If a hospital learns that hackers breached your medical records, federal law requires that it inform you. If the same hospital learns you may have been exposed to a deadly pathogen, it usually doesn’t have to say a thing.
That's because hospitals don’t have a legal obligation to tell patients about the presence of pathogens — even antibiotic-resistant bacteria. These so-called superbugs are increasingly common, and are so deadly that Tom Frieden, head of the Centers for Disease Control (CDC), has described them as “nightmare bacteria." Recent outbreaks, linked to contaminated endoscopes at UCLA and other hospitals, are bringing this policy gap to the fore.
Investigations of some outbreaks went on for months or years without patients knowing. Transmissions at a Seattle hospital that began in 2012, for instance, weren't made public until this year. When UCLA Health System in February discovered that seven patients had been infected with a superbug known as CRE, including two who died, the hospital told 179 patients they might have been exposed to the bacteria through dirty scopes. "Our No. 1 priority is the health and safety of our patients and we believe in honesty and transparency," hospital spokeswoman Dale Tate said in a March 5 e-mail.
There are lots of ways germs can spread in medical facilities. Staff might not wash their hands, for example, or they might improperly prepare surgical sites. The federal government requires hospitals to track and disclose their rates of six types of infections, including some other drug-resistant bugs, but CRE isn't one of them. CRE is a novel strain of the type of bacteria that is always present in the human gut. But CRE is particularly dangerous because it can’t be treated with last-resort antibiotics, and 40 percent to 50 percent of those infected die. Patients who encounter CRE through a contaminated instrument might get infected immediately. Others might become “colonized” — they don’t get sick, but the bacteria live in their gut. That could cause an infection later or potentially transmit the pathogen to others in a hospital.
In some states, health-care providers have to report CRE and other outbreaks to state public health authorities. Some states also require hospitals to report cases of serious patient harm known as "sentinel events.” And adverse events linked to medical devices are supposed to be filed with the Food and Drug Administration (FDA), though the names of hospitals are scrubbed.
But little of this information reaches patients or the general public. The FDA, which regulates medical device makers, didn’t issue an alert warning that the contaminated endoscopes implicated in the UCLA outbreak may be impossible to fully clean until the day after news broke. On Wednesday, in an update to that alert, the agency disclosed that manufacturer Olympus didn’t have proper FDA clearance to market the specific model used at UCLA. These specialized devices, known as duodenoscopes or ERCP endoscopes, are inserted through the mouth and threaded through the gastrointestinal tract to reach small ducts in the digestive system.
The agency said it has no evidence that the lack of clearance was linked to infections, which have also been associated with other brands of the devices. Olympus spokesman Mark Miller said that in 2010 the company made changes to a model of scope that was already cleared by the FDA and Olympus “determined” that the new model didn’t require a separate approval. The FDA asked for a new application in March 2014, said agency spokeswoman Leslie Wooldridge, and the company submitted one in October. The FDA said it’s not pulling the scopes from the market because that could lead to a shortage of the devices, which are used in 500,000 procedures in the U.S. each year.
Advocates for patient safety say hospitals and public health authorities are keeping life-or-death information from patients. Lisa McGiffert, director of the Safe Patient Project at Consumers Union, says hospitals should notify prospective patients when they learn that superbugs are spreading. When officials know the source of transmission, they should notify patients who might have been exposed. And public health authorities should make the information widely known, she says.
The current system, where information is sometimes passed to state health officials but not to patients, amounts to “a secret network,” McGiffert says. “We believe that these kinds of secret networks are the fundamental reason that we have 440,000 people die from preventable infection or medical errors every year,” she says. (That figure is the top range of estimates from a 2013 article in the Journal of Patient Safety.)
The American Hospital Association, the industry’s trade group, also wants hospitals to be upfront with patients. "We encourage all hospitals to be transparent in the case of a contagion, proactively communicating with all possibly impacted patients, informing them the potential for infection and offering follow-up care and treatment,” the group’s chief medical officer, John Combes, says. The FDA, in its updated safety alert, likewise advises that health-care providers “inform patients of the benefits and risks associated with ERCP procedures, including the risk of possible infection.”
Lawrence Muscarella, a patient safety consultant who’s been sounding alarms about the risks of the scopes, says the FDA should go further. The agency hasn't asked hospitals to warn patients explicitly about superbugs, or to screen those who may have been exposed. "It is unclear how many people who recently underwent ERCP would discover they are now colonized with a potentially life-threatening superbug,” Muscarella says.
McGiffert says hospitals initially resisted the idea of tracking preventable illness that occurs when infection control instructions aren't followed. But making the data available cut the number of infections. "It wasn’t motivating enough that tens of thousands of people were dying every year," McGiffert says. "It was the public disclosure that motivated it."