Just two weeks ago, I expressed concern that a cyber attack on unprotected medical devices can infect the electronic health records to which they are connected, causing the EHR to malfunction and the data to become corrupted.
But is blogger-physician Westby G. Fisher, M.D.--aka, Dr. Wes--correct when he suggests that EHRs themselves should be seen as medical devices?
He states in his blog post that EHRs, like other man-made medical devices, are not perfect. He notes that they're full of documentation problems, that they can spew useless and "potentially lethal" information and that updates are "routinely deployed without real-world real-life testing."
"The potential to introduce unintended yet potentially lethal errors into patient care is huge," Fisher warns. "More importantly, since nearly every person in the United States will soon have their medical data housed within these systems, the number of people that could be adversely affected by these systems is much larger than what we've seen with our recent defibrillator malfunctions."
He suggests that EHRs be viewed as medical devices, and that an EHR registry be created to report adverse outcomes caused by these software problems, akin to the ICD registry to report incidents involving implantable cardioverter defibrillator procedures.
Of course, Fisher is not the only stakeholder who has suggested that EHR safety incidents be monitored and investigated. Not long ago, the venerable Institute of Medicine (IOM) recommended that a watchdog agency be created to do so, and that EHR vendors be required to register their products.
Clearly EHRs need more oversight than they're currently receiving, not only regarding safety issues but also regarding usability, functionality, HIPAA compliance and coding errors.
But actually reclassifying EHRs as "medical devices" may have adverse, unintended consequences. If an EHR is a medical device, then it comes under the jurisdiction of the Food and Drug Administration (FDA), which oversees the safety of all medical devices, from tongue depressors to ones with software and microchips. That means that EHRs will be subject to FDA requirements, including a lengthy premarket approval process and postmarket monitoring.
That may sound good in theory, but the IOM in its report on EHR safety specifically recommended that the FDA not be put in charge of EHR oversight due to concerns regarding FDA's lack of expertise in health IT and lack of investigative capabilities. The IOM also noted that such a move would adversely affect innovation, since the product shelf life for health IT was different from that of conventional medical devices. IOM called for a more flexible approach, and suggested that the U.S. Department of Health & Human Services create an independent agency to monitor EHR safety issues instead.
Thus far, the FDA has opted not to view EHRs as medical devices, although it does intend to regulate mobile applications that it sees as medical devices. The FDA also already uses EHR data to monitor medical devices in its "mini sentinel" pilot program, although the program doesn't monitor the EHRs themselves.
Reclassifying EHRs as medical devices also would subject them to a brand-new tax. A little-known provision of the Affordable Care Act requires the IRS to impose a 2.3 percent excise tax on all medical devices at the point of sale beginning in January 2013. So if EHRs are medical devices, they'll become even more pricey for the providers who buy them.
So let's not jump on this bandwagon without giving the issue careful thought. - Marla