THE EVOLUTION OF RISK MANAGEMENT IN HEALTH CARE

Risk management in health care emerged as a result of the malpractice crisis of the 1970s. Healthcare institutions realized that the corporate world had a way of addressing the financing or transfer of risk through the purchase of insurance and created a specific position for a risk manager to manage the relationships around those decisions. As malpractice verdicts and settlements continued to rise, healthcare administrators recognized the potential value of developing a more proactive approach. Even as the insurance crisis was coming to an end, there was an increased sense of the importance of managing or eliminating the clinical risks that had resulted in a rise in the costs of insurance. Professionals with clinical experience were hired with the hope that they could identify the systemic problems in specific clinical areas (primarily obstetrics, anesthesia, and the emergency department), engage clinicians and educate them about the need to modify specific behaviors, and work collaboratively with others on the clinical and administrative teams to help design environments that would be more conducive to the delivery of safe care. Although at times successful—for example, the dramatic changes in safety associated with the delivery of anesthesia and the enhancement of patient quality in that specialty—generally the hard work did not pay off. The insurance market softened, as cyclical markets do, and many risk managers were again able to demonstrate their value by successfully negotiating risk transfer arrangements with steadily declining costs.

Now we are faced with even more significant challenges: the insurance market is again tightening in response to a dramatic escalation in malpractice verdicts and settlements,² some appropriately attributed to juries with no real understanding of the issues they are being asked to evaluate and others seemingly closely related to an industry under considerable stress. Many markets are consolidating, becoming insolvent, or electing to cease their underwriting of medical malpractice risk. Others are increasingly selective and costly when making a decision about offering coverage.³ In addition, the events that occurred on 11 September 2001 in the US caused many markets to reconsider their business strategy. In all likelihood this event will further increase prices and decrease the amount of insurance protection available. In the light of these dramatic changes, we propose that, rather than trying to rely on what has been learned from the past, risk managers should attempt to chart a new future.

Although the hairsplitting continues around the data presented in the first IOM report, and healthcare practitioners and researchers continue to argue about the precise numbers of patients who die from or suffer medical errors annually,⁴ many would suggest that the actual number is less important than the fact that anyone dies needlessly from preventable medical error.

The Institute of Medicine's most recent report “Crossing the quality chasm”⁵ helps answer these questions associated with the difficulty in creating safer health care by pointing out the obvious: “Trying harder will not work. Changing systems of care will”. The US healthcare system has continued safety and quality problems because it relies on outmoded systems of work. Poor designs set the work force up to fail—regardless of how hard they try—and the fragmentation and hierarchical structure of most healthcare organizations impedes the ability of our organizations to make true and lasting progress. These barriers may be compounded by the fact that risk management often performs its function in a manner that is not fully integrated into the structure of the organization, so changes may be episodic and unit or incident focused and not sustained and organization wide. No one will argue that we all seem to be working harder, but are we working smarter, are we prioritizing effectively and doing the work that really matters to our organizations and the patients they serve, and are we able to create a business case justifying the need for change based on a sound and realistic economic analysis?

An important initial step in the promotion and understanding of patient safety will be to develop a reporting tool that can be used by all staff to report adverse events and near misses and simultaneously to create a culture in which such reporting is encouraged and rewarded.

“. . . medical errors are inherent in the work of healthcare providers”

Historically, one of the most significant sources of risk management was the patient incident or the lawsuit that often followed. Even proactive risk management activities often were instituted only after a problem, or a provider was identified as high risk. When an adverse event was reported it was the top priority to meet with all parties involved in the treatment of the patient, record the information, and counsel them not to repeat the information to anyone else. Protecting the financial security of the hospital and the reputation of the hospital was the number one goal. Risk managers were primarily focused on managing the adverse events. In some organizations occurrence reports were evaluated and trends were identified, but the goal was not necessarily to develop corrective action proactively based on the identified trends. What is now increasingly clear and has been a theme in many of the discussions related to patient safety and medical error is that medical errors are inherent in the work of healthcare providers. “The evidence is overwhelming. Medical errors most often result from a complex interplay of multiple factors; only rarely are they due to the carelessness or misconduct of single individuals. Yet, in the past, rather than addressing those underlying system design (emphasis added) faults, error prevention strategies have relied almost exclusively on enhancing the carefulness of the caregiver.”⁶ What needs to change is the way in which risk management is orientated. We must be part of a team that constructs a root cause analysis of systems and structures in advance of those risks actually materializing, so embedding a risk management discipline into the fabric of healthcare operations and corporate and strategic planning.

The value of occurrence reporting in risk management has long been debated. Many risk managers did not believe that there was any value in reviewing hundreds of reports each month. “What value are they? The really significant adverse occurrences are “phoned in” immediately after they happen. Why waste time reviewing all of the minor occurrences that didn't result in anything bad happening to the patient?” These risk managers were not looking at the reports as the “horoscope” of what was to come. Instead of identifying the “near misses” and performing a root cause analysis and criticality analysis on the near misses, they dismissed these reports as “just numbers” and some even said “a waste of time”.

