Texas HHSC have all signaled that they will look at update history as a proxy for committee activity.

Common failure modes

Three patterns account for most of the committees that exist on paper but fail in operation.

The committee that meets once.A facility convenes the committee to develop the initial plan, the plan is filed, and the committee never meets again. Twelve months later, the annual review is performed by the safety director alone, with the committee’s name attached to the document. This is the most common failure mode and the easiest one to identify in an audit. Meeting minutes either exist for each quarter or they do not.

The committee that is all management.The named members include the CMO, the CNO, the security director, the COO, and the chief compliance officer. This may satisfy a statutory minimum on paper — the Texas RN-and-security threshold, for example — but it fails the spirit of every committee statute and is vulnerable to legal challenge under Connecticut’s 50% rule and Ohio’s 50%-direct-care rule. More importantly, it produces plans that read well and execute poorly, because the people who would actually implement the plan are not in the room.

The committee with no authority. The committee meets, identifies issues, makes recommendations, and the recommendations sit. Six months later the same issues are raised again. The committee has become an exhaust valve rather than a decision-making body. This usually traces to the absence of a charter or the absence of a defined escalation path to the governing body.

When you need a committee even where the law does not require one

The committee mandate is currently scoped to healthcare in most states. But the operational case for a workplace safety committee extends well beyond healthcare, and well beyond states with explicit statutes.

Any organization that has experienced a workplace violence incident, near-miss, or credible threat will be asked, in any subsequent litigation or regulatory proceeding, what its violence prevention program looked like at the time. The answer is meaningfully different if the organization can produce charter documents, meeting minutes, risk assessments, and a plan signed by a multi-disciplinary committee — versus a plan signed by an HR director.

Any organization operating in California under SB-553 must “actively involve” employees in plan development. The statute does not use the word committee. The Cal/OSHA enforcement guidance, the Joint Commission standards, and the case law that is now developing under SB-553 are all converging on a committee structure as the cleanest way to demonstrate compliance. For the on-the-ground inspection picture, see our guide to what Cal/OSHA actually looks for in a WVPP inspection.

Any organization with multi-state operations is increasingly likely to find that one of its operating states will require a committee within the next 36 months. Pennsylvania, Oregon, Washington, and several other states have active legislation. Building the committee structure once and operating it consistently is materially less expensive than retrofitting it under regulatory pressure.

The committee is not the goal. The goal is a violence prevention program that holds up — in front of an inspector, in front of a plaintiff’s attorney, and in front of a workforce that has to trust it. The committee is the most reliable mechanism we have, in 2026, for getting there.