IOM Calls For More Government Oversight Of Health IT

The Institute of Medicine is calling for HHS to create an action plan in the next 12 months on how to minimize the patient safety risk from health information technology.

In a Nov. 8 report sponsored by HHS, IOM’s Committee on Patient Safety and Health Information Technology says HHS should publish a schedule for working with the private sector to address safety concerns. HIT safety concerns generally relate to user or system errors that could lead to adverse outcomes for patients, such as improper data entry, system crashes, or using data out of context.

“However, if the secretary determines that progress toward improving safety is insufficient within a year, [FDA] should exercise its authority to regulate these technologies,” IOM said in a Nov. 8 press release. “Concurrently, FDA should begin planning the framework needed for potential regulation so that the agency is ready to act if necessary.”

IOM also wants HHS to create an independent entity to investigate patient deaths and other adverse events related to health IT.

The report deals with health information technologies including electronic health records, health information exchanges and secure patient portals, but does not encompass medical device software.

FDA is already struggling with issues related to the regulation of health IT. Recently, the agency issued a draft guidance document on mobile medical applications that could have implications for how pharmaceutical companies offer apps like dosage calculators (Also see "Downloading Confusion: Are Mobile Drug Dose Calculators Medical Devices?" - Pink Sheet, 31 Oct, 2011.).

Additionally, questions of safety of EHR systems have arisen relative to the speed at which the meaningful use criteria are being established (Also see "Medical Groups Call For More Flexibility, Time In EHR Stage 2 Meaningful Use" - Pink Sheet, 7 Mar, 2011.). Meeting meaningful use criteria will determine whether a physician or hospital group is eligible for bonus Medicare or Medicaid payments that were made available in the 2009 stimulus package in an effort to encourage adoption.

Striving To Balance Safety, Innovation

IOM committee Chair Gail Warden, president emeritus of the Henry Ford Health System in Detroit, says the patient safety and health IT committee wants to balance public and private sector interests and improve patient safety without constraining innovation.

“Unfortunately, we were unable to resolve the issues raised by one committee member,” who wants health IT to be regulated as a Class III medical device by FDA, Warden says in the report’s preface.

“This dissent makes no mention of the very serious implications that regulation of health IT by FDA as a Class III device could have on innovation,” she explains. “We deliberated about these issues over the course of the entire study and tried at length to understand each other’s perspectives toward reaching consensus on the issues.”

If regulation is necessary, IOM recommends, “FDA should consider a new, more flexible approach outside the traditional medical device classification scheme.” IOM goes on to say responsibility for a new classification scheme would fall to FDA, not IOM.

The report includes a dissent written by committee member Richard Cook, physician, educator and researcher at the University of Chicago, who argues that rather “than being an adjunct or appendage of health care delivery, health IT is necessarily intimately woven into the fabric of patient care. Electronic medical records, digital imaging, provider order entry, and test results delivery do not ‘have an effect’ on core medical functions; they are core medical functions.”

Cook noted that in contrast to, for example, electronic medical textbooks, health IT “involves the generation, manipulation, storage and display of patient- and provider-specific data.” Indeed one of the key arguments for using EHRs and other health IT apps is the support they can offer to comparative effectiveness and other kinds of research (Also see "PCORI Should Consider Health IT In Setting Research Priorities – Board’s Weisman" - Pink Sheet, 26 Sep, 2011.). It also is being seen more broadly as a key part of health care reform (Also see "Health IT The Linchpin To Health Care Reform – Bipartisan Policy Center" - Pink Sheet, 13 Jun, 2011.).

“This need for specificity imposes special requirements on information technology,” Cook continues. “When a provider reads a laboratory result from a computer screen or enters an order for a medicine by mouse or keyboard, the patient context matters a great deal.”

The report suggests that a number of factors will determine the extent to which harm related to health information technology can be reduced. Such factors include technology design, health IT implementation, how the technology fits into clinical workflow, how it supports clinical decision making by patients and providers, as well as its overall safety and reliability.

“A better understanding and acknowledgement of the risks associated with health IT and its use, as well as how to maximize the benefits, are needed,” IOM says, cautioning that adverse events related to health IT likely go unreported.

