Showing posts with label healthcare IT certification. Show all posts
Showing posts with label healthcare IT certification. Show all posts

Home Posts filed under >healthcare IT certification

Defense Attorney Lies Under Oath In Sworn Filing to Protect Hospital's Health IT

At my Aug. 7. 2012 post "Malpractice Attorney Puts ONC-Authorized Testing and Certification Bodies (ATCBs) at Risk of Litigation?" I wrote:

 ... I returned to the U.S. to find that the defense attorney for the hospital where my mother was severely injured, and then died as a result, is once again raising an absurd issue in objections to the medical malpractice Complaint that was refiled within the Statute of Limitations for technical reasons.   The President Judge of the county where the case is filed had dismissed this complaint (among many others) some time ago:

(ii) Plaintiffs Software Design Defect Claims are Preempted by the Federal HITECH Act

... To the extent Plaintiff attempts to bring a common law product liability claim against [name redacted] Hospital for required use of EMR software [see addendum below - ed.], such a claim is barred due to Federal Preemption of this area with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. 42 U.S.C. 201, 300, et seq.

Specifically, the design, manufacture, specification, certification and sale of EMR in the United States is a highly regulated industry under the jurisdiction of the Department of Health and Human Services (HHS). The HHS draws its statutory authority to design and certify EMR as safe and effective under the HITECH act as amended. Id.

The Supremacy Clause of the United States Constitution, article VI, clause 2, preempts any state law that conflicts with the exercise of federal power. Fid. Fed. Say. & Loan Ass’n v. de la Cuesta, 458 U.S. 141, 102 S. Ct. 3014 (1982). “Pre-emption may be either express or implied, and ‘is compelled whether Congress’ command is explicitly stated in the statute’s language or implicitly contained in its structure and purpose.” Matter of Calun Elec. Power Co-op., Inc., 109 F.3d 248, 254 (5th Cir. 1997) citing Jones v. Rath Packing Co., 430 U.s. 519, 525 (1977).

In this case, to impose common law liability upon [name redacted] Hospital for using certified EHR technology, which was in compliance with federal law and regulations for Health Information Technology, would directly conflict with Congress’ statutory scheme for fostering and promoting the implementation and use of EHR 

I really don't think Congress intended HIT to maim and kill patients with impunity.  In any case, this assertion was thrown out in its entirety several months ago, but here it is again in a new set of objections.  I find its reappearance remarkable.  I also wonder if the industry is behind it.

What I didn't post is the reply to this nonsense that was presented to the court by Plaintiff (me), via Plaintiff's counsel after my analysis of this passage, in a Memorandum of Law to the court Dec. 5, 2011:

... HHS does not regulate the design, manufacture, specification, certification, and sale of EMRs or any other clinical information technology. The HITECH Act itself does not establish standards and certification criteria for health information technology, but instead establishes the HIT Standards Committee to implement such specifications and standards for certification. HITECH Act § 3003, 42 U.S.C. § 300jj-13.

The initial set of standards specifications and certification criteria were not published until July 28, 2010, approximately 2 months after Mrs. Silverstein entered [name redacted] Hospital. Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 75 Fed. Reg. 44589 (July 28, 2010). Therefore, it would have been impossible for [name redacted] Hospital’s EMR system “to be in compliance with federal law and regulations for Health Information Technology” during the time of Mrs. Silverstein’s admission.

These facts were filed with the Court and delivered to the defense on Dec. 5, 2011 regarding health IT certification.  An Affidavit/Certificate of Service to the defendants was also filed with the Response and Memorandum of Law as is customary, and are noted on the Prothontary website.  No "I didn't receive it" excuse is possible...

The facts about health IT "certification" are trivial to verify. 

As the hospital admission where my mother was injured, and the injury itself, were in May 2010, "using certified EHR technology in compliance with federal law and regulations for Health Information Technology" was not possible at that time.  (Not to mention the facilities' EHR's were not actually "certified" until December 2010 via the ONC database of certified systems.)

