

Health information technology and patient safety

BMJ 2012; 344 doi: (Published 20 February 2012) Cite this as: BMJ 2012;344:e1096
  1. Christopher A Longhurst, chief medical information officer [1]
  2. Howard M Landa, chief medical information officer [2]

  [1] Lucile Packard Children’s Hospital at Stanford University, Stanford, CA 94304, USA
  [2] Alameda County Medical Center, Oakland, CA, USA
  1. clonghurst{at}

Rigorous transparent evaluation of software is crucial, but regulation may stifle innovation

Patient safety is an important component of the delivery of high quality medical care. The use of health information technology (health IT) can have both positive and negative effects on safety. In light of this, the American Institute of Medicine (IOM) released an advisory report on health IT and patient safety in late 2011.[1] The goal of the report, commissioned by David Blumenthal—former head of the Office of the National Coordinator of Health IT—was to review evidence on the impact of health IT on patient safety and to recommend actions to be taken by the private and public healthcare sectors. This comprehensive review of the literature described both benefits and unintended consequences of health IT, and it acknowledged that insufficient information was available for an objective analysis that could accurately quantify the trade-offs between safety benefits and harms. Although the report makes many thoughtful recommendations, the lack of adequate supporting data raises concerns about the legitimacy of recommendations that call for more aggressive government regulation and oversight of health IT.

One of the first and best supported recommendations of the IOM report is that the federal government should work with health IT vendors and healthcare organisations to promote post-deployment safety testing of electronic health records to detect any high prevalence, high impact safety risks to patients. The report suggested that organisations responsible for accrediting healthcare facilities (such as the Joint Commission or the Care Quality Commission) should adopt criteria relating to the safety of electronic health records. Such post-deployment testing has already resulted in a deeper understanding of which factors need to be aligned to produce successful electronic health record systems. An example of such a testing system is the Leapfrog sponsored tool that evaluates the ability of computerised physician order entry systems as deployed in the hospital setting to prevent drug prescribing errors.[2] A recent study, which tested this tool at 62 hospitals that treat adults, found that the six top performing hospitals used six different software products, and that difference in vendor accounted for only 27% of variability in error prevention of the systems.[3] Each of the six top scoring organisations had nearly identical test scores, which shows that each of these six software systems from different vendors can achieve a similar level of safety when implemented optimally and backed up by post-deployment enhancement.

A few of the report’s recommendations focus on the regulation of health IT software. This implies that the technology exists in isolation, which is not the case. One particularly controversial point is the call for conditional oversight of health IT software by the US Food and Drug Administration. The recommendation suggests that if short term progress towards improving safety and reliability is not sufficient, the industry should come under the authority of the FDA, just as medical devices currently do. But lessons can be learnt from the regulation of blood banking software by the FDA, which began in 1994.[4,5] Although the quality of this software has since improved, according to anecdote, regulation has also caused an exodus of large IT corporations from the field, and innovation in and advancement of blood banking software has been limited by small numbers of vendors and onerous regulatory requirements.[6]

Separate from the question of whether health IT should be more aggressively regulated is the question of whether this is even feasible. The recommendation from the IOM that the FDA should immediately begin developing the necessary framework for regulation seems impractical given the current shortage of workers in health IT.[7] The difficulty in defining health IT also makes regulation unfeasible. The report uses the term health IT instead of electronic health records because the authors include tools for engaging patients, health information exchanges, and clinical decision support systems. The ambiguity of the term health IT raises the question of whether merely using a search engine to seek a differential diagnosis will meet the definition of health IT.[8,9]

The IOM report does acknowledge in places that the health IT environment is a complex sociotechnical system. Policy makers in the United Kingdom who are considering its findings should focus on recommendations that support the entirety of that system. For example, it is important to ensure that vendors support the free exchange of information, including details relating to patient safety (such as screenshots), and to make sure that systems remove barriers for both vendors and users to report health IT related safety concerns. These recommendations reflect ongoing legal concern in the United States.[10] Research should be funded to support cross disciplinary investigation of safety in the use of health IT as part of a learning healthcare system.[11]

The scope of the IOM report was purposely limited to the interaction of patient safety and health IT. However, the authors acknowledge that the IOM considers patient safety to be only one of six dimensions of quality healthcare. Ignoring the other five may inappropriately emphasise the challenges posed by software to patient safety and de-emphasise benefits in efficacy, efficiency, equity, timeliness, and patient centredness potentially conferred by the use of health IT.[12] But policy makers everywhere should be aware that aggressive regulation of health IT systems may bring unintended consequences, although it is crucial to rigorously evaluate and openly share lessons learnt in this evolving field.




  • Competing interests: All authors have completed the ICMJE uniform disclosure form at (available on request from the corresponding author) and declare: no support from any organisation for the submitted work; no financial relationships with any organisations that might have an interest in the submitted work in the previous three years; no other relationships or activities that could appear to have influenced the submitted work.

  • Provenance and peer review: Commissioned; not externally peer reviewed.

