Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

FDA, EHREvent, NIST: Who’s up for an EMR Supercop gig?

Posted on November 15, 2011 I Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

Last week I wrote wondering who will police EMRs and EHRs. With the release of IOM’s report recommending the creation of a different federal agency to serve as EMR watchdog, this topic has been generating buzz in healthcare circles. I’m by no means an expert in healthcare IT or policy matters but the discussion surrounding this topic has helped me think things through better than last week. Commenter Don Fluckinger answered the blog post with the first comment on the post – saying “these guys” and pointing to EHREvent.org. Commenter Carl Bergman said the FDA, which is already tasked with gathering adverse events for medical devices, might be the ideal go-to-agency for software adverse events as well. It is my understanding that medical software would receive Category 3 classification, if FDA were to provide the oversight.

IOM’s approach has been to suggest the creation of a non-regulatory, NTSB-like body. IOM’s rationale for undercutting FDA’s role has been that FDA classification system might stifle health IT innovation. (I’ve only had the time to read the very first few pages summarizing the rest of the IOM report, so I’m not sure if/how they address these concerns later.)

Here’s what I don’t get: What’s the point of creating yet another powerless body to issue guidelines? If there’s already a body with regulatory and oversight powers that covers your domain, has a large database of medical device related adverse events, why can its capabilities not be extended further to medical software as well? Further, why are health IT vendors exempt from any slaps on the wrist?

No offense to anyone, but from what I’m reading about EHRevent.org, I don’t see much to recommend them: John says they “are not going to have high enough profile to be able to really collect the reports… a reporting system is great, but if no one knows to report something there, then it’s not worth much. Plus, if someone reports something but the organization doesn’t do anything with that information, it’s not very meaningful”. Valid question but I think there could be some easy workarounds for the problem of not knowing how/where to report shouldn’t be a major issue. Healthcare IT just needs the software equivalents of those “How’s my driving?” flaps adorning the backs of 18-wheelers. The bigger question is what happens when the EMR system fails? Who pays? How much? How does the vendor ensure the failure doesn’t happen again? Do we learn from the cumulative mistakes of the industry? Time will tell.

EMR Software and EHR Audit Trails

Posted on September 26, 2011 I Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

This morning, I read about a case that engaged me on many, many levels. On the Health Care Renewal blog, blogger InformaticsMD has a fascinating post on a medical malpractice and how EMRs allow this to happen. Here are the key points noted by the blogger:

  • Samuel Sweet, a health 62 year old, was admitted to University of Pittsburgh Medical Center (UPMC) with a headache. It turned out to be a treatable amount of bleeding in the brain. He died three days after he was admitted, on May 16, 2009, much to the surprise of his family with whom he had been conversing only six hours earlier.
  • Apparently, Mr. Sweet had been intubated. His breathing tubes were removed on the day of his death, and it was soon apparent that he could not breathe on his own. Doctors tried to intubate him again, but could not do so, and this resulted in his death.
  • At UPMC, difficult intubations cases must be flagged as such in the EMR. The patient’s record from the EMR then displays a bright yellow banner on top, noting the intubation problems. This is done so that when physicians change, the attending physician is alerted to the problem, and consults with prior notes in order to fix the problem. “Difficult intubation” was not noted in Mr. Sweet’s record.
  • A civil case against UPMC was filed by Mr. Sweet’s family. Some detective work later, their defense team alleges that a full three days after Mr. Sweet’s death, after a post-mortem meeting, Dr. Simmons, a QA official from UPMC “accessed” the UPMC EMR system, and apparently entered data stating that Mr. Sweet was a patient with difficult intubation. The defense has audit trail evidence from the EMR to back their claims. They further allege that when that action failed to post-facto flag his existing records with yellow warning banner, Dr. Simmons tried to retract the “diff intub” entry, and unfortunately for him, even that cancellation of status was logged.

While I am fascinated by InformaticsMD’s write-up, I don’t fully agree with the apparent conclusion reached – namely that “EMR’s can detract from a clear narrative, and facilitate spoliation and obfuscation of evidence presented.”

I would argue to the contrary – that because there is an EMR, there is even an audit trail possible. And rather than facilitating “spoliation and obfuscation of evidence”, the EMR audit trail has shown up whatever tampering was involved. If UPMC simply had a paper based system, think about how much easier it would be to create paper records on official stationery, without date/time stamps I may add, post-facto.

EMRs can also be designed to meet certain additional needs – for example, a lock-down feature that locks down patient records from editing once a patient is flagged as deceased. There is no real counterpart for such a feature in the paper records world. Other lessons learned: If you’re springing for an EMR, it makes sense to know what metadata is being logged, and how you can access them – a pickle Dr. Simmons would have clearly avoided had he been IT savvy enough.

But a word to the wise: even an audit trail isn’t fool-proof. And if you’re in the market for an EMR, here’s a key difference between a “free” EMR somewhere on the cloud, or a pricier product on your own servers, administered by a savvy IT administrator on your payroll. Who administers the data makes a huge difference – if you own the database and your IT administrator has access to the database itself, you *can* manipulate any audit records generated from the EMR front end. Conversely, you must research what your vendor administered EMR is doing with your data, and what checks the vendor has on its IT staff.

Read more about the Sweet case on the Health Care Renewal blog.