CMS & ISO 9001 – The Impulse Toward Quality in Healthcare

CMS & ISO 9001 – The Impulse Toward Quality in Healthcare

CMS and ISO 9001

The Impulse Toward Quality in Healthcare

By Wes Chapman, Steve Maker, and Mario Martinez • April, 2013


This is the first of two white papers on ISO 9001 in healthcare. This paper provides a historical perspective, an overview of the purpose and principles of ISO 9001, and a brief look at the potential of ISO 9001 to transform healthcare delivery in the U.S. now that accreditation and certification under its standards have been embraced by CMS. The second paper will take a closer look at the process required to successfully implement ISO 9001.


In 2008, a revolution started in healthcare quality – ISO 9001:2008 entered the fray when the Centers for Medicare and Medicaid Services (CMS) approved Det Norske Veritas (DNV) as a deeming authority for Medicare payments. DNV was the first new deeming authority named by CMS in over 40 years, and ISO 9001 – considered the gold standard for quality improvement systems – played a key role in the decision. DNV had just completed development of a system it calls the National Integrated Accreditation of Healthcare Organizations (NIAHO), which it will use to accredit hospitals under CMS’ Conditions of Participation (CoPs). NIAHO combines the CoPs standards with the ISO 9001:2008 quality standards developed by the International Organization for Standardization (ISO). Healthcare providers must meet the CoPs quality and safety standards in order to be reimbursed for treating patients under Medicare and Medicaid; in 2008, ISO 9001 became the best system available to achieve that accreditation and maintain the standards necessary to keep it.

Quality improvement, along with cost reduction and payment reform, has been an elusive goal in the complex environment of healthcare delivery. Traditional quality tools like Lean and Six Sigma have proven difficult to adapt from their roots in straightforward process environments such as auto manufacturing. ISO 9001 provides the overarching management structure needed to incorporate these types of tools into a more encompassing quality management system suited to healthcare organizations. ISO 9001 is designed for service providers as well as manufacturers. ISO 9001 is focused on customer requirements and satisfaction, and there is certainly no industry that should be more customer-focused than healthcare. ISO 9001 is flexible, allowing each healthcare provider to develop and implement a quality management system appropriate to its structure, methods, and organizational culture. And ISO 9001 requires continuous improvement in order to remain certified, which means continuous benefit to the healthcare provider, to CMS, and to the patients.

The Deeming Authorities

Several other organizations have deeming authority from CMS (see the table, below), but one in particular – the Joint Commission (TJC, formerly JCAHO) – has handled the majority of hospital applicants in the 40 years since Medicare was created. In fact, TJC was the only deeming authority named in the initial law. Until very recently, TJC had not incorporated ISO 9001 into its accreditation process, nor had it offered ISO 9001 certification separately. DNV does offer full certification under ISO 9001 in addition to CoPs accreditation under NIAHO. By granting deeming authority to DNV, CMS (which is itself ISO 9001 certified) seems to have signaled its determination to control rising health care costs in the U.S. without reducing the quality of care. In fact, this is almost a standing order to hospitals to improve care without backsliding.

Accreditation Organizations with   CMS Deeming Authority
Accreditor Scope of Authority # of accredited customers (CoPs) ISO connection
The Joint Commission Hospitals, Labs, Durable Medical Equipment, Home   Health, Hospice, other Around 5,000 hospitals and over 10,000 other   institutions Affiliated with SGS to offer the option of ISO   certification to members
DNV Healthcare Critical Access Hospitals (CAH), Acute Care Hospitals   (ACH) Around 300 hospitals (over 1200 though DNV   international groups) Requires ISO 9001 certification within three years
American Osteopathic Association (HFAP) CAH, ACH, Ambulatory Surgical Center, Behavioral   Health, Lab Around 230 hospitals and 200 other institutions No ISO relationship
ACHC Home Health, Hospice, Durable Medical Equipment   (DMEPOS) No hospitals, 8,700 DMEPOS, 1,400 Home Health, and 300   Hospices ISO-certified itself but not offering ISO certification   to clients

TJC has seen the opportunity and responded. In 2011, it announced an agreement with the Geneva-based ISO registrar SGS Group to offer ISO 9001 certification, in addition to CoPs and the other accreditations it offers. Due to its organizational roots and long affiliation with CMS, TJC can claim over 20,000 U.S. clients, of which over half are hospitals or home care organizations, though TJC/SGS has yet to announce any ISO 9001 clients. Depending on the source, DNV is working with somewhere between 250 and 300 clients in the U.S., for both CoPs accreditation under NIAHO and ISO certification. Globally, they have certified over 1200 healthcare organizations under ISO 9001 to date.

