Year 2000 Computing Crisis: Readiness Status of the Department of Health
and Human Services (Testimony, 02/26/99, GAO/T-AIMD-99-92).

Pursuant to a congressional request, GAO discussed the readiness of the
Department of Health and Human Services' (HHS) computer systems overall
and of some of its component organizations' systems to function reliably
into the next century.

GAO noted that: (1) HHS reported as of December 31, 1998, 83 percent of
its mission-critical systems were year 2000 compliant; (2) of its 34
systems remaining to be repaired, 99 percent were reported to be
renovated, 81 percent validated, and 77 percent implemented; (3) the
Health Care Financing Administration (HCFA) has been responsive to GAO
recommendations, and its top management is actively engaged in its year
2000 programs; (4) to more effectively identify and manage risks, HCFA
is relying on multiple sources of information, including test reports,
reports from its independent validation and verification contractors,
and weekly status reports from its recently established contractor
oversight teams; (5) HCFA is also more effectively managing its
electronic data exchanges and has more clearly defined its testing
procedures; (6) HCFA has demonstrated progress in developing business
continuity and contingency plans to ensure that, no matter what,
beneficiaries will receive care and providers will be paid; (7) however,
HCFA's reported progress on its external mission-critical systems is
considerably overstated; (8) key state-administered programs could be
affected by the year 2000; (9) these programs--critical to the health
and well-being of the needy--are overseen by HHS' Administration for
Children and Families; (10) GAO's report on the year 2000 readiness of
state systems that support these programs found that, although progress
varied, many systems were at risk and much work remained to ensure
continuation of services; (11) HHS' Program Support Center provides
grants payments and cash management services through its Payment
Management System; (12) however, this system is not yet compliant, and
it is unclear when it will be; (13) the question of whether medical
devices such as magnetic resonance imaging systems, x-ray machines,
pacemakers, and cardiac monitoring equipment can be counted on to work
reliably on and after January 1, 2000, is critical to the nation's
health care; (14) the Food and Drug Administration, which provides
information from biomedical equipment manufacturers to the public, had a
disappointing response rate from biomedical equipment manufacturers to
its request for compliance information; and (15) HHS reports that FDA
will continue to explore ways of obtaining compliance information from
manufacturers who have not yet replied.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-92
     TITLE:  Year 2000 Computing Crisis: Readiness Status of the 
             Department of Health and Human Services
      DATE:  02/26/99
   SUBJECT:  Y2K
             Medical equipment
             Embedded computer systems
             Internal controls
             Medical information systems
             Information resources management
             Computer software verification and validation
             Strategic information systems planning
             Systems conversions
             State-administered programs
IDENTIFIER:  Medicare Program
             Medicaid Program
             Y2K
             HHS Temporary Assistance for Needy Families Program
             HHS Child Support Enforcement Program
             HHS At-Risk Child Care Program
             HHS Child Care and Development Fund
             HHS Temporary Child Care and Crisis Nurseries Program
             HHS Child Welfare Services Program
             HHS Payment Management System
             
Year 2000 Computing Crisis: Readiness Status of the Department of Health
and Human Services (Testimony, 02/26/99, GAO/T-AIMD-99-92).

Pursuant to a congressional request, GAO discussed the readiness of the
Department of Health and Human Services' (HHS) computer systems overall
and of some of its component organizations' systems to function reliably
into the next century.

GAO noted that: (1) HHS reported as of December 31, 1998, 83 percent of
its mission-critical systems were year 2000 compliant; (2) of its 34
systems remaining to be repaired, 99 percent were reported to be
renovated, 81 percent validated, and 77 percent implemented; (3) the
Health Care Financing Administration (HCFA) has been responsive to GAO
recommendations, and its top management is actively engaged in its year
2000 programs; (4) to more effectively identify and manage risks, HCFA
is relying on multiple sources of information, including test reports,
reports from its independent validation and verification contractors,
and weekly status reports from its recently established contractor
oversight teams; (5) HCFA is also more effectively managing its
electronic data exchanges and has more clearly defined its testing
procedures; (6) HCFA has demonstrated progress in developing business
continuity and contingency plans to ensure that, no matter what,
beneficiaries will receive care and providers will be paid; (7) however,
HCFA's reported progress on its external mission-critical systems is
considerably overstated; (8) key state-administered programs could be
affected by the year 2000; (9) these programs--critical to the health
and well-being of the needy--are overseen by HHS' Administration for
Children and Families; (10) GAO's report on the year 2000 readiness of
state systems that support these programs found that, although progress
varied, many systems were at risk and much work remained to ensure
continuation of services; (11) HHS' Program Support Center provides
grants payments and cash management services through its Payment
Management System; (12) however, this system is not yet compliant, and
it is unclear when it will be; (13) the question of whether medical
devices such as magnetic resonance imaging systems, x-ray machines,
pacemakers, and cardiac monitoring equipment can be counted on to work
reliably on and after January 1, 2000, is critical to the nation's
health care; (14) the Food and Drug Administration, which provides
information from biomedical equipment manufacturers to the public, had a
disappointing response rate from biomedical equipment manufacturers to
its request for compliance information; and (15) HHS reports that FDA
will continue to explore ways of obtaining compliance information from
manufacturers who have not yet replied.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-92
     TITLE:  Year 2000 Computing Crisis: Readiness Status of the 
             Department of Health and Human Services
      DATE:  02/26/99
   SUBJECT:  Y2K
             Medical equipment
             Embedded computer systems
             Internal controls
             Medical information systems
             Information resources management
             Computer software verification and validation
             Strategic information systems planning
             Systems conversions
             State-administered programs
IDENTIFIER:  Medicare Program
             Medicaid Program
             Y2K
             HHS Temporary Assistance for Needy Families Program
             HHS Child Support Enforcement Program
             HHS At-Risk Child Care Program
             HHS Child Care and Development Fund
             HHS Temporary Child Care and Crisis Nurseries Program
             HHS Child Welfare Services Program
             HHS Payment Management System
             
Year 2000 Computing Crisis: Readiness Status of the Department of Health
and Human Services (Testimony, 02/26/99, GAO/T-AIMD-99-92).

