Year 2000 Computing Crisis: Medicare and the Delivery of Health Services
Are at Risk (Testimony, 02/24/99, GAO/T-AIMD-99-89).

Pursuant to a congressional request, GAO discussed the readiness of
automated systems that support the nation's delivery of health benefits
and services to function reliably without interruption throughout the
turn of the century, focusing on: (1) Medicare's ability to provide
accurate benefits and services to millions of Americans; and (2) the
overall readiness of the health care sector.

GAO noted that: (1) as the nation's largest health care insurer,
Medicare expects to process over a billion claims and pay $288 billion
in benefits annually by 2000; (2) the Health Care Financing
Administration (HCFA) has been responsive to GAO recommendations, and
its top management is actively engaged in its year 2000 program; (3) to
more effectively identify and manage risks, HCFA is relying on multiple
sources of information, including test reports, reports from its
independent validation and verification (IV&V) contractors, and weekly
status reports from its recently established contractor and oversight
teams; (4) HCFA is also more effectively managing its electronic data
exchanges and has more clearly defined its testing procedures; (5) HCFA
has also demonstrated progress in developing business continuity and
contingency plans to ensure that, no matter what, beneficiaries will
receive care and providers will be paid; (6) according to the Department
of Health and Human Services' year 2000 quarterly progress report, all
25 of HCFA's internal mission-critical systems were reported to be
compliant, as were 54 of the 78 external systems; (7) HCFA's reported
progress on its external mission-critical systems is considerably
overstated; (8) all 54 external systems that were reported as compliant
have important associated qualifications exceptions, some of them very
significant; (9) the IV&V contractor acknowledges that Medicare claims
processing systems have made progress toward year 2000 compliance over
the past year, yet the various qualifications inevitably mean that some
renovation and a significant amount of retesting still needs to be
accomplished before these systems can be considered compliant; (10) the
question of whether medical devices such as magnetic resonance imaging
systems, x-ray machines, pacemakers, and cardiac monitoring equipments
can be counted on to work reliably on and after January 1, 2000, is
critical to the nation's health care; (11) the Food and Drug
Administration, which provides information from biomedical equipment
manufacturers to the public, had a disappointing response rate from
biomedical equipment manufacturers to its request for compliance
information; and (12) until this information is obtained and publicized,
consumers will remain in doubt as to the year 2000 readiness of key
health care components.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-89
     TITLE:  Year 2000 Computing Crisis: Medicare and the Delivery of 
             Health Services Are at Risk
      DATE:  02/24/99
   SUBJECT:  Y2K
             Computer software verification and validation
             Systems compatibility
             Information resources management
             Systems conversions
             Health care services
             Data integrity
             Medical equipment
             Medical information systems
             Internal controls
IDENTIFIER:  Y2K
             Medicare Program
             HCFA Common Working File
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
AI99089T.book GAO United States General Accounting Office

Testimony Before the Committee on Ways and Means, House of
Representatives

For Release on Delivery Expected at 9 a. m. Wednesday, February
24, 1999

YEAR 2000 COMPUTING CRISIS

Medicare and the Delivery of Health Services Are at Risk

Statement of Joel C. Willemssen Director, Civil Agencies
Information Systems Accounting and Information Management Division




GAO/T-AIMD-99-89

  GAO/T-AIMD-99-89

Page 1 GAO/T-AIMD-99-89

Mr. Chairman and Members of the Committee: We appreciate the
opportunity to join in today's hearing and share information on
the readiness of automated systems that support the nation's
delivery of health benefits and services to function reliably
without interruption through the turn of the century. This
includes the ability of Medicare to provide accurate benefits and
services to millions of

Americans and the overall readiness of the health care sector,
including such key elements as biomedical equipment used in the
delivery of health services. Successful Year 2000-- or Y2K--
conversion is critical to these efforts.

In a report issued last year, we concluded that the progress made
by the Department of Health and Human Services' (HHS) Health Care
Financing Administration (HCFA) and its contractors in making its
computers that

process Medicare claims Year 2000 compliant was severely behind
schedule in areas including repair, testing, and implementation. 1
Further, we made numerous recommendations to improve key HCFA
management practices which we found to be lacking or inadequate.
This morning I would like to briefly discuss our findings from
that report and our

suggestions for strengthening HCFA's Y2K activities, describe
actions taken on those recommendations, and provide our
perspective on where HCFA stands today.

