University of Quebec, Montreal, QC, Canada
Received date: February 15, 2016; Accepted date: February 19, 2016; Published date: February 25, 2016
Citation: Poba-Nzaou P. Electronic Health Record in Hospitals: A Theoretical Framework for Collaborative Lifecycle Risk Management. J Healthc Commun. 2016, 1:2. DOI: 10.4172/2472-1654.10008
Electronic health record (EHR); Risk management; System lifecycle; Collaboration; Hospital
Prior research has generated substantial knowledge about information technology (IT) risk management in general and clinical information systems in particular. Nonetheless, in recent years, important accumulated signs have shown that this wisdom, due to some limitations, might not be adequate in forging useful insights for managing risk associated with electronic health record (EHR) in a hospital context. I aim to shift thinking away from two such held major limitations of the extant literature on IT risk management: (1) one-phase focused, as opposed to considering the whole system lifecycle, and (2) client-centric or health care provider (adopting organization) view, as opposed to considering all key players (health care provider, health care payer, software vendor, payers, etc.).
In doing so, this essay attempts to draw researchers’ attention to the following issue: How should hospitals manage the risk of EHR throughout the entire system lifecycle? Drawing from Poba-Nzaou  and Poba-Nzaou and Raymond , I articulate a conceptual framework for addressing this issue and framing important questions for future research as well as generating insights for improving hospitals’ practices.
In order to cope with the unsustainable rising costs of health care, several governments in industrialized countries including the US, France, Germany and the UK, are driving initiatives through regulations or financial incentives so as to accelerate the adoption of Electronic Health Records (EHRs) by primary care providers as well as hospitals [3, 4]. Electronic Health Records (EHRs) are a growing phenomenon that is considered the cornerstone of modern healthcare systems of the current information age to the extent that, “failure to adopt an EHR system may constitute a deviation from the standard of care” . In this context, it is worth noting that there have been limited studies on EHR implementation in hospital settings  despite the fact that hospitals account for a substantial share of total health care spending. In fact, they account for over one-third in the US and Canada  and with at least 25% to 60% in the EU depending on the country .
EHR is defined as an “electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one health care organization . EHRs entail high potential benefits and high likelihood of improving individual patients and populations health outcomes (e.g. –clinical outcomes- reductions in medication errors, improved quality of care; organizational outcomes- financial and operational benefits; and societal outcomes- improved ability to conduct research, improved population health, reduced costs [10, 11] that are often challenged by their high level of risk that is persistent over time all along the EHR lifecycle as it is for other software packages [12, 13]. Implementation of clinical information systems in general and EHR in particular has had limited success . The failure of an EHR implementation or the poor management of EHR risk associated with its use may hamper a hospital’s ability to generate potential benefits in addition to putting patients’ lives at risk and wasting scarce resources. In a broad sense, the poor management of EHR risk has resulted in a high level of dissatisfaction of hospitals with their EHR systems to the extent that recent surveys have reported that about 20% of hospitals want to retire their current EHR and switch to another system [15, 16]. In more concrete terms, it has resulted in poor system usability, deficiency in important functionalities, low levels of interoperability, low levels of customizability, and high levels of system vulnerability with regard to security and privacy. In this regard, it is important to note that even successful implementations of EHR have not always generated the expected, later benefits. Hence, it is not surprising to find that, “in the excitement over [EHR], the potential risks associated with it have received less attention” . The above mentioned shortfalls faced by hospitals give rise to the following managerial and research issue: How should hospitals manage the risk of EHR throughout the entire system lifecycle? I postulate that in order to reduce the contingency of EHR failure and increase the likelihood of improving individual patient and population health outcomes, hospitals should identify and assess their associated risks, at the earliest possible moment in the system’s lifecycle, that is during the adoption phase [2, 17] in collaboration with key internal and external stakeholders; and should continue to do so persistently throughout the system’s lifecycle. Thus, it is important that researchers focus on the management of EHR risk and also investigate how hospitals today are managing [EHR] risk – “what works, what does not and why” .
