National Center for Health Research’s Public Comment on
Changes to Existing Medical Software Policies Resulting From Section 3060 of the 21st Century Cures Act; Draft Guidance for Industry and Food and Drug Administration Staff; Availability
[FDA-2017-D-6294]
The National Center for Health Research is a nonprofit research center staffed by scientists, medical professionals, and health experts who analyze and review research on a range of health issues.
The draft guidance Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act removes FDA evaluation of EHRs and leaves only certification by the Office of the National Coordinator for Health Information Technology (ONC) to ensure that software is both functional for providers and safe for patients. However, ONC certification is not sufficient to protect patients from problems with EHR software. For that reason, the draft guidance as written puts patients’ lives at risk.
ONC health IT certification focuses on EHR functionality, not safety: Software flaws in diverse medical devices are an important risk to patient safety. FDA regulation monitors and minimizes these risks. The ONC Health IT Certification process focuses primarily on making sure electronic patient records include functionality that addresses and supports “Meaningful Use” by hospitals and eligible providers. It does not ensure that the software is safe for patients. Our research recently published in Milbank Quarterly shows that software flaws in even simple electronic patient records pose real, demonstrated risks to patient care and safety.[1] For example, our analysis of FDA databases identified several electronic patient record systems (totaling over 9000 units), many of which were also certified by ONC, that were recalled because they contained serious software defects that had either caused or could cause serious harm to patients.[1]
Health IT represents a growing cybersecurity concern: The HITECH Act was successful in catalyzing national growth and adoption of EHRs. However, these same EHRs are now a critical vulnerability that can be exploited by hackers, as evidenced by the rapid growth of cybersecurity breaches for EHRs.[2] Indeed, our preliminary study of ONC’s EHR certification criteria (being presented at the American Medical Informatics Association Clinical Informatics Conference in May) suggests that only about 15-18% of certification criteria directly address privacy and security, and that cybersecurity standards were certified for EHRs roughly 51.4±24.1% (median 49.3, IQR 44.1-61.6) of the time.
Recent changes to EHR certification could further increase risks to patients: Last year, ONC described its plans to replace more than half of formal EHR certification test procedures with simple vendor self-declaration. In addition, ONC plans to exercise enforcement discretion regarding its requirement for Authorized Certification Bodies to randomly monitor certified health IT products. Both of these issues have raised concerns from the healthcare community, including physician organizations such as the American Medical Association.[3,4]
These concerns suggest that the potential risks to patients from defective health IT-related software could increase over time.
ONC certification is insufficient to protect patients from software flaws in EHRs. There have been cases where flaws in ONC-certified software have led to patient harm. Growing cybersecurity threats and changes to the EHR certification system could further increase the risk to patients. The FDA plays a necessary role in evaluating medical software that can support or harm patient health.
In summary, ONC certification cannot substitute for the FDA’s role in ensuring the accuracy and safeguards that EHRs require. While the FDA should implement changes to align with the 21st Century Cures Act, it should do so without increasing the risks to patients.
NCHR can be reached through Stephanie Fox-Rawlings at sfr@center4research.org.
References
1. Ronquillo JG, Zuckerman DM. Software-Related Recalls of Health Information Technology and Other Medical Devices: Implications for FDA Regulation of Digital Health. Milbank Q 2017;95:535–53. doi:10.1111/1468-0009.12212
2. Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA 2015;313:1471–3. doi:10.1001/jama.2015.2252
3. Sweeney E. Providers worry ONC’s new EHR testing requirements will ‘water down’ certification. FierceHealthcare. 2017. https://www.fiercehealthcare.com/ehr/onc-ehr-certification-regulation-oversight-providers-hhs
4. Sweeney E. ONC scales back EHR certification process requirements, catching industry groups by surprise. FierceHealthcare. 2017. https://www.fiercehealthcare.com/regulatory/onc-ehr-certification-health-it-himss-amia-chime-interoperability