Computer-Based Patient Records: Better Planning and Oversight By VA, DOD, and IHS Would Enhance Health Data Sharing (30-APR-01, GAO-01-459). In November 1997, the President called for Department of Veterans Affairs (VA) and the Department of Defense (DOD) to create an interface that would allow the two agencies to share patient health information. The Government Computer-Based Patient Record's (GCPR) aim to allow health care providers to electronically share comprehensive patient information should provide the VA, DOD, and the Indian Health Service (IHS) a valuable opportunity to improve the quality of care for their beneficiaries. But without a lead entity, a clear mission, and detailed planning to achieve that mission, it is difficult to monitor progress, identify project risks, and develop appropriate contingency plans to keep the project moving forward and on track. Critical project decisions were not made, and the agencies were not bound by those that were made. The VA and DOD Chief Information Officers' (CIO) action to focus on short-term deliverables and to capitalize on existing technologies is warranted and a step in the right direction. However, until problems with the two agencies' existing systems and issues regarding planning, management, and accountability are resolved, project costs will likely continue to increase and implementation of the larger GCPR effort--and its expected benefits--will continue to be delayed. -------------------------Indexing Terms------------------------- REPORTNUM: GAO-01-459 ACCNO: A00848 TITLE: Computer-Based Patient Records: Better Planning and Oversight By VA, DOD, and IHS Would Enhance Health Data Sharing DATE: 04/30/2001 SUBJECT: Health care services Information resources management Interagency relations Medical information systems Medical records Strategic information systems planning Systems compatibility DOD Military Health Services System DOD TRICARE Program DOD/IHS/VA Government Computer-Based Patient Record Project ****************************************************************** ** This file contains an ASCII representation of the text of a ** ** GAO Testimony. ** ** ** ** No attempt has been made to display graphic images, although ** ** figure captions are reproduced. Tables are included, but ** ** may not resemble those in the printed version. ** ** ** ** Please see the PDF (Portable Document Format) file, when ** ** available, for a complete electronic file of the printed ** ** document's contents. ** ** ** ****************************************************************** GAO-01-459 Report to Congressional Committees United States General Accounting Office GAO April 2001 COMPUTER- BASED PATIENT RECORDS Better Planning and Oversight by VA, DOD, and IHS Would Enhance Health Data Sharing GAO- 01- 459 Page i GAO- 01- 459 Government Computer- Based Patient Records Letter 1 Appendix I Scope and Methodology 22 Appendix II Comments From the Department of Veterans Affairs 24 Appendix III Comments From the Department of Defense 34 Appendix IV Comments From the Indian Health Service 40 Appendix V GAO Contacts and Staff Acknowledgments 43 Table Table 1: Changes in GCPR?s Estimated Project Cost 10 Figures Figure 1: GCPR Interface With Agencies? Health Information Systems 6 Figure 2: GCPR Time Frames as of January 1999 and September 2000 9 Contents Page ii GAO- 01- 459 Government Computer- Based Patient Records Abbreviations CIO Chief Information Officer CPRS Computer Patient Record System DOD Department of Defense GCPR Government Computer- Based Patient Record HHS Department of Health and Human Services HIPAA Health Insurance Portability and Accountability Act IHS Indian Health Service IT information technology MHS Military Health System MOA memorandum of agreement PACMEDNET Pacific Medical Network PDTS Pharmacy Data Transaction System TMIP Theater Medical Information Program VA Department of Veterans Affairs VHA Veterans Health Administration VISN Veterans? Integrated Service Network VISTA Veterans Health Information Systems and Technology Architecture Page 1 GAO- 01- 459 Government Computer- Based Patient Records April 30, 2001 The Honorable John Warner Chairman The Honorable Carl Levin Ranking Member Committee on Armed Services United States Senate The Honorable Bob Stump Chairman The Honorable Ike Skelton Ranking Minority Member Committee on Armed Services House of Representatives The Department of Veterans Affairs (VA) and the Department of Defense (DOD) combined provide health care services to approximately 12 million veterans, military personnel, and dependents at an annual cost of $34 billion. The Veterans Health Administration (VHA) and the Military Health System (MHS) collect and maintain patient health information in separate systems. The Gulf War exposed many deficiencies in these systems and highlighted the need for VA and DOD to be able to readily access and transfer accurate health data on their respective populations. In December 1992, the Congress asked us to report on how VA and DOD, along with the Indian Health Service (IHS), could share information technology (IT) and patient medical information to provide greater continuity of care, accelerate VA eligibility determinations, and save software development costs. 1 In November 1997, the President called for VA and DOD to create an interface that would allow the two agencies to share patient health information. In 1998, the Government Computer- Based Patient Record (GCPR) project was initiated by VA, DOD, and IHS, which was included in the effort because of its population- based research expertise and its long- standing relationship with VA. Early project documents stated that, when completed, GCPR would allow health care professionals to ?share clinical 1 See Federal Health Care: Increased Information System Sharing Could Improve Service, Reduce Costs (GAO/ IMTEC- 93- 33BR, June 1993). United States General Accounting Office Washington, DC 20548 Page 2 GAO- 01- 459 Government Computer- Based Patient Records information via a comprehensive, lifelong medical record.? Given the inherent complexity of such an undertaking and the value of achieving this capability, the Congress directed us to report on the status of the GCPR effort. Specifically, we were asked to (1) describe GCPR?s time frames, costs, and expected benefits; (2) determine whether barriers to the progress of the project exist; and (3) if barriers exist, describe agency actions to address them. 2 Our review of the GCPR project was based on site visits to VA, DOD, and IHS facilities and on interviews with officials at these facilities and at the agencies? headquarters, GCPR management and contractors, and medical IT experts from the health care industry. We also reviewed relevant GCPR project documents as well as documents on the three agencies? health information systems. In addition, we conducted site visits to several private sector health care organizations that are also undertaking efforts to link disparate health information systems, and we interviewed representatives of these organizations about their experiences. We conducted this review from March 2000 through February 2001 in accordance with