Health Care Information Technology Vendors' “Hold Harmless” Clause: Title and subTitle BreakImplications for Patients and Clinicians

Health care information technology (HIT) vendors enjoy a contractual and legal structure that renders them virtually liability free—“hold harmless” is the term of art—even when their proprietary products may be implicated in adverse events involving patients. This contractual and legal device shifts liability and remedial burdens to physicians, nurses, hospitals, and clinics, even when these HIT users are strictly following vendor instructions. Vendors avoid liability by relying on the legal doctrine known as “learned intermediaries” and on warranties prohibiting claims against their own products' fitness. According to this doctrine and legal language, HIT vendors are not responsible for errors their systems introduce in patient treatment, because physicians, nurses, pharmacists, and health care technicians should be able to identify—and correct—any errors generated by software faults.

Learned intermediaries are considered medical experts who, through education, experience, or both, are able to balance the benefits of any medication, dosage, software, or medical device against its potential dangers. The choice made by the intermediary is, therefore, an informed, individualized medical judgment based on knowledge of the patient as well as medical practice.¹ The HIT vendors thereby claim that, because they cannot practice medicine and are merely creating a software tool, clinicians are in much stronger positions to identify those errors resulting from faulty software or hardware.

Yet the more that HIT software embeds knowledge and performs complex calculations, the more risks there are to patients. For example, at a recent national conference on electronic health records and patient safety,² hospital leaders described faulty vendor software that miscalculated intracranial pressures. Nonetheless, had the trauma team not caught the error, the hospital would have been responsible for the resulting harm to the patients involved. In addition, if clinical decision support systems generate incorrect medication dosages because patients' weights are misconstrued in an internal algorithm (eg, confusing kilograms and pounds), it is the prescriber's “fault” for not having caught the error. Moreover, if electronic medical record software errors remove or change warnings about fatal drug allergies, learned intermediary clauses hold that clinicians should notice the mistake before prescribing.

The burden that learned intermediary and hold harmless/nonwarranty clauses place on health care professionals—who increasingly must use HIT systems—needs to be examined.

Several factors may explain this predicament for the health care community.

Vendors of HIT previously argued that, as a new industry, they needed “hold harmless” clause protections. Absent those clauses, innovation would be stifled and capital investments would wither. Other industries (eg, nuclear power providers, aircraft manufacturers) have used similar arguments to limit liabilities. Pharmaceutical and some medical device manufacturers have argued that because their products received regulatory approval, the manufacturers were not responsible for errors. Many industries influence legislators and master the art of regulatory give-and-take (“regulatory capture”), but their legal protections are neither pure nor perpetual. Vendors of HIT have also copied software industry arguments that, even without the learned intermediary cover, sought indemnity from consequential damages.

When hospitals and physician practices purchase HIT systems, they generally act alone rather than as members of cooperatives or professional organizations. While associations of physicians, informaticians, and hospitals provide literature on HIT implementations, such information is insufficient to guide the in situ, day-by-day decisions made by hospital or medical office staff and certainly cannot protect buyers from software design or execution errors. Furthermore, recommendations from industry-sponsored certification organizations do not confer legal recourse to buyers in the event of errors or even when physicians confront poorly designed user interface screens.

The substantial disparity between buyers and sellers in knowledge and resources is profound and consequential. Vendors retain company confidential knowledge about designs, faults, software operations, and glitches. Their counsel have crafted contractual terms that absolve them of liability and other punitive strictures, while compelling users' nondisclosure of their systems' problematic, even disastrous, software faults. Even though enforced nonsharing of software problems is an industry norm, it is anathema to improving care, to HIT, and to evidence-based medicine. In addition, clinicians' and health care facilities' leverage is weakened by fears that vendors' finances might be so jeopardized that clients' HIT departments are left to untangle millions of lines of orphaned software code.

Implementations of HIT are massively complex and fraught with delays,^{3 - 4} errors,^{3 ,5 - 8} resistance,^{3 ,5 ,8 - 9} work process redesign,^{10 - 11} frustration,^{3 - 5 ,7 - 9 ,12 - 14} and outright failure.^{3 - 9 ,12 - 14} Health care facilities cannot predict the myriad scenarios in which software failures could result in patient harm and liability, and they are not likely to be knowledgeable a priori about frequent vendor updates.

Hospitals and physicians have not yet engaged Congress to redress the counterproductive effects of their historic acceptance of the learned intermediary doctrine. As HIT and health care become further conjoined, clinicians may need legislative action to rebalance some of the historical defects in existing contracts.

Vendors have legitimate self-protection needs and should not be accountable for health care organizations' faulty use or incomplete specifications.

Medical facilities often request customization by vendors. These modifications can improve the fit between HIT and work flow and enhance patient safety by tailoring menus and options to medical specialties or foci. On the other hand, changes that might alter data, presentation of critical information, or connections within and among systems may have unforeseen repercussions. Even “innocent” modifications have untoward consequences, eg, changing background colors may conceal similarly colored text warnings. Similarly, clinical decision support rules and order sets are almost always locally developed and extensively modified. Vendors and clinical decision support providers cannot be responsible for post hoc modifications.

