|Home | About | Journals | Submit | Contact Us | Français|
Electronic health records (EHRs) have potential quality and safety benefits. However, reports of EHR-related safety hazards are now emerging. The Office of the National Coordinator (ONC) for Health Information Technology (HIT) recently sponsored an Institute of Medicine committee to evaluate how HIT use affects patient safety. In this paper, we propose the creation of a national EHR oversight program to provide dedicated surveillance of EHR-related safety hazards and to promote learning from identified errors, close calls, and adverse events. The program calls for data gathering, investigation/analysis and regulatory components. The first two functions will depend on institution-level EHR safety committees that will investigate all known EHR-related adverse events and near-misses and report them nationally using standardized methods. These committees should also perform routine safety self-assessments to proactively identify new risks. Nationally, we propose the long-term creation of a centralized, non-partisan board with an appropriate legal and regulatory infrastructure to ensure the safety of EHRs. We discuss the rationale of the proposed oversight program and its potential organizational components and functions. These include mechanisms for robust data collection and analyses of all safety concerns using multiple methods that extend beyond reporting; multidisciplinary investigation of selected high-risk safety events; and enhanced coordination with other national agencies in order to facilitate broad dissemination of hazards information. Implementation of this proposed infrastructure can facilitate identification of EHR-related adverse events and errors and potentially create a safer and more effective EHR-based health care delivery system.
Recent passage of the American Reinvestment and Recovery Act (ARRA) incentivizes health care providers and organizations to implement electronic health records (EHRs) at an unprecedented pace to meet reimbursement timelines. EHR implementation is difficult, costly, time-consuming, and might lead to unintended consequences.1 Post-implementation evaluation often reveals that EHR implementations do not meet minimum safety guidelines,2-4 a concern that is even more pressing now. The aggressive timeline proposed in the ARRA bill does not allow adequate customization of EHR systems to local workflows.5,6 Furthermore, clinicians increasingly share control of complex processes with computers; in some instances, they assume a higher-level oversight role and allow computers to make routine decisions and carry out appropriate actions (e.g., the computer automatically generates a lab order when certain medications are being ordered).7,8 As more advanced clinical decision support (CDS) is embedded into existing EHRs, clinicians and their patients are increasingly reliant upon decisions generated by these systems.9-11 The increasing scope and complexity of tasks that clinicians can perform using EHRs, combined with unprecedented pressure to rapidly adopt these systems, can create a potentially hazardous environment for patient safety.
Reports on EHR-related hazards are now emerging.12-22 Koppel et al. identified 22 types of errors in the computerized provider entry system within their EHR.12 Many EHR-related hazards occur at the “blunt end” of the healthcare system,23 with potential to affect large numbers of patients if not corrected. For instance, we identified a single software configuration error in the EHR that resulted in a lack of timely notification of abnormal test results to several providers, thus affecting a large number of patients.15 In light of these types of reports, the Office of the National Coordinator for Health Information Technology (ONC) recently sponsored an Institute of Medicine committee to “review the available evidence and the experience from the field on how the use of health information technology (HIT) affects the safety of patient care.”24 Two national databases have also been recently created to facilitate reporting of EHR-related incidents.25,26 These early EHR hazard reporting initiatives, though important, are insufficient by themselves to address the multitude of complex EHR- related safety concerns.21,27,27 Furthermore, EHR certification by the ONC Authorized Testing and Certification Bodies (ONC– ATCBs)28 does not guarantee that EHRs will actually be implemented and work as planned, therefore, ongoing system evaluations and modifications are necessary. At present, it is unclear which single agency is responsible for EHR oversight. Thus, we believe it necessary to establish an independent organized national infrastructure to actively monitor and improve the safety of EHR systems. In this paper, we propose the creation of a national EHR oversight program to provide dedicated surveillance of EHR-related safety events and to promote learning from identified hazards, close calls, and adverse events. We provide an overview of a proposed program and its rationale and discuss its potential organizational components and functions. Although our recommendations might not cover all aspects of EHR-related hazards, they are a starting point to stimulate the much needed discussion and debate in this area.