In most industrialized countries, healthcare costs “are rising so fast that they will become unaffordable by mid-century without reforms” . More specifically, if present tendencies in healthcare costs prevail by year 2050, nearly all OECD countries will devote more than 20% of their GDP on healthcare. And, by 2080 Switzerland and the United States will dedicate more than 50% of GDP on healthcare, while by 2100 almost all OECD countries will reach this level of spending . This situation qualifies as being an unsustainable trend that needs to be reversed and, the implementation of EHRs within the concerned countries is seen as one of the most promising routes. However, the implementation of an EHR is highly risky. As observed recently by several horror stories reported in trade press publications, of EHR risk factor occurrences at different phases of systems’ lifecycles: hospitals forced to close; experienced unprecedented operating losses; experienced unprecedented weak operating performance due to EHR costs or failure; experienced costly data breach incidents [21-25].
Research framework of collaborative EHR lifecycle risk management
The framework in Figure 1, adapted from Poba-Nzaou  and Poba-Nzaou and Raymond , suggests that the process of EHR lifecycle can be broken down into five sub processes which are: adoption, implementation & stabilization, initial transition, use & maintenance, and shift to another EHR system or retirement. This process is influenced by two main groups of elements: a global context and a specific context. The global context is based upon the technology-organization-environment framework . The specific context includes EHR undertaking specific elements such as the motivations to adopt an EHR, the stakeholders’ involvement in the process, etc. The framework also builds upon the theory of collaboration  and emphasizes that risk management is influenced by the collaboration – cooperation and coordination - between the key stakeholders. In this regard, it is of interest to note that key stakeholders may vary in the progression through each subsequent phase. In addition, it asserts that risk exposure as well as risk management are influenced by contextual factors; and these factors increase or decrease the exposure to risk. It implicitly assumes that risk management can be understood through the alignment or fit between a hospital’s level of exposure to EHR risk and its risk management profile. In the same manner as Poba-Nzaou and Raymond , risk management profile is conceptualized as a hierarchical architecture of three levels of abstractions namely principles, policies, and practices [28,29].
Principles represent the highest level and act as guiding foundations to align lower, less abstract policies and practices . An example of a risk management principle for implementing an EHR would be, “adapting the EHR system to local clinical processes”. Policies reflect alternative means of realizing the guiding risk management principles. While, an example of a EHR risk management policy would be, “dealing with a EHR vendor that guarantee data sharing and interoperability between the hospital and partner organizations”. Practices are specific mechanism or tools to execute policies . An example of EHR adoption phase risk management practice would be “appointing a physician champion”. One advantage of the conceptualization of risk management profile as a 3-tier architecture of abstraction is that it allows one to highlight equally formal and informal risk management practices. Considering all three types of risk management practices: formal, semi-formal and informal, is consistent with empirical findings  and the theoretical perspective of risk .
I build upon my own research and prior studies and identify nine categories of risk exposure, namely: organizational, technological, usability, contractual, financial, managerial / professional, clinical, medicolegal, and liability. I will focus on only three dimensions. First, the organizational risk, which arises from the organizational environment in which the EHR system is adopted, implemented and maintained. Second, the clinical risk, which is related to the internal and external coherence of the clinical model and processes following an EHR implementation. Lastly, the technological risk, which originates from the information processing technologies required for the EHR system to operate.
I assert that the ideas and insights underlying the above framework present fruitful opportunities for various research projects including the following future research questions: What are the typical risk factors faced by hospitals throughout the main phases of the EHR life-cycle? How do hospitals manage the risk of EHR implementation and use & maintenance during the preimplementation phase? How do hospitals manage the risk of EHR post-implementation during the implementation phase? How do hospital internal and external key stakeholders collaborate in managing EHR risk throughout each phase of the system lifecycle?
In addition, it can be insightful to compare risk management associated with different EHR alternatives (an EHR supplied by a traditional single EHR vendor, a Best of breed EHR, a Cloud EHR, with an open source EHR, or an in-house developed EHR).