Throughout history, healthcare’s guiding principle has been “do no harm.” That adage, of course, suggests an avoidance of risk. But it’s Leigh Hickman’s job to seek out risk and stare it in the face.
Hickman is the chief legal officer at CaroMont Health, a regional health system with a large network of physician practices, urgent care, hospice, emergency facilities, and a 435-bed regional medical center. She took on the job of creating an enterprise risk management program in 2017 for the nonprofit hospital with one clear objective: provide the best care for patients.
In this day and age, risk management in healthcare organizations has to go beyond clinical care. Hospitals, physician practices, pharmacies, and other allied healthcare providers are businesses as well, even if they’re operating as nonprofits. Considerations such as market share, governance, and human resources have to work properly and add value, not detract from it. And lest anyone assume risk management is a theoretical construct, Hickman can relate from firsthand experience that it’s really something much more pragmatic.
“A restructuring of the organization in early 2017 relegated risk management to me,” says the attorney, whose career began in medical malpractice litigation. “We thought we were doing pretty well managing clinical and related legal risks, but there were other operational roles to consider.”
As she evaluated the risk program, Hickman noted that risks were being assessed in silos, and that there were big unknowns. “I wondered if we were effectively managing them or if we had just been lucky,” she says.
Those unknowns included business concerns such as market share. Based in Gastonia, North Carolina, which is in the greater Charlotte metro area, CaroMont is surrounded by major hospital systems. As a community-based system, factors such as the distribution of CaroMont’s providers can make a major difference in how resources are utilized and how they can impact the hospital system’s overall financial health.
Hickman’s enterprise risk management steering committee followed a process that first assessed where there might be things to worry about. They surveyed CaroMont’s leadership and key managers to create a list of vulnerabilities that they could take action on in a 12–18-month time frame.
Making this work required leadership and support from the board of directors, Hickman says. The board restructured some director committees and incorporated risk management into committee and staff accountabilities. With risk being treated as a priority, staff at all levels gained a clearer understanding of how to identify and manage risk.
This comprehensive approach has already yielded cost-saving efficiencies. For example, they discovered four different departments were addressing employee safety issues in their own silos. “Just bringing people together helped us figure this out and allowed the departments to work together more efficiently and effectively,” she says.
However, it’s not always a cut-and-dried matter. EMRs are a perfect example of this concern at CaroMont. The organization is moving ahead with improvements to its EMR database, but in doing so Hickman and the company must also begin to think about cybersecurity threats.
These cybersecurity threats are a catch-22 for healthcare providers. Modernization of EMRs is necessary and incentivized in the ACA. Yet this digitization of information is then vulnerable to privacy breaches, financial exposure, and possibly even operational shutdowns. For example, a ransomware virus in July 2017 called Petya infected computers in several American hospital systems to such an extent that at least one system operating in three states disabled its entire IT system, causing the operation to revert to paper records for a time.
But rather than panic about these issues, Hickman says they go about managing risks like this methodically. “We look at industry best practices,” she says. “Everyone is concerned about cybersecurity concerns such as ransomware. We engage technology to assess risks and to put safeguards in place.” But as with other organizations on guard against this, she says their best weapon is education. “The biggest risks are with employees. We teach them to be smart when it comes to suspicious email.”
Hickman’s measured approach to risk management has established her as a trusted partner and leader within the industry.
“Leigh is an outstanding professional and a true asset to CaroMont,” the medical malpractice team at Shumaker, Loop & Kendrick LLP said in a statement. “She is an innovative, efficient, confident, and bold leader. It is a pleasure to work with her.”
Hickman and her team at CaroMont know that being risk averse does not equate to an avoidance of innovation and progressive approaches to healthcare delivery. In fact, CaroMont was an early adopter in the ACA’s accountable care organization (ACO) program, which simultaneously seeks to reduce the costs of caregiving while improving patient outcomes. The savings from this program, shared with Medicare, totaled more than $11.5 million in its first three years of implementation. Quality-of-care performance results in 2016 were at or above the national mean in almost every measure. And Hickman believes that by managing risks effectively, CaroMont can continue to devote financial and staff resources to innovative programs like the ACO, which improves the care provided to patients.
Hickman says the enterprise risk management program is new enough that there isn’t an established measurement formula to gauge its success. “But I look forward to seeing how this impacts the board’s strategic thinking going forward,” she says.