It warns that the private-sector health IT industry “consists of a broad variety of stakeholders lacking a uniform approach, and potentially misaligned goals.” Profit motives and competition can limit shared learning and have adverse consequences for patient safety, IOM contends.

While this was seen as a reason to proceed with a “wait and see” kind of approach, Cook cited some of these concerns as key reasons why health IT should be considered a Class III medical device now and not at some point in the future. “Until now, health IT’s quality, accuracy, precision, reliability and safety have been left almost entirely to vendors,” Cook argues. “Although facilities and, to a lesser extent, users can configure and adapt health IT for their own uses, as a practical matter it is the vendors who control what health IT looks like and how it performs. While this may be reasonable for consumers or even some commercial software and hardware, it is unacceptable for health IT that must provide high-level performance in a hazardous environment. Medical practice is inherently hazardous, and devices used to care for patients are regulated.”

Cook adds that even declaring health IT to be a Class III medical device is only the start of what needs to be done in order to regulate effectively.

“Accidents involving health IT are complex events that require substantial forensic skill to detect and describe,” Cook says. Events that could have fatal consequences range from system crashes to data that appear out of context for a variety of reasons.

“We know this not so much from studies of health IT as from experience in other domains,” Cook writes. “Indeed this experience is the basis for modern methods for IT designs for use in hazardous settings. It is not surprising that such events are now being discovered in health IT. What is surprising is that those creating and promoting these large systems have neither anticipated them nor looked for them. The development of health IT is marked by an optimism about the effects of IT that are unwarranted and naïve.”

Oversight On Deployed Systems Needed

The report offers a series of recommendations that focus on issues related to patient safety. One such observation noted by the committee in the report is that “the nation needs reliable means of assessing the current state and monitoring for improvement. Currently, no entity is developing such measures.”

This led to a recommendation that HHS “should fund a new Health IT Safety Council to evaluate criteria for assessing and monitoring the safe use of health IT and the use of health IT to enhance safety. This council should operate within an existing voluntary consensus organization” such as the National Quality Forum.

Additionally, the report recommends the creation of better tools for reporting adverse events. “Regular reporting of adverse events is widely used to identify and rectify vulnerabilities that threaten safety for the purposes of learning,” the report notes. “However, learning about safety of health IT is limited because there are currently no comprehensive analyses available about health IT-related adverse events, no consequences for failing to discover and report evidence about harms, and no aggregation of data for learning.”

The committee called the creation of a non-punitive environment for reporting of adverse events “essential” and recommended that HHS “should establish a mechanism for both vendors and users to report health IT-related deaths, serious injuries or unsafe conditions.”

It went on to suggest that adverse event reporting should be mandatory for vendors and voluntary, confidential and non-punitive for users. Additionally, efforts to encourage reporting “should be developed, such as removing the perceptual, cultural, contractual, legal and logistical barriers to reporting.”

With a reporting mechanism in place, the report goes on to suggest that “HHS should recommend that Congress establish an independent federal entity for investigating patient safety deaths, serious injuries, or potentially unsafe conditions associated with health IT. This entity should also monitor and analyze data and publicly report results of these activities.”

Committee members wrote that they considered existing agencies to conduct this monitoring, including FDA, the Office of the National Coordinator for Health Information Technology, the Agency for Healthcare Research and Quality and the private sector, but concluded that “investigating patient safety incidents does not match the internal expertise of any existing entity, as the needed functions are under the jurisdiction of multiple federal agencies and efforts are generally uncoordinated and not comprehensive.”

Sharing Responsibility With Vendors

The committee also is looking for vendors to take on a role in ensuring the safety of health IT.

“Health IT safety is contingent on how the technology is designed, implemented, used, and fits into clinical workflow, requiring the cooperation of both vendors and users,” the report states. “In the absence of a single accountable party, policy makers need to act on behalf of the public good to promote and monitor health IT safety. The committee believes this is best accomplished through collaboration between the private and public sectors.”

The report notes that there is “no systematic regulation or sense of shared accountability with the public sector” and that liability is shifted to users with no mechanisms to collect and analyze data. So, in addition to recommendations geared toward the government, the committee also says “HHS should ensure insofar as possible that health IT vendors support the free exchange of information about health IT experiences and issues and not prohibit sharing of such information, including details (e.g., screenshots) related to patient safety.”