Enterprise Risk Management in Healthcare
Enterprise risk management (ERM) may be thought of as a process embedded in an organization that is devoted to finding and managing all the types of risk it encounters. This chapter provides an overview of risk management principles and how organizational risk is assessed in a practical manner using risk domains and the Risk Score. Topics in this chapter include the importance of culture and creating a culture of prevention; the risk assessment survey; the role of the chief risk officer and risk manager; disclosure and informed consent; information technology, security, and the Health Insurance Portability and Accountability Act; formal risk reporting and Patient Safety Organizations; and patient safety evaluation systems (PSES).
Keywords: Enterprise risk management (ERM); ISO 31000; Risk domain; Patient safety; Failure mode effect analysis (FMEA); Key risk indicator (KRI); Surgical risk; Safety culture; Risk assessment; Disclosure; Risk officer; Risk manager; Patient safety organization (PSO); Patient safety evaluation system (PSES); HIPAA; Business associate; Covered entity; Common formats