generally accepted government auditing standards. For more on our scope and methodology, see appendix I. Expanding time frames and cost estimates, as well as inadequate accountability and poor planning, have raised doubts about GCPR?s ability to provide its expected benefits, prompting the agencies to refocus their approach to the project. Initial plans called for the agencies to begin worldwide deployment of GCPR on October 1, 2000, but intermediate target dates, such as those for testing, were not met, pushing project deployment out to an undefined date. GCPR cost estimates have also proven to be unreliable. In September 1999, GCPR was estimated to cost about $270 million over its 10- year life cycle, by August 2000, projections for GCPR stood at $360 million- estimates that GCPR project managers acknowledge are probably understated. By the end of 2000, it became evident that, in the near term, physicians and other health care professionals would not have access to comprehensive beneficiary health information across the three partner agencies, limiting the extent to which the effort will provide the benefits originally envisioned- including improved research and quality of care as well as clinical and administrative efficiencies. 2 H. R. Rep. No. 106- 616 at 383 (2000). Results in Brief Page 3 GAO- 01- 459 Government Computer- Based Patient Records With accountability for GCPR blurred across several management entities, basic principles of sound IT project planning, development, and oversight have not been followed, creating barriers to progress. For example, clear goals and objectives have not been set; detailed plans for the design, implementation, and testing of the interface have not been developed; and critical decisions are not binding on all partners. In addition, GCPR plans have not resolved data incompatibilities and other differences that complicate the electronic exchange of health information among the three agencies? facilities. Finally, concerns related to developing a comprehensive strategy to guarantee the privacy and security of health information shared through GCPR have not been addressed. In September 2000, we discussed these barriers with VHA?s and MHS? Chief Information Officers (CIO). Soon after, they began to exercise much needed oversight, temporarily suspending further work on previously planned project activities and focusing on more immediate and less ambitious returns from GCPR. According to the CIOs, they are developing plans for an interim effort to allow VHA to view DOD health data and expect to have this capability by fall 2001. They plan to evaluate their existing IT products as well as commercial products that have a similar aim of sharing patient data to determine whether these technologies can be used for the interim effort, which may allow VA and DOD to reduce or eliminate redundancies. However, this interim effort, which does not include IHS as a partner, has several major limitations. For example, physicians at Military Treatment Facilities (MTF) will not be able to view VHA health information- or information from other MTFs. Moreover, the information?s usefulness to health care providers and researchers will likely be limited, in part because the requested data could take as long as 48 hours to receive. Once DOD data are accessible to VA, project officials report that they plan to resume the broader, longer- term effort- establishing a link among multiple health information systems to provide comprehensive patient information to physicians and other health care professionals in the three agencies. However, to date, formal plans for the interim effort and the resumption of the broader GCPR project have not been developed. To help ensure that GCPR succeeds in exchanging patient health information, we are making recommendations for VA and DOD to continue to improve their oversight and planning of the project. In commenting on our draft report, VA, DOD, and IHS concurred with the findings and recommendations. In their comments, the agencies also outline a new approach for GCPR. Page 4 GAO- 01- 459 Government Computer- Based Patient Records The GCPR effort developed out of VA and DOD discussions about ways to share data in their health information systems and from efforts to create electronic records for active duty personnel and veterans. The patients served by VA?s and DOD?s systems tend to be highly mobile. Consequently, their health records may be at multiple federal and nonfederal medical facilities both in and outside the United States. In December 1996, the Presidential Advisory Committee on Gulf War Veterans? Illnesses reported on many deficiencies in VA?s and DOD?s data capabilities for handling service members? health information. In November 1997, the President called for the two agencies to start developing a ?comprehensive, life- long medical record for each service member.? In August 1998, 8 months after the GCPR project was officially established, the President issued a directive requiring VA and DOD to develop a ?computer- based patient record system that will accurately and efficiently exchange information.? The directive further stated that VA and DOD should ?define, acquire, and implement a fully integrated computer- based patient record available across the entire spectrum of health care delivery over the lifetime of the patient? and recognized VA and DOD?s effort to ?create additional interface mechanisms that will act as bridges between existing systems.? 3 IHS became involved because of its expertise in population- based research and its long- standing relationship with VA in caring for the Indian veteran population as well as IHS? desire to improve the exchange of information among its facilities. Each of the three agencies? health facilities is linked to their agency?s regional database or an IT center: VA has about 750 facilities in 22 regions, DOD has about 600 MTFs in 14 domestic and overseas medical regions, and IHS has 550 facilities in 12 regions. 4 Currently, these facilities cannot electronically share patient health information across agency lines, and only VA facilities have the capability of sharing certain information across regions. GCPR is not intended to be a separate computerized health information system, nor is it meant to replace VA?s, DOD?s, and IHS? existing systems. 3 National Science and Technology Council, A National Obligation: Planning for Health Preparedness for and Readjustment of the Military, Veterans, and Their Families After Future Deployments, Presidential Review Directive 5 (Washington, D. C.: Executive Office of the President, Office of Science and Technology Policy, Aug. 1998). 