United States Government Accountability Office Testimony Before the Subcommittee on Coast Guard and Maritime Transportation, Committee on Transportation and Infrastructure, House of Representatives COAST GUARD HEALTH For Release on Delivery Expected at 10:00 a.m. ET Tuesday, January 30, 2018 RECORDS Timely Acquisition of New System Is Critical to Overcoming Challenges with Paper Process Statement of David A. Powner, Director, Information Technology Management Issues GAO-18-363T January 2018 COAST GUARD HEALTH RECORDS Timely Acquisition of New System Is Critical to Overcoming Challenges with Paper Process Highlights of GAO-18-363T, a testimony before the Subcommittee on Coast Guard and Maritime Transportation, Committee on Transportation and Infrastructure, House of Representatives Why GAO Did This Study What GAO Found In 2010, the Coast Guard initiated an Financial, technical, schedule, and personnel risks led to the United States Coast effort—known as IHiS—to replace its Guard’s (Coast Guard) decision to terminate the Integrated Health Information aging EHR system with a new system System (IHiS) project in 2015. According to the Coast Guard (a military service that was to modernize various health within the Department of Homeland Security), as of August 2017, $59.9 million care services for its nearly 50,000 was spent on the project over nearly 7 years and no equipment or software could military members. However, in October be reused for future efforts. In addition, the Coast Guard could not fully 2015, the Coast Guard announced that demonstrate the project management actions taken for IHiS, lacked governance the modernization project would be mechanisms, and did not document lessons learned for the failed project. canceled. In the absence of an electronic health record (EHR) system, the Coast Guard GAO was asked to summarize its currently relies on a predominately paper health record management process to report that is being released today on the Coast Guard’s actions related to its document health care services. Currently, the Coast Guard’s clinical staff EHR modernization initiative. GAO’s perform various manual steps to process each paper health record. Coast Guard testimony specifically addresses Coast Regional Managers and clinic and sick bay administrators informed GAO of the Guard’s (1) reasons for deciding to many challenges encountered in returning to a paper process. These challenges terminate further IHiS development; include the inability for some clinics to adequately track vital information such as (2) management and oversight actions medications—potentially causing harm to members if they take medications that for the discontinued project and have dangerous interactions. whether lessons learned were identified; (3) current process for Top Four Challenges Reported by Coast Guard Clinic and Sick Bay Administrators in Managing Paper Heath Records managing health records and the challenges it is encountering; and (4) plans for effectively implementing a new EHR system and the current status of its efforts. In preparing the report on which this testimony is based, GAO reviewed IHiS project expenditures; analyzed key project management documentation; surveyed Coast Guard’s Regional Managers and clinical staff; and interviewed key staff. What GAO Recommends In the report being released today, To help alleviate several of these challenges, the Coast Guard has developed GAO is recommending that the Coast alternative work-around processes. However, these alternative processes may Guard (1) expeditiously and judiciously not provide sustained solutions to overcoming these challenges. pursue a new EHR system, and in In February 2016, the Coast Guard initiated the process for acquiring a new EHR doing so (2) ensure key processes are system. As of November 2017, agency officials had conducted research and implemented; (3) establish project governance boards; and (4) document recommended a solution based on performance, risk, cost, and schedule lessons learned from the IHiS project. advantages. However, 2 years after canceling IHiS and moving toward a The Department of Homeland Security predominately manual process, the agency has not yet made a final concurred with GAO’s determination on this. Successfully and quickly implementing an EHR system is recommendations. vital to overcoming the challenges the Coast Guard currently faces in managing View GAO-18-363T. For more information, paper health records. The expeditious implementation of such a system can contact David A. Powner at (202) 512-9286 or significantly improve the quality and efficiency of care to the thousands of Coast pownerd@gao.gov. Guard active duty and reserve members that receive health care. United States Government Accountability Office Letter Letter Chairman Hunter, Ranking Member Garamendi, and Members of the Subcommittee: I am pleased to be here today to participate in your hearing on the United States Coast Guard’s (Coast Guard) electronic health record (EHR) system. As part of its mission, the Coast Guard is tasked with providing health care to active duty and reserve members and ensuring the availability of quality, cost-effective health care for all eligible beneficiaries. To assist with this task, the agency has historically relied on EHR systems to perform such functions as scheduling patient appointments, documenting patient consults and referrals, and