Role of ISO-9001 in Healthcare and Patient Safety

Explore how identifying, assessing, and managing risks can enhance patient safety, streamline processes, and lead to continuous quality improvement.

ISO-9001 in Healthcare

When it comes to healthcare, a lot of articles are published on the role of NABH; whereas ISO-9001 (QMS) which forms the core of a good Quality Management System is hardly written about, even though quite a good number of hospitals and clinics are ISO-9001 certified.

I felt it would be prudent to write an article on the role of ISO-9001 in Healthcare and Patient Safety.  Even more so because the new edition ISO-9001:2015, released in September 2015, has introduced “risk based thinking” as the core concept of all quality related activities – identifying the risks that may hamper performance and at the same time identify the opportunities that may enhance performance. 

This has made it easy for the healthcare sector to align the risk elements in healthcare with patient safety, thus enhancing customer satisfaction.

Here I would like to mention that I have not given any Clause-wise explanation, rather I have tried to give a basic guideline on factors which the healthcare organisation should consider in its risk based approach, because that is the requirement of ISO-9001:2015. 

All the ISO-9001:2008 certified hospitals and clinics have time till 2018 to migrate to the new Standard. After 2018, the old version will be no more applicable.

Risk based thinking, in other words, is assessing the elements of business risk associated with healthcare services; aspects which can bring a bad name to the healthcare organisation in terms of reputation loss and at the same time lead to monetary loss, viz., adverse incidents like medication error, transfusion error, baby abduction, baby swap, bodily injury to patient due to faulty treatment, surgical mishap, fire, medical equipment breakdown, strike by employees, etc. 

Risk assessment and risk management automatically become an integral part of all patient care and support service activities; a lot of Preventive Actions are required to be implemented at every level to prevent any mishap and ensure patient safety in service delivery.

In the new Standard ISO-9001:2015, there is no provision for Preventive Action (Clause 8.5.3 of ISO-9001:2008) as because preventive action has now been made an integral part of “risk based thinking” which provides for a strong quality management system. The new Standard has provision only for Corrective Action (Clause 10.2) as a tool for further improvement, in other words, continual quality improvement.

Important aspects of “Risk Based Thinking”

  • Risk based thinking incorporates business risk.
  • Risk based thinking is all pervasive and should happen at every level of the organisation, with equal involvement of employees at every level.
  • Risk Assessment, Risk Management, Controls (Preventive Action) & Contingency Plans, Quality Objectives are integral parts
  • Provides scope for recognising opportunities for further improvement (continual quality improvement) – required for sustaining the business.
  • Periodic review of processes, plans and quality objectives is important.
  • Define your list of interested parties (stakeholders).
  • Understand the needs and expectations of the interested parties (stakeholders).
  • Risk based thinking is a team effort and should also take into consideration the needs and expectations of the stakeholders (those who are directly and indirectly involved in the processes; those who are directly and indirectly affected by the processes). Involve the stakeholders wherever possible.
  • In your risk based thinking, also consider other interlinked processes and functions which are likely to be affected, either directly or indirectly (interaction of processes).
  • Take into consideration the risks associated with services during the delivery process and also post delivery.
  • When making changes to an existing process or before implementing a new process, assess the risks involved from the business risk angle, if any.
  • It is important to test the effectiveness of the controls and the contingency plans through periodic review; and, if required make further changes.
  • Take into account the statutory and regulatory requirements.
  • Maintain records of crucial findings, recommended actions, actions taken, desired results and actual results. This is helpful in finding opportunities for improvement. 

Factors to remember while taking up Risk Based Thinking exercise:

  • Do remember that it is not always possible to eliminate a risk completely
  • It is possible to reduce the probability of a risk through implementation of proper controls (preventive actions)
  • Sometimes the risk can be “transferred”, may be by giving the job to another skilled person, or by outsourcing the function to another organisation which is specially skilled in that activity; or by any other method as deemed fit by the organisation
  • Some amount of risks may have to be retained, based on informed decision and past data
  • There must be control plans (Preventive Actions) and contingency plans (e.g., plan to tackle fire emergency if fire actually breaks out)

How risk based thinking can be aligned with the risk based approach of the healthcare sector

  • Define the processes.
  • Identify the risk elements involved in the processes.
  • Do the risk assessment of both the negative and positive aspects to find out the possibility of risks and their degree of severity and the possible outcome.
  • List the identified risks in descending order as per likelihood of occurrence, severity, risk score, legal requirements.
  • Whichever risk is significant, for that do the risk management (set objectives, device and implement appropriate controls / preventive actions).
  • Prepare a contingency plan for significant risk factors (It is important to have a contingency plan ready to tackle any untoward incident arising out of a situation in-spite of adequate preventive actions).
  • Plan periodic reviews of the controls and contingency plans.
  • Based on the review results, make changes if required.

Quality Objectives & Continual Quality Improvement

  • Risk based thinking also means opportunities for improvement. One way of achieving this is through Quality Objectives
  • Identify the opportunities and define the objectives for improvement.
  • For all critical or important processes and activities, there should be Quality Objectives (e.g., bed sore; phlebitis; needle stick injury; breakdown & up time of critical medical equipment; etc.).
  • Analyse the risks associated with the objectives (this risk assessment should be done also from the business risk point of view).
  • Lay down the course of action to achieve the objectives.
  • Make sure your quality objectives are practically achievable, measurable, and monitor-able. Once achieved, they should be sustainable.
  • There should be a review process for the quality objectives, to determine the progress made.
  • For every quality objective it is important to chart out roles and responsibilities of the staff.
  • There should be a documented plan for quality objectives.

NOTE :Statutory & Regulatory requirements cannot be made a part of quality objectives (e.g., Timely renewal of PCPNDT License, Submission of infectious diseases data to BMC in a timely manner, etc.), because these are aspects which have to be complied with mandatorily.

Outsourced services

  • Risk assessment should also be done for all the outsourced services, viz., Housekeeping, Security, Catering, Pharmacy, Blood Bank, Ambulance, Laundry, etc.
  • The outsourced organisations should also be made an integral part of such risk assessment exercises.

Reputation risk assessment
The healthcare organisation should also do a reputation risk assessment, because the healthcare sector often comes into the news for all the wrong reasons; more so because the sector deals directly with human lives.

  • Determine what could be the potential accusations.
  • Rate them as per the probability and severity (chances of occurrence and the impact).
  • Determine the control measures (Preventive Action).
  • Device contingency plan to tackle a situation in case it actually does occur.
  • Set a periodic review process for the controls and contingency plans, and make changes if required.

Apart from these general guidelines mentioned above, each healthcare organisation has its own individual specific needs based on the structure of services it provides to its patients.  The new Standard ISO-9001:2015 will help the healthcare organisation :

  • To align its specific patient safety aspects with risk based approach in a better way
  • To take actions to address the risks and opportunities that are proportionate to the potential impact on the conformity of patient care services

The new standard focuses on performance indicators (this can be considered as similar to the quality indicators of NABH).

I would like to conclude by saying that the risk based thinking of ISO-9001:2015 complements the patient safety aspects of NABH.

About the Author :
Uttia Majumdar is proprietor of  CLASS CONSULTANCY
 a Mumbai based venture offering cost effective and result oriented Consultancy & Allied Services in System Certification – ISO-9001, ISO-14001, OHSAS-18001 and NABH – to help and guide all those who seek to excel in Management System.

Ms. Uttia Majumdar
Class Consultancy, ISO & NABH Consultants & Allied Services | + posts