Wednesday, November 9, 2011

The IOM Report on Health IT Safety

A recent report from the Institute of Medicine (IOM),  “Health IT and Patient Safety: Building Safer Systems for Better Care”, introduces a new health care related term, "Health IT-assisted care", defined as "health care and services that incorporate and take advantage of health information technologies and health information exchange for the purpose of improving the processes and outcomes of health care services. Health IT–assisted care includes care supported by and involving EHRs, clinical decision support, computerized provider order entry, health information exchange, patient engagement technologies, and other health information technology used in clinical care”. And the IOM report, as its title implies, is recommending strategies to ensure that health IT-assisted care is safe for patients.

The IOM report presents a comprehensive literature review regarding the status of health IT as it pertains to patient safety from every conceivable angle, starting with the manufacturing process and drilling down into product selection, implementation processes, training, and actual use of EHRs and other health IT products. As most folks who follow the health IT industry know all too well, the report concludes that data concerning the effects of health IT on patient safety is currently scarce and inconclusive. Nevertheless, the scarcity of data and the “sparse evidence pertaining to the volume and types of patient safety risks related to health IT” did not prevent the committee from acquiring “the sense that potentially harmful situations and adverse events caused by IT were often not recognized and, even when they were recognized, usually not reported”. That maybe so and again it may be that what we see is all there is to see. Either way, “[t]he committee believes the current state of safety and health IT is not acceptable; specificactions[sic] are required to improve the safety of health IT”. To that end, the report presents 10 recommendations to the Secretary of Health and Human Services (HHS).
  1. HHS should create and publish an action plan in the next 12 months to assess the risk of health IT for patient safety and begin mitigation through education, research, standardization and the testing and accreditation of health IT products. Suggested organizations for funding and carrying out these activities are ONC, AHRQ and NLM.
  2. HHS should insure that health IT vendors freely exchange information regarding issues as they pertain to patient safety. This is where the infamous gag clauses in EHR contracts should be addressed.
  3. ONC should work with public and private sectors to make user reports of patient safety issues publicly available. NCQA and JCAHO are amongst the suggested implementers.
  4. HHS should fund the creation of a new Health IT Safety Council to evaluate criteria for measuring safety of health IT.
  5. ONC should require all health IT vendors to publicly register with the agency.
  6. HHS should define mandatory quality management processes for health IT vendors. ONC, FDA and certification bodies are suggested organizations for administering a compliance process.
  7. HHS should establish a mechanism for reporting adverse events which is mandatory for vendors and voluntary for users. Reports should be collected analyzed and acted upon.
  8. Congress should create an independent federal entity, similar to the National Transportation Safety Board (NTSB), to investigate the reports collected in item 7 above.
  9. HHS should monitor progress and if found lacking, should direct the FDA to exercise its full authority to regulate health IT. The FDA should immediately begin preparing the infrastructure for this eventuality.
  10. HHS should support cross disciplinary research of safety aspects of health IT, such as user centered design, safe implementation methods, sociotechnical systems, and effects of policy decisions on health IT.
This is a very impressive and very well-reasoned list of tactical and strategic initiatives, but it also presents some difficulties. First, reporting adverse events is a prerequisite to almost all activities recommended by the committee. It is not clear how such reporting is to be implemented when malpractice suits are a consideration. The report suggests that reports should be kept private, even anonymised, and that users should be protected from punitive actions. Does this protection extend to legal action? If the report-collection agency becomes aware that a patient died due to preventable error, should the patient’s family be notified? Should malpractice attorneys be allowed to review this public information and subpoena the identifiable data? Second, all ten recommendations made by IOM require significant funding and it is not clear where the monies should come from at the moment. The recommendation in item 9 above, that the FDA readies itself for full regulation of health IT as a contingency plan if all else fails, seems duplicative and particularly wasteful. Somehow the committee seems to believe that FDA regulation, unlike regulation by multiple disjointed organizations, would negatively affect anticipated innovation in health IT.

Speaking of the FDA, the immediate question, of course, is why do we need a 137 page report from the IOM to figure out how and who should oversee patient safety? The Food and Drug Administration (FDA) is currently overseeing patient safety issues arising from surgery-assisted care, radiology-assisted care, pharmaceutical-assisted care, implantable device-assisted care and all sorts of other types of assisted care. Most recently the FDA published its proposal to oversee mobile device-assisted care (phones, tablets and laptops). How and why is health IT-assisted care different? How is a medication dosing calculator on an iPhone different than the same calculator in an EHR? How is an iPhone connected to a blood pressure cuff different than an EHR connected to a blood pressure cuff?

To my immeasurable delight, the IOM report contains the answer in the Dissent Statement of Dr. Richard Cook. While the IOM report is recommending that health IT be regulated and monitored by a smorgasbord of existing or yet to be created organizations, none of which have the required expertise to tackle the task, and all of which will need to be heavily funded for this endeavor, with the FDA as a last resort measure, Dr. Cook proposes to allow the FDA to do its job in the first place.  Dr. Cook’s simple and straightforward recommendation is to have HHS “direct the FDA to exercise its authority to regulate health IT, including all EHRs and associated components, and health information exchanges, as Class III medical devices”. While possessing all salient characteristics of a Class III device, “health IT is on track to be a medical device used for every person in the United States” [italics in the original], which makes it both urgent and imperative to have health IT regulated and monitored properly and Dr. Cook's conclusion succinctly sums it all up: "health IT is a medical device. It should be regulated as a medical device now and should have been regulated as a medical device in the past".

No comments:

Post a Comment