Search the KHIT Blog

Sunday, November 21, 2010

First, Do No "Hold Harmless"

I read a very interesting post the other day, "The Fine Print," written by one of my favorite heath care blogging colleagues, Margalit Gur-Arie, regarding the
"alleged contracting practices of EHR vendors and their notorious “hold harmless” clauses, which indemnify the EHR vendor from all liability due to software defects, including liability for personal injury and death of patients. What this means in plain English is that if a software “bug” or incompetency caused an adverse event, and if you (or your hospital) are faced with a malpractice suit, the EHR vendor cannot be named a co-defendant in that suit and you cannot turn around and bring suit against the vendor for failure to deliver a properly functioning product."

"The AMIA paper also asserts the existence of contractual terms preventing users and purchasers from publicly reporting, or even mentioning, software defects, including ones that may endanger patient safety..."

Wow. Assertions of blanket indemnity, coupled with a "gag order"? Is this something regarding which our REC provider clients be made aware during EHR vendor selection and contract negotiation? (Beyond things such as practice "data ownership" and -- relatedly -- EHR "source code escrow"?) How substantive is the liability concern?

The grist for this post was the recent publication of an American Medical Informatics Association (AMIA) Board Position Paper entitled "Challenges in ethics, safety, best practices, and oversight regarding HIT vendors, their customers, and patients: a report of an AMIA special task force." (PDF)
"...Some vendors incorporate contract language whereby purchasers of HIT systems, such as hospitals and clinics, must indemnify vendors for malpractice or personal injury claims, even if those events are not caused or fostered by the purchasers. Some vendors require contract clauses that force HIT system purchasers to adopt vendor-defined policies that prevent the disclosure of errors, bugs, design flaws, and other HIT-software-related hazards..."

One commenter made this observation on Margalit's post:
"I'm still waiting to see an installation of any EMR be fully tested by either the vendor or the organization who purchased it."


All of which set me to reflecting on my first professional technical paper, written in 1988 during my tenure as an environmental radiation lab programmer and quality control analyst.

While those days were a time prior to indoor plumbing in IT terms, some of the points still resonate. As I began the paper:
"... [vendor] makes no representations or warranties with respect to the content hereof, and specifically disclaims any implied warranties or merchantability or fitness for any particular purpose for both this manual and the product it describes. Furthermore, [vendor] reserves the right to revise this publication and make changes in the content hereof without obligation to notify any person of any such revision or changes..."

"In less than a decade, microcomputers and software applications have become ubiquitous, indispensable tools in business, industry, and the sciences. The end-user faces a bewildering array of options with respect to makes, models, peripherals, and software compilers, libraries, firmware, and applications packages. since the foregoing disclaimer may be found in the product documentation of virtually every commercial microcomputer hardware and software vendor, the end-user must blend the array of options, possible algorithmic deficiences, and system incompatibilities into a comprehensive product. The user assumes -- usually unwittingly -- the cumulative responsibility for assuring a quality output..."

Twenty three years later, the core liability concerns remain. And, still, the "user assumes -- usually unwittingly -- the cumulative responsibility for assuring a quality output."

The lab wherein I worked did a signification volume of "forensic-level" analysis, i.e., much of our output was destined for use as evidence in radiation contamination and dose-exposure liability litigation
. Consequently, we turned over every rock, pebble, and grain of sand in search of conditions inimical to legally-defensible data "quality." Our Technical Director in particular, Dr. James Dillard (my mentor on this and other projects), had amonished us to never take computer-generated results at face value. He was fond of saying "you get what you INspect, not what you EXpect." As I note on my website preface citing and linking my paper:
You enter some numerical data into a computer and get some results back out. Do you simply assume they are "accurate" and report them to the client? Not in our lab. For example, even assuming your data and formula/function entries into a spreadsheet are correct, does it thereby necessarily invariably follow that the calculated results will be so?