It’s very hard to estimate how many U.S. hospitals have achieved ISO 9001 certification already. In addition to DNV’s 300 or so clients working toward that end, a few healthcare organizations have already achieved it through other means. Two of them – Physician’ Clinic of Iowa (PCI) and the Office of Medical Services (MED) of the U.S. Department of State – are well documented in the book Using ISO 9001 in Healthcare (Levett and Burney, ASQ Quality Press, 2011). As the public becomes more concerned about quality and more aware of the high standard indicated by ISO 9001, we can expect to see more and more certification logos on hospital web sites and letterhead, and with them, higher quality throughout the healthcare system.

Introducing ISO and ISO 9001

“ISO is just quality on steroids.”
(Director of the QMS in a 700-bed hospital working with DNV Healthcare)

ISO can refer to the International Organization for Standardization or to the standards it produces. The organization has its roots in mechanical engineering. It was founded as the International Federation of the National Standardizing Associations in 1926, disbanded in 1942, and reformed under the current name in 1946, after the dust from World War II had settled. Then and now it was an international organization made up of its member nations’ standards organizations (the U.S. representative being the American National Standards Institute, or ANSI), and its sole purpose is to develop standards for an expanding variety of industries. In addition to standards, it publishes technical reports, specifications, and related documents, most of which are developed by a network of 2,700 committees, subcommittees, and working groups.

ISO 9001 began life in 1959 in the form of a quality/inspection-based standard for the U.S. Defense Department. With much revision and expansion, it became an ISO standard in 1979. In 1987, a new revision emerged as ISO 9000, which continued to evolve, being republished in 2000 as a management system standard suitable for both manufacturing and service industries. ISO 9000 specifies the fundamentals and vocabulary underpinning ISO 9001, a quality system standard, which evolved in parallel with ISO 9000. The latest revision is ISO 9001:2008.

ISO 9001 is a respected and widely accepted framework already used to improve quality, improve value delivered to customers, and reduce costs by:

  • CMS, which is rated as the most effective healthcare payer in the U.S.
  • The American Society for Quality (ASQ)
  • The automotive industry, which has continually and dramatically improved quality over the past 50 years in its race with Japanese and German manufacturers
  • The aeronautics industry, where good quality controls have made aircraft safer and where bad quality controls produced the Dreamliner
  • Manufacturing in general
  • Franchises, which use ISO 9001 to replicate operational improvements
  • Multinationals, which use ISO to replicate their successes, while still allowing for flexibility across different regions
  • And now healthcare

What is ISO 9001?

ISO 9001 is often referred to as a quality system, but technically it is not. As stated above, it is a quality system standard. It has also been described as a meta-management system. This is a fine point to argue, but keeping it mind can help avoid confusion over what ISO 9001 offers.

ISO 9001 does not describe a specific quality tool, like Lean or Six Sigma. Instead, it specifies the types of components a quality system must have in order to improve processes and increase value. For example, one of its requirements it to create a Quality Manual, but it does not provide a rigid outline or table of contents. Instead, it states eight principles that underlie effective quality management and then defines the processes required to incorporate those principles into a quality management system. ISO 9001 leaves it up to each organization to develop the Quality Manual that is most appropriate to its own operations. It is not a how-to book; it shows you how to write your own how-to book.

The eight principles in ISO 9001 are:

  • Customer focus
  • Leadership
  • Involvement of people
  • Process approach
  • System approach to management
  • Continual improvement
  • Factual approach to decision making
  • Mutually beneficial supplier relationships

Customer Focus refers to patients, of course, but also to their families and all the other stakeholders involved in healthcare delivery. That includes outside providers to whom you refer patients, payers, vendors, and your own staff. Each of these groups has its own set of (sometimes conflicting) expectations and needs. ISO 9001 makes customer focus the first requirement under Management Responsibility:

Top management shall ensure that customer requirements are determined and are met with the aim of enhancing customer satisfaction. (Section 5.2, page 4, ISO 9001:2008(E))

Note that the standard specifies determining the customers’ requirements and also, by implication, determining if they were satisfied by the services they received. The exact methods used to discover and document this information are left to the quality team to define.

Leadership refers to a firm commitment from management to adopt the ISO 9001 standard for quality improvement. The principles and processes described provide a framework for the quality system, but the strategy, objectives, and leadership role models must come from within the organization.

