BlueSynergy Associates, LLC
  • Home
  • ABOUT
    • About You
    • About Us >
      • Twitter Feed
    • About DNV GL Healthcare
  • Services
    • Advising
    • Contract Auditing/Surveying
    • HIPAA / HITECH
    • Risk
    • Training/Education
  • Resources
    • Original Articles >
      • Accreditation Articles
      • Audits/Surveys Articles
      • Communication Articles
      • Cyber Risk / Cyber Security Articles
      • Education Articles
      • Medical Staff Articles
      • Process Articles
      • Risk Articles
      • Quality/Quality Tools >
        • ISO 9001:2015 FAQ's
    • Shared articles >
      • HBR article- Hospitals can't improve without better management systems
      • Becker's- 3 Ways hospitals can improve profitability in 2016
    • Past Newsletters (Progress Notes-PRN)
  • Tools
    • Prioritization Matrix
    • Heat Maps
    • Preliminary Risk Assessment
  • Revenue Cycle
  • Contact Us

Knowledge Management in your Accreditation

12/20/2017

1 Comment

 
      I continue to be amazed at the hidden jewels in our hospital accreditation requirements, there by design yet oftentimes not apparent.  One of my newest amazements is knowledge management. 

     What is knowledge management (KM)?  One common definition is “the process of capturing, distributing, and effectively using knowledge.”  A more comprehensive definition might be “knowledge management is a discipline that promotes an integrated approach to identifying, capturing, evaluating, retrieving, and sharing all of an enterprise’s information assets. These assets may include databases, documents, policies, procedures, and previously un-captured expertise and experience in individual workers” (from Gartner Group).

     KM is a concept that’s been around for about 20 years.  It’s a term that has its origins in the succession planning world.  In the business world, succession planning has become a strategic priority.  In order to maintain a competitive level of performance, organizations must not only determine, maintain and use available knowledge, they must also work diligently to gain additional knowledge to maintain their ability to achieve their purpose and strategy.

     In our healthcare world, we work feverishly every day to keep patients safe and keep abreast and compliant to the mountain of regulations, requirements that we are “subjected” to in healthcare.  This isn’t an easy task in our profession.   Did you know the average age of a neurosurgeon is over 60, a heart surgeon is 55 and hospital administrator is 57.  These averages are actually lower than they were 5 years ago and give us a brief sigh of relief for the immediate future.  The question is how will our knowledge be determined and maintained for those activities that we do in our hospitals that is not taught in school but gained through experience.

     Our risk-based hospital accreditation from DNV GL gives us a structure to travel down this path.  Here’s the flow of requirements from the most elementary perspective.  Our accreditation details the requirements of determining and maintaining the knowledge that we need to have to perform our hospital jobs.  I call this the “what” we need to know to deliver patient care and run our hospitals.  This is Organizational Knowledge (ISO 9001:2015, clause 7.1.6).  Then we need be sure that those persons working in our processes know “how” to use this knowledge to do their jobs (clinical, organizational, etc.).  This is Competence (clause 7.2).  Again, persons working in our processes need to be aware of how their performance, good or bad, affects our ability to meet our objectives.  Awareness is the “why” knowledge management (clause 7.3).

     As well, our accreditation addresses KM from the what, how and why perspectives.  The next two requirements from ISO ensure that we manage knowledge from a process perspective, including how we communicate (ISO 9001 clause 7.4) and how to control what we document for communication (clause 7.5).  Communication runs up, down and all throughout your hospital, based on your governance and organizational structure.  There are multiple venues in this structure for KM.  Most visibly, KM is achieved through documentation.  We have a long history (much of it checkered) of documentation in our accreditation.  Using it effectively is the challenge…I’ll use the term “right sized” to describe how to best manage Documented Information with regard to KM.
​
     In today’s hospital business environment, we cannot afford any slack in our knowledge management.  We need every resource we can afford (and some we cannot) to ensure patient safety, consistency in our care, compliance to a plethora of rules and laws and many others, all the while focusing on our purpose and strategy.  It’s a bit of a comfort and maybe even a surprise, that our accreditation gives us the platform to manage knowledge.  In my next article, I’ll discuss how we can use the platform from DNV GL to optimize KM for your hospitals.

Bio:
Ted Schmidt is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates, LLC. BlueSynergy Associates maximize innovation, experience and customer perspective to reduce risk and make hospitals a safer environment. He currently advises and instructs hospitals in quality, risk, safety and environmental management systems. He can be reached by email at tschmidt@bluesynergyassociates.com. Follow BlueSynergy on LinkedIn and Twitter
1 Comment

Risk-based thinking in healthcare 2.0

1/4/2017

1 Comment

 
    In my May 2015 article on Risk-Based Thinking (RBT), I discussed the current state of healthcare related to risk and our current performance as a profession.  Since that article, there have been other journal articles that showed improvements in our performance, related to risk, which we all know translates to patient safety.  Today I see that 241 hospitals appeared on the CMS HAC (Hospital Acquired Conditions) list for the third year in a row

    Rather than repeat the performance data detailed in the last article, I’ll spend more time on the benefits of implementing, maintaining and improving an integrated process and risk based management systems as part of your accreditation.
  
