Editor’s Note: Regulation and Health IT

By Susan Carr

Although the federal government has recently devoted tremendous resources to promoting health information technology (health IT), debate about certification, standards, and best practices for safe use continues. In early April, three federal agencies contributed a new report to the growing literature about how to ensure the safety of health IT and more questions to an already lively discussion.

The FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework resulted from the Food and Drug Administration Safety and Innovation Act (FDASIA), which required the FDA to work with the Office of the National Coordinator for Health Information Technology (ONC) and the Federal Communications Commission (FCC) to propose a regulatory strategy for health IT “that promotes innovation, protects patient safety, and avoids regulatory duplication.”

The FDASIA report’s “risk-based framework” divides health IT products into three categories distinguished by function and level of risk to patient safety. Administrative health IT, such as billing, coding, and scheduling, poses minimal risk. Health IT that provides “health management” functions, such as care documentation, information exchange, medication management, and clinical decision support, poses safety risks that are “generally low compared to the potential benefits.” Medical devices, such as robotic surgery, radiation treatment planning, computer-aided diagnosis, and alarm notification for bedside monitors, pose the highest risk. The FDSAIS report recommends maintaining the status quo for regulation of these categories, with FDA oversight of medical devices only.

The FDASIA report’s characterization of information systems and clinical decision support as “low risk” raised eyebrows and turned up the heat under prior discussions about regulatory distinctions between medical devices and information systems and the proper role of the FDA. Just one month prior to the report’s release, the FDA recalled an anesthesia information system because  “use of this affected product may cause serious adverse health consequences, including death.” That action raises questions about the definition of a medical device and seems to contradict the FDASIA characterization of information systems as posing “generally low” risk. Future interoperability between devices and electronic health records will only increase the need for better clarity of these destinctions and regulatory responsibility. For an in-depth discussion of the anesthesia recall and the questions it raises, I recommend William Hyman’s March 19, 2014, post and discussion in the comments on Tim Gee’s blog: 
medicalconnectivity.com. Gee’s feature in this issue on clinical alarm safety 
(pg. 46) further illustrates the risk and complexity of medical device management.

For the two categories of relatively low risk, the FDASIA report relies on the ONC to ensure the safe design, manufacture, and use of technology by establishing standards and certification, fostering a culture of safety, encouraging reporting, and establishing a learning environment for continual improvement. As positive as those efforts sound, coherent improvement efforts are likely to be challenged by the confusion about definitions and regulatory responsibility.

The FDASIA report is available on each of the agencies’ websites. The agencies invite public comment on the report and plan to hold a public meeting for discussion in May. Stay tuned.

Carr, S. (2014). Regulation and health IT. Patient Safety & Quality Healthcare, 11(2), 6.