Computer-Based Patient Records: Better Planning and Oversight By
VA, DOD, and IHS Would Enhance Health Data Sharing (30-APR-01,
GAO-01-459).
In November 1997, the President called for Department of Veterans
Affairs (VA) and the Department of Defense (DOD) to create an
interface that would allow the two agencies to share patient
health information. The Government Computer-Based Patient
Record's (GCPR) aim to allow health care providers to
electronically share comprehensive patient information should
provide the VA, DOD, and the Indian Health Service (IHS) a
valuable opportunity to improve the quality of care for their
beneficiaries. But without a lead entity, a clear mission, and
detailed planning to achieve that mission, it is difficult to
monitor progress, identify project risks, and develop appropriate
contingency plans to keep the project moving forward and on
track. Critical project decisions were not made, and the agencies
were not bound by those that were made. The VA and DOD Chief
Information Officers' (CIO) action to focus on short-term
deliverables and to capitalize on existing technologies is
warranted and a step in the right direction. However, until
problems with the two agencies' existing systems and issues
regarding planning, management, and accountability are resolved,
project costs will likely continue to increase and implementation
of the larger GCPR effort--and its expected benefits--will
continue to be delayed.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-01-459
ACCNO: A00848
TITLE: Computer-Based Patient Records: Better Planning and
Oversight By VA, DOD, and IHS Would Enhance Health Data Sharing
DATE: 04/30/2001
SUBJECT: Health care services
Information resources management
Interagency relations
Medical information systems
Medical records
Strategic information systems planning
Systems compatibility
DOD Military Health Services System
DOD TRICARE Program
DOD/IHS/VA Government Computer-Based
Patient Record Project
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Testimony. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-01-459
Report to Congressional Committees
United States General Accounting Office
GAO
April 2001 COMPUTER- BASED PATIENT RECORDS
Better Planning and Oversight by VA, DOD, and IHS Would Enhance Health Data
Sharing
GAO- 01- 459
Page i GAO- 01- 459 Government Computer- Based Patient Records Letter 1
Appendix I Scope and Methodology 22
Appendix II Comments From the Department of Veterans Affairs 24
Appendix III Comments From the Department of Defense 34
Appendix IV Comments From the Indian Health Service 40
Appendix V GAO Contacts and Staff Acknowledgments 43
Table
Table 1: Changes in GCPR?s Estimated Project Cost 10
Figures
Figure 1: GCPR Interface With Agencies? Health Information Systems 6 Figure
2: GCPR Time Frames as of January 1999 and September
2000 9 Contents
Page ii GAO- 01- 459 Government Computer- Based Patient Records
Abbreviations
CIO Chief Information Officer CPRS Computer Patient Record System DOD
Department of Defense GCPR Government Computer- Based Patient Record HHS
Department of Health and Human Services HIPAA Health Insurance Portability
and Accountability Act IHS Indian Health Service IT information technology
MHS Military Health System MOA memorandum of agreement PACMEDNET Pacific
Medical Network PDTS Pharmacy Data Transaction System TMIP Theater Medical
Information Program VA Department of Veterans Affairs VHA Veterans Health
Administration VISN Veterans? Integrated Service Network VISTA Veterans
Health Information Systems and
Technology Architecture
Page 1 GAO- 01- 459 Government Computer- Based Patient Records
April 30, 2001 The Honorable John Warner Chairman The Honorable Carl Levin
Ranking Member Committee on Armed Services United States Senate
The Honorable Bob Stump Chairman The Honorable Ike Skelton Ranking Minority
Member Committee on Armed Services House of Representatives
The Department of Veterans Affairs (VA) and the Department of Defense (DOD)
combined provide health care services to approximately 12 million veterans,
military personnel, and dependents at an annual cost of $34 billion. The
Veterans Health Administration (VHA) and the Military Health System (MHS)
collect and maintain patient health information in separate systems. The
Gulf War exposed many deficiencies in these systems and highlighted the need
for VA and DOD to be able to readily access and transfer accurate health
data on their respective populations. In December 1992, the Congress asked
us to report on how VA and DOD, along with the Indian Health Service (IHS),
could share information technology (IT) and patient medical information to
provide greater continuity of care, accelerate VA eligibility
determinations, and save software development costs. 1 In November 1997, the
President called for VA and DOD to create an interface that would allow the
two agencies to share patient health information.
In 1998, the Government Computer- Based Patient Record (GCPR) project was
initiated by VA, DOD, and IHS, which was included in the effort because of
its population- based research expertise and its long- standing relationship
with VA. Early project documents stated that, when completed, GCPR would
allow health care professionals to ?share clinical
1 See Federal Health Care: Increased Information System Sharing Could
Improve Service, Reduce Costs (GAO/ IMTEC- 93- 33BR, June 1993).
United States General Accounting Office Washington, DC 20548
Page 2 GAO- 01- 459 Government Computer- Based Patient Records
information via a comprehensive, lifelong medical record.? Given the
inherent complexity of such an undertaking and the value of achieving this
capability, the Congress directed us to report on the status of the GCPR
effort. Specifically, we were asked to (1) describe GCPR?s time frames,
costs, and expected benefits; (2) determine whether barriers to the progress
of the project exist; and (3) if barriers exist, describe agency actions to
address them. 2
Our review of the GCPR project was based on site visits to VA, DOD, and IHS
facilities and on interviews with officials at these facilities and at the
agencies? headquarters, GCPR management and contractors, and medical IT
experts from the health care industry. We also reviewed relevant GCPR
project documents as well as documents on the three agencies? health
information systems. In addition, we conducted site visits to several
private sector health care organizations that are also undertaking efforts
to link disparate health information systems, and we interviewed
representatives of these organizations about their experiences. We conducted
this review from March 2000 through February 2001 in accordance with
generally accepted government auditing standards. For more on our scope and
methodology, see appendix I.
