The march is on across the American healthcare landscape to implement electronic health records that  also function as decision-support systems. These “advanced” electronic health records will both provide centralized records and assist providers in making care decisions such as implementing therapy and utilizing evidence-based practice on the individual patient level. And anyone that has had the opportunity to work with some of the systems out there knows that they can be pretty impressive, doing everything from risk stratification for embolic events to calculating weight-based drug dosages. While this technology continues to reshape the way medicine is practiced in the United States, it is worth making note of some interesting tactics that corporations are using with regards to risk-management. Because, inevitably, these systems are designed and used by regular people and mistakes will be made. And as often occurs in medicine, the first question will be where the liability for the mistake falls.

Health IT (HIT) companies basically use two principles that protect them when patient harm results from a failure of their IT systems. The first is the principle of the “learned intermediary,” which basically refers to healthcare providers who, because of their specialized training, are making individualized decisions based on risk/benefit profiles. As a Koppel et al (JAMA, 2005) explain,

HIT vendors thereby claim that, because they cannot practice medicine and are merely creating a software tool, clinicians are in much stronger positions to identify those errors resulting from faulty software or hardware.

The second risk-management principle that HIT companies use is  non-disclosure clauses, which basically state that healthcare providers are forbidden from sharing software faults with anyone but the vendor. While this may be a norm of the IT industry, it clearly goes against the principles of beneficence that healthcare providers ascribe to. For example, if a patient were to be harmed  due to  a faulty dosage calculator embedded in the software, not only is all liability shifted squarely onto the provider but the providers is not allowed to share that information with the medical community.

While these contractual provisions may seem like absolute nonsense to most healthcare providers, it is worth pausing and looking at it from the vendors point of view. Another study published by Koppel et al in JAMA (2005) looked at errors related to CPOE (computerize physician order entry) at a large academic medical center. Errors they identified fell into two major categories – human-machine interface flaws and information errors related to poor multi-system integration.  In English, the former boils down to poor functional design (think Windows Mobile) and the latter is a failure to make different systems work together (think roll-out of Vista).

Errors resulting from entering orders on the wrong patient because of a poor display design, accidentally ordering a medication for tomorrow instead of today because of preset dose timings, and so on – these are errors that result from how we use it. No software company is liable for mistakes made while using their software, sort of along the lines of the “buyer beware” that underlies our whole economic system. Integration errors, such as incorrect drug dosages resulting from usage of a hospital’s pharmacy warehousing and purchasing databases instead of clinical guidelines, often result from the customization that occurs when rolling out these systems at a hospital or other venue.

That being said, its hard to see how absolving a HIT vendor from all liability for any error related to its software and then keeping that error a secret is consistent with basic ethical principles of healthcare. And the letter sent by Senator Chuck Grassley (R-Iowa) to Cerner Corporation, who own the popular Eclipsys system among other things, seeking information on these practices suggests that there may be some movement on the regulatory side to reshape the relationship of HIT vendors with the healthcare system in general. In the meantime, healthcare providers need to leverage our negotiating power with the several HIT vendors out there and push for change that both creates a more open system for managing the inevitable errors that will result from this technology while giving HIT vendors more incentive to protect patients from harm.

Also contributing: Iltifat Husain