Consumers increasingly are involved in healthcare payments and demand transparency. This consumerism should be incorporated into risk management programs.

  • Direct payment from patients introduces new risks for healthcare organizations.
  • Risk managers should consider expanding the scope of risk concerns.
  • Fully assessing consumerism impact can help prioritize resources.

Consumerism is a growing force in healthcare and should be incorporated into a hospital or health system’s risk management strategy, says Jane Harper, CISSP, CRISC, CRCMP, ISA, PCIP, CISA, ITIL, director of privacy and security risk manager at Henry Ford Health System in Detroit.

Healthcare consumers increasingly are interested and involved in choosing their care, wanting more information and transparency than ever before. This consumerism is changing how healthcare is provided, and risk managers must respond along with other healthcare leaders, says Harper, whose background is in enterprise risk management with a focus on operational risk.

The changing involvement of consumers affects how risk is assessed and managed, she says. Risk managers may need to expand the idea of what risks face the organization, she suggests.

“Twenty years ago, the health insurance plan you got was whatever your employer offered, but in this new world of healthcare consumerism, individuals are able to go out and pick their own plans, elect to have higher deductibles, and control more of the payment between them, the payer, and the healthcare provider,” she says. “That now expands your risk scope beyond just the traditional electronic protected health information [ePHI] assessment, malpractice insurance, and cyberinsurance. It expands to some risks that not everyone is identifying and managing yet.”

For instance, higher deductibles may lead more healthcare providers to set up credit plans. That creates a credit risk, Harper notes. Reimbursement also can be affected by consumer expectations and ratings, but Harper says few organizations are considering and addressing that risk.

With hospitals increasingly receiving direct payments from patients rather than from insurers, there are concerns such as complying with the Payment Card Industry Data Security Standard (PCI DSS), an information security standard for organizations that handle branded credit cards from the major card companies. There are similar standards for accepting checks or accepting bank transfers, Harper notes.

“We have to get away from the idea that when we talk about risk management, we’re only concerned with malpractice insurance, ePHI, patient safety. Those are essential and important concerns, of course, but they’re not the only risks facing healthcare organizations today,” Harper says. “Consumerism is forcing us to look at a wider scope of risks.”

An expanded risk management program that accounts for consumerism should include a wide array of stakeholders, Harper says. That means not just the clinical side, but the other organizational areas influenced by consumerism, such as revenue and reimbursement. Then, an important step is gauging the organization’s risk appetite and tolerance, Harper says.

“You can’t do just one. You have to determine both the risk appetite and the tolerance for risk to be effective,” she says. “That sometimes can be intimidating to certain leaders because your key stakeholders you want to include in an enterprise risk management program won’t always have a detailed understanding of risk. They don’t necessarily have to, and we shouldn’t let that frighten them away from participating.”

The risk manager and other experts who run the program can provide the education needed to make the key leaders comfortable in participating, she says.

Identify Risk Tolerance, Appetite

Once key leaders are on board, there must be a structure to identify what issues matter most to the organization, and the corresponding risk tolerance and appetite for each, she says. At Henry Ford, any identified risks are assessed for the effect they could have on more than just one category. For example, the risk may have operational impact, market impact, or credit impact.

“It gives you the full weight of the issue. We know that every organization has a budget and a set number of resources, so this allows us to prioritize how we manage risks,” Harper says. “We might determine that this risk affects us significantly in five different areas, whereas this other risk is important but affects us in only one area. If we have this amount of money and time, putting them next to each other like that helps us prioritize what work gets done and when.”

For instance, a few years ago Henry Ford considered the purchase of a governance, risk management, and compliance (GRC) tool and assessed the potential related risks. Harper and other leaders determined that not using a GRC tool meant important issues could be missed, inappropriately prioritized, or given too much funding that could have been better spent.

“It showed us that we had issues that could affect us in many parts of our operational space — compliance risk, legal risk, making sure we’re doing reviews of our data center, many other areas. It ended up affecting four major categories and seven or eight subcategories, so naturally that rose to the top of the list of priorities,” she says. “That helped us champion with the senior leadership the purchase of a centralized GRC tool.”

Understanding and responding to consumerism can be the key to surviving the uncertain future of healthcare, Harper says. Risk managers are well advised to make themselves the organization’s experts on consumerism and incorporate the philosophy into their work, she says.

“I firmly believe that the organizations that are able to identify, quantify, and manage their risks will be the ones that emerge victorious in this era of increased consumerism,” Harper says.


  • Jane Harper, CISSP, CRISC, CRCMP, ISA, PCIP, CISA, ITIL, Director of Privacy and Security Risk Manager, Henry Ford Health System, Detroit. Phone: (800) 436-7936.