When an adverse event occurred

Following the occurrence of an adverse event, the risk manager began to develop the points that could be used by defense counsel in the event that a claim or lawsuit was filed. Interviews with staff were held one on one. There was no team meeting to discuss the occurrence and the possible cause. There was no attempt to bring everyone together to discuss each person's role in the patient's care and in the end result. Each person was brought into a room, interviewed, and reminded not to discuss the “case” with anyone. The caregivers were advised about how to talk to the patient about the unexpected outcome. Any discussions were too brief and vague. No one was told to be dishonest when speaking with the patient but, on the other hand, no one was told to be completely and totally honest and forthright. Even with statistics showing that more patients were motivated to sue because they did not believe that the physician had given a full explanation of what occurred, complete disclosure is a difficult sell for the risk manager and for legal counsel for the hospital. Although legal counsel do not advocate dishonesty when talking to the patient, they are reluctant to agree to a formal policy that dictates that the caregiver discloses any medical error or any treatment that results in an unexpected outcome. This fear is grounded in the belief that disclosure could erode the protection of that information from discovery—that protection historically provided under state peer review law and the attorney client privilege. An official policy may not be necessary, but it offers a method of communicating what the hospital wants its staff to do in the event of an unexpected outcome.

CHALLENGES OF HEALTH CARE RELATED TO CREATING A CULTURE OF SAFETY

The major dysfunctions cited in one report (and consistent with many other reports including the second IOM report) are listed in box 1 and could provide a starting point for risk managers to assess their challenges for the future.⁷

ROLE OF JCAHO IN PROMOTING SAFETY AND ERROR REDUCTION

The Joint Commission on Accreditation of Healthcare Organization (JCAHO), an independent organization that evaluates and accredits healthcare organizations and healthcare programs throughout the US, has recently promulgated patient safety standards that took effect on 1 July 2001.⁸ Critical areas of focus of these standards relate to (1) providing leadership, (2) improving organizational performance, and (3) information management and patient rights, training and education. While the JCAHO standards are typically not the driving motivator for risk management activities, the moral and business case for making these areas of focus central to any risk management strategic plan seems evident. They provide a good template for beginning to create a culture of safety.

Providing leadership

Much has been said about the importance of strong committed leadership in advancing the principles of patient safety and risk reduction. The risk manager needs to be more fully engaged in providing leadership to the organization that will enable it to make sound business decisions that balance fiscal accountability with quality of patient care and error reduction. This can only be accomplished by the collection and aggregation of data that represent the total cost of risk presented by a specific behavior, the cost of managing or eliminating that risk, and the identification of benchmarks so that risk managers and the organizations in which they work can more precisely develop a strategic plan.

An economic analysis that considers the cost of risk to be greater and more inclusive than the total amount spent in claims and settlements and on purchasing insurance or to self-fund an insurance program are essential. Medical errors carry a high financial cost. The IOM report estimates that medical errors cost the US approximately $37.6 billion each year, about $17 billion of which is associated with preventable errors. About half of the expenditure on preventable medical errors is for direct healthcare costs.⁹ These costs are seldom considered when attempting to prioritize the risks facing an organization. The risk manager must take the lead in developing a strategic plan for patient safety and present this to the leadership.

Organizations such as the Leapfrog Group (box 2) have begun to develop cost/benefit analyses associated with the institution of specific safety measures.¹⁰ As part of that analysis they consider system inefficiencies and their cost both in labor and patient outcomes. The risk management process could and should include such factors.

In addition, it will become increasingly important for healthcare executives (and risk managers) to establish firm epidemiological links between presumed (and accepted) causes and adverse events.¹¹ This evidence based risk management process will force a more analytical approach to risk management principles and practices and will enable the risk manager and the organization to focus change in those areas that are clearly associated with risk of harm.

Improving organizational performance

The creation of a high reliability organization is fundamental to patient safety. High reliability organizations rely on the reduction in variability through standardization of equipment and procedures, consistent clear leadership committed to safety and excellence, and an open non-punitive reporting culture. The risk management process is grounded on these same principles. Often, however, the risk manager does not have a seat at the table when specific organizational strategies or challenges are discussed. In addition, although most risk managers have become quite adept at performing root cause analysis after an adverse event has been identified, they are not used to performing a root cause analysis on an organizational activity being contemplated before an injury occurs. In fact, they may not see the necessity of getting involved in many of the organization's most pressing strategic decisions, despite the fact that the solutions presented or contemplated may create more long term problems than they solve. As risk managers we should become increasingly involved in what has been termed “failure mode effect analysis”, an assessment process used by engineers to examine the steps in the process where there is (or might be) undesirable variation (“failure modes”). For each identified failure mode, the possible effects on patients and the potential seriousness of those effects should be analyzed. The identification of potential negative effects should then drive a process of redesign of the underlying system or process to minimize the risk of that failure mode from developing or to protect patients from the effects of the failure mode. This type of analysis is described as part of the new JCAHO safety standards.⁸

Information management

In the past the paper report form was sometimes the only format used to report occurrences. Risk managers found that, in order to learn about more of the near misses and the minor occurrences, other methods of reporting had to be offered.