tracking prescribed medications. In 2010, the Coast Guard’s Health Safety and Work-Life Directorate (HSWL) 1 initiated an effort to replace the agency’s aging EHR systems with a new system called the Integrated Health Information System (IHiS). This system was to modernize various health care services and provide additional functionality, such as a document management system, which was previously lacking. The project consisted of various contracts with 25 different vendors and was estimated to cost approximately $56 million to implement. However, in October 2015, the Coast Guard announced that the modernization project would be canceled. As requested, my statement summarizes our report that is being released today on the Coast Guard’s actions related to its EHR modernization initiative and its current health records management process. 2 Specifically, the statement addresses the Coast Guard’s (1) reasons for deciding to terminate further IHiS development and how much it spent on the project; (2) management and oversight actions for the discontinued EHR modernization project and whether lessons learned were identified; (3) current process for managing health records and the challenges it is 1 The Coast Guard’s HSWL Directorate is responsible for ensuring the readiness and health of nearly 50,000 members throughout the United States. In this regard, the Office of Health Services within HSWL is charged with providing healthcare to Coast Guard members, other military active duty and reserve members, retired personnel, and eligible family members. The Coast Guard’s healthcare services are supported by 41 U.S. based health clinics and 125 sick bays. 2 GAO, Coast Guard Health Records: Timely Acquisition of New System Is Critical to Overcoming Challenges with Paper Process, GAO-18-59 (Washington, D.C.: Jan. 24, 2018). Page 1 GAO-18-363T encountering; and (4) plans for effectively implementing a new EHR system and the current status of its efforts. Among other steps, in conducting our work, we reviewed IHiS project expenditures; analyzed key project management documentation; surveyed Regional Managers and clinical staff regarding challenges they face in managing paper health records and any mitigation strategies; and interviewed knowledgeable staff about the project. Our related report includes a detailed explanation of the scope and methodology for our work. We conducted the work on which this testimony is based in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. According to the Director of HSWL, who was appointed to the position in The Coast Guard August 2015, financial, technical, schedule, and personnel risks led the Attributed IHiS Coast Guard’s Executive Oversight Council 3 to decide to terminate the IHiS project in October 2015: Termination to Financial and Other • Financial risks. Internal investigations were initiated in January 2015 and May 2015 to determine whether the HSWL Directorate had Risks, after Spending violated the Antideficiency Act 4 by using incorrect funding sources and Approximately $60 incorrect fiscal year funds for the IHiS project. The Coast Guard ordered project management and contractor staff to cease work on Million on the Project 3 The Executive Oversight Council is an admiral/senior executive service-level group established to monitor major risks, address emergent issues, review acquisition phase exit criteria progress, and provide direction to cross-directorate teams to support the successful execution of major and non-major acquisitions. 4 The Antideficiency Act prohibits federal employees from, among other things, making or authorizing an expenditure or obligation that exceeds the amount available in an appropriation or fund. 31 U.S.C. § 1341(a)(1)(A). See GAO, Principles of Federal Appropriations Law, Vol. 3, 3rd ed., ch. 6, § C.1., GAO-06-382SP (Washington, D.C.: September 2008). Page 2 GAO-18-363T IHiS until a determination was made regarding the antideficiency violation. 5 • Technical risks. IHiS lacked an independent security assessment and full interface testing to ensure security and data integrity. In addition, key functionality for the system, such as user verification, had not been completed. • Schedule risks. The HSWL Director stated that she requested that the Department of Defense’s (DOD) Defense Health Agency Solution Delivery Information Technology (IT) team 6 independently validate the IHiS timelines and the status of the project in 2015 because of the identified technical risks and concerns as to whether the system would be ready to be piloted in the fall of 2015. According to the Director, the Defense Health Agency team projected the timeline for the first clinic implementation to be approximately 1 year later than originally estimated due, in part, to incomplete interfaces and workflows. • Personnel risks. Although HSWL staff had been managing the IHiS project since it was initiated in 2010, Command, Control, Communications, Computers, and Information Technology (C4&IT) 7 was directed to assume the oversight responsibilities for IHiS implementation in May 2015. This action was due to concerns about the project’s adherence to established governance processes raised by the internal investigators looking into the potential Antideficiency Act violations. By August 2015, the key HSWL project management personnel that had overseen the project since 2010 had been removed. As a result of the changes in staff, one vendor noted that it 5 The investigation for the funding sources was completed in November 2015, and the investigation for fiscal year funding was completed in February 2016. It was determined in both cases that no Antideficiency Act violation had occurred. In this testimony, we are not assessing or commenting on the Antideficiency Act claims relevant to this issue. 