Expanding time frames and cost estimates, as well as inadequate
accountability and poor planning, have raised doubts about GCPR?s ability to
provide its expected benefits, prompting the agencies to refocus their
approach to the project. Initial plans called for the agencies to begin
worldwide deployment of GCPR on October 1, 2000, but intermediate target
dates, such as those for testing, were not met, pushing project deployment
out to an undefined date. GCPR cost estimates have also proven to be
unreliable. In September 1999, GCPR was estimated to cost about $270 million
over its 10- year life cycle, by August 2000, projections for GCPR stood at
$360 million- estimates that GCPR project managers acknowledge are probably
understated. By the end of 2000, it became evident that, in the near term,
physicians and other health care professionals would not have access to
comprehensive beneficiary health information across the three partner
agencies, limiting the extent to which the effort will provide the benefits
originally envisioned- including improved research and quality of care as
well as clinical and administrative efficiencies.
2 H. R. Rep. No. 106- 616 at 383 (2000). Results in Brief
Page 3 GAO- 01- 459 Government Computer- Based Patient Records
With accountability for GCPR blurred across several management entities,
basic principles of sound IT project planning, development, and oversight
have not been followed, creating barriers to progress. For example, clear
goals and objectives have not been set; detailed plans for the design,
implementation, and testing of the interface have not been developed; and
critical decisions are not binding on all partners. In addition, GCPR plans
have not resolved data incompatibilities and other differences that
complicate the electronic exchange of health information among the three
agencies? facilities. Finally, concerns related to developing a
comprehensive strategy to guarantee the privacy and security of health
information shared through GCPR have not been addressed.
In September 2000, we discussed these barriers with VHA?s and MHS? Chief
Information Officers (CIO). Soon after, they began to exercise much needed
oversight, temporarily suspending further work on previously planned project
activities and focusing on more immediate and less ambitious returns from
GCPR. According to the CIOs, they are developing plans for an interim effort
to allow VHA to view DOD health data and expect to have this capability by
fall 2001. They plan to evaluate their existing IT products as well as
commercial products that have a similar aim of sharing patient data to
determine whether these technologies can be used for the interim effort,
which may allow VA and DOD to reduce or eliminate redundancies. However,
this interim effort, which does not include IHS as a partner, has several
major limitations. For example, physicians at Military Treatment Facilities
(MTF) will not be able to view VHA health information- or information from
other MTFs. Moreover, the information?s usefulness to health care providers
and researchers will likely be limited, in part because the requested data
could take as long as 48 hours to receive. Once DOD data are accessible to
VA, project officials report that they plan to resume the broader, longer-
term effort- establishing a link among multiple health information systems
to provide comprehensive patient information to physicians and other health
care professionals in the three agencies. However, to date, formal plans for
the interim effort and the resumption of the broader GCPR project have not
been developed. To help ensure that GCPR succeeds in exchanging patient
health information, we are making recommendations for VA and DOD to continue
to improve their oversight and planning of the project.
In commenting on our draft report, VA, DOD, and IHS concurred with the
findings and recommendations. In their comments, the agencies also outline a
new approach for GCPR.
Page 4 GAO- 01- 459 Government Computer- Based Patient Records
The GCPR effort developed out of VA and DOD discussions about ways to share
data in their health information systems and from efforts to create
electronic records for active duty personnel and veterans. The patients
served by VA?s and DOD?s systems tend to be highly mobile. Consequently,
their health records may be at multiple federal and nonfederal medical
facilities both in and outside the United States. In December 1996, the
Presidential Advisory Committee on Gulf War Veterans? Illnesses reported on
many deficiencies in VA?s and DOD?s data capabilities for handling service
members? health information. In November 1997, the President called for the
two agencies to start developing a ?comprehensive, life- long medical record
for each service member.? In August 1998, 8 months after the GCPR project
was officially established, the President issued a directive requiring VA
and DOD to develop a ?computer- based patient record system that will
accurately and efficiently exchange information.? The directive further
stated that VA and DOD should ?define, acquire, and implement a fully
integrated computer- based patient record available across the entire
spectrum of health care delivery over the lifetime of the patient? and
recognized VA and DOD?s effort to ?create additional interface mechanisms
that will act as bridges between existing systems.? 3 IHS became involved
because of its expertise in population- based research and its long-
standing relationship with VA in caring for the Indian veteran population as
well as IHS? desire to improve the exchange of information among its
facilities.
Each of the three agencies? health facilities is linked to their agency?s
regional database or an IT center: VA has about 750 facilities in 22
regions, DOD has about 600 MTFs in 14 domestic and overseas medical regions,
and IHS has 550 facilities in 12 regions. 4 Currently, these facilities
cannot electronically share patient health information across agency lines,
and only VA facilities have the capability of sharing certain information
across regions.
GCPR is not intended to be a separate computerized health information
system, nor is it meant to replace VA?s, DOD?s, and IHS? existing systems.
3 National Science and Technology Council, A National Obligation: Planning
for Health Preparedness for and Readjustment of the Military, Veterans, and
Their Families After Future Deployments, Presidential Review Directive 5
(Washington, D. C.: Executive Office of the President, Office of Science and
Technology Policy, Aug. 1998). 4 VA?s regions are officially referred to as
Veterans? Integrated Service Networks, or VISNs; IHS? regions are generally
referred to as areas. Background
Page 5 GAO- 01- 459 Government Computer- Based Patient Records
GCPR is intended to allow physicians and other authorized users at the
agencies? health facilities to access data from any of the agencies? other
health facilities by serving as an interface among their health information
systems (see fig. 1). As envisioned, the interface would compile requested
patient information in a temporary or virtual record while appearing on the
computer screen in the format of the user?s system. GCPR would divide health
data into 24 categories, or ?partitions,? including pharmacy, laboratory
results, adverse reactions, vital signs, patient demographics, and doctors?
notes.