Beyond Medicare, the level of information on a national level
concerning Year 2000 compliance throughout the health care sector
including providers, insurers, manufacturers, and suppliers is
limited. As we reported last fall, this was true of biomedical
equipment routinely used in the delivery of health care. 2 Such
equipment includes medical devices such

as cardiac defibrillators and monitoring systems that can record,
process, analyze, display, and/ or transmit data. Today, I would
like to share information in this area with you as well.

1 Medicare Computer Systems: Year 2000 Challenges Put Benefits and
Services in Jeopardy (GAO/AIMD-98-284, September 28, 1998). 2 See
Year 2000 Computing Crisis: Compliance Status of Many Biomedical
Equipment Items Still Unknown (GAO/AIMD-98-240, September 18,
1998).

Page 2 GAO/T-AIMD-99-89

HCFA's Ability to Process Medicare Claims Into the Next Century

As the nation's largest health care insurer, Medicare expects to
process over a billion claims and pay $288 billion in benefits
annually by 2000. The consequences, then, of its systems' not
being Year 2000 compliant could be enormous. We originally
highlighted this concern in May 1997, making several
recommendations for improvement. 3 In our report of last

September we warned that although HCFA had made improvements in
its Year 2000 management, serious challenges remained to be
resolved in a short period of time. Specifically, we reported that
less than a third of Medicare's mission- critical systems had been
fully renovated, and none had been validated or implemented.
Further, in terms of the agency's key

management practices necessary to adequately direct and monitor
its Year 2000 project, HCFA had not  developed an overall schedule
and critical path to identify and rank Y2K

tasks to help ensure that they could be completed in a timely
manner;  implemented risk management processes necessary to
highlight potential technical and managerial weaknesses that could
impair project success;

 planned for or scheduled end- to- end testing to ensure that
programwide renovations would work as planned; or  effectively
managed its electronic data exchanges, thereby increasing the risk
that Y2K errors would be transferred through data exchanges

from one organization's computer systems to those of another. The
Office of Management and Budget (OMB) also had concerns. In its
December 8, 1998, summary of Year 2000 progress reports of all
agencies for the reporting quarter ending November 13, 1998, it
concluded that while

HCFA had made significant progress in renovating its internal and
external systems, the agency remained a serious concern due to the
remediation schedule of its external systems. OMB further stated
that Medicare contractors would have to make an intensive,
sustained effort to complete validation and implementation of
their mission- critical systems by the

governmentwide goal of March 31, 1999. OMB designated HHS as a
tier 1 agency on its three- tiered rating scale since it had made
insufficient progress in addressing the Year 2000 problem. 3
Medicare Transaction System: Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May
16, 1997).

Page 3 GAO/T-AIMD-99-89

Our conclusions and recommendations to the HCFA Administrator
reflected our concerns about the high level of risk and large
number of tasks still facing HCFA. We reported that it was more
critical than ever that HCFA have sound business continuity and
contingency plans in place that can be implemented should systems
failures occur. Our specific

recommendations included that HCFA  rank its remaining Year 2000
work on the basis of an integrated project

schedule and ensure that all critical tasks are prioritized and
completed in time to prevent unnecessary delays,  develop a risk
management process,  define the scope of an end- to- end test of
the claims process and develop

plans and a schedule for conducting such a test,  ensure that all
external and internal systems' data exchanges have been identified
and agreements signed among exchange partners, and

 accelerate the development of business continuity and contingency
plans.

HCFA's Actions to Achieve Compliance

HCFA has been responsive to our recommendations, and its top
management is actively engaged in its Year 2000 program. HCFA's
Administrator has made Year 2000 compliance the agency's top
priority and has directed a number of actions to more effectively
manage this project. For example, HCFA has established a war room
for real- time monitoring of Year 2000 renovation, testing, and
implementation activities. In addition, the agency established
seven contractor oversight teams to monitor

progress. HCFA also strengthened its outreach efforts: on January
12, 1999, the Administrator sent individual letters to each of the
1.25 million Medicare providers in the United States, alerting
them to take prompt Year 2000 action on their information and
billing systems. Three days later the

Administrator sent a letter to Congress, with assurances that HCFA
is making progress and stressing that physicians, hospitals, and
other providers must also meet the Y2K challenge. HCFA also
offered to provide speakers in local congressional districts.