6 According to its website, the Defense Health Agency is a joint, integrated combat support agency that enables the Army, Navy, and Air Force medical services to provide a medically ready force and ready medical force to combatant commands in both peacetime and wartime. The Solution Delivery Division within the Defense Health Agency is to deliver IT solutions to the Military Health System through acquisition program management, process re-engineering, information translation and sharing, training, and integration activities in order to support and advance the delivery of health care to its patients. 7 C4&IT is responsible for designing, developing, deploying, and maintaining C4&IT solutions for the entire Coast Guard. The Deputy Assistant Commandant for C4&IT serves as the Coast Guard’s Chief Information Officer (CIO). Page 3 GAO-18-363T was unclear as to who were the stakeholders, responsible parties, and decision makers. According to an analysis conducted by the Coast Guard, which included obligations and expenditures from September 2010 to August 2017, the agency had obligated approximately $67 million for the IHiS project and, of that amount, had spent approximately $59.9 million at the time of its cancelation. In addition, over 2 years after the project’s cancelation, the Coast Guard continued to pay vendors. In this regard, it paid approximately $6.6 million to vendors between November 2017 and February 2018 to satisfy existing contractual obligations for services such as leased equipment that was damaged or missing; software licensing and support; a data storage center; and removal and shipment of equipment. Further, according to staff in Coast Guard’s Office of Budget and Programs, no equipment or software from the IHiS project could be reused for future efforts. Page 4 GAO-18-363T The Coast Guard could not demonstrate that it effectively managed and The Coast Guard oversaw the IHiS project prior to its discontinuance, and did not document Could Not and share valuable lessons learned from the failed project. Specifically, although the Coast Guard was to follow its System Development Life Demonstrate Effective Cycle (SDLC) Practice Manual to guide its management and oversight of Project Management, the project, the agency could not provide complete evidence that it had addressed 15 of the 30 SDLC practices we selected for evaluation. 8 For Lacked Governance example, the Coast Guard could not demonstrate that it had conducted Mechanisms, and Did IHiS system testing, although the agency granted an authority to operate (ATO) 9 and indicated in the ATO memorandum that the system had Not Document undergone some form of testing. The Coast Guard’s SDLC specifies that Lessons Learned for system testing is to take place prior to the issuance of an ATO. the IHiS Project Project team members provided inconsistent explanations regarding whether or not documentation existed to demonstrate the actions taken to manage and oversee the project. The absence of the various documents and other artifacts that would support the required SDLC activities raises doubts that the Coast Guard took the necessary and appropriate steps to ensure effective management of the IHiS project. Further, although the Coast Guard developed charters for various governance boards to provide project oversight and direction, the boards were not active and the Chief Information Officer (CIO) was not included as a member of the boards. Taking steps to fully implement governance boards that include the CIO will be important to the Coast Guard’s oversight efforts in implementing a future EHR system and may decrease the risk of IT project failure. 8 The practices we selected are in the initial four phases of the SDLC—Conceptual Planning, Planning and Requirements, Design, and Development and Testing. The remaining three phases—Implementation, Operations and Maintenance, and Disposition—were not applicable to the project as it was canceled prior to system implementation. More information on our methodology for selecting the SDLC phases and practices can be found in our report released today. 9 The National Institute of Standards and Technology Special Publication 800-37 defines the ATO as the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls. According to the Coast Guard’s SDLC Practice Manual, an ATO is required prior to deploying a pilot of the system in the production environment. Page 5 GAO-18-363T Lastly, although Coast Guard officials stated that lessons learned had been identified throughout the process of developing IHiS, as of 2 years after its cancelation, the agency had not documented and shared any lessons learned from the project and did not have established plans for doing so. Until the Coast Guard takes steps to document and share identified lessons learned with individuals charged with developing and acquiring its IT systems, opportunities to protect future systems against the recurrence of mistakes that contributed to the failure of IHiS will likely be missed. In the