The following series of articles appeared in the Journal Prospective Risk Management In Healthcare. It is not, to my knowledge, available online. All disclaimers apply.

Risk Assessment Takes Center Stage

Snooze on Year 2000 Preparations Now, Expect Legal Insomnia Later

Techno-geeks, move over. The healthcare industry has entered the last year of preparation for Year 2000 (Y2K), and proactive risk managers need to step to the forefront to assess compliance efforts from a risk perspective and focus their organization's senior management, when necessary, on contingency planning and recovery.

When the clock strikes midnight on Dec. 31, 1999, anything with a computer chip and a two-digit date code has the potential to go into some sort of meltdown. Industry media reports indicate that most healthcare organizations are lagging woefully in their Y2K compliance efforts.

True or not, with less than a year to go until D-day, "most healthcare systems don't understand that their entire organization is at risk, and it's now time to protect them legally as opposed to just thinking it's a technical solution," stressed Dennis Gallitano, JD, co-chair of the information technology law practice at Rudnick & Wolfe in Chicago. "It's physically impossible to ensure that something is going to be Year 2000 compliant 100 percent."

"This fundamentally is a risk management issue," agreed Joel Ackerman, BS, MBA, executive director of the independent, non-profit, member-supported RX2000 Solutions Institute (http://www.rx2000.org/) in Minneapolis. "And as we get closer to 2000, the risks seem to be getting larger rather than smaller because we're starting to understand the problem more."

For most healthcare organizations, "you will have a Year 2000 problem, you will have Year 2000 liability--the only question that remains is how much," said Gallitano.

A Smorgasbord For The Plaintiffs Bar

According to attorney Lori Iwan, Esq., the partner in charge of the Y2K practice at Williams & Montgomery in Chicago, healthcare organizations need to brace for claims of alleged negligence based on:

-mistakes with patient records;

-biomedical device failures; and

-failure of the physical facilities.

Further, publicly held healthcare firms, more so than private concerns, should prepare for a surge of director and officer claims that could allege either misrepresentation of or failure to disclose the company's Y2K status, as well as possible claims alleging that delays in addressing the issue resulted in increased compliance costs.

With these potential claims in mind, Iwan suggested healthcare risk managers would do well to review their organization's Year 2000 compliance efforts to ensure they dovetail with three General Accounting Office reports: Year 2000 Computing Crisis: An Assessment Guide; Year 2000 Computing Crisis: A Testing Guide. Exposure Draft; and Year 2000 Computing Crisis: Business Continuity and Contingency Planning (http://www.gao.gov/y2kr.htm).

"I anticipate that these government documents will form the framework for the standard of care in litigation," said Iwan. "Any business claiming ignorance or failing to comply with these protocols will likely have an uphill battle in court."

Time For Gear-Shifting

The heavily interdependent nature of the nation's healthcare system means that total Y2K compliance is the equivalent of dreaming the impossible dream. So no matter what their compliance status, healthcare organizations that haven't done so already "need to start shifting a good amount of their attention to contingency planning and recovery," said RX2000's Ackerman.

Healthcare concerns now must identify mission-critical functions, if they haven't done so already, and establish contingency plans in case those critical aspects of the business fail. (One risk management professional at a West Coast academic medical center defines mission-critical in the healthcare setting as: 1) life safety for patients and staff; and 2) patient care.)

Time is of the essence: Some failures could have begun this Jan. 1 and may occur throughout 1999 as computers reading multiple 9s or attempting to process data about the year 2000 (scheduling patient visits, perhaps) and patient age begin to shut down, Iwan pointed out. (Also, Year 2000 efforts have a fixed deadline: Jan. 1, 2000. So in this last year, risk managers should avoid assessing projects by a "percentage complete" label, warned J.W. "Woody" Taylor, a White Plains, N.Y.-based partner in the healthcare consulting practice at KPMG Peat Marwick. Instead, look at how many staff days of effort are left, he advised.)

Y2K contingency planning resources specific to the healthcare industry to date have been a relatively scarce commodity. Both Iwan and Ackerman recommended the GAO model as a good starting point.

With time short, risk managers should pay extra attention to departments that serve patients with life-threatening conditions, such as the intensive care unit, the pediatric ICU and the emergency department.

A key emphasis should be mission-critical biomedical devices and systems within those departments: testing and repairing or replacing noncompliant equipment, as well as devising potential workarounds where possible. Other stress points include the facilities and business relationships needed to run those life-or-death departments.

"Human failures are something to be watching for also," Ackerman pointed out. For example, "do your nurses know how to calculate a drip rate?" asked Dwain Shaw, director of information services/Year 2000 project director at the Medical College of Georgia (MCG) in Augusta. Risk managers need to make sure educational in-services and dry runs are scheduled as needed so staff can be as prepared as reasonably possible.

[End of article. I will also reproduce the following articles, all from the above Journal. Look for them in the next day or two:

Y2K Standard Of Care Checklist

Y2K Insurance May Be A Protection Pipe Dream

Review Y2K Document Management To Ensure Protections

The Testing Time Bomb: Not Testing Could Mean Explosion of Punitive Damages

Emphasize The ED [Emergency Department] In Y2K Contingency/Disaster Planning

Inadequate Y2K Planning Will Hurt: Take A Hard Look At Facilities' And Business Partners' Mission-Critical Roles]

-- Steve Hartsman (hartsman@ticon.net), February 18, 1999

Answers

Thanks Steve,

I'll e-mail this link to a few health care people.

Leska, oh Leska ...

Diane

-- Diane J. Squire (sacredspaces@yahoo.com), February 18, 1999.