Because EHR-related safety issues are an emerging area of knowledge, an EHR safety oversight program should involve robust data gathering and data analysis components. Both mechanisms should be overseen by a new independent board specifically charged with ensuring safety of EHRs nationally. Many useful lessons have been learned from the success of the National Transportation Safety Board (NTSB),29 which could provide a model for a Congressionally-funded independent EHR safety board. Data gathering activities would necessitate an infrastructure for collecting adverse events and near-misses from various sources, whereas the analytic component would be charged with analyzing the collected information and developing and disseminating preventive strategies on a national scale. The national program should be supported by close collaboration with institutional-level safety initiatives, such as EHR safety committees.30 This organizational scheme is reminiscent of the unified and cohesive safety program used by the Department of Veterans Affairs National Center for Patient Safety (NCPS), which is charged to lead the VA’s patient safety improvement initiatives.31
At the institutional level, multidisciplinary EHR safety committees, including a designated EHR patient safety officer, could perform two essential functions: 1) investigate all known EHR-related adverse events and near-misses32 and report them to the national board using standardized methods;33 and 2) perform routine safety self-assessments, including tests of all EHR components and applications and “prospective risk assessments” to proactively identify new risks.34,35 Because providers in smaller practices might not have resources for these functions, their respective local health information exchanges,36 independent physicians’ associations,37 regional extension centers,38 quality improvement organizations,39 or accountable care organizations could house the needed technical resources. Many institutions and practices also have existing legal and risk management infrastructure that can be leveraged to perform these functions. These locally housed investigational and risk assessment initiatives will likely reveal many site-specific, contextual issues that affect EHR safety and these issues could then be addressed at the institutional level without the need for national interference.
At the national level, the proposed board would be charged with analyzing event reports from institutions and investigating major EHR-related incidents (such as those associated with harm to a large number of patients). Aggregate analysis of reports could be used to identify common unsafe conditions for specific EHRs and to inform widely released recommendations to mitigate risks. The board would have both investigative and regulatory components and functions. Potential other roles for the board may include the development of newer error surveillance methods,40 validation and oversight of EHR safety self-assessment procedures and on-site EHR safety inspections (perhaps in collaboration with hospital certification/accreditation organizations), and dissemination of safety guidelines41 and benchmarks. The board would work closely with EHR certifying organizations42 (and thus indirectly with EHR vendors) to improve EHR design and implementation and with other governmental agencies (such as National Institute of Standards and Technology [NIST] and ONC) to coordinate EHR-related rules and regulations. Some of the key functions of such an oversight program are described in the sections below.
Voluntary reporting could continue to be an important source of data about EHR patient safety risks.18 However, existing FDA databases for medical device errors43-46 appear to be seldom used for reporting EHR-related incidents47 and a multi-pronged approach to improve reporting is needed. First and foremost, vendor contracts need to be free of non-disclosure or gag clauses 48,49 in order to encourage users and institutions to report errors and adverse events. Second, at the institutional level, standardized models of data collection50 should be used (e.g., through systems such as the HIT Hazards Reporting Model [Hazard Tracker]).51 Third, error reporting initiatives should be integrated nationally. For instance, medical professional insurance carriers and the not-for-profit iHealth Alliance52 recently created PDR Secure™, a website that allows users to report EHR-related safety issues. Patient safety organizations are also working to develop a common format for reporting EHR problems.33 Additional safety events should be aggressively solicited from EHR-related sentinel events reported to Joint Commission, reports to the vendors, and reports from users, the media, and EHR certifying organizations. Lastly, “major EHR adverse events” need to be defined and their reporting should be mandated.