absence of an EHR system, the Coast Guard is relying on a The Coast Guard Is predominately paper health record management process to document Managing Health health care services for its nearly 50,000 military members. Currently, the Coast Guard’s clinical staff perform various manual steps to process each Records Using a paper health record. For example, clinical staff schedule appointments for Predominately Paper patients using Microsoft Outlook’s calendar feature and provide the patient with paper forms for completion upon his or her arrival. In addition, Process, but Many clinical staff must handwrite clinical notes in the paper health record Challenges Hinder during the appointment, as well as handwrite prescriptions, among other manual processes. Service Delivery In response to our survey, the 12 HSWL Regional Managers identified a number of challenges that clinics and sick bays in their regions had experienced in managing and maintaining paper health records. 10 These challenges were grouped into 16 categories. Further, the 120 clinic and sick bay administrators that subsequently responded to a separate survey reported varying degrees to which they viewed each category as challenging. 11 Figure 1 provides the clinic and sick bay respondents’ views of the top four challenges. 10 We surveyed all 12 Regional Managers and received a response from all 12 managers. 11 We sent surveys to all 166 local clinic and sick bay administrators and received a response from 120 of the 166 administrators. Page 6 GAO-18-363T Figure 1: Top Four Challenges Reported by Coast Guard Clinic and Sick Bay Administrators in Managing Paper Health Records With regard to these top four challenges to managing and maintaining paper health records, clinic and sick bay respondents offered the following examples: 12 Incomplete records. Ninety-eight (82 percent) of the respondents reported incomplete records 13 as challenging. In this regard, 34 of the survey respondents reported that not all records from the Coast Guard legacy EHR systems were printed out and included in patients’ paper health records as required before the systems were retired. Thus, they had no way to ensure the patients’ paper records were complete. 12 For the purpose of summarizing the responses to the identified challenges, each survey response of either very or moderately challenging was grouped together and was reported as “challenging.” Our related report provides more detailed examples on all 16 categories. 13 For the purposes of our survey, a paper record is incomplete when a patient’s health record does not contain all the necessary health information, including the history of clinic visits, prescribed medications, or lab results. Page 7 GAO-18-363T Penmanship. Among the 91 (76 percent) survey respondents that reported penmanship as challenging, several respondents noted that it is difficult for staff to read illegible handwritten medical notes. This, in turn, results in difficulty determining the accurate diagnosis, the required prescription, or a referral. Tracking medications. According to 89 (76 percent) of the respondents, it is challenging to track medications without an EHR. For example, one administrator stated that staff members rely heavily on patients to remember what medications they are taking—potentially causing harm if patients cannot remember what medications they are taking and the medications have dangerous interactions. Amount of time to manage records. According to 86 (72 percent) of the respondents, managing paper health records is challenging and requires more time for staff to complete and file paperwork. Several respondents stated that the size of the paper health records has increased, resulting in additional time required to review and file records. The responding clinic and sickbay administrators described a range of alternative work-around processes that they have developed to help alleviate several of the challenges. Specifically, they reported having developed additional forms, tracking methods, and alternative processes, as well as having notified Coast Guard HSWL management of the challenges they face. However, these alternative processes may not provide sustained solutions to overcoming these challenges. Until Coast Guard implements a new EHR solution, the challenges inherent in a predominantly paper process will likely remain. Page 8 GAO-18-363T The Coast Guard has begun taking steps to acquire a new EHR system The Coast Guard referred to as the Electronic Health Record Acquisition (eHRa). The Intends to Acquire a Coast Guard plans to manage and oversee the acquisition of eHRa through its non-major 14 acquisition process (NMAP), as described in its New EHR System, Non-Major Acquisition Process (NMAP) Manual. 15 NMAP requires formal but Has Not Yet approval reviews at three discrete knowledge points called acquisition Chosen a Solution decision events (ADE) and includes three phases to assess the readiness and maturity of the acquisition. 