Health IT "Hold Harmless" and Defects Gag Clauses: Have Hospital Executives Violated Their Fiduciary Responsibilities By Signing Such Contracts?

July 2009 - Note: also see my letter to the editor in JAMA on this same topic, "Health Care Information Technology, Hospital Responsibilities, and Joint Commission Standards", published July 22, 2009, available online at this link.

Regarding healthcare IT "Hold Harmless" and Defects Gag Clauses as revealed by the JAMA article
Health Care Information Technology Vendors' "Hold Harmless" Clause - Implications for Patients and Clinicians by Koppel and Kreda:

Have hospital executives violated their fiduciary responsibilities by signing such contracts, and violated Joint Commission standards of hospital leadership conduct as well?

Fiduciary
(fidOO'shēe"rē), in law, a person who is obliged to discharge faithfully a responsibility of trust toward another. Among the common fiduciary relationships are guardian to ward, parent to child, lawyer to client, corporate director to corporation, trustee to trust, and business partner to business partner. In discharging a trust, the fiduciary must be absolutely open and fair. Certain business methods that would be acceptable between independent parties dealing with one another “at arm's length” may expose a fiduciary to liability for having abused a position of trust.

Hospital management conduct is not bound by traditional business law only, just as physicians and other clinicians hold additional obligations. In both cases, obligations go beyond that of, say, a manager or worker at a McDonald's or a Wal-Mart. In healthcare there are "special" third parties involved with critical rights and responsibilities, namely, patients and clinicians.

At Health Care Information Technology Vendors' "Hold Harmless" Clause I expressed great concern about the remarkable revelations in Koppel and Kreda's expose of arguably unethical and clearly inexcusable contracting practices by healthcare IT producers and vendors.

The vendors have declared themselves off limits from liability even if patients die as a result of software defects and malfunctions, pushing that liability onto clinicians. Vendors have simultaneously declared themselves the Ministry of Information, Soviet style, on such defects.

I also expressed my concern that the contractual suppression of information dissemination on health IT problems and defects may be one reason websites on health IT difficulties, such as the site I started in 1998 (in fact cited by Koppel and Kreda) remain uncommon on the Web. This is despite my documentation of continued, ongoing, world wide interest in this topic (see my 2006 AMIA abstract on this issue here, PDF, and poster here, PPT).

It is not just the vendors who may be acting against the best interests of medical science and patient safety, however.

It also seems to me that hospital executives, boards and counsel have fiduciary responsibilities, as well as obligations under principles of due diligence, Joint Commission and other regulatory guidelines, etc. to protect not just patients from defective technologies but also to protect their staffs from unfair risks and legal liabilities. I note that these health IT contracts have apparently been signed willingly by hospital executives, against the best interests of patients and medical staffs. Nobody is holding a gun to their heads, and nobody is forbidding negotiation of terms.

As a former CMIO/Director of Informatics I would never have signed such a contract. Period. (Of course, CMIO's and Directors of Informatics don't generally sign or even see health IT contracts, as they are Chiefs and Directors of Nothing.)

Have hospital executives, boards of directors and counsel been violating their responsibilities and obligations every time they've signed a healthcare IT "hold vendors harmless, it's all on your docs" and "shhhh! keep the defects secret" contract? Have they abused their positions of trust?

NIH research leaders and grant reviewers, as an example, consider seriously any problems with research that might place not just research subjects but also investigators at risk, medically, legally and otherwise. I perform this function on NIH study section panels.

Let's look at the Joint Commission Hospital Accreditation Program Leadership Chapter, and its standards for hospital leadership (link, PDF):

Leadership
LD.01.03.01

Standard LD.01.03.01
The governing body is ultimately accountable for the safety and quality of care, treatment, and services.

Rationale for LD.01.03.01
The governing body’s ultimate responsibility for safety and quality derives from their legal responsibility and operational authority for [organization] performance. In this context, the governing body provides for internal structures and resources, including staff, that support safety and quality.

The governing body has a legal responsibility for safety and quality, not just a moral obligation. One of the "internal structures" is healthcare IT that is safe and effective and that does not expose patients or staff to undue risks.

How does signing "hold harmless" and "defects gag order" clauses with an HIT vendor serve such a purpose, exactly?

Hospital executives know, should know, or should have known that such provisions would remove incentives for health IT vendors to produce the best products and to correct deficiencies rapidly, thus increasing risk to patients and clinicians.