   Let’s start with some brief definitions.  Risk is defined as the effect of uncertainty on achieving objectives.  Risk-based thinking is not defined in our DNV-GL accreditation (specifically in ISO 9001:2015), but it was defined in a pre-cursor document to the 2015 version...and I like this definition.  Risk-based thinking is defined as the “process of considering risk qualitatively and possibly quantitatively when planning, implementing and managing a quality management system”. Aviation and nuclear industries use this definition of risk as it relates to operational and organizational processes.  This broadens some of the traditional definitions of risk (finance or legal) in healthcare. 
 
   We know that we are still very “siloed” in our hospitals.  We really understand our processes in our own silo, yet we are “under-aware” of the critical interactions our processes have with processes in other silos!  Negative issues manifest mostly when our efforts or our final products do not meet the need of the person or service in the next process.  This is a very real risk. 
 
     We need our processes to produce repeatable outcomes, based on process design, not on individual heroics.  Basic process management (understanding the processes and their sequence and interaction, which is a foundational element of your DNV-GL NIAHO accreditation) will enable you to better control and sustain those processes, especially those that require a high degree of consistency. You must include a risk consideration and work to improve consistency in those processes with the greatest risk.
 
     Hospitals should create a risk management framework, a defined organizational structure to manage risks, to help create better outcomes.  By creating a risk framework, integrated with our processes, we can produce a safer environment for our patients.  The need for heroics is diminished, since our processes are no longer “people- dependent”.
 
      While it is not a difficult process, it is the discipline to make these changes that is difficult.  Many of our contemporaries may not be open to change, so that hurdle must be addressed early. 
 
     Here’s how a sound, mature process and risk-based system can help you manage some current challenges. 
 
Value-based purchasing:  Moving to a “pay for performance” reimbursement model is the number one item keeping hospital CEOs and CFOs up at night in 2016.  Using the basic foundation that ISO 9001 presents, a closed-loop system for sustainability and improvement, a hospital can better manage contracted staff and ensure more consistent outputs of clinical services.  This also includes the ancillary or support activities, such as purchasing, EVS/EMS, Sterile Processing, etc., that can indirectly affect clinical outcomes.
 
HIPAA Compliance:  Now that fines are being levied for breaches (thanks to HITECH), maintaining privacy has become a real liability to our bottom line.  Using your design requirements to create and improve processes that factor in the risk of failure, you can best manage your IT, human factors and the interfaces between both.  Using the same closed-loop system described above, you can check the degree of effectiveness routinely before an event might  occur.
 
ICD-10 implementation: Implementing ICD-10 was a major undertaking.  There was a lot of confusion and anxiety associated with the change.  Working in an environment that manages processes well, (business as well as clinical) can ease the concerns brought about by changes such as ICD-10 implementation.  You have a defined approach for managing change that will create reasonable assurance that you considered all potential risks and worked to overcome all significant roadblocks. Additionally, the new requirements for awareness, specifically, the negative effect of non-conformance on the organizational objectives, increases internal communication and can reach across silos to ensure we're all doing the right thing.
 
MACRA: The uncertainty that this change is bringing in 2017 can be managed through similar requirements described above in value-based purchasing, etc.  In fact, most significant changes that occur in hospitals, can be managed effectively by optimizing the foundational elements of your DNV-GL accreditation.  By nature of the design of the quality management system being integrated into your hospitals business processes and strategic direction, the benefits just need to be identified and realized.
 
     Also, consider implementing an advanced level of internal auditing that works into your accreditation,  called Value-added auditing (VAA).  Value-added auditing provides a more mature and thorough look at all of your processes (clinical, financial, managerial and support) and can provide a prospective view (not just retrospective as internal audits have been historically) of your hospital operations. 
 
     We have to move from the silos we have created and understand how our processes affect other processes, directly and indirectly.  Inserting a risk management framework (risk-based thinking) into our process management will begin to optimize your accreditation.
 
     Commercial aviation made this leap to next level process and risk management years ago.  Having worked with NASA during these changes, specifically after the Columbia disaster, I understand how they broke down their silos and worked as a true system.  Though not perfect, they manage their processes and associated risks at the right level to gain that assurance that the mission will be a success.  Our patients deserve the same, clinically and financially.  If we don’t manage our business processes, we can go broke trying to help our patients.  If we don’t manage our clinical processes, we can go broke trying to defend ourselves in court. 
 
Ted is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates.  He advises and instructs hospitals in quality, risk and environmental management systems.  Ted led the largest ISO 9001 implementation in healthcare at the Veterans Administration.  He is a Senior Member of ASQ and a certified Lead Auditor in quality management systems by Exemplar Global.  He can be reached by email at tschmidt@bluesynergyassociates.com. 
1 Comment

Ransomware in healthcare organizations: Human Factor

10/9/2016

0 Comments

 
By: Jeff Harris, RPh

       Bob is a hockey fan. His Facebook timeline is filled with posts about his favorite team and his search for tickets. Bob also works in the department of Health Information Services for a major hospital in a large city. One day Bob receives an email at work informing him that he has won two tickets to the upcoming semi-finals in which his beloved team will be top seeded. Finally entering in every contest for free tickets that popped up on social media had paid off! He eagerly clicks on the link but nothing seems to happen. The next week the hospital's network is down and a shadowy group is demanding thousands of dollars to unlock critical records.
 
