As new providers begin to incorporate electronic health record systems into their practices, policymakers are wrestling with how and whether to regulate devices to ensure they do not lead to costly errors or deadly misses in patient safety.
It's a thorny problem because not only must EHRs perform safely within individual physicians' practices, but they also connect to other systems and networks to complete shared applications ranging from physicians orders to test result inquiries.
The effect of interconnected health information systems, combined with uneven levels of provider competency with health IT tools, has policymakers scrambling to find the right oversight formula to hold vendors accountable, protect patient safety and enable innovation.
"These products are interconnected with one another into networks of varying degrees of complexity," said Dr. Jeffrey Shuren, director of the Center for Devices and Radiological Health of the Food and Drug Administration, which oversees health IT software under its charter to regulate medical devices.
The FDA recognizes the potential of health IT to improve patient safety and believes that "a framework of federal oversight of health IT needs to be put in place to assure patient safety," he said at a February health IT policy committee meeting.
Among healthcare providers and vendors, "there is trepidation about FDA" regulating health IT, Shuren allowed, but so far the agency has "largely refrained from enforcing our regulatory requirements with respect to health IT devices."
Earlier this year health IT firms were concerned Congress would enter the fray when Sen. Chuck Grassley (R-Iowa) wrote to 31 hospitals and 10 health IT vendors asking them how they handled patient safety related to the use of electronic health records.
Grassley, the senior Republican on the Senate Finance Committee, which oversees Medicare and Medicaid, said he wanted to resolve problems before physicians and hospitals apply to receive federal incentive payments starting in 2011 for adopting electronic health records under the HITECH Act. He has not said what he will do with his findings.
Above all, the healthcare industry wants to avoid FDA becoming a market gatekeeper, with the potential to hold back the speed of the market.
In a March meeting, Dr. Paul Tang, vice chairman of HHS's health IT policy committee, strove for balance, saying, "pre-market approval has the risk of impeding innovation, but post-market surveillance as a mandatory aspect may be something we can have." Tang is also chief medical information officer of the Palo Alto Medical Foundation.
The challenge is how to create, "in a minimally invasive way," an environment where both vendors and users can report problems and learn from them on behalf of the entire healthcare community, Tang said.
Among the panel's recommendations are to create a patient safety database, for which providers, vendors and patients could confidentially report incidents and near misses. An organization would be set up to investigate serious incidents and share findings with healthcare providers. The results could also be used to improve certification criteria for EHRs, Tang said.
Overall, the health IT community believes patient safety begins at home" and in the hands of individual physicians who may or may not be equipped to handle the devices properly.
"It's amazing what an end user can do to a system to not make it work," said Marc Probst, the chief information officer at Intermountain Healthcare and a member of HHS's Health IT Policy Committee.
Safety problems tend to gravitate around networks and devices, he said, citing an incident at Intermountain when service personnel exposed a medication dispensing system to a virus, which crashed the system. In that case, Intermountain's ability to rapidly warn users offset any further potential safety risks.
"I think there is a lot of local responsibility for health IT safety that vendors can't keep up with," Probst said. "No one's going to have the same IT environment."
A key factor is that physicians are simply not trained to use EHR systems, which exposes them to risk. As in the airline industry, such training should be mandated, said Dr. Neil Calman, president and CEO of New York's Institute for Family Health, who is a member of the Health IT Standards Committee.
"With the Federal Aviation Administration, if a new plane or equipment comes out, pilots have to be trained and their competency is tested," he said. "We need to test that competency with EHR systems the same way we would test that in a hospital if we were teaching somebody how to do a spinal tap."
Paul Egerman, chairman of a panel that is making patient safety recommendations to the Health IT Policy Committee, recommended that a feedback or notification button be coded into health IT devices to capture and report potentially misleading or confusing data encountered by providers.
"You lose a lot of information when you have to write it down and report it later," he said.
Policy committee members also suggested the healthcare industry take advantage of the health IT certification process to lock-in patient safety best practices.
The EHR certification process could be strengthened by incorporating elements of FDA's Quality System Regulation, which the agency requires for certain medical devices to assure that they are designed well and that the correct processes are in place.
To make patient safety more robust, health IT certification organizations can also evaluate for potential safety hazards and track and share the results so the industry can learn from it, which is different from FDA's device process, he said.
"While we have concerns, we've also seen that the FDA has valuable experience that could help the ONC accomplish its goals," Egerman said.
Despite the risks, researchers and providers said EHRs vastly improve the existing quality of U.S.medical care, where errors are a near-epidemic.
"What could harm patients the most is not implementing these systems at all. The most important thing we can do is implement these systems safely and correctly," Egerman said.
