Health IT Risk-Based Framework Proposed
Agencies' Recommendations Take into Account Security
Federal regulators have released a long-awaited proposed framework for addressing safety risks involved in using healthcare information technology, including electronic health records and medical devices. The report takes into account that cybersecurity can play a role in ensuring the safe use of health IT.
Addressing privacy and security risks is the shared responsibility of vendors and other healthcare stakeholders, the report notes, downplaying the need for more regulations.
"Privacy and security issues are equally important across the lifecycle of the health IT products and across the different types of health IT functionality," says Bakul Patel, a senior policy adviser at the FDA. "As we have said in the past, cybersecurity is a shared responsibility to assure that proper systems are in place to address privacy, security and safety of medical devices," says Patel, who was the FDA's point person in the development of the framework proposals.
While the report acknowledges that the FDA provides regulatory oversight over medical devices, it proposes no new classes of health IT to fall under the FDA's jurisdiction.
"The proposed health IT framework is based on risk to patients, and under that framework, the FDA intends to focus its oversight on those health IT products that pose a greater risk to patients if they don't work as intended," Patel says. "Higher-risk medical device functions are already regulated by the FDA and would continue to be regulated by the FDA on any platform - for example, mobile."
The proposal calls for the creation of a public-private entity - the Health IT Safety Center - that would serve as a "trusted convener" of health IT stakeholders, including vendors and healthcare providers. The center would "identify the governance structures and functions needed for the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts."
Concerning the center's role, the report notes: "Vendors, health IT developers, healthcare providers and healthcare organizations should report serious health IT-related safety events to a trusted source that can aggregate and analyze information and disseminate findings."
The 34-page report was prepared by the Department of Health and Human Services' Food and Drug Administration and Office of the National Coordinator for Health IT, as well as the Federal Communications Commission. The report was called for under the Food and Drug Administration Safety and Innovation Act.
The agencies are seeking public comment on the proposals for 90 days. Then, they'll convene a public meeting before finalizing a strategy and recommendations.
"These proposals advance the idea that we all have an obligation in a mature digital healthcare infrastructure that is secure and ensures patient safety and privacy," says Dale Nordenberg, M.D., founder of the Medical Device Innovation, Safety and Security Consortium.
"This is an important report that clearly recognizes that a massive investment has been made in rapid adoption of health IT by healthcare providers across the system, and with that comes an element of risk," he says. "This report is not deep in prescriptive dos and don'ts. This framework is about taking the mass adoption of health IT and helping it to mature into a robust, safe, secure and private infrastructure."
In the report, the agencies propose "the creation of an agile, narrowly-tailored, risk-based health IT regulatory framework that primarily relies on ONC-coordinated activities and private-sector capabilities, and focuses on health IT functionality rather than on the platforms on which it resides."
"There are a number of areas that need clarification and that will occur during the comment period," says Julian Goldman, M.D., who co-chaired an advisory subgroup of an FDASIA workgroup that crafted recommendations for ONC relating to the risk-based framework. "In particular, the ... safety center initiative is of primary importance and must be fleshed out."
Goldman notes that among issues that need to be discussed is whether breaches caused by "HIT gaps" should be reported to ONC.