IOM report poised to shape EHR safety regulation

EHR safety will likely get new scrutiny in the wake of an Institute of Medicine report. It remains to be seen if the FDA, ONC, TJC or some other entity will do the watchdog work.

If the Institute of Medicine (IOM) report Health IT and Patient Safety: Building Safer Systems for Better Care

has the same impact as its predecessor 1999 To Err is Human report on medical errors had, and continues to have, then it's time for technology developers and health care executives to buckle in and prepare for what could be a rocky regulatory ride toward building safer health information systems.

While the 1999 report talked about how hospitals can improve safety within their own facilities, the latest IOM study spotlights health IT software developers, with emphasis on those writing electronic health record applications. The EHR safety report puts much of the onus on vendors and uses words such as "nonpunitive" when talking about the end-users at health care providers, who the report said need a mechanism to publicly report health IT adverse events that cause serious injury, death or unsafe conditions.

Specifically, the IOM authors cited as roadblocks to transparency in reporting problems -- and ultimately, roadblocks to improving EHR safety -- the nondisclosure and indemnification agreements EHR vendors make their customers sign.

"These things could get in the way of free flow of information that allows us to really understand the current situation and may inhibit or induce some fear in people sharing data," said Paul Tang, a member of the IOM Committee on Patient Safety and Health Information Technology that authored the report, speaking in the press conference.

That, in turn, "creates less information than we'd like to have in order to fully characterize the safety impact that HIT systems have," added Tang, who also is chief innovation and technology officer at the Palo Alto Medical Foundation.

Adverse events reporting remains a contentious issue in health care, as providers are reluctant to disclose information that could lead to both vendor and patient lawsuits and technology vendors worry about proprietary disclosures making their products less competitive. Despite providers’ commitment to safety and high quality of care, a number of transparency initiatives by advocates and federal programs, such as patient-safety organizations, to increase reporting has not led to a far-flung change of heart in the industry since the 1999 safety report was released.

Still, if the latest IOM report can throw light on EHR customer confidentiality agreements and help make them a thing of the past, it will have made its mark on health care, said Chilmark Research founder John Moore in an interview.

"[These agreements] absolutely hamstring the industry when you're not able to report on these issues," Moore said, adding that he doesn't believe sharing adverse event reports would reveal much proprietary information about an EHR system, if any at all. "I think it's a travesty that EHR vendors have been able to get away with this for as long as they have."

Health IT industry advocate The Health Information Management Systems Society, said in a statement that the IOM report didn't go far enough in pointing out how much less safe paper-based systems are than their electronic counterparts, and that the IT industry already has been working toward making electronic systems safer.

"Through our ability to convene all stakeholders to uncover and solve real-world problems, HIMSS has uncovered many patient safety-related IT lessons learned, and can articulate the perils of poorly-conceived or implemented health IT," HIMSS President and CEO H. Stephen Lieber said in the statement. "We will use the IOM's report as a lens through which we can further focus our patient-safety initiatives to -- first -- prevent unintended harm from the use of health IT."

One possible remedy came from IOM report coauthor Ashish Jha, M.D., Harvard associate professor of health policy. Writing in the Nov. 10 issue of the New England Journal of Medicine, Jha suggested that EHR systems themselves should offer adverse event reports and, furthermore, that CMS should make such functionality a meaningful use requirement.

Getting the federal government involved in EHR safety

The IOM’s "To Err is Human" report spurred a flurry of government and professional activities to push health care providers into making safety improvements. Given the institute's pull in the industry, this latest report could do the same for vendors and other EHR developers.

The report recommends the ONC form a Health IT Safety Council to spearhead the improvement of EHR safety. At the same time, it said that the FDA should design a regulatory framework for policing EHR safety. In the event that the ONC council doesn't spur vendors and other stakeholders to loosen their grip on safety data and chip in together to make health IT safer, then the FDA could quickly step in and execute its regulatory framework plan, IOM said.

Potential mandatory regulation could be a pretty big stick backing up the ONC's more voluntary safety-council carrot, said Michelle Dougherty, director of practice leadership for the American Health Information Managers Association (AHIMA). She also said that while she agrees that vendor confidentiality agreements can inhibit transparency in EHR safety data, she thinks a key part of the report -- which called for better workforce training and developing implementation guidance for EHR systems -- would also help them function more safely in the hospital environment.

"That could contribute as well to the patient safety side," Dougherty said. "I think it should be an additional focus providers can take."

The report also recommended that the U.S. Department of Health and Human Services Secretary Kathleen Sebelius publish an action and surveillance plan for health IT safety within 12 months, monitor progress in improving it and report publicly on an annual basis. For his part, National Health IT Coordinator Farzad Mostashari, M.D., said his office will beat that deadline.

Part of that plan could be testing safety for installed EHR systems, as designed by standards agencies such as the American National Standards Institute and the Association for the Advancement of

Medical Instrumentation. The IOM report suggested that The Joint Commission could monitor hospital EHR testing and documentation as part of its safety accreditation process.

That should be a wakeup call to hospitals, Dougherty said, as the IOM report gives them a path to self-policing EHR safety -- and if they don't, they could be subject to FDA regulation.

What CIOs can do now to bolster EHR safety

While the IOM report looks toward the future, there is an EHR adverse event database up and running right now -- EHRevent.org -- which funnels reports back to their respective vendors. The site is administered by PDR Secure, one of many federally sanctioned patient safety organizations.

Edward Fotsch, M.D., CEO of PDR Network LLC, which oversees PDR Secure, said the IOM report wasn't surprising, in that it said neither that EHRs are perfectly safe nor that they're unsafe enough to prompt a return to paper-based medical records. He added he wished there would have been another "middle ground" recommendation that tied EHR safety testing to meaningful use certification, or the loss thereof.

The IOM report should raise awareness of EHR safety issues and remind health care providers that they, just like vendors, are accountable for it, according to Nancy Dickey, M.D., past American Medical Association president and chair of the nonprofit patient advocacy group iHealth Alliance, a PDR Network partner organization. That should spur them to report more issues at the EHRevent.org site, she added.

Fotsch said providers should prepare frontline clinicians with answers to the question that the highly publicized IOM report may put on the tips of many patients' tongues -- are EHR systems safe?

"You have to have good answers to that, [along the lines of] 'Yes, these systems have been in place and have been operating for years, and we're investing in this because, in total, they make our processes better,'" he said.

Dickey advised CIOs buying health IT systems in general -- and new EHR systems in particular -- to invest with vendors that appear to be as concerned with patient safety as they are. That manifests itself in a straightforward method for reporting software glitches and getting vendor support to solve those issues.

Interoperability between software systems is becoming a huge issue, AHIMA's Dougherty added. Health care providers should not just assume that "everything's been taken care of" by the vendors. During implementations, providers should more correctly assume that there will be problems.

Being proactive in looking for problems, rather than just passively assume things will work, will help improve safety. "There is a role for testing and monitoring on a continuing basis," Dougherty said.

That includes monitoring interfaces to determine how practitioners are seeing the information that is displayed, testing interoperability and even testing reporting features and methodologies for accuracy. "Having a process that allows those issues to be vetted and addressed is going to be critical," she added.

Let us know what you think about the story; email Don Fluckinger, Features Writer.

Dig deeper on Patient safety and quality improvement

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.