In April 2025, the CDC released a press statement titled “Sharp Rise in Dangerous Drug-Resistant Bacteria,” reporting that NDM-producing carbapenem-resistant Enterobacterales infections had surged more than 460 percent in the United States between 2019 and 2023. The same window saw Candida auris clinical cases rise roughly five-fold. For US infection preventionists, that single trajectory reframes the annual infection risk assessment from a binder exercise into a strategic control.
| The Practitioner Cheat Sheet on Infection Risk Assessment |
| An infection risk assessment is a documented IPC process that estimates which patients, procedures, locations, and populations face elevated probability of healthcare-associated infection, then ties each estimate to a specific prevention control. It is the upstream input that decides where surveillance dollars go and which audits run weekly. The IPC committee defends every line of the annual plan from it. |
| On any given day in the United States, roughly one in 31 hospital patients has at least one healthcare-associated infection, per the CDC point prevalence surveillance. The CDC estimates about 687,000 HAIs per year in US acute care hospitals and approximately 75,000 annual deaths, with annual direct costs of $28 to $45 billion. Infection risk assessment is the lever that drives those numbers downward. |
| Joint Commission introduced National Performance Goals effective January 1, 2026, replacing the prior National Patient Safety Goals chapter and elevating infection risk assessment, high-consequence infectious disease preparedness, and hand hygiene as the three core IPC activities US hospitals must demonstrate annually. |
| CMS reduced payments for 724 hospitals under the FY 2025 Hospital-Acquired Condition Reduction Program, with a 1 percent Medicare payment cut for the worst-performing quartile. Four of the six HAC measures are infection-related: CLABSI, CAUTI, colon and abdominal hysterectomy SSI, and MRSA bacteremia. |
| The CDC 2024 NHSN national progress report logged year-over-year reductions of 11 percent in C. difficile infection, 10 percent in CAUTI, 9 percent in CLABSI, 7 percent in MRSA bacteremia, 4 percent in colon SSI, and 2 percent in ventilator-associated events, while abdominal hysterectomy SSI rose 8 percent against the 2015 baseline. |
| Antimicrobial-resistant infections cause more than 2.8 million infections and 35,000 deaths in the United States each year. NDM-producing carbapenem-resistant Enterobacterales infections rose more than 460 percent between 2019 and 2023, and Candida auris clinical cases roughly quintupled from 2019 to 2022, sharpening the focus on emerging-pathogen risk assessment. |
| Joint Commission consolidated its IC standards from 12 standards with 51 elements to 4 standards with 14 elements, effective July 1, 2024, shifting survey focus from documentation review to practical implementation of infection risk assessment, hand hygiene, and IPC program structure. |
Infection risk assessment is the documented IPC process US healthcare facilities use to identify which patients, procedures, settings, and populations face elevated probability of healthcare-associated infection. The output routes those probabilities into specific prevention controls.
The CDC estimates about one in 31 hospital patients has an HAI on any given day, driving roughly 687,000 infections, 75,000 deaths, and a $28 to $45 billion direct cost burden each year. This guide gives US infection preventionists, quality leaders, and risk managers a working definition of infection risk assessment, the regulatory anchors that survive Joint Commission and CMS survey scrutiny, the data inputs that produce a defensible annual plan, and the operational pitfalls that produce citations. The framework maps cleanly to ISO 31000:2018 risk analysis and into an enterprise risk management framework applied to clinical operations.
Figure 1. The US infection risk assessment landscape in numbers that drive board attention.
What an Infection Risk Assessment Actually Is
An infection risk assessment estimates how likely infection events are across the populations and services a facility provides. It identifies the specific drivers behind that probability and ties each driver to a prevention control with an owner attached.
The output is not a paragraph in a binder. It is a ranked, dated, signed risk register that drives the year’s surveillance plan and capital request list.
The Working Definition of Infection Risk Assessment
The IPC team pulls HAI surveillance data, community pathogen pressure, procedural volumes, device utilization ratios, active construction projects, staffing patterns, and population vulnerability. Those inputs feed a scoring tool.
Each scored risk triggers a control tier that sets audit frequency, training intensity, capital priority, and the committee escalation path. A list of generic hazards is not an infection risk assessment.
