Don't Regulate EHRs Like Cars

It's hard to argue against safety. And in our lawsuit-crazy society, not taking all reasonable measures to keep the public safe is an invitation to bankruptcy. But there are two complicating issues to keep in mind when considering whether to apply an auto industry regulatory approach to medical informatics.

One is the fact that IT systems are a lot like sex. And we all know there's no such thing a safe sex, only safer sex. My point is, there's no completely safe technology, so we have to decide how safe is safe enough, and are we willing to spend the millions of dollars required to reach that level of safety?

The other complicating issue is cars are quite different than health IT. The Institute of Medicine's recent recommendation to develop a NTSB-like organization may not work as well in the context of EHRs, secure patient portals, and health information exchanges.

At its core, the debate about the dangers of health IT centers in part around Americans' unrealistic expectations of the healthcare system and misconceptions about risk. More than a few medical malpractice suits have been settled in favor of a sympathetic plaintiff who lost her newborn during delivery, not because of any wrongdoing on the part of the clinicians, but because if a baby dies, someone must be at fault. The expectation is that hospitals and doctors should provide absolutely risk-free care.

[ Today's mobile devices have transformed medical care in unprecedented ways. For an in-depth look at exactly how clinicians are using these tools, tune into the InformationWeek Healthcare Webcast The Mobile Point of Care: Making the Right Choices. ]

Similarly, too many of us don't understand the concept of relative risk. Witness the restaurant patron who orders a diet Coke along with his 2,000-calorie supersized burger and fries. Or the guy who doesn't believe smoking a pack a day will cause lung cancer but refuses to put saccharin in his coffee because "it causes cancer."

The same mathematically challenged thinking has blinded many health IT critics to the fact that the relative risk of medical errors and security breaches are probably greater in the paper world than in EHRs.

That said, we still need some hard data on how much danger patients face when they put their health in the hands of a computer. And, as the IOM report notes, there's a paucity of quantitative data. "While some studies suggest improvements in patient safety can be made [with mature health IT], others have found no effect," the report says. "Instances of health IT-associated harm have been reported. However, little published evidence could be found quantifying the magnitude of the risk."

That uncertainty is driving the movement to rein in health IT. Finding the balance between over- and under-regulation will determine the industry's fate. But at the very least, we need a better reporting system, which was one of the centerpieces of the IOM recommendations. In their words: "The Secretary of HHS should establish a mechanism for both vendors and users to report health IT-related deaths, serious injuries, or unsafe conditions."

But it's not the reporting but the regulation part of the equation that worries me. Which brings up that second complicating issue: Comparing cars to IT systems is like comparing oranges and apples. Imagining that you can regulate the two in the same way is naive.

IT systems at large hospitals and groups practices are far more complex--and malleable--than any automobile. I can't remember the last time I plugged a mouse into my car's computer and rewrote the code to adjust the idle. IT managers, on the other hand, are constantly customizing the off-the-shelf programs they buy from vendors. So who should be sued when that EHR "hot rod" causes a patient's death? Determining relative culpability is going to be a nightmare.

And speaking of lawsuits, many healthcare providers are hesitant to report adverse events for fear of legal action. One solution: EHR-generated data could be de-identified and pooled for reporting purposes, suggested David C. Classen, MD, one of the co-authors of the IOM report, in a recent interview with InformationWeek Healthcare.

If hospitals want to form accountable care organizations, they'll need to keep track of adverse events and do what they can to reduce them, Classen said. A high rate of adverse events will cost them money by increasing length of stay, readmissions, and the amount of post-discharge care required. Moreover, the Centers for Medicare and Medicaid Services will penalize them for excessive readmissions and factor inpatient complications into their reimbursement under its value-based purchasing program.

What system providers use to track and minimize IT errors and who regulates it likely will be debated over the next few months. It could be a government agency, patient safety organizations, vendors, or a combination of these. But regardless of how this shakes out, all the stakeholders still need to remember: IT systems are a lot like sex.