HIStalk Interviews Dean Sittig, PhD, Professor, UTHealth

Dean F. Sittig, PhD is professor of biomedical informatics at The University of Texas Health Science Center at Houston and a co-author of the SAFER (Safety Assurance Factors for EHR Resilience) Guides that were developed for the Office of the National Coordinator.

Describe the SAFER Guides and their purpose.

Following the IOM report in 2012 on patient safety and health IT, ONC promised that they would create some guidance to help organizations improve the safety and utility of their EHRs. The SAFER Guides were their attempt to do that. They contracted with us to develop them.

What do the Guides contain and  how would you recommend that a hospital or health system use them?

There are some complex organizational structures, but mostly the Guides have about 10 to 25 recommended practices that are very general. Something like, “You need to back up your mission-critical hardware and software.” The Guides also have examples to help people understand what that means, so for a backup, that ought to be an encrypted, offsite backup taken on a daily basis.

There is also a rationale to help people understand why they would do that particular practice. There are a lot of references to link people to different aspects of the scientific literature from where those ideas came from. If the items on the list were either from the HIPAA guidelines or the Meaningful Use guidelines, we link those to give people a renewed emphasis on why they need to do certain aspects.

As to the answer to how an organization would use them, we think that in a large organization, you would convene a multidisciplinary team with someone from IT, some clinical people, some nursing, some of the ancillary services, maybe medical records people. Try to bring all those stakeholders together. Some people know the answers to certain questions and know the nuances of those. In smaller organizations, you’d probably have to contact your EHR vendor or your IT consultant that’s helping you to get the answers to these questions.

It looks like some of the items could be incorporated into an RFP.

While we were doing this, we started out going to a lot of different healthcare provider organizations and talking to them about what they were doing and trying to understand what things were working and weren’t. Some of them, we realized that the EHR vendor really has to do these things. 

When we say something like, “The patient’s name should be on every screen and maybe it should have a picture of the patient,” the EHR vendor has to make that capability available. Then the organization has to implement that capability. You’re right; some of these things are very particular and only the vendors can do them.

How do you think the average hospital would do? Are these stretch goals, or would a hospital that’s competent in IT do fine?

Of the leading organizations — I think about the Scottsdale Institute members, for example, IHC, Mayo Clinic, and Partners in Boston, those kind of places –  I would expect they’re doing between 50 and 75 percent of the recommended practices. Of the 25 percent that they’re not doing, probably half of them they’ve consciously decided not to do them for one reason or another.

Some of these things are still a little bit controversial in terms of whether they’re really a good thing to do or whether an organization can really do them. For example, not allowing a user to open more than one chart for a patient on the same computer terminal. Most people would agree that that’s a good safety measure and would reduce wrong patient orders. But most clinicians would say, “I can’t survive if I can’t look at two charts at once.” 

Then it becomes a push-pull at the organizational level of whether the organization’s administration is going to make that kind of a proclamation to make that happen. If you look at a company like Epic, for example, they limit you to only opening five charts on one screen, but that’s a user-configurable parameter. You could say only one chart is allowed to be open on one screen.

A parallel would be hiring an external auditor to do a hospital IT audit. They evaluate their checklist of things that are important. You don’t have to do all of them, but since the report goes to your management, you would at least justify why you don’t. Would a rational use of the SAFER Guides be not necessarily checking every box, but at least recognizing that you should have a good reason for not checking them knowing they affect patient safety?

That’s a good way to say it. You need an explanation. If I were a CEO reading over the results and you were the IT person that came to me, I would want an explanation for why you think you should open more than one chart on it. You can say that the clinicians disagreed and we’ve decided to limit it to two. We could talk about that and decide whether that was reasonable or not. 

Intelligent people who are safety conscious could agree to disagree on certain of these items. But it’s something you definitely need to think about and understand why you’re doing it.

The beauty of an external IT audit report is the accountability. It seems as though like the audience that would be most interested, from an exposure from a patient care or legal liability standpoint, would be a hospital’s CEO.

I agree completely. We are really hoping that that’s the way they’re used. Either insurance companies will pick these up and ask organizations whether it’s doing this, or someone like the Joint Commission might take these up. 

We’re hoping that this is something that starts a conversation between what I’ll call the clinician, the EHR vendors, and leadership within your organization. That conversation is the key to improving the safety.

The IOM’s To Err is Human brought a lot of activity with regard to medical errors. The IOM’s EHR patient safety report was the genesis of the SAFER Guides. Will that make the idea easier to sell?

I would think that reasonable people would agree with these recommendations. The problem is that these recommendations generally are going to cost some extra money and some extra time.

Right now, with everyone thinking about Meaningful Use Stage 2 and ICD-10 coming up, I’m sorry to say that I think patient safety has been pushed to number three on the list. That is going to be the biggest struggle with these Guides and trying to get patient safety moved up to a high level of awareness within an organization.

Meaningful Use gets you a check, ICD-10 makes sure you keep getting checks, and patient safety doesn’t get you anything except possibly a lawsuit avoided. Is ONC going to market this like they do their other programs?