Involvement of people means just that: Everyone in the organization needs to be involved in developing the quality system and making it work. This requires another commitment from management: to provide training and resources. In the complex network of processes that is healthcare delivery, it’s also important to ask and to listen to employees at every level in every department, not only because they will have information you need to know, but also so they realize the important part they play in the development, implementation, and ongoing improvement of the quality system.

The Process Approach applies to the processes of healthcare – from clinical pathways to housekeeping to buildings and grounds – and to the processes of administration and quality management. Every key process will need to be defined and managed.

A Systems Approach to Management means viewing the entire operation as a system of interrelated processes. Knowing how the processes flow and understanding how they interact to achieve specified objectives allows managers to improve effectiveness throughout the organization.

Continual Improvement is a key component in the standards. Many quality tools provide a method to improve processes, but don’t provide a system for maintaining that level of quality over time. Throughout the quality process, ISO 9001 does a very good job of asking questions and then forcing you to not only write down the answers but also follow up on delivery. This drives the process of continual improvement.

A Factual Approach to Decision Making could be stated simply as monitor, measure, and document, but ISO 9001 goes farther, to require documentation at almost every step in the quality process. At its core, a dedication to fact-based decision making means the use of impartial and auditable data. It begins with the definition of the processes in your operations and in your quality management systems, because “you can’t control a process you can’t describe.” Documentation continues throughout the implementation of your quality management system, and afterward as you monitor the daily workings of your healthcare delivery system. Documentation continues as you identify what works well and what falls short, allowing you to analyze how to adopt strengths as standard operating procedures (SOPs), and to find solutions for problems that arise in the future. Documentation still continues as you monitor the results of your solutions to guarantee they are implemented as designed and that they work.

Mutually Beneficial Supplier Relationships includes treating each other as customers, learning each other’s requirements, and verifying that both sides are satisfied with the results. In an ISO-based system, suppliers are valued partners, with the inescapable reality of shared success. Quality is not a zero sum game. ISO 9001 also requires a process in your quality system to insure that your suppliers are working at the same level of quality you are, hopefully with their own IS0 9001 certification.

Nuts and Bolts

Each of eight principles applies to the entire quality process, and they are referred to throughout the ISO 9001 document. After three brief chapters that describe the document’s scope, normative references, and terms and definitions, the document’s table of contents covers:

4)      Quality management system

5)      Management responsibility

6)      Resource management

7)      Product/Service realization

8)      Measurement, analysis and improvement

To quote from ISO’s website, the standard:

…covers all aspects of an organization’s activities, including; identifying its key processes, defining roles and responsibilities, policies and objectives, documentation requirements, the importance of understanding and meeting customer requirements, communication, resource requirements, training, product and process planning, design processes, purchasing, production and service, monitoring and measurement of products and processes, customer satisfaction, internal audit, management review, and improvement processes.

                       ISO SYstem Diagram

The second white paper will go into these processes in more detail. It’s important to realize, however, that ISO 9001 doesn’t expect you to reinvent the quality management wheel. In fact, it assumes organizations will use the standard in conjunction with other quality management tools. In our 2011 white paper, Medical Quality Systems: The Elusive Goal of Quality in Complex Systems (, we outline a system that we believe to be very effective in the complex environment of healthcare delivery. This system combines ISO 9001 with checklists and elements of the Lean and Six Sigma quality toolsets (commonly referred to jointly as “LSS”).

ISO 9001 can easily incorporate medical standards, not only those in CoPs but also clinical guidelines. We have written earlier about the importance of defining and adhering to best practice customer-related processes (i.e., clinical pathways and metrics: see A Taxonomy of Leading Oncology Organizations, and of using patient-reported outcomes (PROs: see Choosing Appropriate Metrics From a Still-Evolving Toolset, In our most recent white paper, we discuss the importance of patient education and shared decision-making (Palliative Medicine and Patient Involvement: The Heart of Patient-Centric Care, ISO 9001 goes beyond endorsing practices like these as key tools for managing and improving the quality of your healthcare delivery system – it requires them.

Properly implemented, ISO 9001 guarantees that the other tools are being used correctly and are being continually monitored to identify existing weak points that should be corrected, and to catch new problems that creep in over time. ISO 9001 will keep the system working well and improve it over time.

What Can Go Wrong with ISO 9001?

One stumbling block for healthcare providers when they first encounter ISO 9001 is the language used. There are no healthcare-specific terms. That is actually a benefit of the standard: It is flexible across and within industries. As you define your processes for daily operations and quality management and then create your Quality Manual, you use the terms that suit each process. When the standard talks about “product realization,” for example, it means “healthcare delivery.” Its “customers” are your patients and anyone else who derives value from your work.

