Wednesday, September 18, 2013

EMR Defects That Injure and Kill, and Litigation: A Hospital Is Paying a Huge Hourly Rate for This?

At my Oct. 2011 post "A Diary of EHR-Initiated Tragedy" I wrote that:

... I've realized that these past posts, when integrated for an upcoming investigation, tell a story that is probably not uncommon in hospitals today. They form a sort of Diary of EHR-Initiated Tragedy.

Sadly, this Diary was my account of my own mother's EHR-related injuries.

There is a new chapter brewing.

In the latest objections to the Complaint against the hospital and its agents, the retained defense attorney proffered this argument:

(ii) Plaintiff's Software Design Defect Claims are Preempted by the Federal HITECH Act.

• To the extent Plaintiff attempts to bring a common law product liability claims against defendant hospital for required use of EMR software, such a claim is barred due to Federal Preemption of this area with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. 42 U.S.S. 201, 300 et seq.

• Specifically, the design, manufacture, specification, certification and sale of EMR in the United States is a highly regulated industry under the jurisdiction of the Department of Health and Human Services (HHS). The HHS draws its statutory authority to design and certify EMR as safe and effective under the HITECH act as amended. Id. [See note below - ed.]

• The Supremacy Clause of the United States Constitution, article VI, clause 2, preempts and state law that conflicts with the exercise of federal power. Fid. Fed. Sav. & Loan Ass'n v. de la Cuesta, 458 U.S. 141m 102 S. Ct. 3014 (1982). "Pre-emption may be either express or implied, and 'is compelled whether Congress' command is explicitly stated in the statute's language or implicitly contained in its structure and purpose." Matter of Cajun Elec. Power Co-Op., Inc., 109 F.3d 248, 254 (5th Cir. 1997) citing Jones v. Rath Packing Co., 430 U.S. 519, 525 (1977).

• In this case, to impose common law liability upon defendant hospital for using certified EHR technology, which was in compliance with federal law and regulations for Health Information Technology, would directly conflict with Congress' statutory scheme for fostering and promoting the implementation and use of EHR.

In other words, the HITECH Act gives hospitals free license to implement clinical information technology poorly with impunity, based on cases in banks, power companies and meat-packing plants, and HHS certification means HHS has found HIT is safe and effective.

[Note]: On "... The HHS draws its statutory authority to design and certify EMR as safe and effective under the HITECH act as amended." HHS does not design or certify EMRs. Is that assertion just made up out of thin air?

Regarding "to the extent Plaintiff attempts to bring a common law product liability claims against defendant hospital for required use of EMR software", that's just made up. There is no requirement for the use of EMR software.

On HIT "certification" implying safety and effectiveness, not exactly. "Certification" is entirely irrelevant. I had previously written here that:

"Certification" of health IT is not validation of safety, usability, efficacy, etc., but a pre-flight checklist of features, interoperability, security and the like. The certifiers admit this explicitly. See the CCHIT web pages for example. ("CCHIT Certified®, an independently developed certification that includes a rigorous inspection of an EHR’s integrated functionality, interoperability and security.")

Health IT "certification" is not like Underwriters Laboratories (UL) certification of appliances. ("Independent, not-for-profit product safety testing and certification organization ... With more than a 116-year proven track record, UL has been defining safety from the public adoption of electricity to new breakthroughs that help protect our future. UL employees are committed to safeguarding people, places and products in new and innovative ways for today’s borderless world.")

"Highly regulated industry?" I guess that's why the Institute of Medicine just completed a report that concluded that health IT safety is unacceptable, that regulation is lacking, and that the health IT industry best get its act together voluntarily, or FDA will have to step in:

... the push [by the Administration] is occurring so far without any agency really ‘watch dogging’ the safety of health IT — the software, hardware and systems that record and manage patients’ health information. These expensive devices by and large have not gone through any regulatory checks for safety in the way that food, drugs and other medical technology must; most of that oversight is handled by the FDA. But at the moment, no one is required to report instances of harm caused by health information devices and no government agency currently monitors their safety.... The current state of safety and health IT is not acceptable; specific actions are required to improve the safety of health IT. The first eight recommendations are intended to create conditions and incentives to encourage substantial industry-driven change without formal regulation. However, because the private sector to date has not taken sufficient action on its own, the committee believes a follow-up recommendation is needed to formally regulate health IT. If the actions recommended to the private and public sectors are not effective as determined by the Secretary of HHS, the Secretary should direct the FDA to exercise all authorities to regulate health IT.