To more effectively identify and manage risks, HCFA is relying on
multiple sources of information, including test reports, reports
from its independent validation and verification (IV& V)
contractors, and weekly status reports from its recently
established contractor oversight teams. In addition, HCFA has
stationed staff at critical contractor sites to assess the data
being reported to them and to identify problems.

Page 4 GAO/T-AIMD-99-89

HCFA is also more effectively managing its electronic data
exchanges. HCFA now reports having a complete data exchange
inventory of nearly 8,000 internal exchanges and over 255,000
external data exchanges. HCFA

also issued instructions to its contractors (carriers and fiscal
intermediaries) to inform providers and suppliers that they must
submit Medicare claims in Year 2000- compliant data exchange
format by April 5 of this year. The status of each of these data
exchanges is being tracked by HCFA staff. HCFA has also more
clearly defined its testing procedures. It published additional
testing guidance in November 1998 that provided a policy for
external systems that requires multiple levels of testing for each
system,

including:  Unit level testing: testing of the individual software
component using

test cases that exercise all component functionality. For the
standard claims processing system, this includes full functional
testing of claims processing policy and program integrity edits.
Simulated future date testing: testing of the individual software
component using tools to simulate that the date has been rolled
forward.

 Compliance testing: testing in a fully Year 2000- compliant
environment with real future dates to verify that the system is
Year 2000 compliant.

HCFA also plans to perform end- to- end testing with its Year
2000- compliant test sites. These end- to- end tests are to
include all internal systems and contractor systems; however, they
will not include testing with banks and providers. Finally, HCFA
has begun to use a Year 2000 analysis tool to measure testing
thoroughness, and its IV& V contractor is assessing test adequacy
on the external systems (e. g., test coverage and documentation).

The final area in which HCFA has demonstrated progress is
developing business continuity and contingency plans to ensure
that, no matter what, beneficiaries will receive care and
providers will be paid. HCFA has established cross- organizational
workgroups to develop contingency plans for the following core
business functions: health plan and provider payment, eligibility
and enrollment issues, program integrity, managed care, quality of
care, litigation, and telecommunications. HCFA's draft plans
document its business impact analysis; the contingency plans are
expected to be completed by March 31 of this year, and testing of
the plans

by June 30.

Page 5 GAO/T-AIMD-99-89

Reported Status of HCFA's Mission- Critical Systems HCFA operates
and maintains 25 internal mission- critical systems; it also
relies on 78 external mission- critical systems operated by
contractors throughout the country to process Medicare claims.
These external systems include six standard processing systems and
the Common

Working File. Each contractor relies on one of these standard
systems to process its claims, and adds its own front- end and
back- end processing systems. The Common Working File is a set of
databases located at nine sites that work with internal and
external systems to authorize claims payments and determine
beneficiary eligibility. HCFA's reporting of its readiness for
next January sounds quite positive as stated in the most recent
HHS Y2K quarterly progress report to OMB. According to this
report, dated February 10, as of December 31, 1998, all 25 of
HCFA's internal mission- critical systems were reported to be
compliant, as were 54 of the 78 external systems. Figure 1 shows
HCFA's reported status, compared with what it reported on
September 30, 1998.

Page 6 GAO/T-AIMD-99-89

Figure 1: Reported Status of HCFA's Mission- Critical Systems

Source: HCFA quarterly reports to HHS.

Reported Progress Is Highly Overstated HCFA's reported progress on
its external mission- critical systems is considerably overstated.
In fact, none of the 54 systems reported

compliant by HCFA was Year 2000 ready as of December 31, 1998. All
54 external systems that were reported as compliant have important
associated qualifications (exceptions), some of them very
significant. Such qualifications included a major standard system
that failed to recognize 00 as a valid year, as well as 2000 as a
leap year; it also included systems that were not fully future
date tested.

According to HCFA officials, they reported these systems as
compliant because these qualifications were minor problems that
should not take much time to address. This is at variance with the
IV& V contractor's interpretation. More specifically, the IV& V
contractor found that the

25 51

78 9

25 0

54 5

25 0

54 25 0 10

20 30

40 50

60 70

80 90

9/ 30/ 98 12/ 31/ 98 9/ 30/ 98 12/ 31/ 98 Internal External

Renovated Validated Implemented

Number of systems

Page 7 GAO/T-AIMD-99-89

qualifications reported by all systems contractors were critical,
most requiring a major to moderate level of effort to resolve. A
specific example of a system reported as compliant with
qualifications is the Florida standard system, used by 29
contractors. This system had one qualification that consisted of
22 test failures. The IV& V contractor characterized this failure
experience as significant. HCFA reports that these failures were
corrected with a January 29, 1999, software release.

