Journal of the American Medical Informatics Association : JAMIA. 2010 Nov 12;18(1):77–81. doi: 10.1136/jamia.2010.008946

Challenges in ethics, safety, best practices, and oversight regarding HIT vendors, their customers, and patients: a report of an AMIA special task force

Kenneth W Goodman, Eta S Berner, Mark A Dente, Bonnie Kaplan, Ross Koppel, Donald Rucker, Daniel Z Sands, Peter Winkelstein; for the AMIA Board of Directors
PMCID: PMC3005880  PMID: 21075789

Abstract

The current commercial health information technology (HIT) arena encompasses a number of competing firms that provide electronic health applications to hospitals, clinical practices, and other healthcare-related entities. Such applications collect, store, and analyze patient information. Some vendors incorporate contract language whereby purchasers of HIT systems, such as hospitals and clinics, must indemnify vendors for malpractice or personal injury claims, even if those events are not caused or fostered by the purchasers. Some vendors require contract clauses that force HIT system purchasers to adopt vendor-defined policies that prevent the disclosure of errors, bugs, design flaws, and other HIT-software-related hazards. To address this issue, the AMIA Board of Directors appointed a Task Force to provide an analysis and insights. Task Force findings and recommendations include: patient safety should trump all other values; corporate concerns about liability and intellectual property ownership may be valid but should not over-ride all other considerations; transparency and a commitment to patient safety should govern vendor contracts; institutions are duty-bound to provide ethics education to purchasers and users, and should commit publicly to standards of corporate conduct; and vendors, system purchasers, and users should encourage and assist in each others' efforts to adopt best practices. Finally, the HIT community should re-examine whether and how regulation of electronic health applications could foster improved care, public health, and patient safety.

Introduction and background

The health information technology (HIT) industry, currently in the midst of extraordinary growth, actively transforms the way that we collect, store, use, and analyze health information. Correspondingly, the corporations that develop and sell electronic health record systems, associated devices, and health-related software applications face a complex suite of obligations—to patients, clinicians, shareholders, and society.

This article presents a report commissioned and approved by the AMIA Board of Directors. It briefly surveys the challenges that HIT vendors face; discusses the roles that ethics and related considerations can play in health informatics; and makes a number of recommendations regarding vendor contracts, ethics education, health information system user groups, best practices, marketing of health information systems, and regulation and oversight of the industry.

A concluding section, “Next Steps,” makes the case that the issues identified in the report deserve continued attention. The conclusion itemizes many issues that our field must address, ranging from stakeholder responsibilities and defect reporting, to meaningful use standards and unintended consequences. An appendix provides suggestions for further reading (see www.jamia.org).

Framing the issue

Developers and vendors of computer applications have enabled, fostered, and influenced the growth and evolution of HIT, and how healthcare organizations adopt and deploy it. Developers and researchers in academia, government, and industry have contributed substantially to improving information collection, analysis, transmission, and use in clinical care and research. Commercial vendors of HIT systems have an unprecedented dual opportunity to satisfy concurrently the demands of investors and markets while contributing to the improved health of individuals and of populations.

Complexity characterizes and makes matters difficult for a process that relies on competition to produce new, or at least better, devices and drugs. Not only must a corporation that sells HIT-related devices seek to turn a profit, but it must do so in competition with others. This competition hinges on quality, price, and other considerations of the marketplace. It is further shaped by other factors, requiring skillful management of liability and risks, increasing system complexity, public relations, industry standards, and best practices.

Some HIT vendors incorporate contract language that commits their customers[i] to particular stances with respect to indemnity and error management. Specifically, hospitals and other purchasers of HIT systems are sometimes contractually obligated to indemnify vendors for malpractice or personal injury claims against hospitals or clinicians, even when those events are not caused or fostered by the purchasers. Some purchasers must contractually agree to adopt vendor-defined policies that prevent the disclosure of HIT system errors, bugs, design flaws, and other hazards. A publication laying out these concerns has aroused intense interest and discussion.[1] Moreover, that report elicited renewed discussion about a major and longstanding issue in the HIT domain, namely, the extent to which the HIT industry should be subject to various additional kinds of oversight, regulation, or control, and by whom.