Page 6 GAO- 01- 459 Government Computer- Based Patient Records
Figure 1: GCPR Interface With Agencies? Health Information Systems
Source: GAO.
With this ability to exchange information, GCPR is expected to achieve
several benefits, including improving quality of care; providing data for
population- based research and public health surveillance; advancing
industrywide medical information standards; and generating administrative
and clinical efficiencies, such as cost savings.
DOD Facilities' Composite Health
Care System (CHCS) I & II
IHS Facilities' Resource and Patient Management System
(RPMS) VA Facilities' Veterans Health Information Systems and Technology
Architecture
(VISTA)
GCPR
Page 7 GAO- 01- 459 Government Computer- Based Patient Records
Several management entities share responsibility for GCPR:
Military and Veterans Health Coordinating Board: This entity was created
to ensure coordination among VA, DOD, and the Department of Health and Human
Services (HHS) on military and veteran health matters, particularly as they
relate to deployed settings, such as the Persian Gulf. The board also
oversees implementation of the President?s August 1998 directive. The board
consists of the Secretaries of VA, DOD, and HHS.
DOD and VA Executive Council: The council was created to identify and
implement interagency initiatives that are national in scope. One initiative
is to ensure a smooth transfer of information between DOD?s and VA?s health
care systems through efforts such as GCPR. The council comprises VA?s Under
Secretary for Health, DOD?s Assistant Secretary for Health Affairs, their
key deputies, and the Surgeon General of each military branch.
GCPR Board of Directors: The board was established to set GCPR
programmatic and strategic priorities and secure funding from VA, DOD, and
IHS. The board consists of the VA Under Secretary for Health and CIOs for
MHS and IHS. 5
GCPR Executive Committee: The Executive Committee sets tactical
priorities, oversees project management activities, and ensures that
adequate resources are available. The committee membership consists of
senior managers from VA, DOD, and IHS.
GCPR is managed on a day- to- day basis by a program office staffed by
personnel from VA, DOD, IHS, and the project?s prime contractor, Litton/ PRC
of McLean, Virginia. Litton/ PRC is responsible for building, shipping,
installing, configuring, and operating the interface and administering site
training. Battelle Memorial Institute of Columbus, Ohio, holds contracts for
developing medical ?reference models,? which allow for the exchange of data
among different systems without requiring
5 The MHS CIO replaced the Deputy Surgeon General of the Navy as DOD?s
representative on the board. Previously, the MHS CIO was an ex- officio
member and was recorded as a participant in board minutes.
Page 8 GAO- 01- 459 Government Computer- Based Patient Records
standardization. 6 Assisting in the project are government- led work groups,
which consist of VA, DOD, and IHS employees and Litton/ PRC staff. The work
groups? key tasks include acquisition, finance, legal work, marketing,
telecommunications, and documenting clinical practices.
Throughout the course of the GCPR project, time frames and cost estimates
have expanded, and GCPR?s ability to deliver its expected benefits has
become less certain. In 1999, initial plans called for GCPR to begin
worldwide deployment October 1, 2000, but target dates for intermediate
phases, such as testing, were not met, pushing project deployment out to an
undefined date. For example, completion of testing was originally scheduled
for September 2000 but was delayed until August 2002 (see fig. 2).
6 Comprehensive industry standards for medical language and its context do
not exist. Consequently, different health information systems or providers
may use different terms to mean the same thing. For example, to indicate a
patient is suffering from a rhinovirus, some may use ?cold? while others may
use ?upper respiratory disorder? or ?nasal
congestion.? In addition, without knowing the context in which a term such
as ?cold? is used, it is difficult to determine whether the patient has a
rhinovirus or feels cold or has chronic obstructed lung disease. According
to GCPR project documents, reference models would allow translation among
the different medical languages and terminologies used by VA, DOD, and IHS.
Time Frames and Cost
Estimates Have Expanded, and Expected Benefits Have Been Delayed
Page 9 GAO- 01- 459 Government Computer- Based Patient Records
Figure 2: GCPR Time Frames as of January 1999 and September 2000
Source: GCPR project documents.
GCPR cost estimates also increased. GCPR was estimated in September 1999 to
cost about $270 million over its 10- year life cycle; by August 2000,
projections for GCPR stood at $360 million (see table 1). However, GCPR
project officials told us that the cost estimates were unreliable and
probably understated, in part because some costs- such as computer hardware
needed by the project?s contractors- were not included. Other cost
estimates, such as those for deployment, could not be verified. In the case
of deployment, final decisions affecting costs were not made.
Page 10 GAO- 01- 459 Government Computer- Based Patient Records
Table 1: Changes in GCPR?s Estimated Project Cost
(Dollars in millions)
Phase Estimates as of Sept. 1999 Estimates as of
Aug. 2000
Preliminary $12.5 $1.8 Phase I (prototype and proof of concept) 42.0 17.7
Phase II (pilot, alpha-, and beta- field testing) 23.3 98.2 Phase III
(phased deployment) 92.8 133.5 Ongoing operations 99.0 108.7
Total $269.6 $359.9
Source: GCPR project documents.
By the end of 2000, it became apparent that the benefits described in GCPR
project documents and brochures and on its website- including access to
comprehensive, life- long patient information- would not be realized in the
near future. According to Litton/ PRC, preliminary testing of data transfer
among selected VA facilities is demonstrating that the GCPR technology
works. However, significant issues in sharing comprehensive patient data
have not been adequately addressed. For example, while GCPR managers planned
to field test 6 7 of the 24 data partitions, they had no plans for when
other partitions would be tested. Moreover, access was to be limited to
patient information in VA?s, DOD?s, and IHS? health information systems;
information in other major data sources, such as TRICARE- DOD?s managed care
program- and other third- party providers would not be accessible. Access to
patient information would be further limited because full deployment of CHCS
II- DOD?s new, more comprehensive health information system, currently under
development- has been delayed until 2004 as the result of complications such
as limited system capacity and slow response time. With CHCS II, GCPR would
provide access to information on immunizations; allergies; and outpatient
encounters, such as diagnostic and treatment codes; as well as to
information in CHCS I, DOD?s current system, which primarily includes
information on patient hospital admission and discharge, patient
medications, laboratory results, and radiology. Providing other anticipated
benefits- such as improved quality of patient health records- will also be
difficult because GCPR plans do not include steps for correcting
longstanding data problems, such as inaccurate data entries.