However, in a February 16, 1999, IV& V status report, Blue Cross
of California a user of the Florida standard system-- found that
date test problems remained. In another example, the EDS MCS
standard system

that is used by 10 contractors had 25 qualifications; these
included 9 problems that were not future date tested. HCFA now
reports that future date testing of the January software release
of the EDS MCS system is 92 percent complete.

As these examples illustrate, these systems are not yet Year 2000
compliant, and the 39 contractors that use these two standard
systems likewise cannot be considered compliant. Further,
according to the IV& V contractor, two critical qualifications
associated with each of the standard systems affect all external
contractor systems: (1) HCFA- supplied systems that contractors
use in claims processing were delivered too late to them

for required testing to be performed and (2) the claims processing
data centers' hardware, software, and telecommunications were not
completely compliant. The IV& V contractor acknowledges that
Medicare claims processing systems have made progress toward Year
2000 compliance over the past year, yet the various qualifications
inevitably mean that some renovation and a significant amount of
retesting still needs to be accomplished before

these systems can be considered compliant. To HCFA's credit, it
issued a memorandum in early January requesting Medicare carriers
and fiscal intermediaries to resolve these qualifications by March
31, the federal target date for Year 2000 compliance. The notice
stated that Medicare

systems with unresolved Y2K problems affecting claims processing
functions must be corrected, tested, and installed in production.
As part of our ongoing work for the Senate Special Committee on
Aging, we will be

monitoring the resolution of these qualifications closely. Other
Critical Risks/ Challenges That Remain

The February 16, 1999, report of HCFA's IV& V contractor stated
that an integrated schedule that tracks all major internal system
activities needs to

Page 8 GAO/T-AIMD-99-89

be established. It added that system- specific information--
including time, test scheduling, and resource considerations--
needs to be more fully developed in order to achieve a robust,
trackable schedule. We agree. In fact, this is consistent with our
previous recommendation that remaining

Y2K work be ranked on the basis of a schedule that includes
milestones for renovation and testing of all systems, and that it
include time for end- to- end testing and development and testing
of business continuity and contingency plans. 4 Such a schedule is
even more important for the external systems because of their
greater number, complexity, and interdependencies. HCFA still
lacks an integrated schedule that identifies a critical path.
Without this, it will be difficult for HCFA management to

identify important dependencies in this complex environment and to
prioritize its remaining work in the time that remains. HCFA also
lacks a formal risk management process something to identify all
risks and their interdependencies, assess their impact, establish
time frames for mitigation and criteria for successful mitigation,
and ensure that the criteria are followed. The one system that was
intended to serve as its comprehensive risk management system does
not contain current information, according to the IV& V
contractor.

HCFA's systems both internal and external exchange data, both
among themselves and with the Common Working File, other federal
agencies, banks, and providers. Accordingly, it is important that
HCFA ensure that Y2K- related errors will not be introduced into
the Medicare program

through these data exchanges. As of February 10, 1999, HCFA
reported that over 6,000 of its 7,968 internal data exchanges were
still not compliant, and that over 37, 000 of its nearly 255,000
external data exchanges were not compliant. 5 To ensure that
HCFA's internal and external systems are

capable of exchanging data between themselves as well as with
other federal agencies, banks, and providers, it is essential that
HCFA take steps to resolve the remaining noncompliance of these
data exchanges. In yet another critical area, HCFA faces a
significant amount of testing in 1999, since changes will continue
to be made to its mission- critical systems to make them
compliant. First, changes to resolve the existing

4 GAO/AIMD-98-284, September 28, 1998. 5 On February 23, 1999, the
HCFA Administrator stated that she wanted us to note that the
February 10, 1999, HHS quarterly report to OMB had a typographical
error, and that the total number of internal data exchanges is
3,418 and that 309 of these are still not compliant.

Page 9 GAO/T-AIMD-99-89

qualifications will need to be retested. Second, testing must
still take place with full production- level software. For
example, the final software release of the Common Working File
before 2000 is scheduled for late June; testing will therefore be
needed after that. Third, legislatively mandated changes to
software that will occur through June will need to be retested as
well. HCFA plans to conduct these final tests of its systems
between July 1 and

November 1, 1999, then recertify all mission- critical systems as
compliant without qualification or exception. These final tests
will ultimately determine whether HCFA's mission- critical systems
are indeed Year 2000 compliant. The late 1999 time frames
associated with this testing represent a high degree of risk.

