Skip to main content

Legal audit, other steps are needed for Y2K issue

November 1, 1999

Legal audit, other steps are needed for Y2K issue

The health care industry has been preparing for the Y2K bug for years, and now that the dreaded time is nigh, it might seem too late to do much of anything. Not so, says an expert who is advising risk managers to make good use of these last two months.

Although it is far too late to start debugging your organization’s computer systems, there still are important tasks that can be handled right up to the moment you walk out the door to a New Year’s Eve party. Most of those tasks involve double-checking to make sure you have identified potential problem areas and fully documented your efforts to become Y2K compliant, says Michael Donovan, JD, a partner with the law firm of Hancock, Rothert, Bunshoft in San Francisco.

"It’s not too late to get things done," he says. "If you haven’t started an assessment and efforts to fix your problems, you’re in trouble. But most hospitals are well into the contingency planning, and you can do a lot of that right up to the moment that time runs out."

A legal audit of your Y2K readiness should be a primary objective for any health care risk manager, Donovan says. Many have conducted them already, but a lot of risk managers will conduct them in November and December, he says. The goal of a legal audit should be to assess, from a risk management standpoint, where the organization stands with its Y2K preparations. It’s too late to do much about the problems, but the risk manager should identify exactly what the problems are and what they may mean in terms of patients and liability.

"You should document that you have assessed everything appropriately and fixes have been accomplished," he says. "If it is not possible to fix a problem or you have doubts about the success of a fix, like where you can’t assure the compliance of a medical device, then you should have workarounds in place for that problem."

The sooner you conduct the audit, the better. If a problem turns up, you will need time to resolve it or at least investigate what the repercussions might be. Donovan makes these suggestions for key issues to address in your audit:

Documentation.

It is almost inevitable that you will find some areas of your Y2K preparation in which documentation is lacking, even if the actual debugging work was performed successfully, Donovan says. He suggests that you pay particular attention to the documentation showing that medical devices have been deemed compliant by their manufacturers.

"Most organizations are relying on outside testing and verification for a lot of equipment, not their own testing, so you want to make sure you have documented that well in case there is a problem with the equipment," he says. "The risk is that if you don’t, you could be held liable for any damages from that failure. You want to be able to show that you took reasonable steps to avoid problems. If you can show that, you’re likely to avoid legal liability."

Vendors.

Part of your Y2K preparedness planning should have included checking with vendors to establish their Y2K readiness. If you have not received a satisfactory assurance from a vendor at this point, don’t hold your breath and hope it arrives at the last minute. Make sure your organization has a plan for responding to a failure by that vendor.

Other organizations’ contingency plans.

This is one area that may have been overlooked by some health care providers, Donovan says. Other organizations in the community, especially other health care providers, may have included you in their contingency plans for Y2K problems. Another hospital across town, for instance, may have designated your facility for diversion of patients if it suffers serious Y2K problems. That type of arrangement is not unusual, of course, but you need to know about it when you are assessing your own facility’s readiness.

If you have not already, Donovan suggests you contact area hospitals, nursing homes, and police, fire, and emergency services in the community to determine how your organization fits into their own contingency plans.

Consider special consent forms

Donovan says some hospitals are considering the use of a special informed consent document for the new year. The document would explain to the patient that the Y2K problem could result in some irregularities with service, such as the delivery of medical supplies or glitches in medical devices, and that the patient understands the hospital has made a good faith, reasonable effort to protect the patient from any harmful effects.

"A lot of organizations think that is a prudent thing to do at this point," he says. "I know many organizations are considering that as a part of their end-of-the-year Y2K program. Obviously, it would be good to have counsel involved in that."

Some hospitals have considered a moratorium on elective procedures at the beginning of the year until it is clear what sort of Y2K problems might occur, Donovan says. That is a serious decision to make, he says, because even a brief elimination of elective procedures could have a major impact on revenue. It could be a necessary move, however, if hospital officials determine their facility is not sufficiently prepared for Y2K.

Donovan also suggests you consider how much your facility will be pushed to capacity at the critical time. Patient care may not be affected dramatically, for instance, if one medical device fails and you have three more in backup to take its place. But if you are working near full capacity, you may not have that luxury and, therefore, the elimination of elective procedures might make more sense. Also, remember to take into account the extra patients who might be sent your way by other facilities experiencing Y2K problems.

An informal survey of Healthcare Risk Management readers indicates that most of them are confident of their preparations for Y2K, but they still are worried about liability from Y2K problems. About a third say they are stockpiling supplies, between a week’s worth and enough to last a month. Almost none of the readers surveyed indicated they have purchased additional insurance to cover Y2K problems.

The federal Food and Drug Administration recently issued an advisory saying that most med ical devices containing a computer chip will not be affected by the Y2K bug. "Only about 2,000 of the nation’s 13,500 medical device manufacturers make products that are the type that might be controlled by a computer and, therefore, potentially sensitive to Y2K problems," the FDA says. Some particular devices, however, are known to be susceptible to the glitch. The FDA provides a list of specific devices on its Web site at http://www.fda. gov/crh/yr2000.html.

Some government assessments of the health care industry suggest that some facets are not ready for Y2K. (See the stories at left and below.) From his own work with risk managers across the country, Donovan says there is some nervousness, but he thinks the industry as a whole is well-prepared.

"Like with any risk, hospital risk managers obviously are concerned. They should be, since patient care is at risk here," he says. "But even though they’re concerned, most people have done everything they can do up to this point. Now we see what happens."