Determining Risk Score

Clinical Criticality of Care


The types of clinical information/data you want to access will have varying levels of clinical risks. This is determined by how critical this data is to make clinical decisions in a clinical setting.

Clinical Criticality of API Data

Data Type

Example

1

Publicly available information,

Information aiding health care delivery

eg. HPI ID, Practitioner ID, Death notification, Entitlement, financial information, address

2

Lower Risk Personal & Clinical Information

eg. Immunisation record, Planned events

3

Less Significant Clinical Information

eg. Diagnosis, Problem List, Historical data, social history

4

Significant Clinical Decision-making Information

eg. Allergies, Labs, Medicines, Current & Relevant data

5

Identity-related Information

eg. Name, DOB, Identifiable IDs, Gender

Clinical Use Case

Different functionality available within the API can lead to varying levels of clinical risks

Use Case Risk Tier

API Functionality

Example

1

Search / Read 

eg. Displaying read-only view of planned events

2

Update / Edit 

eg. Updating an existing allergy information to add more detail

3

Create / Add to 

eg. Adding a new allergy

4

Use information in Clinical Decision support

eg. using the output on an algorithm to change clinical care

5

Delete 

eg. Can remove existing data

Clinical Risk Score Matrix

This is a combination of API use case (functionality) and the clinical criticality of care of the information requested.

LOW MEDIUM HIGH EXTREME

 

 

(2)  API Clinical Criticality 

 

 

1 

2 

3 

4 

5 

(1)  Use Case 

5 

11 

16 

20 

23 

25 

4 

7 

12 

17 

21 

24 

3 

6 

8 

13 

18 

22 

2 

3 

5 

9 

14 

19 

1 

1 

2 

4 

10 

15 

Onboarding Controls

Depending on the clinical risk of the clinical data & use case, you will either fall in Low, Medium, High or Extreme’ category of clinical risks. For each level of risks, varying degree of mandatory controls are expected in order to gain production access to the API.

Requirements 

Low 

Medium 

High 

Extreme 

Your organisation must be accredited for the RNZCGP Foundation Standard. 

YES 

YES 

YES 

YES 

Your organisation must have processes for identifying and managing clinical risks and issues.  This includes details of processes for escalating significant risks that include preventing, identifying, evaluating, mitigating and controlling for digital clinical risks. 

YES 

 

 

YES 

 

 

YES 

 

 

YES 

 

 

Your organisation must have a process for reporting and managing clinical incidents/adverse events including details for escalating significant incidents. 

YES 

YES 

YES 

YES 

Do you have a clinical incident register and matrix utilised to assess clinical incidents? 

NO 

YES 

YES 

YES 

Your organisation must have a process for notifying Te Whatu Ora / Hira team in the event of an incident/adverse event, including ongoing issues and closing the loop. 

YES 

YES 

YES 

YES 

Your organisation must have a process for notifying users/consumers in the event of an incident/adverse event, including ongoing issues and closing the loop. 

YES 

YES 

YES 

YES 

Your organisation must have had input from clinical risk management experts into your risk and incident management plan. 

NO 

NO 

NO 

YES 

Your organisation must have a clinical risk register and matrix utilised to assess clinical risks. 

NO 

YES 

YES 

YES 

Your product must have had input from a clinician subject matter expert. 

NO  

YES  

YES  

YES 

Your organisation must have release documents available for the current version of your product that include details on the clinical risks and potential treatments that your consumers can adopt in their implementation? 

NO 

YES 

YES 

YES 

Your organisation must have a person responsible for managing digital clinical risks and approving the risk acceptability criteria for your product/s. 

NO 

NO 

NO 

YES