UPI is running a story today about the patient safety risks inherent in some clinical information systems, and making a case for regulatory oversight. The focus of the story is the paper published in Pediatrics about the University of Pittsburgh Children's hospital experience with Cerner's PowerOrder CPOE (the new fancy term for "order entry"). In a post last week about the study, I noted the consensus of those I read and talk to was that the unintended consequences were a result of configuration, implementation and operational decisions made by the hospital rather than defects or poor design of the application.

Yong Han, of the University of Michigan Medical School in Ann Arbor
and lead author of the journal article, told United Press International
he was especially concerned about the software aspect of the problem.

"Medical software directly impacts patient care, for better or
worse, and there are no checks and balances for it right now," said
Han, who formerly worked at the Pittsburgh hospital.

"I could get together with my friends at MIT, whip up a program, put it on the market and no one could stop me," he said.

"Drugs or medical devices must go through some degree of inspection
and evaluation to determine whether the manufacturer's claims are
substantiated. There's no such process for medical-software programs at
the current time, and I think there needs to be," Han argued.

This creates the impression that Han wants to blame the vendor for all the problems that were encountered. UPI interviews another Cerner PowerOrder client who reports using the application, "with no difficulty." Rather than get into the merits of the study itself, which Jim Fackler of Cerner does quite effectively in the UPI story, other points need to be made.

The most obvious point is that risk management and quality assurance are important in software development before the sale, and just as important during implementation, configuration and when operating decisions are made after the sale. Thus the problem "pierces the veil of commerce," a barrier that the regulatory efforts of the FDA have yet to breach (nor are they anxious to do so). Another point is that while Han and his friends from MIT are no doubt pretty sharp, they probably don't have the tens or hundreds of millions of dollars that would be required to develop and field a product against Cerner and their peers; the days of bringing a new major HIT application to market by a start-up, a la Gerber Alley, are behind us.

One of the regulatory work products (draft stage) that was reviewed at the networkable medical device study group meeting I participated in this week was a document from Japan that aims to provide regulatory oversight for the very safety reasons that Han alludes to in the quote above. (I'll post an electronic version of the document when I get it.) Regulating health care IT vendors addresses only half the problem. Applying regulatory oversight to users is new territory that could be easily muffed up. At a time when there is increasing demand for clinical information systems and automation at the point of care, shouldering the costs of a new regulatory burden could be disastrous. Prospective buyers can expect falling reimbursement for their services in the future; information technology needs to experience some innovation and commoditization in order to make the adoption of all this technology affordable.

One approach, which I think is likely to be taken, is to classify clinical information systems as a class 1 medical device. This would limit the regulatory burden to use of the FDA's Quality System Regulation in the development of software. Vendors should already be doing this to ensure a quality product, but in my experience many corners are rounded in unregulated software development in an effort to fund more features and (in a misguided attempt) to shorten the time to market. The end user problem could be addressed in the same way our study group settled on: a consensus standard that provides a process to manage risk in product and organizational configuration and use.

UPDATE: Here's another take in a Reuters Health article (registration required) by Will Bogg, M.D. With the new information in the Reuters story, the study raises questions about safety and effectiveness in product development and in product deployment - my recommendation/prognostication still stands.

UPDATE: I've been exchanging email with Dr. Han, and he's not happy with how he's been quoted in stories about the CPOE study. Dr. Han made it clear that he is a physician end user, and not an IT expert. In his interviews, he was simply asking the question whether clinical software should be regulated, not making a pitch for regulatory oversight. Journalism is about the story and a point of view rather than the actual events, and the UPI spin is certainly more dramatic.