Earlier this month, the HIMSS EHR association released a code of conduct for its members. The HIMSS EHR code of conduct is targeted toward developers within the association, but it is up to each member organization to adopt and implement the code of conduct as they see fit.
As such, this new code of conduct does not come from the government and was not intended as a way of further regulating healthcare provider organizations. Even so, the code of conduct could have a positive, but unintentional, impact on healthcare IT.
There isn’t really a single rule in the code of conduct that has the power to radically transform IT. However, there are a number of different rules that could potentially result in small but important changes to the way that healthcare IT operates.
One aspect of day-to-day IT operations that could change as a result of the code of conduct is patch management. Many IT shops like to spend significant time testing patches. However, the code of conduct states that “we will notify our customers should we identify or become aware of a software issue that could materially affect patient safety and offer solutions.” If an EHR vendor notifies a healthcare facility of an issue that could have a direct impact on patient safety, then a healthcare provider knowingly jeopardizes patient safety if they choose not to deploy the patch or if they spend an excessive amount of time testing the patch.
That being the case, some organizations will likely have to rewrite their patch management policies to allow for expedited testing of patches that are specifically designed to address patient safety issues.
Another area in which the code of conduct could potentially impact healthcare IT is in the documentation and reporting of IT-related patient safety events. The code of conduct specifically states that “We will participate with one or more Patient Safety Organizations (PSOs) (and / or other recognized bodies) in reporting, review, and analysis of health IT related patient safety events”.
It is going to be really interesting to see how this particular rule from the code of conduct plays out in practice. The rule implies that EHR vendors could potentially share responsibility for IT-related patient safety events with the provider’s IT department. The rule also states that the vendor will be involved in reporting such incidents, which implies that EHR vendors may be working a lot more closely with healthcare IT than they do today. I think that for right now, establishing responsibility for patient safety incidents is a bit of a grey area, but regulations will no doubt be amended in the future to address vendor involvement.
Most of the rules in the code of conduct relate to adherence to accepted standards. EHR standardization should eventually lead to universal portability for patient health records.
One of the most interesting aspects of the policy, however, is a rule stating that vendors must provide customers with a mechanism for exporting patient data in a standardized format. Such a feature will make it vastly easier for healthcare providers to switch from one EHR system to another. In the past, some providers have expressed frustration with subpar EHR products that store patient data in a proprietary format, making it difficult to replace the product with another vendor’s product. The use of open standards and a universal data export mechanism should make migrating to a competing vendor’s product a lot more practical.
Although the EHR code of conduct is targeted toward developers, it will be healthcare providers who truly benefit from the code. The code should eventually lead to standards-based systems and universal patient health data portability. Of course, it may also mean you’ve got to get faster at managing patches, but once you adjust, it will only make you more efficient.