Pursuant to a congressional request, GAO discussed the readiness of the
Department of Health and Human Services' (HHS) computer systems overall
and of some of its component organizations' systems to function reliably
into the next century.

GAO noted that: (1) HHS reported as of December 31, 1998, 83 percent of
its mission-critical systems were year 2000 compliant; (2) of its 34
systems remaining to be repaired, 99 percent were reported to be
renovated, 81 percent validated, and 77 percent implemented; (3) the
Health Care Financing Administration (HCFA) has been responsive to GAO
recommendations, and its top management is actively engaged in its year
2000 programs; (4) to more effectively identify and manage risks, HCFA
is relying on multiple sources of information, including test reports,
reports from its independent validation and verification contractors,
and weekly status reports from its recently established contractor
oversight teams; (5) HCFA is also more effectively managing its
electronic data exchanges and has more clearly defined its testing
procedures; (6) HCFA has demonstrated progress in developing business
continuity and contingency plans to ensure that, no matter what,
beneficiaries will receive care and providers will be paid; (7) however,
HCFA's reported progress on its external mission-critical systems is
considerably overstated; (8) key state-administered programs could be
affected by the year 2000; (9) these programs--critical to the health
and well-being of the needy--are overseen by HHS' Administration for
Children and Families; (10) GAO's report on the year 2000 readiness of
state systems that support these programs found that, although progress
varied, many systems were at risk and much work remained to ensure
continuation of services; (11) HHS' Program Support Center provides
grants payments and cash management services through its Payment
Management System; (12) however, this system is not yet compliant, and
it is unclear when it will be; (13) the question of whether medical
devices such as magnetic resonance imaging systems, x-ray machines,
pacemakers, and cardiac monitoring equipment can be counted on to work
reliably on and after January 1, 2000, is critical to the nation's
health care; (14) the Food and Drug Administration, which provides
information from biomedical equipment manufacturers to the public, had a
disappointing response rate from biomedical equipment manufacturers to
its request for compliance information; and (15) HHS reports that FDA
will continue to explore ways of obtaining compliance information from
manufacturers who have not yet replied.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-92
     TITLE:  Year 2000 Computing Crisis: Readiness Status of the 
             Department of Health and Human Services
      DATE:  02/26/99
   SUBJECT:  Y2K
             Medical equipment
             Embedded computer systems
             Internal controls
             Medical information systems
             Information resources management
             Computer software verification and validation
             Strategic information systems planning
             Systems conversions
             State-administered programs
IDENTIFIER:  Medicare Program
             Medicaid Program
             Y2K
             HHS Temporary Assistance for Needy Families Program
             HHS Child Support Enforcement Program
             HHS At-Risk Child Care Program
             HHS Child Care and Development Fund
             HHS Temporary Child Care and Crisis Nurseries Program
             HHS Child Welfare Services Program
             HHS Payment Management System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
AI99092t.boo GAO

United States General Accounting Office

Testimony Before the Subcommittee on Government Management,
Information and Technology, Committee on Government

Reform, House of Representatives

For Release on Delivery Expected at 9 a.m. Friday, February 26,
1999

YEAR 2000 COMPUTING CRISIS

Readiness Status of the Department of Health and Human Services

Statement of Joel C. Willemssen Director, Civil Agencies
Information Systems Accounting and Information Management Division

GAO/T-AIMD-99-92

Page 1 GAO/T-AIMD-99-92

Mr. Chairman and Members of the Subcommittee: We appreciate the
opportunity to participate in today's hearing focusing on the
readiness of the computer systems of the Department of Health and
Human Services (HHS) overall and of some of its component
organizations to function reliably into the next century. HHS is a
vast department; its components face varying challenges in making
sure that its programs do not suffer interruption in the delivery
of benefits and services upon which millions of Americans depend.

I would like to begin today by summarizing the information
contained in HHS' most recent Year 2000 (Y2K) quarterly report to
the Office of Management and Budget (OMB), reflecting progress
made as of December 31, 1998. I will then offer more specific
comments in areas in which we have done work, including the Health
Care Financing Administration's (HCFA) Medicare and Medicaid
programs, the Administration for Children and Families' (ACF)
state human services programs, the Program Support Center's (PSC)
Payment Management System (PMS), and the biomedical equipment
efforts of the Food and Drug Administration (FDA).

Reported Compliance Status of HHS Systems

As the following table illustrates, HHS reported that as of
December 31, 1998, 83 percent of its mission-critical systems were
Y2K compliant (243 of 294). Of its 34 systems remaining to be
repaired, 99 percent were reported to be renovated, 81 percent
validated, and 77 percent implemented.

Table 1: Year 2000 Compliance Status of HHS' Mission- Critical
Systems, December 31, 1998, as Reported to OMB on February 10,
1999

a Includes four systems that require additional coordination of
internal and external interfaces.

HHS agency Total systems Number

compliant To be replaced To be

repaired To be retired

HCFA internal 25 25 a 0 0 0 HCFA external 82 54 0 24 4 ACF 45 45 0
0 0 PSC 8 3 1 4 0 FDA 34 30 4 0 0 Other HHS b 100 86 5 6 3

Total 294 243 10 34 7

Page 2 GAO/T-AIMD-99-92

b Includes the Administration on Aging, Centers for Disease
Control and Prevention, Health Resources and Services
Administration, Indian Health Service, National Institutes of
Health, Office of Inspector General, and Substance Abuse and
Mental Health Services Administration. Source: Department of
Health and Human Services' quarterly report to OMB, February 10,
1999.

