United States General Accounting Office

GAO Report to Congressional Requesters

August 1990

INFORMATION SYSTEM

National Health Practitioner Data Bank Has Not Been Well Managed

Not to be released outside the General Accounting Office unless specifically approved by the Office of Congressional Relations.

United States General Accounting Office
Washington, D.C. 20548

Information Management and Technology Division

B-239814

August 21, 1990

The Honorable Tom Harkin
Chairman, Subcommittee on Labor, Health and Human Services, Education, and Related Agencies
Committee on Appropriations
United States Senate

The Honorable William H. Natcher
Chairman, Subcommittee on Labor, Health and Human Services, Education, and Related Agencies
Committee on Appropriations
House of Representatives

This report responds to your requests for information on the Health Resources and Services Administration's (HRSA) development of the National Practitioner Data Bank. This data bank will enable HRSA to collect and release information on malpractice litigation and adverse professional actions involving physicians, dentists, and other health care practitioners. The data bank, which HRSA expects to begin operating in September 1990, will basically be an exception list containing the names of and other information on practitioners whose professional competence or conduct has been questioned in such actions. Because data bank information will be used to make judgments about the professional competence of health care practitioners, a system compromise could seriously affect the credibility of the data bank. As agreed with your offices, we reviewed HRSA's progress in developing the data bank, including actions taken to ensure that user needs are met at the lowest cost. (See app. I for details of our scope and methodology.)
Results in Brief

HRSA's failure to follow a sound managerial approach in developing the National Practitioner Data Bank casts serious doubt on whether HRSA can open the bank by September 1990. HRSA has not yet ensured that the data bank will protect the confidentiality of practitioner information from unauthorized access and manipulation. Good system development practices dictate that effective security measures be included in a system's design. HRSA began developing the data bank before system threats and vulnerabilities were identified. As a result, HRSA cannot ensure that appropriate security measures will be installed to prevent unauthorized access and manipulation of data bank information.

Page 1 GAO/IMTEC-90-68 National Practitioner Data Bank

HRSA has not effectively managed its data bank project. No one person has been accountable for the project since it began. Instead, accountability is shared by at least 14 HRSA officials. Also, HRSA has either misplaced or not developed critical documentation necessary to ensure effective management control and oversight of the project. Additionally, some critical functions, such as ensuring that privacy requirements are met and establishing schedules and budgets, have been assigned to the contractor developing the data bank because HRSA did not believe it had the staff with the training and experience to perform them.

Furthermore, the project's total cost is uncertain at this time and could increase substantially. Currently, HRSA is modifying the contract, which will require further negotiations. HRSA said the modification is needed to cover certain requirements that existed at the time the data bank contract was awarded, but which had not been defined to the degree necessary for any offeror to address in a cost proposal. Completing these tasks could increase the project contract cost from $15.8 million to a total of $25 million.
A successful system development project needs to be well managed, conform to generally accepted systems development standards, and incorporate appropriate management controls. HRSA has not done this in the case of the National Practitioner Data Bank. We are making a series of recommendations aimed at ensuring that the data bank is not opened until corrective actions are taken by the Department of Health and Human Services.

Background

Title IV of the Health Care Quality Improvement Act of 1986 (P.L. 99-660), as amended, authorizes the Secretary of Health and Human Services to establish a data bank to ensure that unethical or incompetent practitioners do not compromise health care quality. This bank is to be created to help meet a national need to restrict the ability of incompetent practitioners to move from state to state without disclosure or discovery of the practitioner's previous damaging or incompetent performance. The data bank is to contain information on adverse actions taken against a practitioner's license, clinical privileges, and professional society memberships, as well as information on medical malpractice payments. Hospitals, group medical practices, professional societies, and state licensing boards will have access to bank information. In addition, practitioners with data bank records will have access to their own records.

Title IV requires that actions taken against physicians' or dentists' licenses be reported. Section 5 of the Medicare and Medicaid Patient and Program Protection Act of 1987 (P.L. 100-93) expanded the scope of the data bank to include all licensed health care practitioners, as well as health care entities such as hospitals. Title IV required that reporting was to begin by November 1987. Although the bank was originally scheduled to be operational in 1987, funding for the data bank was not approved by the Congress until the fall of 1988.
In addition, the regulations for implementing Title IV provisions were not finalized until October 1989.

In December 1988 HRSA awarded a 5-year $15.8 million cost-plus-fixed-fee contract to the Unisys Corporation to establish and operate the data bank, which will be housed at the company's computer facility in Camarillo, California. HRSA expects to have the bank operating by September 30, 1990. The bank will open under Title IV requirements only. Implementation of Section 5 provisions is expected to follow about 1 year after the data bank opens. No information will be reported to the data bank until it opens. Except for malpractice awards or settlements paid through an annuity, no retroactive reporting on actions occurring before the opening date will be required. HRSA officials stated that a report must be made if a payment under an annuity is made after the data bank opens. Once HRSA establishes the opening date, it will be published in the Federal Register.

The Unisys facility is expected to process over 1 million queries and about 67,000 malpractice and adverse action reports each year. Except for erroneous information, HRSA plans to maintain the information collected on practitioners indefinitely, without any provision for purging information. HRSA believes that purging information from the data bank is inconsistent with its statutory purpose of protecting the public.

Who Must Report and What Must Be Reported

Once the bank is open, individuals or entities, such as insurance companies and self-insured hospitals, who pay a malpractice claim or judgment must report the incident to the data bank. State medical and dental boards must also report disciplinary actions taken against a dentist or physician.
Further, hospitals and other health care entities, such as health maintenance organizations and certain medical and dental group practices, must report adverse actions taken against a physician's or dentist's clinical privileges. These are actions, taken on the basis of the practitioner's professional competence or conduct, that will last more than 30 days. Also, professional societies must report an adverse action taken against a practitioner's membership through a formal peer review process. Section 5 provisions require states to report certain adverse actions taken against licensed health care practitioners or health care entities by any licensing authority of the state.

Verifying Accuracy of the Data Bank Information

Reports will be submitted by mail to the data bank using a standard form. Reports will be assigned a unique document control number that allows for identification and tracking from receipt through final disposition. Unsigned reports or reports missing required information will not be accepted by the data bank, according to HRSA officials. After the report data are entered, the data bank contractor will (1) verify that the data were entered correctly and (2) send a verification document to the reporting entity. This verification document is to be reviewed and returned to the data bank. If errors or omissions are found, the entity that reported it must send an addition or correction to the data bank. The subject practitioner will be notified that a report has been received by the data bank and given 60 days to dispute the accuracy of the report. If this practitioner believes there is an inaccuracy in the report, the practitioner is to discuss the disagreement with the reporting entity.
Information contained in a disputed report will be released 30 days after receipt in response to queries; however, the practitioner can request that a notation be placed in the report stating that it is in dispute. If the reporting entity amends or retracts a disputed report, all inquiring parties who had previously received the information will be notified by the data bank about the changes. If the reporting entity chooses not to change the report, the practitioner may request the Secretary of Health and Human Services to review the dispute. The Secretary then makes the final determination.

Sanctions for Not Reporting

The Department's Office of the Inspector General has been delegated the authority to impose civil money penalties in accordance with Sections 421(c) and 427(b) of Title IV of the Health Care Quality Improvement Act. Under the statute, an individual or entity that fails to report malpractice payments will be subject to a civil penalty of not more than $10,000 for each unreported payment.

Who Must Query the Data Bank

Queries will be submitted to the data bank by mail using a standard form. Hospitals are required by the act to query the bank every 2 years on any physician, dentist, or other health care practitioner who is on its medical staff or has clinical privileges at the hospital. Hospitals also must request information from the data bank when they are considering hiring a physician, dentist, or other health care practitioner or granting clinical privileges.
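The intake, verification and dispute procedure described in the two preceding sections (control numbers, rejection of unsigned or incomplete reports, the 60-day dispute window, the 30-day hold on disputed reports, the dispute notation, and notification of earlier recipients when a report is amended or retracted) is the kind of integrity workflow that is easiest to review as code. The following model is an added example written for this page; it is not software from the data bank, HRSA or its contractor. The field names, the `DCN-` control-number format, the rule that an undisputed report is releasable as soon as its verification document has been returned, and the sample report are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from itertools import count

# Assumed required fields; the real form layout is not given on the page.
REQUIRED_FIELDS = ("practitioner", "reporting_entity", "action", "signature")
DISPUTE_WINDOW = timedelta(days=60)   # practitioner may dispute within 60 days of receipt
DISPUTED_HOLD = timedelta(days=30)    # a disputed report is released 30 days after receipt


@dataclass
class Report:
    dcn: str                      # document control number, assigned once at intake
    data: dict
    received: date
    verified: bool = False        # reporting entity has returned the verification document
    disputed: bool = False
    retracted: bool = False
    recipients: list = field(default_factory=list)   # requesters who were sent this report


class DataBank:
    def __init__(self):
        self._dcn = count(1)
        self.reports = {}
        self.notices = []         # (addressee, dcn, message) the bank must send out

    def receive(self, data, today):
        """Intake: reject unsigned or incomplete reports, otherwise assign a control number."""
        missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
        if missing:
            raise ValueError(f"report rejected; missing {missing}")
        dcn = f"DCN-{next(self._dcn):06d}"
        self.reports[dcn] = Report(dcn, dict(data), today)
        self.notices.append((data["practitioner"], dcn, "report received; 60 days to dispute"))
        return dcn

    def verification_returned(self, dcn, corrections=None):
        """The reporting entity reviewed the verification document; apply any correction."""
        r = self.reports[dcn]
        if corrections:
            r.data.update(corrections)
        r.verified = True

    def dispute(self, dcn, today):
        """Practitioner disputes accuracy; only accepted inside the 60-day window."""
        r = self.reports[dcn]
        if today > r.received + DISPUTE_WINDOW:
            raise ValueError("dispute window closed")
        r.disputed = True

    def query(self, dcn, requester, today):
        """Release a report to a requester, or None if it is not releasable yet."""
        r = self.reports[dcn]
        if r.retracted or not r.verified:
            return None
        if r.disputed and today < r.received + DISPUTED_HOLD:
            return None
        r.recipients.append(requester)           # remember who has seen this version
        return dict(r.data, in_dispute=r.disputed)   # dispute notation travels with the data

    def amend(self, dcn, changes=None, retract=False):
        """Reporting entity amends or retracts; every earlier recipient is notified."""
        r = self.reports[dcn]
        if retract:
            r.retracted = True
        else:
            r.data.update(changes or {})
        for who in r.recipients:
            self.notices.append((who, dcn, "retracted" if retract else "amended"))
        return len(r.recipients)
```

The point worth noticing is that the recipient list is what makes the notification rule enforceable: a report that is released without recording who received it cannot later be corrected in the hands of everyone who relied on it.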
Hospitals may also request information from the data bank when they deem it necessary or while conducting professional review activities. While hospitals are the only entities that must request information from the data bank, other health care entities, including health maintenance organizations and group medical practices, may query the data bank as needed. Also, physicians, dentists, and other health care practitioners may request information concerning themselves. Any person who violates the confidentiality of data bank information may be subject to a civil penalty of up to $10,000 for each violation.

User Fees

A request for information from the data bank will be regarded as an agreement to pay the associated fee. Initially the fee for querying the data bank will range somewhere between $2 and $6 for each practitioner name submitted. Fee changes will be announced periodically in the Federal Register. User fees are estimated by HRSA to produce about $2 million a year. Additional funds needed to operate the bank will be requested by HRSA in its annual appropriation.

Status of the Data Bank

As of June 1990, the regulations, forms, and users' guidebook for implementing Title IV requirements have been completed; however, much work still needs to be done, specifically:

• the 19 software programs for implementing Title IV requirements need to be finalized, tested, and accepted;
• a software program to account for user fees needs to be finalized, tested, and accepted;
• acceptance and performance criteria for the software need to be developed;
• an adequate test plan for validating the data bank's software programs needs to be prepared; and
• system security features need to be identified and an assessment of system security vulnerabilities needs to be performed.

HRSA expects to distribute the finalized forms, instructions, and users' guidebook about 4 weeks before the bank becomes operational.
This short amount of time will make it difficult for users who plan to use computer systems to help generate the data required for the bank report and query forms, according to users we spoke to, since the bank requires information they do not routinely collect. For example, an official of a large malpractice insurer stated that it will take over 5 months to program the company's computers so that the data bank reports can be prepared using information in the company's automated claims processing systems. In addition, it will take several months to train the 1,000 employees who will be responsible for preparing data bank reports or dealing directly with practitioners on malpractice payments, according to the company official. Because the documentation on the data bank's design was not finalized at the time we completed our work in June 1990, we could not assess the data bank's ability to collect data and generate reports relating to the professional competence and conduct of health care practitioners.

Data Bank Development Started Before Requirements Made Final

HRSA awarded the data bank contract before the system's requirements were finalized. Although the data bank contract was awarded in December 1988, development of the data bank did not begin until after the regulations for Title IV provisions were finalized and approved in October 1989.

Federal system development practices require that a comprehensive requirements analysis defining and documenting an automated system's functional, data, and operational requirements be prepared before an automated system is acquired. HRSA officials did not prepare such an analysis before awarding the data bank contract because they believed that the Congress, through the legislative process, had adequately defined and documented the data bank's data requirements. HRSA's decision to award a contract before finalizing the operational processes by which data bank information was to be gathered and disclosed was a mistake.
We found indications that the contractor developing the data bank recognized the incompleteness of HRSA's requirements for the data bank. The contractor, in a November 1989 Draft Narrative on Design and Implementation of the Bank, stated that the system design requirements identified in HRSA's request for proposals were extremely general. According to the contractor, HRSA's requirements focused on the content of the data bank by providing lists of data elements to be captured, but established neither firm requirements nor constraints on the development and operational processes by which the data bank was to be constructed and data was to be gathered and disclosed.

The data bank's development was delayed 10 months until the regulations for implementing Title IV provisions were finalized in October 1989. During this time the contractor held a series of educational conferences for potential users on the data bank legislation. HRSA finalized the processes in its October 1989 regulations, which describe the actual data to be collected and impose requirements and constraints on the data bank's design and architecture.

Sound Project Management Practices Are Not Being Followed

HRSA's approach to managing the development of the data bank has not followed federal system development requirements, which describe prudent management actions to minimize cost and performance risks. These requirements are embodied in the Federal Acquisition Regulation, Federal Information Resources Management Regulation, Office of Management and Budget guidelines, and the requirements of the Department of Health and Human Services, of which HRSA is a part. The requirements provide a structured means for ensuring that automated systems are successfully implemented. Flaws in HRSA's approach to developing the data bank cast serious doubt on whether a successful system can be deployed by the planned September 1990 opening date.
The Department requires bureaus and offices requesting approval to acquire computer services to follow a set of disciplined procedures to justify the procurement and to ensure that user needs are met at the lowest cost. In addition, the Department has established special requirements that apply to support services contracts that are for the development of a software application, such as the National Practitioner Data Bank. The Department requires that these procurements follow its systems development life cycle methodology[1] and federal information processing standards.[2]

To ensure HRSA's compliance with Department requirements, the Department's Division of Telecommunications and Automated Data Processing, in its July 1988 memorandum approving HRSA's procurement request for the data bank, urged HRSA officials to take particular care to comply with the Department's Information Resources Management Manual, which summarizes federal system development requirements applicable to the Department's information resources activities, by thoroughly documenting system requirements. Failure to comply with this condition could render HRSA's delegation of procurement authority from the Department voidable, according to the Acting Director of the Department's Division of Telecommunications and Automated Data Processing, who signed the memorandum.

HRSA is not following the Department's systems development life cycle methodology, and neither is it complying with the Department's Information Resources Management Manual. HRSA officials said they were not aware that they were supposed to be following the Department's systems development methodology or that the Department had established special requirements applicable to support services contracts. We examined HRSA's official acquisition file and found that documentation the Department deems necessary for ensuring effective management control over the project was missing.
This documentation included the cost/benefit analysis of alternative approaches, an explanation of how the approach selected would meet users' needs at the lowest overall cost over the system's life, and a test plan for evaluating the software programs being developed by the contractor to ensure that they will attain the bank's stated objectives. We asked HRSA officials why the studies and analyses were not in the acquisition file. The officials speculated that some of the required studies and analyses, such as the cost/benefit study, may be in the original acquisition file; however, agency officials have been unable to locate the file since 1988. Other documents, such as the test plan, have not been prepared because HRSA does not have staff with the necessary training, experience, and knowledge to prepare them. In the absence of this documentation, HRSA cannot ensure that the project will have effective management control.

[1] Department of Health and Human Services Information Resources Management Manual (Chapters 2 and 4), November 1, 1986.

[2] Federal Information Processing Standards Publication 64, Guidelines for Documentation of Computer Programs and Automated Data Systems for the Initiation Phase, and Federal Information Processing Standards Publication [number illegible in source], Guidelines for Documentation of Computer Programs and Automated Data Systems, National Technical Information Service, Department of Commerce.

Confidentiality Concerns Have Not Been Adequately Addressed

The confidential receipt, storage, and disclosure of information is essential to the data bank's operation. Any unauthorized access or manipulation of practitioner information could have wide-ranging and serious consequences on the professional and personal lives of competent practitioners.
To ensure proper identification of each individual on whom data is stored, as well as to ensure that those reporting to or requesting information from the data bank are authorized to do so, a system of unique identification numbers will be used. However, HRSA has not complied with Department and governmentwide security requirements in determining what security features should be included in the data bank's computer system to prevent unauthorized access and manipulation of data bank information.

The Department's Information Resources Management Manual states that organizations responsible for the operation of computer systems must ensure that computer programs and systems include adequate safeguards to prevent the unauthorized access and manipulation of the system. Also, the Department requires the development and use of risk analyses in the system development process to identify system threats and vulnerabilities and to provide managers and systems designers with recommended safeguards. The Department requires that the risk analysis be reviewed and revised during each phase of the system development life cycle to ensure that appropriate security measures are installed.

We found that the required risk analyses were missing from HRSA's acquisition file. HRSA officials provided us with documents that they believed met the key features of the Department's procedural requirements for risk analyses and data sensitivity studies. We reviewed the documents and concluded that they did not meet the Department's requirements. For example, the documents did not include any analysis of the damage that could occur by the unauthorized disclosure or manipulation of practitioner data or identify the security measures that were needed to prevent this from happening.
The documents provided to us by HRSA officials did show that as of May 1990 HRSA had not yet evaluated the actual software and operational aspects of the data bank. In the absence of this documentation, HRSA cannot ensure that the appropriate security measures are being installed to prevent unauthorized access and manipulation of data bank information.

In May 1990, as a result of concerns about security and project documentation, HRSA officials decided to engage the Federal Systems Integration and Management Center to evaluate the data bank's security system and to validate the system's software. As part of the evaluation, the Center was to identify system threats and vulnerabilities and effective countermeasures to these threats. The Center expects to issue a final report on the results of its evaluation by September 1990. In our view, this action, while needed, may be too late to ensure that appropriate security measures will be in place by September 1990. An assessment of system security vulnerabilities and the defining of system security specifications should have been completed prior to writing data bank computer programs.

HRSA Has Not Effectively Managed the Data Bank Contract

The Department has designated the data bank a major information resources management initiative, which means, according to federal regulations, that it should be headed by a project manager. Among other things, the regulations require the project manager to be given budget guidance and a written charter of his or her authority, responsibility, and accountability for accomplishing project objectives.
The project manager is responsible for seeing that a system is properly designed to meet the sponsors' and users' needs, and is developed on schedule. The project manager is also responsible for seeing that all system documentation is prepared as the system is being developed. If the system is being developed by a contractor, the project manager is responsible for certifying that the delivered system meets all technical specifications, including security specifications. In addition, the project manager is responsible for establishing a team with the required skills and experience to manage the development of the system.

The data bank is being developed without a HRSA project manager because HRSA does not believe it has anyone with the necessary expertise to oversee the technical aspects of the contractor's efforts. Currently, at least 14 different HRSA officials are involved in developing and implementing the data bank. However, HRSA officials acknowledged that there is no one among the 14 with the necessary training and experience to ensure that the system delivered by the contractor will meet all technical specifications, including security.

Consequently, HRSA is relying on the contractor developing the data bank to carry out the critical project management functions of establishing plans, schedules, and budgets, and conducting most technical activities, such as testing computer programs before they are implemented. Because of HRSA's lack of expertise, other critical project management functions, such as ensuring that system sizing assumptions and work load volume are valid, identifying system internal control and security vulnerabilities, and ensuring that the Department's security requirements are being met, are not being carried out.
In May 1990, HRSA officials recognized the shortcoming of their project management approach and decided to bring in the Federal Systems Integration and Management Center to evaluate data bank development. Accordingly, HRSA entered into an agreement that, among other things, provides for validation of the data bank's software programs and an evaluation to determine whether the system meets the Department's security requirements. The Center's tasks include preparing documentation describing the data bank's performance requirements and each of the data bank's software programs and their function, as well as developing a test plan for validating the data bank's software programs. HRSA is to be commended for recognizing it needs help in managing this contract; however, we believe this action may have come too late to ensure that an effective data bank can be opened in September. Time will be needed by the Center to replace missing documents and prepare documents that are vital for managing this contract.

Project Cost May Increase

We have found in the past that not preparing studies and analyses, such as those required by the Department, and the absence of a qualified project manager during critical acquisition and implementation phases of a project lead to problems. These problems include millions spent for systems that did not meet users' needs, were not cost effective, experienced cost increases, were costly to maintain, or simply did not work.[3]

HRSA has begun to experience the effects of not preparing the required studies and analyses. Although $15.8 million was approved for the project over a 5-year period beginning in January 1989, currently HRSA is modifying the contract, which will require additional negotiations. HRSA officials believe that the changes they are proposing will not significantly increase project cost. In commenting on a draft of this report, the Department of Health and Human Services said the modification is needed to cover certain requirements that existed at the time the data bank contract was awarded, but which had not been defined to the degree necessary for any offeror to address in a cost proposal. The additional requirements include the development of a user-fee system and development of software to implement the requirements of Section 5 of the Medicare and Medicaid Patient and Program Protection Act. Our discussion with contractor officials indicates they believe that about $9 million may have to be added to complete the data bank project.

[3] Computer Acquisition: Navy's Aviation Logistics System Not Ready For Deployment (IMTEC-90-11, Feb. 22, 1990); Tax Administration: Replacement of Service Center Computers Provides Lessons for the Future (GG[illegible]-109, Sept. 23, 1987); and Mining Violations: Interior Needs Management Control [word illegible] Automation Effort (IMTEC-86-27, July 28, 1986).

Conclusions

The Congress considers the National Practitioner Data Bank to be essential for helping track and monitor potentially dangerous licensed health care providers. Because of the anticipated cost of developing and maintaining the bank, the Secretary of Health and Human Services needs to rethink HRSA's approach to implementing the National Practitioner Data Bank. Allowing HRSA to continue along its current development approach is risky given that much design work still needs to be completed, as evidenced by the need to finalize many of the data bank's software programs and to identify and install appropriate system security features. The fact that the writing of software programs was initiated prior to the establishment of effective management controls raises serious questions regarding the usefulness of those software programs developed to date.
Further, HRSA's failure to develop documentation necessary to safeguard the confidentiality of the information collected raises questions about HRSA's ability to ensure that proper safeguards are being built into the system to prevent the unauthorized disclosure and use of highly sensitive practitioner information. Any violation of privacy could have an adverse effect on the health community and health care practitioners. In our opinion, the bank should not be operated until it has been tested to ensure that proper safeguards have been built into the system to ensure against the unauthorized disclosure or manipulation of bank information.

Additionally, the development of the data bank has been adversely affected by a breakdown in management controls at HRSA. Because HRSA has not designated a project manager and has either misplaced or did not prepare critical documentation that is necessary for ensuring effective management control over the project, it is questionable whether efforts to develop the data bank will result in the development of a system that effectively and efficiently meets the Congress' expectations and the Department's requirements. Although HRSA has invested many months of work, the agency has begun to experience the effects of mismanaging the data bank project. The $15.8 million approved for the data bank over a 5-year period may not be enough to complete the project. An undetermined amount of additional funds (the contractor estimates at least $9 million) may be needed to cover the costs incurred in developing and operating the data bank over its 5-year life.
Recommendations

We recommend that the Secretary of Health and Human Services direct the Deputy Assistant Secretary of the Office of Information Resources Management, which is responsible for ensuring consistency with information resources management statutory provisions and the Department's requirements, to provide independent technical oversight of the development, implementation, and operation of the data bank.

We further recommend that the data bank not be opened until the Secretary has assurance from the Deputy Assistant Secretary of the Office of Information Resources Management that effective security procedures have been implemented and that software programs have been successfully tested.

Agency Comments and Our Evaluation

In its July 16, 1990, comments on a draft of this report, the Department stated that it was committed to the effective operation of the data bank, including the application of all appropriate safeguards, and that our report provides insights that will help it achieve this goal (see app. II). The Department further said that our report touches on a number of concerns under consideration within HRSA. For example, as part of its final preparations for opening the data bank, HRSA has initiated efforts to ensure that the system will operate as required by law and regulation, with adequate provisions for security and the protection of individual privacy.

The Department said it intends to open the data bank on or about September 1, 1990, but agreed that the data bank should not be opened until the system's security measures have been tested and their adequacy verified.
The Department said it strongly believes that it will have all appropriate safeguards in place and tested before the data bank opens. However, should any major deviation from specified system goals be discovered, the Department said it would delay implementation rather than risk consequences that would degrade public confidence in or violate the essential integrity of the system.

We believe that a September 1 opening date is optimistic given the amount of work remaining. Weaknesses identified by the General Services Administration's Federal Systems Integration and Management Center, an independent consultant engaged by HRSA to evaluate the data bank's security system and software programs, will need to be addressed before the data bank can open. In July 1990 the Center reported that during its preliminary review of the system's security, it had identified several weaknesses that will, if not corrected, affect data bank security.

For example, the Center found that as presently designed, the data bank does not contain a complete audit trail. An audit trail provides information for detecting unauthorized changes to data bank information and associating those changes with specific individuals or processes so that appropriate action may be taken. In the absence of an audit trail, changes can be made to the data bank without the possibility of detection by simulating or masquerading as corrective actions. The Center concluded that until audit trails can be clearly established, the Department and practitioners will not have reasonable assurance that the data bank contains only accurate information and that erroneous information will not be disseminated. Further, the Center advised HRSA that without a complete audit trail, certification of an acceptable data bank security environment is not recommended.
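The audit trail finding above describes the control the Center expected rather than how one is built. As an added illustration that is not part of the GAO report, the Department's comments, or the HRSA/Unisys system, the following Python sketch shows one way such a trail can satisfy the two properties the Center names: every change is recorded with the actor and reason in a hash-chained log, so an altered or deleted log entry is detectable, and a record changed without a matching log entry (the "masquerading as a corrective action" case) is detected by replaying the log against the live data. The record store, the practitioner record, the actor names and the identifiers are all constructed for the example.

```python
# Added illustration (not from the GAO report or the HRSA/Unisys system):
# a hash-chained audit trail over a toy practitioner record store.
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # constructed chain anchor for the first entry


@dataclass
class AuditEntry:
    seq: int
    actor: str               # user id or process name responsible for the change
    record_id: str
    before: Optional[dict]   # None when the record did not exist yet
    after: Optional[dict]    # None when the change is a deletion
    reason: str
    prev_hash: str
    entry_hash: str


def _digest(seq: int, actor: str, record_id: str, before: Optional[dict],
            after: Optional[dict], reason: str, prev_hash: str) -> str:
    """Deterministic SHA-256 over the entry fields plus the previous entry's hash."""
    payload = json.dumps([seq, actor, record_id, before, after, reason, prev_hash],
                         sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class DataBank:
    """Toy record store; every legitimate write goes through apply_change()."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self.trail: List[AuditEntry] = []

    def apply_change(self, actor: str, record_id: str,
                     new_value: Optional[dict], reason: str) -> AuditEntry:
        before = copy.deepcopy(self.records.get(record_id))
        after = copy.deepcopy(new_value)
        prev_hash = self.trail[-1].entry_hash if self.trail else GENESIS
        seq = len(self.trail) + 1
        entry = AuditEntry(seq, actor, record_id, before, after, reason, prev_hash,
                           _digest(seq, actor, record_id, before, after, reason, prev_hash))
        self.trail.append(entry)
        if after is None:
            self.records.pop(record_id, None)
        else:
            self.records[record_id] = copy.deepcopy(after)
        return entry


def chain_intact(trail: List[AuditEntry]) -> bool:
    """False if any entry was altered, removed or reordered after it was written."""
    prev = GENESIS
    for e in trail:
        recomputed = _digest(e.seq, e.actor, e.record_id, e.before, e.after,
                             e.reason, e.prev_hash)
        if e.prev_hash != prev or recomputed != e.entry_hash:
            return False
        prev = e.entry_hash
    return True


def untracked_changes(bank: DataBank) -> List[str]:
    """Replay the trail and list record ids whose live value it does not explain."""
    expected: Dict[str, dict] = {}
    for e in bank.trail:
        if e.after is None:
            expected.pop(e.record_id, None)
        else:
            expected[e.record_id] = e.after
    ids = set(expected) | set(bank.records)
    return sorted(i for i in ids if expected.get(i) != bank.records.get(i))


def history(bank: DataBank, record_id: str) -> List[Tuple[int, str, str]]:
    """(seq, actor, reason) for every logged change to one record."""
    return [(e.seq, e.actor, e.reason) for e in bank.trail if e.record_id == record_id]


def demo() -> dict:
    """Constructed scenario: a logged report, a logged correction, then a silent edit."""
    bank = DataBank()
    bank.apply_change("board-clerk-17", "P-0001",
                      {"name": "Example Practitioner",
                       "adverse_actions": ["license suspended"]},
                      "initial report from state board")
    bank.apply_change("board-clerk-17", "P-0001",
                      {"name": "Example Practitioner",
                       "adverse_actions": ["license suspended (90 days)"]},
                      "correction: added duration")
    before_tamper = untracked_changes(bank)           # [] : live state matches the trail
    bank.records["P-0001"]["adverse_actions"] = []    # edit that bypasses the log
    return {
        "chain_ok": chain_intact(bank.trail),
        "before_tamper": before_tamper,
        "after_tamper": untracked_changes(bank),      # ["P-0001"]
        "who": history(bank, "P-0001"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for the Center's concern. The replay in untracked_changes() is what turns the trail into a detection control: a record whose live value the log cannot account for is flagged regardless of how plausible the edit looks. The hash chain is what lets the trail itself be trusted; in a real deployment the log would be written to storage the application account cannot rewrite and the chain head would be checkpointed elsewhere, since a trail the same process can edit gives only weak assurance.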
The Center expects to have a final report on the results of its security review and software validation issued in September 1990. On the basis of the results of the Center's findings and our own, we believe that the Department should not open the data bank until the Center has issued its final report, all security concerns identified by the Center are satisfactorily addressed, and the system has been certified as ready to operate.

Out of concern over the manner in which HRSA is managing the data bank contract, the House Committee on Appropriations in a July report[4] directed that funds provided for the data bank for fiscal year 1991 not be obligated until the Secretary of Health and Human Services is satisfied that the deficiencies we have identified in the management of the data bank contract have been adequately addressed. In addition, the Committee directed the Secretary to conduct a review of the likely total capitalization and operating costs of the data bank under current law and report these findings to the Committee.

[4] House Report No. 101-691, July 12, 1990.

After receiving the Department's written comments, we met with Department and HRSA officials to further discuss our concerns. In a July 24, 1990, memorandum to us confirming agreements reached during this meeting, the Administrator of HRSA discussed actions the Deputy Assistant Secretary for Information Resources Management and HRSA will take to ensure that the data bank is not opened until it is ready to open (see app. III).
The Administrator agreed that (1) there should be a specific HRSA official who is responsible for the overall management of the data bank's implementation, (2) the Department's Deputy Assistant Secretary for Information Resources Management will provide technical oversight to HRSA, and (3) the data bank will not be opened until the Deputy Assistant Secretary for Information Resources Management provides assurances that effective security procedures have been established and that software programs have been successfully tested. We believe that, if successfully implemented, the actions HRSA plans to take will effectively address our concerns.

As arranged with your offices, unless you publicly announce the contents of this letter earlier, we plan no further distribution of it until 30 days after the date of this letter. At that time, we will send copies to the Secretary of Health and Human Services; the Assistant Secretary for Health, Public Health Service; the Director, Office of Management and Budget; and other interested parties. Copies will also be made available to others upon request.

This report was prepared under the direction of Frank W. Reilly, Director, Human Resources Information Systems, who can be reached at (202) 275-3462. Other major contributors are listed in appendix IV.
Ralph V. Carlone
Assistant Comptroller General

Contents

Letter
Appendix I    Scope and Methodology
Appendix II   Agency Comments and Our Evaluation
              GAO Comments
Appendix III  Memorandum From the Administrator of HRSA    38
Appendix IV   Major Contributors to This Report    40

Abbreviations

GAO    General Accounting Office
GGD    General Government Division
HRSA   Health Resources and Services Administration
IMTEC  Information Management and Technology Division

Appendix I
Scope and Methodology

Our review was conducted from March 1990 to June 1990 at the Health Resources and Services Administration headquarters in Rockville, Maryland, the Department of Health and Human Services headquarters in Washington, D.C., and the office of the contractor who is developing the National Practitioner Data Bank. In addition, we interviewed the project director and assistant project director for the contractor hired to develop the data bank. We performed our audit work in accordance with generally accepted government auditing standards. The Department of Health and Human Services provided written comments on a draft of this report. These comments are discussed in the report and are presented and evaluated in appendix II.

To ascertain HRSA's approach for developing the data bank, we reviewed its procurement request. We also interviewed responsible agency officials, future users of the data bank, and the contractor who is developing and will operate the data bank and obtained their views on the adequacy of the approach that HRSA is using to develop the data bank.
To determine whether HRSA was complying with the conditions established in the delegation of procurement authority and was following procurement procedures in the Department's Information Resources Management Manual, we reviewed documentation submitted by HRSA to the Department and compared it with Health and Human Services' requirements applicable to automated data processing procurements. We also discussed Health and Human Services' policies and procedures with the Department's Office of Information Resources Management, which reviewed and approved the request. We discussed the facts presented in this report with Health Resources and Services Administration and Department of Health and Human Services Office of Information Resources Management officials during the course of our work and have incorporated their views where appropriate.

Appendix II
Agency Comments and Our Evaluation

Note: GAO comments supplementing those in the report text appear at the end of this appendix.

DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of Inspector General
Washington, D.C. 20201

Mr. Ralph V. Carlone
Assistant Comptroller General
United States General Accounting Office
Washington, D.C. 20548

Dear Mr. Carlone:

Enclosed are the Department's comments on your draft report, "Automated Data Processing: HRSA's National Practitioner Data Bank Is Not Ready To Operate." The comments represent the tentative position of the Department and are subject to reevaluation when the final version of this report is received.

The Department appreciates the opportunity to comment on this draft report before its publication.

Sincerely yours,

Daniel W.
Blades
Assistant Inspector General for Public Health Service Audits

Enclosure

DEPARTMENT OF HEALTH AND HUMAN SERVICES' COMMENTS ON THE GENERAL ACCOUNTING OFFICE DRAFT REPORT ENTITLED "NATIONAL PRACTITIONER DATA BANK IS NOT READY TO OPERATE"

General Comments

We appreciate the opportunity to provide comments on the General Accounting Office's (GAO) draft report on the Health Resources and Services Administration's (HRSA) development of the National Practitioner Data Bank (NPDB). This report provides additional insights which will assist us as we work for the fully successful implementation of this most critical system. The NPDB, when operational, will play a vital role in identifying and protecting the public from incompetent or unethical health care professionals. We believe the management processes employed by HRSA are both reasonable and adequate to achieve this goal.

The draft report touched on a number of concerns already under active consideration within HRSA. For example, as part of its final preparations for opening the NPDB, HRSA has initiated efforts to assure that the system will operate as required by law and regulation, with adequate provisions for security and the protection of individual privacy. We are absolutely committed to the effective operation of the NPDB, including the application of all appropriate safeguards. At this time, indications are that a September 1 start date is feasible. However, should we discover any major deviation from the specified system goals, we would delay implementation rather than risk consequences which would degrade public confidence in the system, or violate the essential integrity of the system.

The following are our comments on the recommendations.

GAO Recommendation 1.
We recommend that the Data Bank not be opened and further funding for the contract to develop and implement the Data Bank not be provided until the Administrator, HRSA: (1) adopts an approach that conforms to the Federal system development requirements, including the Department's Information Resources Management Manual; (2) explicitly defines the Data Bank's requirements, performance standards, and security features; (3) ensures that appropriate management control elements are introduced into the project; (4) develops adequate test plans for validating Data Bank software programs; (5) establishes a formal project quality control system; and (6) determines what security features should be included to prevent the unauthorized access and manipulation of Data Bank information.

Department Comment

[See comment 1.]

We do not concur. HRSA has approached the information resources management (IRM) system development in an overall acceptable manner. HRSA's statement of work in the contract contained adequate functional requirements for the contractor to initiate development of the NPDB; and the decision to use the competitive market place to determine the best approach to system design requirements is consistent with Departmental policy. The marketplace responded with diverse technical proposals, and we believe the systems approach of the contractor selected by HRSA is consistent with applicable Federal requirements. It also needs to be pointed out that HRSA has incorporated major elements of IRM life cycle management, including security, into the contractual requirements sufficient for the contractor to respond with an acceptable technical proposal.

[See comment 2.]
As a result of ongoing monitoring and site visits which revealed concerns about certain aspects of security and project documentation, HRSA executed an interagency agreement with the General Services Administration's Federal Systems Integration and Management Center (GSA/FEDSIM) to evaluate system security and to verify and validate software. The independent consultant provided by GSA/FEDSIM has confirmed that the system requirements are adequate, and asserts that confidentiality concerns have been adequately addressed. The independent consultant further believes it is possible for the system to be tested, validated, and major issues satisfactorily addressed for the NPDB to be certified to operate as planned, by September 1.

NPDB project management activities have followed a systematic and typical Departmental approach throughout the course of system design and development. This approach begins with the line responsibility of the program project officer (who must receive specific project officer training), the contracting officer, and their respective management chains, buttressed by support from IRM and financial management staff. Due to the need for expertise in fields such as insurance and hospital administration, and the need for outreach to user groups, a Panel of Experts and an Executive Committee have also provided advice regarding the NPDB.

[See comment 3.]

As of today, the NPDB is on schedule for a September opening and within budget for the work for which HRSA originally contracted. The contractor's initial proposal regarding a planned contract modification was out of line. It has subsequently been withdrawn by the contractor.
Moreover, additional funding to be negotiated with the contractor will be for expenses associated with the full implementation of legislative requirements contained in Section 5 of Public Law 100-93, and for a 10-month extension in the period of operations to compensate for a delay in the issuance of regulations. This work is unrelated to the system implementation and September 1 remains a viable target.

GAO Recommendation 2.

We further recommend that the Secretary for Health and Human Services:

-- direct the Department's Director of Telecommunications and ADP to reconsider HRSA's Delegation of Procurement Authority (DPA) because the agency has failed to comply with the conditions established in the delegation for the agency's NPDB; and

-- direct the Department's Deputy Assistant Secretary of the Office of Information Resources Management, which is responsible for ensuring consistency with information resources management statutory provisions and the Department's requirements, to take over management of the project until the Administrator of HRSA can demonstrate that appropriate management controls have been introduced into the project.

Department Comment

[See comment 1.]

We do not concur. The GAO has provided no analysis of management alternatives, but has chosen and recommended a single option. The Assistant Secretaries for Health and for Management and Budget intend to support HRSA at this critical juncture in the project by providing an appropriate level of assurance that the management of the project and the final decisions leading to opening the NPDB are technically sound, take into account consultant and staff recommendations, and fully weigh any indicated risks.

Technical Comments

1. Will the National Practitioner Data Bank Open in a Timely Fashion?

Page 2: "The Data Bank is not ready to begin operating in September 1990."
There is no assurance that appropriate security measures will have been installed to prevent unauthorized access and manipulation of Data Bank information.

Pages 19-20: "The Bank should not be operated until it has been tested to ensure that proper safeguards have been built into the system to ensure against the unauthorized disclosure or manipulation of Data Bank information."

Page 9: Four weeks' lead time for distribution of the Data Bank forms, instructions, and user guidebook is not sufficient.

Comment: The Department intends to open the Data Bank on or about September 1, 1990. We are strongly of the opinion that all appropriate safeguards will be in place and their adequacy tested and documented before the Data Bank opens. The Department will not proceed with the opening of the Data Bank unless it has assurance from an independent source that the system is secure and, moreover, that it will operate in accord with design specifications. The preliminary report of the independent contractor, whose services we engaged through GSA/FEDSIM to evaluate the system's security and efficacy, indicates that the remaining tasks needed to open the Data Bank can be feasibly completed within existing time and resource constraints. Please refer to Section E, Security Concerns, following, for detailed discussion on these issues.

Insofar as the issue of lead time is concerned, steps have already been taken by Data Bank program and contractor staff to ensure that the entities with Data Bank reporting and querying responsibilities will have in their possession, well in advance of the Data Bank's opening, the materials they will need to carry out these responsibilities.
For example, the Data Bank reporting and querying forms, the instructions for their completion, and the user guidebook (which is a detailed reference for individuals and entities reporting to and querying the Data Bank) all have been printed through GPO auspices and delivered to the Unisys Corporation's Camarillo Computer Facility site, which is the locus of the Data Bank computer operations. Nationwide distribution of these materials by the Department, through the Data Bank contractor, will proceed on schedule. Delivery of the Data Bank forms, instructions, and guidebook to the Nation's hospitals and other health care entities, medical malpractice insurers, State medical and dental boards, and professional societies (an estimated total of 16,000 entities) has already begun and all addressees will have received them by the end of July. This means that the entities with Data Bank reporting and querying responsibilities would have the necessary program materials at least a month before the scheduled opening of the Data Bank.

Moreover, advance copies of the Data Bank forms, instructions, and Guidebook have already been provided to organizations representing the major user groups, e.g., the American Medical Association (AMA), the American Dental Association (ADA), malpractice insurance consortia, etc., in May 1990. They in turn have duplicated them and are currently distributing them to their respective memberships and constituencies. Thus, critical documents are in their hands well before the formal mailing.

Additionally, Data Bank program and contractor staff held over 12 educational conferences nationwide in February and March 1990 to orient entities with Data Bank reporting and querying responsibilities to the Data Bank requirements, forms, and related materials. These conferences were announced in the Federal Register.
Further, Federal representatives of the Data Bank have addressed, upon invitation, numerous national professional health care and related organizations regarding Data Bank requirements, as well as their interpretation, reporting and querying policies and procedures. Through these and other activities, major professional organizations and entities have been kept fully and periodically informed about what they needed to know in order to help their constituencies fulfill their responsibilities to report to, or query the Data Bank.

Throughout the developmental phase of the Data Bank, counsel and assistance have also been solicited from, and provided by, a variety of health professionals, professional health care and other associations and organizations, including public interest groups, with expertise essential to the establishment and implementation of the Data Bank. These are described below.

In February 1987, the former HRSA Administrator, Dr. David Sundwall, convened an ad hoc Title IV advisory committee comprised of Government personnel drawn from offices and agencies involved in programs bearing on medical liability and malpractice, licensing and discipline in the health professions, quality assurance and risk management, and other matters relevant to the Data Bank. A major contribution of this committee was to lay out the conceptual design and framework for the Data Bank, in relation to requirements set forth in the Title IV statute. Responsibility for drawing up more detailed design elements for the Data Bank, the specification of requirements for the Data Bank procurement, and the eventual contract scope of work, was given to a Technical Advisory Panel whose membership included several senior Federal employees with distinctive knowledge and expertise in computer technology and ADP system design.
Two bodies comprising representatives of leading health care related professional organizations, the Data Bank Executive Committee and the Data Bank Panel of Experts (POE), have provided advisory guidance and assistance to the Department and the contractor throughout the Data Bank's development and pre-implementation phases. The Executive Committee's membership includes the AMA, ADA, ABA, and other national organizations and consumer groups. The POE includes nationally recognized professionals in areas such as hospital administration, medical liability insurance, licensure and discipline of health care practitioners, and computer science.

The Executive Committee has been involved in virtually all aspects of the Data Bank's development and implementation and has assisted with the formulation of operational policies and procedures for the Data Bank, including, for example, those dealing with security, confidentiality, and reporting and querying methods. The Executive Committee also had direct input into the formulation of the content of the NPDB Guidebook, which is the principal reference and resource document for individuals and entities with Data Bank reporting and querying requirements. The POE was integrally involved with the design and development of the Data Bank reporting and querying instruments, including the formulation of specific reporting codes, and with the preparation of the instructions for completing the forms. The POE met collectively on several occasions and individual members were called upon separately, as needed, for their particular expertise.

The HRSA Data Bank staff have been diligent in their efforts to seek out, engage, and listen to outside interest groups and the general public in the Data Bank development process.
Public forums were held on the Data Bank on October 2 and November 27, 1989; a broad cross-section of professional health-related organizations and other interest groups, and representatives of the lay, consumer public and public media participated in these sessions. Other examples of major Data Bank outreach efforts include a December 14, 1989 Invitational Conference for National Professional Associations; and a January 11, 1990 conference with representatives of national hospital associations and HMO/group practice organizations to help plan Educational Conferences for Hospitals and Other Health Care Entities; and, as noted, during the period February 5 - March 29, 1990, the convening of a series of conferences, nationwide, to provide guidance for entities and individuals in meeting their responsibilities to report to or query the Data Bank, viz., medical malpractice insurers, State medical and dental boards, hospitals and other health care entities, and professional medical and dental societies. Recommendations on Data Bank policy and procedural proposals made at these conferences were considered, and often incorporated, as appropriate into the pertinent Data Bank policies, procedures, and user materials.

2. Process and Timing of Developmental Steps

Page 10: Data bank development started before requirements were finalized.

Page 2: HRSA began developing the data bank before system threats and vulnerabilities were identified.

Page 11: HRSA's decision to award a contract before finalizing the operational processes by which data bank information was to be gathered and disclosed was a mistake.

[See comment 4.]

Comment: As already indicated, the Data Bank was not a proposal that originated within the Executive Branch, but was mandated by Congress.
Thus, there was not the opportunity to develop the options analysis that would have typically been associated with the development of a new system. HRSA was required to implement this legislative requirement with little lead time. Funding did not become available until October 1988 (FY 1989), thereby delaying the awarding of a contract until December 1988. The final regulations implementing Title IV requirements were not published until October 1989 principally because of the Department's effort to comply with OMB directives regarding the scope of data elements to be covered in those final regulations.

[See comment 5.]

To have waited until after publication of the final regulations to award a contract would have further delayed implementation of the program by a year. Such deferral was unnecessary because the basic Data Bank requirements had already been specified in the NPRM (which was provided to Unisys) and which, ultimately did not change significantly when the final regulations were promulgated. The contractor knew what was expected of it well before the final Title IV regulations were published, since such requirements were reflected in the contractor's technical proposal of August 1988.

The RFP/scope of work was carefully written to provide specific guidance in the areas of Data Bank systems design and security requirements. The contractor recognized and accepted the need to meet those requirements in its technical proposal of August 15, 1988 (Page A.2 - 49, Section 2.1.2). Further, in its "Draft Narrative on Design for and Implementation of the Data Bank" (Contract Deliverable Item 32, November 1989), the Data Bank contractor acknowledged detailed requirements and that the security constraints in the RFP/scope of work were "extensive in scope and detailed in their requirements, covering all aspects of security."
The GSA/FEDSIM preliminary report confirms that Unisys believed the specification level to be adequate.

3. Adherence to Departmental Procedures

Page 13: HRSA is not following the Department's systems development life cycle methodology and neither is it complying with the Department's Information Resources Management Manual.

Page 13: Missing documentation: cost-benefit analysis of alternative approaches; explanation of how the approach selected would meet users' needs at the lowest overall cost over the system's life; test plan for evaluating the software program.

Comment: The decision to contract out both the development and operation of the Data Bank was made by former HHS Secretary Otis R. Bowen. In his communication of October 30, 1987 to James C. Miller, III, Director, OMB, requesting a $3.2 million budget amendment to the President's FY 1988 request for HRSA to implement the Health Care Quality Improvement Act of 1986 (the Act), Secretary Bowen stated that he had decided "that HRSA should secure the services of a private contractor to act as the Government's agent in the collection and release of the(se) data" which the Act required be reported to the Data Bank. In his communication to the President regarding that budget amendment request, Mr. Miller affirmed the Secretary's decision to engage the services of a private contractor in establishing the Data Bank.

Dr. Bowen's decision was based on the sensitivity of the subject, the relative lack of in-house capability, and the urgency of carrying out the congressional requirements. Separate contracts for the design and the implementation of the Data Bank would, perhaps, have been desirable (although not required by departmental procedures) but would have significantly delayed implementation of the legislative mandate.

[See comment 6.]

Further, HRSA has complied with all required departmental procedures.
According to Chapter 2, Section 2-20-00, of the HHS IRM Manual, HHS managers may tailor their management approach to life cycle guidelines "where appropriate to meet the particular needs of their own programs."

[See comment 7.]

The documentation associated with the Delegation of Procurement Authority (DPA) adequately addresses departmental requirements. In particular, the requirement to develop a test plan was placed on the contractor (Unisys), and the adequacy of the test plan is being evaluated separately by the GSA/FEDSIM contractor. The contractor's technical proposal of August 1988 ("Quality Assurance/Configuration Management") commits to adhering to appropriate systems development methodology as specified by HHS in the RFP/scope of work.

4. HRSA's Management Process

Page 2: HRSA has not designated a project manager, so no one has been accountable for the project since it began.

Pages 2-3: HRSA has either misplaced or not developed critical documentation necessary to ensure effective management control and oversight of the project.

Pages 11-12: Sound project management practices are not being followed. Flaws in HRSA's approach to develop the data bank cast serious doubt on whether a successful system can be deployed by the planned September 1990 opening date.

Pages 16-17: HRSA has not effectively managed the data bank contract. "According to Federal regulations . . . it should be headed by a project manager;" "Currently, at least 14 different HRSA officials are involved in developing and implementing the data bank;" ". . . critical project management functions . . . are not being carried out."

Page 20: The development of the data bank has been adversely affected by a breakdown in management controls at HRSA. Because HRSA has not designated a project manager . . .
[See comment 8.]

Comment: The main thrust of GAO's criticism stems from the premise that this project should have been managed in accordance with established guidelines for a "major systems acquisition," requiring the designation of someone with "project manager" responsibilities at the beginning of the developmental process. A "project manager" in the sense used by GAO has much broader authorities than are generally delegated below a Bureau level in this Department and is not required by the Department for a project of the size of the Data Bank.

Although HRSA has not designated one individual as the "project manager," the NPDB has been managed responsibly and effectively through established line management structures, methodologies, and controls. The project officer for the contract meets all departmental requirements for a contract project officer and he reports to a Division Director, who reports to a Bureau Director. The contracting officer and the HRSA Financial Management Office do not report to the project officer or Bureau Director and this does not fit the GAO view of how a project of this magnitude should be managed. It is our view, however, that the normal departmental line management system is sufficient to assure appropriate management controls. This method/approach of management is entirely consistent with that successfully used for similar projects in the Department. While different from the model GAO contends is necessary, we believe this approach will result in the opening of a secure data bank on or about September 1, 1990.

In fact, a combination of contractual requirements and program policies have consistently been used by HRSA to implement sound management practices. Planning for the Data Bank began in February 1987 when a series of ad hoc advisory committee meetings were held to formulate a plan to develop a Data Bank to meet the requirements of Title IV of Public Law 99-660, the Health Care Quality Improvement Act of 1986.
Senior representatives from the Office of the Secretary, ASH, HRSA, BHPr, and other Federal organizations attended these meetings. The meetings served as a basis for developing the Data Bank RFPs and NPRM. An RFP was first issued in June 1987. The scope of work was carefully written to provide specific guidance in the areas of Data Bank systems design and security requirements. In March 1988 the RFP was withdrawn because no funds were available. An updated RFP was issued in August 1988. On December 30, 1988, a 5-year $15.9 million contract was awarded to Unisys Corporation to develop and operate the Data Bank. In their technical proposal, the contractor assured the Department of their expertise in systems design, security, and with the Privacy Act.

Soon after the contract was awarded, Unisys was provided with a copy of the Data Bank NPRM to be used as a basic blueprint along with the scope of work in order to begin the development of the systems design. Although the final regulations were not published until October 1989, Unisys was instructed to continue development of the systems design based on continuous input from the Department regarding the shape of the draft final regulations.

The scope of work called for a Data Bank Executive Committee and POE (formerly the Technical Assistance Group). The committee is advisory to the contractor. Two of the functions of the committee are to review and comment on the Data Bank policies and procedures for its operation and to advise on criteria against which the Data Bank will be assessed, including issues such as security and confidentiality. The POE consists of individuals with expertise in computer science and other "technical" areas of systems design. Since January 1989, the Executive Committee has met four times and the POE three times.
Both the committee and panel have provided valuable assistance and expertise to Unisys and the Department regarding the development of the Data Bank. Legal and program staff of the Department have worked closely with the contractor to develop policies and procedures to assure a secure environment for the confidential receipt, storage, and controlled dissemination of data from the Data Bank. Contract Deliverable Item 39, "Draft Policies and Procedures for the Initial NPDB Operation," expands on the scope of work to provide the contractor with a detailed description of Data Bank policies and procedures (PPDs) for reporting to and requesting information from the Data Bank. In addition to this document, the Department and the contractor have worked closely on development of Data Bank output documents, reporting and querying forms and instructions, and the Guidebook for individuals and entities reporting to and querying the Data Bank. The "output" materials consist of a series of documents which include reporting entity verification of information sent to the Data Bank, practitioner notification that a report has been made to the Data Bank about them, and a practitioner's dispute of the accuracy of information in the Data Bank. The reporting and querying forms and instructions were carefully crafted following extensive discussions regarding systems design, confidentiality and security between the Department, Unisys, and affected organizations in the Federal and non-Federal sectors. Other management and oversight procedures have already been described above, e.g., regular meetings between HRSA, BHPr, and Unisys since the first year of the contract regarding Data Bank policies, procedures and systems design.
Contrary to the impression created by GAO, the RFP/scope of work is studded with specific operational requirements developed by HRSA for the Data Bank which the contractor, in various documents, affirms and commits itself to fulfilling. The GAO allegation that the contract was awarded before the system requirements were finalized is, therefore, misleading; the contractor knew what was expected of it well before final regulations were published.

In summary, HRSA has exercised a style of management of this project that is entirely consistent with that successfully used in the case of other projects for which it is or has been responsible. While different from the inapplicable management model which GAO seems committed to imposing, the fact remains that the approach employed by HRSA will result in the opening of a secure Data Bank on or about September 1, 1990. The Data Bank has been designed according to RFP/scope of work requirements by a contractor employed by the Department for the specific purpose of doing so. The contractor has been continuously guided and advised by a variety of oversight mechanisms in the process of achieving the result desired by the agency according to its own timetable.

5. Security Concerns

Page 14: HRSA has not complied with Department and Governmentwide security requirements.

Page 15: HRSA cannot ensure that the appropriate security measures are being installed to prevent unauthorized access and manipulation of data bank information.

Page 20: The bank should not be operated until it has been tested to ensure that proper safeguards have been built into the system to ensure against the unauthorized disclosure or manipulation of bank information.

Comment: We agree that the Data Bank should not be opened until the system's security measures have been tested and their adequacy verified.
Assuring the security of the Data Bank has been a concern to which the Department has devoted much attention and effort since the beginning of the project. As mentioned earlier, the contract scope of work is replete with requirements/specifications bearing on system security and integrity. Further, security reviews were conducted by HRSA staff in April 1989 and March 1990, each lasting several days. As a result of these reviews, HRSA implemented its Phase II systems review, involving more technical expertise than was available within the Agency. It was at that point that HRSA entered into an agreement with GSA/FEDSIM to provide independent evaluation, test, and certification reviews. The initial site visit and documentation review has been completed and their preliminary analysis indicates "all deficiencies identified to date are correctable within a time frame which will not significantly impact the NPDB schedule."

6. Cost

Page 3: Project's cost could increase substantially.

Page 18: PROJECT COST MAY INCREASE.

Comment: GAO also raised concerns about cost overrun and contended that prospective increased contract costs were due to HRSA's failure to "prepare the required studies and analyses in sufficient detail prior to award of any contract." This statement is inaccurate.

See comment 3.

HRSA initiated a proposed contract modification to the original statement of work with the issuance of a Request for Proposal (RFP) to Unisys. The purpose of this RFP was to define "new" statement of work requirements confirmed by the final approval of the NPDB regulations.
The new requirements dealt with aspects of the Data Bank's operation that were known to exist at the time of contract award, but not to the degree necessary for any offeror to address in a cost proposal, e.g., the development of a user fee system, the determination of the actual user fee based on cost criteria identified in the regulations, and the implementation of the NPDB to accommodate the requirements contained in Section V of Public Law 100-93, which requires reporting of disciplinary actions executed on all licensed health professionals such as nurses and therapists. The original contract was for a period of 5 years, but because of a 10-month delay in issuing regulations, a corresponding 10-month extension and associated funding were also proposed.

Thus, the negotiations identified by the GAO were essential to contract administration and not attributable to an unanticipated cost overrun. The contractor responded to the proposed modification inappropriately with a re-baselining of the entire contract costs rather than individual pricing of the new statement of work requirements and the 10-month delay. HRSA advised the contractor that their proposal was inappropriate and unacceptable. The contractor's proposal was withdrawn in its entirety. At the present time, HRSA has not requested the contractor to submit a revised proposal, but has informed the contractor that negotiations and a contract modification are expected shortly. It is the position of HRSA that a modification is necessary to cover the modifications described above, the extension of the contract period and otherwise cover certain changes in technical direction. However, the contractor's estimate that costs are expected to increase by $9 million is unfounded.

7. GAO's Identification of Procurement Sensitive Information

See comment 9.

The GAO report indicates that HRSA decided to bring in a contractor in May 1990. This statement, which is also made on Pages 2 and 15, should indicate that HRSA entered into an Interagency Agreement with GSA/FEDSIM. Also, the value of a referenced "contract" is procurement sensitive and should be deleted. Page I of Project Element Plan (PEP) No. 2, which is part of HRSA's Interagency Agreement with GSA/FEDSIM, states non-disclosure requirements relating to information contained in the PEP.

GAO Comments

1. In its July 16, 1990, comments on our draft report, the Department disagreed with our proposed recommendations. After receiving the Department's comments, we met with Department and HRSA officials to further discuss our concerns. Overall, the Department officials agreed that the data bank should not be opened until the Department's Deputy Assistant Secretary for Information Resources Management provides assurances that effective security procedures have been implemented and that software programs have been successfully tested. In addition, the Department agreed to designate a project manager to ensure that the data bank is properly managed. The Department also said that the Deputy Assistant Secretary for Information Resources Management will provide technical oversight to the data bank project. On the basis of these agreements, we have refined our recommendations to reflect our general concern that the data bank not be opened until it is ready.

2. We reviewed a preliminary report on system security issued by the independent consultant in July 1990.
We disagree with the Department's assertion that the consultant has confirmed that the data bank's system requirements are adequate and that confidentiality concerns have been adequately addressed. The consultant's report found several vulnerabilities that will affect the security of the data bank if they remain uncorrected. The report also found that the documents identified by HRSA as containing the data bank design did not contain sufficient information to provide a reasonable level of assurance that the functional security requirements identified by HRSA in the solicitation for the data bank were being effectively implemented. The report further found that although Unisys had defined an effective approach for development and implementation of the data bank, the approach was not being followed. Additionally, the report found one security vulnerability that would result in a recommendation not to certify the acceptability of the data bank. The data bank lacks the capability to detect unauthorized changes to the data bank, according to the report. The report concluded that until this vulnerability is adequately addressed HRSA and practitioners will not have reasonable assurance that the data bank contains only accurate information.

3. The draft has been modified to show the current status of HRSA's proposed modification to the data bank contract's original statement of work.

4. According to the Department, HRSA did not have the opportunity to develop analyses that are typically associated with the development of a new system because HRSA was required to implement the data bank with little lead time. We disagree. We believe the 4 years that have been spent by HRSA in developing the data bank provided sufficient time to prepare the various studies and analyses typically associated with the development of a new system.

5. The Department asserts that waiting until after publication of the data bank's final regulations to award a contract was unnecessary because the basic requirements for the data bank had been specified in documents HRSA provided to the contractor. The Department said the solicitation documents and contract's scope of work provided specific guidance in the areas of systems design and security. We disagree. We found, and the contractor and Federal Systems Integration and Management Center agree, the basic requirements contained in the Department's solicitation documents are extremely general and do not constitute an adequate description that would permit development of a system design. Furthermore, the contractor in a December 1989 letter to HRSA stated that

    The delay in publishing implementing regulations for the data bank has had a significant impact on the design and development of the data bank. On the one hand, the delay in publishing regulations has required slowing down the development process and the project's rate of spending; but, on the other hand actual development activities will need to be extended over a longer period of time, particularly in connection with the implementation of Section 6 requirements.

Had HRSA waited to award the contract until the regulations were finalized it could have had a more specific set of requirements to be used in designing the system because the regulations establish criteria and procedures for collecting and releasing information from that data bank.

6. The Department stated that HRSA has complied with all required departmental procedures. We disagree. We found evidence showing that HRSA did not always comply with required departmental procedures. For example, in June 1988 the Department directed HRSA to prepare a cost/benefit analysis which was to include the development of and pricing for at least three alternative methods for developing the data bank.
The Department requires cost/benefit analyses so that managers, users, designers, and others have adequate information to analyze and evaluate alternative approaches to meeting mission needs. HRSA officials said that the cost/benefit analysis was not prepared because they had assumed the Department had approved HRSA's request to have the requirement waived. However, HRSA officials could not provide documentation showing the requirement had been waived.

The Federal Systems Integration and Management Center also found that HRSA had not always complied with departmental requirements. For example, the Center found that the data bank does not contain an audit trail as required by Department and federal guidelines. An audit trail provides the information necessary to detect unauthorized changes to an automated system. The Center concluded that because the data bank does not have an audit trail, HRSA and practitioners will not have reasonable assurance that the data bank contains only accurate information.

7. The Department stated that the documentation associated with the delegation of procurement authority adequately addresses departmental requirements. We examined the Department's official acquisition file and found that the documentation associated with the delegation of procurement authority was missing. When we asked HRSA officials why the documentation was not in the acquisition file, they speculated that it was in a file that they have been unable to locate since 1988. In the absence of documentation we cannot determine whether the documentation adequately addresses departmental requirements.

8. The Department stated it does not require project managers for projects the size of the data bank. The Department believes that these projects can be managed responsibly and effectively through established line management structures, methodologies, and controls. We disagree.
We found that the data bank development effort has not been effectively managed through the Department's project management approach. HRSA line managers responsible for managing the data bank's development said they lack the necessary expertise to oversee the technical aspects of the contractor's efforts. Because of HRSA's lack of expertise, we found that critical project management functions, such as ensuring that system sizing assumptions and work load volume are valid, identifying system internal control and security vulnerabilities, and ensuring that the Department's security requirements are being met, are not being carried out. Consequently, HRSA has been relying on the contractor to carry out critical project management functions.

The Federal Systems Integration and Management Center, in its review of the data bank's security system, also discovered evidence of problems resulting from HRSA's management approach. The Center found that, although the system development approach described in the contractor's technical proposal was consistent with applicable federal requirements, the contractor failed to implement these procedures, which resulted in documentation deficiencies. According to the Center, this occurred as a result of HRSA's failure to monitor contractor compliance with its technical proposal.

As stated in comment 1, the Administrator of HRSA has now agreed that there should be a specific HRSA official who is responsible for management of all aspects of data bank implementation and has designated the director of HRSA's Bureau of Health Professions to be the data bank program manager. The Administrator also said that a qualified systems analyst will be assigned to work with the data bank program manager.

9. We agree that the language suggested by the Department is more precise and have modified our draft.
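The audit trail finding in GAO comment 6 above, and the report's statement that an audit trail is what lets an operator detect unauthorized changes to an automated system, is easier to picture with a concrete mechanism. The following is an added illustration written for this page; it is not code from the data bank, HRSA, Unisys or FEDSIM. It keeps a record store whose every change is logged to an append-only, hash-chained audit trail, so that a record edited outside the logged path, or a trail entry altered after the fact, is reported at verification time. The class name AuditedStore, its field names, and the sample practitioner record are constructed for the example.

```python
import hashlib
import json

# Added illustration (not the data bank's design): an append-only, hash-chained
# audit trail over a record store. Every create/update is written to the trail
# before it takes effect, and each trail entry commits to the hash of the entry
# before it, so verify() can detect (a) a record changed without a trail entry
# and (b) a trail entry altered or removed after it was written.

GENESIS = "0" * 64  # prev_hash of the first entry (constructed convention)


def _digest(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable value (sorted keys, so the
    same content always hashes the same way)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditedStore:
    def __init__(self):
        self.records = {}   # record_id -> current value (a dict)
        self.trail = []     # audit entries, oldest first

    def _append(self, actor: str, action: str, record_id: str, value) -> None:
        prev = self.trail[-1]["entry_hash"] if self.trail else GENESIS
        entry = {
            "seq": len(self.trail),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "record_hash": _digest(value),  # what the record must look like after this change
            "prev_hash": prev,              # chains this entry to the one before it
        }
        entry["entry_hash"] = _digest(entry)
        self.trail.append(entry)

    def write(self, actor: str, record_id: str, value: dict) -> None:
        """The only sanctioned way to change a record: log first, then apply."""
        action = "update" if record_id in self.records else "create"
        self._append(actor, action, record_id, value)
        self.records[record_id] = value

    def verify(self) -> list:
        """Return a list of problems; an empty list means the trail is intact
        and every record matches its last logged state."""
        problems = []
        prev = GENESIS
        last_logged = {}  # record_id -> record_hash from its latest entry
        for i, e in enumerate(self.trail):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                problems.append(f"trail entry {i} altered or chain broken")
            prev = e["entry_hash"]
            last_logged[e["record_id"]] = e["record_hash"]
        for rid, value in self.records.items():
            if last_logged.get(rid) != _digest(value):
                problems.append(f"record {rid} changed without audit entry")
        for rid in last_logged:
            if rid not in self.records:
                problems.append(f"record {rid} missing although the trail shows it")
        return problems


def demo() -> dict:
    """Constructed scenario: two logged changes, then two unlogged tamperings."""
    store = AuditedStore()
    store.write("clerk-1", "P-0001", {"name": "Example Practitioner", "reports": 1})
    store.write("clerk-1", "P-0001", {"name": "Example Practitioner", "reports": 2})
    clean = store.verify()
    store.records["P-0001"]["reports"] = 0  # edit that bypassed write()
    after_record_edit = store.verify()
    store.trail[0]["actor"] = "nobody"      # rewrite history
    after_trail_edit = store.verify()
    return {"clean": clean, "after_record_edit": after_record_edit,
            "after_trail_edit": after_trail_edit}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(stage, "->", problems or "OK")
```

A hash chain is only tamper-evident if its latest entry_hash is periodically copied somewhere the people who can write to the database cannot alter (a separate system or a printed log); otherwise an insider with write access to both the records and the trail could rewrite the whole chain consistently. That anchoring step, plus restricting all record changes to the logged path, is what turns this structure into the kind of audit trail the Center found missing.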
Appendix III
Memorandum From the Administrator of HRSA

From: Administrator
Subject: Follow up Action on the General Accounting Office Draft Report Entitled “The National Practitioner Data Bank Is Not Ready to Operate”
To: Thomas Jurkiewicz, GAO

This memorandum documents the agreements we reached in the meeting chaired by Congressman Ronald Wyden (D-Oregon) on July 20 concerning GAO’s draft report on the NPDB. These agreements are as follows:

• GAO is concerned that there be a single point of overall responsibility for managing the NPDB implementation. We agree, and the Department’s Office of Information Resources Management agrees that, to the extent permissible under currently mandated organizational functions and authorities, HRSA should identify the specific official who is responsible for oversight of all aspects of the NPDB implementation, with authorities commensurate with that responsibility. That individual is Fitzhugh Mullan, M.D., Director, Bureau of Health Professions. In his capacity as NPDB program manager, Dr. Mullan will have, among other staff members, a qualified systems analyst as a full-time member of his project team.

• GAO is concerned about HRSA’s relative lack of technical expertise in automated systems design and implementation, but recognizes that HRSA has significantly augmented its internal staff capability through an inter-agency agreement with FEDSIM. We agree that HRSA will expeditiously augment its capability in this area but in the interim will continue to use FEDSIM. GAO will recommend that the Deputy Assistant Secretary for Information Resources Management provide technical oversight to HRSA. The Deputy Assistant Secretary agrees to provide such oversight and will also assure appropriate system documentation is in place in a timely fashion.

• At the time of the initial GAO study, the FEDSIM consultants had not yet begun their independent assessment, and GAO was concerned that HRSA could not assure the security of confidential practitioner information. GAO has now reviewed the initial FEDSIM report and will recommend that the data bank not be opened until the Deputy Assistant Secretary for Information Resources Management assures that effective security procedures and software programs have been successfully tested. We agree. As stated in the original Department comments, should we discover any major deviation from the specified system goals, we would delay implementation rather than risk consequences which would degrade public confidence in the system, or violate the essential integrity of the system. Additionally, at the time of the GAO study, HRSA was precluded from designing audit trail capability into the system. That previous barrier has now been overcome and audit trail capability will be built into the system before it becomes operational.

• GAO was concerned about “cost overruns.” GAO now understands that the contractor’s proposed cost increase was withdrawn and will modify their report to reflect that understanding.

It is our understanding that GAO will revise their recommendations in accordance with the agreements reached in this meeting to reflect their general concern that the NPDB not open until it is ready to open. As stated above, that has been and remains the Department’s position.

A copy of this memorandum is being provided to Congressman Wyden’s office and other DHHS components as documentation of the agreements reached in the July 20 meeting.

Robert G. Harmon, M.D., M.P.H.

Appendix IV
Major Contributors to This Report

Information Management and Technology Division, Washington, D.C.
Thomas J. Jurkiewicz, Assistant Director
Janice D. Troupe, Evaluator-in-Charge
William D. Hadesty, Technical Adviser
Janet C. Eackloff, Reports Analyst

Office of General Counsel, Washington, D.C.
John A. Carter, Senior Attorney

(610600)

Ordering Information

The first five copies of each GAO report are free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. Orders for 100 or more copies to be mailed to a single address are discounted 26 percent.

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20877

Orders may also be placed by calling (202) 275-6241.
Information System: National Health Practitioner Data Bank Has Not Been Well Managed
Published by the Government Accountability Office on 1990-08-21.