Why Infection Risk Assessment Is Not a Compliance Checkbox
HAIs are not an inevitable feature of acute care, even though many US clinicians still discuss them that way. A properly executed infection risk assessment identifies the modifiable drivers of an individual facility’s risk profile, which is the only basis for prevention that will move the standardized infection ratio.
Skip the structured assessment and any IPC program collapses into generic precautions that the CDC NHSN progress report will flag with stagnant or rising SIRs the next reporting cycle. From a risk discipline standpoint, infection risk assessment maps directly to the identify-analyze-evaluate-treat sequence at the heart of ISO 31000:2018.
The same logic appears in a guide to risk assessment methodology and across clinical risk management practice. A risk you have not measured against a defensible baseline is one you cannot treat, which is why IPC programs without a structured annual infection risk assessment underperform their peers on NHSN benchmarks.
Why Infection Risk Assessment Matters Across US Healthcare
Patient outcomes, payment penalties, accreditation exposure, and litigation risk all sit downstream of the infection risk assessment. The clinical case is decisive on its own.
A central line-associated bloodstream infection, a colon SSI, or a C. difficile outbreak on a hematology unit each turns an admission into prolonged stay, secondary morbidity, and in many cases a death the family will never accept as inevitable.
The Financial Case for Infection Risk Assessment
CMS treats certain HAIs as preventable Hospital-Acquired Conditions and reduces reimbursement for hospitals in the worst-performing quartile. The CMS Hospital-Acquired Condition Reduction Program cut Medicare payments by 1 percent for 724 hospitals in FY 2025. The infection risk assessment is the upstream control that decides which quartile a facility ends up in, and the CFO has every right to ask the IPC committee to defend that link line by line.
Infection Risk Assessment Under Joint Commission and CMS Scrutiny
The Joint Commission National Performance Goal #5 on infection prevention and control requires accredited hospitals to run an infection risk assessment that annually identifies and prioritizes risks for infection, contamination, and exposure across patients, staff, and the populations served. Joint Commission surveyors look for evidence the assessment was completed, scored, documented, and actually drove the IPC annual plan.
The gap between a written plan and a process that runs is where most citations originate. For risk leaders, infection risk assessment sits at the intersection of clinical risk, regulatory compliance, and financial stewardship.
The same data point that prevents a CLABSI closes a CMS reimbursement gap and a Joint Commission survey finding simultaneously. The pattern echoes how to conduct a risk assessment applied to a clinical IPC context, with NHSN data taking the role that financial loss data takes in operational risk.
Figure 2. HAI distribution by type from the CDC 2023 point prevalence survey, the input every infection risk assessment should anchor on.
Key Components Every Infection Risk Assessment Must Capture
HAIs rarely trace to a single cause. Real infection events combine pathogen pressure with device exposure, procedural complexity, staffing intensity, environmental conditions, and patient vulnerability.
Those variables interact in ways a one-page checklist cannot describe. IPC professionals trained on a real infection risk assessment learn to read the factors together, weighing how they amplify one another. The table below summarizes the components an annual infection risk assessment has to cover to survive a surveyor walk-through.
| Component category | Common inputs | Why it matters in an infection risk assessment |
| Population vulnerability | Patient acuity mix, immunocompromise prevalence, neonatal and oncology census, dialysis-dependent volume | High weight. Vulnerability multiplies the impact of every other risk driver. Drives surveillance prioritization and isolation capacity planning. |
| Pathogen and community pressure | NHSN trend data, local microbiology lab antibiogram, county and state health department alerts, AMR organism prevalence | High weight. Tracks the moving baseline against which the IPC program is measured. C. auris, NDM-CRE, and seasonal respiratory viruses each demand different controls. |
| Procedures and device utilization | Central line days, urinary catheter days, ventilator days, surgical volumes by procedure, endoscopy reprocessing volumes | High weight. Device-day denominators drive every NHSN CLABSI, CAUTI, and VAE calculation, so the infection risk assessment is where utilization stewardship begins. |
| Environmental and construction risk | ICRA matrix for active projects, water management plan status, ventilation maintenance, terminal cleaning audit data | Moderate to high weight. Construction and water exposures produce outbreaks that bypass standard surveillance. ICRA is a named subset of the annual infection risk assessment. |
| Staffing and competency | IPC FTE coverage, hand hygiene compliance audits, fit testing currency, onboarding completion rates | Moderate weight. The most elegant control fails if the staff who execute it are short-handed, undertrained, or operating outside scope. |
| Past performance and prior events | Prior NHSN SIRs, sentinel events, outbreak after-action reviews, complaint data, surveyor findings | High weight. A repeat finding is the strongest signal that a control did not actually take. Every infection risk assessment must close the loop with prior cycles. |
Population Vulnerability in Infection Risk Assessment
Population mix is the multiplier that turns every other risk factor real. A community hospital with a heavy oncology and bone marrow transplant census faces a different infection risk profile than an orthopedic specialty hospital, even if the CLABSI rates look identical on the dashboard. The infection risk assessment captures the share of immunocompromised, neonatal, dialysis-dependent, and long-stay patients, then weighs every other driver against that vulnerability profile.
