Laws require risk management in hospitals, especially in order to improve patient safety. Nevertheless, many hospitals find this difficult.
This article presents the most important regulatory requirements and provides tips for implementation.
The most important risks for patients include:
Patients, as well as medical staff and other people such as visitors, are also exposed to general risks:
Hospitals themselves and other operators are also exposed to risks:
In order to manage the risks for patients in particular, hospitals in Germany must comply with many legal requirements:
Section 135a of the German Social Code (SGB V) obliges hospitals to ensure and develop the quality of the services they provide. According to Section 136, the Federal Joint Committee determines which basic requirements an institution-internal quality management system must fulfill.
The Federal Joint Committee (G-BA) is the highest decision-making body of the joint self-administration of doctors, dentists, psychotherapists, hospitals, and health insurance funds in Germany. In the form of guidelines, it determines the benefits catalog of the statutory health insurance (SHI) for more than 70 million insured persons, and thus which medical services are reimbursed by the SHI. The G-BA also decides on quality assurance measures for the outpatient and inpatient sectors of the healthcare system.
The G-BA has also set minimum standards for risk management and error reporting systems, on which hospitals must report in their quality reports in accordance with § 136b. § 135a directly mentions the "internal and cross-institutional risk management and error reporting systems."
Also worth mentioning is § 75c SGB V, which explicitly addresses IT security in hospitals: it obliges them to take appropriate organizational and technical precautions, in line with the state of the art, to prevent disruptions to the availability, integrity, and confidentiality of their IT systems. Appropriate measures cannot be selected without assessing the risks first, so § 75c indirectly requires risk management as well.
Details of the error reporting systems are determined by the G-BA in its "üFMS-B" determinations on cross-institutional error reporting systems. In its quality management guideline (QM-RL), the G-BA designates these error reporting systems as particularly important components of quality and risk management.
The quality management guideline is binding for panel doctors and hospitals. It requires
Section 2 of the guideline requires that "risks should be recognized and problems avoided through the identification of relevant processes, their safe design and their systematic presentation (...)."
Apart from the requirement for information security and data protection, the guideline does not explicitly address medical technology or IT. However, the risks arising from a lack of IT security make up a significant part of the risks in hospitals.
Compared to ISO 14971, the requirements of the guideline on risk management are not very specific.
The Patients' Rights Act also aims to reduce risks and errors in treatment. The Patients' Rights Act requirements have been incorporated into the German Civil Code and the German Social Code V (see above).
The Medical Devices Operator Ordinance (MPBetreibV) sets out requirements for the installation, operation, use, and maintenance of medical devices and is therefore aimed at operators such as hospitals.
The MPBetreibV obliges these operators to perform risk management in two ways:
1. They must control risks in their organizations.
2. They are part of a higher-level system for risk control, which is why they are obliged to report risks.
The requirement to ensure safety can be found, for example, in Section 4 of the MPBetreibV:
Interconnected medical devices, as well as medical devices connected to accessories, including software, or to other objects, may only be operated and used if they are suitable for use in this combination, taking into account their intended purpose and the safety of patients, users, employees, or third parties.
Source: MPBetreibV § 4, Section (4)
The regulation thus forms the legal basis for obliging hospitals and other healthcare providers to perform risk management as soon as they connect medical devices to one another or integrate them into an IT network.
The requirement to demonstrate the suitability of a "combination" for the safety of patients, users, and third parties can be fulfilled in two ways: either the manufacturer has already described the combination, or the operator assesses it itself.
For example, the instructions for use of a blood pressure monitor may state that the device transmits the measured values via a data interface that can communicate with any common hospital information system (HIS). The operator can then rely on this information. If a combination is not described, the operator creates a system for which it must itself take responsibility, and therefore must carry out its own risk management.
This means that if an operator such as a hospital connects a medical device such as an ultrasound imaging device to its IT network in order to send and exchange data, the hospital must consider how it can demonstrate that Section 4 of the MPBetreibV is fulfilled.
When integrating an ultrasound device into the IT network, DIN EN 80001-1 can be used to demonstrate that this networking is safe for patients, users, and third parties, by means of the hospital-side risk management process described in this standard.
Read more about DIN EN 80001-1 and controlling IT risks in hospitals here.
The MPBetreibV uses the term "risk" only in § 6 (Medical Device Safety Officer). This person must report risks associated with medical devices, as required by the Medical Device User Notification and Information Ordinance (MPAMIV).
For diagnostic laboratories in hospitals, § 9 of the MPBetreibV requires a quality assurance system to be set up at least in accordance with Part A of the "Richtlinie der Bundesärztekammer zur Qualitätssicherung laboratoriumsmedizinischer Untersuchungen" (Rili-BÄK). The Rili-BÄK requires "risk-based quality assurance" and a description of risk management.
Hospitals that manufacture in-house medical devices and IVDs must comply with Article 5, paragraph 5 of the MDR and IVDR respectively. This includes the implementation of Annex I of the respective regulation with the risk management requirements set out therein. For hospital laboratories, compliance with the ISO 22367 standard is recommended in order to meet the requirements.
Article 35 of the GDPR describes the need for a data protection impact assessment, which in turn requires the risks to the rights and freedoms of data subjects to be assessed and evaluated.
Article 32 (1) of the GDPR explicitly requires technical and organizational measures appropriate to the risk, taking into account its probability of occurrence and severity.
As required by the G-BA, a risk management system should be part of the overarching quality management system. The risk management system should have the following elements:
The "top management," typically the executive board, must demand risk management in the hospital and promote an error culture in which errors are reported openly and learned from rather than concealed.
For risk management to actually take place in the hospital, it must be embedded in the processes of the QM system. Examples of such processes are:
As required by the G-BA, an error reporting system (Critical Incident Reporting System, CIRS) is needed to systematically collect information about errors and near misses (including anonymously) and to learn from them.
Top management must provide sufficient resources (people, equipment) for all of these elements.
Effective risk management requires that employees have the necessary competencies to, for example
Risk management is a team task in which doctors must be just as involved as nursing staff and experts in quality management, medical technology, and IT.
"The fish rots from the head". This also applies to risk management.
Anyone hoping that introducing a tool completes the task will be disappointed, as will anyone hoping that a functioning error reporting system alone demonstrates compliance with the legal requirements for risk management.
The requirements for risk management in hospitals and other facilities may also have an impact on manufacturers of medical devices and IT solutions:
MDR Annex I, Section 23.4 (ab)
Risk management in hospitals must be an integrated part of quality management.
Reasons:
Conversely, good risk management will not only reduce risks but also contribute to the hospital's success, because good quality pays off.
Risk management is a matter for the boss, even in hospitals.