Software for HIT can be very complicated and require considerable training. Even though health care organizations may carefully train users, implementations often last years. “Go live” dates may be delayed for many months, or users may lack full competence for other reasons. Although clear and intuitive software design mitigates the probability of errors, unskilled users or those unfamiliar with the software's clinical applications should not be vendor responsibilities.

Patient populations and norms may differ from software-embedded rules. For instance, morbidly obese patients may exceed smart pump parameters, which thus miscalculate infusion dosages. Software may require input in kilograms for one function and input in pounds for another. Many software specifics may not be enumerated in sales contracts or are overlooked in arcane technical appendices. These situations are numerous and cause many downstream issues. Vendors cannot predict all eventualities and cannot be held responsible for them.

In many HIT systems, physicians must enter patients' weights before entering medication orders. For non–weight-based dosages, the physician may estimate weights. However, if the next physician is ordering drugs for which exact weights are critical, the prior estimates could lead to harmful dosing. Adding weight qualifiers (eg, “estimate”) only emerge in hindsight. Another example recounts how an infant's incorrect weight was entered in the electronic medical record, which then generated dangerous dosing guidelines. Correcting the seemingly simple error required substantial effort and necessitated the vendor's “unlocking” the electronic medical record.² Can vendors be expected to anticipate situations like these?

Vendors require funds to engineer improvements, to meet user requests, and to enhance marketing prowess. Distinguishing remedial safety changes from new functions or fundamental improvements is nontrivial, no less so than prioritizing changes needed now vs subsequently. Exposure to broad product liability would force vendors to alter relations with users, modifying supply-and-demand deliberations. Vendor fears about liability could lengthen innovation cycles.

There should be ways to rebalance vendor and clinician responsibilities equitably to encourage innovation while reducing the risks faced by patients. Several approaches are possible.

State and national organizations with responsibility for inspecting hospitals—including state health departments and the Joint Commission through its certification of the Centers for Medicare & Medicaid Services handbook conditions of participation—would have the power to reset rules affecting contract terms. However, the HIT industry's Certification Commission for Healthcare Information Technology has not heretofore protected clinicians and health care organizations in this way.

Professional medical organizations could declare that HIT contracts containing blanket hold harmless/learned intermediary clauses are inconsistent with professional practice. Vendors would then have further incentive to focus on patient safety concerns in addition to marketing prowess.

Individual clinicians or health care professional associations could lobby their legislators to demand federal law changes that facilitate vendors' acceptance of safety responsibilities—much as with seat belt laws. In many congressional districts, medical facilities are major employers and economic engines. In addition, academic medical institutions have extraordinary moral standing and are likewise affected by these contracts.

The American Health Lawyers Association, representing hospitals and health care institutions, has the expertise to write improved model contracts (and propose legislative language) to delineate reasonable vendor responsibilities and liabilities.

A safe HIT environment requires disclosure of problems to the health care community. This is the minimum responsibility of HIT vendors. Provisions in many contracts, however, prohibit health care organizations from disclosing software attributes, even to the other HIT licensees (eg, clinicians, hospitals) using the same products. Such nondisclosure and the doctrine of learned intermediaries defeat patient safety efforts. Users should be quickly informed of suspected HIT errors via e-mailed bulletins. If the errors are shown to be user generated or idiopathic, all users should be immediately notified of the resolution. Without open presentation of risks, failure to mitigate even fully verified HIT risks to patient safety remains economically self-serving.

Accordingly, we are unable to identify litigation involving harm to patients arising from faulty vendor HIT, despite an extensive search of public records. Nondisclosure, compelled arbitration, and confidentiality clauses restrict settlements from public view. Moreover, the hold harmless/learned intermediary clauses, along with the costs of retaining forensic engineers to “prove” fault, generally prohibit such suits. Indeed, no party has incentives to publicize its involvement in errors resulting in patient harm.

The industry can also elect to develop a noncloseted arbitration solution, included in new and renegotiated HIT contracts, to create equitable and efficient incentives for relief. Arbitrators could set redress scope, stipulate response periods and compensation for failure to redress the problem, and impose obligations to disclose and provide remedies to affected licensees.

In the 21st century, medicine needs and expects HIT “dividends,” much of which are long overdue. Some of these dividend delays result from legal invulnerabilities HIT vendors have heretofore enjoyed. Vendors shifted liability to users and inserted other contractual language that effectively concealed from users the fuller knowledge of serious faults in their HIT systems. Those steps are both counterproductive and unethical. Reducing incentives for getting software right is neither a prescription for HIT health nor for lessened patient harm. Whether the industry is obliged to accept traditional liability, regulatory oversight,¹⁵ or both, restricting the hold harmless/learned intermediary clauses should help to speed the repair of faulty HIT.

There are doubtless many less-than-qualified clinician HIT users. In these cases, there are no shortages of attorneys willing to pursue those whose insufficient or incorrect use of HIT was associated with harm to patients. But in many cases, HIT problems may be caused not by clinicians but by poor software. While it is proper that HIT vendors should be held harmless from others' failures, being held responsible for their own errors will bring incentives into balance and enable learned intermediaries to focus on patient care, rather than on coping with product inadequacies or failures.