FDA weighs tighter oversight of health IT apps to protect patients

The Food and Drug Administration is considering stepping up its oversight of patient safety related to health IT software, according to an FDA official.

The Food and Drug Administration may need to strengthen its regulation of health information technology software to address patient safety concerns, according to a report presented to a Health and Human Services Department advisory panel.

Health IT glitches have resulted in at least 44 patient injuries and six patient deaths, and that may be “only the tip of the iceberg,” said Jeffrey Shuren, director of the FDA’s Center for Devices and Radiological Health.

Currently, FDA has authority to regulate health IT software as a medical device but has not fully exercised that authority. “To date, FDA has largely refrained from enforcing our regulatory requirements with respect to health IT devices,” Shuren told the HHS Health IT Policy Committee’s workgroup on certification and adoption Feb. 25.

Even so, in the last two years the FDA has received 260 voluntarily submitted reports about health IT malfunctions that had the potential to cause harm to patients, including reports of 44 injuries and six deaths. The problems include accessing the wrong patient’s record; overwriting one patient’s information with another; loss, corruption or errors in vital patient data; errors in data analysis, such as listing of medications at incorrect doses; and incompatibility in vendor software systems, “which can lead to any of the above,” Shuren said.

Furthermore, the problems noted thus far may be underreported. Because health IT applications typically are not stand-alone devices and are interlinked within networks, their potential to affect patient safety is much greater, he added.

Given the scope of the problems, federal regulation needs to be strengthened, Shuren said. The FDA could focus on post-market safety concerns and manufacturing quality issues, or it could incorporate health IT software into its traditional regulatory framework, he suggested.

“In light of the safety issues that have been reported to us, we believe that a framework of federal oversight of health IT needs to assure patient safety,” Shuren said. “Given the FDA’s regulatory authorities and analytical tools, we could potentially, at a minimum, play an important role in preventing and addressing health IT-related safety issues, thereby helping to foster confidence in these devices.”

Meanwhile, the Veterans Affairs Department has been conducting patient safety evaluations related to health IT for at least eight years. Jean Scott, director of the Veterans Health Administration’s IT Patient Safety Office, said at the meeting that the VA initiated a comprehensive health IT patient safety program in 2002. Initially, the focus was on incident reporting, but the approach has evolved to emphasize reporting of close calls, and the rate of reporting has significantly increased, she said.

The VA’s reporting system has identified a number of software defects and problems with the potential to affect patient safety, including a defect, reported in October 2008, in which clinicians searching for patient data were erroneously fed data for the wrong patients. After receiving more than 20 internal reports, and after staff investigation to identify the defect and develop a solution, a remedy was issued within weeks.

The VA has discovered patient safety issues related to user interfaces, including automated entry tools and pop-ups. It also has identified problems with interfaces between systems.

Successful oversight of health IT for patient safety is complex and depends on openness in reporting, Scott said.

“Patient safety identified risks are not isolated events but part of a complex system,” she said. “Health care organizations must be able to openly report safety concerns. Reporting should encourage not only sentinel events and defect reporting but the ability to share EHR safety concerns to identify potential sources for medical error.”