In addition to the work that remains to correct its mission-
critical systems, HHS has much work left in the embedded systems,
facilities, and telecommunications areas. Specifically, according
to its February 10, 1999, report to OMB, HHS had (1) assessed
about 40 percent of its embedded systems (primarily biomedical
equipment) and (2) assessed 20 percent of its facilities. Further,
HHS reported that it had two operating divisions with compliant
telecommunications systems as well as others in varying stages of
assessing and/or remediating their telecommunications systems.

Much Work Remains to Achieve Compliance at HCFA

In a report issued last year, we concluded that the progress made
by HCFAand its contractorsin making its computers that process
Medicare claims Year 2000 compliant was severely behind schedule
in areas including repair, testing, and implementation. 1 Further,
we made numerous recommendations to improve key HCFA management
practices that we found to be lacking or inadequate. Today I would
like to briefly discuss our findings from that report and our
suggestions for strengthening HCFA's Y2K activities, describe
actions taken on those recommendations, and provide our
perspective on where Medicare claims processing stands today. I
will also provide an update on the status of state systems that
support HCFA's Medicaid program.

Medicare Systems Remain at High Risk

As the nation's largest health care insurer, Medicare expects to
process over a billion claims and pay $288 billion in benefits
annually by 2000. The consequences, then, of its systems' not
being Year 2000 compliant could be enormous. We originally
highlighted this concern in May 1997, making several
recommendations for improvement. 2 In our report of last September
we warned that although HCFA had made improvements in its Year
2000 management, serious challenges remained to be resolved in a
short period of time. Specifically, we reported that less than a
third of

1 Medicare Transaction System: Success Depends Upon Correcting the
Critical Managerial and Technical Weaknesses (GAO/AIMD-99-78, May
16, 1997).

2 Medicare Transaction System: Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May
16, 1997).

Page 3 GAO/T-AIMD-99-92

Medicare's mission-critical systems had been fully renovated, and
none had been validated or implemented. Further, in terms of the
agency's key management practices necessary to adequately direct
and monitor its Year 2000 project, HCFA had not

 developed an overall schedule or critical path to identify and
rank Y2K tasks to help ensure that they could be completed in a
timely manner;

 implemented risk management processes necessary to highlight
potential technical and managerial weaknesses that could impair
project success;

 planned for or scheduled end-to-end testing to ensure that
programwide renovations would work as planned; or

 effectively managed its electronic data exchanges, thereby
increasing the risk that Y2K errors would be transferred through
data exchanges from one organization's computer systems to those
of another.

OMB also had concerns. In its December 8, 1998, summary of Year
2000 progress reports of all agencies for the reporting quarter
ending November 13, 1998, it concluded that while HCFA had made
significant progress in renovating its internal and external
systems, the agency remained a serious concern due to the
remediation schedule of its external systems. OMB further stated
that Medicare contractors would have to make an intensive,
sustained effort to complete validation and implementation of
their mission-critical systems by the governmentwide goal of March
31, 1999. OMB designated HHS as a tier 1 agency on its three-
tiered rating scale since it had made insufficient progress in
addressing the Year 2000 problem.

Our conclusions and recommendations to the HCFA Administrator
reflected our concerns about the high level of risk and large
number of tasks still facing HCFA. We reported that it was more
critical than ever that HCFA have sound business continuity and
contingency plans in place that could be implemented should
systems failures occur. Our specific recommendations included that
HCFA

 rank its remaining Year 2000 work on the basis of an integrated
project schedule and ensure that all critical tasks are
prioritized and completed in time to prevent unnecessary delays,

Page 4 GAO/T-AIMD-99-92

 develop a risk management process,  define the scope of an end-
to-end test of the claims process and develop

plans and a schedule for conducting such a test,  ensure that all
external and internal systems' data exchanges have been

identified and agreements signed among exchange partners, and
accelerate the development of business continuity and contingency

plans.

HCFA's Actions to Achieve Compliance in its Medicare Systems

HCFA has been responsive to our recommendations, and its top
management is actively engaged in its Year 2000 program. HCFA's
Administrator has made Year 2000 compliance the agency's top
priority and has directed a number of actions to more effectively
manage this project. For example, HCFA has established a war room
for real-time monitoring of Year 2000 renovation, testing, and
implementation activities. In addition, the agency established
seven contractor oversight teams to monitor progress. HCFA also
strengthened its outreach efforts: on January 12, 1999, the
Administrator sent individual letters to each of the 1.25 million
Medicare providers in the United States, alerting them to take
prompt Year 2000 action on their information and billing systems.
Three days later the Administrator sent a letter to Congress, with
assurances that HCFA is making progress and stressing that
physicians, hospitals, and other providers must also meet the Y2K
challenge. HCFA also offered to provide speakers in local
congressional districts.

To more effectively identify and manage risks, HCFA is relying on
multiple sources of information, including test reports, reports
from its independent validation and verification (IV&V)
contractors, and weekly status reports from its recently
established contractor oversight teams. In addition, HCFA has
stationed staff at critical contractor sites to assess the data
being reported to them and to identify problems.

HCFA is also more effectively managing its electronic data
exchanges. HCFA now reports having a complete data exchange
inventory of nearly 8,000 internal exchanges and over 255,000
external data exchanges. HCFA also issued instructions to its
contractors (carriers and fiscal intermediaries) to inform
providers and suppliers that they must submit Medicare claims in
Year 2000-compliant data exchange format by April 5 of this year.
The status of each of these data exchanges is being tracked by
HCFA staff.