The AMIA Board of Directors appointed a task force in September 2009 to provide an assessment of these issues and to make recommendations to AMIA leadership—and, by extension, to the HIT community. This document contains the resulting analysis and recommendations.[ii]

Ethical, legal, and social issues

For-profit manufacturers of healthcare products are bound by values which may at times conflict. For instance, as entities in a marketplace, they are duty-bound to provide a financial return to those investors who have contributed resources in anticipation of their success. Yet, as developers and manufacturers of products that affect the health of people, they are no less obligated to ensure, to the extent possible, that their products are safe and effective, and beneficially support patients and those who treat and care for them.

The makers of HIT systems therefore confront many of the same challenges as counterparts in the pharmaceutical and medical device industries. Indeed, the intersection of corporate duty and patient-centered obligations involves two large areas of normative analysis, namely, business ethics and bioethics. Responsible companies foster an internal culture of ethics and at the same time recognize duties to customers and shareholders.

Ethics is the study of morality, or judgments, or standards about the rightness or wrongness of actions. Within specific professions, applied ethics serves to identify, clarify, and resolve moral issues, conflicts, and controversies that arise in professional practice. Applied ethics can teach or hone skills used to address these issues, especially when values are in conflict and when reasonable people (might) disagree. “Ethics” is not synonymous with “virtue.” For instance, information about a couple with discordant HIV statuses might be drawn from a database and used to warn the partner who is HIV-negative—or the information might be withheld to protect the privacy of the partner who is HIV-positive. Being a good or virtuous person will not help identify the correct action. In such situations, applied ethics provides tools for critical analysis and decision-making by professionals and others.

In civil society, morality and ethics guide the law. Ethics precedes the law. The reason murder, for instance, is illegal is because it is recognized to be wrong. It would be wrong even in the absence of a legal or criminal justice system. Ethics guides public policy in the same way. How, for instance, should businesses balance duties to shareholders, employees, and society? Applied ethics provides ways to answer such questions.

In health informatics, ethical issues address appropriate uses and users of decision-support systems, privacy and confidentiality, consent for secondary use of clinical and genetic information in databases, accountability or responsibility for errors, and so on. A thoroughgoing commitment to ethics should influence standards for education, practice, and business applications. Many issues in bioethics and business ethics arise for HIT professionals. Policy issues include efforts to balance the forces that drive a free-market system with the needs of clinicians, patients, researchers, public health workers and officials, and others.

Ethical and policy issues for electronic health application[iii] vendors and users

The recommendations in this report constitute an effort by AMIA to address and help resolve issues surrounding vendor-user contracts and subsequent interactions. These issues include:

  • the identification of vendor and user duties to protect patient safety and improve healthcare quality;

  • responsibility for and mechanisms of identifying and correcting errors in product design and manufacture, device installation, and subsequent modification and use;

  • marketing practices;

  • the extent to which governments should regulate electronic health systems and software.

The Task Force met in person and by teleconference six times between September 2009 and June 2010. Discussions were candid and wide-ranging. While there was unanimity among members about the primacy of patient safety, there was disagreement about the extent to which recommendations might be regarded as onerous by the HIT vendor community, in part by virtue of adding to what some regarded as an excessive, regulatory burden.

The recommendations here, however, were approved by consensus of the Task Force members and, subsequently, by vote of the AMIA Board of Directors. One of the recommendations is that the panel, or some successor, should undertake analyses aimed at identifying best practices, if not ethical standards, for those who manufacture, sell, and use the tools of health information technology.

The recommendations fall under the following headings:

  • contract language;

  • education and ethics;

  • user groups;

  • best practices;

  • marketing;

  • regulation and oversight of the industry.

The report also includes a bibliography and an online appendix itemizing suggestions for further reading (see www.jamia.org). The authors welcome comments and questions about this report; please direct them to the Task Force chair, whose email address appears on the first page of this article.