7 Demographics, security, laboratory results, problem lists, medication
profiles, and adverse reactions.
Page 11 GAO- 01- 459 Government Computer- Based Patient Records
The lack of accountability and sound IT project planning- critical to any
project, particularly an interagency effort of this magnitude and
complexity- put GCPR at risk of failing. The relationships among GCPR?s
management entities were not clearly established, and no one entity had the
authority to make final project decisions binding on the other entities. As
a result, plans for the development of GCPR have not included a clear vision
for the project and have not given sufficient attention to technological and
privacy and security issues as the effort has moved forward. 8
From the outset, decision- making and oversight were blurred across several
management entities, compromising GCPR?s progress. The roles and
responsibilities of these entities and the relationships among them are not
spelled out in the VA- DOD- IHS memorandum of agreement (MOA), and no one
entity exercised final authority over the project. The Board of Directors
and the Executive Committee did not follow sound IT business practices- such
as ensuring agency commitment, securing stable funding, and monitoring the
project?s progress- as dictated by federal requirements. 9 For example, GCPR
documents show that VA, DOD, and IHS should provide consistent project
funding of 40 percent, 40 percent, and 20 percent, respectively, but DOD has
never provided this level of funding and, at times, temporarily withheld
funding it had promised. Moreover, the Board of Directors and the Executive
Committee did not exercise sufficient oversight, including monitoring, to
ensure that the project would be adequately funded.
Without agency commitment and sufficient oversight, the project team has
been limited in its ability to manage GCPR effectively or efficiently.
Unstable funding forced GCPR project managers to develop and issue multiple
short- term contracts for work that could have been covered by a single
longer- term contract. At one point during our review, project managers told
us that the project would end after field- testing because of a lack of
adequate funding and a lack of a clear mandate to proceed with full
8 An earlier independent risk assessment by Northpoint Software Ventures,
Inc., found similar weaknesses in GCPR?s business practices. 9 Six laws
largely lay out the IT management responsibilities of federal agencies: the
Federal Records Act of 1950, the Privacy Act of 1974, the Computer Security
Act of 1987, the Paperwork Reduction Act of 1995, the Clinger- Cohen Act of
1996, and the Government Paperwork Elimination Act of 1998. Inadequate
Accountability and Planning Compromised GCPR?s Progress
Lack of Accountability Undermined Agencies? Commitment to the Project
Page 12 GAO- 01- 459 Government Computer- Based Patient Records
deployment, even though plans called for the project to continue through
deployment.
The three partner agencies never reached consensus on GCPR?s mission and how
it would relate to the individual agencies? missions. In addition, key
project documents, such as the MOA establishing GCPR, have not adequately
spelled out the project?s goals and objectives. For example, some DOD
officials thought GCPR?s mission paralleled the goals and objectives of
Presidential Review Directive 5; however, GCPR project managers did not
share this understanding and the directive was never adopted as GCPR?s
mission. Without an agreed upon mission with clear goals and objectives, it
remained unclear what problem GCPR was trying to solve. This lack of
consensus on the project?s mission, goals, and objectives affected the
agencies? dedication of resources. Expecting GCPR to enhance its ability to
carry out its mission to provide health care to veterans, VA was providing
the most funding to the project. In contrast, DOD elected to place priority
on funding CHCS II, which is estimated to cost several billion dollars
because officials believe it will more specifically address the Department?s
health mission.
GCPR plans have also not sufficiently addressed other critical issues that
need to be resolved, such as decisions about key data elements. For example,
DOD and IHS use different identifiers to match health records to patients-
DOD facilities use Social Security numbers, while IHS facilities use
facility- specific health record numbers. Differences such as these
complicate the electronic exchange of health information. Further, in the
absence of common medical terminology, project personnel, assisted by
Battelle, are developing reference models they believe will interpret VA,
DOD, and IHS data and present the data in a format understandable to the
user- without requiring cross- agency standards. However, GCPR plans have
not specified the key tasks for developing these models, their relation to
one another, and who should carry them out. As a result, work progressed
slowly and rework has been necessary. For example, coordination between the
Battelle team and Litton/ PRC was, initially, not adequate to ensure that
the reference models developed by Battelle would meet Litton/ PRC?s
technical requirements for developing the interface. Therefore, the models
had to be revised.
In addition, the MOA and other key project documents did not lay out the
specific roles and responsibilities of VA, DOD, and IHS in developing,
testing, and deploying the interface. GCPR plans also did not describe how
the project would use the agencies? existing technologies for sharing
Inadequate Planning
Hindered Progress
Page 13 GAO- 01- 459 Government Computer- Based Patient Records
patient health information and to avoid duplication of effort. For example,
GCPR plans do not discuss VA?s ?remote view? capability- which will allow
users of VA?s Computer Patient Record System (CPRS) 10 to simultaneously
view health data across multiple facilities- or three of DOD?s health
information systems: Theater Medical Information Program (TMIP), Pacific
Medical Network (PACMEDNET), and Pharmacy Data Transaction System (PDTS). 11
Finally, a comprehensive strategy to guarantee the privacy and security of
electronic information shared through GCPR was not developed. GCPR?s draft
privacy and security plan delegates primary responsibility for ensuring
privacy and security to more than 1,000 VA, DOD, and IHS local facilities,
with few additional resources and little guidance. However, there have been
long- standing privacy and security problems within VA?s, and DOD?s
information systems. For example, weak access controls put sensitive
information- including health information- at risk of deliberate or
inadvertent misuse, improper disclosure, or destruction. 12 By providing
broader access to more users, GCPR may exacerbate these risks. DOD is
required by the Floyd D. Spence National Defense Authorization Act for 2001
(P. L. 106- 398) to submit to the Congress a comprehensive plan consistent
with HHS medical privacy regulations to improve privacy. 13 The act also
requires DOD to promulgate interim regulations that allow for use of medical
records as necessary for certain purposes, including patient treatment and
public health reporting, thus providing DOD the flexibility to share patient
health information through a mechanism such as GCPR. The HHS privacy
regulations went into effect on April 14, 2001, and contain provisions that
require consent to disclose health information
10 CPRS is a component system of VISTA. 11 DOD?s TMIP, currently under
development, is intended to capture medical information for deployed
personnel; PACMEDNET is a joint DOD/ VA effort to link medical records in
the Pacific region; and PDTS is DOD?s new patient drug transaction and
safety database. Program costs are $14.8 million for PDTS and $19. 5 million
for PACMEDNET; program costs for TMIP have not been determined.
