Best HIT Manufacturing Practices

1. Best HIT Manufacturing Practices Is Regulation Necessary?AHRQ Annual Meeting, Bethesda, MD, 9/14/09 Bob Elson, MD, MS (bob.elson@gmail.com) President, Clinical Systems Design, LLC, Shaker Heights, OH Affiliated Researcher, MetroHealth Center for Healthcare Research and Policy*, Cleveland, OH *Any opinions expressed herein reflect the personal opinions of Dr. Elson. They are not intended to represent the opinions or policy of the MetroHealth Center for Health Care Research and Policy. 

3. 2 Best Manufacturing Practices for HIT State of the (quality control) market Best practices (variation) Opportunity lost Emerging landscape

4. 3 State of the Union (Quality Control) Some (wide-scale) production examples: Auto stop orders, juxtaposition errors, inappropriately flagged abnormals Not just commercial systems (VA, �home-grown�) Lack of consistent surveillance, labeling, client communications Industry response to Koppel* findings is illustrative Would we have seen the same thing if report had been about 22 ways that Goodyear** tire design coupled with inflation pressure causes blowouts? Industry is not immature, early lifecycle or teetering on the brink Market cap of big 5 public (Cerner, McK, Siemens, GE, Eclipsys = $283B) ~500 hospitals fully CPOE-adopted, many since mid-90s, some on 2nd 500M CPOE orders / yr (SWAG; Nobody knows) 70M prescriptions / yr routed electronically; doubling year over year

5. Best Practices (cGMPs*) Design and testing (especially human factors) Defect handling (where safety rubber really hits the road) Surveillance (nothing even remotely systematic) Org structure (lack of necessary checks and balances) Structure ? process ? outcome Unacceptable variation in HIT software quality can be directly attributed to manufacturing structural and process variations 4

6. Window Closing on Self-Regulation? 1986: The FDA states its HIT risk allocation rationale* 1994: FDA moves blood bank IT systems to high risk 1996: FDA feigns retreat from yet-to-be-codified �86 position 1997: AMIA, CHIM, AHIMA and others push back** �86 position should be written into doctrine Local oversight committees Voluntary product registration, adverse event reporting, labeling Vendor best manufacturing practices guide �in progress� by CHIM (2009: None of above happened, including codification by FDA, though unofficial doctrine still governs FDA risk-allocation policy for HIT***) 5

7. Learned Intermediary: Valid for HIT? Basis for categorizing HIT as Class I device (lowest risk), but: Legal doctrine developed to protect pharmaceutical manufacturers from liability related to malprescribing, not to protect HIT vendors from liability related to adverse events due to user errors Quite contrary to systems theory of human error*; implies that software can�t systematically (and predictably) drive user error rates Importantly, this FDA pseudo-doctrine � as articulated by Young in �86 � was developed for a very narrow set of HIT functions (specifically, A.I.-based diagnostic and treatment recommendations), not for the typically full-featured** HIT of today (or of �97, for that matter) What was AMIA thinking in �97 when it �commended� Young? Did the end (no FDA reg of HIT!!) justify the means (learned intermediary), no matter how distasteful? Probably so, but a post hoc analysis is overdue. 6

8. It�s The User�s Fault�

9. Evolving Regulatory Landscape Lack of regulation + indemnification = no accountability By the way, CCHIT�s mission has little to do with ensuring public safety Policy agenda tied up w/ MU, privacy/security, workforce� Missed opportunity for resource allocation during ARRA �ask� period Fear of spooking the funders (shame on us for not bringing up safety) Legal and non-HIT engineering communities speaking out Hoffman & Podgurski. Harv Rev Law & Tech. Feb �09 and http://works.bepress.com/sharona_hoffman/7/ Sweden* and the EU FDA�s MDDS proposal, otoh, newly endorses past approach** 8

10. What�s Next? AMIA Task Force (on vendor contracting; not on regulation) If stick with HIT-as-low-risk approach, need a new framework to justify it! (learned intermediary is�well�embarrassing) In parallel with addressing �reg vs. no reg�, should be thinking about ideal components of a workable reg program Most impact on best practices with least resource investment What can we learn from blood bank IT regulation? Might forced compliance to cGMPs, with auditing, be enough? Too late for voluntary adherence to best practices? Perhaps not, but usability � which CCHIT and HIMSS have suddenly embraced (that�s a good thing) � is only one piece Defect handling, surveillance, and org structure must also be addressed 1/09: CCHIT rejected a proposed vendor best practices program 9