Recommendations

Contract language

The standard of transparency, in conjunction with uncontroversial duties to increase the growth of biomedical knowledge, entails that certain provisions should or should not be included in contracts governing the sale, lease, or use of HIT systems. The Task Force finds and/or recommends that:

  1. Contracts should not contain language that prevents system users, including clinicians and others, from using their best judgment about what actions are necessary to protect patient safety. This includes freedom to disclose system errors or flaws, whether introduced or caused by the vendor, the client, or any other third party. Disclosures made in good faith should not constitute violations of HIT contracts. This recommendation neither entails nor requires the disclosure of trade secrets or of intellectual property.

  2. Hospitals, physician purchasers, and other users should understand that commercial products' screen designs and descriptions of software-supported workflows represent corporate assets developed at a cost to software vendors. Unless doing so would prematurely prevent disclosure of flaws, users should consider obligations to protect vendors' intellectual property and proprietary materials when disclosing (potential) flaws. Users should understand and accept their obligation to notify vendors before disclosing such features, and be aware of the range of remedies available to both the purchaser and the vendor in addressing safety issues. Equally, or more important, users should consider obligations to protect patient safety via such disclosures.

  3. Because vendors and their customers share responsibility for patient safety, contract provisions should not attempt to circumvent fault and should recognize that both vendors and purchasers share responsibility for successful implementation. For example, vendors should not be absolved from harm resulting from system defects, poor design or usability, or hard-to-detect errors. Similarly, purchasers should not be absolved from harm resulting from inadequate training and education, inadequate resourcing, customization, or inappropriate use.

  4. While vendors have legitimate corporate interests and duties (eg, to shareholders), contract language should make explicit a commitment by all parties to patient care and safety, and, as applicable, to biomedical research and public health.

  5. Vendors should be protected from claims in which a facility (hospital, medical office, practitioner, etc) causes errors that cannot reasonably be attributed to a defect in the design or manufacture of a product, or to vendor-related problems in installation, updating, or configuration processes. Similarly, vendors should not be held responsible for circumstances in which users make foolish or intentional errors.

  6. “Hold harmless” clauses in contracts between Electronic Health Application vendors and purchasers or clinical users, if and when they absolve the vendors of responsibility for errors or defects in their software, are unethical. Some of these clauses have stated in the past that HIT vendors are not responsible for errors or defects, even after vendors have been informed of problems.

  7. A collaborative system or process of third- or neutral-party dispute resolution should be developed. Contracts should contain language describing a process for timely and, as appropriate, transparent conflict resolution.

  8. Contracts should make explicit a mechanism by which users/clients can communicate problems to the company; and vendors should have a mechanism for dealing with such problems (compare in this regard the processes in place for adverse event and device failure tracking by implantable medical device manufacturers).

  9. Contracts should require that system defects, software deficiencies, and implementation practices that threaten patient safety should be reported, and information about them be made available to others, as appropriate. Vendors and their customers, including users, should report and make available salient information about threats to patient safety resulting from software deficiencies, implementation errors, and other causes. This should be done in a way easily accessible to customers and to potential customers. This information, when provided to customers, should be coupled with applicable suggested fixes, and should not be used to penalize those making the information available. Disclosure of information should not create legal liability for good-faith reporting. Large HIT systems undergo thousands of revisions when looked at on a feature-by-feature basis. Requirements that the vendor notify every customer of every single feature change on a real-time basis would have the unintended result of obscuring key safety risks, as customers would have to bear the expense of analyzing thousands of notifications about events which are typically rare. Therefore, vendors should notify customers as soon as possible about any product or configuration issues (1) of which they are aware and (2) which pose a risk to patients.

Education and ethics

HIT vendors and their customers should understand that safe and successful uses of HIT systems require significant education about how to install, configure, and use the products. This education should involve a collaboration between vendors and customers, and should be targeted to users, programmers, analysts, and others as needed.

