EHR Regulation in Canada: Did They Get It Right?
On 31 August 2009, Health Canada issued a Notice indicating that “patient management software” is subject to the Medical Devices Regulations (“MDRs”) and regulated under Canada’s Food and Drugs Act. While this action is laudable, the approach taken by Health Canada raises questions as to whether privacy and security are sufficiently addressed in this new regulation of EHRs and EMRs in Canada.
To briefly recap for those not familiar with this development, patient management software, manufactured, sold or distributed in Canada, now falls into two categories.
According to the Notice:
“Any patient management software used only for archiving or viewing information or images, and not involved in the primary acquisition, manipulation and transfer of data, is considered a Class I medical device based on Rule 12 of the Medical Devices Regulations.”
While Class I devices do not require a medical device license, manufacturers, distributors and importers must obtain an establishment license. For Class II:
“…any patient management software with capabilities beyond basic data visualization is considered a Class II medical device based on Rule 10 (1) of the Regulations.
This includes any patient management software involved in data manipulation, data analysis, data editing, image generation, recording of measurements, graphing, flagging of results or performing calculations. Any primary workstation that interfaces directly with a system (imaging or other type) by acquiring data and then sending data to an image generating, viewing or storage device, is also classified as Class II.”
Those definitions pretty well cover the waterfront when it comes to EHRs and EMRs in Canada – whether developed in the private or public sectors.
Regulating for patient safety makes sense. This news report, concerning recent Food and Drug Administration (US) testimony about EHRs, notes:
“Over the past two years, the FDA’s voluntary notification system logged a total of 260 reports of “malfunctions with the potential for patient harm,” including 44 injuries and the six deaths. Among other things the systems have mixed up patients, put test results in the wrong person’s file and lost vital medical information.”
What is required to satisfy Health Canada’s licensing requirement? Leaving aside establishment licenses, Health Canada requires compliance with ISO 13485-2003, which is a quality management standard for medical devices. Complying with ISO 13485-2003 means having the organizational structure, responsibilities, procedures, processes, and resources for implementing quality management in order to ensure that all of the features and characteristics of the device satisfy a “fitness for purpose” requirement, including safety and performance. In other words, demonstrate that you can systematically produce the same product for its intended use by following a particular course of production and you too can be certified under ISO 13485.
So if this is the first formal foray into EHR/EMR regulation in Canada – given the high sensitivity of personal health information – where are the security requirements? Health Canada is silent on the point (and the word “security” does not appear in ISO 13485). In reasonable scenarios, inattention to security not only raises the specter of physical harm but also emotional damage resulting from the violation of basic concepts of record confidentiality and integrity. One might suggest that such issues would certainly be addressed in RFPs but, as EHR audits in Canada have shown, there can be a large distance between stated RFP requirements and delivered product.
ISO 13485 is a “process” standard not a “product” standard. I’m not suggesting that Health Canada should not use a process standard nor am I suggesting that all the security issues with EHRs and EMRs will disappear with a regulatory requirement to meet security standards or criteria. What concerns me is the absence of any attention – even in passing reference – to the important aspects of privacy and security.
At least one might have thought some incorporation by reference to the requirements of Canada Health Infoway’s Privacy and Security Conceptual Architecture. Or, if ISO compliance is a good basis for regulation, then why not amend the August Notice to reference ISO 21547:2010, which concerns security requirements for the preservation of electronic health records? Or require certification under the ISO 27000 series for information security?
Secure coding remains the exception rather than the rule, as noted in this article, yet there is no insistence on some evidence of adherence to any one of a number of secure coding methodologies (so Health Canada doesn’t have to pick one; simply say use one).
We hear increasing reference to “privacy by design” these days but as Health Canada extends its regulatory authority over patient management software it doesn’t appear to have concerned itself with such a concept, especially when a good security regime for software design and development can go a long way to assure patient privacy.
Health Canada’s primary role is not to regulate privacy and security. But it has chosen to regulate software and the secure design, development and functioning of patient management software is, in my view, integral to the integrity of the software. So if Health Canada is concerned about “fitness for purpose”, shouldn’t one of those purposes – given the information in question – be how well software protects that information?
With a plethora of standards in Canada, some form of EHR/EMR certification is needed (and kudos to Health Canada for its decision to bring patient management software under the MDRs). But privacy and security need to form part of any certification. Which makes me wonder if Health Canada got the regulation of EHRs and EMRs right.
I’d be interested in understanding the rationale of the device licensing Bureau, Therapeutic Products Directorate of
Health Canada in setting this classification. Do they not appreciate the marked differences in process vs. product, hardware vs. software and that safety in a software context actually refers to privacy/security?
Notwithstanding any privacy issues, more fundamentally, it seems to me that when one looks at the defintion of medical device in the Food and Drugs Act (“FDA”) (“device” means any article, instrument, apparatus or contrivance)that devices only encompass tangibles and that there is a good argument that the TPP cannot add software without a change in the defintion in the FDA. Comments would be appreciated.
Yes, EHR system have a problem with coding quality, but the absolutely dominating problem is that it is not suitable for purpose. No matter how bug free it could be made, or how secure it could be made, it is still unsuitable for the purpose of diagnosing and treating patients. Current EHR systems are simply based on a defective view of the problem domain, making it extremely difficult to record the actual diseases a patient has, and track the progress along the steps in a clinical guideline. Neither “disease” or “clinical guideline” is a first rate entity in any of these systems. And that is the elephant in the room.
For clarity: Within IT service design and delivery frameworks (e.g. ITIL), and whether for primarily technological or administrative IT services, “fitness for purpose” is normally understood as a ‘utility’ concept, whereas security assurance (including the normally associated ‘CIA’ concepts of confidentiality, integrity/accuracy, and availability) – is understood as an aspect of ‘fitness for use’ – i.e. a warranty on the utility or purpose of the service itself. They are distinct because the processes, risks and process controls associated with each aspect, are inherently different. Indeed, arguably the design and implementation of aspects of utility should be distinct (but not necessarily separate) from that of warranty to ‘assure’, variously, the ‘safety’, privacy and security of the system or program itself. This distinction should not diminish our inherent interest in both utility and warranty (since the absence of one negates the value delivered from either) but the distinction and ordering of the concepts is important in framing this discussion since you can have utility without warranty but, I would argue, cannot conceivably have warranty without essential utility. It is therefore debatable whether the ‘purpose’ (or even part of the purpose) of a Class 1 or 2 device, or any IT device for that matter, is to ensure privacy. Privacy, as a matter of ‘warranty’, and as associated with security assurance, or perhaps even safety as suggested here, does advance the discussion. The resulting question may therefore be: is, or should, ‘fitness for use’ be the responsibility of this regulator or regulation?
While it appears, having made your fitness argument, that you essentially agree, consider that your “fitness for use” argument should also be used for security, in that secure coding practices (or at least validation), should be inherent in any EMR (or medical software) by design. It certainly is not and this ISO path does not address this safety concept.