Journal of Health Care Communications Open Access

Keywords

Electronic health record (EHR); Risk management; System lifecycle; Collaboration; Hospital

Prior research has generated substantial knowledge about information technology (IT) risk management in general and clinical information systems in particular. Nonetheless, in recent years, important accumulated signs have shown that this wisdom, due to some limitations, might not be adequate in forging useful insights for managing risk associated with electronic health record (EHR) in a hospital context. I aim to shift thinking away from two such held major limitations of the extant literature on IT risk management: (1) one-phase focused, as opposed to considering the whole system lifecycle, and (2) client-centric or health care provider (adopting organization) view, as opposed to considering all key players (health care provider, health care payer, software vendor, payers, etc.).

In doing so, this essay attempts to draw researchers’ attention to the following issue: How should hospitals manage the risk of EHR throughout the entire system lifecycle? Drawing from Poba-Nzaou [1] and Poba-Nzaou and Raymond [2], I articulate a conceptual framework for addressing this issue and framing important questions for future research as well as generating insights for improving hospitals’ practices.

Introduction

In order to cope with the unsustainable rising costs of health care, several governments in industrialized countries including the US, France, Germany and the UK, are driving initiatives through regulations or financial incentives so as to accelerate the adoption of Electronic Health Records (EHRs) by primary care providers as well as hospitals [3, 4]. Electronic Health Records (EHRs) are a growing phenomenon that is considered the cornerstone of modern healthcare systems of the current information age to the extent that, “failure to adopt an EHR system may constitute a deviation from the standard of care” [5]. In this context, it is worth noting that there have been limited studies on EHR implementation in hospital settings [6] despite the fact that hospitals account for a substantial share of total health care spending. In fact, they account for over one-third in the US and Canada [7] and with at least 25% to 60% in the EU depending on the country [8].

EHR is defined as an “electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one health care organization [9]. EHRs entail high potential benefits and high likelihood of improving individual patients and populations health outcomes (e.g. –clinical outcomes- reductions in medication errors, improved quality of care; organizational outcomes- financial and operational benefits; and societal outcomes- improved ability to conduct research, improved population health, reduced costs [10, 11] that are often challenged by their high level of risk that is persistent over time all along the EHR lifecycle as it is for other software packages [12, 13]. Implementation of clinical information systems in general and EHR in particular has had limited success [14]. The failure of an EHR implementation or the poor management of EHR risk associated with its use may hamper a hospital’s ability to generate potential benefits in addition to putting patients’ lives at risk and wasting scarce resources. In a broad sense, the poor management of EHR risk has resulted in a high level of dissatisfaction of hospitals with their EHR systems to the extent that recent surveys have reported that about 20% of hospitals want to retire their current EHR and switch to another system [15, 16]. In more concrete terms, it has resulted in poor system usability, deficiency in important functionalities, low levels of interoperability, low levels of customizability, and high levels of system vulnerability with regard to security and privacy. In this regard, it is important to note that even successful implementations of EHR have not always generated the expected, later benefits. Hence, it is not surprising to find that, “in the excitement over [EHR], the potential risks associated with it have received less attention” [5]. The above mentioned shortfalls faced by hospitals give rise to the following managerial and research issue: How should hospitals manage the risk of EHR throughout the entire system lifecycle? I postulate that in order to reduce the contingency of EHR failure and increase the likelihood of improving individual patient and population health outcomes, hospitals should identify and assess their associated risks, at the earliest possible moment in the system’s lifecycle, that is during the adoption phase [2, 17] in collaboration with key internal and external stakeholders; and should continue to do so persistently throughout the system’s lifecycle. Thus, it is important that researchers focus on the management of EHR risk and also investigate how hospitals today are managing [EHR] risk – “what works, what does not and why” [18].

