IOM Drops Long-Anticipated Report on Health IT and Patient Safety

Washington was abuzz this week with the release of the Institute of Medicine’s 197-page report “Health IT and Patient Safety: Building Safer Systems for Better Care.” The much anticipated report said that current market forces are not adequately addressing potential risks associated with use of health IT and that more attention needs to be brought to patient safety and EHRs. IOM made ten recommendations (.pdf), including the need for HHS to develop a multi-stakeholder strategy within one year to “assess the impact of health IT on patient safety and minimizing the risk of its implementation and use.” Another recommendation would establish two new federal bodies: the HHS Health IT Safety Committee would set criteria for the safe use of HIT; while an independent federal agency modeled after the National Transportation Safety Board would investigate incidents. These recommendations were given in light of “mixed opinion on how FDA regulation would impact the pace of innovation but identified several areas of concern regarding immediate FDA regulation.” Some members of the report favored a scheme that gave FDA the authority to regulate EHRs as “Class III” devices – the most strictly regulated of medical devices – while others felt the FDA would likely restrict market innovation in health IT, which could also jeopardize patient safety.
However, Recommendation 9a states: “If progress toward safety and reliability is not sufficient as determined by the Secretary, the Secretary should direct the FDA to exercise all available authority to regulate EHRs, health information exchanges, and PHRs.” And 9b follows: “The Secretary should immediately direct the FDA to begin developing the necessary framework for regulation. Such a framework should be in place if and when the Secretary decides the state of health IT safety requires FDA regulation as stipulated in Recommendation 9a above.” See also, Dr. Farzad Mostashari’s response to the IOM report in a blog post on the ONC’s website.
ONC Advisory Group Seeks Comments on Exchange Specifications

Through a post on the Federal Advisory Committee Blog this week, the Health IT Standards Committee (HITSC) is seeking comments from anyone who has experience exchanging information through the Nationwide Health Information Network (NwHIN) using Exchange specifications and protocols. On September 28, 2011, the HITSC provided recommendations regarding standards and specifications for the nationwide health information network, via a transmittal letter (.pdf). As part of the transmittal letter, HITSC recommended that ONC perform further assessment of industry adoption, and deployment, operational, and administrative complexity of the Exchange specifications – especially from those who have implemented these specifications in organizations other than Federal agencies, and from organizations that have implemented a technology stack different from that represented in the Exchange specifications. ONC requests feedback on fourteen questions ranging from wanting to know the business function supported by Exchange in your organization to asking how easy or difficult the Exchange specifications were to understand, interpret, and implement. Find out more information on the Request for Comment here.
HIPAA Compliance Audits on the Horizon

According to the HHS Office of Civil Rights, a pilot audit program to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards has begun. A three-step process has been in development since July and a test of twenty initial audits will begin in November and go through April, OCR indicated on its website. The OCR responded by saying the audit program launched Nov. 4 with the sending of notification letters to five of the first 20 entities to be audited. The OCR intends to complete upwards of 150 audits by the end of calendar 2012. According to OCR, audits are primarily a compliance improvement activity. The Office will review the final reports, including the findings and actions taken by the audited entity to address findings, and the aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. “Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem,” the Office said. “OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.”