Has your organization adopted strategies around risk management?

Most healthcare executives have traditionally interacted with healthcare risk management professionals (risk managers) on two levels. The first revolves around the purchase of insurance, particularly the cost of insurance. The second revolves around the resolution of adverse events.
While both of these functions are key to the risk managers’ role, the challenges for risk managers today do not stop there. Four concepts of particular interest are increasing the importance of healthcare risk management to today’s healthcare organizations: transparency, patient safety, technology and enterprise risk management.

Transparency is Necessary
In recognition of the need to demonstrate accountability to their employees, their customers and the public, many organizations adopt strategies around the concept of transparency. In healthcare risk management, one example of transparency is the disclosure of adverse events. In particular, healthcare organizations accredited by the Joint Commission are expected to inform patients and their families about unanticipated outcomes of care, treatment and services. However, this simple concept of providing information to patients when something goes wrong often raises a number of questions. For example, what constitutes an “unanticipated outcome” that needs to be disclosed? What is involved in making a proper disclosure? Who should be involved in making a disclosure? Will disclosure serve as an admission of liability or an invitation to bring a lawsuit?

Because risk managers are experienced in dealing with adverse events after they become known, they can often play a valuable role in encouraging and facilitating proper disclosure. Disclosing such information in a sensitive and responsive manner can often help facilitate the later resolution of a patient’s claims, if they arise. In addition, with their knowledge of the claims and litigation process, they may be in an excellent position to provide guidance to healthcare professionals who are concerned about the impact of disclosure on their professional careers.

To support this role of the risk manager, the American Society for Healthcare Risk Management (ASHRM) has provided risk managers with comprehensive tools and guidance on proper disclosure since the Joint Commission standards were first adopted in 2001.

Patient Safety
Since the publication of the Institute of Medicine’s report To Err is Human: Building a Safer Health System in 1999, the concept of patient safety has held new meaning for healthcare organizations. For risk managers, prevention and reduction of loss to patients have long been techniques for controlling the risks of an organization. It is sometimes claimed that the role of risk managers is to put the assets of the organization first, but that ignores the value that risk managers place on keeping patients – and staff – safe and free from harm. Therefore, an effective patient safety program makes for a more effective risk management program.

There is also a recognized opportunity in patient safety to learn from mistakes. As a result, there are currently mandatory reporting requirements in several states, and the federal Patient Safety and Quality Improvement Act of 2005 has introduced the concept of a voluntary reporting system using patient safety organizations. Regulations describing the qualifications and operations of patient safety organizations are were expected in the fall of 2007, but have not yet been finalized.

Healthcare risk management data, such as that found in claims and event reporting systems, may be of significant use to other healthcare professionals in making healthcare organizations safer for patients. There are several challenges, however, that need to be addressed:

• Claims and event data have traditionally been treated confidentially. However, to be useful to others, such data needs to be shared outside of the healthcare risk management and legal departments. In the absence of appropriate peer review and/or legal protections for such sharing, an executive decision needs to be made that the value of sharing such data within (and without) the organization outweighs any risk of discovery in litigation. Although legal counsel can give guidance about the risk of discovery, it is ultimately a business decision of the organization as to whether that risk is outweighed by the perceived benefit of using such data to impact patient safety.
• Claims and adverse events need to be investigated in a thorough and consistent manner, so that the information obtained is complete and accurate. Also, information that may be of value in the defense of a claim may not be what is needed to get at the root cause of the problems that caused the injury. Just as incomplete documentation in a medical record may impair the defense of a malpractice claim, an incomplete investigation may result in data that are of little or no use to others.
• The information needs to be classified in a consistent manner, so that the data can be compared across the organization (and across other organizations). Such data classification systems, often referred to as taxonomies, allow for “apples to apples” comparisons of events. Without such guidance, staff may classify similar events differently depending on varying perceptions of what happened.

In response to these challenges, ASHRM has undertaken a Data for Safety initiative, which is designed to determine best practices for investigating, classifying and using claims and event data for actionable knowledge, in order to give risk managers and others the tools they need to use in an environment that is promoting more and more public reporting and information sharing.