4 VA?s regions are officially referred to as Veterans? Integrated Service Networks, or VISNs; IHS? regions are generally referred to as areas. Background Page 5 GAO- 01- 459 Government Computer- Based Patient Records GCPR is intended to allow physicians and other authorized users at the agencies? health facilities to access data from any of the agencies? other health facilities by serving as an interface among their health information systems (see fig. 1). As envisioned, the interface would compile requested patient information in a temporary or virtual record while appearing on the computer screen in the format of the user?s system. GCPR would divide health data into 24 categories, or ?partitions,? including pharmacy, laboratory results, adverse reactions, vital signs, patient demographics, and doctors? notes. Page 6 GAO- 01- 459 Government Computer- Based Patient Records Figure 1: GCPR Interface With Agencies? Health Information Systems Source: GAO. With this ability to exchange information, GCPR is expected to achieve several benefits, including improving quality of care; providing data for population- based research and public health surveillance; advancing industrywide medical information standards; and generating administrative and clinical efficiencies, such as cost savings. DOD Facilities' Composite Health Care System (CHCS) I & II IHS Facilities' Resource and Patient Management System (RPMS) VA Facilities' Veterans Health Information Systems and Technology Architecture (VISTA) GCPR Page 7 GAO- 01- 459 Government Computer- Based Patient Records Several management entities share responsibility for GCPR: Military and Veterans Health Coordinating Board: This entity was created to ensure coordination among VA, DOD, and the Department of Health and Human Services (HHS) on military and veteran health matters, particularly as they relate to deployed settings, such as the Persian Gulf. The board also oversees implementation of the President?s August 1998 directive. The board consists of the Secretaries of VA, DOD, and HHS. DOD and VA Executive Council: The council was created to identify and implement interagency initiatives that are national in scope. One initiative is to ensure a smooth transfer of information between DOD?s and VA?s health care systems through efforts such as GCPR. The council comprises VA?s Under Secretary for Health, DOD?s Assistant Secretary for Health Affairs, their key deputies, and the Surgeon General of each military branch. GCPR Board of Directors: The board was established to set GCPR programmatic and strategic priorities and secure funding from VA, DOD, and IHS. The board consists of the VA Under Secretary for Health and CIOs for MHS and IHS. 5 GCPR Executive Committee: The Executive Committee sets tactical priorities, oversees project management activities, and ensures that adequate resources are available. The committee membership consists of senior managers from VA, DOD, and IHS. GCPR is managed on a day- to- day basis by a program office staffed by personnel from VA, DOD, IHS, and the project?s prime contractor, Litton/ PRC of McLean, Virginia. Litton/ PRC is responsible for building, shipping, installing, configuring, and operating the interface and administering site training. Battelle Memorial Institute of Columbus, Ohio, holds contracts for developing medical ?reference models,? which allow for the exchange of data among different systems without requiring 5 The MHS CIO replaced the Deputy Surgeon General of the Navy as DOD?s representative on the board. Previously, the MHS CIO was an ex- officio member and was recorded as a participant in board minutes. Page 8 GAO- 01- 459 Government Computer- Based Patient Records standardization. 6 Assisting in the project are government- led work groups, which consist of VA, DOD, and IHS employees and Litton/ PRC staff. The work groups? key tasks include acquisition, finance, legal work, marketing, telecommunications, and documenting clinical practices. Throughout the course of the GCPR project, time frames and cost estimates have expanded, and GCPR?s ability to deliver its expected benefits has become less certain. In 1999, initial plans called for GCPR to begin worldwide deployment October 1, 2000, but target dates for intermediate phases, such as testing, were not met, pushing project deployment out to an undefined date. For example, completion of testing was originally scheduled for September 2000 but was delayed until August 2002 (see fig. 2). 6 Comprehensive industry standards for medical language and its context do not exist. Consequently, different health information systems or providers may use different terms to mean the same thing. For example, to indicate a patient is suffering from a rhinovirus, some may use ?cold? while others may use ?upper respiratory disorder? or ?nasal congestion.? In addition, without knowing the context in which a term such as ?cold? is used, it is difficult to determine whether the patient has a rhinovirus or feels cold or has chronic obstructed lung disease. According to GCPR project documents, reference models would allow translation among the different medical languages and terminologies used by VA, DOD, and IHS. Time Frames and Cost Estimates Have Expanded, and Expected Benefits Have Been Delayed Page 9 GAO- 01- 459 Government Computer- Based Patient Records Figure 2: GCPR Time Frames as of January 1999 and September 2000 Source: GCPR project documents. GCPR cost estimates also increased. GCPR was estimated in September 1999 to cost about $270 million over its 10- year life cycle; by August 2000, projections for GCPR stood at $360 million (see table 1). However, GCPR project officials told us that the cost estimates were unreliable and probably understated, in part because some costs- such as computer hardware needed by the project?s contractors- were not included. Other cost estimates, such as those for deployment, could not be verified. In the case of deployment, final decisions affecting costs were not made. Page 10 GAO- 01- 459 Government Computer- Based Patient Records Table 1: Changes in GCPR?s Estimated Project Cost (Dollars in millions) Phase Estimates as of Sept. 1999 Estimates as of Aug. 2000 Preliminary $12.5 $1.8 Phase I (prototype and proof of concept) 42.0 17.7 Phase II (pilot, alpha-, and beta- field testing) 23.3 98.2 Phase III (phased deployment) 92.8 133.5 Ongoing operations 99.0 108.7 Total $269.6 $359.9 Source: GCPR project documents. By the end of 2000, it became apparent that the benefits described in GCPR project documents and brochures and on its website- including access to comprehensive, life- long patient information- would not be realized in the near future. According to Litton/ PRC, preliminary testing of data transfer among selected VA facilities is demonstrating that the GCPR technology works. However, significant issues in sharing comprehensive patient data have not been adequately addressed. For example, while GCPR managers planned to field test 6 7 of the 24 data partitions, they had no plans for when other partitions would be tested. Moreover, access was to be limited to patient information in VA?s, DOD?s, and IHS? health information systems; information in other major data sources, such as TRICARE- DOD?s managed care program- and other third- party providers would not be accessible. Access to patient information would be further limited because full deployment of CHCS II- DOD?s new, more comprehensive health information system, currently under development- has been delayed until 2004 as the result of complications such as limited system capacity and slow response time. With CHCS II, GCPR would provide access to information on immunizations; allergies; and outpatient encounters, such as diagnostic and treatment codes; as well as to information in CHCS I, DOD?s current system, which primarily includes information on patient hospital admission and discharge, patient medications, laboratory results, and radiology. Providing other anticipated benefits- such as improved quality of patient health records- will also be difficult because GCPR plans do not include steps for correcting longstanding data problems, such as inaccurate data entries. 