Pathogen and Community Pressure in Infection Risk Assessment
Pathogen pressure is the moving baseline. The same hospital can run a clean SIR against one organism and lag against another inside a single fiscal year, particularly as drug-resistant pathogens emerge unevenly across regions.
The CDC Antimicrobial Resistance Threats 2021-2022 update documents six hospital-onset AMR infections rising 20 percent combined during the pandemic, with NDM-CRE and C. auris driving the sharpest local spikes.
A serious infection risk assessment pulls the antibiogram and local health department data. Local context shifts the calculus.
A hospital downstream of a long-term acute care facility with endemic carbapenem-resistant organisms inherits a transfer-driven exposure pattern that a standalone facility does not face. Infection risk assessment captures these regional flows by name, with specific referral facilities and transfer volumes documented in the methodology section. The same approach echoes scenario based risk assessment applied to communicable disease, and the CDC Candida auris page tracks the emerging-pathogen flows that drive these regional transfers.
Procedure and Device Utilization in Infection Risk Assessment
Device-day exposure is where the math gets specific. Central line, urinary catheter, and ventilator days are the denominators behind every CLABSI, CAUTI, and VAE rate, and stewardship of those days is the cheapest infection prevention control any IPC program can buy.
The CDC 2024 NHSN progress report credits exactly this kind of denominator stewardship for the year-over-year reductions in CLABSI, CAUTI, and VAE between 2023 and 2024. Surgical volumes and complexity drive the SSI exposure surface.
The 2024 NHSN report flagged an 8 percent increase in abdominal hysterectomy SSI against the 2015 baseline even as colon SSI improved 4 percent, illustrating that an aggregated SSI rate hides procedure-specific risk. Mature infection risk assessment unpacks the SSI bucket by procedure category and routes each subcategory to its own audit cadence. The same logic appears in operational risk management applied to physical-plant and procedural exposures.
Environmental and Construction Risk in Infection Risk Assessment
Environmental drivers are often the easiest to overlook inside a hospital running at high occupancy. Active construction, water system disruptions, ventilation imbalance, and lapses in terminal cleaning each produce outbreaks that bypass standard surveillance.
The Infection Control Risk Assessment (ICRA) is a named subset of the broader annual infection risk assessment, governed by ASHE, FGI Guidelines, and Joint Commission EC standards, and triggered for every renovation that disturbs ceilings, walls, or HVAC. Water management is the under-appreciated cousin of construction risk.
Legionella prevention plans, governed by CMS QSO-17-30 and ASHRAE 188, sit inside the infection risk assessment process and must be reviewed at least annually. A water management plan filed as a maintenance document rather than an IPC document is how Legionella exposures show up during routine plumbing work. The same exposure logic appears across operational risk management framework patterns in adjacent industries.
How a Defensible Infection Risk Assessment Methodology Works
US healthcare organizations do not rely on clinical intuition for infection risk assessment. Standard methodologies from APIC, CDC, and Joint Commission produce repeatable scores that survive both surveyor scrutiny and turnover in the IPC team.
