Risk management is a standard management concern in most industries. Executives follow a portfolio of risks to a company and try to minimize the problems and potential costs. Healthcare has begun to apply the concept in some novel ways that anyone with an MBA healthcare degree will find important. Rather than focus on internal risk, some healthcare organizations have begun to see risk as effectively extending to patients, insurance companies, and corporations. For example, the company Healthcare Interactive tracks risk in employer wellness programs.
[T]he complexities surrounding the business of helping companies assemble wellness plans and the benefit design they choose is fueled by big data and risk analysis tools. Those decisions can have a big impact on how effectively companies can trim their healthcare costs. Healthcare Interactive works with payers and health systems to determine the wellness goals and incentives to include in wellness plans.
In this case, the risk lies in how the specifics of plan design and implementation affect the behaviors and ultimate health outcomes of employees. Healthcare Interactive has raised $8 million in funding to date. A provider could easily extend the concept. Risk management could help identify the most important mix of services a hospital or HMO might offer in a new clinic, based on a data analysis of demographics and medical histories. (The analysis itself would need risk management to avoid information disclosure that could be a HIPAA violation.) Even for more internal uses, improved and increased risk management could help many providers. Risk management in specific areas, such as information security, is often lacking. Security audits have begun to raise awareness of the potential dangers and costs of non-compliance with regulations.
“A lot of organizations or some organizations tend to think that compliance is sufficient, so once they’ve achieved that level of compliance they can start to focus on other efforts,” [risk management firm Stroz Friedberg Vice President George McBride told HealthITSecurity.com]. “But compliance doesn’t always equal security.”
And internal security, compliance, and governance eventually turn outward again. A provider using vendors and outsourced services should undertake audits, site visits, and assessments to ensure that a business partner doesn’t become the weak link in the compliance chain. A data breach or service failure at a third party doesn’t excuse the initial healthcare provider or provide a legal shield. The concept of risk management in healthcare organizations needs to expand into all aspects of operations and through every business relationship. Only then will providers have control over patient outcomes, customer loyalty, costs, compliance, and legal liability.