7 Demographics, security, laboratory results, problem lists, medication profiles, and adverse reactions. Page 11 GAO- 01- 459 Government Computer- Based Patient Records The lack of accountability and sound IT project planning- critical to any project, particularly an interagency effort of this magnitude and complexity- put GCPR at risk of failing. The relationships among GCPR?s management entities were not clearly established, and no one entity had the authority to make final project decisions binding on the other entities. As a result, plans for the development of GCPR have not included a clear vision for the project and have not given sufficient attention to technological and privacy and security issues as the effort has moved forward. 8 From the outset, decision- making and oversight were blurred across several management entities, compromising GCPR?s progress. The roles and responsibilities of these entities and the relationships among them are not spelled out in the VA- DOD- IHS memorandum of agreement (MOA), and no one entity exercised final authority over the project. The Board of Directors and the Executive Committee did not follow sound IT business practices- such as ensuring agency commitment, securing stable funding, and monitoring the project?s progress- as dictated by federal requirements. 9 For example, GCPR documents show that VA, DOD, and IHS should provide consistent project funding of 40 percent, 40 percent, and 20 percent, respectively, but DOD has never provided this level of funding and, at times, temporarily withheld funding it had promised. Moreover, the Board of Directors and the Executive Committee did not exercise sufficient oversight, including monitoring, to ensure that the project would be adequately funded. Without agency commitment and sufficient oversight, the project team has been limited in its ability to manage GCPR effectively or efficiently. Unstable funding forced GCPR project managers to develop and issue multiple short- term contracts for work that could have been covered by a single longer- term contract. At one point during our review, project managers told us that the project would end after field- testing because of a lack of adequate funding and a lack of a clear mandate to proceed with full 8 An earlier independent risk assessment by Northpoint Software Ventures, Inc., found similar weaknesses in GCPR?s business practices. 9 Six laws largely lay out the IT management responsibilities of federal agencies: the Federal Records Act of 1950, the Privacy Act of 1974, the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger- Cohen Act of 1996, and the Government Paperwork Elimination Act of 1998. Inadequate Accountability and Planning Compromised GCPR?s Progress Lack of Accountability Undermined Agencies? Commitment to the Project Page 12 GAO- 01- 459 Government Computer- Based Patient Records deployment, even though plans called for the project to continue through deployment. The three partner agencies never reached consensus on GCPR?s mission and how it would relate to the individual agencies? missions. In addition, key project documents, such as the MOA establishing GCPR, have not adequately spelled out the project?s goals and objectives. For example, some DOD officials thought GCPR?s mission paralleled the goals and objectives of Presidential Review Directive 5; however, GCPR project managers did not share this understanding and the directive was never adopted as GCPR?s mission. Without an agreed upon mission with clear goals and objectives, it remained unclear what problem GCPR was trying to solve. This lack of consensus on the project?s mission, goals, and objectives affected the agencies? dedication of resources. Expecting GCPR to enhance its ability to carry out its mission to provide health care to veterans, VA was providing the most funding to the project. In contrast, DOD elected to place priority on funding CHCS II, which is estimated to cost several billion dollars because officials believe it will more specifically address the Department?s health mission. GCPR plans have also not sufficiently addressed other critical issues that need to be resolved, such as decisions about key data elements. For example, DOD and IHS use different identifiers to match health records to patients- DOD facilities use Social Security numbers, while IHS facilities use facility- specific health record numbers. Differences such as these complicate the electronic exchange of health information. Further, in the absence of common medical terminology, project personnel, assisted by Battelle, are developing reference models they believe will interpret VA, DOD, and IHS data and present the data in a format understandable to the user- without requiring cross- agency standards. However, GCPR plans have not specified the key tasks for developing these models, their relation to one another, and who should carry them out. As a result, work progressed slowly and rework has been necessary. For example, coordination between the Battelle team and Litton/ PRC was, initially, not adequate to ensure that the reference models developed by Battelle would meet Litton/ PRC?s technical requirements for developing the interface. Therefore, the models had to be revised. In addition, the MOA and other key project documents did not lay out the specific roles and responsibilities of VA, DOD, and IHS in developing, testing, and deploying the interface. GCPR plans also did not describe how the project would use the agencies? existing technologies for sharing Inadequate Planning Hindered Progress Page 13 GAO- 01- 459 Government Computer- Based Patient Records patient health information and to avoid duplication of effort. For example, GCPR plans do not discuss VA?s ?remote view? capability- which will allow users of VA?s Computer Patient Record System (CPRS) 10 to simultaneously view health data across multiple facilities- or three of DOD?s health information systems: Theater Medical Information Program (TMIP), Pacific Medical Network (PACMEDNET), and Pharmacy Data Transaction System (PDTS). 11 Finally, a comprehensive strategy to guarantee the privacy and security of electronic information shared through GCPR was not developed. GCPR?s draft privacy and security plan delegates primary responsibility for ensuring privacy and security to more than 1,000 VA, DOD, and IHS local facilities, with few additional resources and little guidance. However, there have been long- standing privacy and security problems within VA?s, and DOD?s information systems. For example, weak access controls put sensitive information- including health information- at risk of deliberate or inadvertent misuse, improper disclosure, or destruction. 