       What Bob experienced is called “spear phishing”.  Regular “phishing” is to cast a wide net and see who you can “catch”, similar to sending out large amounts of spam emails and hoping that the right person will click on the link. Spear phishing, in contrast, involves targeting a specific individual who has been researched through social media or otherwise and selected based on his accessibility to desired networks 
 
       Ransomware is a type of malicious code used by hackers to encrypt a target's files, making a healthcare organization unable to access critical patient data. Once the target clicks on the link and the system is corrupted, the hackers will then offer to unlock the files for a fee in untraceable currency.
 
       How prevalent is ransomware in healthcare organizations? One poll showed that up to 75% of hospitals reported have some sort of ransomware attack in the last year. Since this was self reported, it begs the question as to how many hospitals chose to quietly pay the ransom and not to disclose the attacks.
 
   There is an entire industry devoted to stopping ransomware, and many recommendations to combat these type of attacks including: having a robust back up system, making sure ALL hardware is updated with the latest patches – even the IV pumps in storage and used only rarely, and regular vulnerability scanning and penetration testing as outlined in HIPPA and HITRUST guidelines. 
 
      I do think that the biggest factor is being ignored, the human factor. According to CompTIA, an IT industry trade association, human error is responsible for 52% of breaches in network security. Our digital lives and our work lives are becoming increasingly intertwined. Perhaps training employees like Bob in the safe use of social media at home will go a long way towards creating a culture in which safe Internet practices are second nature at home and at work. Something has to be done. A study done in September 2016 by a security firm determined that employees download malware once every four seconds. More focus on this critical area is essential if we want to stop the relentless attacks on our health care records.

0 Comments

Using your DNVGL accreditation to maintain your HIPAA compliance 

7/31/2016

1 Comment

 

By: Ted Schmidt, RPh, CERM

       With the recent changes to the enforcement of HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act), “covered entities and their business associates” (aka hospitals and their providers) will now be subject to fines/penalties for noncompliance.  Since HIPAA was enacted in 2005, the consensus is that there has been little enforcement of these requirements.  Since the advent of HITECH in 2009, there is actual language in that act that calls for enhanced enforcement.  This enforcement will come from HHS as well as the states Attorney Generals.  With all of the recent publicity regarding hospital data breaches and PHI ransoms, we can expect to see much more activity in the enforcement arena.
 
       The enforcement of the "rules" from HHSs Office of Civil Rights (OCR) is now happening and findings of non-compliance can bring the hospital or entity significant fines.  Fines and penalties can go as high at $250,000 for “willful neglect” and up to $1,500,000 for repeat offenders.   A recent article stated that a nursing home system in Pennsylvania was fined $650,000 for repeat issues related to these rules. In today’s healthcare economy, that's money that the hospital or entity could better use somewhere else. No margin, no mission!  Writer’s Note- since I first started this article, it was announced that a health system in Oregon paid a $2.7 million fine to HHS for two (2) HIPAA breaches.
 
      The HIPAA and HITECH rules can be classified into three sets, which include: Privacy (with 81 requirements), Security (with 78 requirements) and Breach Notification (with 10 requirements).  These requirements form the foundation for the enforcement audits.  Maintaining compliance to these 169 requirements is not only required, but failing to do so can increase risk to your patients AND your hospitals reputation and of course, your bottom-line.  
 
     Compliance begins with conducting a risk assessment.  Federal law states that all healthcare organizations that are covered entities or business associates under the HIPAA Privacy and Security Rules conduct a thorough and accurate Risk Assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity (45 CFR Part 164.308(a)(1)(ii)(A)).  While there is much speculation about these security risk assessments, the government does give us some insights on the conduct of these assessments.  As reported on the HealthIT.gov website, the Top 10 Myths about Conducting your Security Risk Analysis can give some structure and understanding to the scope of this activity.  This “top 10 list” dispels some rumors about the intensity, frequency and methods that must be used to conduct this risk analysis.  However, as is typical in government requirements, the government does not give specific direction on “how” to do the risk analysis, but rather, “what” has to be done.  On the same webpage (HealthIT.gov), there are other valuable resources: a Security Risk Assessment (SRA) tool and a SRA Tool User Guide.  Both of these resources are valuable and available for download.
 
      The relationship between your NIAHO accreditation and HIPAA/HITECH is more evident with the recent updates from the US Department of Health and Human Services (HHS) and the release last year of ISO 9001:2015.  There are many controls that currently exist in your accreditation (NIAHO and ISO) that affect your compliance to these rules from HIPAA/HITECH. The following list of common HIPAA/HITECH findings are coupled with existing accreditation controls that would mitigate these findings:

Common Finding #1- Business associates (aka "suppliers", aka "contractors") are a common source of noncompliance.  These persons are controlled per your purchasing and contracting controls in ISO and NIAHO.  Properly written contracts will detail specific internal controls for managing devices, PHI, computer access, etc.  Also, required re-evaluation of these business associates will ensure compliance based on data collection, analysis, evaluation and possible actions of those highest risk activities.  NIAHO GB.3 and ISO 9001:2015 (8.4) are a part of your accreditation and your management “system”.  For instance, a business associate that has performance criteria (based on risk) in their contract will have metrics associated with those performance criteria.  Using the system of ISO 9001, when those metrics are measured, analyzed and evaluated, the results dictate if action is necessary.  This action could be no action, corrective action or preventive action (aka risk avoidance/mitigation).