Thus, the defense attorney by re-issuing this claim in August 2012 (to the new judge overseeing the case re-filing) is now knowingly lying to the Court in sworn filings, in order to harass, cause unnecessary delays in litigation, and needlessly increase the cost of litigation while collecting hourly fees for production of frivolous and untrue assertions.

The attorney is also making a mockery of the court system in the locality where the case is being heard, and also insulting the judges' intelligence.

These are the lengths to which hospitals and defense attorneys seem to be willing to go in defense of health IT.  I find this remarkable (but not surprising).

It will be interesting to see how the judge responds to an attorney knowingly trying to blow smoke up his behind.

-- SS

Addendum:  Also pointed out in earlier filings was the fact that use of EMR's is not "required."   It seems the defense attorney, besides being a liar, has a thick skull.

-- SS

Malpractice Attorney Puts ONC-Authorized Testing and Certification Bodies (ATCBs) at Risk of Litigation?

I am jet-lagged after returning from Sydney, Australia, where I delivered one of the keynote addresses at the Health Informatics Society of Australia annual conference, HIC 2012 (http://www.hisa.org.au/page/hic2012/).

My theme in a talk entitled "Critical Thinking on Building Trusted, Transformative Medical Information:  Improving Health IT as the First Step" was health IT trust and safety.  I was actually invited in 2011 but could not attend; I was helping care for my mother, who was severely injured due to a HIT-related mishap in 2010.  Her death in 2011 allowed me to attend now on re-invitation.

More on my presentation later.


A beautiful view of the Sydney Harbour Bridge and Opera House, taken with a mere Canon SX110IS.  Click to enlarge.


In the meantime, I returned to the U.S. to find that the defense attorney for the hospital where my mother was severely injured, and then died as a result, is once again raising an absurd issue in objections to the medical malpractice Complaint that was refiled within the Statute of Limitations for technical reasons.   The President Judge of the county where the case is filed had dismissed this complaint (among many others) some time ago:


(ii) Plaintiffs Software Design Defect Claims are Preempted by the Federal HITECH Act

... To the extent Plaintiff attempts to bring a common law product liability claim against [name redacted] Hospital for required use of EMR software, such a claim is barred due to Federal Preemption of this area with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. 42 U.S.C. 201, 300, et seq.

Specifically, the design, manufacture, specification, certification and sale of EMR in the United States is a highly regulated industry under the jurisdiction of the Department of Health and Human Services (HHS). The HHS draws its statutory authority to design and certify EMR as safe and effective under the HITECH act as amended. Id.

The Supremacy Clause of the United States Constitution, article VI, clause 2, preempts any state law that conflicts with the exercise of federal power. Fid. Fed. Say. & Loan Ass’n v. de la Cuesta, 458 U.S. 141, 102 S. Ct. 3014 (1982). “Pre-emption may be either express or implied, and ‘is compelled whether Congress’ command is explicitly stated in the statute’s language or implicitly contained in its structure and purpose.” Matter of Calun Elec. Power Co-op., Inc., 109 F.3d 248, 254 (5th Cir. 1997) citing Jones v. Rath Packing Co., 430 U.s. 519, 525 (1977).

In this case, to impose common law liability upon [name redacted] Hospital for using certified EHR technology, which was in compliance with federal law and regulations for Health Information Technology, would directly conflict with Congress’ statutory scheme for fostering and promoting the implementation and use of EHR 

I really don't think Congress intended HIT to maim and kill patients with impunity.  In any case, this assertion was thrown out in its entirety several months ago, but here it is again in a new set of objections.  I find its reappearance remarkable.  I also wonder if the industry is behind it.

As per numerous posts in this blog, such assertions are false - and likely knowingly so in this situation.  (In that case, this would be an even more serious matter.)