Context

In most industrialized countries, healthcare costs “are rising so fast that they will become unaffordable by mid-century without reforms” [19]. More specifically, if present tendencies in healthcare costs prevail by year 2050, nearly all OECD countries will devote more than 20% of their GDP on healthcare. And, by 2080 Switzerland and the United States will dedicate more than 50% of GDP on healthcare, while by 2100 almost all OECD countries will reach this level of spending [20]. This situation qualifies as being an unsustainable trend that needs to be reversed and, the implementation of EHRs within the concerned countries is seen as one of the most promising routes. However, the implementation of an EHR is highly risky. As observed recently by several horror stories reported in trade press publications, of EHR risk factor occurrences at different phases of systems’ lifecycles: hospitals forced to close; experienced unprecedented operating losses; experienced unprecedented weak operating performance due to EHR costs or failure; experienced costly data breach incidents [21-25].

Research framework of collaborative EHR lifecycle risk management

The framework in Figure 1, adapted from Poba-Nzaou [1] and Poba-Nzaou and Raymond [2], suggests that the process of EHR lifecycle can be broken down into five sub processes which are: adoption, implementation & stabilization, initial transition, use & maintenance, and shift to another EHR system or retirement. This process is influenced by two main groups of elements: a global context and a specific context. The global context is based upon the technology-organization-environment framework [26]. The specific context includes EHR undertaking specific elements such as the motivations to adopt an EHR, the stakeholders’ involvement in the process, etc. The framework also builds upon the theory of collaboration [27] and emphasizes that risk management is influenced by the collaboration – cooperation and coordination - between the key stakeholders. In this regard, it is of interest to note that key stakeholders may vary in the progression through each subsequent phase. In addition, it asserts that risk exposure as well as risk management are influenced by contextual factors; and these factors increase or decrease the exposure to risk. It implicitly assumes that risk management can be understood through the alignment or fit between a hospital’s level of exposure to EHR risk and its risk management profile. In the same manner as Poba-Nzaou and Raymond [2], risk management profile is conceptualized as a hierarchical architecture of three levels of abstractions namely principles, policies, and practices [28,29].

Figure 1: Conceptual framework of collaborative EHR lifecycle risk management.

Principles represent the highest level and act as guiding foundations to align lower, less abstract policies and practices [30]. An example of a risk management principle for implementing an EHR would be, “adapting the EHR system to local clinical processes”. Policies reflect alternative means of realizing the guiding risk management principles. While, an example of a EHR risk management policy would be, “dealing with a EHR vendor that guarantee data sharing and interoperability between the hospital and partner organizations”. Practices are specific mechanism or tools to execute policies [29]. An example of EHR adoption phase risk management practice would be “appointing a physician champion”. One advantage of the conceptualization of risk management profile as a 3-tier architecture of abstraction is that it allows one to highlight equally formal and informal risk management practices. Considering all three types of risk management practices: formal, semi-formal and informal, is consistent with empirical findings [31] and the theoretical perspective of risk [32].

I build upon my own research and prior studies and identify nine categories of risk exposure, namely: organizational, technological, usability, contractual, financial, managerial / professional, clinical, medicolegal, and liability. I will focus on only three dimensions. First, the organizational risk, which arises from the organizational environment in which the EHR system is adopted, implemented and maintained. Second, the clinical risk, which is related to the internal and external coherence of the clinical model and processes following an EHR implementation. Lastly, the technological risk, which originates from the information processing technologies required for the EHR system to operate.

I assert that the ideas and insights underlying the above framework present fruitful opportunities for various research projects including the following future research questions: What are the typical risk factors faced by hospitals throughout the main phases of the EHR life-cycle? How do hospitals manage the risk of EHR implementation and use & maintenance during the preimplementation phase? How do hospitals manage the risk of EHR post-implementation during the implementation phase? How do hospital internal and external key stakeholders collaborate in managing EHR risk throughout each phase of the system lifecycle?

In addition, it can be insightful to compare risk management associated with different EHR alternatives (an EHR supplied by a traditional single EHR vendor, a Best of breed EHR, a Cloud EHR, with an open source EHR, or an in-house developed EHR).