Some common misperceptions include:

  • Failing to recognize what is not appropriate, not needed, or not required. In the complex environment of healthcare delivery, too many layers of complexity, sign-off, and documentation detail can overwhelm staff and management.
  • Trying to implement the entire system at once, rather than identifying and starting with the processes where improvement will provide the greatest benefit. An “all-or-nothing” policy puts such demands on resources that it, too, can overwhelm you. Typically, implementing ISO 9001 will require two to three years.
  • Failing to explain the process of change, and its benefits, to the entire organization. Everyone must understand how they, too, will benefit and why they must be involved. (The buzz word here is “buy-in”.) And senior management must be the first to buy in.
  • Assuming that “audit” is a once-a-year process by someone else, and that “follow-up” only means reading an audit report. Regular internal audits, continuous monitoring, timely analysis of problems, and rigorous follow-through are essential to the quality process.
  • Making the auditor God. In ISO 9001, one size does not fit all. The standard’s flexibility makes it your right and your duty to develop a quality system specific to your operations. Unfortunately, some auditors are too rigid in their interpretations, or are trying to create an easier job for themselves, and will insist that all of their clients use the same forms. In such a case, your response should be, “Where in the standard or my procedures am I asked to do that?”
  • Failing to recognize the importance of a robust document management system that will simplify data entry and retrieval and still be easy to change, with excellent version control so that users never see outdated forms or guidelines. Implementing ISO 9001would be a labor-intensive challenge in a paper-based world.
  • Failing to start and end with the customer’s perception of quality.

What’s Good About ISO 9001 is Good for Healthcare

ISO 9001’s eight principles outline what is needed for a good (if not great) quality management system. Several of them bear repeating.

In Medical Quality Systems: The Elusive Goal of Quality in Complex Systems, referenced above, we present the modern definition of quality:

Quality is the ability to deliver, through a consistent and efficient system, a product or service that meets or exceeds a customer’s rational value expectations. … This is a critical concept for healthcare. In industrial systems, it is possible (although not desirable) to operate with a very high scrap rate and utilize only product that meets specifications. In healthcare, each of these pieces of ‘scrap’ is a failure to treat a patient properly, resulting in waste, pain, injury, and even death.

In other words, there is no industry that should be more involved with its customers’ rational value expectations than healthcare.

We also quote W. Edwards Deming: “In God we trust; all others must bring data.” (Deming developed the Plan-Do-Check-Act quality tool and also introduced modern quality methods to Japan in the 1950s.) ISO 9001’s seventh principle restates this requirement as, “Factual approach to decision making.”

Then there is the fact that healthcare delivery is a complex, non-linear system of interacting processes. ISO 9001 specifies a systemic approach to managing such a system. It is the only way to achieve the broad oversight necessary to monitor both the individual processes and the interactions. With this systemic approach comes the flexibility to develop a system that incorporates healthcare-specific standards, guidelines, and metrics.

Finally, there is the requirement for continuous improvement. In addition to periodic audits by an outside registrar, ISO 9001 requires regular internal audits by employees who have been trained for the task. On top of that, it requires continual monitoring of your processes, followed by review and analysis of each problem and timely follow-up in the form of a corrective action that is then monitored to make sure it worked. If the outside auditor does find non-conformities, the mechanisms are in place to discover the root cause quickly, correct it, test the correction, and then report back to the auditor that the problem has been fixed. With ISO 9001, you have a meta-management system that gives you constant visibility into your performance so that you can quickly repair problems and know how you are doing at all times.

Compare this process with the typical accreditation process that takes place currently in most hospitals: a periodic inspection at annual intervals (at best), a bulky audit report, and little or no insight into the root cause and related effects of the issues that led to your failing the survey and possibly losing your accreditation.

What to Prepare For

Pay for Quality, Pay for Performance, ACOs, bundled payments, and other initiatives are here and growing. To succeed in a paradigm shift that drives healthcare delivery toward quality, hospitals need a framework that works and is easily understood. ISO 9001 provides that framework. By incorporating ISO 9001 into the CoPs accreditation process, DNV has made the standard a part of the expanding quality glossary in healthcare. The argument is hard to ignore: Succeeding with ISO 9001 gives you the best chance of being paid. This realization will ensure that hospital managers look hard at ISO 9001 and its potential for improving quality in their healthcare delivery system. By taking the next step and offering full ISO 9001 certification, DNV has also raised the bar for healthcare quality. The TJC/SGS partnership only adds weight to the argument. But, however important, this is only the first impulse in the quality revolution.