Safe and successful HIT systems further require ethics education, which has become a standard part of professional development in the corporate world. Vendors of Electronic Health Application systems and their clients should adopt enterprise-wide ethics education to parallel that required of healthcare organizations for accreditation.[iv] The size of the institution should determine how it implements this requirement. Smaller institutions, including small clinical practices, cannot always mount and sustain an internal ethics and HIT training program, especially if they have no other ethics training available. Contrarily, large and mid-size entities should incorporate ethics education into their ongoing continuing education efforts. Smaller institutions should be encouraged to develop partnerships with other health systems, as well as academic linkages that might assist with providing ethics education. This education should emphasize business ethics and corporate compliance (not just the latter), and should address the following topics, among others:

  • general business ethics and corporate social responsibility;

  • ethics of contracts and agreements;

  • ethical issues arising in the development, manufacture, sale, and maintenance of hospital- and other institution-specific IT systems, made appropriate for relevant employees—issues to be addressed might include patient safety; workflow and workarounds; disclosure of system defects versus intellectual property; privacy, confidentiality and security challenges.

Ethical standards

Vendors and clients should hew to—and publicly announce their commitment to—widely recognized and uncontroversial standards for corporate conduct, and education about these standards. These principles include transparency, veracity, and accountability. It is recognized that these values are sometimes vague and often require elaboration. Thus, for instance, a commitment to transparency does not entail a duty to divulge trade secrets or intellectual property. These standards sometimes even conflict with each other, or with other values. It follows that for a public and credible commitment to these standards, vendors and clients (healthcare organizations) should put in place processes (including education, as above) to ensure a consistent stance. In healthcare organizations, these commitments—in conjunction with issues in clinical ethics—confer obligations on ethics committees. It is therefore also recommended that:

  • Vendors and clients create internal ethics processes and entities to take responsibility for HIT-related education, consultation, and policy creation and review when they engage in these activities. These functions parallel those identified by the Joint Commission and the American Society for Bioethics and the Humanities for healthcare organizations.

  • These ethics processes and entities should be distinct from existing mechanisms for corporate compliance (under Sarbanes–Oxley,[2] for instance).

  • If appropriate for their size and mission, vendors and client institutions contribute to the growth of biomedical knowledge by conducting HIT research—analogously to the research missions of pharmaceutical and medical device manufacturers. The results of this research should be published according to standards and conventions for biomedical sciences. Authors of scientific reports should not be prevented from identifying devices, tools, and systems by name in publications.

User groups

Purchasers and users of Electronic Health Application systems, as well as other stakeholder groups, comprise user groups to share information, data, and news about successes, challenges, failures, and so on. Many user groups are product- or vendor-specific. In some cases, these groups may be seen as mechanisms for collaborating with stakeholders, which can include members of professional groups and provider organizations, as well as users. The Task Force recommends that:

  • The user community should identify, or develop and provide, resources such as pointers to (i) contract tool kits, (ii) organizations or consortia which smaller practices and institutions could join for group negotiation, and (iii) similar organizations or practices with which to share experiences.

  • Processes for ensuring the fair, reliable, and, as appropriate, transparent reporting of defects should be established.

  • The HIT community should identify a “trusted broker” to recommend or develop such processes.

Best practices

Health IT vendors, system purchasers, users, and others comprising the HIT community should encourage and assist institutions and clinical practices in their efforts to adopt systems optimized for high-quality healthcare and patient safety. The means by which this might be accomplished include:

  1. Creating vendor-supplied information technology that flexibly integrates with varying workflows in client organizations.

  2. Adapting institutional workflow to match the changes associated with information technology adoption, giving adequate resources to staff training, and assuring that software configurations are based on clear requirements and are thoroughly tested.

  3. Developing sample contracts, with a “menu” of choices for wording and explanation of the pros and cons of each.

  4. Encouraging a consensus development process or standard setting process for vendor contracts, reporting forms, and kindred instruments.

  5. Establishing a bulletin board, database, listserv, etc, where questions could be posted, experiences could be shared, etc.

  6. Identifying common or widely recognized risks and harms and the means to reduce or prevent them.

  7. Publicizing and improving on existing resources that function like a “Consumer Reports” for HIT systems.

  8. Collaborating with other organizations on these issues.

Marketing

There are situations in which HIT vendors pursue joint marketing agreements with institutions that adopt vendors' products and by which these institutions become a part of the vendors' marketing program, often in exchange for discounts, payments, stock options, or favorable treatment by the vendor. In at least some cases, these agreements include provisions whereby healthcare institutions that serve as demonstration sites for particular products receive compensation when other institutions adopt products from the same vendor. The Task Force notes that such agreements might place the “referring” institutions in a conflict of interest, and therefore recommends that:

  • Any such conflicts should be eliminated or managed, including disclosure, according to current standards.

