Clinical
Understanding the level of Clinical risks involved for the APIs requested and the controls required to be in place.
Pātiki and Waharua Kōpito patterns
Determining Risk Score
Clinical Criticality of Care
The types of clinical information/data you want to access will have varying levels of clinical risks. This is determined by how critical this data is to make clinical decisions in a clinical setting.
|
Clinical Criticality of API Data |
Data Type |
Example |
|---|---|---|
|
1 |
Publicly available information, Information aiding health care delivery |
eg. HPI ID, Practitioner ID, Death notification, Entitlement, financial information, address |
|
2 |
Lower Risk Personal & Clinical Information |
eg. Immunisation record, Planned events |
|
3 |
Less Significant Clinical Information |
eg. Diagnosis, Problem List, Historical data, social history |
|
4 |
Significant Clinical Decision-making Information |
eg. Allergies, Labs, Medicines, Current & Relevant data |
|
5 |
Identity-related Information |
eg. Name, DOB, Identifiable IDs, Gender |
Clinical Use Case
Different functionality available within the API can lead to varying levels of clinical risks
|
Use Case Risk Tier |
API Functionality |
Example |
|---|---|---|
|
1 |
Search / Read |
eg. Displaying read-only view of planned events |
|
2 |
Update / Edit |
eg. Updating an existing allergy information to add more detail |
|
3 |
Create / Add to |
eg. Adding a new allergy |
|
4 |
Use information in Clinical Decision support |
eg. using the output on an algorithm to change clinical care |
|
5 |
Delete |
eg. Can remove existing data |
Clinical Risk Score Matrix
This is a combination of API use case (functionality) and the clinical criticality of care of the information requested.
| LOW | MEDIUM | HIGH | EXTREME |
|
|
|
(2) API Clinical Criticality |
||||
|
|
|
1 |
2 |
3 |
4 |
5 |
|
(1) Use Case |
5 |
11 |
16 |
20 |
23 |
25 |
|
4 |
7 |
12 |
17 |
21 |
24 |
|
|
3 |
6 |
8 |
13 |
18 |
22 |
|
|
2 |
3 |
5 |
9 |
14 |
19 |
|
|
1 |
1 |
2 |
4 |
10 |
15 |
|
Onboarding Controls
Depending on the clinical risk of the clinical data & use case, you will either fall in Low, Medium, High or Extreme’ category of clinical risks. For each level of risks, varying degree of mandatory controls are expected in order to gain production access to the API.
|
Requirements |
Low |
Medium |
High |
Extreme |
|
Your organisation must be accredited for the RNZCGP Foundation Standard. |
YES |
YES |
YES |
YES |
|
Your organisation must have processes for identifying and managing clinical risks and issues. This includes details of processes for escalating significant risks that include preventing, identifying, evaluating, mitigating and controlling for digital clinical risks. |
YES
|
YES
|
YES
|
YES
|
|
Your organisation must have a process for reporting and managing clinical incidents/adverse events including details for escalating significant incidents. |
YES |
YES |
YES |
YES |
|
Do you have a clinical incident register and matrix utilised to assess clinical incidents? |
NO |
YES |
YES |
YES |
|
Your organisation must have a process for notifying Te Whatu Ora / Hira team in the event of an incident/adverse event, including ongoing issues and closing the loop. |
YES |
YES |
YES |
YES |
|
Your organisation must have a process for notifying users/consumers in the event of an incident/adverse event, including ongoing issues and closing the loop. |
YES |
YES |
YES |
YES |
|
Your organisation must have had input from clinical risk management experts into your risk and incident management plan. |
NO |
NO |
NO |
YES |
|
Your organisation must have a clinical risk register and matrix utilised to assess clinical risks. |
NO |
YES |
YES |
YES |
|
Your product must have had input from a clinician subject matter expert. |
NO |
YES |
YES |
YES |
|
Your organisation must have release documents available for the current version of your product that include details on the clinical risks and potential treatments that your consumers can adopt in their implementation? |
NO |
YES |
YES |
YES |
|
Your organisation must have a person responsible for managing digital clinical risks and approving the risk acceptability criteria for your product/s. |
NO |
NO |
NO |
YES |
Determining Risk Score
|
1. Clinical Use Case Risk Tier (Clinical Decision Support) |
2. API Risk Tier (Clinical Criticality of Care) |
||
|---|---|---|---|
|
1 |
Search / Read |
1 |
Publicly available information, |
|
2 |
Update / Edit |
2 |
Lower Risk Personal & Clinical Information |
|
3 |
Create / Add to |
3 |
Less Significant Clinical Information |
|
4 |
Use information in Clinical Decision support |
4 |
Significant Clinical Decision-making Information |
|
5 |
Delete |
5 |
Identity-related Information |