FDA, EHREvent, NIST: Who’s up for an EMR Supercop gig?

Posted on November 15, 2011 | Written By

Priya Ramachandran is a Maryland-based freelance writer. In a former life, she wrote software code and managed Sarbanes-Oxley-related audits for IT departments. She now enjoys writing about healthcare, science and technology.

Last week I wrote wondering who will police EMRs and EHRs. With the release of IOM’s report recommending the creation of a different federal agency to serve as EMR watchdog, this topic has been generating buzz in healthcare circles. I’m by no means an expert in healthcare IT or policy matters, but the discussion surrounding this topic has helped me think things through better than last week. Commenter Don Fluckinger answered the blog post with the first comment on the post – saying “these guys” and pointing to EHREvent.org. Commenter Carl Bergman said the FDA, which is already tasked with gathering adverse events for medical devices, might be the ideal go-to agency for software adverse events as well. It is my understanding that medical software would receive Category 3 classification, if FDA were to provide the oversight.

IOM’s approach has been to suggest the creation of a non-regulatory, NTSB-like body. IOM’s rationale for undercutting FDA’s role has been that the FDA classification system might stifle health IT innovation. (I’ve only had the time to read the very first few pages summarizing the rest of the IOM report, so I’m not sure if/how they address these concerns later.)

Here’s what I don’t get: What’s the point of creating yet another powerless body to issue guidelines? If there’s already a body with regulatory and oversight powers that covers your domain and has a large database of medical-device-related adverse events, why can its capabilities not be extended further to medical software as well? Further, why are health IT vendors exempt from any slaps on the wrist?

No offense to anyone, but from what I’m reading about EHRevent.org, I don’t see much to recommend them: John says they “are not going to have high enough profile to be able to really collect the reports… a reporting system is great, but if no one knows to report something there, then it’s not worth much. Plus, if someone reports something but the organization doesn’t do anything with that information, it’s not very meaningful”. Valid question, but I think there could be some easy workarounds; the problem of not knowing how/where to report shouldn’t be a major issue. Healthcare IT just needs the software equivalents of those “How’s my driving?” flaps adorning the backs of 18-wheelers. The bigger question is what happens when the EMR system fails? Who pays? How much? How does the vendor ensure the failure doesn’t happen again? Do we learn from the cumulative mistakes of the industry? Time will tell.