12 See Information Security: Serious and Widespread Weaknesses Persist at
Federal Agencies (GAO/ AIMD- 00- 295, Sept. 6, 2000). 13 The Health
Insurance and Portability Act (HIPAA) requires the development of
comprehensive privacy standards that would establish rights for patients
with respect to their medical records and define the conditions for using
and disclosing identifiable health information. (P. L. 104- 191, 264, 110
Stat. 1936, 2033.) The final regulations require that patient consent must
be secured before disclosing information in individual medical records.
Page 14 GAO- 01- 459 Government Computer- Based Patient Records
before engaging in treatment, payment, or health care operations (45 C. F.
R. parts 160- 164). 14
Over the past several months, we have provided briefings on our findings to
agency and project officials, including the CIOs of VHA and MHS whom we
initially briefed in September 2000. Concerned about the lack of progress
and the significant weaknesses that we found, the CIOs have begun to exert
much needed oversight. They told us that they are now focusing on ?early
deliverables? for VA and DOD. To ensure more immediate applicability of GCPR
to their missions, VA and DOD?s current priority is to allow VA health care
providers to view DOD health data by the end of September 2001. Once this
interim effort is completed, the CIOs told us that they plan to resume the
broader GCPR project- establishing a link among all three partner agencies?
health information systems.
Under the interim effort, as described by the CIOs, certain trigger events,
such as a new veteran enrolling for VA medical treatment, will prompt VISTA
to contact a central server, which would search the hundreds of CHCS I sites
and collect any data on that patient. To help ensure efficient development
of the interim effort, VA and DOD now plan to evaluate their existing IT
products- such as VA?s remote view capability, which could have the
potential to facilitate the retrieval of DOD health data- as well as
commercial products to determine if these technologies can be used to
electronically transmit data among the agencies? systems. While we did not
conduct an in- depth review of these initiatives, we agree that such an
evaluation may allow VA and DOD to reduce or eliminate redundancies because
these products have a common aim of sharing patient data. However, it is
unclear to what extent the interim effort will be using the GCPR technology-
which, according to Litton/ PRC, has demonstrated that data can be moved
among VA facilities.
However, our concerns regarding the usefulness of the information- and the
implications for GCPR?s expected benefits- still remain. For example, under
the interim effort, the requested information is expected to take as long as
48 hours to be received. In addition, only authorized VHA personnel will
have the ability to see CHCS I data from MTFs; health care
14 The Secretary of HHS has stated that there will be guidelines and
modifications made to the consent provisions to make it clear that doctors
and hospitals will have access to necessary medical information about
patients whom they are treating. CIOs Change
Immediate Focus, but Serious Concerns Remain
Page 15 GAO- 01- 459 Government Computer- Based Patient Records
providers at MTFs will not be able to view health information from VHA- or
information from other MTFs. It is also unclear whether all or only selected
VA and DOD facilities will have the interim capability now being proposed.
IHS will not be included in the interim effort. Moreover, the interim effort
will rely on DOD?s aging system, CHCS I, which historically has not been
adequate to meet physicians? needs. CHCS I is primarily limited to
administrative information and some patient medical information, such as
pharmacy and laboratory results. CHCS I does not include patient information
on the health status of personnel when they enter military service, on
reservists who receive medical care while not on active duty status, or on
military personnel who receive care from TRICARE providers. CHCS I also does
not include physician notes made during examinations. In addition,
information captured by CHCS I can vary from MTF to MTF. Some facilities,
such as Tripler Army Medical Center in Hawaii, have significantly enhanced
their CHCS software to respond to the needs of physicians and other system
users and to collect patient health information not collected by other
facilities.
Further, the interim effort will need to address many of the same problems
that confronted the broader GCPR effort:
Transmitted information will be viewable only as sent; therefore, it will
not be computable- that is, it will not be possible to organize or
manipulate data for quick review or research.
Electronic connectivity among MTFs is limited, and the interim effort does
not propose to establish facility- to- facility links. Currently, only MTFs
within the same region and using the same DOD IT hardware can access one
another?s data using CHCS I.
The requested data will not be meaningful to the VA user unless CHCS?
language is translated into VISTA?s. For example, without interpretation, a
VA physician?s VISTA query for a patient?s sodium level would not recognize
?NA? (used by DOD) as equivalent to ?sodium? (used by VA). Until terms and
their context are standardized or the variations are identified, or
?mapped,? across all VA and DOD facilities, much of the information could be
meaningless to VA physicians.
According to VHA?s and MHS? CIOs, detailed plans and time frames are being
prepared for the short- term, interim effort to allow VA to receive
available electronic health information in CHCS I. However, as of the end of
February 2001, no agreement on the goals, time frames, costs, and oversight
for the interim approach has been reached, and no formal plans for the
interim project exist. Moreover, revised plans for the broader, long-
Page 16 GAO- 01- 459 Government Computer- Based Patient Records
term GCPR project- including how and when IHS will resume its role in the
project- have not been developed.
