Starting in 2022, the Centers for Medicare & Medicaid Services (“CMS”) will require hospitals to measure themselves against the Office of the National Coordinator for Health IT’s (“ONC”) Safety Assurance Factors for EHR Resilience (“SAFER”) guides. CMS is implementing this requirement through its programmatic authority.[1]
This is legally significant because it may create a discoverable paper trail (or relevant lack thereof) on how hospitals manage their health IT. Patient safety issues do occur in health IT: for example, two systems might read a single prescription in a different way. Often, the prescribing system interacts with at least one vendor who sits between it and the receiving pharmacy system, such as Surescripts. In between, clinical codes are translated, including those controlling for dosage and medication. Messing up one of those fields can lead to a patient’s death, although luckily it is often caught by pharmacists, clinicians, or their patients.
The legal significance of the SAFER guides is that in such a dispute, a plaintiff’s attorney could introduce them as evidence of the standard of care. The guides are extensive and worth reading. They cover the following subjects:
- High Priority Practices (e.g. storing lab results in a standard format)
- Organizational responsibilities
- Contingency planning
- System configuration
- System interfaces
- Patient identification
- Computerized Provider Order Entry with Decision Support
- Test Results Reporting and Follow Up
- Clinician Communication
The guides can be found at the following link:
https://www.healthit.gov/topic/safety/safer-guides
Hospitals and other healthcare organizations should look at these guides when drafting and implementing their policies and procedures that govern their Protected Health Information (“PHI”), and health data in general. The presence and implementation of such policies and procedures can go a long way to demonstrating that the provider organization met “the duty of care.”
The simple presence of this requirement by CMS will lead to more sophisticated hospitals interacting with their EHR vendor and checking their practices against the guides’ requirements. Often the hospital’s practices are defined or constrained by what their vendor may offer. I can see certain situations where the plaintiffs’ bar might target both the hospital and health IT vendor.
Health IT vendors, maybe even more than hospitals, should take note of the guides’ requirements if only because of how their products are designed: in a modern way. Data translation issues, especially for software that is deployed through “the cloud,” would generally replicate the same error over and over again because the same instance of software is running on each user’s computer. Hospitals with on-premise systems may or may not be similar: it is possible that the health IT vendor or its partner implemented the health IT the same way across multiple sites of the same hospital system. A health IT vendor or EHR developer should develop their patient safety policies around the following requirements:
- Enable REPORTING by both employees and customers.
- CAPTURE each complaint discretely and document its resolution. Ultimately, you will want a report of all internal and external patient safety complaints, their status, and resolution.
- When receiving a patient safety complaint, describe it in detail and document the severity level communicated.
- Ensure that patient safety complaints are managed EXPEDITIOUSLY. Ideally, they should be reviewed and responded to within twenty-four hours of receipt.
- Have clinicians make clinical calls. Your health IT company should have licensed medical staff on call to determine and/or confirm whether a patient safety issue actually exists.
- COMMUNICATE with your customers, often, and upon verification of any patient safety issue. You will save lives and cut down any legal exposure.
- TRAIN your employees. Anybody customer-facing should be able to identify and properly escalate a patient safety complaint.
- REPORT on events through your organization, and regularly identify areas where you can IMPROVE.
Better safe than sued and sorry.
[1] Namely, CMS will implement the requirement as a part of the Protect Patient Security component of the hospital Medicaid and Medicare Promoting Interoperability programs.