EMR shutdown highlights vulnerability in health care IT

Imagine that Elon Musk had decided to buy Epic instead of the platform formerly known as Twitter. Imagine that he had developed his own EMR and informed every Epic user that they should watch their email for their assigned migration dates to the system he had developed, to be completed in the next 60 days. Anyone who has ever participated in the installation of a first EMR or the migration to a second knows that this would result in an unimaginable level of disruption to health care operations in many hospitals in the United States and around the world.

I am writing because this is an unimaginable scenario, but there is nothing at all under existing law to prevent it. It is happening now to users of an EMR system primarily used by psychiatrists. This system was acquired by another company in April of 2023. The acquiring company announced last week that they are shutting the system down. Users were instructed to sign up to be assigned the date of their migration to the new system and informed that their accounts would be deleted 30 days after their migration date.

I don’t know what is in Epic’s contract with its users. But I suspect that, like the contract with me, there is no promise to continue operations in perpetuity, and I understand that’s not something that can ever be required of a private company.

This has opened my eyes to a vulnerability that we all share. The HITECH Act of 2009 required a major sector of the U.S. economy to put its records, its functioning, and its ability to care for the health of the nation into the hands of software vendors whose products met requirements for meaningful use. There was no requirement in the law for the stability of operations of those companies. It’s time to give them some responsibility under the law for the critical role that they now play in public safety and commerce in the U.S. At least as it applies to the cessation of operations, vendors of electronic medical record systems should be regulated as public utilities.

Regulations might include requiring adequate notice of shutdown, to allow for the selection, purchase, and installation of alternative software, along with the orderly migration of data, workflow redevelopment, and training of staff. The law could specify different timeframes for “adequate notice” depending on the size of the affected organization. Vendors could be required to demonstrate that they have the capacity to provide a copy of a user’s data in an organized and usable form in the event that they cease operations or to demonstrate the dedicated capacity and funding to keep their existing software running in read-only mode for the time the law requires for the retention of medical records. The law could require that users who wished to undertake to transfer a working copy of the software and their own data to their own servers be given that option at prices reflecting the fact that the software would, at that point, be an abandoned asset for the vendor.

Others may have better ideas; I hope that this article opens a broader discussion. For software companies that may bristle at the thought of this kind of regulation, please remember that the HITECH Act gave your industry an accelerated entry into a privileged space. I am sure that there are many dedicated software developers who are committed to acting responsibly in that space. Given the recent experience of about 4,500 psychiatrists, we need more formal safeguards.

Cathleen Gould is a psychiatrist.


Source link

About The Author

Scroll to Top