12 By providing broader access to more users, GCPR may exacerbate these risks. DOD is required by the Floyd D. Spence National Defense Authorization Act for 2001 (P. L. 106- 398) to submit to the Congress a comprehensive plan consistent with HHS medical privacy regulations to improve privacy. 13 The act also requires DOD to promulgate interim regulations that allow for use of medical records as necessary for certain purposes, including patient treatment and public health reporting, thus providing DOD the flexibility to share patient health information through a mechanism such as GCPR. The HHS privacy regulations went into effect on April 14, 2001, and contain provisions that require consent to disclose health information 10 CPRS is a component system of VISTA. 11 DOD?s TMIP, currently under development, is intended to capture medical information for deployed personnel; PACMEDNET is a joint DOD/ VA effort to link medical records in the Pacific region; and PDTS is DOD?s new patient drug transaction and safety database. Program costs are $14.8 million for PDTS and $19. 5 million for PACMEDNET; program costs for TMIP have not been determined. 12 See Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies (GAO/ AIMD- 00- 295, Sept. 6, 2000). 13 The Health Insurance and Portability Act (HIPAA) requires the development of comprehensive privacy standards that would establish rights for patients with respect to their medical records and define the conditions for using and disclosing identifiable health information. (P. L. 104- 191, 264, 110 Stat. 1936, 2033.) The final regulations require that patient consent must be secured before disclosing information in individual medical records. Page 14 GAO- 01- 459 Government Computer- Based Patient Records before engaging in treatment, payment, or health care operations (45 C. F. R. parts 160- 164). 14 Over the past several months, we have provided briefings on our findings to agency and project officials, including the CIOs of VHA and MHS whom we initially briefed in September 2000. Concerned about the lack of progress and the significant weaknesses that we found, the CIOs have begun to exert much needed oversight. They told us that they are now focusing on ?early deliverables? for VA and DOD. To ensure more immediate applicability of GCPR to their missions, VA and DOD?s current priority is to allow VA health care providers to view DOD health data by the end of September 2001. Once this interim effort is completed, the CIOs told us that they plan to resume the broader GCPR project- establishing a link among all three partner agencies? health information systems. Under the interim effort, as described by the CIOs, certain trigger events, such as a new veteran enrolling for VA medical treatment, will prompt VISTA to contact a central server, which would search the hundreds of CHCS I sites and collect any data on that patient. To help ensure efficient development of the interim effort, VA and DOD now plan to evaluate their existing IT products- such as VA?s remote view capability, which could have the potential to facilitate the retrieval of DOD health data- as well as commercial products to determine if these technologies can be used to electronically transmit data among the agencies? systems. While we did not conduct an in- depth review of these initiatives, we agree that such an evaluation may allow VA and DOD to reduce or eliminate redundancies because these products have a common aim of sharing patient data. However, it is unclear to what extent the interim effort will be using the GCPR technology- which, according to Litton/ PRC, has demonstrated that data can be moved among VA facilities. However, our concerns regarding the usefulness of the information- and the implications for GCPR?s expected benefits- still remain. For example, under the interim effort, the requested information is expected to take as long as 48 hours to be received. In addition, only authorized VHA personnel will have the ability to see CHCS I data from MTFs; health care 14 The Secretary of HHS has stated that there will be guidelines and modifications made to the consent provisions to make it clear that doctors and hospitals will have access to necessary medical information about patients whom they are treating. CIOs Change Immediate Focus, but Serious Concerns Remain Page 15 GAO- 01- 459 Government Computer- Based Patient Records providers at MTFs will not be able to view health information from VHA- or information from other MTFs. It is also unclear whether all or only selected VA and DOD facilities will have the interim capability now being proposed. IHS will not be included in the interim effort. Moreover, the interim effort will rely on DOD?s aging system, CHCS I, which historically has not been adequate to meet physicians? needs. CHCS I is primarily limited to administrative information and some patient medical information, such as pharmacy and laboratory results. CHCS I does not include patient information on the health status of personnel when they enter military service, on reservists who receive medical care while not on active duty status, or on military personnel who receive care from TRICARE providers. CHCS I also does not include physician notes made during examinations. In addition, information captured by CHCS I can vary from MTF to MTF. Some facilities, such as Tripler Army Medical Center in Hawaii, have significantly enhanced their CHCS software to respond to the needs of physicians and other system users and to collect patient health information not collected by other facilities. Further, the interim effort will need to address many of the same problems that confronted the broader GCPR effort: Transmitted information will be viewable only as sent; therefore, it will not be computable- that is, it will not be possible to organize or manipulate data for quick review or research. Electronic connectivity among MTFs is limited, and the interim effort does not propose to establish facility- to- facility links. Currently, only MTFs within the same region and using the same DOD IT hardware can access one another?s data using CHCS I. The requested data will not be meaningful to the VA user unless CHCS? language is translated into VISTA?s. For example, without interpretation, a VA physician?s VISTA query for a patient?s sodium level would not recognize ?NA? (used by DOD) as equivalent to ?sodium? (used by VA). Until terms and their context are standardized or the variations are identified, or ?mapped,? across all VA and DOD facilities, much of the information could be meaningless to VA physicians. According to VHA?s and MHS? CIOs, detailed plans and time frames are being prepared for the short- term, interim effort to allow VA to receive available electronic health information in CHCS I. However, as of the end of February 2001, no agreement on the goals, time frames, costs, and oversight for the interim approach has been reached, and no formal plans for the interim project exist. Moreover, revised plans for the broader, long- Page 16 GAO- 01- 459 Government Computer- Based Patient Records term GCPR project- including