References

1. Poba-NzaouPlacide (2008)Adoption process and reduced risk of implementation of ERP in SME: a multiple case study. Doctorate Thesis. Trois- Rivières, Université du Québec à Trois-Rivières.
2. Poba-Nzaou P, Raymond L (2011) Managing ERP system risk in SMEs: A multiple case study. Journal of Information Technology 26: 170–192.
3. HIMSS (2014) A Glimpse at EHR Implementation around the World: The Lessons the US Can Learn.
4. The Economist Intelligence Unit Limited (2011) Future-proofing Western Europe’s healthcare. A study of five countries.
5. Mangalmurti SS, Murtagh L, Mello MM (2010) Medical malpractice liability in the age of electronic health records. New England Journal of Medicine 363: 2060-2067.
6. Boonstra A, Versluis A, Vos JF (2014) Implementing electronic health records in hospitals: a systematic literature review. BMC health services research 14: 1-24.
7. CIHI (2013) Trends in nationalhealth expenditure, pp.1975-2012.
8. HOPE (2009) Hospitals in 27 member states of European Union.
9. National Alliance for Health Information Technology (2008) Report to the Office of the National Coordinator for Health Information Technology on Defining Key Health Information Technology Terms.
10. Menachemi N, Collum TH (2011) Benefits and drawbacks of electronic health record systems. Risk ManagHealthc Policy 4: 47-55.
11. Zlabek JA, Wickus JW, Mathiason MA (2011) Early cost and safety benefits of an inpatient electronic health record. Journal of the American Medical Informatics Association 18: 169-172.
12. Davenport TH (1998) Putting the enterprise into the enterprise system. Harvard business review 76: 121-31.
13. Flyvbjerg B, Budzier A (2011)Why your IT project may be riskier than you think. Harvard Business Review 89: 601-603.
14. Kelay T, Kesavan S, Collins RE, Kyaw-Tun J, Cox B, et al. (2013) Techniques to aid the implementation of novel clinical information systems: A systematic review. International Journal of Surgery 11: 783-791.
15. Peer 60 (2015) Community Hospital EHR Report.
16. Daly R (2015) Poll: One-Fifth of Hospital EHRs Are Poor Fits: Switching may be necessary for some hospitals to meet federal incentive program requirements and avoid upcoming Medicare penalties.
17. Klein HK, Myers MD (1999) A set of principles for conducting and evaluating interpretive field studies in information systems. MIS quarterly 23: 67-93.
18. Schmidt R, Lyytinen K, Mark Keil PC (2001) Identifying software project risks: An international Delphi study. Journal of management information systems 17: 5-36.
19. OECD (2015) Healthcare costs unsustainable in advanced economies without reform.
20. McKinsey (2008) Health care costs: A market-based view. The McKinsey Quarterly, Health Care.
21. Innes (2015) Banner scrapping $115M UA Health records system.
22. Moukheiber Z (2012) The Staggering Cost Of An Epic Electronic Health Record Might Not Be Worth It.
23. Kern C (2015) EHR Failure Forces Hospital ED Shutdown, Nurses Say.
24. Absolute Software Corporation (2015) The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices. Austin, Texas.
25. Paul L (2008) Risk and risk management in software projects: A reassessment. Journal of Systems and Software 81: 2118–2133.
26. Tornatsky LG Fleischer M (1990)The Processes of Technological Innovation. Lexington, Massachusetts: Lexington Books.
27. Gulati R, Wohlgezogen F, Zhelyazkov P (2012) The two facets of collaboration: Cooperation and coordination in strategic alliances. The Academy of Management Annals, 6: 531-583.
28. Becker B, Gerhart B (1996) The Impact of Human Resource Management on Organizational Performance: Progress and prospects. Academy of Management Journal 39: 779–801.
29. Colbert BA (2004)The complex resource-based view: Implications for theory and practice in strategic human resource management. Academy of Management Review 29: 341-358.
30. Lengnick-Hall CA, Beck TE, Lengnick-Hall ML (2011) Developing a capacity for organizational resilience through strategic human resource management. Human Resource Management Review 21: 243-255.
31. Bannerman PL (2008) Risk and Risk Management in Software Projects: A reassessment.
32. March JG,Shapira Z (1987) Managerial Perspectives on Risk and Risk Taking. Management Science 33: 1404-1418.