Although we emphasize reporting for initial discovery, we recognize that it is limited and often neglects minor or latent errors and near-misses; these minor incidents might not be directly implicated in an adverse event but are rich sources of information to prevent future events.29 Therefore, we propose development of additional methods to collect data.53 One possible example is automated reporting (such as that of software programs that prompt the user to automatically report an error to the developer when a software glitch is detected). Another area for development is non-voluntary surveillance approaches that rely on electronic triggers to initiate error reporting.54 For example, Koppel et al. found that orders entered by a physician and subsequently cancelled within 45 minutes were likely errors.54 We are actively investigating the creation of algorithms that could be run against a wide variety of EHR implementations to establish rates of errors and of other higher-risk scenarios (e.g., counting the number of duplicate patient records in the database or the percentage of orders entered via free text rather than via the structured data entry fields55). Methods to query large electronic repositories for safety events in near “real time” should also be developed. For example, through the newly created Sentinel System, the FDA can now query electronic health information of more than 60 million people to monitor the safety of approved medical products.56
A major adverse event related to an EHR could affect thousands of patients if not corrected rapidly. For example, in 2006 the UK National Health Service was forced to notify over 900 clinicians that their patients who were prescribed Zyban may have mistakenly been given Viagra due to an error in the dispensing pharmacy’s medication mapping table.57 Although there was no reported harm, future similar events might not be harmless. We propose that the board charged with EHR oversight should create a special investigation team dedicated to “major EHR adverse events”. Whereas most adverse event investigations could be conducted at the institutional level and reported appropriately, events with particularly broad or catastrophic impact should be investigated by the team at the national board. This strategy will ensure rapid action and wide dissemination of any significant findings. Pre-defined criteria for triggering this level of investigation could specify, for instance, the number of patients at risk for harm (or harmed) in a single incident. For example, criteria for investigation of an unplanned EHR system downtime that adversely affects patient care could include combinations of parameters such as the following:58
A dedicated multidisciplinary team of core investigators with expertise in safety, informatics, human factors, computer science, and clinical medicine should conduct these major EHR adverse event investigations. The team could also leverage the expertise of an external group of pre-screened, independent consultants composed of clinicians, statisticians, informaticians, lawyers, and human factors engineers who work on an as-needed basis. All board investigators should be given legal authority to examine all records confidentially (including system logs and patient records), to access all relevant computer systems, and to interview all personnel or patients whom they believe are essential to their investigation. If needed, error scenarios should be recreated with test patients in simulated settings using a full range of human factors engineering-based techniques for analysis.63 Rapid dissemination of identified issues and corrective actions may resemble the processes used by the Joint Commission and VA NCPS64 to issue advisories. The findings of these investigations should also be publically reported so that other vendors, healthcare organizations, and users can learn from them. To prioritize its efforts, the board could create an annual “Most Wanted List” of improvements, similar to that issued by NTSB65. Research and evaluation should also be a key component of this learning process. For instance, centralized, de-identified databases could be created to enable researchers to advance the science and evidence of EHR safety. Because many EHRs share common features and will be used nearly universally, this centralized and standardized approach to high-stakes investigations is likely be beneficial.