While a draft of this report was being reviewed by the agencies, they
developed a new near- term effort which they outlined in their comments.
This effort, which revises their interim effort, is intended to address our
concerns. However, many of our concerns remain and are addressed in our
response to comments from the agencies.
GCPR?s aim to allow health care providers to electronically share
comprehensive patient information should provide VA, DOD, and IHS a valuable
opportunity to improve the quality of care for their beneficiaries. But
without a lead entity, a clear mission, and detailed planning to achieve
that mission, it is difficult to monitor progress, identify project risks,
and develop appropriate contingency plans to keep the project moving forward
and on track. Critical project decisions were not made, and the agencies
were not bound by those that were made. The VA and DOD CIOs? action to focus
on short- term deliverables and to capitalize on existing technologies is
warranted and a step in the right direction. However, until problems with
the two agencies? existing systems and issues regarding planning,
management, and accountability are resolved, projected costs are likely to
continue to increase, and implementation of the larger GCPR effort- along
with its expected benefits- will continue to be delayed.
To help strengthen management and oversight of GCPR, we recommend that the
Secretaries of VA and DOD and the Director of IHS reassess decisions about
the broader, long- term GCPR project, based on the results of the interim
effort. If the Secretaries of VA and DOD and the Director of IHS decide to
continue with the broader effort, they should direct their health CIOs to
apply the principles of sound project management delineated in our following
recommendations for the interim effort.
For the interim effort, we recommend that the Secretaries of VA and DOD and
the Director of IHS direct their health CIOs to take the following actions:
Designate a lead entity with final decision- making authority and
establish a clear line of authority.
Create comprehensive and coordinated plans to ensure that the agencies?
can share comprehensive, meaningful, accurate, and secure patient health
data. These plans include an agreed- upon mission and clear goals,
Conclusions
Recommendations for Executive Action
Page 17 GAO- 01- 459 Government Computer- Based Patient Records
objectives, and performance measures, and they should capitalize on existing
medical IT capabilities.
VA, DOD, and IHS reviewed and separately commented on a draft of this
report. Each concurred with the findings and recommendations. The agencies
also provided comments that outline a new near- term effort for GCPR and
that aim to clarify GCPR?s purpose. Additionally, VA, DOD, and IHS provided
written technical comments, which we have incorporated where appropriate.
The full texts of their comments are reprinted as appendixes II, III, and
IV.
Regarding our recommendation to establish a clear line of authority, the
Secretary of VA committed to meeting with the Secretary of Defense and the
Director of IHS to designate a lead entity that will have decisionmaking
authority for the three organizations. He said that once established, that
entity will have a clear line of authority over all GCPR development
activities. With regard to our recommendation to create comprehensive and
coordinated plans for sharing patient health data, the Secretary of VA said
he would direct the VHA CIO, in collaboration with VA?s departmentwide CIO
to prepare such plans under the oversight of the lead entity. In response to
our recommendation that longer- term GCPR decisions be reassessed based on
the results of the interim effort, the Secretary of VA responded that GCPR
will be reassessed based on the results of their near- term effort.
Additionally, he said that the longer- term strategy will depend to some
extent on advances in medical informatics, standards development, and the
ability to bring in additional partners.
DOD provided similar comments on our recommendation concerning longer- term
GCPR decisions and also mentioned that it plans to include the Military
Health System Information Management Committee in GCPR oversight. While IHS
provided no information on the steps it plans to take to implement our
recommendations, it commented, along with VA and DOD, that collaboration is
essential to the future of GCPR. Overall, the agencies? statements, in our
view, represent a commitment to oversight and management of GCPR. However,
it is much too soon to know whether their commitment will result in a
successful project.
VA, DOD, and IHS also provided information that, according to the
organizations, is intended to serve as a foundation for assessing GCPR and
its progress. The agencies emphasized that GCPR is not intended to carry the
whole weight for the service members? health records and the related health
information systems, but instead consists of the agencies? core health
information systems with GCPR handling the transfer and Agency Comments
Page 18 GAO- 01- 459 Government Computer- Based Patient Records
mediation of data. Our report does not suggest that GCPR is a replacement
for the agencies? information systems or that it should carry the weight of
the agencies? patient health information. Rather, our report states that
GCPR is intended to create an electronic link that will enable the agencies
to share patient data from their separate health information systems.
The agencies also provided a clarification of GCPR?s purpose, stating that
it will provide a longitudinal record covering service members from the
start of their service through their care with VA. VA acknowledges that the
realities of the challenges the project has presented have led to a scaling
back of the initial version of GCPR as described in early project documents,
such as budget submissions, contractors? statements of work, and project
plans. These documents indicated that in addition to including IHS, GCPR
would permit health care professionals to share clinical information via a
comprehensive lifelong, medical record- one that would include information
from all sources of care. GCPR was similarly described on GCPR?s home page
and during briefings to the Congress and others, such as the National
Committee on Vital and Health Statistics. Some documents, such as VA?s
Fiscal Year 2001 Performance Plan, have described GCPR as including
dependents of service members. To the extent that the agencies agree on the
scaled- back description of GCPR, project documents and communications need
to reflect this new understanding. This is, in part, why we recommended that
the agencies develop and document a clear, agreed upon project mission,
along with specific goals, objectives, and performance measures.
The agencies? also provided information on a new near- term effort for GCPR,
which they developed while reviewing our draft report. According to the
agencies, this revised near- term effort that they have developed uses the
GCPR framework and will provide VA clinicians with DOD data on all active
duty members, retirees, and separated personnel. VA and DOD recognize that
this one- way flow of information is not perfect but should be a substantial
improvement for physicians making medical decisions and enhance the
continuity of care for veterans. According to the agencies, the near- term
effort is funded through year 2001 and they expect to have initial operating
capability by fall 2001. We agree that, if successful, this effort should
provide useful information to VA clinicians. In our view, their outline of
the new near- term approach indicates that it is only in the concept stage
and detailed planning and actual work are just beginning. For example, the
agencies note that current data will be sent in ?near realtime
transmission,? and historical data will be ?extracted and transmitted on a
predetermined schedule.? But they do not define ?near real- time? and
?predetermined schedule.?