  • Where such agreements are made, they should include a provision whereby any payment or other compensation contingent on the sale of a system to another party must be disclosed to that other party.

  • Payments or gifts to individuals and institutions, including institutional officials, clinicians, etc, should be disclosed. Alternatively, they should be addressed by entities' internal mechanisms for managing conflicts of interest and commitment, perhaps along the lines of the “rebuttable presumption” standard endorsed by the Association of American Medical Colleges. The goal of the standard is “to ensure that institutions systematically review any financial interest that might give rise to the perception of a conflict of interest, and further, that they limit the conduct of human subjects research by financially interested individuals to those situations in which the circumstances are compelling.”[3]

Regulation and oversight of the industry

The idea of additional regulation or oversight of HIT vendors continues to be a source of intense controversy. The US Food and Drug Administration has recently asked a network of hospitals to report data on safety issues raised by adoption of HIT systems; the American Reinvestment and Recovery Act (ARRA) of 2009[4] calls for increased data evaluation to accompany the allocation of economic stimulus funds directed to HIT adoption; Sen. Charles Grassley of the US Senate Committee on Finance has requested information from hospitals and vendors about HIT adoption and interactions with the HIT vendor community; the Health Information Technology Policy Committee, a federal advisory committee, has made recommendations regarding certification to the Office of the National Coordinator (ONC)[5]; and the ONC has proposed the establishment of certification programs “for purposes of testing and certifying health information technology.”[6]

In 1997, AMIA, in conjunction with other leading organizations,[v] called for local oversight of clinical software systems and adoption by HIT system developers of a code of good business practices. This important document also recommended that “FDA regulation should exempt most clinical software systems and focus on those systems posing highest clinical risk, with limited opportunities for competent human intervention.”[7]

It is clear that health information systems are increasingly large and complex, and that both vendors and users of their systems share responsibility for product safety and effectiveness. The challenge, as ever, involves identifying the appropriate amount of regulation, simultaneously to foster innovation and to protect and improve patient safety.

Since 1997, the extraordinarily rapid growth of HIT system adoption, the direct digital links between patient physical monitoring systems and HIT, and, moreover, the role of government in fostering that adoption, suggest that additional work—if not ongoing assessment—is necessary. Therefore, the Task Force recommends that AMIA join with other stakeholders to revisit the role of governmental and other formal regulation and governance of institutions that manufacture and use health information systems—including, but not limited to, electronic health records, personal health records, computerized provider order entry systems, electronic medication administration record systems, and laboratory systems.

Next steps

The recommendations herein are wide-ranging, and some should be regarded as first approximations of future, more comprehensive and perhaps sustained analyses. Moreover, the Task Force recognizes the increased attention these issues now receive from governmental, professional, and scientific organizations. Therefore, the Task Force recommends that AMIA ensure that either this group or a successor group undertakes the analysis of determining the next steps. Concurrently, AMIA should identify appropriate stakeholders to participate in the process. Given the potential expense involved, AMIA should seek funding to support the undertaking.

The analysis should address the following areas of major concern:

  • Identify and define a framework of best practices which should reflect the importance of patient safety and the needs of clinicians, researchers, the public health community, vendors, and start-up initiatives.

  • Give special attention to the role of legislation governing, and requiring the regulation of, HIT systems.

  • Develop “practice guidelines” to ensure that HIT systems continuously function as claimed, including ongoing in situ testing, evaluation, and other quality control responsibilities with regard to all products and upgrades as they are actually used in each institution over the product life.

The analysis should also take the following into consideration:

  • Defect and hazard reporting and management.

  • Development of tools to identify loci of defects and hazards (eg, in manufacture, implementation, use, etc).

  • Responsibilities of manufacturers and vendors.

  • Responsibilities of hospitals and other institutions, clinicians and other users and, regarding personal health records, patients.

  • Possible effects on HIT purchasers and HIT vendors of any new FDA regulations when combined with the numerous in-process ARRA “Meaningful Use” and temporary and permanent certification regulations.

