A New ECRI Institute Study On Health Information Technology-Related Events

As I wrote here, I was a reviewer of the report in the PA-based, ECRI Institute-conducted study "The Role of the Electronic Health Record in Patient Safety Events."  ECRI studied the Pennsylvania Patient Safety Reporting System database for HIT-related errors.   

The ECRI Institute is an independent organization renowned for its safety testing of medical technologies and reporting on same, and that "researches the best approaches to improving the safety, quality, and cost-effectiveness of patient care."  I've mentioned it and its bylaws in this blog in the past as a model for independent, unbiased testing and reporting of healthcare technologies.

The full report in PDF is at this link.  In the report, the Pennsylvania Patient Safety Authority analyzed reports of EHR-related events from a state database (the Pennsylvania Patient Safety Reporting System or PA-PSRS, pronounced "PAY-sirs") of reported medical errors and identified several major themes.

My review input led to a discrete "limitations" section.  Also, my invited July 2012 presentation to the PA Patient Safety Authority "Asking the Right Questions: Using Known HIT Safety Issues to Improve Risk Reporting and Analysis" with ECRI in attendance (link to PPT here) on the danger of limited datasets due to systematic impediments to information diffusion was apparently taken seriously. 

ECRI decided to do something about the knowledge gap, and they asked the right questions.

They've just released this summary of a new study they conducted.  I have a few comments which follow:
  

ECRI Institute PSO Uncovers Health Information Technology-Related Events in Deep Dive Analysis

Data transfer, data entry, system configurations, and more identified as serious problem areas
 
PLYMOUTH MEETING, Pa., Feb. 6, 2013 /PRNewswire-USNewswire/ -- The federal government is spending about $19 billion to encourage hospitals, physician practices, and other healthcare organizations to invest in their health information technology (HIT) infrastructure with the goal of improving patient safety and quality through the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Concerned about the unintended consequences of HIT and the potential for errors to cause patient harm, ECRI Institute Patient Safety Organization (PSO) recently conducted a PSO Deep Dive™ analysis on HIT-related safety events. Their just-released 48-page report identified five potential problem areas, which can be assessed with the accompanying toolkit. The report and toolkit are available for purchase [appx. $350 U.S. - ed.] without membership in ECRI Institute PSO.

"Minimizing the unintended consequences of HIT systems and maximizing the potential of HIT to improve patient safety should be an ongoing focus of every healthcare organization," says Karen P. Zimmer , MD, MPH, FAAP, medical director, ECRI Institute PSO.

Based on [voluntary - ed.] reports submitted to the PSO from participating organizations, ECRI Institute PSO experts identified the following key HIT-related problems:

• inadequate data transfer from one HIT system to another
• data entry in the wrong patient record
• incorrect data entry in the patient record
• failure of the HIT system to function as intended
• configuration of the system in a way that can lead to mistakes

To collect enough reports for meaningful evaluation, ECRI Institute PSO asked participating organizations to submit standardized data about HIT events during a nine-week period. This enabled ECRI Institute PSO to identify patterns and trends from the aggregated data and share the findings, as well as its recommendations. The data in the PSO Deep Dive represents only that collected using the Agency for Healthcare Research and Quality (AHRQ) HIT Common Formats.  [Not the improved formats developed by AHRQ in their IT Hazards Manager project, still in development - ed.]  ECRI Institute PSO data encompasses over 800 HIT-related events.

According to the report, HIT must be considered in the context of the environment in which it operates during the three phases of any HIT project: planning for new or replacement systems, system implementation, and ongoing use and evaluation of the system. "Shortsighted approaches to HIT can lead to adverse consequences," caution the authors.

"Healthcare organizations should consider the findings and recommendations in the PSO Deep Dive as part of their effort to achieve those goals," adds Zimmer.

The HIT PSO Deep Dive findings were published in a 48-page report and toolkit with self-assessment questionnaire and action plan form available to all ECRI Institute PSO Members and its partner PSO members. The table of contents of the report is available for free viewing/download. Additional information will be presented in ECRI Institute PSO's Monthly Brief free e-newsletter March edition; go to www.ecri.org/psobrief to sign up. The full report and toolkit are also available for purchase.

For questions about this topic, or for information about purchasing the report, please contact ECRI Institute PSO by telephone at (610) 825-6000, ext. 5558; by e-mail at pso@ecri.org; by fax at (610) 834-1275, or by mail at 5200 Butler Pike, Plymouth Meeting, PA 19462-1298, USA.

From the free linked TOC document:

Key Recommendations

• Enlist leaders’ commitment and support for the organization’s health IT projects.

• Involve health IT users in system planning, design, and selection.

• Conduct a review of workflow and processes to determine how they must be modified.