Page 19 GAO- 01- 459 Government Computer- Based Patient Records
Additionally, the agencies assert that the new near- term effort addresses
many of the concerns we raised in the report. However, several of these
issues remain and, as we recommended, need to be reassessed at the
conclusion of the near- term effort because of their implications for the
long- term effort:
GCPR- both the near- term and larger efforts- will not provide a
longitudinal record because plans call for GCPR to use DOD?s CHCS I for the
foreseeable future. CHCS I, as DOD acknowledges in its comments, was not
designed to include patient information on the health status of personnel
when they enter military service, on reservists who receive medical care
while not on active duty status, or on military personnel who receive care
outside MTFs.
The meaningfulness of the transmitted data remains in question because the
agencies do not plan to standardize or map the differing terminology in
their health information systems. As we note in the report, without
standardized terminology or mapping, the meaning of certain terms used in
medical records may not be apparent to the VA provider requesting the
information. For example, unless the context is clear, the meaning of the
term ?cold? in a medical record may be interpreted as meaning a rhinovirus,
a feeling of being cold, or having chronic obstructed lung disease.
The agencies also need to more fully address data- specific matters, such
as GCPR?s reference modeling, before developing additional hardware and
software. Once they reach consensus on these issues, their agreement must be
clearly stated in a formalized document- one that is binding on all three
partners. Finally, for the project to be successfully deployed, detailed
plans on GCPR?s system components and tasks with clear project parameters
need to be developed. Until such plans are developed, the agencies? GCPR
efforts cannot be fully assessed.
Privacy and security issues are also continuing concerns. DOD states in
its comments that it does not intend to delegate responsibility for
complying with DOD and federal privacy and security requirements to its
local facilities. However, DOD does not describe how it plans to ensure
compliance, raising concerns such as how unintended or unauthorized
disclosure or access of information would be prevented when the nearterm
effort provides selected ?data feeds from CHCS I [into] a database to be
accessed by VA.? Similarly, VA generally describes how authorized VA staff
will access DOD medical records. However, we have concerns about how the two
Departments will ensure the privacy and security of patient information
given the security weaknesses in their computer systems, which we have
repeatedly reported on. In March 2001, we reported that DOD continues to
face significant personnel, technical, and operational
Page 20 GAO- 01- 459 Government Computer- Based Patient Records
challenges in implementing a departmentwide information security program,
and DOD management has not carried out sufficient program oversight. 15 We
included VA?s computer security in our January 2001 HighRisk Series and, in
an accompanying report, pointed out persistent computer security weaknesses
that placed critical VA operations, including health care delivery, at risk
of misuse, fraud, improper disclosure, or destruction. 16 For example, we
found that VA has not adequately limited access granted to authorized users,
managed user identification and passwords, or monitored access activity-
weaknesses that VA?s Inspector General recently testified on. 17
Funding is also a concern. VA states that GCPR?s ?success and rate of
progression will depend to some extent on the ability to add partners and
available funding.? Similarly, DOD states that GCPR program requirements
will be funded in accordance with overarching DOD mission priorities. IHS
also noted that it faces competing demands for scarce resources. We
recognize that each agency has multiple priorities. However, securing
adequate and stable funding and determining whether additional partners are
needed depends on reliable cost estimates- which can only be determined with
well- defined goals and detailed plans for achieving those goals. As DOD
points out in its comments, the 10- year cost estimates for GCPR will
continue to be considered unreliable until clear mid- and longterm goals and
objectives have been established and agreed to by the three agencies.
Each of the three agencies also stated that GCPR may have been judged by the
criteria used to assess a standard information system development effort and
that doing so understates the complexity of their undertaking. While we
believe that the technology exists to support GCPR- particularly the new
near- term effort- we agree that GCPR presents unique and difficult
administrative challenges. Yet it is this very complexity that calls for
thorough planning, interagency coordination, and diligent oversight as well
as consistent and regular communication of the project?s status and progress
to all stakeholders.
15 Information Security: Progress and Challenges to an Effective Defense-
wide Information Assurance Program (GAO- 01- 307, Mar. 30, 2001). 16 Major
Management Challenges and Program Risks: Department of Veterans Affairs
(GAO- 01- 255, Jan. 2001). 17 Testimony of Richard J. Griffin, Inspector
General, Department of Veterans Affairs, before the House Committee on
Veterans? Affairs, Subcommittee on Oversight and Investigations, April 4,
2001.
Page 21 GAO- 01- 459 Government Computer- Based Patient Records
Finally, VA noted that it would like to discuss with us certain details in
our report with which it did not fully agree but yet did not disclose in its
comments. Throughout the course of the project- and particularly over the
past 6 months- we met frequently with the agencies to provide observations
on our work and discuss any concerns that were brought to our attention. We
are committed to continuing to meet with VA, DOD, and IHS to help in this
important endeavor.
We are sending this report to the Honorable Anthony Principi, Secretary of
Veterans Affairs; the Honorable Donald Rumsfeld, Secretary of Defense; the
Honorable Tommy Thompson, Secretary of Health and Human Services;
appropriate congressional committees; and other interested parties. We will
also make copies available to others upon request. Should you have any
questions on matters discussed in this report, please contact me at (202)
512- 7101. Other contacts and key contributors to this report are listed in
appendix V.