Pick a method and stay with it. Consistent application beats methodology shopping, and an explicit link from the score to the IPC annual plan beats both.
| Methodology | Primary use | Scoring approach | What the method captures |
| APIC Risk Assessment Tool | Acute care, ambulatory, long-term care | Probability x impact x preparedness, 1-3 each | Standardized categories: high-consequence pathogens, device-associated risks, procedural risks, environmental risks, staff risks |
| CDC Core IPC Practices | All inpatient and outpatient settings | Gap analysis against named core practices | Hand hygiene, PPE, injection safety, environmental cleaning, sterilization, reprocessing, surveillance, training |
| Joint Commission IC Assessment Tool | Joint Commission-accredited organizations | Practice-level implementation evidence | IC program structure, IPC risk assessment, high-consequence disease readiness, hand hygiene compliance |
| ICRA Matrix (ASHE / AIA) | Construction and renovation projects | Patient risk group x construction activity matrix, Class I-IV | Project-specific controls: barriers, ventilation, traffic, cleaning, monitoring frequency |
| Greenberg risk assessment | Long-term care facilities | Resident vulnerability x exposure score | Resident acuity, device utilization, antibiotic stewardship, transmission-based precaution capacity |
Figure 3. CDC 2024 NHSN national progress report SIR changes by HAI type, the headline output that infection risk assessment programs are measured against.
APIC Tools in the Infection Risk Assessment Toolkit
The Association for Professionals in Infection Control and Epidemiology (APIC) publishes the most widely used standardized infection risk assessment tools in US practice. APIC’s templates score probability, impact, and preparedness on a one to three scale, producing a numeric risk score for each named risk category. The output drives committee prioritization, annual goal selection, and budget defense for the IPC program.
Joint Commission Infection Risk Assessment Expectations in 2026
Joint Commission’s National Performance Goals effective January 2026 name three critical IPC activities the survey will probe: infection risk assessment, preparedness for high-consequence infectious diseases, and hand hygiene compliance against CDC or WHO guidelines. The IC chapter consolidation from 12 standards with 51 elements to 4 standards with 14 elements, live since July 1, 2024, signals that surveyors now expect demonstrated implementation, not documentation depth.
Choosing the Right Infection Risk Assessment Methodology for the Setting
Setting drives methodology choice. Acute care hospitals anchor on APIC plus the Joint Commission IC Assessment Tool, with ICRA matrices triggered for every renovation.
Ambulatory surgery centers use the APIC outpatient template plus CMS infection control survey worksheet. Long-term care facilities lean on the Greenberg tool plus CMS QAPI requirements.
Dialysis centers use the CMS conditions for coverage IC worksheet. Standardize on one toolset by setting, version-control the templates, and reject local variants.
Building an Annual Infection Risk Assessment Plan That Survives Survey
Assessment without an annual plan is paperwork. The value of an infection risk assessment lives in the intervention sequence and the surveillance commitments it triggers.
The scored risk register has to become a dated plan with owners attached, signed off by the IPC committee and endorsed by the medical executive committee. CDC infection control core practices supply the prevention content; the annual plan turns that content into a calendar.
Figure 4. Emerging drug-resistant threats whose growth rates the annual infection risk assessment now has to weight explicitly.
Surveillance Targets Inside the Annual Infection Risk Assessment
Surveillance targets are the most visible output of the annual infection risk assessment. The plan should publish the HAI categories under continuous surveillance, the device-day denominators tracked, the SIR benchmark for each category, and the thresholds that trigger escalation to the IPC committee. That list flows directly from the prior year’s risk scores and prior NHSN performance, not from a generic template carried forward without edits.
High-Consequence Pathogen Readiness in the Annual Plan
High-consequence infectious disease readiness is now a Joint Commission performance goal in its own right and earns dedicated space in the annual infection risk assessment. Plan elements include isolation room counts and capacity, PPE par levels with burn-rate scenarios, fit-testing currency by unit, donning and doffing drill cadence, lab specimen-handling protocols, and coordination paths to state health department and CDC. Pulling forward the 2020 COVID-era language without an actual review will get the section cited.
Hand Hygiene and Core Practice Audits in the Annual Plan
Hand hygiene has been on the Joint Commission goal list since 2004 and rose to a National Performance Goal in 2025. The annual infection risk assessment has to document the audit methodology, the target compliance rate, the sampling cadence, unit-level reporting, and the remediation pathway when units underperform.
CDC or WHO guideline adherence is the explicit reference. Quarterly audits at low sample size produce clean-looking dashboards that change nothing on the floor.