As to the assertion that "to impose common law liability upon defendant hospital for using certified EHR technology, which was in compliance with federal law and regulations for Health Information Technology, would directly conflict with Congress' statutory scheme for fostering and promoting the implementation and use of EHR", let's repeat:
There are no federal laws and regulations for Health Information Technology.

The technology is unregulated. I could design an EMR tonight and put it up for sale tomorrow. It might not qualify for federal incentives if it were not "certified" by an ONC-Authorized Testing and Certification Body (ONC-ATCB), but if I could find a buyer willing to use it, there are no laws or regulations preventing that. From the ONC FAQ here:

... In order to qualify for Medicare and Medicaid EHR incentive payments, providers must use EHR technology that has been certified by an Office of the National Coordinator for Health Information Technology-Authorized Testing and Certification Body (ONC-ATCB, or ATCB). The temporary certification program provides assurances that the EHR technology adopted by health care providers is technically capable of supporting their efforts to achieve meaningful use.

As to imposition of such a common law liability "conflicting with a Congressional scheme for promoting EHR's", that is simply irrelevant.

I note the assertion is also defamatory towards Congress, implying Congress is fine with hospitals deploying health IT with reckless abandon, and should be permitted to do so with legal impunity for the sake of their "scheme."
There's also a claim made that the defendant hospital is not on the hook for EHR defects in their installed systems, because they "don't sell or manufacture the product."

They do, however, modify, customize, maintain, and test it for proper functioning in situ (the latter if they are acting responsibly, especially since the technology is experimental and not tested/approved by FDA, not even undergoing "fast track" 510(k) approval). It should also be noted that the latter 510(k) process does not confer freedom from user liability even when it is obtained.

Even to my non-legally-trained mind, I believe the duties that hospitals owe patients include these, especially with a non-FDA approved experimental technology known to cause risk, injury and death but at a magnitude that is not known:

  • The duty to make a reasonable inspection of equipment it uses in the treatment of patients and remedy any defects discoverable by such inspection.
  • The duty to provide equipment reasonably suited for the use intended.

Finally, as it turns out, the ED EHR in question was not "certified" when my mother became injured. It was not "certified" until many months later.

Additionally, the hospital in question made its buy decision and did its implementation several years before HITECH (enacted as part of the American Recovery and Reinvestment Act of 2009) was even a twinkle in the Administration's eye.

If I were paying handsomely for legal counsel such as outlined above, I'd cringe.

Sadly, while legal obstructionism continues (as I am finding is common regarding health IT-related litigation), more patients are being injured and killed.

-- SS

10 comments:

Afraid said...

Ah if only the court's decision made sense. The law is not what is written in the federal register, it is not to be interpreted by mere humans,

The law is what the judge says, period. Get used to the outrage you may later feel when seemingly senseless edicts are passed down to you, a mere citizen.

We do not have rule of law, we have rule by lawyers.

Steve Lucas said...

I must admit to being surprised that someone would submit such a weak defense and use computer supremacy as their claim of defense.

There is also the legal theory of: Go with what you got, and they ain’t got much to go on.

Maybe they feel in some smug way they can create a whole new area of the law where what they say is true: Hospitals are harmless no matter what the situation.

Never happen, but it would be interesting to see the Fed’s reaction to a subpoena explaining the testing and certification process. I am sure they would just be thrilled to learn they are responsible for this whole process and thus liable.

The good news is judges are taking a dim view of corporate defense attorneys making things up out of thin air. Maybe, just maybe, this judge will not be impressed and hack these guys with all of the court’s resources.