In addition to providing a safety event reporting clearinghouse and a mechanism for major adverse event investigations, the new national EHR safety board must be charged with appropriate regulatory and legal authority to carry out effective oversight. No government agency is currently fully equipped to perform this function. Because of the increasing complexity and coupling of often unrelated HIT-enabled systems (e.g., from different vendors and/or organizations), the oversight board should coordinate with other agencies (such as ONC and NIST) and industrial trade associations (e.g., the Electronic Health Record Association62) in a cooperative fashion to investigate the causes and potential mitigating solutions to the problem(s) identified. This collaboration could be modeled after the aviation industry oversight provided by the Commercial Aviation Safety Team (CAST).66 Another important aspect of EHR safety oversight will be close collaboration between various state and federal agencies responsible for making and enforcing EHR-related rules, regulations, and certification standards. For example, the new “meaningful use” statute requires e-prescribing in the outpatient setting, but the federal government only recently modified laws restricting the electronic transfer of prescriptions for controlled substances.67
To ensure safety and compliance in certain high-risk areas, we recommend strategies to monitor uptake of board recommendations that are of critical importance. One way to do this will be to implement unannounced, randomly scheduled, on-site EHR safety inspections, much like the Line Operations Safety Audit (LOSA) used in aviation.68 These audits would involve interviews with key stakeholders (e.g., Chief Information Officer, Patient Safety Officer, etc.), observations of important clinical operations, and inspection of the human-computer interface as configured by the organization.69 Inspectors should be equipped with comprehensive EHR safety inspection guides consisting of a set of “red flags” (e.g., lack of evidence of computer system backups, outdated clinical decision support logic or no evidence of CDS testing) and “best practices” (e.g., pre-printed order and documentation forms for use when the EHR is unavailable, strict policies to address breaches of patient confidentiality and a robust clinician EHR training program) to help guide interviews and observations related to the respective high-risk area. All inspectors should be certified and pre-screened for financial and other conflicts of interest to ensure their impartiality. Inspectors might also build an audit approach modeled on the Leapfrog CPOE Flight Simulator.70 This simulator evaluates the decision support functionality of implemented EHR systems to measure hospital compliance with the National Quality Forum Safe Practice for CPOE.71
Although the approach should initially be non-punitive, eventually the oversight board should have authority to invoke penalties if needed to protect patients. Furthermore, penalties for responsible stakeholders for non-compliance with certain pre-set expectations (such as fines for non-reporting of major EHR adverse events, not fixing a major software bug) could only be ensured using this approach.
The proposal we present herein is ambitious, but a multifaceted and centralized approach to address EHR-related safety is perhaps the best strategy. However, this approach is challenging and any attempt to implement such an important oversight function should proceed using a carefully orchestrated, staged implementation pathway. Given the current state of affairs, some might argue that the scope and cost of the national oversight program might be beyond what is possible now. To jumpstart the creation of this program, we propose that local, institutional-level initiatives to collect and analyze data must be bolstered immediately. This would help characterize the various types and frequencies of EHR-related errors and adverse events. These initiatives must be synergistic with rigorous research to improve the “basic science” of EHR-related safety and simultaneously inform the creation of the national oversight program. Taking this approach would ensure that there is adequate strength of the evidence to justify the scope and cost of implementation of the independent national board, which clearly will take longer to get established. While it might be premature for us to lay out the precise implementation strategy of the entire proposed program, we propose two immediate next steps to advance this agenda:
Technological advances give rise to increasingly complex and multifaceted errors in healthcare. EHR-related errors must be conceptualized, analyzed, and mitigated using a robust oversight infrastructure. We propose the creation of a national oversight program which relies on local institution-level EHR safety data collection and analysis, and ultimately leads to the formation of a centralized, non-partisan, multi-disciplinary board specifically charged with ensuring EHR safety. If implemented, the proposed infrastructure could help to identify and reduce EHR-related adverse events and errors and create a safer and more effective EHR-based healthcare delivery system.
Dr. Singh is supported by an NIH K23 career development award (K23CA125585), the VA National Center of Patient Safety, Agency for Health Care Research and Quality, a SHARP contract from the Office of the National Coordinator for Health Information Technology (ONC #10510592), and in part by the Houston VA HSR&D Center of Excellence (HFP90-020). Dr. Sittig is supported in part by a grant from the National Library of Medicine R01-LM006942 and by a SHARP contract from the Office of the National Coordinator for Health Information Technology (ONC #10510592). These sources had no role in the preparation, review, or approval of the manuscript.
We thank Annie Bradford, PhD, for assistance with medical editing.
The views expressed in this article are those of the authors and do not necessarily represent the views of the Department of Veterans Affairs or any of the other funding agencies. Dr. Classen is an employee of CSC, a technology services company.