Page 5 GAO/T-AIMD-99-92

HCFA has also more clearly defined its testing procedures. It
published additional testing guidance in November 1998 that
provided a policy for external systems that requires multiple
levels of testing for each system, including:

 Unit level testing: testing of the individual software component
using test cases that exercise all component functionality. For
the standard claims processing system, this includes full
functional testing of claims processing policy and program
integrity edits.

 Simulated future date testing : testing of the individual
software component using tools to simulate that the date has been
rolled forward.

 Compliance testing: testing in a fully Year 2000-compliant
environment with real future dates to verify that the system is
Year 2000 compliant.

HCFA also plans to perform end-to-end testing with its Year 2000-
compliant test sites. These end-to-end tests are to include all
internal systems and contractor systems; however, they will not
include testing with banks and providers. Finally, HCFA has begun
to use a Year 2000 analysis tool to measure testing thoroughness,
and its IV&V contractor is assessing test adequacy on the external
systems (e.g., test coverage and documentation).

The final area in which HCFA has demonstrated progress is
developing business continuity and contingency plans to ensure
that, no matter what, beneficiaries will receive care and
providers will be paid. HCFA has established cross-organizational
workgroups to develop contingency plans for the following core
business functions: health plan and provider payment, eligibility
and enrollment issues, program integrity, managed care, quality of
care, litigation, and telecommunications. HCFA's draft plans
document its business impact analysis; the contingency plans are
expected to be completed by March 31 of this year, and testing of
the plans by June 30.

Reported Status of HCFA's Mission-Critical Systems

HCFA operates and maintains 25 internal mission-critical systems.
HCFA also has 78 external mission-critical systems 3 operated by
contractors throughout the country to process Medicare claims.
These external systems include six standard processing systems and
the Common Working File. Each contractor relies on one of these
standard systems to

3 HHS reported 82 HCFA external mission-critical systems, however,
4 of these are due to be retired.

Page 6 GAO/T-AIMD-99-92

process its claims, and adds its own front-end and back-end
processing systems. The Common Working File is a set of databases
located at nine sites that works with internal and external
systems to authorize claims payments and determine beneficiary
eligibility.

HCFA's reporting of its readiness for next January sounds quite
positive as stated in the most recent HHS Y2K quarterly progress
report to OMB. According to this report, dated February 10, as of
December 31, 1998, all 25 of HCFA's internal mission-critical
systems were reported to be compliant, as were 54 of the 78
external systems. Figure 1 shows HCFA's reported status, compared
with what it reported on September 30, 1998.

Figure 1: Reported Status of HCFA's Mission- Critical Systems

Source: HCFA quarterly reports to HHS.

25 25 51

78 9

25 0

54 5

25 0

54 0 10

20 30

40 50

60 70

80 90

9/30/98 12/31/98 9/30/98 12/31/98 Internal E x ternal

Renov ated V al i dated Im plem ented

Number of systems

Page 7 GAO/T-AIMD-99-92

Reported Progress Is Highly Overstated

HCFA's reported progress on its external mission-critical systems
is considerably overstated. In fact, none of the 54 systems
reported compliant by HCFA was Year 2000 ready as of December 31,
1998. All 54 external systems that were reported as compliant had
important associated qualifications (exceptions), some of them
very significant. Such qualifications included a major standard
system that failed to recognize 00 as a valid year, as well as
2000 as a leap year; they also included systems that were not
fully future-date tested.

According to HCFA officials, they reported these systems as
compliant because these qualifications were minor problems that
should not take much time to address. This is at variance with the
IV&V contractor's interpretation. More specifically, the IV&V
contractor found that the qualifications reported by all systems
contractors were critical, most requiring a major to moderate
level of effort to resolve.

A specific example of a system reported as compliant with
qualifications is the Florida standard system, used by 29
contractors. This system had one qualification that consisted of
22 test failures. The IV&V contractor characterized this failure
experience as significant. HCFA reports that these failures were
corrected with a January 29, 1999, software release. However, in a
February 16, 1999, IV&V status report, Blue Cross of Californiaa
user of the Florida standard system--found that date test problems
remained. In another example, the EDS MCS standard system that is
used by 10 contractors had 25 qualifications; these included 9
problems that were not future-date tested. HCFA now reports that
future- date testing of the January software release of the EDS
MCS system is 92 percent complete.

As these examples illustrate, the systems are not yet Year 2000
compliant, and the 39 contractors that use these two standard
systems likewise cannot be considered compliant. Further,
according to the IV&V contractor, two critical qualifications
associated with each of the standard systems affect all external
contractor systems: (1) HCFA-supplied systems that contractors use
in claims processing were delivered to them too late for required
testing to be performed and (2) the claims processing data
centers' hardware, software, and telecommunications were not
completely compliant.

The IV&V contractor acknowledges that Medicare claims processing
systems have made progress toward Year 2000 compliance over the
past year, yet the various qualifications inevitably mean that
some renovation

Page 8 GAO/T-AIMD-99-92

and a significant amount of retesting still needs to be
accomplished before these systems can be considered compliant. To
HCFA's credit, it issued a memorandum in early January requesting
Medicare carriers and fiscal intermediaries to resolve these
qualifications by March 31, the federal target date for Year 2000
compliance. The notice stated that Medicare systems with
unresolved Y2K problems affecting claims processing functions must
be corrected, tested, and installed in production. As part of our
ongoing work for the Senate Special Committee on Aging, we will be
monitoring the resolution of these qualifications closely.