In addition to such individual systems testing, HCFA must also
test its systems end- to- end to verify that defined sets of
interrelated systems, which collectively support an organizational
core business function, will work as intended. As mentioned, HCFA
plans to perform this end- to- end testing with its Year 2000 test
sites. These tests are to include all internal systems and
contractor systems, but will not include testing with banks

and providers. HCFA has instructed its contractors that it is
their responsibility to test with providers and financial
institutions. Even excluding banks and providers, end- to- end
testing of HCFA's internal and

external systems is a massive undertaking that will need to be
effectively planned and carried out. HCFA has not yet, however,
developed a detailed end- to- end test plan that explains how
these tests will be conducted or that provides a detailed schedule
for conducting them.

A final aspect of testing concerns the independent testing
contractor. The IV& V contractor's recent assessment of the
independent testing contractor concluded that its strategy as
currently stated is high risk for providing effective independent
testing because of the limited number of internal

systems to actually be independently tested: 8. This number was
previously 22. Further, this testing will not be completed until
August. The limited number of systems tested and the late
completion date are not reassuring.

Given the magnitude of HCFA's Year 2000 problem and the many
challenges that continue to face it, the development of
contingency plans to ensure continuity of critical operations and
business processes is absolutely critical. Therefore, HCFA must
sustain its efforts to complete and test its agencywide business
continuity and contingency plans by June 30. Another challenge for
HCFA is monitoring the progress of the 62 separate

Page 10 GAO/T-AIMD-99-89

business continuity and contingency plans that will be submitted
by its contractors. We will continue to monitor progress in this
area. Other issues that further complicate HCFA's Year 2000
challenge are the known and unknown contractor transitions that
are to take place before January 1, 2000, and the unknown status
of the managed care organizations serving Medicare beneficiaries.
As reported in HHS' quarterly submission

to OMB, HCFA is concerned about the possibility of Medicare
contractors, fiscal intermediaries, and carriers leaving the
program and notifying HCFA after June 1999. If this were to occur,
the workload would have to be transferred to another contractor
whose Year 2000 compliance status may

not be known. According to both contractor and HCFA officials, it
requires 6- 12 months to transfer the claims processing workload
from one contractor to another. At present, HCFA must transition
the work of three carriers that are leaving the program.

HCFA is requiring the 386 managed care organizations currently
serving 6.6 million Medicare beneficiaries to certify their
systems as Year 2000 compliant by this April 15. These
certifications may be qualified, just as

with the fee- for- service contractors. If this were to occur, a
formal recertification would have to be performed later this year.
Until this initial certification is performed, it will remain
unknown whether the managed care organizations' systems are year
2000 compliant. To summarize HCFA's situation, the agency and its
contractors have made progress in addressing issues that we have
raised. However, their reported progress vastly overstates the
facts. Some renovation and a significant

amount of testing must still be performed this year. Until HCFA
completes its planned recertification between July and November
1999, the final status of the agency's Year 2000 compliance will
be unknown. Given the

considerable amount of remaining work that HCFA faces, it is
crucial that development and testing of HCFA's business continuity
and contingency plans move forward rapidly if we are to avoid the
interruption of Medicare claims processing next year.

Y2K Readiness of the Health Care Sector: Information Is Limited

At this point, I would like to broaden our discussion to the Year
2000readiness status of the health care sector, including
biomedical equipment used in the delivery of health care. While it
is undeniably important that Medicare systems be compliant so that
the claims of health care providers

and beneficiaries can be paid, it is also critical that the
services and products associated with health care delivery itself
be Year 2000 compliant.

Page 11 GAO/T-AIMD-99-89

However, the level of information currently available on such
compliance is not reassuring. Virtually everything in today's
hospital is automated-- from the scheduling of procedures such as
surgery, to the ordering of medication such as insulin for a
diabetic patient, to the use of portable devices as diverse as
heart defibrillators and thermometers. It therefore becomes
increasingly important for health care providers such as doctors
and hospitals to assess their health information systems, facility
systems (such as heating, ventilation, and air conditioning), and
biomedical equipment to ensure their continued operation at the
turn of the century. Similarly, pharmaceutical manufacturers and
suppliers that rely heavily on computer systems for the
manufacturing and distribution of drugs must assess their

processes for compliance. Given the large degree of
interdependence among components of the health sector-- providers,
suppliers, insurance carriers, and patients/ consumers the
availability and sharing of Y2K readiness information is vital to
safe, efficient, and effective health care delivery. Readiness
information is limited throughout the health care sector.