• Evaluate the ability of existing IT systems within the organization to reliably exchange data with any health IT system under consideration.

• Conduct extensive tests before full implementation to ensure that the health IT system operates as expected.

• Provide user training and ongoing support; educate users about the capabilities and limitations of the system.

• Closely monitor the system’s ease of use and promptly address problems encountered by users.

• Introduce alterations to a health IT system in a controlled manner.

• Monitor the system’s effectiveness with metrics established by the organization.

• Require reporting of health IT-related events and near misses.

• Conduct thorough event analysis and investigation to identify corrective measures.

My comments are these:

• The ECRI study, report and recommendations are quite welcome.

• The case reports received were apparently voluntary and probably "conservative" and understated as hospitals are not happy to release data on problems and harms that can lead to, or support, litigation.  

• The study was just 9 weeks long, and with a limited set of healthcare organizations participating.  800 HIT-related events were identified. 

•  The relevant issues discovered in the events, as summarized in the bullet points above, are capable of causing clinician distraction, incorrect decisions, "use error" (as opposed to "user error", see here), patient harm, and death.  (I am aware of such issues in the press including harms and deaths, as readers here have read at links such as these and these and these and these, and others about which I am providing expert-witness consultation and cannot share.)
  

• I believe ECRI has now begun to peer below the water level, through the muck of industry control of the narrative, of what FDA CDRH leader Jeffrey Shuren MD JD referred to as "the tip of the iceberg" - i.e., the current level of knowledge of health IT difficulties, defects and harms. 

• The report is yet another red flag for a far more robust (and mandatory, in my view) post-marketing surveillance of health IT.  

• Those who claim these findings are "anecdotes" (as here) are looking increasingly foolish and cavalier.

Finally, readers of this blog have been reading about these issues for years.  You heard it here first.

-- SS 
 

A Significant Additional Observation on the PA Patient Safety Authority Report "The Role of the Electronic Health Record in Patient Safety Events" -- Risk

At a Dec. 13, 2012 post "Pennsylvania Patient Safety Authority: The Role of the Electronic Health Record in Patient Safety Events" I alluded to risk in a comment in red italics:

... Reported events were categorized by their reporter-selected harm score (see Table 1). Of the 3,099 EHR-related events, 2,763 (89%) were reported as “event, no harm” (e.g., an error did occur but there was no adverse outcome for the patient) [a risk best avoided to start with, because luck runs out eventually - ed.], and 320 (10%) were reported as “unsafe conditions,” which did not result in a harmful event. 

The focus of the report is on how the "events" did not cause harm.  Thus the relatively mild caveat:

"Although the vast majority of EHR-related reports did not document actual harm to the patient, analysts believe that further study of EHR-related near misses and close calls is warranted as a proactive measure."

It occurs that if the title of the paper had been "The Role of the Electronic Health Record in Patient Safety Risk", the results might have been interpreted far differently:

In essence, from from June 2, 2004, through May 18, 2012 (the timeframe of the Pennsylvania Patient Safety Reporting System or PA-PSRS database), from a dataset highly limited in its comprehensiveness as written in the earlier post, there were approximately 3,000 "events" where an error did occur that potentially put patients at risk.

That view - risk - was not the focus of the study.  Should it have been?

These "events" really should be called "risk events."

It is likely the tally of risk events, if the database were more comprehensive (due to better recognition of HIT-related problems, better reporting, etc.) would be much higher.  So would the reports of "harm and death" events as well.

That patient harm did not occur from the majority of "risk events" was through human intervention, which is to say, luck, in large part

Luck runs out, eventually.

I have personally saved a relative several times from computer-related "risk events" that could have caused harm if I were not there personally, and with my own medical knowledge, to have intervened.  My presence was happenstance in several instances; in fact a traffic jam or phone call could have caused me to have not been present.

What's worse, the report notes:

Analysts noted that EHR-related reports are increasing over time, which was to be expected as adoption of EHRs is growing in the United States overall.

In other words, with the current national frenzy to implement healthcare information technology, these "risk events" - and "harm and death events" - counts will increase.  My concern is that they will increase significantly.

I note that health IT is likely the only mission-critical technology that receives special accommodation regarding risk events.  "If the events didn't cause harm, then they're not that important an issue" seems to be the national attitude overall.

Imagine aircraft whose avionics and controls periodically malfunction, freeze, provide wrong results, etc., but most are caught by hyper-vigilant pilots so planes don't go careening out of control and crash.  Imagine nuclear plants where the same occurs, but due to hypervigilance the operators prevent a nuclear meltdown.

Then, imagine reports of these "risk events" - based on fragmentary reporting of pilots and nuclear plant operators reluctant to do so for fear of job retaliation - where the fact of their occurrence takes a back seat to the issue that the planes did not crash, or Three Mile Island or Chernobyl did not reoccur.

