The Question I Ask Before Anything Else - What Would the HDC say?

Before we implement anything, a new service, a new process, a new staff member taking on a new responsibility, I ask myself a set of questions. What is the worst possible scenario here? What would the Health and Disability Commissioner say about how we handled it? What would the Privacy Commissioner say about how we protected patient information? What would the Medical Council or Nursing Council say about how we defined and supervised clinical scope? And most fundamentally of all, how does this impact our patients, and how do we make this as safe as possible for the people we are here to serve and the team delivering that care? If I can answer all of those questions clearly and confidently, we proceed. If I cannot, we are not ready, and we go back and build the thing that makes the answer clear before we move forward. That is not pessimism, it is the most practical form of clinical governance I know.

Most practices think about risk after something goes wrong. I think about it before anything goes right. The practices that end up in front of the HDC, or facing a Medical Council inquiry, or managing a Nursing Council complaint, are almost never the ones that were careless. They are the ones that assumed. They assumed the role was clear enough, they assumed the team member knew what to do, they assumed the protocol covered the situation, they assumed the process would hold under pressure. Assumptions are how practices get into trouble, and protocols are how they stay out of it. The difference between a practice that survives a difficult incident and one that is permanently damaged by it is almost never clinical skill. It is documentation, process clarity and the ability to demonstrate that the practice had a system, and that the system was followed.

My framework is simple, and it is to work backwards from the worst case. When I am introducing a new service or onboarding a team member into a higher responsibility role, I start at the end. I imagine the worst thing that could reasonably happen. A patient deteriorates. A medication error occurs. A procedure goes wrong. A staff member acts outside their scope. Patient records are accessed by someone without authority. A data breach exposes sensitive health information. Would the HDC find that the practice had appropriate clinical protocols in place? Would the Medical Council be satisfied with how this clinician's responsibilities were defined? Would the Nursing Council find that scope was clearly documented? Would the Privacy Commissioner find that patient information was collected, stored and shared lawfully and appropriately? And above all of those, would a patient who experienced this situation feel that the practice genuinely did everything it could to keep them safe? I work backwards from every one of those questions to build the thing that makes the answer yes, every time.

Privacy is not an IT problem, it is a clinical governance problem. The Privacy Commissioner is not just interested in whether your software is secure. They are interested in whether your team understands their obligations, who can access patient information, when, for what purpose and with what authorisation, whether you have a documented process for managing a breach, and whether consent processes are clear and record keeping is appropriate. In a busy practice, privacy risks are not usually the result of malicious intent. They are the result of habit, convenience and assumption, a team member who pulls up a patient record out of curiosity rather than clinical need, a conversation about a patient in a corridor within earshot of others, a result sent to the wrong fax number because the process was not checked. None of those feel like a breach when they happen. All of them are.

This is the question that sits underneath all of the regulatory ones. The HDC, the Medical Council, the Nursing Council and the Privacy Commissioner all exist because of what happens to patients when practices get things wrong, and the way to avoid them is not to manage regulatory risk, it is to genuinely ask, at every decision point, how this impacts the people we are here for. How does this new service impact our patients? Is it safe? Do they understand what they are consenting to? Do they know what to expect, what the risks are and who to contact if something concerns them? Is the information we hold about them being protected as carefully as the clinical care we deliver? How does this process impact our staff? Are they clear on what they are expected to do? Do they have the training to do it safely? Do they know what to do when something goes wrong? Are they protected by a system that has thought ahead, or exposed because the practice assumed they would figure it out? A practice that asks these questions before making decisions will almost always build the right system.

Building the system that makes the answer yes means written protocols, not a general understanding but a written, version controlled, signed off document specifying exactly what happens, who is responsible for each step, the escalation pathway, and the documentation requirement at every stage. It means clear role definitions, not job titles but documented descriptions of what this person is authorised to do, what sits outside their scope, who they report to and what the clinical oversight structure looks like. It means defined responsibilities, because the gap between thinking you were doing that and thinking someone else was doing that is where patients are harmed and careers are ended, and explicit, written responsibility allocation closes that gap. It means privacy processes understood by every team member, who can access records, when and why, how a breach is managed, what consent looks like and where it is documented. And it means a near miss reporting culture, because a near miss is a system failure that did not reach the patient, an opportunity to fix the gap before it does, and it should be treated as a gift.

Knowing the protocol is not the same as being able to execute it under pressure, so I run drills, I run scenarios, and I put teams through the situations they hope they will never face, a patient collapse, an anaphylactic reaction, a medication dispensing error, a patient presenting with undisclosed risk factors, because the time to find out that your team does not know what to do is not when it is actually happening. The goal of a drill is not to scare the team. It is to make the correct response so automatic that fear does not override it, so that instead of a folder of procedures on a shelf you have people who can execute under pressure because they have done it before.

I do a comprehensive risk assessment of every scenario, every single one, not a general sense of what might go wrong but a structured, deliberate assessment across every realistic risk, clinical, operational, privacy, compliance, workforce and reputational. What happens if this procedure goes wrong at step three? If this team member is absent and someone else covers without adequate briefing? If a patient discloses something unexpected mid procedure? If the cold chain fails overnight and nobody checks until morning? If a staff member is asked to do something outside their scope by a clinician who does not realise it is outside their scope? A risk assessment is not a form you fill in once and file, it is a living document reviewed when services change, staff change, processes change and when something nearly goes wrong, and in most practices I walk into it either does not exist or has not been touched in three years.

If a team is not prepared to face those questions, I do not work with them. I have worked with practices that wanted the credential of good governance without the substance of it. They wanted a folder of policies they could point to. They were not ready to sit with the discomfort of hearing an honest answer about where their systems were falling short, not ready to stop offering a service that could not be delivered safely, and not ready to put the patient's safety above the convenience of the status quo. Clinical governance cannot be built around a leadership team that is not genuinely committed to it. The system is only as strong as the people who uphold it when something is inconvenient, expensive or uncomfortable to address. The hard question asked in a planning meeting is infinitely better than the same question asked by the HDC after a complaint, and the practices that understand that are the ones worth building and the ones I choose to work with.

The questions I ask every time are what the worst possible scenario is, what the HDC would say, what the Privacy Commissioner would find, what the Medical Council or Nursing Council would say if they looked at this tomorrow, and most importantly how this impacts our patients and our staff, and whether we have made it as safe as possible for both. If the answers make me uncomfortable, I have more work to do. If the answers are clear, documented, practiced and defensible, we are ready, and that standard does not change regardless of how busy the practice is, how experienced the team is or how unlikely the worst case seems, because the unlikely cases are the ones that happen without warning.

The regulators are not the reason I work this way. The patients and the team are. Keeping them safe is the whole point, and the regulatory framework just confirms that the thinking is right.

Petrina Couper is the founder of CouperMed, a medical marketing and strategy consultancy supporting GP clinics, plastic surgeons and aesthetic practices across New Zealand. Clinical governance, compliance and operational safety are built into every engagement. Book a free discovery call at coupermed.com.

Previous
Previous

I Left Him There and I Left Him There. And It Was the Right Thing to Do.

Next
Next

The Accountant Problem No-one Talks About