Data for Safety is intended to provide tools and resources to risk managers to help them respond effectively to reporting requirements and obtain actionable knowledge needed to improve patient safety in their organizations.

Technology: Good or Bad?
Technology is often seen as the best solution for many existing problems. For example, computerized physician order entry (CPOE) has been touted as a significant step to reduce errors in the ordering of medications. However, a number of scholarly articles cite a whole new set of errors that can be generated by CPOE. It is noted, for example, that CPOE addresses errors of commission, but it does not prevent errors of omission. It is incumbent upon risk managers to identify and respond to these risks, but it is also important that the advocates of technology solutions are receptive to information about such risks. Often, what a risk manager sees as simply identification of a risk that can and should be addressed, the technology advocate sees as criticism or unwillingness to adopt a new technology.

Technology also brings a new set of burdens in how information is protected. When medical records were kept in manila folders, keeping track of sensitive information was straightforward. Today, however, cyber liability is an example of an area where healthcare organizations’ good intentions are leading to a whole new type of risks.

Making patient information easily accessible to physicians and others outside the organization carries with it the risk that such information may be misused or the requirements of the Health Insurance Portability and Accountability Act may be violated. Adopting e-business tools to help patients pay their bills or schedule tests or appointments online can increase the organization’s vulnerability to credit card fraud or identity theft. Providing laptops to staff requires that the staff be aware of their responsibilities to safeguard both the equipment and the information on it.

In all of these cases, recognizing the risks attendant to the adoption of any technology is important. Involving risk managers in the identification, prevention and mitigation of such risks is a prudent step in ensuring that the adoption of new technology is a step forward, not a step backward.

Enterprise Risk Management
Many healthcare organizations have begun turning to industrial concepts for improving quality and performance. From the Baldrige National Quality Award Criteria to Six Sigma to the lean manufacturing system, organization leaders are seeking ways to integrate the many disparate functions of healthcare organizations in order to improve quality, productivity and stakeholder satisfaction. In healthcare risk management, an analogous concept is Enterprise Risk Management (ERM).

ERM is a different way of looking at the risks of an organization. A traditional view of risk looks at the probability and impact of adverse events and manages them within existing corporate functions such as insurance, human resources, finance or safety. Risk is seen as an opportunity for loss to the organization, to which a standard response may be to purchase commercial insurance or engage in some other form of risk financing, such as a captive.

The ERM view of risk is “risk is capital.” Risk is seen as speculative – there is an opportunity for either gain or loss. If a healthcare firm purchases a physician’s office practice, for example, there are some “insurable” risks, such as professional and general liability, property and casualty, but there are also risks that the practice will lose (or make) money that have nothing to do with those insurable risks. To fully assess the risks of such a decision requires the broader analysis of risk contemplated by ERM.

Many healthcare organizations have recognized the benefits of management of care and services by product or service line, rather than by department or function. Likewise, ERM recognizes that risks do not exist in isolation, so they need to be managed across the organization rather than within existing corporate functions. This has resulted in the development of the role of the chief risk officer, which may be found in banking and asset management companies as well as insurance companies. However, to be a chief risk officer means that the risk manager is not just heading up the organization’s insurance function, but is also responsible for using a comprehensive and integrated framework to manage all types of risk.

ERM is still a relatively new concept in healthcare. However, if an organization has the following characteristics, ERM can be a logical extension of what the organization’s leadership is attempting to accomplish in patient safety and performance improvement in general:

• The organization utilizes multidisciplinary teams to effect change.
  
• The organization’s governing body and senior management are proactive in their approach to patient safety and performance improvement.
  
• The organization’s employees believe they can be part of the solution in improving patient care.
  
• The organization believes and acts as though errors that occur often do so because of system failures.

Achieving Safe Healthcare
Many leaders of healthcare organizations will recognize the concepts discussed here, since they are also on their own agendas. It is hoped that this brief discussion will help those leaders better understand the contributions that are and can be made by healthcare risk management professionals in order to achieve safe and trusted healthcare.