That, in fact, seems to be the culture of health IT.

I submit that the major focus that needs addressing in health IT is risk - not just confirmed body counts.

-- SS

Pennsylvania Patient Safety Authority: The Role of the Electronic Health Record in Patient Safety Events

The Pennsylvania Patient Safety Authority has released a report "The Role of the Electronic Health Record in Patient Safety Events."  A press release is at this link, and the full report in PDF is at this link.  In the report, the Pennsylvania Patient Safety Authority analyzed reports of EHR-related events from a state database of reported medical errors and identified several major themes.

The report was prepared with the assistance of Erin Sparnon, Senior Patient Safety Analyst the ECRI Institute near Philadelphia.  The ECRI Institute is an independent organization renowned for its safety testing of medical technologies and reporting on same, and that "researches the best approaches to improving the safety, quality, and cost-effectiveness of patient care."  I've mentioned it and its bylaws in this blog in the past as a model for independent, unbiased testing and reporting of healthcare techonlogies.

Regarding the Patient Safety Authority:

The Pennsylvania Patient Safety Authority was established under Act 13 of 2002, the Medical Care Availability and Reduction of Error ("Mcare") Act, as an independent state agency. It operates under an 11-member Board of Directors, six appointed by the Governor and four appointed by the Senate and House leadership. The eleventh member is a physician appointed by the Governor as Board Chair.  Current membership includes three physicians, three attorneys, three nurses, a pharmacist and a non-healthcare worker.

The Authority is charged with taking steps to reduce and eliminate medical errors by identifying problems and recommending solutions that promote patient safety in hospitals, ambulatory surgical facilities, birthing centers and certain abortion facilities. Under Act 13 of 2002, these facilities  must report what the Act defines as "Serious Events" and "Incidents" to the Authority.

The Authority maintains a database of serious events and incidents:

Consistent with Act 13 of 2002, the Authority developed the Pennsylvania Patient Safety Reporting System (PA-PSRS, pronounced "PAY-sirs"), a confidential web-based system that both receives and analyzes reports of what the Act calls Serious Events (actual occurrences) and Incidents (so-called "near-misses").

Cutting right to the chase, the paper's summary:

As adoption of health information technology solutions like electronic health records (EHRs) has increased across the United States, increasing attention is being paid to the safety and risk profile of these technologies. However, several groups have called out a lack of available safety data as a major challenge to assessing EHR safety, and this study was performed to inform the field about the types of EHR-related errors and problems reported to the Pennsylvania Patient Safety Authority and to serve as a basis for further study. Authority analysts queried the Pennsylvania Patient Safety Reporting System for reports related to EHR technologies and performed an exploratory analysis of 3,099 reports using a previously published classification structure specific to health information technology. The majority of EHR-related reports involved errors in human data entry, such as entry of “wrong” data or the failure to enter data, and a few reports indicated technical failures on the part of the EHR system. This may reflect the clinical mindset of frontline caregivers who report events to the Authority.

Results:

... Reported events were categorized by their reporter-selected harm score (see Table 1). Of the 3,099 EHR-related events, 2,763 (89%) were reported as “event, no harm” (e.g., an error did occur but there was no adverse outcome for the patient) [a risk best avoided to start with, because luck runs out eventually - ed.], and 320 (10%) were reported as “unsafe conditions,” which did not result in a harmful event. Fifteen reports involved temporary harm to the patient due to the following: entering wrong medication data (n = 6), administering the wrong medication (n = 3), ignoring a documented allergy (n = 2), failure to enter lab tests (n = 2), and failure to document (n = 2). Only one event report, related to a failure to properly document an allergy, involved significant harm.

A significant "study limitations" section was included that addressed: 

• Issues regarding reporting statutes of the PA-PSRS errors database; 

• lack of awareness of EHRs as a potential contributing factor to an error;

• limitations of narrative reporting affecting both the types of reports queried and the tags applied (the study used textual data mining methodolgies);

• query design of the study; and

• the need for further refinement of the machine learning tool used in creating the working dataset, which may have missed relevant cases.

Some of these impediments to knowing the magnitude of extant HIT issues are also present in the 2008 Joint Commission Sentinel Events Alert on HIT, the 2010 FDA internal memorandum on HIT Safety, and the 2011 IOM report on the same topic.

(The IOM report specifically observed that the "barriers to generating evidence pose unacceptable risks to safety.") 

The major obstacle to this study in my view, though, was the nature of the dataset.  The database is for general reporting of medical errors, and it contains no specific fields or reminders about EHRs or the known ways in which they can contribute to, or cause, medical mistakes.  

The attempt was made, as acknowledged in the study, to glean information about EHR-related events from, in large part, textual analysis of narrative in the hopes that the reporter recognized the role of IT, and reported it using terms that could be detected by the search algorithms.  In other words, the data was not "purposed" for this type of study.  