Steve Lucas

InformaticsMD said...

Steve Lucas writes:

it would be interesting to see the Fed’s reaction to a subpoena explaining the testing and certification process. I am sure they would just be thrilled to learn they are responsible for this whole process and thus liable.


One wonders if this hospital signed a "hold vendor harmless" clause with the HIT vendor.

If so, and the hospital claims immunity, they condemn their own medical staff to undue legal jeopardy - in violation of hospital executive fiduciary responsibilities.

But I wrote that before - in July 2009 in JAMA.

-- SS

Afraid said...

Well we shall see if logic prevails. Just take into account one thing, there is a separate dictionary used in the court. They don't use Webster's definitions for words, so what you see as a "dim view" could be business as usual, making it look one way and ruling the other.

Steve Lucas said...

The hold harmless clause would explain this convoluted legal fiction.

On a personal note: I am sure that the most junior member of the legal team is walking around quite proud of themselves, and will explain how important they are, all the time making more than my just retired attorney wife who spent 30 years working on children’s issues.

Steve Lucas

Anonymous said...

When ARRA/HITECH went into effect for national rollout of EHR technology, there was insufficient scientific evidence, EHR certification safeguards, or governmental regulation in place to ensure reasonably safe EHR use. No one really knows the magnitude of the patient safety impacts of this rollout, then or now. For provider organizations still using paper-based processes, no one knows with certainty the magnitude of patient safety impacts associated with those paper-based processes relative to their IT-based counterparts.



With many commercial EHRs in use by US healthcare providers today, I'm not so certain that introducing legal disincentives against HIT vendor businesses selling defective software will have as great a long-term positive impact on patient safety today as it would have had in pre-ARRA days.



If the outcome of your mother's case results in new case law that disfavors continued use of a vendor's EHR software there should be positive impacts - assuming nothing unintended goes wrong along the way. But there anecdotally documented, and many more undocumented, cases where substantial and unintended impacts to patient safety occur when the state of IT integration in a healthcare organization's complex socio-technical landscape is disrupted.



If the outcome of your mother's case makes an HIT vendor liable for damages associated with a defective version of EHR software only, the vendor can work to resolve the defect in a later version customers will have the option to upgrade to. The change management and sociotechnical impacts of upgrading software on customer organizations can significantly increase patient safety risks during the software implementation phase of the upgrade.



If the short and long-term impacts of the case result in the hospital's HIT vendor going out of business, patients are then again placed under even greater safety risks as the hospital, and possibly other customers previously contracted with the vendor, undertake even more severe change management challenges associated with adoption of an entirely new EHR software package from other vendors. The vendor going out of business may become less fiscally capable of providing technical support to its customers - negatively impacting patient safety in other ways.



Or, the outcomes of the case may motivate healthcare providers to abandon EHRs and revert back to paper-based patient care methods.



Putting an HIT vendor out of business, or discouraging such business, can indirectly introduce or propagate unintended patient safety risks that may be worse than the risks associated with the particular software defect(s) being addressed in the case.



The net effect of putting an HIT vendor out of business may not result in saving more lives and reducing the number of patient injuries associated with healthcare practice (with or without IT). The net effect depends on many factors including, but not limited to, the number of vendor customers impacted, severity and actual frequency of IT use errors associated with software defects, severity and actual frequency of paper use errors, provider organization resilience for IT change, and software implementation outcomes.



No one really knows the nationwide patient safety impacts of activities that introduce, exclude, or remove HIT from healthcare organizations. But obtaining that knowledge may now have to depend in part on people doing good scientific research on the patient safety impacts of putting HIT vendors out of business.

Informatics Student

Seven Signs of Ethial Collapse said...

That is the logic all of these devils use: better the devil you know than the devil you don't.

I love the impliation we see all over our town: don't put any pressure on the loal healtcare system because it employs many.

Ends justify means arguments need to be pointed out because they can appear so rightious.

But remember, the final sign of ethial collpase is a belief that good works make up for bad.

InformaticsMD said...