Common Finding #2- Improper disposal of PHI.  Controls regarding disposition and protection of documented information (soft and hard copy) exist and all employees should be educated in this process.  This finding is strongly supported in your accreditation in ISO 9001 control 7.5.3.1.b (documented information adequately protected-which by the way includes soft and hard copy), 7.5.3.2.a & d (distribution and access of documented information and retention and disposition) and in NIAHO MR.4 (medical record confidentiality).

Common Finding #3- Hacking of computer systems.  Controls regarding maintenance of the infrastructure (hardware and software), addressing risk (which includes cyber-risk) and opportunities (ISO 6.1.2) as well as Physical Environment (PE.1) all require maintaining infrastructure from hacking.  

Common Finding #4- Lack of authorization for disclosing PHI.  There are controls to protect and safeguard patient property (ISO 9001 8.5.3), which includes PHI.  There are also controls in Medical Records (MR.4) to assure confidentiality of patients’ medical records.

      There is a silver lining that can be found in all of this complexity that we call hospital life…and that is your current accreditation provides the foundation for managing these potential, although common, HIPAA/HITECH non-compliances.  
 
     When you look at the basic structure of your accreditation, you’re reminded that it is built around the ever popular and ever effective, Plan, Do, Check, Act (PDCA) model.  This foundational structure is created to allow for full integration of a multitude of current other systems in your hospital, such as occupational health and safety, risk, environmental management, energy management, business continuity and even corporate social responsibility.    Managing your HIPAA/HITECH requirements should be no exception, as it relates to organizational risk.
 
      Your Security Risk Assessment (SRA) should be a part of an enterprise Risk Management system, not a risk assessment in it’s own silo.  There is too much opportunity for leaving white space blank, increasing redundancy and miscommunication when your HIPAA/HITECH risk assessment only considers the HIPAA/HITECH requirements.   The effect that other processes (risk and operational) have on your HIPAA/HITECH outcomes is mostly unknown until you consider risk from an enterprise perspective.  For instance, if you allow business associates to access your computer network remotely, are you certain that their access is appropriately protected so as not to compromise your network?  That’s how Target and Home Depot got hacked of their credit card data.  Could your business associates unknowingly leave a gate open when they leave your network? In either case, your hospital is now vulnerable and your hospital is responsible to pay any penalty for a PHI breach.
 
      Risk is risk no matter where it falls in your compliance requirements such as OSHA, FDA, HHS, DEA, state requirements, etc. HIPAA/HITECH risk, therefore, should be fully integrated with all hospital risk processes.  Risk should also be fully integrated at all levels, from the strategic level down to the transactional level.  In short, risk management for HIPAA/HITECH should be part of an enterprise risk management system. 
 
      We’ve seen the unsafe and embarrassing results of not managing our processes on an enterprise level (remember the IOM study “To err is Human”) and we’re still trying to dig out of that mess.  Fast-forward over 15 years and we’re still dealing with the same patient safety issues.  Why is that?  Aren’t we dedicated, smart people who come to work every day to help our patients?  We have failed in managing our processes properly but now we are hearing all about enterprise risk management.  To be certain, our risk management attempts will fail if we do not properly manage our processes and properly integrate risk with these processes.
 
     There are a multitude of management systems that are designed to help you manage your PHI that are integrated systems.  These include ISO 27001, Sans Top 20, COBIT 5 and NIST has several options to consider.  The primary consideration should be that your risk and process management systems be fully integrated into one system that covers your business as well as your clinical processes.  You’d never believe that your current accreditation meets this need.

Ted Schmidt is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates, LLC.  BlueSynergy Associates maximize innovation, experience and customer perspective to reduce risk and make hospitals a safer environment. He currently advises and instructs hospitals in quality, risk, safety and environmental management systems.  Ted led the largest ISO 9001 implementation in healthcare at the Veterans Administration.  He is a Senior Member of the American Society for Quality and a certified Lead Auditor in quality management systems by Exemplar Global. 
1 Comment

aligning your strategic vision with your business objective

6/30/2016

1 Comment

 
By: Ted Schmidt, R.Ph., CERM
 
      With all of the changes in healthcare reimbursements, how do you ensure that your hospital is properly funded to meet your financial/operational needs while achieving your hospital’s vision? These changes are especially concerning for Hill-Burton hospitals, Safety Net hospitals, and faith-based hospitals that serve a disproportionate share of indigent patients.
Picture
        Hospital resource changes in the last 3-5 years have been challenging.  Meaningful use, value-based purchasing, ACO’s, ICD-10, patient safety issues, cyber security all require additional resources that may not have been budgeted and funded.  In addressing these needs, your hospital’s focus on its vision may become fragmented.
 