It is axiomatic that one cannot find data that is simply not present, no matter how fancy the search algorithm.  Further, passive analysis of clinical IT risk/harms data in an industry where lack of knowledge of causation and misconceptions abound will produce only partial results that suggest further study is needed, and not give an indicator of just how incomplete the results are.

Thus, this cautionary statement was made in the new PA Patient Safety Authority report:

"Although the vast majority of EHR-related reports did not document actual harm to the patient, analysts believe that further study of EHR-related near misses and close calls is warranted as a proactive measure." 

My comments:

The report is welcome.

The most important part of the paper, I point out, is the “Limitations” section. FDA, IOM and others have made similar observations – we don’t know the true magnitude of the problem due to systematic limitations of the available data. 

Therefore, at best what is available must be deemed as risk management-relevant case reports, a “red flag” that could represent (using the words of FDA CDRH director Jeffrey Shuren regarding HIT safety), the tip of the iceberg.

It is imperative far more work be done in post-market surveillance as this technology is deployed nationally and internationally.  This is to ensure that good health IT (GHIT) prevails and bad health IT (BHIT) is either remediated or removed from the marketplace.  I had defined those in other writings as follows:

Good Health IT ("GHIT") is defined as IT that provides a good user experience, enhances cognitive function, puts essential information as effortlessly as possible into the physician’s hands, keeps eHealthinformation secure, protects patient privacy and facilitates better practice of medicine and better outcomes. 

Bad Health IT ("BHIT") is defined as IT that is ill-suited to purpose, hard to use, unreliable, loses data or provides incorrect data, causes cognitive overload, slows rather than facilitates users, lacks appropriate alerts, creates the need for hypervigilance (i.e., towards avoiding IT-related mishaps) that increases stress, is lacking in security, compromises patient privacy or otherwise demonstrates suboptimal design and/or implementation. 

An additional major factor that also contributes to lack of knowledge of EHR-related adverse events is hospital reporting non-compliance. For instance, I know of cases from my own legal consulting work and personal experience that I would have expected to appear in the database, but apparently do not.

But don’t take it from me alone. Here is PA Patient Safety Authority Board Member Cliff Rieders, Esq. on this.

From “Hospitals Are Not Reporting Errors as Required by Law, Phila. Inquirer”, pg. 4,http://articles.philly.com/2008-09-12/news/24991423_1_report-medical-mistakes-new-jersey-hospital-association-medication-safety:
  

... Hospitals don’t report serious events if patients have been warned of the possibility of them in consent forms, said Clifford Rieders, a trial lawyer and member of the Patient Safety Authority’s board.

He said he thought one reason many hospitals don’t want to report serious events is that the law also requires that patients be informed in writing within a week of such problems. So, if a hospital doesn’t report a problem, it doesn’t have to send the patient that letter. [Thus reducing risk of litigation, and, incidentally, potentially infringing on patients' rights to legal recourse - ed.]

Rieders says the agency has allowed hospitals to determine for themselves what constitutes a serious event and the agency has failed to come up with a solid definition in six years.

Fixing this “is not a priority,” he added.

This coincides with my own personal experience precisely.  In a case where my relative was permanently injured as a result of EHR-related medication error, and then died of the injuries, I never received the required report in writing from the hospital.  I also do not believe the case was reported to the Safety Authority, at least not as IT-related.

I suspect the true rates of EHR-related close calls, reversible injuries, permanent injuries and deaths is significantly higher than the limited data available suggests. That data is merely a red flag that much more education, stringent reporting requirements,  templates of known causes of error, and enforcement are needed.  (An April 2010  "thought experiment" on this issue I wrote about at "If The Benefits Of Healthcare IT Can Be Guesstimated, So Can And Should The Dangers" certainly suggested as much.)

Slides where I made those types of recommendations to the Patient Safety Authority, at a presentation I gave in July 2012 at their invitation, are at http://www.ischool.drexel.edu/faculty/ssilverstein/PA_patient_safety_Jul2012.ppt

A major concern I have is that the HIT industry will use this new report in a manner that ignores its limitations.

(Disclosure: I was an invited reviewer of this new PPSA report.)

-- SS 

Addendum Dec. 13:   

Also worth review is "Patient Safety Problems Associated with Heathcare Information Technology: an Analysis of Adverse Events Reported to the US Food and Drug Administration", Magrabi, Ong, Runciman, and Coiera, AMIA Annu Symp Proc. 2011.  

Data here came from FDA's voluntary (i.e., also tip of the iceberg) Manufacturer and User Facility Device Experience (MAUDE) database.  Ironically, the study was done in Australia using Australian grant funds.

-- SS