Informatics student,

Can we agree what you are saying is that we should allow proven-defective/harmful medical devices to flourish because regulation/change as in pharma, when a drug like thalidomide is withdrawn from market, theoretically might cause even worse outcomes due to "sociotechnical complexities" in hospitals?

The argument you proffer deviates so far from accepted medical ethics and the ethics of human subjects research (e.g., as at http://ohsr.od.nih.gov/guidelines/index.html including The Belmont Report, Nuremberg Code, World Medical Association Declaration Of Helsinki, Guidelines for Conduct of Research Involving Human Subjects at NIH, 45 CFR 46 - Protection Of Human Subjects, etc.) that perhaps you best go into Veterinary Informatics rather than Medical Informatics.

-- SS

Anonymous said...

InformaticsMD said:

"perhaps you best go into Veterinary Informatics rather than Medical Informatics"

Your career advice is welcome, but not necessary. It is rejected and off topic.

Your argument simply and eloquently supports removal of
proven-defective/harmful HIT medical devices on the basis
of accepted medical ethics and the ethics of human subjects research.

A person understanding my argument would realize that, unlike recalls of unsafe drug products, recalls of defective HIT products cannot be implemented quickly without patient safety risks resulting from difficult-to-quantitate socio-techical complexities associated with implementing and deinstalling HIT software. Patient safety risks associated with the complex socio-techical process of HIT implementation cannot be dismissed lightly, and are given much attention in healthcare informatics textbooks and research.

A person understanding my argument would also question the
scientific soundness of using paper-based records over even slightly defective HIT of unknown patient safety risk in medical practice. Just because paper-based methods made it into medical practice first does not mean they should not be subjected to the same level of scientific scrutiny as HIT-facilitated methods. If patients were informed of the errors that do occur using paper-based methods, would they consent to receiving treatment at a paper-based facility?

I hope that any lawsuit that leads to a large HIT vendor going out of business also has as a net effect an improvement in patient safety, after balancing the positive effects of removing the vendor's defective software against the negative effects associated with
mandatory deinstallation of this software at hundreds of customer sites. Hopefully the defect(s) being addressed are of high enough safety risk, and documented incidence of severe harm, to achieve an overall
positive impact. For an HIT vendor of any customer base size, this would be the ethically correct thing to do (right means) but may end up achieving the wrong end, if too many customers are impacted too quickly.

--Informatics Student

InformaticsMD said...

Informatics student wrote:

"Your argument simply and eloquently supports removal of
proven-defective/harmful HIT medical devices on the basis
of accepted medical ethics and the ethics of human subjects research."


Agreed.

A person understanding my argument would realize that, unlike recalls of unsafe drug products, recalls of defective HIT products cannot be implemented quickly without patient safety risks resulting from difficult-to-quantitate socio-techical complexities associated with implementing and deinstalling HIT software

Yes, they can. It requires the resources and the backup systems (paper, if need be) that should be present in any system engineered to take into account possible failure.

A 2007 Medical Records Institute survey of about 800 health IT stakeholders is summarized in the Modern Healthcare article “Failure, de-installation of EHRs abound” at this link. Nineteen percent of respondents indicated they either have experienced the actual abandonment of an EMR system or are now going through a de-installation, and some had actually gone back to paper. I believe these results markedly under-represent true problem rates, as the sample size was small and health IT stakeholders are quite reluctant to share such negative information due to internal healthcare organization and health IT industry backlash.

A person understanding my argument would also question the
scientific soundness of using paper-based records over even slightly defective HIT of unknown patient safety risk in medical practice.


"Slightly defective HIT of unknown patient safety risk?"

Pointing out the obvious, if the risk is unknown, we cannot declare it "slightly defective."

Aside from the fact that your last statement is logically fallacious, most medical errors have little to do at all with documentation, I repeat, this is not how medical ethics works. We do not introduce unknowns on the hope they work better than something else. We do not know IT reduces errors over paper.

On the basis of your logical and ethical errors, I suggest you go back to your studies.

-- SS