Thursday, August 2, 2007

Compliance vs. Risk Management

One of the first realizations I had when I started researching risk management in eHealth is the need for a paradigm shift from what I call a "compliance mindset" to a "risk management mindset".

The compliance mindset says that if you follow all of the prescribed laws and standards, everything will be OK. The risk management mindset says that you need to understand the world around you, you need to understand your eHealth program, and you need to understand all of the risks associated with implementing the eHealth program in your environment. The risk management mindset then insists that you do something about those risks.

eHealth has been caught up in the compliance mindset, particularly with respect to privacy and security. Unfortunately, our legislators and standards setters have only tackled part of the risk issue associated with eHealth. While we have privacy legislation in most jurisdictions, and while standards are emerging for eHealth security, many eHealth risks are left unaddressed.

The biggest gaps in my mind are around safety risks and the many project and business risks associated with eHealth.

I personally have never seen an eHealth project fail because of a privacy issue (though breaches have caused grief for eHealth managers and the unfortunate victims). I have however seen many eHealth initiatives fail because of project and business risks that were completely predictable, but invisible to those who operated in the compliance paradigm. Poor project management, business models that failed to address the needs of all stakeholders, poor understanding of the end-user environment, inadequate funding and poor procurement practices top my list of factors that have caused eHealth projects to fail.

The safety issue is the sleeper here. The only reason we haven't seen more safety issues is that we have only just begun to implement eHealth in the clinical environment. Early experience with CPOE suggests that, implemented well, CPOE can reduce medical errors. Implemented poorly, CPOE can kill. As eHealth rolls out I believe we will see more and more serious safety issues. As yet there is no structured process for assessing safety risk in eHealth (although draft safety standards for health IT software are in development at ISO TC215/WG4). But even these standards will address only part of the safety issue.

Compliance with legislation and standards is a good thing. Legislators and standards setters are to be lauded for their efforts. But it isn't enough. If eHealth is to succeed we need to tackle the full range of risk issues associated with health IT and the human and business systems that surround it.


Michael Martineau said...

Over the last few months I have heard more than one person involved in eHealth projects suggest that privacy legislation and privacy rules in their organization were overly restrictive. These people felt that the laws and rules were addressing the concerns of a very small percentage of the population and that most people trusted their healthcare providers to share personal information as needed to diagnose an ailment or to deliver care. They wondered aloud whether privacy concerns were unduly impeding eHealth projects.

Perhaps looking at privacy from a risk perspective rather than a compliance perspective might promote a more productive discussion. Is there, for example, certain health information that is of less concern to people if released? Does the same level of protection need to be applied to all health information? I haven't yet formed an opinion, but I am hearing others ask these questions.

Brendan Seaton said...

I agree with Michael's comment. I have spent much of the past few years focussed on the privacy issue and have come to the conclusion that in our drive for literal compliance with legislation, we have over-engineered our eHealth systems... much to the detriment of other risk issues such as safety. I have spent as much as $250K on PIAs and TRAs for a project, leaving not a penny for safety. My analysis of privacy issues also tended to show that most privacy issues stemmed from broader business issues such as the weakness of eHealth business and governance models, which proved to be the root causes of the privacy problems and more likely to sink the eHealth project.

Take a look at my February 16th post "How Serious is Privacy Risk?" for more.