     Fortunately, some of you may already have the architecture in place to help keep your focus, namely, your DNV-GL accreditation. By bundling NIAHO℠ with ISO 9001, DNV-GL creates the best platform for hospitals to address their clinical needs and achieve their Vision in a disciplined, proven system of management.  Here’s how it works:
 
     ISO 9001:2015 is part of your accreditation.  So, your accreditation requires hospitals to align their strategic and business processes with the quality management system.  Your accreditation also requires you to integrate your process management with your risk management.  Other requirements include creating and managing objectives (operational as well as financial); measuring your performance to your objectives; analyzing and evaluating your performance; and responding to your performance for improvements as needed. 
 
     Your hospital’s vision, mission and values are fundamental to success.  You need to know where you are going and whom you are going to serve…your vision.  You need a plan to get where you are going.  Strategic, tactical and operational plans are paramount to define your mission to achieve your vision.  And your hospital and personal values are those attributes that are key to your success.
 
     If you have a vision: “to be the healthcare provider of choice in the community” or  “to deliver care to the poor and underserved in the community”, your vision needs to be realized.  Your accreditation allows you to create high level objectives that will help you fulfill your vision.  The objectives created for the mission should always cascade from the vision objectives.  These mission objectives can be strategic (deploy homeless initiative in our community), tactical (develop and deploy teams of clinicians and social workers), or operational (teams focus on primary needs for women and children, specifically maternal and new baby services).  Your values will give you those attributes needed to be successful, personally and collectively. Many hospitals measure the degree of implementation of their values in their employee performance evaluations and surveys.
 
     You use risk-based thinking (RBT) to focus on what’s most important so you can maximize your resources.  RBT is nothing more than employing some activity to determine what could prevent you from achieving your objectives. Once you know where to create objectives and what objectives to create, fulfilling the objectives is achieved by creating more objectives at the lower layers.  These objectives cascade down to the lowest layer so that everyone’s work helps achieve your overall objective.
 
     To illustrate, the owner of any NFL team has to have full faith and confidence in his/her general manager. If the general manager is in lock-step with the head coach, the synergy is evident.  Together they manage the talent (current and future), the salary cap, the PR, etc.  When the same head coach is in lock-step with the team captain, then the players all work to help achieve the objectives.  In today’s NFL, a half-step taken incorrectly can ruin a play. One play can win or lose a game. It’s that predictable.  More over, the likelihood of the team achieving its vision is greatly enhanced when all of these layers align and the player taking the half-step is aware of the importance of that half-step.  It’s the same in hospitals.
 
     The old phrase in healthcare, “no margin, no mission” still applies today. Communicating your vision at all layers is as important as the objectives you need to achieve to reach your vision.  Cascading your objectives can help ensure your hospitals remain financially and operationally sound.  If you get it right at the high layer (the NFL team owner or the governing body in hospitals), you will have success at the operational layer.   The means for managing these objectives at all layers lies in your accreditation.  How about that?  You’re already paying for your accreditation!

Ted is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates.  BlueSynergy Associates maximize innovation, experience and customer perspective to reduce risk and make hospitals a safer environment. He advises and instructs hospitals in quality, risk and environmental management systems.  Ted led the largest ISO 9001 implementation in healthcare at the Veterans Administration.  He is a Senior Member of ASQ and a certified Lead Auditor in quality management systems by Exemplar Global.  He can be reached by email at tschmidt@bluesynergyassociates.com or by calling toll free at 844-424-7825.
 
​
​
1 Comment

alarm fatigue

5/24/2016

2 Comments

 
By: Jeff Harris, RPh

       In the mid 1960's, a man witnessed an awful multi-car pileup in San Francisco. That man also happened to have a PhD in psychology and was an inventor as well and he decided to do something about rear end collisions. The result was a third brake light installed at the top of the rear window in automobiles. Testing showed that the addition of the third light reduced rear end collisions by 50 to 60%.
Picture
Alerts designed to notify us of increased risk of an adverse outcome are all around us. My daughter's car has an indicator that notifies her when the tire pressure is low.

      I get a notification from my cell phone provider when our data limit is approaching. Arguably, the industry with the most alerts in in the modern hospitals. Physician order entry systems flag potential medication problems which is fine, but one study put the number of alerts physicians at one hospital must override to successfully input a medication at a whopping 17,000 per month. Pharmacists at the same hospital had to deal with 175,000 alerts per month. It sounds bad, until you consider a different study that looked at nurses in an ICU unit processing 381,560 alerts per month. That's 12,700 blinking, shrieking or otherwise annoying alerts 
a day. In one of the most understated examples of modern nomenclature, this is known as “alert fatigue”, which suggests it is an annoyance, rather that a safety issue.
 
       Clearly, it is a safety issue. A 2011 Boston Globe investigation found 200 deaths nationwide due to alarm fatigue. There are numerous case reports about heart monitors being turned off because of over-sensitive alarms followed by patient deaths because the alarm wasn't turned back on. It's easy to pass judgment in these cases, but how would you deal with 12,700 alarms to process in a day?
 