how and when IHS will resume its role in the project- have not been developed. While a draft of this report was being reviewed by the agencies, they developed a new near- term effort which they outlined in their comments. This effort, which revises their interim effort, is intended to address our concerns. However, many of our concerns remain and are addressed in our response to comments from the agencies. GCPR?s aim to allow health care providers to electronically share comprehensive patient information should provide VA, DOD, and IHS a valuable opportunity to improve the quality of care for their beneficiaries. But without a lead entity, a clear mission, and detailed planning to achieve that mission, it is difficult to monitor progress, identify project risks, and develop appropriate contingency plans to keep the project moving forward and on track. Critical project decisions were not made, and the agencies were not bound by those that were made. The VA and DOD CIOs? action to focus on short- term deliverables and to capitalize on existing technologies is warranted and a step in the right direction. However, until problems with the two agencies? existing systems and issues regarding planning, management, and accountability are resolved, projected costs are likely to continue to increase, and implementation of the larger GCPR effort- along with its expected benefits- will continue to be delayed. To help strengthen management and oversight of GCPR, we recommend that the Secretaries of VA and DOD and the Director of IHS reassess decisions about the broader, long- term GCPR project, based on the results of the interim effort. If the Secretaries of VA and DOD and the Director of IHS decide to continue with the broader effort, they should direct their health CIOs to apply the principles of sound project management delineated in our following recommendations for the interim effort. For the interim effort, we recommend that the Secretaries of VA and DOD and the Director of IHS direct their health CIOs to take the following actions: Designate a lead entity with final decision- making authority and establish a clear line of authority. Create comprehensive and coordinated plans to ensure that the agencies? can share comprehensive, meaningful, accurate, and secure patient health data. These plans include an agreed- upon mission and clear goals, Conclusions Recommendations for Executive Action Page 17 GAO- 01- 459 Government Computer- Based Patient Records objectives, and performance measures, and they should capitalize on existing medical IT capabilities. VA, DOD, and IHS reviewed and separately commented on a draft of this report. Each concurred with the findings and recommendations. The agencies also provided comments that outline a new near- term effort for GCPR and that aim to clarify GCPR?s purpose. Additionally, VA, DOD, and IHS provided written technical comments, which we have incorporated where appropriate. The full texts of their comments are reprinted as appendixes II, III, and IV. Regarding our recommendation to establish a clear line of authority, the Secretary of VA committed to meeting with the Secretary of Defense and the Director of IHS to designate a lead entity that will have decisionmaking authority for the three organizations. He said that once established, that entity will have a clear line of authority over all GCPR development activities. With regard to our recommendation to create comprehensive and coordinated plans for sharing patient health data, the Secretary of VA said he would direct the VHA CIO, in collaboration with VA?s departmentwide CIO to prepare such plans under the oversight of the lead entity. In response to our recommendation that longer- term GCPR decisions be reassessed based on the results of the interim effort, the Secretary of VA responded that GCPR will be reassessed based on the results of their near- term effort. Additionally, he said that the longer- term strategy will depend to some extent on advances in medical informatics, standards development, and the ability to bring in additional partners. DOD provided similar comments on our recommendation concerning longer- term GCPR decisions and also mentioned that it plans to include the Military Health System Information Management Committee in GCPR oversight. While IHS provided no information on the steps it plans to take to implement our recommendations, it commented, along with VA and DOD, that collaboration is essential to the future of GCPR. Overall, the agencies? statements, in our view, represent a commitment to oversight and management of GCPR. However, it is much too soon to know whether their commitment will result in a successful project. VA, DOD, and IHS also provided information that, according to the organizations, is intended to serve as a foundation for assessing GCPR and its progress. The agencies emphasized that GCPR is not intended to carry the whole weight for the service members? health records and the related health information systems, but instead consists of the agencies? core health information systems with GCPR handling the transfer and Agency Comments Page 18 GAO- 01- 459 Government Computer- Based Patient Records mediation of data. Our report does not suggest that GCPR is a replacement for the agencies? information systems or that it should carry the weight of the agencies? patient health information. Rather, our report states that GCPR is intended to create an electronic link that will enable the agencies to share patient data from their separate health information systems. The agencies also provided a clarification of GCPR?s purpose, stating that it will provide a longitudinal record covering service members from the start of their service through their care with VA. VA acknowledges that the realities of the challenges the project has presented have led to a scaling back of the initial version of GCPR as described in early project documents, such as budget submissions, contractors? statements of work, and project plans. These documents indicated that in addition to including IHS, GCPR would permit health care professionals to share clinical information via a comprehensive lifelong, medical record- one that would include information from all sources of care. GCPR was similarly described on GCPR?s home page and during briefings to the Congress and others, such as the National Committee on Vital and Health Statistics. Some documents, such as VA?s Fiscal Year 2001 Performance Plan, have described GCPR as including dependents of service members. To the extent that the agencies agree on the scaled- back description of GCPR, project documents and communications need to reflect this new understanding. This is, in part, why we recommended that the agencies develop and document a clear, agreed upon project mission, along with specific goals, objectives, and performance measures. The agencies? also provided information on a new near- term effort for GCPR, which they developed while reviewing our draft report. According to the agencies, this revised near- term effort that they have developed uses the GCPR framework and will provide VA clinicians with DOD data on all