We’re hoping they’re going to do that. If they can keep their focus on this, I think that will happen. But like you said, this is really a cost avoidance thing. The organizations that seem to do the best in terms of meeting most of the recommended practices are those organizations that have had the biggest accidents. It’s like you don’t get religion until you need the religion.

In some of the organizations here in the Texas Medical Center after Hurricane Ike, they really got some newfound impetus to make sure they had better backup systems in place. They were ready for bad weather. It was Hurricane Alison that was like around year 2000 where we realized we couldn’t have our data centers in the basements any more in Texas Medical Center when they all flooded. It turned out the first floor of our buildings flooded, too. Now all of the hospitals in Texas Medical Center have their data centers at least on the third floor. 

It was interesting to me that when they had Hurricane Sandy in New York City that New York City still hadn’t learned that lesson about putting data centers and power generators and backup systems in the basement. Because when there’s a really big flood, the basements flood. It seems like we should be able to learn those things from other organizations. You shouldn’t have to experience them yourself. But for some reason, people always think that it couldn’t happen here. Like, do they think that New Orleans was a one-off, Houston was a one-off, and now you think New York City was a one-off? The important points are that these things can happen to anyone, anywhere.

What kind of resources would be required to complete the series and come up with a conclusion for an individual hospital?

It depends what you start with. We’ve had some pushback when we mentioned that you ought to have all your hardware systems backed up and you ought to have duplicate hardware. Sometimes that means two servers running in parallel and another one sitting off to the side, so when one of those that are running in parallel breaks, you have one to replace it. Some people say, “We can’t afford to have three of them on site all at one time.” We hear them say, “Our vendor promises 24-hour delivery.” A lot of it are those kinds of expenses and there are a lot of examples in the contingency planning about warm site backups, for example.

That’s just a matter of how much money you want to spend to get the kind of response and get the kind of availability that you think you need. You can always spend way too much money on any aspect of your process. You’ve certainly got to balance the amount of money you spend with the safety that you need. That’s a hard question to answer. 

The other way to answer it is, there are some other guides that would recommend that, for example, when you’re doing physician order entry that you ought to have all of your orders go through the physician order entry system. This idea of trying to get 30 or 60 percent of your orders through the order entry system — we think that sort of partial implementation of CPOE is a real danger because then you have some orders on paper and some on the computer system. 

That’s not really a cost in terms of money. That’s a cost in terms of the political capital of the leadership of the organization, of how much pressure they can put on the physicians — those final holdout physicians who aren’t using it. How much pressure can you put on them to incentivize them to use the system? There’s cost, both financial cost as well as a political cost.

If a hospital downloads the Guides, how much effort does it take for them to get far enough into the process to know where they stand?

In our preliminary evaluations, if you have either a very knowledgeable person or a group of knowledgeable people together, you can go through a Guide in under 30 minutes. There are nine Guides, so we’re talking four or five hours. If you took a half day, you could go through and get a pretty good feel for where you stood on these different items.

The obvious question without an obvious answer is that the government is paying incentives to get people use electronic health records. Now the government has issued a set of guidelines that says, “This is how you keep them safe,” and yet those factors are not tied to any incentive. Who’s supposed to run with this?

We’re not really sure right now what’s going to happen with them. Like I said, I’m placing my bets on insurance companies. The payers are the ones that can really enforce this. 

In one sense, the federal government is a payer. You could imagine CMS incorporating some of these recommendations in their Conditions of Participation and then making the Joint Commission responsible for looking at them. You could imagine public health departments saying something like this, or insurance companies saying, “We’re not going to approve this, or maybe we’ll incentivize you to use the SAFER Guides and give you a little more money if you have completed the SAFER Guides.”

We’re in the midst of negotiating with a lot of different organizations to try to get them to see who will step up and say, “This is a good idea. The people  we are working with ought to explain to us why they are or aren’t doing these kinds of things that are in the Guides”.

Are there other phases planned?

We have work planned, but we don’t have funding to do the work. Most of the criticisms we get fall into two categories. One is that there’s too much stuff on the Guides and they need to be shorter. The other criticism is, you left something out. When they say that we’ve left something out, they say, “We really need a Gguide for clinical documentation that would help people to understand how much copy-and-paste is allowable in a document.”

There’s also a lot of people who have been talking about a Guide for how to do  the patient engagement aspects of it — how should you configure your personal health record and what policies and procedures should go around the patient portal and their access to information. We certainly know there are at least two more Guides that would be very well received and are needed, but right now there’s no funding to develop them.

Do you have any final thoughts?

I would strongly encourage organizations to take a look at these Guides. They can really help an organization understand where they are and understand what the issues are.

A lot of people think that they’re unique and that things that they hear about don’t apply to them. When they see these Guides, they’ll realize that a lot of people are going through and struggling with these same issues. The leading organizations have pretty well come together and decided that backups are a good idea, for example, or physician order entry is a good idea. An organization would learn a lot by going through the Guides and seeing where they stand.