For example as I pointed out at my Feb. 2012 post Hospitals and Doctors Use Health IT at Their Own Risk - Even if "Certified", ONC-Authorized Testing and Certification Bodies (ATCB's) answered my questions about safety, legal indemnification etc.  Their work has nothing to do with certifying HIT as safe by their own admission.

Also, as in my April 2011 post FDA Decides Regulating Implantable Defibrillator Medical Devices a "Political Hot Potato"; Demurs and my Nov. 2011 post IOM Report - "Health IT and Patient Safety: Building Safer Systems for Better Care, the HIT industry is unregulated.

On the HIT regulation issue, IOM has itself stated in no uncertain terms that HIT is non-regulated (not "a highly regulated industry") in their report to HHS.  For instance, in the aforementioned 2012 report they state (as one example):

... If the Secretary [of HHS] deems it necessary for the FDA to regulate EHRs and other currently nonregulated health IT products, clear determinations will need to be made about whether all health IT products classify as medical devices for the purposes of regulation. If FDA regulation is deemed necessary, the FDA will need to commit sufficient resources and add capacity and expertise to be effective.

I won't even address the claim that the HITECH Act represents or intended to represent Federal pre-emption of state common law rights.   It's without merit, and actually absurd.

Worst of all, statements in legal dockets that "HHS draws its statutory authority to design and certify EMR as safe and effective under the HITECH Act" (in reality, private non-governmental ONC-Authorized Testing and Certification Bodies or ATCB's are appointed by ONC to "certify" HIT features and functionality to be compliant with "Meaningful Use" guidelines and do not test for safety or efficacy) potentially puts those private ATCB's at risk for being named defendants in lawsuits where HIT was found unsafe and/or ineffective if upheld.

I am sure the ATCB's and ONC would not be happy about that.

-- SS

WSJ "There's a Medical App for That—Or Not" - Misinformation on Health IT Safety Regulation?

There's a health IT meme that just won't die (patients may, but not the meme).

It's the meme that health IT "certification" is a certification of safety.

I expressed concern about the term "certification" being misunderstood even before the meme formally appeared, when the term was adopted by HHS with regard to evaluation of health IT for adherence to the "meaningful use" pre-flight features checklist.  See my mid-2009 post "CCHIT Has Company" where I observed:

HIT "certification." ... is a term I put in quotes since it really is "features qualification" at this point, not certification such as a physician receives after passing Specialty Boards.

The "features qualification" is an assurance that the EHR functions in way that could enable an eligible provider or eligible hospital to meet the Center for Medicare & Medicaid Services' (CMS) requirements of "Meaningful Use."  No rigorous safety testing in any meaningful sense is done, and no testing under real-world conditions is done at all.

I've seen the meme in various publications and venues.  I've even seen it in legal documents in medical malpractice cases where EHR's were involved, as an attempted defense.

Now the WSJ has fallen for the health IT Certification meme.

An article "There's a Medical App for That—Or Not" was published on May 29, 2012.  Its theme is special regulatory accommodation for health IT in the form of opposition to FDA regulation of devices such as "portable health records and programs that let doctors and patients keep track of data on iPads."

In the article, this assertion about health IT "certification" is made:

... The FDA's approach to health-information technology risks snuffing out activity at a critical frontier of health care. Poor, slow regulation would encourage programmers to move on, leaving health care to roil away for yet another generation, fragmented, disconnected and choking on paperwork.

The process already exists for safeguarding the public for computers in health care. It's not FDA premarket review but the health information technology certification program, established under President George W. Bush and still working fine under the Obama Health and Human Services Department. The government sets the standards and an independent nonprofit [ATCB, i.e., ONC Authorized Testing and Certification Bodies - ed.] ensures that apps meet those standards. It's a regulatory process as nimble as the breakout industry it's meant to monitor. That is where and how these apps should be regulated.

It's a wonderful meme.  Unfortunately, it's wrong.  Dead wrong.