Other Critical Risks/Challenges That Remain

The February 16, 1999, report of HCFA's IV&V contractor stated
that an integrated schedule that tracks all major internal systems
activities needs to be established. It added that system-specific
information--including time, test scheduling, and resource
considerations--needs to be more fully developed in order to
achieve a robust, trackable schedule. We agree. In fact, this is
consistent with our previous recommendation that remaining Y2K
work be ranked on the basis of a schedule that includes milestones
for renovation and testing of all systems, and that it include
time for end-to-end testing and development and testing of
business continuity and contingency plans. 4 Such a schedule is
even more important for the external systems because of their
greater number, complexity, and interdependencies. HCFA still
lacks an integrated schedule that identifies a critical path.
Without this, it will be difficult for HCFA management to identify
important dependencies in this complex environment and to
prioritize its remaining work in the time that remains. HCFA also
lacks a formal risk management processsomething to identify all
risks and their interdependencies, assess their impact, establish
time frames for mitigation and criteria for successful mitigation,
and ensure that the criteria are followed. The one system that was
intended to serve as its comprehensive risk management system does
not contain current information, according to the IV&V contractor.

HCFA's systemsboth internal and externalexchange data, both among
themselves and with the Common Working File, other federal
agencies, banks, and providers. Accordingly, it is important that
HCFA ensure that Y2K-related errors will not be introduced into
the Medicare program through these data exchanges. As of February
10, 1999, HCFA reported that over 6,000 of its 7,968 internal data
exchanges were still not compliant, and that over 37,000 of its
nearly 255,000 external data exchanges were not

4 GAO/AIMD-98-284, September 28, 1998.

Page 9 GAO/T-AIMD-99-92

compliant. 5 To ensure that HCFA's internal and external systems
are capable of exchanging data among themselves as well as with
other federal agencies, banks, and providers, it is essential that
HCFA take steps to resolve the remaining noncompliance of these
data exchanges.

In yet another critical area, HCFA faces a significant amount of
testing in 1999, since changes will continue to be made to its
mission-critical systems to make them compliant. First, changes to
resolve the existing qualifications will need to be retested.
Second, testing must still take place with full production-level
software. For example, the final software release of the Common
Working File before 2000 is scheduled for late June; testing will
therefore be needed after that. Third, legislatively mandated
changes to software that will occur through June will need to be
retested as well. HCFA plans to conduct these final tests of its
systems between July 1 and November 1, 1999, then recertify all
mission-critical systems as compliant without qualification or
exception. These final tests will ultimately determine whether
HCFA's mission-critical systems are indeed Year 2000 compliant.
The late 1999 time frames associated with this testing represent a
high degree of risk.

In addition to such individual systems testing, HCFA must also
test its systems end-to-end to verify that defined sets of
interrelated systems, which collectively support an organizational
core business function, will work as intended. As mentioned, HCFA
plans to perform this end-to-end testing with its Year 2000 test
sites. These tests are to include all internal systems and
contractor systems, but will not include testing with banks and
providers. HCFA has instructed its contractors that it is their
responsibility to test with providers and financial institutions.
Even excluding banks and providers, end-to-end testing of HCFA's
internal and external systems is a massive undertaking that will
need to be effectively planned and carried out. HCFA has not yet,
however, developed a detailed end-to-end test plan that explains
how these tests will be conducted or that provides a detailed
schedule for conducting them.

A final aspect of testing concerns the independent testing
contractor. The IV&V contractor's recent assessment of the
independent testing contractor concluded that its strategy as
currently stated is high risk for providing

5 On February 23, 1999, the HCFA Administrator stated that she
wanted us to note that the February 10, 1999, HHS quarterly report
to OMB had a typographical error, and that the total number of
internal data exchanges is 3,418 and that 309 of these are still
not compliant.

Page 10 GAO/T-AIMD-99-92

effective independent testing because of the limited number of
internal systems to actually be independently tested: 8. This
number was previously 22. Further, this testing will not be
completed until August. The limited number of systems tested and
the late completion date are not reassuring.

Given the magnitude of HCFA's Year 2000 problem and the many
challenges that continue to face it, the development of
contingency plans to ensure continuity of critical operations and
business processes is absolutely critical. Therefore, HCFA must
sustain its efforts to complete and test its agencywide business
continuity and contingency plans by June 30. Another challenge for
HCFA is monitoring the progress of the 62 separate business
continuity and contingency plans that will be submitted by its
contractors. We will continue to monitor progress in this area.

Other issues that further complicate HCFA's Year 2000 challenge
are the known and unknown contractor transitions that are to take
place before January 1, 2000, and the unknown status of the
managed care organizations serving Medicare beneficiaries. As
reported in HHS' quarterly submission to OMB, HCFA is concerned
about the possibility of Medicare contractors, fiscal
intermediaries, and carriers leaving the program and notifying
HCFA after June 1999. If this were to occur, the workload would
have to be transferred to another contractor whose Year 2000
compliance status may not be known. According to both contractor
and HCFA officials, it requires 6-12 months to transfer the claims
processing workload from one contractor to another. At present,
HCFA must transition the work of three carriers that are leaving
the program.

HCFA is requiring the 386 managed care organizations currently
serving 6.6 million Medicare beneficiaries to certify their
systems as Year 2000 compliant by this April 15. These
certifications may be qualified, just as with the fee-for-service
contractors. If this were to occur, a formal recertification would
have to be performed later this year. Until this initial
certification is performed, it will remain unknown whether the
managed care organizations' systems are Year 2000 compliant.