And so it came to be express policy (reflected in our "IT/ORL Software Quality Assurance SOP" I had a hand in writing) that we thoroughly test every software application -- in-house developed and commercial (off-the-shelf and 3rd-party custom-developed alike) -- and every computer wherein they would be installed for use in generating client-reportable results.

Complex as all of that was, those were the bucolic ancien days of relative computing simplicity. Today's hyper-connected, mobile world of 24/7 exponentially increasing digital apps and platforms -- from the client-server to the "Cloud" -- presents a potential host of new challenges.

Given the considerable complexities comprising Health Information Technology (very little of which go to actual mathematical computing, it should be noted), these challenges are already within the crosshairs of the Medical Liability people. Recall, again, my prior citation of the Brouillard article.

Brouillard concludes:
"Although EHRs have now achieved mainstream, clinical adoption, EHR-related liability trends have not developed fully. At this early point, we can discern some potential liability areas. In an early EHR implementation stage, source of truth issues and expansion of liability issues may arise. In using EHR systems, the evolving standards of care for clinical documentation and work-arounds pose risks. Security as mandated by data breach laws or retention and storage issues involving e-discovery liability and data integrity have also emerged as important areas."

Consequently, it is rather unsurprising that Counsel for EHR vendors would insist on boilerplate blanket "Hold Harmless" beg-offs. I rather doubt such stipulations would survive the first serious court test, given a case (assuming a jury trial) wherein a patient was harmed as a result of a documentable software flaw that prevented a provider from being made aware of an exigent patient circumstance (or induced a provider to take injurious action she would otherwise have not absent the software flaw). Moreover, I am with AMIA on this point:
"f. “Hold harmless” clauses in contracts between Electronic Health Application vendors and purchasers or clinical users, if and when they absolve the vendors of responsibility for errors or defects in their software, are unethical." [pg 3]


To be fair, one principal reason for attempts at fine print "hold harmless" inoculation goes to the civil litigation reality of "Joint and Several Liability" -
Joint and several liability is a form of liability that is used in civil cases where two or more people are found liable for damages. The winning plaintiff in such a case may collect the entire judgment from any one of the parties, or from any and all of the parties in various amounts until the judgment is paid in full. In other words, if any of the defendants do not have enough money or assets to pay an equal share of the award, the other defendants must make up the difference.

e.g., if you are found to be perhaps only, say, one percent "liable" (exacerbated by the fact that civil liability is determined by subjective "more-likely-than-not" "preponderance" criteria), but your relatively deep pockets finds you with 100% of the attachable assets via which to satisfy a judgment, well...

So, what're really perhaps at play here are the relative deep pockets of EHR vendors vis a vis the materially shallower ones of individual potential defendant physicians.


"Medical errors and adverse events may result from individual mistakes in using EHRs (e.g., incorrectly entering information into the electronic record) or system-wide EHR failures or “bugs” that create problems in care processes (e.g., “crashes” that prevent access to crucial information)." [pg 2061]

' the use of EHRs grows, failure to adopt an EHR system may constitute a deviation from the standard of care. The standard of care is usually defined by reference to what is customary among physicians in the same specialty in similar settings. Once a critical mass of providers adopts EHRs, others may need to follow..." [pg 2065]

Medical Malpractice Liability in the Age of Electronic Health Records Sandeep S. Mangalmurti, M.D., J.D., Lindsey Murtagh, J.D., M.P.H., and Michelle M. Mello, J.D., Ph.D. n engl j med 363;21 November 18, 2010