  • Time commitments for HIT/EHS users to meet “meaningful use” and “Evaluation & Management” documentation requirements and the implications of this time and effort on patient safety and access, as well as fair apportionment of legal and moral responsibility and accountability.

  • Indemnification of vendors and users for good faith actions and disclosures.

  • Parallels to “disclose-and-apologize” mechanisms for medical error reduction.

  • Unintended consequences.

Task Force members are mindful of the well-motivated controversy surrounding the idea of (increased) government regulation of medical and health-related software. A majority of members, however, are of the view that (1) given the patient safety concerns on the table, (2) in light of noteworthy cases involving adverse events, and (3) because of the need to foster public trust in a rapidly expanding use of electronic health records with embedded decision-support functionality, personal health records, and research tools, some system of government oversight or regulation of health information technology needs to be given serious consideration. Although the form of any such oversight was left for further discussion, we hope that a useful framework will emerge from the additional studies recommended here.

Acknowledgments

The AMIA Board of Directors endorsed this position paper as representing the position of the Board on these topics on September 28, 2010.

Footnotes

Provenance and peer review: Not commissioned; externally peer reviewed.

i

In this context, the term “customers” is used advisedly. In other contexts, the terms “purchasers” or “users” are more appropriate. While the issue of which term is most appropriate in a given context is subject to further discussion, we intend no significant distinction. For instance, in some contexts we intend to refer to “users” because individual clinicians, for instance, are at issue, even though they did not purchase the system in question. In other contexts, “purchasers” are the entities in focus. Some purchasers, including clinicians who run small practices, are also users; and some purchasers are institutions such that it does not make sense to refer to them as “users.”

ii

The authors of this report constituted the members of the task force, and their analysis and recommendations have been reviewed by the Board of Directors and approved as an AMIA Position Statement.

iii

Electronic Health Applications comprise healthcare information and practice management systems that are intended to affect the care of patients and could have an impact on the quality and safety of care.

iv

The HIT community should seek support to develop online and other ethics curricula to accommodate the needs of entities of varying sizes. We note in passing the existence of a number of online education programs used by small practices participating in human subjects research (generally in compliance with federal law) and, in some states, ethics requirements for continuing medical and nursing education.

v

The Computer-based Patient Record Institute, the Medical Library Association, the Association of Academic Health Science Libraries, the American Health Information Management Association, and the American Nurses Association.

References

  • 1. Koppel R, Kreda D. Health care information technology vendors' “hold harmless” clause: implications for patients and clinicians. JAMA 2009;301:1276–8.
  • 2. Sarbanes–Oxley Act of 2002, PL. 107–204, 116 Stat. 745.
  • 3. Task Force on Financial Conflicts of Interest in Clinical Research, American Association of Medical Colleges. Protecting Subjects, Preserving Trust, Promoting Progress—Policy and Guidelines for the Oversight of Individual Financial Interests in Human Subjects Research. Washington: AAMC, 2001: 23p.
  • 4. American Reinvestment and Recovery Act of 2009. Pub. L. 111–15.
  • 5. Office of the National Coordinator for Health Information Technology. Health IT Policy Committee: Recommendations to the National Coordinator for Health IT. Washington, DC: http://healthit.hhs.gov/portal/server.pt?open=512&objID=1815&parentname=CommunityPage%20&%20parentid=37&mode=2&in_hi_userid=11673&cached=true (accessed 1 Oct 2010).
  • 6. Federal Register Online. Washington, DC: GPO; 2010 [updated 2010 March 10; DOCID:fr10mr10-17]. Volume 75, Number 46, Proposed Rules, pages 11327-11373. http://edocket.access.gpo.gov/2010/2010-4991.htm (accessed 1 Oct 2010).
  • 7. Miller RA, Gardner RM. Recommendations for responsible monitoring and regulation of clinical software systems. J Am Med Inform Assoc 1997;4:442–57; also summarized in: Miller RA, Gardner RM. Summary Recommendations for Responsible Monitoring and Regulation of Clinical Software Systems. Ann Intern Med 1997;127:842–5.

Articles from Journal of the American Medical Informatics Association : JAMIA are provided here courtesy of Oxford University Press