       The human brain is very good at blocking out distractions when immersed in a cognitive-heavy process. After so many overrides, a distraction is what they become. Software vendors and health care organizations are hesitant to reduce the level of alerts out of fear of liability. What would happen if, in the era of the “smart car”, the brake lights come on not when the brakes are applied, but when the algorithm decides they should come on to alert drivers behind the vehicle. Of course the auto companies would err on the side of caution, resulting in the lights being on for longer periods of time than before because of liability. How long would it take for the human brain to filter out this as a distraction? I'm thinking not very long.
 
Jeff Harris is a Pharmacist with over 25 years of leadership experience in hospital, retail, and home health environments. Due to a spinal cord injury, he is currently on long term disability.  Jeff is passionate about patient safety, risk management and cybersecurity issues in healthcare.  He continues to research and write about improving healthcare on a pro-bono basis. He can be reached by email at support@bluesynergyassociates.com. Follow BlueSynergy on LinkedIn and Twitter . 
2 Comments

Working with Conway's Law

4/27/2016

0 Comments

 
By: Eric Schulze

      In order to fully realize the benefit of process and risk management, we need to understand Conway’s Law to design better systems and processes.  ​If you were familiar with Conway’s Law, it might appear that healthcare is stuck in a viscous cycle, so how would we begin? 
​
Picture

       If you are not familiar with this term, let’s first define Conway’s Law.   Melvin Edward Conway is a computer scientist, computer programmer, and hacker who coined what's now known as Conway’s Law: "Organizations which design systems are constrained to produce designs which are copies of the communication structures of these organizations." In other words, our communication structure of our hospital constrains our ability to design better systems and processes.  I would say the Conway’s Law is applicable to our profession of healthcare.
 
     Let’s unpack this concept to discuss.  Our communication structure conveys a lot about our organizational culture.  If information flows freely between all disciplines and levels in the hospital, we are more “aware” and likely working together diligently to meet our objectives, mission, vision, etc.  If our communication structure is one that does not effectively share information, etc., we see more siloes and, therefore, less cohesion.  More communication is more stewardship; we all realize that we have a common goal and we all work together to achieve that common goal.  If this open communication structure is institutionalized and part of our culture, we achieve optimal results.  The opposite is also true. 
 
     The constraints experienced by a poor communication structure prohibit a hospital from reaching peak efficiency, possibly even effectiveness.  Effective communication is the key to managing critical and complex healthcare processes.  Managing the interfaces or “hand-offs” in a process or between processes is likely the most difficult and often the most important step.   Wasn’t it about 15 years ago that TJC implemented a standard for the nursing/clinical “hand-off” process?
 
      If our communication structure is average, do we therefore design average processes? Robust communication structures actually affect more than just process and system design.  Walk through a hospital with an effective communication structure and you will find sustainable processes producing intended results by employees that are aware of how their specific job/task affect the bigger picture.  Hospitals are tough on change.  Historically, we survived our shifts by mastering “work arounds”.  Work arounds do not exist in a well-designed process; we trust the process and the process works.  It is reliable.
 

     The most difficult components to change are the culture and communication.   Enhance communication and you enhance awareness.  Enhance awareness and you have created a platform for culture change and innovation. Process reliability is ensured through a robust process design.  The benefits to your hospital and your patients will be realized when both components are achieved. 

0 Comments

would you hire a food critic to teach you how to cook? 

3/7/2016

0 Comments

 
Picture

​or...3 reasons why your QMS and accreditation is likely frustrating you and disappointing your leadership
By: Eric Schulze, CERM

      Many hospitals have started the ISO 9001 journey. This journey probably started because the hospital wanted a fresh and new approach with their accreditation.  For the first time a hospital could begin to decide how they would meet requirements and not have to abide by a prescriptive way of doing things.

     To implement the DNV-GL accreditation requires a hospital to establish a formal quality management system (QMS). This QMS is based on the framework of ISO 9001:2008 and now requires a transition to the 9001:2015 standard. But guess what, ISO only tells you WHAT you have to do and not HOW to do it. Now the problem begins, so let’s look at these 3 reasons to gain understanding.

     Reason number 1: The original message on how to best learn and implement ISO 9001 was to send someone to an ISO 9001 Lead Auditor course.  This course is intense and overwhelming for many of the attendees. I know because I have taken the course myself and my hand never really did recover from all that writing. In addition to being a student in one of those courses, I am a trainer for the week long course. Yes, that is right, I admit it.  I am one of the few trainers for the 9001 Lead Auditor for Healthcare course in addition to the 9001 Internal Auditor course for healthcare.  The lead auditor course really is a great course. It is accredited by Exemplar Global and at the end of the course; you get a certificate which is a personal certification to the lead auditor requirements. Great! But what does that mean exactly?

      That means you have successfully completed a training course (Congratulations, you did earn it!) which is a requirement to be a lead auditor for a certification body – like DNV-GL. In addition to one of these lead auditor courses, you must perform a number of ISO 9001 audits (measured in days) where you were the lead auditor and some you may have just been a team member. Then you submit your audit log, certification number from your class, and of course a check (over $500 the first year) to one of the ISO accreditation bodies like Exemplar Global and now you are an official card carrying lead auditor for an ISO 9001 QMS (I admit I am one of those nerds). Why would you do that? Because it is a requirement to be a lead auditor for a certifying organization like DNV-GL and other registrars. It really is a great course, BlueSynergy Associates offers it for a reason and we deliver the course in-house and publicly.

