I was wondering if any other DHBs/PHOs services have developed a systematic process to identifying, evaluating and placing controls for clinical risks in regards to IT products and change requests?
I have often found that change requests come through with a generalized statement about a potential risk to justify the need for the change and I am interested in the process other organisations have to quantify, score and mitigate the risks?
Do IT projects require a specialized clinical risk framework or can the organisation's general risk management framework be used?
Hi @amscroggins
I can't speak for what is currently used but some years ago we used FMEA as a risk assessment framework as part of CDHB's eMeds implementation process. I was guided by the quality/patient safety office on the process. We had 3 user representative groups (medical, nursing, pharmacy). From memory, it was resource heavy but worth doing.
At TDHB we chose to use the standard risk matrix as that was what everyone was used to using. This then flows into the request prioritisation process. We also have an overarching question around if the issue is identified as an organisation risk and on the risk register and if it is the priority is boosted. Happy to share our process.
Hi @amscroggins
At the last place I worked we split things into causes/hazards/controls.
Causes were things about the software, hazards were the bad outcomes they could cause, controls were things that could mitigate the bad outcomes (be they software features or internal staff processes).
Each cause could have multiple hazards, each hazard could have multiple controls - but not vice versa.
So an example would be
Cause 1 - med admin chart shows only three days of administrations
Hazard 1.1 - a prescriber might double dose a patient not realising they have had previous doses
Hazard 1.2 - a prescriber might prescribe an interacting medication not realising another medication was on the chart
Control 1.1.1 - alerts fire for all concurrent duplicate therapy medications
Control 1.1.2 - prescribers are encouraged to scroll through the week of the chart
Etc…
Each hazard was then scored against a risk matrix of 1-5 'how likely is this to happen' and 1-5 'how bad would it be if it did happen'
Those two numbers were multiplied to give the risk score. There were different required levels of action for each tier of Risk scores.
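A worked model of the causes/hazards/controls register and the 5x5 likelihood-by-severity scoring described in this post, written here as an added example; it is not code from the original post or from any organisation's tool. The hazard text is taken from the post's example; the likelihood and severity values, the control refs, and the tier boundaries are constructed assumptions (the post only says that tiers with different required actions existed).

```python
"""Added example: a minimal clinical-risk register for an IT change request.

Structure follows the post: each cause has many hazards, each hazard has many
controls, and a hazard or control belongs to exactly one parent (not vice versa).
Risk score = likelihood (1-5) * severity (1-5). Tier boundaries are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    ref: str
    description: str


@dataclass
class Hazard:
    ref: str
    description: str
    likelihood: int  # 1-5, "how likely is this to happen"
    severity: int    # 1-5, "how bad would it be if it did happen"
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        # The post's scoring rule: the two matrix axes multiplied.
        return self.likelihood * self.severity


@dataclass
class Cause:
    ref: str
    description: str
    hazards: list = field(default_factory=list)


# Assumed tier boundaries and required actions (hypothetical, for illustration).
TIERS = (
    (1, 4, "low", "accept and record in the register"),
    (5, 9, "moderate", "assign an owner; review at next committee"),
    (10, 14, "high", "mitigation plan required before go-live"),
    (15, 25, "extreme", "escalate to clinical governance; do not proceed"),
)


def tier_for(score: int):
    """Return (tier name, required action) for a risk score of 1-25."""
    for low, high, name, action in TIERS:
        if low <= score <= high:
            return name, action
    raise ValueError(f"score out of range: {score}")


def validate_tree(register):
    """Enforce 'not vice versa': no hazard under two causes, no control under two hazards."""
    seen_hazards, seen_controls = set(), set()
    for cause in register:
        for hazard in cause.hazards:
            if id(hazard) in seen_hazards:
                raise ValueError(f"{hazard.ref} is attached to more than one cause")
            seen_hazards.add(id(hazard))
            for control in hazard.controls:
                if id(control) in seen_controls:
                    raise ValueError(f"{control.ref} is attached to more than one hazard")
                seen_controls.add(id(control))
    return True


def uncontrolled_hazards(register):
    """Hazards that were scored but have no control recorded against them."""
    return [h.ref for c in register for h in c.hazards if not h.controls]


def rank_hazards(register):
    """Hazards ordered highest score first, with their tier, for prioritisation."""
    rows = [(h.score, h.ref, c.ref, tier_for(h.score)[0]) for c in register for h in c.hazards]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def build_example_register():
    """Constructed register based on the example in the post (scores are assumed)."""
    c1 = Cause("Cause 1", "med admin chart shows only three days of administrations")
    h11 = Hazard("Hazard 1.1", "prescriber might double dose a patient not realising "
                 "they have had previous doses", likelihood=3, severity=5)
    h11.controls += [
        Control("Control 1.1.1", "alerts fire for all concurrent duplicate therapy medications"),
        Control("Control 1.1.2", "prescribers are encouraged to scroll through the week of the chart"),
    ]
    h12 = Hazard("Hazard 1.2", "prescriber might prescribe an interacting medication not "
                 "realising another medication was on the chart", likelihood=2, severity=4)
    c1.hazards += [h11, h12]
    return [c1]


if __name__ == "__main__":
    reg = build_example_register()
    validate_tree(reg)
    for score, href, cref, tier in rank_hazards(reg):
        print(f"{cref} / {href}: score {score} ({tier})")
    print("hazards without controls:", uncontrolled_hazards(reg))
```

The identity checks in validate_tree are what make the "each hazard has many controls but not vice versa" rule explicit: a control object can only be reached from one hazard, so a register that reuses one control across hazards fails validation rather than silently double-counting it. The uncontrolled-hazards list is the check a reviewer would want before a change request is allowed to cite a risk as justification.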
Wondering if you have had a conversation with @nick.baker who did some work on some Design Principles earlier this year. Nick is a Paediatrician in Nelson
I've just attended a session at the UK Digital Health Summer School in Leeds on this, so what follows are my notes on how this is currently done in the UK. It provides a useful framework. Question is - should we follow this specific framework for IT projects, or should we use our existing processes for assessing risk?
Clinical Safety of Health IT Solutions in the UK
Section 250 of the Health and Social Care Act 2012 specifies two standards specifically related to Health IT Systems:
These must be followed where provision or use of information has the potential to cause harm to patients or service users.
This covers all health IT systems which could potentially cause harm to patients
including telehealth, mobile apps, and medical devices.
The following are not covered by these standards:
Information governance, financial reporting, statistical reporting tools
Clinical Safety Officer
Each NHS trust has a Clinical Safety Officer (CSO). This person's role is specific to the clinical safety of Health IT Systems. The CSO:
Must be a clinician who is currently registered with a professional body.
Must be knowledgeable in risk management and its application to clinical domains.
Must make sure that the processes defined by the clinical management process are followed.
Identifying hazards involves looking at:
What can go wrong?
How serious would it be?
How likely is it?
What should be done about it?
Controlling hazards involves:
Training
Business process change
Design
Testing
We already use similar tools to identify and mitigate risk in other areas. When my son was at kindergarten, the teachers had to perform a hazard assessment and plan for every kindergarten outing. Surely we should be doing this for Health IT solutions as well?
Hi @amscroggins we use our organisation risk management policy for IT products and change requests. This includes all risks being assigned a committee where they are reviewed. The frequency of review being dependent on the level of risk.
I'm also interested in the UK model though @damon thanks for sharing.
Thanks for sharing @AnniMek, we used a very similar model to our clinical risk/governance group when I was at Orion Health. A significant limitation to the group was the lack of practicing clinicians as most clinical reps hadn't practiced in many years. That said, I felt there was significant benefit from also having some technical representatives present at the meeting to build context and share knowledge of clinical implications as well as understanding technical limitations/alternatives.
@amscroggins if you haven't already, another suggestion I'd have is to look at ISO/TC 215
There is a brand new version (released last month) of the standard that specifies the risk assessment necessary to protect remote maintenance activities, taking into consideration the special characteristics of the healthcare field such as patient safety, regulations and privacy protections.
We have just gone through a prioritisation exercise for our 'small projects' and used risk in that context with the expectation that if risk is identified it has also been documented. I am always taken aback when projects use risk to try to get over the line but have actually not had that risk formally documented…