Certification by an ATCB does not "safeguard the public."   Two ONC Authorized Testing and Certification Bodies (ATCB's) admitted this in email, as in my Feb. 2012 post "Hospitals and Doctors Use Health IT at Their Own Risk - Even if Certified".  I had asked them, point-blank:

"Is EHR certification by an ATCB a certification of EHR safety, effectiveness, and a legal indemnification, i.e., certifying freedom from liability for EHR use of clinical users or organizations? Or does it signify less than that?"

I received two replies from major ONC ATCB's indicating that "certification" is merely assurance that HIT meets a minimal set of "meaningful use" guidelines, not that it's been vetted for safety.  For instance:

From: Joani Hughes (Drummond Group)
Sent: Monday, March 05, 2012 1:06 PM
To: Scot Silverstein
Subject: RE: EHR certification question

Per our testing team:

It is less than that. It does not address indemnification although a certification could be used as a conditional part of some other form of indemnification function, such as a waiver or TOA, but that is ultimately out of the scope of the certification itself. Certification in this sense is an assurance that the EHR functions in way that could enable an eligible provider or eligible hospital to meet the CMS requirements of Meaningful Use Stage 1. Or to restate it more directly, CMS is expecting eligible providers or eligible hospitals to use their EHR in “meaningful way” quantified by various quantitative measure metrics and eligible providers or eligible hospitals can only be assured they can do this if they obtain a certified EHR technology.

Please let me know if you have any questions.

Thank you,
Joani.

Joani Hughes
Client Services Coordinator
Drummond Group Inc.

The other ATCB, ICSA Labs, stated that:

... Certification by an ATCB signifies that the product or system tested has the capabilities to meet specific criteria published by NIST and approved by the Office of the National Coordinator. In this case the criteria are designed to support providers and hospitals achieve "Meaningful Use." A subset of the criteria deal with the security and patient privacy capabilities of the system.

Here is a list of the specific criteria involved in our testing:
http://healthcare.nist.gov/use_testing/effective_requirements.html

In a nutshell, ONC-ATCB Certification deals with testing the capabilities of a system, some of them relate to patient safety, privacy and security functions (audit logging, encryption, emergency access, etc.).

What was suggested in the email below (freedom from liability for users of the system, etc.) would be out of scope for ONC-ATCB testing based on the given criteria. [I.e., certification criteria - ed.] I hope that helps to answer your question.

I had noted that:

... My question was certainly answered [by the ATCB responses]. ONC certification is not a safety validation, such as in a document from NASA on aerospace software safety certification, "Certification Processes for Safety-Critical and Mission-Critical Aerospace Software" (PDF) which specifies at pg. 6-7:
In order to meet most regulatory guidelines, developers must build a safety case as a means of documenting the safety justification of a system. The safety case is a record of all safety activities associated with a system throughout its life. Items contained in a safety case include the following:

• Description of the system/software
• Evidence of competence of personnel involved in development of safety-critical software and any
safety activity
• Specification of safety requirements
• Results of hazard and risk analysis
• Details of risk reduction techniques employed
• Results of design analysis showing that the system design meets all required safety targets
Verification and validation strategy
• Results of all verification and validation activities
• Records of safety reviews
• Records of any incidents which occur throughout the life of the system
• Records of all changes to the system and justification of its continued safety

A CCHIT ATCB juror, a physician informatics specialist, has also done a guest post in Jan. 2012 on HC Renewal about the certification process, reproducing his testimony to HHS on the issue.  That post is "Interesting HIT Testimony to HHS Standards Committee, Jan. 11, 2011, by Dr. Monteith."  Dr. Monteith testified (emphases mine):

... I’m “pro-HIT.” For all intents and purposes, I haven’t handwritten a prescription since 1999.

That said and with all due respect to the capable people who have worked hard to try to improve health care through HIT, here’s my frank message:

ONC’s strategy has put the cart before the horse. HIT is not ready for widespread implementation. 

... ONC has promoted HIT as if there are clear evidence-based products and processes supporting widespread HIT implementation.