Multidisciplinary Roles in the Infection Risk Assessment Workflow
Infection prevention does not belong to any single discipline. The most effective US programs coordinate a team where each member contributes specific expertise to a shared infection risk assessment and a shared annual plan. Without that coordination, a high-quality assessment can sit unused because no one owns the intervention sequence the scores trigger.
| Role | Infection risk assessment contribution | Output that drives the annual plan |
| Infection preventionist (IP) | Owns the methodology, scoring, documentation, and committee presentation | Risk register, surveillance plan, audit schedule, committee minutes |
| Healthcare epidemiologist | Provides clinical interpretation of HAI surveillance and outbreak signals | SIR analysis, outbreak after-action, antibiogram review, policy direction |
| Hospital pharmacist | Leads antimicrobial stewardship inputs to the infection risk assessment | Antibiotic days of therapy, restriction policy, AMR trend integration |
| Environmental services lead | Documents terminal cleaning compliance and ATP audit data | Cleaning audit results, training currency, supply standardization |
| Facilities and engineering | Owns ICRA execution, water management plan, ventilation maintenance | ICRA closure rates, Legionella testing logs, HVAC maintenance evidence |
| Quality and risk management | Integrates infection risk assessment into enterprise risk register and committee structure | Board reporting, sentinel event linkage, regulatory tracking |
Patient and Family Engagement in Infection Risk Assessment
Patient and family engagement is no longer optional in any high-performing US IPC program. Patients who understand hand hygiene expectations, isolation precautions, and why an invasive device should come out today participate at meaningfully higher rates than patients given generic discharge instructions. The annual infection risk assessment lists the patient-facing materials, signage, and bedside coaching protocols expected on each unit, and tracks their refresh cadence by quarter.
The Three Lines Model Applied to Infection Risk Assessment
For risk managers overseeing IPC programs, the multidisciplinary structure maps onto the three lines of defense model. Unit-based clinical staff and the IPC team form the first line, owning the assessment and the bedside controls.
Quality, risk management, and the IPC committee form the second line, providing oversight, data analysis, and policy guidance. Internal audit and external surveyors form the third line, evaluating program effectiveness and compliance against named standards.
How Often an Infection Risk Assessment Should Be Conducted
Reassessment frequency should reflect the instability of the underlying risk profile, not administrative convenience. Two hospitals with identical baseline scores can move in opposite directions inside a single quarter if pathogen pressure, construction activity, or census mix shifts. US guidance from Joint Commission, CMS, and CDC converges on the same operating rule: complete the formal infection risk assessment annually, refresh between cycles whenever a trigger event occurs, and document every refresh.
Annual Cadence for Infection Risk Assessment in Acute Care
Joint Commission and CMS expectations require an annual infection risk assessment for accredited hospitals and CMS-certified facilities, with refreshes triggered by significant census shifts, construction activity, outbreak events, and new high-consequence pathogen exposures. Many programs add a mid-year formal review, treating the calendar as a unit-level control rather than a documentation step. Annual sign-off by the IPC committee and the medical executive committee converts the assessment into governance.
Trigger-Based Infection Risk Assessment Refreshes
Trigger events demand off-cycle infection risk assessment refreshes regardless of annual cadence. Trigger categories include construction or renovation starts, outbreaks of any reportable pathogen, sustained NHSN SIR worsening, a sentinel event tied to an HAI, a new service line opening, water system disruption, regulatory survey findings, and emerging-pathogen alerts from state or federal health departments. These triggers sit inside the how often should risk assessments be conducted rhythm IPC committees already manage.
Financial and Regulatory Stakes of Infection Risk Assessment
For US healthcare executives and clinical risk managers, the financial case for disciplined infection risk assessment is direct. CMS’s non-payment policy for preventable HAIs means those care costs are uncompensated, and Hospital Compare and Care Compare publish the metrics publicly. Poor performance shapes reputation, performance-based payment contracts, and value-based care arrangements simultaneously.
CMS Hospital-Acquired Conditions and Infection Risk Assessment
CMS’s Hospital-Acquired Conditions list treats certain HAIs as preventable and refuses incremental reimbursement. The categorization carries through to the Hospital-Acquired Condition Reduction Program, which reduced payments for 724 hospitals in FY 2025 by 1 percent each.