Stephen P. Backhus Director, Health Care- Veterans?
and Military Health Care Issues
Appendix I: Scope and Methodology Page 22 GAO- 01- 459 Government Computer-
Based Patient Records
To determine the status of the GCPR project, we conducted site visits to VA,
DOD, and IHS facilities; interviewed personnel at these locations,
representatives of nonfederal health care organizations, and others
knowledgeable about computerized linking of disparate health information
systems; and reviewed documents relevant to the project. We also consulted
with project officials at various times during our audit about the status of
our review.
We went to a total of nine VA, DOD, and IHS health care facilities in
California, Hawaii, Indiana, and Washington, D. C. These sites were
judgmentally selected based on a variety of factors, including diversity of
system capabilities and size and type of facility, such as major medical
centers and small community- based clinics. Therefore, they are not
necessarily representative of the agencies? facilities. During these site
visits, we spoke with a variety of facility staff- ranging from a DOD
regional medical commander and IHS facility managers to VA administrative
personnel- about their experiences using the agencies? existing health
information systems. We also asked them about what additional information
and system features they consider to be important in treating patients and
conducting population- based research. Further, we talked with facility IT
technicians and administrators about their systems? capabilities and the
technical requirements for developing the GCPR interface, and we discussed
the potential effect the interface might have on current operations and
systems.
We interviewed VA, DOD, and IHS officials, primarily from the agencies?
headquarters, involved directly in the GCPR project to obtain specific
information about the project?s day- to- day operations and management,
including timelines, costs, and technical matters. We also interviewed
personnel from the two primary GCPR contractors- Litton/ PRC in McLean,
Virginia, and Battelle Memorial Institute of Columbus, Ohio- on the status
of the interface development, particularly regarding the reference modeling.
We also talked with agency representatives on the GCPR Board of Directors
and Executive Committee about the oversight of the project.
To obtain additional perspectives about the development of computerized
patient record systems, we talked with recognized leaders in the field and
visited selected private sector facilities, including Kaiser Permanente,
Aurora HealthCare of Wisconsin, and the Regenstrief Institute of the
University of Indiana in Indianapolis. We also talked with officials from
the National Committee on Vital and Health Statistics regarding privacy
Appendix I: Scope and Methodology
Appendix I: Scope and Methodology Page 23 GAO- 01- 459 Government Computer-
Based Patient Records
and security issues and the status of the development of HIPAA regulations.
Finally, we reviewed many GCPR project documents. These included technical
plans, such as the project?s draft privacy and security plan, deployment
plans, and other planning documents; cost analyses; and Board of Directors
and Executive Committee meeting minutes; and other relevant project
documents. We conducted our review between March 2000 and April 2001 in
accordance with generally accepted government auditing standards.
Appendix II: Comments From the Department of Veterans Affairs
Page 24 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Appendix II: Comments From the Department of Veterans Affairs
Page 25 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 26 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 27 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 28 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 29 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 30 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 31 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 32 GAO- 01- 459 Government Computer- Based Patient Records
Appendix II: Comments From the Department of Veterans Affairs
Page 33 GAO- 01- 459 Government Computer- Based Patient Records
Appendix III: Comments From the Department of Defense
Page 34 GAO- 01- 459 Government Computer- Based Patient Records
Appendix III: Comments From the Department of Defense
Appendix III: Comments From the Department of Defense
Page 35 GAO- 01- 459 Government Computer- Based Patient Records
Appendix III: Comments From the Department of Defense
Page 36 GAO- 01- 459 Government Computer- Based Patient Records
Appendix III: Comments From the Department of Defense
Page 37 GAO- 01- 459 Government Computer- Based Patient Records
Appendix III: Comments From the Department of Defense
Page 38 GAO- 01- 459 Government Computer- Based Patient Records
Appendix III: Comments From the Department of Defense
Page 39 GAO- 01- 459 Government Computer- Based Patient Records
Appendix IV: Comments From the Indian Health Service
Page 40 GAO- 01- 459 Government Computer- Based Patient Records
Appendix IV: Comments From the Indian Health Service
Appendix IV: Comments From the Indian Health Service
Page 41 GAO- 01- 459 Government Computer- Based Patient Records
Appendix IV: Comments From the Indian Health Service
Page 42 GAO- 01- 459 Government Computer- Based Patient Records
Appendix V: GAO Contacts and Staff Acknowledgments
Page 43 GAO- 01- 459 Government Computer- Based Patient Records
Ann Calvaresi- Barr (202) 512- 6986 Keith Steck (202) 512- 9166
In addition to those named above, the following staff made key contributions
to this report: Tonia Johnson, Helen Lew, William Lew, Valerie Melvin, Karen
Sloan, and Thomas Yatsco. Appendix V: GAO Contacts and Staff
Acknowledgments GAO Contacts Staff Acknowledgments
(101646)
The first copy of each GAO report is free. Additional copies of reports are
$2 each. A check or money order should be made out to the Superintendent of
Documents. VISA and MasterCard credit cards are also accepted.
Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.
Orders by mail:
U. S. General Accounting Office P. O. Box 37050 Washington, DC 20013
Orders by visiting:
Room 1100 700 4 th St., NW (corner of 4 th and G Sts. NW) Washington, DC
20013
Orders by phone:
(202) 512- 6000 fax: (202) 512- 6061 TDD (202) 512- 2537
Each day, GAO issues a list of newly available reports and testimony. To
receive facsimile copies of the daily list or any list from the past 30
days, please call (202) 512- 6000 using a touchtone phone. A recorded menu
will provide information on how to obtain these lists.
Orders by Internet
For information on how to access GAO reports on the Internet, send an email
message with ?info? in the body to:
Info@ www. gao. gov or visit GAO?s World Wide Web home page at: http:// www.
gao. gov
Contact one:
Web site: http:// www. gao. gov/ fraudnet/ fraudnet. htm
E- mail: fraudnet@ gao. gov
1- 800- 424- 5454 (automated answering system) Ordering Information
To Report Fraud, Waste, and Abuse in Federal Programs
*** End of document ***