But what’s clear is that we are experimenting…with lives, privacy and careers.

... I have documented scores of error types with our certified EHR, and literally hundreds of EHR-generated errors, including consistently incorrect diagnoses, ambiguous eRxs, etc.

As a CCHIT Juror, I’ve seen an inadequate process. Don’t get me wrong, the problem is not CCHIT. The problem stems from MU.

EHRs are being certified even though they take 20 minutes to do a simple task that should take about 20 seconds to do in the field.  [Which can contribute to mistakes and "use error" - ed.] Certification is an “open book” test. How can so many do so poorly?

For example, our EHR is certified, even though it cannot generate eRxs from within the EHR, as required by MU.

To CCHIT’s credit, our EHR vendor did not pass certification. Sadly, our vendor went to another certification body, and now they’re certified.

MU does not address many important issues. Usability has received little more than lip-service. What about safety problems and reporting safety problems? What about computer generated alerts, almost all of which are known to be ignored or overridden (usually for good reason)?
 
The concept of “unintended consequences” comes to mind.

All that said, the problem really isn’t MU and its gross shortcomings, it is ONC trying to do the impossible:

ONC is trying to artificially force a cure for cancer, basically trying to promote one into being, when in fact we need to let one evolve through an evidence-based, disciplined process of scientific discovery and the marketplace.

Needless to say, as was learned at great cost in past decades, a "disciplined process" in medicine includes meaningful safety regulation by objective outside experts.

Further, the certifiers have no authority to do important things such as forcibly remove dangerous software from the market.  An example is the forced Class 1 recall of a defective system as I wrote about in my Dec. 2011 post "FDA Recalls Draeger Health IT Device Because This Product May Cause Serious Adverse Health Consequences, Including Death".   Class 1 recalls are the most serious type of recall and involve situations in which there is a reasonable probability that use of these products will cause serious adverse health consequences or death.

In that situation, the producer had been simply advising users (in critical care environments, no less) to "work around the defects" that could indicate incorrect recommended dosage values of critical meds, including a drug dosage up to ten times the indicated dosage, as well as corrupt critical cardiovascular monitoring data.  As I observed:

... I find a software company advising clinicians to make sure to "work around" blatant IT defects in "acute care environments" the height of arrogance and contempt for patient safety.

Without formal regulatory authority to take actions such as this FDA recall, "safeguarding the public" is a meaningless platitude.

It's also likely the ATCB's, which are private businesses, would not want the responsibility of "safeguarding the public."  That responsibility would open them up to litigation when patient injuries or death were caused, or were contributed to, by "certified" health IT.

I have in the past also noted that the use of the term "certification" might have been deliberate, to mislead potential buyers exactly into thinking that "certification" is akin to a UL certification of an electrical appliance for safety, or an FAA approval of a new aircraft's flight-worthiness.

The WSJ needs to clarify and/or retract its statement, as the statement is misinformation.

At my Feb. 2012 post "Health IT Ddulites and Disregard for the Rights of Others" I observed:

Ddulites [HIT hyper-enthusiasts - ed.] ... ignore the downsides (patient harms) of health IT.

This is despite being already aware of, or informed of patient harms, even by reputable sources such as FDA (Internal FDA memo on H-IT risks), The Joint Commission (Sentinel Events Alert on health IT), the NHS (Examples of potential harm presented by health software - Annex A starting at p. 38), and the ECRI Institute (Top ten healthcare technology risks), to name just a few.

In fact, the hyper-enthusiastic health IT technophiles will go out of their way to incorrectly dismiss risk management-valuable case reports as "anecdotes" not worthy of consideration (see "Anecdotes and medicine" essay at this link).

They will also make unsubstantiated, often hysterical-sounding claims that health IT systems are necessary to, or simply will "transform" (into what, exactly, is usually left a mystery) or even "revolutionize" medicine (whatever that means).

Health IT is a potentially dangerous technology.   It requires meaningful regulation to "safeguard the public."  How many incidents like this and this will it take before that is understood by the hyper-enthusiasts?

