
Wednesday, November 9, 2011

Federal Turf Battles on EHR Safety? Not Really

The IOM Report commissioned by ONC came out in preprint yesterday.  I took a quick read through it last night and today, and thought I would share some of my observations.  Before I get started, just a reminder that the opinions posted here are my own, not those of my employer or any other organization that I volunteer with.

I'm not going to do a detailed review of the report.  All-in-all, I found the 197 page document pretty decently done and rather comprehensive on first read [even though I don't come to quite the same conclusions as the report authors on every detail ;-)].

I was somewhat amused by this discussion on page ix in the Preface:
 "...but came to the realization that the information needed for an objective analysis and assessment of the safety of health IT and its use was not available.  This realization was eye-opening and drove the committee to consider ways to make information about the magnitude of the harm discoverable." 
The lack of evidence wasn't a surprise to me.  After reading through the NIST report on safety, and the evidence it and other referenced papers provided, it was clear to me that specific studies on EHR safety are needed.  The IOM report cites (p. 1-5) some of that same material, which I previously reviewed here.

Later on the same page, it reports:
"Definitive evidence was not available in many areas, such as determining what the roles of specific private- and public-sector actors should be, and how regulation would impact innovation in this area."
Certainly, the FDA has quite a bit of experience on the impacts of regulation on medical devices, both in hardware and software.  As I think about departmental systems that support patient monitoring, and PACS solutions (both highly regulated), I know that these are not "out-of-the box, turnkey devices" (p. S-10), but are rather highly configurable software products.  I also know of several software systems from multiple manufacturers that are both classified as medical devices subject to FDA regulation and which are also certified for meaningful use.  I would expect that the FDA would have some input on the impacts of its regulation on innovative solutions, and would be interested in what they have to say.

While the report itself focuses on Health IT that is "not a medical device", one type of Health IT that fits into the report, but is a medical device, was recently reclassified by the FDA.  The recent Medical Device Data System rule from the FDA reclassified certain types of devices from Class III (the most restricted) to Class I (the least restricted).  The FDA provided this guidance on requirements for manufacturers and developers of these devices. I've summarized the requirements below (but read the FDA guidance for the real details):
  1. Register and list the regulated products (software versions)
  2. Implement a quality management system
  3. Report on adverse events
Some of the recommendations in the IOM report are nearly identical:
Recommendation 5: All health IT vendors should be required to publicly register and list their products with ONC, initially beginning with EHRs certified for the meaningful use program. (p. S-7)
Recommendation 6: The Secretary of HHS should specify the quality and risk management process requirements that health IT vendors must adopt, with a particular focus on human factors, safety culture, and usability. (p. S-7)
Recommendation 7: The Secretary of HHS should establish a mechanism for both vendors and users to report health IT–related deaths, serious injuries, or unsafe conditions. (p. S-8)
Sound familiar?  I do have to laugh just a little about the comments regarding "duplication" of existing efforts (p. 6-14) since the FDA's registration process and database predates ONC's CHPL.  Coordination of these two systems would surely be valuable, as would any adverse event reporting capability, since there are products out there already that are both regulated and certified.

On recommendation 6, the report notes that the FDA's process is not well suited to Health IT, and recommends something a bit different. Given that the EHR really is a platform, this idea seems like it might have some value.  Perhaps this could be an alternate classification for the FDA?

Other reports in the media seem to think that IOM doesn't think FDA is the right place to manage EHR Patient Safety.  In several places, I've seen references to "capability ... but ... lack of capacity" (e.g., p. 6-23).  And then I read this:

Recommendation 9a: The Secretary of HHS should monitor and publicly report on the progress of health IT safety annually beginning in 2012. If progress toward safety and reliability is not sufficient as determined by the Secretary, the Secretary should direct the FDA to exercise all available authority to regulate EHRs, health information exchanges, and PHRs. (p. S-10)
Recommendation 9b: The Secretary should immediately direct the FDA to begin developing the necessary framework for regulation. Such a framework should be in place if and when the Secretary decides the state of health IT safety requires FDA regulation as stipulated in Recommendation 9a above. (p. S-10)
It certainly sounds like the IOM thought that FDA was at least the right place to develop the regulatory framework.  I think what IOM is really getting at here is that they want a "Lean" process for dealing with Health IT and Patient Safety, so as not to be perceived as interfering as much with innovation and adoption.  Quite honestly, I think the "anti-FDA" press on this report is way over-sensationalized.

Interestingly enough, there are already voluntary reporting programs available. It would seem important that HHS coordinate with these organizations, and build from, rather than duplicate, these existing efforts.  I almost missed the references to these efforts in the report in my initial read through.  They were mentioned briefly (p. 6-24) with respect to the "Patient Safety Organization" (PSO) program, but only by acronym.


  1. Keith, great summary,

    As you know, many EHRs on the market are hacked-together parts for multiple systems and rush-to-market solutions. Of all things software, EHRs are a medical device and must be regulated in some way by someone. I agree on the process that the FDA uses except for the cost and time to market that kills small innovative business. Yes, their ruling on MDDS was good for older large companies like GE, EPIC... but very hard on small companies. The MDDS ruling in my mind was a huge fumble and has led some to the anti-FDA movement. Much of the rule covered moving and displaying of data from a device. As we know, guaranteeing the integrity of data in transmission is one of the most simple things that can be done in software, e.g., TCP/IP checksums. And on the subject of voluntary, I must laugh.

    Jeff Brandt

  2. Jeff,

    I think the whole "FDA" as an innovation killer is a lot more FUD than anything else. Those three letters come up, and just about everyone runs away in fear. Most of it is just that in my opinion.

    I do think a make-over and more education is certainly needed, and some of the processes could be more streamlined for the "little-guy" [big-guys would benefit too]. That could be one result of the IOM report.