Methodology & scope

Estimated 4 min read

In this review, we were tasked with undertaking a high-level holistic review of Healthylife’s risk exposure arising from Hola Health’s pharmacy and prescribing functions. We must note that our focus on the review of Hola Health—not how Healthylife engages, controls or works with Hola Health; a separate review of Healthylife’s approach to engaging 3rd parties would be a more appropriate forum for this.

Therefore, our approach is focussed on identifying risks borne by Hola Health on the proviso that many of these are inherited by Healthylife, albeit usually based on reputational risk rather than legal risk.

To identify risks borne by Hola Health, we’ve first established the universe, then carved this down to the most relevant actors in the “Hola Health ecosystem” (per Key theory and concepts). Given our focus on pharmacy and prescribing, these key actors are Patient, Doctor, Pharmacy, Delivery Partner, and Hola Health itself.

By interrogating each of these key actors and the policy/process that identifies and treats risk arising from them, we can form a holistic view of risk exposure. For example, we establish the conceptual lifecycle of a pharmacy in the ecosystem, review the supporting processes (onboarding, maintenance, offboarding, exception handling, etc.) and assess whether these processes sufficiently capture and treat risk—we’re seeking to identify where continuity between policy and operations isn’t upheld.

In assessing Hola Health itself, we’re focussed on two primary aspects: how Hola Health manages itself (its governance), and how Hola Health’s systems (software, people) support the implementation of adopted policy.

While we aren’t conducting a management review per se, reviewing some elements of management helps us to understand how risk is managed in Hola Health. For example, we scrutinise the flow of personally identifiable information (Personally Identifiable Information (PII)) and protected health information (Protected Health Information (PHI)) between various actors and systems, and importantly the treatments that have been applied. We review the management structure, how Hola Health considers and treats risks when standing up programs like Quitmate and its weight management initiatives.

Moreover—and potentially more importantly—we explored how potential future programs would be considered by Hola Health management (for example, the integration of AI technology) and therefore we can form a view on how Healthylife may be exposed to risk under this partnership over the medium-term.

Our review also serves to document the distribution of risk—both real and perceived—across the Hola Health ecosystem. We establish this view from defining and reviewing:

• The defined policy and process to support risk management, and potential gaps

• The clarity in each actor’s role and responsibility within the ecosystem

• The broader compliance with legislation and regulatory bodies

• The mechanisms through which quality implementation of the adopted policy/compliance efforts by these actors are monitored and/or enforced, e.g. do contractual service level agreements (SLAs) with pharmacies reflect Hola Health’s position on how the pharmacy treats risk? Are contracts sufficiently transferring risk to the right entity?

• How risks are identified, policies are developed, and mechanisms are chosen/implemented in a structured manner

• The management of broader ecosystem, notably the systems and data generated by these actors and systems.

Through these elements, we can define which entities carry risk and provide Healthylife a clear view on residual risk and overall posture within the Hola Health business for consideration.

It’s important to note the scope and limitations of this analysis; this review was conducted in a compressed timeframe (less than one month), and thus our focus was on areas where we were most likely to uncover adverse risk to Healthylife. Further, we acknowledge parallel reviews ongoing within the Hola Health business, covering other business functions; cybersecurity and legal reviews are out-of-scope, for example.

Ordinarily, we would couple this high-level review with a detailed analysis to prove the discussed policy/process/risk treatments were truly adopted and effective. For example, statistical analysis on the outcomes of a process would enable us to comment on the true effectiveness of a risk treatment — this has been scoped out for this time-sensitive review. Our approach delivers comprehensive coverage in the timeframe available, but additional investigatory opportunities should be considered to confirm the findings and further improve the risk posture.

The culmination of our efforts is a comprehensive report, presented in a consumable “Q&A” format for review by both Hola Health and Healthylife stakeholders, facilitating informed decision-making and risk mitigation strategies.