To summarize HCFA's Medicare situation, the agency and its
contractors have made progress in addressing issues that we have
raised. However, their reported progress vastly overstates the
facts. Some renovation and a significant amount of testing must
still be performed this year. Until HCFA completes its planned
recertification between July and November 1999, the final status
of the agency's Year 2000 compliance will be unknown. Given

Page 11 GAO/T-AIMD-99-92

the considerable amount of remaining work that HCFA faces, it is
crucial that development and testing of HCFA's business continuity
and contingency plans move forward rapidly if we are to avoid
interruption of Medicare claims processing next year.

Medicaid Systems Are at Risk

In fiscal year 1997, Medicaid--a joint federal-state program
supported by HCFA and administered by the states--provided about
$160 billion to millions of recipients. Medicaid provides health
coverage for 36 million low-income people, including over 17
million children. Its beneficiaries also include elderly, blind,
and disabled individuals.

In surveying states' Year 2000 status last summer, 6 we found that
many systems were at risk and much work remained to ensure the
continuation of services. The states' reported compliance rate for
Medicaid systems was only about 16 percent, and 18 states reported
that they had completed renovating one quarter or fewer of their
Medicaid claims processing systems. These 18 states had Medicaid
expenditures of about $40 billion in fiscal year 1997--one-quarter
of total Medicaid expenditures nationwide, covering about 9.5
million recipients.

Since last summer, HCFA has administered two state self-reporting
surveys and conducted several on-site visits, finding that overall
state Medicaid systems status has improved little. For example,
HCFA reported in November 1998 that Medicaid systems had shown
some progress in renovation, but that the number of states
reporting completion of this phase had actually decreased compared
with the July/August 1998 data that were reported to us by the
states. It found, further, that 11 states' Medicaid systems were
still reported to be 25 percent or less renovated, and about half
of the states were 50 percent or less renovated. Only five states
Arkansas, California, Idaho, Illinois, and Iowareported their
Medicaid systems to be 100 percent renovated. Thus, while OMB
guidelines target completion of systems renovation by September
1998, states' self-reported data to HCFA showed that about 90
percent of states had not completed renovation for the Medicaid
programs as of November 1998.

6 Year 2000 Computing Crisis: Readiness of State Automated Systems
to Support Federal Welfare Programs (GAO/AIMD-99-28, November 6,
1998). We sent a survey to the 50 states, the District of
Columbia, and three territories (Guam, Puerto Rico, and the Virgin
Islands). All but one of the 54 entities surveyed responded.

Page 12 GAO/T-AIMD-99-92

To obtain more reliable Year 2000 state Medicaid status
information, HCFA hired a contractor to conduct independent
verification and validation of states' systems. As an initial
effort, the contractor and HCFA distributed a survey to all states
to ascertain background and Year 2000 status information. However,
based on more recent information from on-site visits, the IV&V
project leader said that the survey data were not as reliable as
HCFA had expected because states tended to overstate their
progress. As a result, HCFA has instead decided to rely on on-site
contractor visits to ascertain accurate Medicaid systems status.

HCFA reported in HHS' February 1999 quarterly report to OMB that
based on seven site visits, some of the dates that states had
reported to us last July/August had slipped, underscoring the need
for on-site visits to secure more accurate information. For
example, according to HCFA, while four states appeared to have
made some progress in the 6 months since our survey, the status of
three states remained the same. Further, HCFA found that one
state's Medicaid eligibility system was not as far along as the
state had reported. As of February 17, 1999, HCFA told us that it
had visited 14 states and that half of those states had shown some
improvement. Thus, HCFA and the IV&V contractor plan to make on-
site visits to all 50 states and the District of Columbia by the
end of this April. For states considered at risk, HCFA will
conduct second site visits between May and September 1999 and, if
necessary, third visits between October and December. The later
visits will emphasize contingency planning to help the states
ensure continuity of program operations in the event of systems
failures.

Current Status of State Systems Supporting ACF Programs Is Unknown

Key state-administered programs that could be affected by Y2K
include Temporary Assistance for Needy Families (TANF), Child
Support Enforcement (CSE), Child Care (CC), and Child Welfare (CW)
programs; these programs--critical to the health and well being of
the needyare overseen by HHS' ACF. These programs focus on
providing benefits to economically needy families with children
who lack financial support from one or both parents because of
death, absence, incapacity, or unemployment. In fiscal year 1997,
federal and state agencies spent just under $14 billion on cash
and work-based assistance. Of this total, almost $8 billion was
federal money, while just over $6 billion was state-funded. These
programs served almost 8 million recipients as of September 1998.

Failure to complete Year 2000 conversion activities for these
programs could cause billions of dollars in benefits payments to
fail to reach our nation's needy families. Those newly approved
for benefits could face an

Page 13 GAO/T-AIMD-99-92

inability to be automatically added to the recipient file;
eligibility for new applicants might not be able to be determined
in a timely fashion; eligible recipients could be denied benefits;
and payments could be underpaid, overpaid, or delayed.

As figure 2 illustrates, in our November 1998 report on the Year
2000 readiness of state systems that support these programs we
found that, although progress varied, many systems were at risk
and much work remained to ensure continuation of services. 7

Figure 2: Percentage of Systems Reported Compliant  July/ August
l998

7 GAO/AIMD-99-28, November 6, 1998.

25 75

38 62

56 44

51 49

0 10

20 30

40 50

60 70

80 Compli ant Not compli ant

Percentage of systems TANF CSE CC CW

Programs

Page 14 GAO/T-AIMD-99-92

Following our report, OMB implemented a requirement that federal
oversight agencies include the status of state human services
systems in quarterly Year 2000 progress reports. Specifically, it
requested that federal agencies describe actions to help ensure
that federally supported, state-run programs will be able to
provide services and benefits. 8 OMB has further asked that
agencies report the date when each state's systems will be Year
2000 compliant, and provide information on any significant
difficulties that states are encountering.