      Question: Did you notice how I never mentioned how this course will help you plan, document, implement, and improve your 9001 QMS, especially how to transition to the new 2015 standard? - That’s right; I did not say any of those things. Here is a better option for those looking for more or better education, especially as it applies to helping a hospital move from being a reactive culture to being a proactive one – think “PRN”.  Click the “better option” link above and see what I mean.

     Reason number 2: Most of the common implementation methods that you have been exposed to came from the automotive & manufacturing industries.  I don’t consider healthcare as an industry, we don’t have smoke stacks filling the sky and we certainly do not produce standardized “widgets”. Healthcare is a profession. It is a profession in which we provide  complex services to people, our patients. When our processes fail we potentially harm a person; when manufacturing fails they make an inferior product. Big Difference!

     BlueSynergy Associates offers a FREE webinar. The webinar covers some of the changes from the 2008 standard to the 2015 standard, an intro to risk-based thinking, and some thoughts on transition planning. It is an hour in length and it is delivered entirely from the healthcare perspective.  Check it out or forward it to a friend, or even better, check it out and forward to a friend.

     Reason number 3: You hired a food critic to teach you how to become a chef! Wait, what? Let me explain. Hiring a consultant with a background primarily in surveying / auditing to provide input for your QMS is like hiring a food critic to teach you how to cook. Being a great food critic does not make you a chef. A food critic has many talents and has sampled a lot of food presumably, but knowing how to critique food does not necessarily translate to knowing how to teach someone how to cook.

     I’ll explain further. Many ISO surveyors become consultants or moonlight as consultants. This brings some benefits as well as some shortcomings (see Reason # 2 above, guess where they got their start?).  Think of a former ISO surveyor as the food critic. Their job as a surveyor is to look for compliance; are you meeting your requirements. Being compliance minded is the major drawback. Yes, they have seen many examples of how to meet a requirement (food critic), but most truly lack the experience ofhow (chef) to use ISO standards as a performance framework. If you use a chef to teach you how to cook and a food critic to tell you objectively what you are missing, you will have better outcomes. Each individual is working in an area they know best.

      Now let’s put a bow on these problems. Each year, your leadership is expected to manage costs and improve the value of care you provide to your patients.  The DNV-GL accreditation model was built with these same goals in mind. However, your QMS that is maturing, is not showing the ROI everyone had hoped and may not be maturing at the rate necessary to keep up with increasing demands on your hospitals’ needs.  Your internal audit program and all of your internal auditors are supposed to add value through the internal audits and their findings. Yes, they do have findings, but no one is necessarily sure how or if the findings are seen as a value to leadership and that the resources applied to your QMS & accreditation are producing results which are truly recognized as an asset to your hospital.    

     Your transition to the 2015 standard is the perfect time to pivot your QMS and show your leadership that accreditation doesn’t have to cost, it should pay. After all, this is likely why many hospitals left TJC and moved to DNV-GL. The 2015 QMS standard requires integration of your patient care with your strategy and business processes. This alignment will help drive high reliability as well as high value patient care.
   
​      Some questions to ponder?
  1. Do you think that simply rebranding ISO 9001:2008 courses for ISO 9001:2015 will help you realize value? 
  2. Do you think this same way of thinking will help you pivot your QMS to the original vision you had with DNV-GL?

     Thank you for your interest and time to read all the way to here.  I am passionate about what I do and I would welcome the opportunity to learn more about you and the journey your hospital is taking to sustainable improvement. I can be reached by email at eschulze@bluesynergyassociates.com and by calling me toll free at 1-844-424-7825. Your comments are always welcome.

​Until next time,
Eric 
0 Comments

Process Design for Patient Safety

2/9/2016

0 Comments

 
Picture
By: Ted Schmidt, R.Ph., CERM
February 6, 2016

 
      Recently, I wrote about the benefits of using the SIPOC diagram for process identification and process control.   As a profession, we continue to struggle with this concept of process approach or process management.  
      We too often revert back to our old practices of addressing issues by revising our procedures and conducting training on the newly revised procedure.  We should be smart enough not to keep doing the same things and expect different results.  

      Here’s a summary of the effects of our decades of managing issues by procedure changes and training: ​
  •     Medication errors occur in one-half (50%) of all surgeries
  •     One in three patients are harmed during a hospital stay and of this 33%, 7% either    die or are permanently harmed
  •     John James, Ph.D., states, “the true number of premature deaths associated with preventable harm to patients was     estimated at more than 400,000 per year”
  •     ECRI Institutes 2015 List of Top 10 patient safety concerns are all process safety related.
  •     The number of hospitals that received an "F" safety grade from Leapfrog increased from 20 in the spring to 34 this fall (2015).
 
     How does this continue to be acceptable in 2016?  I realize that many smart people are working diligently to fix these issues.  However, until we change how we look at our hospitals as a series of complex processes and begin to manage these processes, we will never make any meaningful effect on these dire statistics.  
 
