Santa Rosa Consulting has a great series of webinars on medical device connectivity and related issues, and I've been tapped for the October webinar. My topic revolves around the likely regulation of EMRs by the FDA and the potential impacts such a change might have on providers and manufacturers.

The following is my first take on the topic, and serves as a description of webinar. Any suggestions, points of view and links to relevant content on the Web (news stories, blog posts, regulations, etc.) is welcome.

Register for this webinar here, to be held on October 27, 2010 from noon to 1pm EST.

The Case for Regulating EMRs

From a quarter century point of view, it seems inevitable that the HIT industry will be regulated by the FDA. Look past all the hand waving and hyperventilating caused by this suggestion, and one sees that the HIT industry is already regulated by the FDA. For examples, look no further than blood bank software and PACS. The Center for Biologics Evaluation and Research (CBER) started regulating blood bank software via the premarket submission process in 1996. From their inception, the FDA considered PACS as accessories to diagnostic imaging modalities, and thus regulated. (Many PACS components have since been reclassified in recognition of their independence from imaging modalities.)

These examples aside, the HIT industry has pretty much avoided FDA scrutiny by claiming they're just automating administrative tasks and paperwork (i.e., workflow around the paper chart).With the advent of decision support systems tied to CPOE and other applications, "administrative" HIT systems have come to be increasingly recognized as a source of patient safety risk. See Margalit Gur-Arie's post at the KevinMD blog.Perhaps the story that's created the most buzz about the danger of EMRs is this Huffington Post piece from April, 2010.

On February 25, 2010, at a HHS panel meeting, Jeff Shuren reported:

The Food & Drug Administration has received 260 reports of health IT-related malfunctions with the potential for patient harm in the past two years, including 44 reported injuries and six reported deaths, said Dr. Jeffrey Shuren, director of FDA’s Center of Devices and Radiological Health.

Vendors, patients, clinicians and facilities voluntarily reported the problems but, because of that, “they may represent only the tip of the iceberg in terms of the HIT-related problems that exist,” he said at a Feb. 25 hearing of the Health IT Policy Committee’s adoption and certification work group, a Health and Human Services Department advisory panel.

Because there is no legal requirement for providers or manufacturers to report patient deaths or injury (or "near misses") due to EMR and related software, many believe these numbers represent the tip of the iceberg.

All of this has generated a growing call for the FDA regulation of EMRs. As HIT system architect Shahid Shah observed:

Yikes. We see all this focus on “meaningful use” but almost no discussion on safety critical systems and how the government will ensure that software being built is being built right and with high quality. Without stricter regulations like we have on medical devices, I’m afraid we won’t get the safety attention we need to bring to bear.

Regulators at the FDA and manufacturers have been grappling with how best to regulate software since the mid 1990s and before. With the advent of the iPhone, the topic of the potential regulation of smart phones is heard with increasingly frequency.Many of the issues here are related or similar to those revolving around EMR regulation.

The FDA's been spending some quality time thinking about all this. As evidence, there's this interesting analysis of HIT adverse events into 4 categories. Of course, the optimal solution to these patient safety issues continues to be debated by HHS and FDA -- who both want to claim the mantle of "EMR regulator."

Impact on Manufacturers

Three words: Quality, System, Regulation. In some cases, software buyers don't want to know how the sausage gets made. It is common practice for HIT vendors to:

  1. Write software without documented and complete requirements
  2. Have little or no traceability between requirements and testing
  3. Provide little or no post market surveillance of installed products

That's not to say that all HIT vendors, or all EMRs represent egregious examples of these product quality shortcomings -- they don't. But vendors will likely have to implement some sort of basic quality system to improve software quality. Meaningful post market surveillance is a no-brainer. And should regulators be more aggressive, there could be requirements for human factors engineering to optimize usability.

All of these changes will impact how products are delivered and costs. There will be no more quick and inexpensive product customization to win a sale. And the time between product releases will increase in an effort to wring as many latent software defects out of the code as possible. A mechanism for product recalls is also likely. And all of these potential changes will somehow roll downhill on to providers.

Impact on Providers

The safety and effectiveness of an EMR extends beyond writing code or even the initial implementation and configuration, as implied by this quote from the Huff Post piece:

Justin Starren, a physician who oversees technology at the Marshfield Clinic in Wisconsin, lays out the dilemma starkly: “Computers are strong medicine. Done well, they are wonderful; done poorly they can kill people,” he said.

How an EMR is used, managed and supported by the customer has a significant impact on patient safety. This will impact both costs and operations (which again, impacts costs). Here's my summary list of provider impacts:

  1. Higher purchase price from HIT vendors (but probably not a lot, due to competition).
  2. Much higher operating costs, though providers should be able to leverage some IEC 80001 investments.
  3. Providers will be challenged when it comes to modifying purchased EMRs if they are a regulated medical device.
  4. Risk management will need to be beefed up considerably - better governance, better documentation, deeper more substantial risk management focus.
  5. Change control will also need to be brought up a few notches in many organizations, and expect to be driven by product recalls and other post market surveillance results.
  6. Interoperability and connectivity between 1) similar systems in other provider organizations, 2) between information systems in the enterprise, and 3) between EMRs and medical device systems all add complexity and risk to broader HIT systems.
  7. Test, test, test! The system of systems (#6 above) installed in any one location is unique and has never been tested by any one manufacturer - just manufacturers testing their own bits and pieces.
  8. The slow trickle of IT people currently leaving hospitals for banks, big box retailers and other IT-intensive and low-risk employers will grow considerably.

All this begs the question of what providers (and HIT vendors) should do in anticipation of the inevitable? These are substantive changes impacting strategic plans, purchase plans and daily operations. I'll be recommending best practices for providers in the webinar.

Let me leave you with another question: When EMRs are regulated medical devices, does that mean that IT will report to Biomed?

There will be much more in the webinar on October 27, 2010. Hope to see you then!

UPDATE: Here's the link to the webinar on Santa Rosa Consulting's site. This topic has proven of such interest that I've written a more in-depth story for Patient Safety & Quality Healthcare magazine. I'll post a link when it goes up some time in February.

UPDATE: Here's the link to the story I wrote for PSQH magazine on FDA regulation of EMRs, titled The Case For Regulating EMRs.