active duty members, retirees, and separated personnel. VA and DOD recognize that this one- way flow of information is not perfect but should be a substantial improvement for physicians making medical decisions and enhance the continuity of care for veterans. According to the agencies, the near- term effort is funded through year 2001 and they expect to have initial operating capability by fall 2001. We agree that, if successful, this effort should provide useful information to VA clinicians. In our view, their outline of the new near- term approach indicates that it is only in the concept stage and detailed planning and actual work are just beginning. For example, the agencies note that current data will be sent in ?near realtime transmission,? and historical data will be ?extracted and transmitted on a predetermined schedule.? But they do not define ?near real- time? and ?predetermined schedule.? Page 19 GAO- 01- 459 Government Computer- Based Patient Records Additionally, the agencies assert that the new near- term effort addresses many of the concerns we raised in the report. However, several of these issues remain and, as we recommended, need to be reassessed at the conclusion of the near- term effort because of their implications for the long- term effort: GCPR- both the near- term and larger efforts- will not provide a longitudinal record because plans call for GCPR to use DOD?s CHCS I for the foreseeable future. CHCS I, as DOD acknowledges in its comments, was not designed to include patient information on the health status of personnel when they enter military service, on reservists who receive medical care while not on active duty status, or on military personnel who receive care outside MTFs. The meaningfulness of the transmitted data remains in question because the agencies do not plan to standardize or map the differing terminology in their health information systems. As we note in the report, without standardized terminology or mapping, the meaning of certain terms used in medical records may not be apparent to the VA provider requesting the information. For example, unless the context is clear, the meaning of the term ?cold? in a medical record may be interpreted as meaning a rhinovirus, a feeling of being cold, or having chronic obstructed lung disease. The agencies also need to more fully address data- specific matters, such as GCPR?s reference modeling, before developing additional hardware and software. Once they reach consensus on these issues, their agreement must be clearly stated in a formalized document- one that is binding on all three partners. Finally, for the project to be successfully deployed, detailed plans on GCPR?s system components and tasks with clear project parameters need to be developed. Until such plans are developed, the agencies? GCPR efforts cannot be fully assessed. Privacy and security issues are also continuing concerns. DOD states in its comments that it does not intend to delegate responsibility for complying with DOD and federal privacy and security requirements to its local facilities. However, DOD does not describe how it plans to ensure compliance, raising concerns such as how unintended or unauthorized disclosure or access of information would be prevented when the nearterm effort provides selected ?data feeds from CHCS I [into] a database to be accessed by VA.? Similarly, VA generally describes how authorized VA staff will access DOD medical records. However, we have concerns about how the two Departments will ensure the privacy and security of patient information given the security weaknesses in their computer systems, which we have repeatedly reported on. In March 2001, we reported that DOD continues to face significant personnel, technical, and operational Page 20 GAO- 01- 459 Government Computer- Based Patient Records challenges in implementing a departmentwide information security program, and DOD management has not carried out sufficient program oversight. 15 We included VA?s computer security in our January 2001 HighRisk Series and, in an accompanying report, pointed out persistent computer security weaknesses that placed critical VA operations, including health care delivery, at risk of misuse, fraud, improper disclosure, or destruction. 16 For example, we found that VA has not adequately limited access granted to authorized users, managed user identification and passwords, or monitored access activity- weaknesses that VA?s Inspector General recently testified on. 17 Funding is also a concern. VA states that GCPR?s ?success and rate of progression will depend to some extent on the ability to add partners and available funding.? Similarly, DOD states that GCPR program requirements will be funded in accordance with overarching DOD mission priorities. IHS also noted that it faces competing demands for scarce resources. We recognize that each agency has multiple priorities. However, securing adequate and stable funding and determining whether additional partners are needed depends on reliable cost estimates- which can only be determined with well- defined goals and detailed plans for achieving those goals. As DOD points out in its comments, the 10- year cost estimates for GCPR will continue to be considered unreliable until clear mid- and longterm goals and objectives have been established and agreed to by the three agencies. Each of the three agencies also stated that GCPR may have been judged by the criteria used to assess a standard information system development effort and that doing so understates the complexity of their undertaking. While we believe that the technology exists to support GCPR- particularly the new near- term effort- we agree that GCPR presents unique and difficult administrative challenges. Yet it is this very complexity that calls for thorough planning, interagency coordination, and diligent oversight as well as consistent and regular communication of the project?s status and progress to all stakeholders. 15 Information Security: Progress and Challenges to an Effective Defense- wide Information Assurance Program (GAO- 01- 307, Mar. 30, 2001). 16 Major Management Challenges and Program Risks: Department of Veterans Affairs (GAO- 01- 255, Jan. 2001). 