Specifically, the amount of data available to consumers on the Y2K
readiness of health care providers, private insurers, and
pharmaceutical manufacturers and suppliers is scant. This past
June, for example, the

American Hospital Association sent a Y2K readiness survey to about
4,700 hospitals. However, only about 17 percent of its members
responded. In May 1998, the President's Council on Year 2000
Conversion established a Health Care Working Group 6 chaired by
HCFA to conduct outreach activities of the health care sector. In
response to an October 1998 request from the Chair of the
President's Council to gauge the Year 2000 readiness of the health
sector, several professional health care associations surveyed
their membership, requesting information on the status of work
completed in the Y2K assessment, renovation, validation, and
implementation phases.

For example, the Association of State and Territorial Health
Officials and the Centers for Disease Control and Prevention (CDC)
sent a Year 2000 readiness- assessment survey to 57 state and
territorial health officials.

6 Members include federal health care agencies and professional
health care associations such as the American Ambulance
Association, American Hospital Association, American Medical
Association, Health Industry Manufacturers Association, Joint
Commission on the Accreditation of Health Care Organizations,
National Association of Community Health Centers, and National
Association of Rural Health Clinics.

Page 12 GAO/T-AIMD-99-89

According to CDC, officials of 27 states responded as of February
19, 1999, and the results are still under review. Similarly, the
Generic Pharmaceutical Industry Association sent a survey to its
members last December; it plans to discuss the results at a March
8, 1999, meeting of the

Year 2000 Pharmaceuticals Acquisition and Distribution Committee
(comprised of federal and pharmaceutical representatives).
Finally, HHS' Office of the Inspector General sent a Y2K readiness
survey last December to a sample of Medicare providers; it is not
known at this time when the results will be available. The working
group plans to gather Y2K readiness information from this sector
throughout 1999, especially among smaller health care
organizations.

Until such survey results are known to consumers, the Y2K
readiness of key components of the health sector will remain in
doubt. Because of the potential impact of the Year 2000 problem on
patient care, it is critical that such readiness information be
obtained and publicized. In this way consumers will have access to
data that can offer some assurance that the information systems,
equipment, and products used in the delivery of health care
services will operate as expected when needed after the turn of
the century. Conversely, the lack of such information can
contribute to consumer doubt, misinformation, or even panic. It
can also foster

unnecessary stockpiling of drugs and the attendant drain on
pharmaceutical product inventories.

Some Biomedical Equipment Status Information Available Through FDA

The question of whether medical devices such as magnetic resonance
imaging (MRI) systems, x- ray machines, pacemakers, and cardiac
monitoring equipment can be counted on to work reliably on and
after

January 1, 2000, is critical to our nation's health care. To the
extent that biomedical equipment uses embedded computer chips, it
is vulnerable to the Y2K problem. 7 Such vulnerability carries
with it possible safety risks. This could range from the more
benign such as incorrect formatting of a printout to the most
serious such as incorrect operation of equipment with the
potential to decrease patient safety. The degree of risk depends
on the role the equipment plays in the patient's care.

7 Biomedical equipment refers both to medical devices regulated by
HHS' Food and Drug Administration (FDA), and scientific and
research instruments, which are not subject to FDA regulation.

Page 13 GAO/T-AIMD-99-89

As we reported last September, 8 FDA-- which provides information
from biomedical equipment manufacturers to the public through an
Internet World Wide Web site-- had a disappointing response rate
from biomedical equipment manufacturers to its request for
compliance information. The FDA biomedical equipment database also
lacked detailed information on the make and model of compliant
equipment. Further, FDA did not require manufacturers to submit
test results certifying compliance. Therefore, the adequacy of
manufacturers' corrections of noncompliant equipment could not be
assured.

