Best HIT Manufacturing Practices (Text Version)
On September 14, 2009, Bob Elson made this presentation at the 2009 Annual Conference. Select to access the PowerPoint® presentation (291 KB).
Best HIT Manufacturing Practices
Is Regulation Necessary?
AHRQ Annual Meeting, Bethesda, MD, 9/14/09
Bob Elson, MD, MS (firstname.lastname@example.org)
President, Clinical Systems Design, LLC, Shaker Heights, OH.
Affiliated Researcher, MetroHealth Center for Healthcare Research and Policy*,
*Any opinions expressed herein reflect the personal opinions of Dr. Elson. They are not intended to represent the opinions or policy of the MetroHealth Center for Health Care Research and Policy.
An image of a comic strip shows two birds on a branch above a person with mouth wide open to catch falling snowflakes. The text in the comic strip says, from one bird to the other, "Hey-are you thinking what I'm thinking?"
Best Manufacturing Practices for HIT
- State of the (quality control) market.
- Best practices (variation).
- Opportunity lost.
- Emerging landscape.
State of the Union (Quality Control)
- Some (wide-scale) production examples:
- Auto stop orders, juxtaposition errors, inappropriately flagged abnormals.
- Not just commercial systems (VA, "home-grown").
- Lack of consistent surveillance, labeling, client communications
- Industry is not immature, early lifecycle or teetering on the brink
- Market cap of big 5 public (Cerner, McK, Siemens, GE, Eclipsys = $283B).
- ~500 hospitals fully CPOE-adopted, many since mid-90s, some on 2nd.
- 500M CPOE orders / yr (SWAG; Nobody knows).
- 70M prescriptions / yr routed electronically; doubling year over year.
Best Practices (cGMPs*)
- Design and testing (especially human factors).
- Defect handling (where safety rubber really hits the road).
- Surveillance (nothing even remotely systematic).
- Org structure (lack of necessary checks and balances).
- Structure → process → outcome
- Unacceptable variation in HIT software quality can be directly attributed to manufacturing structural and process variations.
*FDA. Medical Devices: Current Good Manufacturing Practice (CGMP) Final Rule. Vol 21 CFR Parts 808, 812, and 820. Federal Register. 1996; 61(195):52601-52662. http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=820
Window Closing on Self-Regulation?
- 1986: The FDA states its HIT risk allocation rationale*
- 1994: FDA moves blood bank IT systems to high risk.
- 1996: FDA feigns retreat from yet-to-be-codified '86 position.
- 1997: AMIA, CHIM, AHIMA and others push back**
- '86 position should be written into doctrine.
- Local oversight committees.
- Voluntary product registration, adverse event reporting, labeling.
- Vendor best manufacturing practices guide "in progress" by CHIM.
- (2009: None of above happened, including codification by FDA, though unofficial doctrine still governs FDA risk-allocation policy for HIT***)
*Young FE. Validation of medical software: present policy of the FDA. Ann Intern Med. Apr 1987;106(4):628-629.
**Miller, Gardner et al. Recommendations for responsible monitoring and regulation of clinical software systems. JAMIA 1997;4:442-457
***See Section II of: http://www.fda.gov/OHRMS/DOCKETS/98fr/E8-2325.htm
Learned Intermediary: Valid for HIT?
- Basis for categorizing HIT as Class I device (lowest risk), but:
- Legal doctrine developed to protect pharmaceutical manufacturers from liability related to malprescribing, not to protect HIT vendors from liability related to adverse events due to user errors.
- Quite contrary to systems theory of human error*; implies that software can't systematically (and predictably) drive user error rates.
- Importantly, this FDA pseudo-doctrine - as articulated by Young in '86 - was developed for a very narrow set of HIT functions (specifically, A.I.-based diagnostic and treatment recommendations), not for the typically full-featured** HIT of today (or of '97, for that matter).
- What was AMIA thinking in '97 when it "commended" Young?
- Did the end (no FDA reg of HIT!!) justify the means (learned intermediary), no matter how distasteful? Probably so, but a post hoc analysis is overdue.
*Ironically, systems theory was heavily invoked in the 1990s in order to justify why HIT was necessary in the first place - especially CPOE (see Berwick DM. A primer on leading the improvement of systems. BMJ. Mar 9 1996;312:619-622).
** e.g., info retrieval / display, documentation, order communication, other workflow + CDS.
It's the User's Fault...
Intelligent Intervening Provider
(aka "learned intermediary")
Evolving Regulatory Landscape
- Lack of regulation + indemnification = no accountability
- By the way, CCHIT's mission has little to do with ensuring public safety.
- Policy agenda tied up w/ MU, privacy/security, workforce.
- Missed opportunity for resource allocation during ARRA "ask" period.
- Fear of spooking the funders (shame on us for not bringing up safety).
- Legal and non-HIT engineering communities speaking out
- Hoffman & Podgurski. Harv Rev Law & Tech. Feb '09 and http://works.bepress.com/sharona_hoffman/7/
- Sweden* and the EU.
- FDA's MDDS proposal, otoh, newly endorses past approach**
*Improving patient safety in the EU: Many Medical Information Systems should be classified as Medical Devices. 2009. http://www.lakemedelsverket.se/english/All-news/NYHETER---2009/Improving-patient-safety-in-the-EU-Many-Medical-Information-Systems-should-be-classified-as-Medical-Devices/
**r/c move MDDS from Class III to Class I; http://www.fda.gov/OHRMS/DOCKETS/98fr/E8-2325.htm
- AMIA Task Force (on vendor contracting; not on regulation).
- If stick with HIT-as-low-risk approach, need a new framework to justify it! (learned intermediary is... well... embarrassing).
- In parallel with addressing "reg vs. no reg", should be thinking about ideal components of a workable reg program
- Most impact on best practices with least resource investment.
- What can we learn from blood bank IT regulation?
- Might forced compliance to cGMPs, with auditing, be enough?
- Too late for voluntary adherence to best practices?
- Perhaps not, but usability - which CCHIT and HIMSS have suddenly embraced (that's a good thing) - is only one piece.
- Defect handling, surveillance, and org structure must also be addressed.
- 1/09: CCHIT rejected a proposed vendor best practices program.