17 Testimony of Richard J. Griffin, Inspector General, Department of Veterans Affairs, before the House Committee on Veterans? Affairs, Subcommittee on Oversight and Investigations, April 4, 2001. Page 21 GAO- 01- 459 Government Computer- Based Patient Records Finally, VA noted that it would like to discuss with us certain details in our report with which it did not fully agree but yet did not disclose in its comments. Throughout the course of the project- and particularly over the past 6 months- we met frequently with the agencies to provide observations on our work and discuss any concerns that were brought to our attention. We are committed to continuing to meet with VA, DOD, and IHS to help in this important endeavor. We are sending this report to the Honorable Anthony Principi, Secretary of Veterans Affairs; the Honorable Donald Rumsfeld, Secretary of Defense; the Honorable Tommy Thompson, Secretary of Health and Human Services; appropriate congressional committees; and other interested parties. We will also make copies available to others upon request. Should you have any questions on matters discussed in this report, please contact me at (202) 512- 7101. Other contacts and key contributors to this report are listed in appendix V. Stephen P. Backhus Director, Health Care- Veterans? and Military Health Care Issues Appendix I: Scope and Methodology Page 22 GAO- 01- 459 Government Computer- Based Patient Records To determine the status of the GCPR project, we conducted site visits to VA, DOD, and IHS facilities; interviewed personnel at these locations, representatives of nonfederal health care organizations, and others knowledgeable about computerized linking of disparate health information systems; and reviewed documents relevant to the project. We also consulted with project officials at various times during our audit about the status of our review. We went to a total of nine VA, DOD, and IHS health care facilities in California, Hawaii, Indiana, and Washington, D. C. These sites were judgmentally selected based on a variety of factors, including diversity of system capabilities and size and type of facility, such as major medical centers and small community- based clinics. Therefore, they are not necessarily representative of the agencies? facilities. During these site visits, we spoke with a variety of facility staff- ranging from a DOD regional medical commander and IHS facility managers to VA administrative personnel- about their experiences using the agencies? existing health information systems. We also asked them about what additional information and system features they consider to be important in treating patients and conducting population- based research. Further, we talked with facility IT technicians and administrators about their systems? capabilities and the technical requirements for developing the GCPR interface, and we discussed the potential effect the interface might have on current operations and systems. We interviewed VA, DOD, and IHS officials, primarily from the agencies? headquarters, involved directly in the GCPR project to obtain specific information about the project?s day- to- day operations and management, including timelines, costs, and technical matters. We also interviewed personnel from the two primary GCPR contractors- Litton/ PRC in McLean, Virginia, and Battelle Memorial Institute of Columbus, Ohio- on the status of the interface development, particularly regarding the reference modeling. We also talked with agency representatives on the GCPR Board of Directors and Executive Committee about the oversight of the project. To obtain additional perspectives about the development of computerized patient record systems, we talked with recognized leaders in the field and visited selected private sector facilities, including Kaiser Permanente, Aurora HealthCare of Wisconsin, and the Regenstrief Institute of the University of Indiana in Indianapolis. We also talked with officials from the National Committee on Vital and Health Statistics regarding privacy Appendix I: Scope and Methodology Appendix I: Scope and Methodology Page 23 GAO- 01- 459 Government Computer- Based Patient Records and security issues and the status of the development of HIPAA regulations. Finally, we reviewed many GCPR project documents. These included technical plans, such as the project?s draft privacy and security plan, deployment plans, and other planning documents; cost analyses; and Board of Directors and Executive Committee meeting minutes; and other relevant project documents. We conducted our review between March 2000 and April 2001 in accordance with generally accepted government auditing standards. Appendix II: Comments From the Department of Veterans Affairs Page 24 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Appendix II: Comments From the Department of Veterans Affairs Page 25 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 26 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 27 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 28 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 29 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 30 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 31 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 32 GAO- 01- 459 Government Computer- Based Patient Records Appendix II: Comments From the Department of Veterans Affairs Page 33 GAO- 01- 459 Government Computer- Based Patient Records Appendix III: Comments From the Department of Defense Page 34 GAO- 01- 459 Government Computer- Based Patient Records Appendix III: Comments From the Department of Defense Appendix III: Comments From the Department of Defense Page 35 GAO- 01- 459 Government Computer- Based Patient Records Appendix III: Comments From the Department of Defense Page 36 GAO- 01- 459 Government Computer- Based Patient Records Appendix III: Comments From the Department of Defense Page 37 GAO- 01- 459 Government Computer- Based Patient Records Appendix III: Comments From the Department of Defense Page 38 GAO- 01- 459 Government Computer- Based Patient Records Appendix III: Comments From the Department of Defense Page 39 GAO- 01- 459 Government Computer- Based Patient Records Appendix IV: Comments From the Indian Health Service Page 40 GAO- 01- 459 Government Computer- Based Patient Records Appendix IV: Comments From the Indian Health Service Appendix IV: Comments From the Indian Health Service Page 41 GAO- 01- 459 Government Computer- Based Patient Records Appendix IV: Comments From the Indian Health Service Page 42 GAO- 01- 459 Government Computer- Based Patient Records Appendix V: GAO Contacts and Staff Acknowledgments Page 43 GAO- 01- 459 Government Computer- Based Patient Records Ann Calvaresi- Barr (202) 512- 6986 Keith Steck (202) 512- 9166 In addition to those named above, the following staff made key contributions to this report: Tonia Johnson, Helen Lew, William Lew, Valerie Melvin, Karen Sloan, and Thomas Yatsco. Appendix V: GAO Contacts and Staff Acknowledgments GAO Contacts Staff Acknowledgments (101646) The first copy of each GAO report is free. Additional copies of reports are $2 each. A check or money order should be made out to the Superintendent of Documents. VISA and MasterCard credit cards are also accepted. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U. S. General Accounting Office P. O. Box 37050 Washington, DC 20013 Orders by visiting: Room 1100 700 4 th St., NW (corner of 4 th and G Sts. NW) Washington, DC 20013 Orders by phone: (202) 512- 6000 fax: (202) 512- 6061 TDD (202) 512- 2537 Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512- 6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. Orders by Internet For information on how to access GAO reports on the Internet, send an email message with ?info? in the body to: Info@ www. gao. gov or visit GAO?s World Wide Web home page at: http:// www. gao. gov Contact one: Web site: http:// www. gao. gov/ fraudnet/ fraudnet. htm E- mail: fraudnet@ gao. gov 1- 800- 424- 5454 (automated answering system) Ordering Information To Report Fraud, Waste, and Abuse in Federal Programs *** End of document ***