ACF is currently surveying the states to determine the status of
TANF, child support enforcement, child care, and child welfare
systems, however, it does not have current information on states'
systems. In response to OMB's requirement to provide updated state
systems status in the quarterly Y2K progress reports, ACF sent
letters and surveys to state chief information officers asking for
such information, requesting that states return the survey by
January 31, 1999. As of February 16, 1999, ACF had received
responses from 27 states. Further, according to HHS' Year 2000
program manager, the information provided by the states raised
more questions than answers; some states did not answer all
questions or complete the survey for all systems.

ACF is now proposing on-site reviews of state systems for TANF and
the child support enforcement, child welfare, and child care
programs in all 50 states. ACF sees these reviews as enhancing the
available information concerning states' Year 2000 readiness and
providing a vehicle through which the agency can provide states
with technical assistance. ACF is considering developing a process
similar to the one being used by HCFA, or possibly working with
HCFA in gathering information.

Status of PSC's Payment Management System

HHS' PSC provides grants payments and cash management services
through its Payment Management System (PMS) to all HHS agencies
and to 10 other federal agencies on a fee-for-service basis. PSC
is organized into three business units, referred to as services.
Each service is responsible for a particular line of business.

8 OMB Memorandum for the Heads of Selected Agencies, Revised
Reporting Guidance on Year 2000 Efforts, January 26, 1999. The
state programs included were Food Stamps, Medical Assistance,
Unemployment Insurance, TANF, Child Support Enforcement, WIC, Low
Income Home Energy Assistance, Child Nutrition, Child Care, and
Child Welfare.

Page 15 GAO/T-AIMD-99-92

 The Administrative Operations Service's responsibilities include
property management, distribution of pharmaceuticals, medical and
dental supplies, information systems support, and technical
information services.

 The Financial Management Service is responsible for providing
financial services such as grants payments and cash management.

 The Human Resources Service is responsible for providing a full
range of human resources services such as personnel operations and
payroll.

A key PSC activity is providing electronic funding and cash
management service to organizations receiving HHS grants and
contracts, as well as grants from other federal agencies. Its list
of federal customers includes the Departments of Agriculture,
Energy, Interior, Labor; and the Federal Emergency Management
Agency, the Corporation for National Service, the National
Aeronautics and Space Administration, the Social Security
Administration, the Agency for International Development, and the
U.S. Information Agency. According to PSC, its customer
environment also includes 12 HHS operating divisions, and about
20,000 recipient organizations:

 2,900 universities and educational organizations;  7,500
hospitals, health, and nonprofit organizations;  3,800 state
government agencies; and  6,300 cross-servicing recipients. These
recipients receive about $165 billion annually in federal grants
payments for a wide range of activities such as school lunch
programs, highway construction, and health care.

Delays in Year 2000 Readiness of PMS

PSC has identified eight mission-critical systems spanning the
diversity of its administrative, financial, and human resources
activities:

 Commissioned Corps Personnel and Payroll System,  Civilian
Payroll and Personnel System,

Page 16 GAO/T-AIMD-99-92

 Automated Payment and Adjustment System,  Debt Collection System,
5ESS Telephone Switch,  PSC LAN Servers,  Payment Management
System, and the  CORE Accounting System. Of PSC's eight mission-
critical systems, the Payment Management System is one of the most
critical. However, this system is not yet compliant, and it is
unclear when it will be. Developed for the purpose of creating a
central system for paying most federal assistance grants, block
grants, and contracts, the main purpose of PMS is to serve as a
fiscal intermediary between awarding agencies and the recipients
of grants and contracts. PSC uses PMS to process billions of
dollars in payments to recipient organizations--over half of all
federal grant payments. Indeed, it is PMS that makes available to
states approximately $96 billion in Medicaid payments annually.

PMS was originally created 30 years ago, and has been expanded and
modified several times since, according to PSC. In 1995, PSC began
a project to replace PMS with a new, state-of-the-art automated
system known as the Reengineered Payment Management System. It was
anticipated that this new system would be Year 2000 compliant and
operational by October 1997.

Since its inception, the planned system replacement has
encountered problems and, as a result, is still not operational.
For example, according to a December 1997 PSC status report to
HHS, the original contractor for the replacement system failed to
maintain the agreed-upon schedule and therefore PSC decided to
hire another contractor to implement the system. With the new
contractor, the estimated date to complete the new system was
revised to October 1, 1998, which was not met.

Problems appear to continue to plague the new system replacement
effort. For example, in its biweekly status report for the period
ending February 12, 1999, the contractor reports that portions of
the implementation strategy are in jeopardy due to problems with
database

Page 17 GAO/T-AIMD-99-92

extracts from the existing system. The contractor is concerned
that database extracts, if transitioned to the new system, may
contain hidden surprises.

Despite the new system's problems, the Director of the Division of
Payment Management told us that he expects the new system to be
operational and Year 2000 compliant by March 31, 1999.
Nevertheless, because PSC was concerned that it was at risk of not
having a fully tested compliant system, it contracted in January
1999 for an independent consulting firm to conduct an analysis of
whether PSC should rely on the new replacement system as its Year
2000 solution or, instead, rely on remediation and testing of the
existing payment management system. According to the Division
Director, this analysis was due on February 23. The Division
Director stated that, as of this date, he had not received the
final report. According to the firm contracted by PSC, whichever
option PSC pursues, program management and independent
verification and validation support will be required for the
successful completion of the project.

