Risk management in hospitals and at other operators

Laws require risk management in hospitals, especially in order to improve patient safety. Nevertheless, many hospitals find this difficult.

This article presents the most important regulatory requirements and provides tips for implementation.

1. Typical risks in a hospital

a) Risks for patients

The most important risks for patients include:

• risks due to incorrect diagnoses and treatments, e.g., medication errors and complications during operations
• risks due to inadequate care, which can lead to pressure sores, for example
• risks due to a lack of hygiene standards (or compliance with them), which in turn favors infections
• risks due to unsafe or incorrectly used and connected medical devices
• risks due to inadequate data protection, which leads to the disclosure of personal data due to malicious external attacks as well as internal errors

b) Risks for all people in the hospital

Patients, as well as medical staff and other people such as visitors, are also exposed to general risks:

• risks from lack of occupational safety, which include risks from gases, poisons, radiation, syringes, and falls
• risks due to violence and theft
• risks from fire (e.g., flammable gases) and electrical energy

c) Risks for the hospital as an organization

Hospitals themselves and other operators are also exposed to risks:

• financial risks, in particular, due to uncertain financing, rising prices, and lawsuits
• regulatory risks, as the healthcare sector is a highly regulated market
• risks due to the shortage of skilled workers and a lack of affordable equipment and consumables
• other business risks, such as political decisions

2. Legal requirements for risk management in hospitals in Germany

In order to manage the risks for patients in particular, hospitals in Germany must comply with many legal requirements:

a) German Social Code V

Section 135a of the German Social Code (SGB V) obliges hospitals to provide quality assurance for the performance they deliver. According to Section 136, the Federal Joint Committee determines which criteria a quality management system must fulfill.

The G-BA has also set minimum standards for risk management and error reporting systems, which hospitals must report on in their quality reports in accordance with § 136b. § 135a directly mentions the "internal and cross-institutional risk management and error reporting systems."

It is worth mentioning the German Social Code V § 75c, which explicitly addresses IT security and thus indirectly requires risk management.

b) Requirements of the Federal Joint Committee (G-BA)

Details of the error reporting systems are determined by the Federal Joint Committee in its "üFMS-B" determinations. In its quality management guideline (QM-RL), the G-BA determines these error reporting systems as particularly important components of quality and risk management.

The quality management guideline is binding for panel doctors and hospitals. It requires

• quality management with the phases Plan - Do - Check - Act (Fig. 1),
• risk management systems, and
• error reporting systems in medical care, including in the context of operating theaters, medical technology, hygiene, and drug therapy safety.

§ Section 2 of the directive requires that "risks should be recognized and problems avoided through the identification of relevant processes, their safe design and their systematic presentation (...)."

The guideline does not explicitly address medical technology or IT. One exception is the requirement for information security and data protection. However, the risks posed by a lack of IT security represent a significant part of the risks in hospitals.

Compared to ISO 14971, the requirements of the guideline on risk management are not very specific.

c) Patients' Rights Act

The Patients' Rights Act also aims to reduce risks and errors in treatment. The Patients' Rights Act requirements have been incorporated into the German Civil Code and the German Social Code V (see above).

d) Medical Device Operator Ordinance (MPBetreibV)

The Medical Devices Operator Ordinance (MPBetreibV) sets out requirements for the installation, operation, use, and maintenance of medical devices and is therefore aimed at operators such as hospitals.

The MPBetreibV obliges these operators to perform risk management in two ways:

1. They must control risks in their organizations.

2. They are part of a higher-level system for risk control, which is why they are obliged to report risks.

ad 1: Control risks

The requirement to ensure safety can be found, for example, in Section 4 of the MPBetreibV:

Interconnected medical devices and medical devices with accessories, including software or medical devices connected to other objects, may only be operated and used if they are suitable for this purpose, taking into account their intended purpose and the safety of patients, users, employees, or third parties.

Source: MPBetreibV § 4, Section (4)

The regulation thus forms the legal basis for obliging hospitals and other healthcare providers to perform risk management as soon as they connect medical devices or integrate them into an IT network:

• The connection, combination, or integration may only take place within the scope of the intended purpose of the manufacturer of the medical device.
• The connection, combination, or integration may only take place if it is proven that it is suitable for the safety of patients, users, and third parties.

The requirement to demonstrate the suitability of a "combination" for the safety of patients, users, and third parties can be fulfilled in two ways:

• Appropriate hospital risk management documentation
• The manufacturers themselves legitimize certain combinations by communicating the intended purpose of the individual products.
   