I've emailed the ATCB's that had responded to my aforementioned query for clarification on the WSJ assertion about their role, being that the statement is in contradiction to their earlier replies to me.  I also advised them of the potential liability issues.

However, if it turns out to be true that the ONC-ATCB's do intend themselves as the ultimate watchdog and assurer of public safety related to EHR's, that needs to be known by the public and their representatives.

-- SS

Health IT Culture: Severe Overconfidence (Arrogance?) Shows In The Industry's Very Terminology For Their Deliverables

Health IT commentator Neil Versel notes in his piece "HIMSS12 notes" at his site Meaningful Health IT News that:

I am in 100 percent agreement with something Dr. Wendy Sue Swanson, a.k.a. Seattle Mama Doc, said during an engaging presentation Monday at the HIMSS/CHIME CIO Forum. She made the astute observation that there needs to be better distinction between expertise and merely experience when it comes to celebrities being held up as “experts” in healthcare and medicine. Let’s just say that Swanson, as a pediatrician, is no fan of some of the things Jenny McCarthy and Dr. Mehmet Oz have told wide audiences.

He posted a link to his piece in a social networking site we both visit. I commented:

To that, I add "healthcare IT" where it seems anyone who's done anything with a computer in some medical setting can get away with calling themselves a "medical informatics expert" or "health IT expert." As in ham radio levels of just a few years ago, we need distinctions between novice class, technician class, general class, advanced class, and extra class.


In his piece Neil also linked to what he correctly termed "scathing critique" of the venue for HIMSS 2012 at my HC Renewal post "HIMSS Annual Meeting in Las Vegas - Fitting for People Who Gamble With People's Lives to Make a Buck?"

I replied to him via the social networking site that:

"I like to point out ironies that seem to escape others, although I have heard from other colleagues that I was not alone in finding Las Vegas a somewhat peculiar place for a medical meeting about improving health! However, others' mileage may vary."

Neil noted that he likes pointing out ironies, too, and gave as an example as the meetings held at the Loews Hotel near Vanderbilt University Medical Center, being that Loews Hotels is a corporate cousin of Lorrilard Tobacco.

Finally, Neil comments:

Popular topics this year were the expected meaningful use and ICD-10, plus the buzzwords of the moment, business analytics and big data. I’d be happy I never hear the word “solution” as a synonym for “product” or “service” again. To me, that represents lazy marketing. Get yourself a thesaurus.

I agreed, and replied that:

"Solution", the common term in IT for anything an IT department or company provides, is a one-word example of a language usage akin to 'begging the question.'

This term, in one mere word, reflects a stunning arrogance within the IT culture.

I also noted that:

... there needs to be terminological consistency. If the IT vendors can call their wares "solutions", then doctors should call their treatments and drugs "cures." Come to my office for your cure; I am a curer; I write cures, not prescriptions.

I also noted that the term "meaningful use" phrase selected by the U.S. government/HHS for EHR adoption according to printed guidelines is another example of terminology that, ante hoc, assumes its semantics are correct.

How do we know the use is "meaningful" until such use is studied rigorously and outcomes, costs. etc. assessed?

Answer: we don't.

And this administration criticized the previous one for politicizing science ... George Orwell could not have selected better terms than "meaningful use", "certified EHR", and "solution" as examples of "Newspeak" in 1984.

-- SS


Is ONC Stonewalling on the issue of HIT Certification, Safety and Liability?

At my Feb. 16, 2012 post "Hospitals and Doctors Use Health IT at Their Own Risk - Even if Certified" I wrote that an ONC-ATCB (Authorized Testing and Certification Body) replied to my email inquiry about health IT certification, safety and liability indemnification by stating that:

What was suggested in the email below (freedom from liability for users of the system, etc.) would be out of scope for ONC-ATCB testing based on the given criteria.

[That is, the criteria used in testing here - ed.]