Some Biomedical Equipment Status Information Available Through FDA

The question of whether medical devices such as magnetic resonance
imaging (MRI) systems, x-ray machines, pacemakers, and cardiac
monitoring equipment can be counted on to work reliably on and
after January 1, 2000, is critical to our nation's health care. To
the extent that biomedical equipment uses embedded computer chips
and software, it is vulnerable to the Y2K problem. 9 Such
vulnerability carries with it possible safety risks. This could
range from the more benignsuch as incorrect formatting of a
printoutto the most serioussuch as incorrect operation of
equipment with the potential to decrease patient safety. The
degree of risk depends on the role the equipment plays in the
patient's care.

Responsibility for oversight and regulation of medical devices,
including the impact of the Y2K problem, lies with FDA. It
provides information from biomedical equipment manufacturers
through an Internet World Wide Web site. Last September, 10 we
reported that FDA had a disappointing response rate from
biomedical equipment manufacturers to its request for compliance
information. The FDA biomedical equipment database also

9 Biomedical equipment refers both to medical devices regulated by
FDA, and scientific and research instruments, which are not
subject to FDA regulation.

10 Year 2000 Computing Crisis: Compliance Status of Many
Biomedical Equipment Items Still Unknown (GAO/AIMD-98-240,
September 18, 1998).

Page 18 GAO/T-AIMD-99-92

lacked detailed information on the make and model of compliant
equipment. Further, FDA did not require manufacturers to submit
test results certifying compliance. Therefore, the adequacy of
manufacturers' corrections of noncompliant equipment could not be
assured.

To address these issues, we made recommendations to the
Secretaries of HHS and Veterans Affairs (VA)--a key stakeholder in
determining the potential effects of the century change on
biomedical equipment--to determine what actions, if any, should be
taken regarding manufacturers that have not provided compliance
information. We also recommended that the departments (1) work
jointly to develop a single data clearinghouse to provide
compliance information to all users of biomedical equipment and
(2) take prudent steps to review test results for critical care/
life support biomedical equipment, especially equipment once
determined to be noncompliant but now deemed compliant--and make
those results publicly available through FDA's central data
clearinghouse.

HHS and VA agreed with our recommendation to develop a single data
clearinghouse. FDA, in conjunction with VA, has established the
Federal Y2K Biomedical Equipment Clearinghouse; it is publicly
accessible through the Internet site and contains information on
biomedical equipment compliance submitted to FDA by manufacturers,
as well as information gathered by VA and the Department of
Defense as part of their Year 2000 compliance projects. FDA also
plans to include detailed information on the make and model of
equipment reported as compliant.

In its February 10, 1999, quarterly submission to OMB, HHS
reported that as of January 12, 1999, about three quarters (1,438)
of 1,932 biomedical equipment manufacturers identified by FDA had
submitted data to the clearinghouse. As shown in figure 3, about
40 percent of the manufacturers have products that do not employ a
date, while about 17 percent reported equipment having date-
related problems.

Page 19 GAO/T-AIMD-99-92

Figure 3: Biomedical Compliance Status Information Reported to FDA
by Manufacturers as of January 12, 1999

Note: Total number of manufacturers = 1,438. Source: Department of
Health and Human Services.

Last September we also reported that most manufacturers citing
noncompliant products listed incorrect display of date and/or time
as the Y2K problem. 11 According to VA, these cases may not
present a risk to patient safety because health care providers,
such as physicians and nurses, can work around the problem. Of
more serious concern are situations in which devices depend on
date calculations, which can be

11 GAO/AIMD-98-240, September 18, 1998.

569 396

251 217

5 0 100

200 300

400 500

600

Number of manufacturers

3URGXFWV GR

QRW HPSOR\

D GDWH

$OO SURGXFWV

HPSOR\LQJ GDWH

DUH FRPSOLDQW

3URGXFWV ZLWK

GDWH  UHODWHG

SUREOHPV

3URGXFW VWDWXV

UHSRUWHG LQ

PDQXIDFWXUHUV ZHEVLWH

0DQXIDFWXUHU VXEPLVVLRQV

UHTXLULQJ )'$

IROORZ XS

Page 20 GAO/T-AIMD-99-92

incorrect. One manufacturer cited an example of a product used for
planning delivery of radiation treatment using a radioactive
isotope as the source. An error in calculating the strength of the
radiation source on the day of treatment could result in a dose
that is too high or too low, which could have an adverse effect on
the patient. 12

HHS reports that FDA will continue to explore ways of obtaining
compliance information from manufacturers who have not yet
replied. In response to our recommendation that FDA and VA review
test results of manufacturers' compliance certifications, VA--
deferring to HHS--stated that it did not have the legislative or
regulatory authority to do this. HHS, for its part, said that it
lacked the available resources to undertake such a review and,
further, that insufficient time remained to complete such reviews
before 2000. We believe that if HHS lacks sufficient resources to
review manufacturers' test results, it may want to solicit the
help of federal health care providers and professional
associations. Finally, HHS stated that submission of appropriate
certifications of compliance is sufficient to ensure that the
certifying manufacturers are in compliance. We disagree. Through
independent reviews of manufacturers' test results, users of
medical devices are provided with a greater level of confidence
that the devices are indeed Year 2000 compliant.

Mr. Chairman, this completes my statement. I would be pleased to
respond to any questions that you or other members of this
Subcommittee may have at this time.

12 Year 2000 Computing Crisis: Leadership Needed to Collect and
Disseminate Critical Biomedical Equipment Information (GAO/T-AIMD-
98-310, September 24, 1998).

(511739) Lett er

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U.S. General Accounting Office P.O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using
fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e-mail message with info in the body to:

[email protected] or visit GAO's World Wide Web Home Page at:
http://www.gao.gov

United States General Accounting Office Washington, D.C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Rate

Postage & Fees Paid GAO Permit No. GI00

*** End of document. ***