Four of the six HAC measures are infection-related: CLABSI, CAUTI, SSI for colon and abdominal hysterectomy, and MRSA bacteremia. Infection risk assessment is the upstream control that determines which quartile the facility ends up in.
Joint Commission Survey Expectations on Infection Risk Assessment
Joint Commission surveyors look for evidence that the infection risk assessment was performed, scored, documented, and acted upon. The most common finding in IPC citations is a policy-practice gap.
Track completion rates and audit results monthly, route every gap through the IPC committee, and treat each one as a process failure rather than a documentation failure. The same pattern shows up across the risk management lifecycle in adjacent industries, with AHRQ patient safety guidance reinforcing the audit-data link.
Common Infection Risk Assessment Questions Practitioners Ask
Six questions surface in every US IPC program review of infection risk assessment design. The answers below reflect CDC, APIC, Joint Commission, CMS, and ISO 31000:2018 guidance current to May 2026, plus the operational patterns of US hospitals, ambulatory surgery centers, and long-term care facilities running mature programs. The WHO infection prevention and control program supplies the international anchor where domestic guidance leaves gaps.
What is the simplest definition of infection risk assessment?
An infection risk assessment is the IPC process that estimates how likely infection events are across a facility’s populations and services, identifies the drivers behind that probability, and ties each driver to a prevention control with an owner attached. CDC, APIC, and Joint Commission settle on a version of this same definition. Skip the quantified assessment and infection prevention collapses into generic precautions that consistently underperform peer programs on NHSN benchmark data.
Which infection risk assessment methodology is best for US hospitals?
APIC’s standardized infection risk assessment tool dominates US hospital practice and lines up cleanly with the Joint Commission IC Assessment Tool surveyors now use. The APIC method scores probability, impact, and preparedness on a one-to-three scale and produces a numeric risk score the committee can defend line by line. Pick one method, version-control the template, train every IPC team member on it, and reject local variants between units.
How often should an infection risk assessment be repeated?
Complete the formal infection risk assessment annually in every US accredited hospital, ambulatory surgery center, and long-term care facility. Refresh between cycles whenever a trigger event fires: construction or renovation starts, an outbreak of any reportable pathogen, a sustained NHSN SIR worsening, a sentinel event tied to HAI, a new service line, water disruption, or an emerging-pathogen alert. Document every refresh, sign every refresh, and route every refresh through the IPC committee.
Does CMS require a formal infection risk assessment?
Yes. CMS Conditions of Participation require every certified hospital and critical access hospital to operate an IPC program with surveillance, prevention, and control activities that annually identify and prioritize risks for infection, contamination, and exposure. CMS QSO memos and updated reporting requirements for COVID-19, influenza, and RSV reinforce that the infection risk assessment must reflect actual operations and current data, not a recycled prior-year document.
How does infection risk assessment differ from a quality risk assessment?
A quality risk assessment covers broad clinical and operational risk across the facility. An infection risk assessment narrows the lens to the specific drivers of HAI probability: population vulnerability, pathogen pressure, device utilization, procedural complexity, environmental conditions, and staff competency. The two assessments overlap but the infection instrument is engineered to predict and prevent a single class of outcomes, which is why generic enterprise risk scoring cannot substitute for it.
What US standards govern infection risk assessment?
Five reference points structure US infection risk assessment practice: Joint Commission Infection Control standards and National Performance Goal #5; CMS Conditions of Participation and the Hospital-Acquired Condition Reduction Program; CDC NHSN reporting and core IPC practices; APIC’s risk assessment templates and competency model; and ISO 31000:2018 for the broader risk framework. Working programs reference all five and document the crosswalk in the methodology section of the annual IPC plan.
Where Programs Stall on Infection Risk Assessment
Six failure patterns recur across US programs trying to stand up or refresh an infection risk assessment. Each one has a recognizable footprint and a fix mature programs already use.