Many patient safety programs now offer, in addition to the paper form, anonymous reporting, telephone reporting, Intranet (or web based) reporting, and paging a risk manager, giving the busy healthcare professional access to a variety of reporting methods. A telephone call is probably the easiest way to report and the risk manager can complete the paper or electronic form based on the call. Another way of gathering information is to join with the performance improvement staff and train them to identify potential problems and patient safety issues when doing prospective or retrospective audits.

There is a wealth of information to be found when reviewing charts. Others in the hospital may audit charts or identify patient safety issues in their day to day routine. It is a matter of educating the healthcare professional in what to look for and the importance of taking a role in the patient safety initiative. It is equally important to develop a common taxonomy around error reporting so that consistency is maintained both in identifying the event and summarizing the causal factors contributing to it (see Appendix).

WEIGHING THE BENEFITS OF DISCLOSURE AGAINST THE RISKS OF DISCOVERY

The risk manager then has to decide what to do with the information. Risk managers and other healthcare executives have long recognized both the power and the peril of healthcare information. “Whether hospitals successfully turn the corner or find themselves reduced to rubble by information management gone awry remains to be seen. Regardless of which scenario plays out, however, bringing computers into the care process and using automation to slice through the bureaucracy are increasingly viewed as strategic and clinical imperatives.”¹² On the one hand, risk managers are aware of the need to protect sensitive information to ensure patient confidentiality and to keep specific information gathered for a specific purpose out of the hands of those who might use it inappropriately or incorrectly for other purposes but, on the other, many risk managers fight the release of data that could enable enhanced learning opportunities because of the fear that more harm will be created than benefit received. The need to balance these concerns has been heightened with the recent enactment of the HIPAA.¹³ In addition, calls from the public mandating disclosure of error and the sharing of sensitive risk management data with state and national accrediting and licensing agencies have become the subject of much debate. Most individuals advocate that such disclosure is both operationally necessary to further the study and reduction of error and ethically necessary in keeping with the relationship that providers owe to their patients. Legislation pending in Washington that would mandate the disclosure of errors, but would also allow that information to be protected from discovery, may soon help to alleviate some of these concerns.

Risk managers must play a role in deciding what to share and with whom, and to assist the organization in designing a policy for merging the many data sources available in healthcare organizations so that a true picture of risk and benefit can be appreciated. They can also assist in the education of their defense counsel on how to develop an affirmative defense to the potential use of error rate data by opposing counsel. Clearly, healthcare organizations must focus more aggressively on their efforts to reduce error and to share what they have learned with others. They must be willing and able to explain how they were prepared to assume the risk of some of these data being used against them in favor of creating a safer environment for patients and providers.

Changes in the focus of healthcare risk management are identified in table 1.

CONCLUSION

The challenges have never been greater, the work force never smaller, the technology more complicated, the patients' demands never higher but, despite all of these tensions, healthcare professionals and those who assist them in managing the risks associated with their responsibilities must continue to remember that, every day, patients and their families entrust their lives to them. They owe it to their patients to be worthy of that trust. If they are unwilling or unable to meet the demands of the organization and the patients and, more importantly, if they fail to recognize the unique privilege that they are provided each time a patient entrusts their life to them, they are in the wrong business. Most healthcare risk managers look forward to the opportunities ahead and are dedicated to managing their organization's risk and enhancing patient safety. The future is fraught with peril and great risk but also great reward. Those risk managers who accept change and think of new ways to embed risk management principles into their organizations to help create meaningful and sustainable change will prosper. Those who don't should get out now. They are destined to fail and to fail their organizations.

APPENDIX: DEFINITION OF TERMS USED IN TEXT

Adverse event – an injury that was caused by medical management (rather than underlying disease) and that prolonged the hospitalization, produced a disability at the time of discharge, or both. [

(p 370).]

Error – the failure of a planned action to be completed as intended or use of a wrong plan to achieve an aim; the accumulation of errors results in accidents. [

] Available at: http://books.nap.edu/html/to_err_is_human.

Failure mode effect analysis – the systematic assessment of a process or product that enables one to determine the location and mechanism of potential failures. [

(p 331).]

Incident report – a form or process used to document occurrences that are not consistent with routine hospital operation or patient care. [Cullen DJ, Bates DW, Small SD, et al. The incident reporting system does not detect adverse drug events: a problem for quality improvement.

(p 541).]

Negligence – care that fell below the standard expected of like physicians practicing in a similar environment.

Patient safety – the avoidance, prevention, and amelioration of adverse outcomes or injuries stemming from the processes of health care. These events include “errors”, “deviations”, and “accidents”. [

.]

Risk management – the term “risk management” usually refers to self-protective activities meant to prevent real or potential threats of financial loss due to accident, injury, or medical malpractice. [

(p 963).]

Root cause analysis – a process for identifying the most basic or casual factor or factors that underlie variation in performance, including the occurrence of an adverse sentinel event. [Joint Commission on Accreditation of Healthcare Organizations. Conducting Root Cause Analysis in Response to a Sentinel Event. Oakbrook Terrace, IL: Joint Commission on Accreditation of Healthcare Organizations, 1996 (p 1).]