Elements of Performance for LD.01.03.01
5. The governing body provides for the resources needed to maintain safe, quality care, treatment, and services.

One of those resources is health IT.

Standard LD.02.01.01
The mission, vision, and goals of the [organization] support the safety and quality of care, treatment, and services.

Rationale for LD.02.01.01
The primary responsibility of leaders is to provide for the safety and quality of care, treatment, and services. The purpose of the [organization]’s mission, vision, and goals, is to define how the [organization] will achieve safety and quality. The leaders are more likely to be aligned with the mission, vision, and goals when they create them together. The common purpose of the [organization] is most likely achieved when it is understood by all who work in or are served by the [organization].

How is a contract with an HIT vendor that calls for hiding defects in health IT and exposing staff to liability for defects in same serving the above purposes?

Standard LD.02.03.01
The governing body, senior managers and leaders of the organized medical staff regularly communicate with each other on issues of safety and quality.

Does that include communication on health IT defects? Can a medical staff member ask to see a database of such defects when the hospital has signed a nondisclosure of defects agreement with an HIT vendor?

Rationale for LD.02.03.01
Leaders, who provide for safety and quality, must communicate with each other on matters affecting the [organization] and those it serves.

I ask the same question as above.


Standard LD.03.01.01
Leaders create and maintain a culture of safety and quality throughout the [organization].

Safety for whom, exactly? Patients, or patients and staff?

How is exposing professional staff to undeserved liability from defective health IT serving the creation of a culture of safety and quality for them? How is suppressing information on health IT defects and problems helping patient safety and care quality?

How is lack of seeking informed consent on health IT use from patients whose care is mediated by health IT devices with known but undisclosable defects creating a culture of quality?

How is hiding such defects creating a culture of quality in the community's other hospitals, that may be considering purchase of the very same health IT?

Standard LD.03.04.01
The [organization] communicates information related to safety and quality to those who need it, including staff, licensed independent practitioners, [patient]s, families, and external interested parties.

Rationale for LD.03.04.01
Effective communication is essential among individuals and groups within the [organization], and between the [organization] and external parties. Poor communication often contributes to adverse events and can compromise safety and quality of care, treatment, and services. Effective communication is timely, accurate, and usable by the audience.

Are physicians and nurses explicitly informed by administration that clinicians are liable for bad outcomes due to software problems? Are they informed of the gag clause? Are patients informed of unremediated health IT defects existing at time of service?

This standard seems a veritable smoking gun regarding breach of fiduciary responsibility and Joint Commission obligations when hospital leadership signs agreements specifically excluding the sharing information about health IT defects and complaints. It is already known that hospitals maintain lists of health IT defects, some in the thousands of items. A number of the defects rise to the level of creating considerable risk to patients, and nobody is in a hurry to remediate them. (See my proposed although somewhat tongue in cheek "HIT Informed Consent" that describes some of these known defect categories here).

Standard LD.04.04.03
New or modified services or processes are well-designed.

... 3. The hospital's design of new or modified services or processes incorporates: Information about potential risks to patients.

4. The hospital's design of new or modified services or processes incorporates: Evidence-based information in the decision-making process. Note: For example, evidence-based information could include practice guidelines, successful practices, information from current literature, and clinical standards.

How does the contractual inability to communicate about health IT defects, which its executives willingly sign, serve this purpose?

Standard LD.04.04.05
The [organization] has an organization-wide, integrated [patient] safety program.

... 12. The hospital disseminates lessons learned from root cause analyses, system or process failures, and the results of proactive risk assessments to all staff who provide services for the specific situation.

Disseminates lessons learned, except when the HIT contract they've signed with a vendor forbids it, that is.

The practices of the health IT industry, and the dealings of the hospital leadership with that industry, may in fact be a scandal of national (or international) proportions.

I urge physicians and concerned others reading this to read the Univ. of PA press release "Why Are Healthcare Information Manufacturers Free of All Liability When Their Products Can Result in Medical Errors?" here, obtain the JAMA article by Koppel and Kreda, and call their congressional and other representatives to have these self-serving industry practices that ignore protection of patients and practitioners from undue jeopardy stopped.

I also believe any clinician under lawsuit related to hospital HIT malfunction, and/or patients harmed, should consider suit against the management that signed the contracts allowing the defective IT's entry into the hospital and mandated clinicians to use the HIT.

I, for one, already have begun discussing these issues with my representatives in Washington, and they've expressed great surprise at these revelations.

-- SS