The COSO ERM framework treats every one of these failures as a control deficiency at the governance layer. Recognize the patterns in your own register before a Joint Commission surveyor or a state health department investigator does.
| Pitfall | Root cause | Remedy |
| Annual assessment treated as binder refresh | IPC team carries forward prior-year scores without re-pulling NHSN, antibiogram, and census data | Pull fresh data each cycle. Document the refresh date on every input. Require committee sign-off on the methodology, not just the output. |
| High-risk scores not linked to a specific control | Assessment separates risk identification from intervention assignment | Map every scored risk to a named control, named owner, and audit cadence. No score without a plan. Track closure rates monthly. |
| Construction risk handled outside the IPC process | ICRA owned by facilities team in isolation from infection risk assessment | Route every ICRA through IPC review, file ICRA closure in the annual infection risk assessment binder, and audit ICRA compliance during construction walks. |
| Hand hygiene audits at low N and high frequency | Volume of audits substitutes for sampling rigor | Use direct observation with structured sampling, electronic monitoring where deployed, and unit-level reporting. Treat compliance below 90 percent as a citation risk. |
| High-consequence pathogen readiness pasted from 2020 plan | COVID-era documentation treated as evergreen | Re-validate isolation capacity, PPE par levels, fit testing currency, and drill cadence annually against current pathogen list. Document every refresh. |
| Long-term care assessment uses acute care template | Facility uses inherited corporate template without adaptation | Replace with the Greenberg LTC tool or APIC LTC template. Capture resident acuity, transmission-based precaution capacity, and antibiotic stewardship explicitly. |
Looking Ahead: Infection Risk Assessment for 2026-2028
Data integration is the first wave reshaping infection risk assessment. NHSN, EHR, microbiology lab antibiograms, and pharmacy stewardship data are converging into single dashboards that pull risk inputs in near real time.
Joint Commission and CMS surveyors will increasingly expect the annual infection risk assessment to cite live data sources, not lagging quarterly extracts pulled the week before survey. Emerging drug-resistant pathogens are the second wave.
CDC’s 460 percent rise in NDM-CRE between 2019 and 2023 and the five-fold rise in C. auris cases between 2019 and 2022 signal that the pathogen mix is shifting faster than annual risk-assessment cycles can absorb.
Expect 2027 guidance to require quarterly mini-assessments for emerging-pathogen risk, with pathogen-by-pathogen control mapping spelled out. The HHS HAI targets and metrics page tracks the policy direction in public form.
Value-based contracting is the third. ACOs and Medicare Advantage plans now negotiate quality-bonus payments tied to HAI metrics, and CMS Hospital Compare and Care Compare publish the data.
Hospitals and ambulatory practices with high-performing infection risk assessment programs capture incremental revenue, not just avoid HACRP penalties. The convergence of risk oversight with strategic planning piece traces this shift in adjacent risk domains.
Health systems that treat infection risk assessment as a live process will outpace those running it as an annual binder. The discipline rewards rigor: documented methodology, transparent scoring, owners attached to every control, scheduled refreshes, and an audit trail back to the source data.
The starting point is the assessment itself. You cannot prevent an infection event you have not measured against a real baseline.
Working with Risk Publishing on Infection Risk Assessment Programs
Risk Publishing designs infection risk assessment frameworks for US hospitals, ambulatory surgery centers, and long-term care facilities operating under Joint Commission, CMS, and state DOH scrutiny. We map the risk register, select the methodology, integrate the workflow into your broader integrated risk management approach and operational risk management framework, and document the methodology against ISO 31000, APIC, CDC, and Joint Commission guidance.
Continue reading the Risk Publishing risk-assessment library, the largest free practitioner archive of US-aligned risk content online: a step by step guide to risk assessment, definition of likelihood in risk assessment, definition of hazard and risk assessment, critical components in a risk assessment, and approaches and tools for risk identification. Adjacent reading from the framework side of the library, tied to the same ISO 31000 crosswalk this infection risk assessment piece builds on: five steps of the risk management process, key elements of a risk register, risk assessment templates, qualitative and quantitative risk assessment, and the importance of enterprise risk management piece for the executive frame.
To start a conversation about infection risk assessment program design for your facility, visit the contact page or the about page. The how to mitigate risk article maps how clinical IPC risk feeds enterprise-level reporting, and the broader scenario based risk assessment frame anchors emerging-pathogen planning, with CDC hand hygiene clinical safety guidance and CDC antimicrobial resistance fact sheets anchoring the prevention controls referenced throughout this
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.