This means that if an operator such as a hospital networks a medical device such as an ultrasound imaging device with the IT network in order to send and exchange data, the hospital must consider how it can prove that Section 4 of the MPBetreibV is fulfilled.

When integrating an ultrasound device into the IT network, DIN EN 80001-1 can be used to prove that this networking is safe for patients, users, and third parties via the risk management in the hospital described in this standard.

ad 2: Report risks

The MPBetreibV only uses the term "risk" in § 6 Medical Device Safety Officer. This person must report risks associated with medical devices, as required by the Medical Device User Notification and Information Ordinance.

Quality assurance system for medical laboratories

For diagnostic laboratories in hospitals, § 9 of the MPBetreibV requires a quality assurance system to be set up at least in accordance with Part A of the "Richtlinie der Bundesärztekammer zur Qualitätssicherung laboratoriumsmedizinischer Untersuchungen" (Rili-BÄK). The Rili-BÄK requires "risk-based quality assurance" and a description of risk management.

e) MDR and IVDR

Hospitals that manufacture in-house medical devices and IVDs must comply with Article 5, paragraph 5 of the MDR and IVDR respectively. This includes the implementation of Annex I of the respective regulation with the risk management requirements set out therein. For hospital laboratories, compliance with the ISO 22367 standard is recommended in order to meet the requirements.

f) Further requirements

Article 35 of the GDPR describes the need for a data protection impact assessment. This, in turn, requires a risk assessment and evaluation.

Article 32 (1) of the GDPR explicitly refers to the probability of occurrence and severity of the risks.

3. Implementation of risk management in hospitals

a) Best Practices

As required by the G-BA, a risk management system should be part of the overarching quality management system. The risk management system should have the following elements:

Top management

The "top management," typically the executive board, must demand risk management in the hospital and promote a culture of error.

Processes and QM system

For risk management to actually take place in the hospital, it must be embedded in the processes of the QM system. Examples of such processes are:

• process to annually readjust the risk management objectives and review the achievement of these objectives
• treatment processes that have interfaces with risk management (e.g., measures to be taken in the event of critical situations occurring)
• all processes for recording and processing errors and complaints
• processes for changing the IT landscape or medical technology
• processes for corrective and preventive actions

Infrastructure and resources

As required by the G-BA, an error reporting system (Critical Indicent Reporting System, CIRS) is needed to systematically collect (also anonymously) information about errors and learn from them.

Top management must provide sufficient resources (people, equipment) for all of these elements.

Methodology and competencies

Effective risk management requires that employees have the necessary competencies to, for example

• identify hazards, for example, with the help of FTA, FMEA, PHA
• assess risks and estimate the probability and severity of possible harm
• decide on the acceptance of risks
• identify and implement suitable measures
• orchestrate the people involved in risk management and moderate meetings
   

b) Worst Practices

"The fish rots from the head". This also applies to risk management.

• If the management believes it can delegate the issue completely, the message to the organization is clear: "Risk management in hospitals is not that important, at least not in ours."
• Managers who do not admit their own mistakes do not set a good example for an error culture.
• Emphasizing the importance of risk management but not allocating resources is dishonest or at least inconsistent.

The hope will be dashed that the introduction of a tool is the end of the task. Nor will the hope be fulfilled that a functioning error reporting system alone proves the legal requirements for risk management.

4. Impact on manufacturers

The requirements for risk management in hospitals and other facilities may also have an impact on manufacturers of medical devices and IT solutions:

• Manufacturers must specify in the intended purpose which devices their medical device exchanges which data with.
• They should specify how operators should integrate the systems and check that this integration works.
• This also includes specifying who is authorized to carry out this integration (manufacturer, operator, or third parties on behalf of the operator).
• Information from the manufacturer on the consequences (risks) resulting from faulty integration is helpful for the operator's risk management.
• Manufacturers must define the requirements for the operation of the systems, including the requirements for IT security and networks. This is also required by the MDR and IVDR:
  
  
  The instructions for use shall contain all of the following particulars:
  for [...] software [...] minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.

MDR Annex I, Section 23 (ab)

5. Summary and conclusion

Risk management in hospitals must be an integrated part of quality management.

Reasons:

• The processes are interlinked.
• Poor quality leads to risks for patients, staff, and third parties.
• Poorly trained and overworked staff increase the risks.

Conversely, good risk management will not only reduce risks but also contribute to the hospital's success because good quality pays off.

Risk management is a matter for the boss, even in hospitals.

Change history

• 2024-03-26: Requirements of the MPbetreibV for medical laboratories in chapter 2. d) and new chapter 2. e) on the requirements of the MDR and IVDR added
• 2023-12-07: Article completely rewritten
• 2018-05-02: First version of the article created