So, given that the ever-wider-spread deployment of HIT is seemingly inevitable (and, a prospect which I obviously support), what are the some of the truly salient liability risk concerns?
  • EHR "Usability" issues (PDF) that might contribute to inadequately "idiot-trapped" data input errors (including mistakes and omissions);
  • Code logic flaws that could lead to exigent "alerts" missed (or, conversely, irritating recurrent "false positive" alerts that precipitate user cynicism and apathy);
  • Relatedly, "clinical decision support" logic flaws (or simple inadequacies);
  • More general code flaws resulting in "crash" prone systems, leaving clinicians potentially in the lurch during time-sensitive points of care;
  • OS and other incompatibilities (including adverse interactions with other resident apps);
  • Math errors.
As I've previously noted, EHRs typically do very little outright math of any appreciable sophistication, so I put that last on the list (though that may indeed a bit change over time -- apps going beyond, e.g., simply doing BMI arithmetic, lab value averages, and growth chart plotting, etc). The typical EHR (at least of the ambulatory variety) is really just usually a Java or C++ (or otherwise ".net") coded GUI front end app sitting atop and hooking into a relatively complex RDBMS (typically a multi-table SQL relational database these days), one whose principal purpose is to record and then re-display (either onscreen or in print) the myriad requisite subsets of administrative and clinical data as efficiently as possible (ideally).

Nonetheless, the systems are indeed extremely transactionally complex, and, absent thorough and consistent QA (including industry consensus stds? FDA oversight?), they could be vulnerable to a host of "gremlins," the upshot of which could range from the merely exasperating-to-the-workflow to the punitive "joint-and-several liability" class-action judgment in the wake of patient harms.
I have to note yet again that ONC-ATCB EHR "certification" for Meaningful Use has to do exclusively with an application's ability to reliably record and regurgitate the MU measures, in a HIPAA-compliant manner. Nothing more. Nothing pertaining to application "quality" more broadly (and in the more truly "meaningful" sense of efficient, "usable" functionality).
I will be watching the developing law here with interest. I would also exhort all vendors and users alike to think long and hard proactively about the considerable breadth of EHR "software quality" issues.


"Physicians and other healthcare providers are increasingly relying on EHR systems for the practice of medicine. As the number of EHR system providers increases and as these systems integrate with other systems to import and exchange data, it is important to track and understand issues of concern as they develop. This will, in-turn, allow for improvement in EHRs, in patient safety, and may result in liability reduction..."




I was sifting through papers in my office today, and ran back across this law journal article I'd read a while back (PDF) and had given the thorough yellow highlighter treatment.

I should have cited this by now. Just slipped my attention. It antedates both the Brouillard and NEJM pieces. It's the first place wherein I ran across a call for FDA (or some federal entity) regulation of EHRs.
...the novel and significant risks generated by EHR systems cannot be ignored. Products with poor information display and navigation can impede rather than facilitate providers’ work. The growing capabilities of EHR systems require increasingly complex software, which heightens the danger of software failures that may harm patients...

...Thus far, the legal literature has not assessed the need for careful regulatory oversight of EHR systems akin to that required, in principle, by the Food and Drug Administration (“FDA”) for life-critical medical devices. This Article begins to fill that gap. It analyzes EHR systems from both legal and technical perspectives and examines how law can serve as a tool to promote HIT. Extensive regulations already exist to govern the privacy and security of electronic health information. Privacy and security, however, are only two of the concerns that merit regulatory attention. Perhaps even more important are the safety and efficacy of these life-critical systems. [pp. 106-107]

A good read. And, in light of the more recent news of EHR vendor "Hold Harmless" attempts, this observation near the end of the monograph is interesting:
...the threat of product liability or medical malpractice litigation could deter misconduct by both EHR system vendors and health care providers. Plaintiffs may sue providers if they suspect that they suffered poor outcomes because providers failed to implement or properly use EHR systems, for example, by neglecting to utilize decision-support features that may have averted a medical mistake. Likewise, plaintiffs might name EHR system vendors as defendants if they believe the harm is rooted at least partly in a design flaw, and health care providers might bring in vendors as third party defendants if they believe the vendors to be partially at fault. Audit logs and capture/replay would be helpful to all parties in investigating and proving their claims concerning system failures and provider negligence or lack thereof. [pg 161]

Do no "Hold Harmless."

No comments:

Post a Comment