3 suggestions for ONC in creating its health IT safety center

It's certainly not unusual for members of Congress to question whether an agency is overstepping its bounds. Just last week, several members of the House Energy and Commerce Committee questioned the Office of the National Coordinator for Health IT's authority to regulate health IT after the Meaningful Use program ends, as well as the extent to which it can regulate health IT at all for non-Meaningful Use initiatives.

The letter was prompted by the draft report required by the Food and Drug Administration Safety and Innovation Act (FDASIA), which calls for the FDA, in consultation with ONC and the Federal Communications Commission (FCC), to produce a report on a proposed "risk based regulatory framework" regarding health IT. The report, released in April, recommends that ONC--not the FDA--be the primary agency to spearhead health IT safety efforts and that ONC create a public/private heath IT safety center to regulate electronic health records and other HIT programs. There would be no new FDA oversight.

The lawmakers' query is an important threshold question. But they're not asking the bigger question: Assuming that ONC conjures up the authority (which it will), will this health IT safety center, as currently envisioned, be effective in improving health IT safety?

I'm more concerned about how the proposed center will operate.

The Institute of Medicine (IOM), in its report on EHRs and patient safety, recommended, among other things, that EHR vendors be required to report adverse patient safety events. The U.S. Department of Health and Human Services and ONC have steadfastly steered away from such a requirement, instead leaning towards voluntary reporting and deferring to the EHR Association's vendor voluntary code of conduct.

The draft report continues in this vein, suggesting that vendors, providers and others "should" report adverse patient safety events to the new health IT safety center, which could be "trusted." The report also asks commenters what safety-related surveillance would be appropriate.

But will that really work? Originally, adverse events were to be voluntarily reported to patient safety organizations. Even the FDASIA draft report notes that this approach didn't work for a variety of reasons, including underreporting, inadequate individual accountability and restrictions on the transparent release of safety information due to contractual limits and liability fears.

Why would it work now?

I suggest that lawmakers ask questions beyond the threshold jurisdictional one.  

Here are few suggestions I have for ONC in creating this health IT safety center:

  • Make it everyone's responsibility to report an adverse safety incident or defect that could lead to one: For instance, if an EHR design defect is discovered by a provider that could hurt a patient and the provider notifies the vendor so that the defect can be corrected, both the provider and the vendor "should" be reporting the issue; this potentially could keep issues from falling through the cracks
  • Prohibit vendors from using "gag clauses" in their EHR contracts with providers: This presumably would help providers to report patient safety incidents without fear of retribution
  • Consider making reporting mandatory, as recommended by IOM: If adverse incidents involving drugs and devices must be reported, perhaps incidents involving EHR software should be required reporting, too

The FDASIA report, the proposed health IT safety center and ONC's role are not yet set in stone. If you have suggestions about this health IT safety center and the proposed framework, now's the time to weigh in. - Marla (@MarlaHirsch and @FierceHealthIT)