ISO 9001 requires quality control along the entire chain of processes involved in providing healthcare services, a chain that includes verifying the quality of every subsidiary service, from housekeeping and laundry to purchased supplies to the services of outside clinical service providers. This could very well intensify the drive toward mergers and the absorption of private provider groups into hospital environments. At the very least, outside providers will feel the pressure to become certified themselves, and will be required to adhere to ISO-based systems while in hospital facilities. Either way, the quality of clinical care and the operations of the departments that provide it will both be affected.

ISO 9001, with its focus on customer requirements and perception of satisfaction, will also speed the drive for transparency in reporting patient outcomes. The standard doesn’t require management to announce its quality goals or achievements, but patients will notice the PROs, surveys, and other metrics and will begin to wonder. Wise hospital managers will make public the data behind their seals of approval. Eventually, the general public will know what to look for (both the seal and the data); if they don’t see it, they’ll demand to know why. Even providers who don’t serve Medicare/Medicaid patients will find they need to be certified in order to attract and keep patients.

Hospital managers and the quality experts on staff face two contradictory pitfalls: waiting too long to implement ISO and rushing in before they fully understand the purpose, principles, and processes of the standard. When the time comes, everyone in the organization must understand the purpose, the goal, and the part they play in succeeding. Getting the right training for management and staff will be key to the process. And every hospital will find it must strengthen and maintain its focus on customer need, perceived satisfaction, and “rational value expectation.” Luckily, ISO 9001, in its principles and requirements, clearly outlines the quality process, from the initial definition of processes through the documented follow-through on every correction made to improve on the improvements.

Implementing ISO 9001 is not a task you can delegate to a single manager or subcommittee. It is a strategic decision that affects the entire organization, top to bottom and, hopefully, for the rest of its existence. ISO 9001 – used correctly – is a transformational tool.

Wes Chapman has 20 years of ISO experience in a variety of industries, with an in depth application and focus in healthcare. He is CQM/OE and CQA certified through ASQ, is a Certified Lean Six Sigma Black Belt through the Thayer School of Engineering at Dartmouth, is certified to CPHIMS through HIMSS, and is an Adjunct Assistant Professor of Medicine at the Geisel School of Medicine at Dartmouth College, specializing in ISO based quality systems.

Steve Maker has 6 years of experience in ISO systems, with an operational focus on the integration of Lean practices with ISO. Steve is  a Certified Lean Six Sigma Black Belt through the Thayer School of Engineering at Dartmouth, is CQA certified through ASQ and is a certified Lead Auditor through DNV.

Wes Chapman
Written by Wes Chapman

9 Comment responses

  1. Avatar
    April 26, 2013

    Great, concise, terrific. I’ve already sent to several of my students. Thanks!


  2. Avatar
    August 01, 2013

    Beautifully stated! ISO will make a difference in health care.


  3. Avatar
    September 17, 2013

    Thank you. I have been looking everywhere for this information.
    Is DMV the only ISO certification body that does CMS audits? What are the ISO scopes? What is the NACE or SIC code on the ISO audit?


    • Avatar
      September 18, 2013

      Rhonda, DNV is currently the only ISO certification body offering CMS deeming capabilities as well. TJC announced a relationship with SGS, an ISO registrar based in Geneva. The scope of the ISO program offered through DNV is a full quality management system for the hospital, including all aspects of operations and care delivery. If you go with DNV to provide CMS related accreditation, you can use any ISO auditor, and you have three years to become ISO certified/compliant. Please feel free to ask any additional questions, and I can be reached through Creative Healthcare, All the Best, Wes


  4. Avatar
    November 22, 2013

    Great article. Fair and informative. Two things Wes, I would like your permission to share this article with subscribers to our mailing list, and connect with you regarding Creative Healthcare. Many Thanks. Mark


  5. Avatar
    January 27, 2014

    Hi Wes – you stand on the same soapbox as me but from a different perspective. I am a PRINCE2 practitioner which is the Project methodology compliant with ISO9001:2008 and common across the world but less in the USA so far.
    My conversation with a Hospital Association chair was interesting as he had not heard of ISO9001. An uphill struggle. I would like to be able to share your paper with my prospective clients in the west if that is OK. I will of course attribute it.


  6. Avatar
    April 09, 2014

    Hi very well explained , pl can you elaborate few points on implementation oc iso qms standards for dentistry. Regards


  7. Avatar
    April 25, 2014

    Very good information. Do you have any insights that you can share on the use of One Note to assist with document management.


  8. Avatar

    Its nice article and thanks for sharing this information.We are providing ISO certifications please contact us.