Introduction | Vaxa - Hola Health Review

Introduction

In June 2024, Healthylife engaged Vaxa to review Hola Health, an online telehealth and pharmacy delivery provider. The scope of the review was centred on Hola’s risk management and approach to clinical governance, with particular focus on risk treatment/controls and potential risk transfer to Healthylife.

The review was undertaken in two phases:

  1. The first phase was a desktop review of the policy/process/frameworks within Hola, namely those related to governance and risk management.
  2. The second phase involved a site visit and interviews with key staff members, and dry-runs of relevant processes.

The scope of the engagement and time allocated allowed for these two phases to be undertaken. This report does not comprise a detailed compliance analysis or review.

For example, we’re unable to categorically confirm the policies are being followed in practice, as this would require a detailed data analysis in accordance with sampling methodologies e.g. statistical sampling, which was outside the scope of this review. However, given we interviewed key staff members and conducted dry-runs of relevant processes—including cross-checking statements amongst several stakeholders—we believe the findings are still indicative of the current state of clinical governance and risk management at Hola.

Should Healthylife require a more detailed review of elements spanning network/application design (for scalability), cybersecurity, business development approach, or data activation approach, then Vaxa always remains ready to support these requirements.

Executive summary

On the basis of our findings in the attached report, we summarise Hola Health’s risk and clinical governance posture as follows:

  1. Hola Health, as an organisation, recognises the need to mitigate/treat/control risks. They operate with a risk register and have clear evidence of many risk controls embedded into the day-to-day operations of Hola.
  2. However, there are areas for improvement, particularly in the areas of systematic risk identification and risk treatment.
    • For example, while recognition of “technology” risk (data breach, for example) is strong, there isn’t a systematic method to recognise risks in other areas, including clinical risks.
    • Even if Hola Health isn’t legally responsible for the clinical decisions of its doctors (which is perhaps dubious given their status as the employer of the doctors delivering care), Hola must consider itself responsible for the clinical governance of its platform and services. While Hola ensures the practitioners it employs are qualified, competent and aligned with Hola’s values at the time of onboarding, Hola must continue to ensure this is the case throughout their employment at Hola. The same extends to all other partners.
    • For avoidance of doubt, we did find evidence of Hola Health taking steps to manage some of these risks. Our concern stems from the “dangerous mindset” that because Hola Health employs qualified practitioners, the risks are managed because “doctors want to protect their reputation” or “they’re professionals”; Hola should monitor the effectiveness of these controls and not rely on the assumption that they are effective.
    • We believe that Hola Health should take a more active role in identifying and managing these risks, particularly through the use of data to identify and treat risks and potential patient harm.
    • At the very least, Hola needs to adopt a more systematic method to identify and treat risks from all perspectives on a regular schedule, and we would suggest this includes risks from Healthylife’s perspective, too.
  3. Hola Health is well placed to systematically manage its risks, especially given they own and operate their platform essentially end-to-end; other telehealth providers are limited to the capabilities of their software vendors, but Hola Health has the ability to make changes to their platform as they see fit.
    • For example, Hola can actively restrict prescription of drugs of dependence (or set specific criteria regarding this).
      • Note: currently Medirecords is used for prescribing functionality (only), but Hola has advised this system will be retired soon for their in-house solution. In recognition of this pending change, we have not assessed the risk controls in place for Medirecords, as the risk controls with the in-house system would likely be as good as or better than Medirecords.
    • As Hola has essentially unfettered ability to collect and analyse data, they can use this data to identify and treat risks in a way that many other telehealth providers can’t (or at least, not as easily).
    • This is a significant advantage and one that can be leveraged to greatly improve the risk management and clinical governance of the organisation, as well as to grow.
  4. It’s a fair assessment to say Hola collects a lot of data, but doesn’t truly activate it all.
    • Hola Health has taken some early steps towards better utilising their data/software stack for effective risk control and operational efficiency.
    • Management is cognisant of this fact, and on the basis of our discussions with senior management, we’re comfortable that Hola has a pathway to improve this.
    • This is a comprehensive task and will require a significant investment in time and resources, but does bring with it significant benefits.
  5. Hola is reasonably well-placed to exhibit control over its partners’ (doctors, delivery partners, pharmacists) use of the platform, both technically and contractually.
    • However, in line with the above, we believe this should be more actively managed and potentially expanded with e.g. a more robust, measurable Service Level Agreement (SLA) with partners that better exerts control over the quality of service provided by partners.
    • We also saw evidence of Hola Health actively considering their growth/scaling strategy in the context of resources required; Hola Health demonstrated to us that they weren’t just going to “throw more people at the problem” but were actively considering how to scale their operations in a way that was sustainable and effective—which is a positive sign for a long-term partner like Healthylife.

A full list of risks uncovered during the review can be found in the Risk Register.

Recommendations

Our full list of recommendations is in the Recommendations Register, but we summarise our overall view on recommendations below. It should be noted that this is our view, and made without the benefit of a full understanding of the Hola Health and Healthylife arrangements.

  1. Better management of the lifecycle of doctors specifically, and recognition of the varying levels of risk they pose at different points of the lifecycle and when providing different services. This is on the basis that Hola directly employs these doctors, and so most closely wears the risk of their actions, in contrast to pharmacists (employed by the pharmacy) and delivery partners (employed by the delivery partner, and reasonably low risk to start with).
  2. A more systematic approach to risk identification and treatment to ensure all risks are captured and treated, not just the obvious ones. In a similar vein, implementation of a quality management system (e.g. ISO9001 or similar) would be beneficial to ensure Hola upholds quality standards as required of each stakeholder in the ecosystem.
  3. Better activate the collected data both for risk treatment and for operational efficiency; plenty of data is collected and could be used for some powerful insight into emerging trends. Some data is already well-used e.g. for forecasting of doctor demand, so Hola has a good foundation to build on.
  4. More active management of partners, particularly through the use of a more robust SLA after a systematic risk review but also through better implementation of the end-to-end “managerial chain” as outlined in the key concepts section of this report.
  5. Continue to invest in data/technical security. Any system that collects data—especially sensitive data like Hola’s—is inherently risky and will always be so. Hola has demonstrated they’re committed to this, but it’s a never-ending task and one that requires constant vigilance and investment. While we cannot comment on any specific elements of the technical security of Hola, we would like to see a better approach to managing the Bring Your Own Device (BYOD) devices used by doctors to access the platform, and a more robust approach to managing the data stored on these devices.

Next steps

We would welcome the chance to discuss these findings and recommendations with Hola Health and Healthylife in more detail, as well as to assist with the ongoing implementation/monitoring of these recommendations to a standard suitable for Healthylife’s risk appetite.

If you have any questions or would like to discuss these findings further, please don’t hesitate to contact the Vaxa team.