What I did not include in that post was the fact that some months ago, I had emailed ONC directly with the same questions, and then called them on the phone with those questions at about the same time as I inquired of the ATCB.

ONC itself never responded.

There are several possibilities:

  • They don't know the answer.
  • They don't want to respond.
  • They don't care to respond.


Dismissing possibility #1, these civil servants appear to be stonewalling on the issue.

It would be nice to hear ONC itself admit the term "certification" is a gossamer guarantee of health IT safety, efficacy and indemnification of purchasers, implementers and users from potential EHR-related liability.

I am not holding my breath.

-- SS

Addendum:

An ONC representative did get back to me on Feb. 27, but I told them my question had already been answered by ONC ATCB's.

Hospitals and Doctors Use Health IT at Their Own Risk - Even if "Certified"

Due to my observations of confusion about health IT certification [1], and due to vague or incomplete seller language that could be misinterpreted by buyers (perhaps by design), I recently asked several ONC-ATCBs (HHS's Office of the National Coordinator for Health IT-Authorized Testing and Certification Bodies) the following.

I sent this question via email to their "questions" email addresses:

"Is EHR certification by an ATCB a certification of EHR safety, effectiveness, and a legal indemnification, i.e., certifying freedom from liability for EHR use of clinical users or organizations? Or does it signify less than that?"

One ONC-ATCB provided the following in response to my request for information.


From: Trivedi, Amit V (ICSA Labs)
Sent: Thursday, February 16, 2012 11:22 AM
To: Scot Silverstein
Subject: RE: Form submission from: Contact Us

Hello Scot,

Thanks for your email. Certification by an ATCB signifies that the product or system tested has the capabilities to meet specific criteria published by NIST and approved by the Office of the National Coordinator. In this case the criteria are designed to support providers and hospitals achieve "Meaningful Use." A subset of the criteria deal with the security and patient privacy capabilities of the system.

Here is a list of the specific criteria involved in our testing:
http://healthcare.nist.gov/use_testing/effective_requirements.html

In a nutshell, ONC-ATCB Certification deals with testing the capabilities of a system, some of them relate to patient safety, privacy and security functions (audit logging, encryption, emergency access, etc.).

What was suggested in the email below (freedom from liability for users of the system, etc.) would be out of scope for ONC-ATCB testing based on the given criteria. [I.e., certification criteria - ed.] I hope that helps to answer your question.

Thanks,

Amit

Amit Trivedi
Program Manager - Healthcare
ICSA Labs, an Independent Division of Verizon Business


My question was certainly answered. ONC certification is not a safety validation, such as in a document from NASA on aerospace software safety certification, "Certification Processes for Safety-Critical and Mission-Critical Aerospace Software" (PDF) which specifies at pg. 6-7:

In order to meet most regulatory guidelines, developers must build a safety case as a means of documenting the safety justification of a system. The safety case is a record of all safety activities associated with a system throughout its life. Items contained in a safety case include the following:

• Description of the system/software
• Evidence of competence of personnel involved in development of safety-critical software and any
safety activity
• Specification of safety requirements
• Results of hazard and risk analysis
• Details of risk reduction techniques employed
• Results of design analysis showing that the system design meets all required safety targets
Verification and validation strategy
• Results of all verification and validation activities
• Records of safety reviews
• Records of any incidents which occur throughout the life of the system
• Records of all changes to the system and justification of its continued safety

Health IT testing conspicuously lacks attention to most of the aerospace software safety points above. I note that there appears to be no reasonable excuse for such omissions.

IOM has recently studied the issue of HIT safety. IOM states in a Nov. 2011 report that HIT safety and safety testing is unsatisfactory, and has recommended HHS study it as well. IOM recommends HHS annually re-evaluate whether regulation is needed to improve safety, although IOM favors industry self-policing [2].

Thus, buyers and users of even "ONC certified" health IT are not indemnified from liability due to medical errors or problems caused by the health IT.

