Threat Assessment
Threat Case Management: Monitoring and Closure
A threat assessment doesn't end at the first meeting. Learn how a healthcare team manages a case over time — monitoring, review triggers, and a defensible closure decision.
A threat assessment is not an event; it is a case. The first team meeting produces an assessment and a management plan, but the concern itself unfolds over days or weeks — escalating, de-escalating, or simply persisting. The work that happens between the initial decision and a deliberate close is case management, and it is the half of the process facilities most often neglect. A concern that is assessed once and then drifts is exactly the record that reads badly later: a situation the facility knew about and stopped tracking. This article covers how a healthcare threat assessment team manages a case over time, monitors it, and closes it defensibly.
#Why the case does not end at the first meeting
The five-step process ends with "documentation and follow-up" for a reason: follow-up is where management actually happens. A management plan adopted on Monday means nothing if no one checks on Friday whether it is working, whether the concern has grown, or whether the assumptions behind it still hold. Treating the assessment as a one-time evaluation produces two failures at once — a clinical failure (a deteriorating situation goes unwatched) and a compliance failure (no record that the facility continued to manage what it identified).
The Joint Commission's workplace violence requirements (effective Jan. 1, 2022 for hospitals) and Texas HSC Chapter 331 both frame follow-up as part of a functioning program. Case management is how follow-up becomes real rather than a line in a policy.
#The elements of active case management
Managing a threat case over time involves a small, repeatable set of elements:
| Element | What it means in practice |
|---|---|
| Named case owner | One person accountable for the case until closure |
| Management plan | The specific measures in force, each with an owner |
| Review cadence | Scheduled re-checks proportionate to the level of concern |
| Monitoring signals | What the team is watching for — escalation or de-escalation |
| Re-activation triggers | Defined events that bring the case back to the full team |
| Running record | A contemporaneous log of checks, changes, and decisions |
The level of concern sets the intensity. A higher-concern case warrants a tighter review cadence and more active monitoring; a lower-concern case may be reviewed less often but is still owned and tracked. The point is that every open case has an owner, a cadence, and a record — none are left to chance.
#Monitoring without surveillance creep
Monitoring a case must stay within the facility's compliance and clinical-coordination lane. The team watches for changes through the information it legitimately has — care-team observations, reported contacts, the warning behaviors and pre-incident indicators staff are trained to notice — and shares that information under the minimum-necessary, lawful-basis discipline that governs all threat-case information. It does not conduct surveillance, investigation, or off-campus tracking; those are not the function of a healthcare threat assessment team, and a record that suggests otherwise undermines both the rails and the program's credibility. Monitoring means staying informed and reviewing on cadence — not policing a person.
#Adjusting the plan as the situation moves
Case management is dynamic. A review may reveal the concern is escalating, calling for stronger measures or a law-enforcement decision; or de-escalating, allowing measures to be relaxed. Either way, the change is a documented team decision, not an informal drift. Recording why the plan changed — what new information drove it — is what makes the case read, in any later review, as a managed situation rather than a series of unexplained adjustments.
#Closing the case deliberately
Closure is a decision, not a default. A case does not close because time passed, the patient was discharged, or the employee left — those events may change the concern but do not, by themselves, resolve it. The team closes a case when it deliberately concludes the concern has resolved or de-escalated to a level routine measures can manage. A defensible closure records:
- The closure decision and the team members who made it.
- The rationale — what changed, and why routine measures now suffice.
- A re-activation trigger — the specific event or signal that would reopen the case.
- Record retention — the closed case stays in the confidential file per the retention rule.
The re-activation trigger is what keeps closure honest: closing a case is not erasing it. If the same person resurfaces with a new concern, the prior record is available and the case can reopen with full context.
#Why closure discipline is a litigation safeguard
Picture two records in discovery. In the first, a concern was assessed once and the file simply stops — no follow-up, no closure, no rationale. It reads as a threat the facility noticed and abandoned. In the second, the case shows scheduled reviews, documented adjustments, and a deliberate closure with a stated rationale and a re-activation trigger. It reads as a situation the facility managed to a reasoned conclusion. The difference is entirely in the case-management discipline, and it is decisive — which is why closure belongs in the standard for documenting threat assessments defensibly.
#Feeding the program
Closed cases, de-identified, are program intelligence. Aggregated, they tell the WVP committee where concerns concentrate, which measures worked, and what the worksite analysis should address. Case management is therefore not only about the individual situation — it is the data layer that lets the program learn, the loop that Chapter 331 and the Joint Commission expect a living program to demonstrate.
#How VIGILO helps
VIGILO helps facilities build case management, monitoring, and closure into a documented threat assessment program — owner accountability, review cadence by level of concern, re-activation triggers, and a defensible closure standard — within the written WVP plan and policies and supported by staff education. The process is kept current through an annual program review, and for Texas facilities it aligns with HSC Chapter 331. To see where your follow-up and closure discipline stands, start with the Chapter 331 compliance checklist.
VIGILO provides compliance, training, and consulting assistance and supports survey-readiness and preparedness; it does not guarantee safety outcomes and does not provide security guard, patrol, surveillance, or investigative services. Monitoring is limited to lawful information-sharing within the facility's care and operations functions. Sources: The Joint Commission Workplace Violence Prevention requirements (incident reporting, tracking, trending, and follow-up; effective Jan. 1, 2022 for hospitals); Texas Health & Safety Code Chapter 331 (SB 240, 88th Leg., 2023) and 26 TAC §133.55; HHSC PL 2024-10; OSHA Publication 3148.