16 The Coast Guard formally identified the need for a new EHR system on February 1, 2016, and obtained approval for the first of three ADE’s on February 13, 2016. It subsequently initiated market research activities by collecting cost, schedule, and capabilities information from commercial and government solution providers, including DOD and the Department of Veterans Affairs. The Coast Guard used the providers’ responses to develop an alternatives analysis report that was completed in October 2017. The report recommended a solution based on performance, risk, cost, and schedule advantages. The report indicated that the Coast Guard plans to use the results of the alternatives analysis to refine the acquisition strategy, and to support the development of artifacts which are required to successfully achieve the ADE-2 milestone. Staff within the Acquisitions Directorate stated that they were also in the process of finalizing a life cycle cost estimate and a project plan for eHRa—documents necessary for ensuring that appropriate business decisions will be made regarding eHRa’s logistics, affordability, and resources, among other things. 14 According to the Coast Guard, a non-major acquisition is a procurement greater than $10 million in procurement costs and less than $300 million in life cycle costs. Major acquisitions are characterized as procurements above $300 million in life cycle costs. 15 The Coast Guard implemented this process for non-major IT acquisitions in December 2012. It is intended to provide oversight of non-major acquisitions. As of August 2017, the Coast Guard was in the process of updating the NMAP. See Coast Guard, Non-Major Acquisition Process (NMAP) Manual, COMDTINST M5000.11B (Washington, D.C.: Dec. 31, 2012). 16 Our related report provides a more detailed discussion of each ADE and each of the three phases that make up the NMAP process. Page 9 GAO-18-363T As of December 2017, the Coast Guard had not yet made a final determination as to which option would be chosen as the solution for the eHRa acquisition. Implementation of Our Our report that is being released today contains four recommendations to Recommendations Should the Coast Guard. Specifically, we recommend that the Coast Guard: Better Position Coast • expeditiously and judiciously pursue the acquisition of a new EHR Guard to Overcome system; Challenges with Paper • ensure established processes required for the future acquisition or Health Records development of an EHR are effectively implemented and adequately documented; • direct the Chief Information Officer and the Chief Acquisition Officer to establish and fully implement project governance boards for the future EHR effort that include the Chief Information Officer; and • document any lessons learned from the discontinued IHiS project, share them with the new project management team, and ensure lessons learned are utilized for the future EHR effort. The Department of Homeland Security 17 concurred with our four recommendations and identified actions being taken or planned to implement them. If the Coast Guard fully and effectively implements our recommendations, many of the challenges faced by its clinics and sick bays and the thousands of Coast Guard members utilizing its health services could be diminished. In summary, given the numerous challenges inherent with managing and maintaining paper health records, it will be important for the Coast Guard to prioritize obtaining an EHR for its thousands of members. Until a solution for its EHR system is chosen and successfully implemented, the agency is likely to continue to face these challenges. In addition, ensuring established project management and governance processes are effective, as well as documenting and sharing lessons learned, will be essential in avoiding past mistakes and helping to ensure a successful implementation of a future EHR solution at the Coast Guard. 17 The Coast Guard is a military service within the Department of Homeland Security. Page 10 GAO-18-363T Chairman Hunter, Ranking Member Garamendi, and Members of the Subcommittee, this concludes my prepared statement. I would be pleased to respond to any questions that you may have. If you or your staff have any questions about this testimony, please GAO Contact and contact David A. Powner, Director, Information Technology Management Acknowledgments Issues, at (202) 512-9286 or pownerd@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this testimony statement. GAO staff who made key contributions to this statement are Nicole Jarvis (Assistant Director), Ashfaq Huda (Analyst in Charge), Sharhonda Deloach, Rebecca Eyler, Monica Perez-Nelson, and Scott Pettis. (102569) Page 11 GAO-18-363T This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. The Government Accountability Office, the audit, evaluation, and investigative GAO’s Mission arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is Obtaining Copies of through GAO’s website (http://www.gao.gov). Each weekday afternoon, GAO GAO Reports and posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to http://www.gao.gov Testimony and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, LinkedIn, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov and read The Watchblog. Contact: To Report Fraud, Website: http://www.gao.gov/fraudnet/fraudnet.htm Waste, and Abuse in E-mail: fraudnet@gao.gov Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400, Congressional U.S. Government Accountability Office, 441 G Street NW, Room 7125, Relations Washington, DC 20548 Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 James-Christian Blockwood, Managing Director, spel@gao.gov, (202) 512-4707 Strategic Planning and U.S. Government Accountability Office, 441 G Street NW, Room 7814, External Liaison Washington, DC 20548 Please Print on Recycled Paper.