     Enter ISO 9001:2015, Clause 8.3 Design and development of products and services.  It’s that last word “services” that gives us the hook.  Design and development in ISO 9001:2008 only required products and “may also apply the requirements given in 7.3…of product realization processes”.  The option for processes (aka services) disappears in 2015.   This presents an opportunity to make a cultural shift in how we now address issues from a process perspective.
 
     By taking the time to understand our critical processes, their sequence and interaction, we are more capable of improving our processes.  The disciplines of Clause 8.3 will now allow us a structured method of redesigning these processes for sustainable solutions.   While this is not rocket science, it is often perceived as such.
 
     Case in point, while I was conducting training at a very respected hospital system during the height of the “Ebola Crisis”, Every participant would leave intermittently to attend training on how to manage an Ebola patient should one present to their hospital.  The individual responsible for creating and conducting the training was also in our class.  When we began using the Ebola crisis as an example of managing processes, I was shocked when that individual bolted out of the class.  We simply discussed all of the possible “inputs” to managing an Ebola patient by including the Valet Parking attendants as one possible input.  That’s when he bolted.  This respected hospital system had not considered that possible input of an Ebola patient.  Didn't Deming say that if you put a good person in a bad process, the bad process always wins?
 
     This new requirement for controlling the design and development of our processes could not have come at a better time for healthcare.  Implementing this new requirement should not be taken lightly.  The lives that it may save will help us begin to whittle away at those shocking statistics above.  Let’s make Deming’s saying passé in healthcare.  Let’s only accept what our patients expect- good processes.
0 Comments

December 23rd, 2015

12/23/2015

0 Comments

 

new staff and your document control

Picture
     First, let’s understand that document control is actually about controlling information which needs to be effectively communicated.  A controlled process needs effective communication to be capable of delivering consistent outcomes. Therefore, we decide to create documentation to support a process.
 
     In the course of 12 months, how many new staff is brought on board in your hospital? Every one of these new people, eager to be successful, is bringing some type of document control baggage with them. Your process to implement and maintain document control is not just being influenced by your hospital’s culture but by the culture of every new staff member your hospital hires - every year.
 
     Your new hires are bringing to your organization habits they formed from their previous experiences.  These experiences will include using document control software and or managing documents manually. Someone who is not comfortable with computers may be used to having paper in their hand and available whenever they want it, while someone else may be more comfortable using an electronic file. The human factor greatly influences your document control process.
“We become what we repeatedly do” – Sean Covey
 
What may contribute to document habits?
  • Paper documents in binders everywhere
  • Ability to print any document on demand
  • Poor search ability in software
  • No formal document control
  • How documents are named  
 
     Habits are part of the behavior of people. We tend to default to what we know and are comfortable with, especially during times of stress. Starting a new job with a new organization is stressful for most; in healthcare we add the additional layer of providing safe and effective patient care.
 
     Learning a new process for document control is as much about changing the behaviors of people as it is learning a new way to do something.  Typing “behavioral change” in a search engine yielded 23,200,000 results in .46 seconds.  I doubt that document control was one of the results.  If a behavioral change needs to happen to support your document control, how much time or effort is put into discovering why the habits formed in the first place?  Consider learning more about the confidence your new staff had in their formal document system and think about what habits they may have developed based on their answers. It is difficult to mitigate what you don’t know.
 
     Your document control will forever be influenced by the habits of new hires. Developing techniques to mitigate their influence from a proactive perspective and not a reactionary one will make your journey of controlling your documents a little easier.
 
     Thank you for your interest and time to read all the way to here.  I am passionate about what I do and I would welcome the opportunity to learn more about you and the journey your hospital is taking to sustainable improvement. I can be reached by email at eschulze@bluesynergyassociates.com and by calling me toll free at 1-844-424-7825. Your comments are always welcome.
​
​Until next time,
Eric
0 Comments
<<Previous

    Author

    We have a passionate vision to create meaningful change in healthcare by reducing risk and thereby providing a safer environment for patients.

    Archives

    December 2017
    January 2017
    October 2016
    July 2016
    June 2016
    May 2016
    April 2016
    March 2016
    February 2016
    December 2015
    November 2015
    October 2015
    September 2015

    Categories

    All

    RSS Feed

About You
About Us
Services
Education/Webinars
Resources
Blog
Contact Us

Call us toll free:
​1.844.424.7825

© 2016 BlueSynergy Associates, L.L.C.
  • Home
  • ABOUT
    • About You
    • About Us >
      • Twitter Feed
    • About DNV GL Healthcare
  • Services
    • Advising
    • Contract Auditing/Surveying
    • HIPAA / HITECH
    • Risk
    • Training/Education
  • Resources
    • Original Articles >
      • Accreditation Articles
      • Audits/Surveys Articles
      • Communication Articles
      • Cyber Risk / Cyber Security Articles
      • Education Articles
      • Medical Staff Articles
      • Process Articles
      • Risk Articles
      • Quality/Quality Tools >
        • ISO 9001:2015 FAQ's
    • Shared articles >
      • HBR article- Hospitals can't improve without better management systems
      • Becker's- 3 Ways hospitals can improve profitability in 2016
    • Past Newsletters (Progress Notes-PRN)
  • Tools
    • Prioritization Matrix
    • Heat Maps
    • Preliminary Risk Assessment
  • Revenue Cycle
  • Contact Us