To address these issues, we made recommendations to the
Secretaries of HHS and Veterans Affairs (VA)-- a key stakeholder
in determining the potential effects of the century change on
biomedical equipment-- to determine what actions, if any, should
be taken regarding manufacturers that have not provided compliance
information. We also recommended

that the departments (1) work jointly to develop a single data
clearinghouse to provide compliance information to all users of
biomedical equipment, and (2) take prudent steps to review test
results for critical care/ life support biomedical equipment,
especially equipment once determined to be noncompliant but now
deemed compliant-- and make those results publicly available
through FDA's central data clearinghouse. HHS and VA agreed with
our recommendation to develop a single data clearinghouse. FDA, in
conjunction with VA, has established a biomedical equipment
clearinghouse; it is publicly accessible through the Internet site
and contains information on biomedical equipment compliance
submitted to FDA by manufacturers, as well as information gathered
by VA and the Department of Defense as part of their Year 2000
compliance projects. FDA also plans to include detailed
information on the make and model of equipment reported as
compliant.

In its February 10, 1999, quarterly submission to OMB, HHS
reported that as of January 12, 1999, about three quarters (1,
438) of 1,932 biomedical equipment manufacturers identified by FDA
had submitted data to the clearinghouse. As shown in figure 2,
about 40 percent of the manufacturers have products that do not
employ a date, while about 17 percent reported equipment having
date- related problems. 8 GAO/AIMD-98-240, September 18, 1998.

Page 14 GAO/T-AIMD-99-89

Figure 2: Biomedical Compliance Status Information Reported to FDA
by Manufacturers as of January 12, 1999

Note: Total number of manufacturers = 1,438 Source: Department of
Health and Human Services.

Last September we reported that most manufacturers citing
noncompliant products listed incorrect display of date and/ or
time as the Y2K problem. 9 According to VA, these cases may not
present a risk to patient safety because health care providers,
such as physicians and nurses, can work around the problem. Of
more serious concern are situations in which

devices depend on date calculations, which can be incorrect. One 9
GAO/AIMD-98-240, September 18, 1998.

569 396

251 217

5 0 100

200 300

400 500

600 Products do not

employ a date All products employing

date are compliant Products with date

related problems Product status reported

in manufacturer's website Manufacturer submissions

requiring FDA follow- up Number of manufacturers

Page 15 GAO/T-AIMD-99-89

manufacturer cited an example of a product used for planning
delivery of radiation treatment using a radioactive isotope as the
source. An error in calculating the strength of the radiation
source on the day of treatment could result in a dose that is too
high or too low, which could have an adverse effect on the
patient. 10 HHS reports that FDA will continue to explore ways of
obtaining compliance information from manufacturers who have not
yet replied. In response to our recommendation that FDA and VA
review test results of

manufacturers' compliance certifications, VA-- deferring to HHS--
stated that it did not have the legislative or regulatory
authority to do this. HHS, for its part, said that it lacked the
available resources to undertake such a review and, further, that
insufficient time remained to complete such reviews before 2000.
We believe that if HHS lacks sufficient resources to review
manufacturers' test results, it may want to solicit the help of
federal health care providers and professional associations.
Finally, HHS stated that submission of appropriate certifications
of compliance is sufficient to ensure that the certifying
manufacturers are in compliance. We disagree.

Through independent reviews of manufacturers' test results, users
of medical devices are provided with a greater level of confidence
that the devices are indeed Year 2000 compliant. In summary, there
is great need for much more information available on the Y2K
readiness of the health care sector. Until this information is
obtained and publicized, consumers will remain in doubt as to the
Y2K readiness of key health care components. In addition, while
compliance status

information is available for some biomedical equipment through the
FDA clearinghouse, FDA has not reviewed test results supporting
manufacturers' certifications to provide the American public with
a higher level of confidence that biomedical equipment will work
as intended.

Mr. Chairman, this completes my statement. I would be pleased to
respond to any questions that you or other members of this
Committee may have at this time. 10 Year 2000 Computing Crisis:
Leadership Needed to Collect and Disseminate Critical Biomedical
Equipment Information (GAO/T-AIMD-98-310, September 24, 1998).

(511738) Lett er

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U. S. General Accounting Office P. O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U. S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512- 6000 or by using
fax number (202) 512- 6061, or TDD (202) 512- 2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512- 6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e- mail message with info in the body to: info@ www. gao. gov
or visit GAO's World Wide Web Home Page at: http:// www. gao. gov

United States General Accounting Office Washington, D. C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Rate

Postage & Fees Paid GAO Permit No. GI00

*** End of document. ***