Sellers who exaggerate the value of certification or imply its meaning is akin to FDA device approval, likewise, could be faulted for making false representations about their products.

It would appear the sellers could potentially be sued for doing so by purchasers/users who themselves get into legal hot water due to EHR defects or other problems.

-- SS

Note:

[1] I believe confusion about EHR "certification" is in part due to the term itself. I raised objections to this term when it was first proposed based on my experience in pharma, suggesting what I felt was the more accurate expression "features qualification" instead.

[2] "Health IT and Patient Safety: Building Safer Systems for Better Care", Institute of Medicine of the National Academies, Nov. 2011, http://www.iom.edu/Reports/2011/Health-IT-and-Patient-Safety-Building-Safer-Systems-for-Better-Care.aspx

-----------------

Addendum March 6, 2012:

I received a response from another ONC-ATCB, the Drummond Group:

From: Joani Hughes (Drummond Group)
Sent: Monday, March 05, 2012 1:06 PM
To: Scot Silverstein
Subject: RE: EHR certification question

Per our testing team:

It is less than that. It does not address indemnification although a certification could be used as a conditional part of some other form of indemnification function, such as a waiver or TOA, but that is ultimately out of the scope of the certification itself. Certification in this sense is an assurance that the EHR functions in way that could enable an eligible provider or eligible hospital to meet the CMS requirements of Meaningful Use Stage 1. Or to restate it more directly, CMS is expecting eligible providers or eligible hospitals to use their EHR in “meaningful way” quantified by various quantitative measure metrics and eligible providers or eligible hospitals can only be assured they can do this if they obtain a certified EHR technology.

Please let me know if you have any questions.

Thank you,
Joani.

Joani Hughes
Client Services Coordinator
Drummond Group Inc.

These are direct and clear statements.

-- SS

Just Say "No" to the Term "Anecdotes"; and HIT as a Medical Metadevice

A New Year's thought: there needs to be a push in healthcare for dropping of the word "anecdote" to describe case reports of health IT-related errors.

This word even appears in the late 2011 IOM report on HIT safety (PDF), e.g., the preface:


... We found that specific types of health IT can improve patient safety under the right conditions, but those conditions cannot be replicated easily and require continual effort to achieve. We tried to balance the findings in the literature with anecdotes from the field but came to the realization that the information needed for an objective analysis and assessment of the safety of health IT and its use was not available.


The "A" word needs to be dropped from the healthcare IT lexicon, since such reports from reliable sources are in fact incident reports purposed for risk management activities.

Incident reports do not need peer review for consideration for that purpose.

Of note, I do not believe the incident reports filed in hospitals when something awry occurs are labelled "anecdotes", either.

See the Aug. 2011 post "From a Senior Clinician Down Under: Anecdotes and Medicine, We are Actually Talking About Two Different Things" for more on this topic.

And on another vein, the issue of HIT being a medical device:

As the good State Rep. Marino of my home state of Pennsylvania and others oddly proffer - that 'certification' of health IT, having nothing to do with safety or usability, relieves HIT from being a device [1] - and as the IOM itself debates exactly what to call HIT and under what guidelines to regulate it, another term/category for HIT devices is needed.

In the spirit of the naming of the UMLS Metathesaurus, and in consideration of HIT's informational governance/orchestration of other medical devices and personnel (including the 'carbon units' known as clinicians and patients) -- I suggest the term "metadevice" for HIT.

Healthcare metadevices need their own specific regulation, apart from traditional medical devices.

-- SS

Note:

[1] As in line 21- 24 on page 6 of the "Safeguarding Access For Every Medicare Patient Act" Bill (PDF) that I wrote about here. The Bill states: "CLARIFICATION OF AUTHORITY. Certified EHR’s shall not be considered a device for purposes of the Federal Food, Drug, and Cosmetic Act."

(This proposal, of course, raises the question of whether Rep. Marino believes non-certified HIT shall be considered a medical device, a topic for another time.)