A recent survey conducted by SERMO found that more than half of U.S. physicians believe an EHR outage or malfunction has jeopardized the health or safety of a patient; the remaining 43% believe such outages do not affect patient safety. SERMO is a social network for physicians with 600,000 verified and credentialed physician members worldwide.
According to the Office of the National Coordinator for Health Information Technology (ONC), the EHR downtime impacts documented in the medical literature include higher rates of medication errors, unavailability of radiology images, and cancelled appointments. An effective HIPAA Security Risk Analysis (SRA) identifies and quantifies these impacts. Once they are documented, risk management best practice is to present them to senior management, who have the spending authority to mitigate, transfer or accept these patient safety risks.
Unfortunately, the HIPAA Security Risk Analysis process is too often confined to the information technology department or the compliance staff. Without sufficient input from clinical staff, who can articulate the impacts of downtime and other EHR malfunctions, potential patient safety impacts are neither quantified nor documented. To be useful, the risk analysis should quantify each impact in dollar terms, in patient safety terms, and/or in terms of the impact on the organization's reputation.
A useful resource for the assessment process is the ONC's SAFER Guides collection. It consists of nine guides that identify recommended practices for optimizing the safety and safe use of EHRs, and the guides can be used as part of the SRA process. The SRA should go further and specify recommended strategies for prevention and/or mitigation of each identified risk. As an example of a prevention strategy, one of the SAFER Guides suggests deploying backup systems with automatic failover. An example of a mitigation strategy is to maintain a backup system that provides read-only access to the EHR data, combined with a set of paper forms for use during downtime.
A further flaw in the risk management process is that the SRA is often never presented to senior management. Most healthcare organizations conduct an annual SRA because the report is required for Meaningful Use and/or MIPS Advancing Care Information. All too often, however, the SRA is simply a checklist item completed for compliance purposes and/or to maximize Medicare reimbursement: the risk analysis is prepared and filed without serious thought or any mitigation action.
Senior leadership in most healthcare organizations places a high priority on patient safety. To serve the organization well, those preparing the risk analysis should include patient safety impacts in the SRA and present the SRA to senior leadership. When patient safety risks and their impacts are presented clearly, senior leadership is likely to welcome the information.