
Information System: National Health Practitioner Data Bank Has Not Been Well Managed

Published by the Government Accountability Office on 1990-08-21.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

United States General Accounting Office

GAO    Report to Congressional Requesters

August 1990

INFORMATION SYSTEM

National Health Practitioner Data Bank Has Not Been Well Managed

142227

Not to be released outside the General Accounting Office unless specifically approved by the Office of Congressional Relations
United States
General Accounting Office
Washington, D.C. 20548

Information Management and
Technology Division

B-239814
August 21, 1990

The Honorable Tom Harkin
Chairman, Subcommittee on Labor,
  Health and Human Services,
  Education, and Related Agencies
Committee on Appropriations
United States Senate

The Honorable William H. Natcher
Chairman, Subcommittee on Labor,
  Health and Human Services,
  Education, and Related Agencies
Committee on Appropriations
House of Representatives

This report responds to your requests for information on the Health Resources and Services Administration's (HRSA) development of the National Practitioner Data Bank. This data bank will enable HRSA to collect and release information on malpractice litigation and adverse professional actions involving physicians, dentists, and other health care practitioners. The data bank, which HRSA expects to begin operating in September 1990, will basically be an exception list containing the names of and other information on practitioners whose professional competence or conduct has been questioned in such actions. Because data bank information will be used to make judgments about the professional competence of health care practitioners, a system compromise could seriously affect the credibility of the data bank. As agreed with your offices, we reviewed HRSA's progress in developing the data bank, including actions taken to ensure that user needs are met at the lowest cost. (See app. I for details of our scope and methodology.)

Results in Brief

HRSA's failure to follow a sound managerial approach in developing the National Practitioner Data Bank casts serious doubt on whether HRSA can open the bank by September 1990. HRSA has not yet ensured that the data bank will protect the confidentiality of practitioner information from unauthorized access and manipulation. Good system development practices dictate that effective security measures be included in a system's design. HRSA began developing the data bank before system threats and vulnerabilities were identified. As a result, HRSA cannot ensure that appropriate security measures will be installed to prevent unauthorized access and manipulation of data bank information.


Page 1    GAO/IMTEC-90-68    National Practitioner Data Bank




HRSA has not effectively managed its data bank project. No one person has been accountable for the project since it began. Instead, accountability is shared by at least 14 HRSA officials. Also, HRSA has either misplaced or not developed critical documentation necessary to ensure effective management control and oversight of the project. Additionally, some critical functions, such as ensuring that privacy requirements are met and establishing schedules and budgets, have been assigned to the contractor developing the data bank because HRSA did not believe it had the staff with the training and experience to perform them.

Furthermore, the project's total cost is uncertain at this time and could increase substantially. Currently, HRSA is modifying the contract, which will require further negotiations. HRSA said the modification is needed to cover certain requirements that existed at the time the data bank contract was awarded, but which had not been defined to the degree necessary for any offeror to address in a cost proposal. Completing these tasks could increase the project contract cost from $16.8 million to a total of $25 million.

A successful system development project needs to be well managed, conform to generally accepted systems development standards, and incorporate appropriate management controls. HRSA has not done this in the case of the National Practitioner Data Bank. We are making a series of recommendations aimed at ensuring that the data bank is not opened until corrective actions are taken by the Department of Health and Human Services.


Background

Title IV of the Health Care Quality Improvement Act of 1986 (P.L. 99-660), as amended, authorizes the Secretary of Health and Human Services to establish a data bank to ensure that unethical or incompetent practitioners do not compromise health care quality. This bank is to be created to help meet a national need to restrict the ability of incompetent practitioners to move from state to state without disclosure or discovery of the practitioner's previous damaging or incompetent performance.

The data bank is to contain information on adverse actions taken against a practitioner's license, clinical privileges, and professional society memberships, as well as information on medical malpractice payments. Hospitals, group medical practices, professional societies, and state licensing boards will have access to bank information. In addition, practitioners with data bank records will have access to their own records.
Title IV requires that actions taken against physicians' or dentists' licenses be reported. Section 5 of the Medicare and Medicaid Patient and Program Protection Act of 1987 (P.L. 100-93) expanded the scope of the data bank to include all licensed health care practitioners, as well as health care entities such as hospitals. Title IV required that reporting was to begin by November 1987.

Although the bank was originally scheduled to be operational in 1987, funding for the data bank was not approved by the Congress until the fall of 1988. In addition, the regulations for implementing Title IV provisions were not finalized until October 1989.

In December 1988 HRSA awarded a 5-year $15.8 million cost-plus-fixed-fee contract to the Unisys Corporation to establish and operate the data bank, which will be housed at the company's computer facility in Camarillo, California. HRSA expects to have the bank operating by September 30, 1990. The bank will open under Title IV requirements only. Implementation of Section 5 provisions is expected to follow about 1 year after the data bank opens. No information will be reported to the data bank until it opens. Except for malpractice awards or settlements paid through an annuity, no retroactive reporting on actions occurring before the opening date will be required. HRSA officials stated that a report must be made if a payment under an annuity is made after the data bank opens. Once HRSA establishes the opening date, it will be published in the Federal Register. The Unisys facility is expected to process over 1 million queries and about 67,000 malpractice and adverse action reports each year. Except for erroneous information, HRSA plans to maintain the information collected on practitioners indefinitely, without any provision for purging information. HRSA believes that purging information from the data bank is inconsistent with its statutory purpose of protecting the public.


Who Must Report and What Must Be Reported

Once the bank is open, individuals or entities, such as insurance companies and self-insured hospitals, who pay a malpractice claim or judgment must report the incident to the data bank. State medical and dental boards must also report disciplinary actions taken against a dentist or physician. Further, hospitals and other health care entities, such as health maintenance organizations and certain medical and dental group practices, must report adverse actions taken against a physician's or dentist's clinical privileges. These are actions, taken on the basis of the practitioner's professional competence or conduct, that will last more than 30 days. Also, professional societies must report an adverse action taken against a practitioner's membership through a formal peer review process. Section 5 provisions require states to report certain adverse actions taken against licensed health care practitioners or health care entities by any licensing authority of the state.


Verifying Accuracy of the Data Bank Information

Reports will be submitted by mail to the data bank using a standard form. Reports will be assigned a unique document control number that allows for identification and tracking from receipt through final disposition. Unsigned reports or reports missing required information will not be accepted by the data bank, according to HRSA officials.

After the report data are entered, the data bank contractor will (1) verify that the data were entered correctly and (2) send a verification document to the reporting entity. This verification document is to be reviewed and returned to the data bank. If errors or omissions are found, the entity that reported it must send an addition or correction to the data bank.

The subject practitioner will be notified that a report has been received by the data bank and given 60 days to dispute the accuracy of the report. If this practitioner believes there is an inaccuracy in the report, the practitioner is to discuss the disagreement with the reporting entity. Information contained in a disputed report will be released 30 days after receipt in response to queries; however, the practitioner can request that a notation be placed in the report stating that it is in dispute.

If the reporting entity amends or retracts a disputed report, all inquiring parties who had previously received the information will be notified by the data bank about the changes. If the reporting entity chooses not to change the report, the practitioner may request the Secretary of Health and Human Services to review the dispute. The Secretary then makes the final determination.
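The report-handling and dispute workflow just described, modelled as an added example (this is not code from the GAO report or from the data bank contractor). It assumes the practitioner's 60-day dispute window is counted from the receipt date, and the control-number format, dates and entity names are constructed placeholders; it shows that a disputed report is still released on day 30 (with the dispute notation) and that an amendment triggers notices to every prior recipient.

```python
"""Model of the data bank's report receipt, verification, dispute and
amendment workflow. Added illustration; timings taken from the report text,
everything else (names, dates, control-number format) is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

DISPUTE_WINDOW_DAYS = 60   # practitioner has 60 days to dispute accuracy
RELEASE_HOLD_DAYS = 30     # information released 30 days after receipt


@dataclass
class Report:
    control_number: str            # unique document control number
    practitioner: str
    reporting_entity: str
    received: date
    verified: bool = False         # data entry verified with reporting entity
    disputed: bool = False
    dispute_notation: bool = False  # "in dispute" notation requested
    amended: bool = False
    recipients: list = field(default_factory=list)  # queriers who received it

    def releasable_on(self) -> date:
        return self.received + timedelta(days=RELEASE_HOLD_DAYS)

    def dispute_deadline(self) -> date:
        return self.received + timedelta(days=DISPUTE_WINDOW_DAYS)


class DataBank:
    def __init__(self):
        self.reports: dict = {}
        self.notices: list = []   # (recipient, message) audit trail
        self._seq = 0

    def receive(self, practitioner, entity, received, signed=True, complete=True):
        """Accept a mailed report; unsigned or incomplete reports are rejected."""
        if not (signed and complete):
            raise ValueError("unsigned or incomplete report not accepted")
        self._seq += 1
        cn = f"DCN-{received.year}-{self._seq:06d}"   # constructed format
        rpt = Report(cn, practitioner, entity, received)
        self.reports[cn] = rpt
        self.notices.append((practitioner, f"report {cn} received; 60 days to dispute"))
        return rpt

    def verify(self, cn):
        """Contractor verifies entry; entity returns the verification document."""
        self.reports[cn].verified = True

    def dispute(self, cn, today, notation=True):
        """Practitioner disputes accuracy; refused after the 60-day window."""
        rpt = self.reports[cn]
        if today > rpt.dispute_deadline():
            return False
        rpt.disputed = True
        rpt.dispute_notation = notation
        return True

    def query(self, cn, querier, today):
        """Release a verified report once the 30-day hold has passed, even if
        it is disputed; the dispute notation travels with the data."""
        rpt = self.reports[cn]
        if not rpt.verified or today < rpt.releasable_on():
            return None
        rpt.recipients.append(querier)   # record who got it, for later notices
        return {"control_number": cn, "practitioner": rpt.practitioner,
                "in_dispute": rpt.dispute_notation}

    def amend(self, cn):
        """Reporting entity amends or retracts; every prior recipient is notified."""
        rpt = self.reports[cn]
        rpt.amended = True
        for q in rpt.recipients:
            self.notices.append((q, f"report {cn} amended"))
        return len(rpt.recipients)


def walkthrough():
    """One report's lifecycle; returns the observable outcomes at each step."""
    bank = DataBank()
    day0 = date(1990, 10, 1)   # constructed date after the planned opening
    rpt = bank.receive("Dr. Example", "Example Insurer", day0)
    bank.verify(rpt.control_number)
    early = bank.query(rpt.control_number, "Hospital A", day0 + timedelta(days=10))
    bank.dispute(rpt.control_number, day0 + timedelta(days=20))
    released = bank.query(rpt.control_number, "Hospital B", day0 + timedelta(days=45))
    late = bank.dispute(rpt.control_number, day0 + timedelta(days=61))
    notified = bank.amend(rpt.control_number)
    return early, released, late, notified


if __name__ == "__main__":
    print(walkthrough())
```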


Sanctions for Not Reporting

The Department's Office of the Inspector General has been delegated the authority to impose civil money penalties in accordance with Sections 421(c) and 427(b) of Title IV of the Health Care Quality Improvement Act. Under the statute, an individual or entity that fails to report malpractice payments will be subject to a civil penalty of not more than $10,000 for each unreported payment.


Who Must Query the Data Bank

Queries will be submitted to the data bank by mail using a standard form. Hospitals are required by the act to query the bank every 2 years on any physician, dentist, or other health care practitioner who is on its medical staff or has clinical privileges at the hospital. Hospitals also must request information from the data bank when they are considering hiring a physician, dentist, or other health care practitioner or granting clinical privileges. Hospitals may also request information from the data bank when they deem it necessary or while conducting professional review activities. While hospitals are the only entities that must request information from the data bank, other health care entities, including health maintenance organizations and group medical practices, may query the data bank as needed. Also, physicians, dentists, and other health care practitioners may request information concerning themselves. Any person who violates the confidentiality of data bank information may be subject to a civil penalty of up to $10,000 for each violation.


User Fees

A request for information from the data bank will be regarded as an agreement to pay the associated fee. Initially the fee for querying the data bank will range somewhere between $2 and $6 for each practitioner name submitted. Fee changes will be announced periodically in the Federal Register. User fees are estimated by HRSA to produce about $2 million a year. Additional funds needed to operate the bank will be requested by HRSA in its annual appropriation.

Status of the Data Bank

As of June 1990, the regulations, forms, and users' guidebook for implementing Title IV requirements have been completed; however, much work still needs to be done, specifically:

- the 19 software programs for implementing Title IV requirements need to be finalized, tested, and accepted;
- a software program to account for user fees needs to be finalized, tested, and accepted;
- acceptance and performance criteria for the software need to be developed;
- an adequate test plan for validating the data bank's software programs needs to be prepared; and
- system security features need to be identified and an assessment of system security vulnerabilities needs to be performed.

HRSA expects to distribute the finalized forms, instructions, and users' guidebook about 4 weeks before the bank becomes operational. According to users we spoke to, this short amount of time will make it difficult for users who plan to use computer systems to help generate the data required for the bank report and query forms, since the bank requires information they do not routinely collect. For example, an official of a large malpractice insurer stated that it will take over 5 months to program the company's computers so that the data bank reports can be prepared using information in the company's automated claims processing systems. In addition, it will take several months to train the 1,000 employees who will be responsible for preparing data bank reports or dealing directly with practitioners on malpractice payments, according to the company official. Because the documentation on the data bank's design was not finalized at the time we completed our work in June 1990, we could not assess the data bank's ability to collect data and generate reports relating to the professional competence and conduct of health care practitioners.

Data Bank Development Started Before Requirements Made Final

HRSA awarded the data bank contract before the system's requirements were finalized. Although the data bank contract was awarded in December 1988, development of the data bank did not begin until after the regulations for Title IV provisions were finalized and approved in October 1989.

Federal system development practices require that a comprehensive requirements analysis defining and documenting an automated system's functional, data, and operational requirements be prepared before an automated system is acquired. HRSA officials did not prepare such an analysis before awarding the data bank contract because they believed that the Congress, through the legislative process, had adequately defined and documented the data bank's data requirements. HRSA's decision to award a contract before finalizing the operational processes by which data bank information was to be gathered and disclosed was a mistake.

We found indications that the contractor developing the data bank recognized the incompleteness of HRSA's requirements for the data bank. The contractor, in a November 1989 Draft Narrative on Design and Implementation of the Bank, stated that the system design requirements identified in HRSA's request for proposals were extremely general. According to the contractor, HRSA's requirements focused on the content of the data bank by providing lists of data elements to be captured, but established neither firm requirements nor constraints on the development and operational processes by which the data bank was to be constructed and data was to be gathered and disclosed.

The data bank's development was delayed 10 months until the regulations for implementing Title IV provisions were finalized in October 1989. During this time the contractor held a series of educational conferences for potential users on the data bank legislation. HRSA finalized the processes in its October 1989 regulations, which describe the actual data to be collected and impose requirements and constraints on the data bank's design and architecture.

Sound Project Management Practices Are Not Being Followed

HRSA's approach to managing the development of the data bank has not followed federal system development requirements, which describe prudent management actions to minimize cost and performance risks. These requirements are embodied in the Federal Acquisition Regulation, Federal Information Resources Management Regulation, Office of Management and Budget guidelines, and the requirements of the Department of Health and Human Services, of which HRSA is a part. The requirements provide a structured means for ensuring that automated systems are successfully implemented. Flaws in HRSA's approach to developing the data bank cast serious doubt on whether a successful system can be deployed by the planned September 1990 opening date.

The Department requires bureaus and offices requesting approval to acquire computer services to follow a set of disciplined procedures to justify the procurement and to ensure that user needs are met at the lowest cost. In addition, the Department has established special requirements that apply to support services contracts that are for the development of a software application, such as the National Practitioner Data Bank. The Department requires that these procurements follow its systems development life cycle methodology[1] and federal information processing standards[2].

To ensure HRSA's compliance with Department requirements, the Department's Division of Telecommunications and Automated Data Processing, in its July 1988 memorandum approving HRSA's procurement request for the data bank, urged HRSA officials to take particular care to comply with the Department's Information Resources Management Manual, which summarizes federal system development requirements applicable to the Department's information resources activities, by thoroughly documenting system requirements. Failure to comply with this condition could render HRSA's delegation of procurement authority from the Department voidable, according to the Acting Director of the Department's Division of Telecommunications and Automated Data Processing who signed the memorandum.

HRSA is not following the Department's systems development life cycle methodology, and neither is it complying with the Department's Information Resources Management Manual. HRSA officials said they were not aware that they were supposed to be following the Department's systems development methodology or that the Department had established special requirements applicable to support services contracts. We examined HRSA's official acquisition file and found that documentation the Department deems necessary for ensuring effective management control over the project was missing. This documentation included the cost/benefit analysis of alternative approaches, an explanation of how the approach selected would meet users' needs at the lowest overall cost over the system's life, and a test plan for evaluating the software programs being developed by the contractor to ensure that they will attain the bank's stated objectives.

We asked HRSA officials why the studies and analyses were not in the acquisition file. The officials speculated that some of the required studies and analyses, such as the cost/benefit study, may be in the original acquisition file; however, agency officials have been unable to locate the file since 1988. Other documents, such as the test plan, have not been prepared because HRSA does not have staff with the necessary training, experience, and knowledge to prepare them. In the absence of this documentation, HRSA cannot ensure that the project will have effective management control.

[1] Department of Health and Human Services Information Resources Management Manual (Chapters 2 and 4), November 1, 1986.
[2] Federal Information Processing Standards Publication 64, Guidelines for Documentation of Computer Programs and Automated Data Systems for the Initiation Phase, ... Guidelines for Documentation of Computer Programs and Automated Data Systems, National Technical Information Service, Department of Commerce.


Confidentiality Concerns Have Not Been Adequately Addressed

The confidential receipt, storage, and disclosure of information is essential to the data bank's operation. Any unauthorized access or manipulation of practitioner information could have wide-ranging and serious consequences on the professional and personal lives of competent practitioners. To ensure proper identification of each individual on whom data is stored, as well as to ensure that those reporting to or requesting information from the data bank are authorized to do so, a system of unique identification numbers will be used. However, HRSA has not complied with Department and governmentwide security requirements in determining what security features should be included in the data bank's computer system to prevent unauthorized access and manipulation of data bank information.

The Department's Information Resources Management Manual states that organizations responsible for the operation of computer systems must ensure that computer programs and systems include adequate safeguards to prevent the unauthorized access and manipulation of the system. Also, the Department requires the development and use of risk analyses in the system development process to identify system threats and vulnerabilities and to provide managers and systems designers with recommended safeguards. The Department requires that the risk analysis be reviewed and revised during each phase of the system development life cycle to ensure that appropriate security measures are installed.

We found that the required risk analyses were missing from HRSA's acquisition file. HRSA officials provided us with documents that they believed met the key features of the Department's procedural requirements for risk analyses and data sensitivity studies. We reviewed the documents and concluded that they did not meet the Department's requirements. For example, the documents did not include any analysis of the damage that could occur by the unauthorized disclosure or manipulation of practitioner data or identify the security measures that were needed to prevent this from happening. The documents provided us by HRSA officials did show that as of May 1990 HRSA had not yet evaluated the actual software and operational aspects of the data bank. In the absence of this documentation, HRSA cannot ensure that the appropriate security measures are being installed to prevent unauthorized access and manipulation of data bank information.

In May 1990, as a result of concerns about security and project documentation, HRSA officials decided to engage the Federal Systems Integration and Management Center to evaluate the data bank's security system and to validate the system's software. As part of the evaluation, the Center was to identify system threats and vulnerabilities and effective countermeasures to these threats. The Center expects to issue a final report on the results of its evaluation by September 1990. In our view, this action, while needed, may be too late to ensure that appropriate security measures will be in place by September 1990. An assessment of system security vulnerabilities and the defining of system security specifications should have been completed prior to writing data bank computer programs.

HRSA Has Not Effectively Managed the Data Bank Contract

The Department has designated the data bank a major information
resources management initiative, which means, according to federal
regulations, that it should be headed by a project manager. Among other
things, the regulations require the project manager to be given budget
guidance and a written charter of his or her authority, responsibility,
and accountability for accomplishing project objectives.

The project manager is responsible for seeing that a system is properly
designed to meet the sponsors' and users' needs, and is developed on
schedule. The project manager is also responsible for seeing that all
system documentation is prepared as the system is being developed. If
the system is being developed by a contractor, the project manager is
responsible for certifying that the delivered system meets all technical
specifications, including security specifications. In addition, the
project manager is responsible for establishing a team with the required
skills and experience to manage the development of the system. The data
bank is being developed without a HRSA project manager because HRSA
does not believe it has anyone with the necessary expertise to oversee
the technical aspects of the contractor's efforts. Currently, at least 14
different HRSA officials are involved in developing and implementing the
data bank. However, HRSA officials acknowledged that there is no one
among the 14 with the necessary training and experience to ensure that
the system delivered by the contractor will meet all technical
specifications, including security.



Consequently, HRSA is relying on the contractor developing the data
bank to carry out the critical project management functions of
establishing plans, schedules, and budgets; and conducting most technical
activities, such as testing computer programs before they are
implemented. Because of HRSA's lack of expertise, other critical project
management functions, such as ensuring that system sizing assumptions
and work load volume are valid, identifying system internal control and
security vulnerabilities, and ensuring that the Department's security
requirements are being met, are not being carried out.

In May 1990, HRSA officials recognized the shortcoming of their project
management approach and decided to bring in the Federal Systems
Integration and Management Center to evaluate data bank development.
Accordingly, HRSA entered into an agreement that, among other things,
provides for validation of the data bank's software programs and an
evaluation to determine whether the system meets the Department's
security requirements. The Center's tasks include preparing
documentation describing the data bank's performance requirements and
each of the data bank's software programs and their function, as well as
developing a test plan for validating the data bank's software programs.
HRSA is to be commended for recognizing it needs help in managing this
contract; however, we believe this action may have come too late to
ensure that an effective data bank can be opened in September. Time
will be needed by the Center to replace missing documents and prepare
documents that are vital for managing this contract.

Project Cost May Increase

We have found in the past that not preparing studies and analyses, such
as those required by the Department, and the absence of a qualified
project manager during critical acquisition and implementation phases of
a project lead to problems. These problems include millions spent for
systems that did not meet users' needs, were not cost effective,
experienced cost increases, were costly to maintain, or simply did not
work.[3]

HRSA has begun to experience the effects of not preparing the required
studies and analyses. Although $15.8 million was approved for the
project over a 5-year period beginning in January 1989, currently, HRSA
is modifying the contract, which will require additional negotiations.
HRSA officials believe that the changes they are proposing will not
significantly increase project cost. In commenting on a draft of this
report, the Department of Health and Human Services said the
modification is needed to cover certain requirements that existed at the
time the data bank contract was awarded, but which had not been defined
to the degree necessary for any offeror to address in a cost proposal.
The additional requirements include the development of a user-fee system
and development of software to implement the requirements of Section 5
of the Medicare and Medicaid Patient and Program Protection Act. Our
discussion with contractor officials indicates they believe that about
$9 million may have to be added to complete the data bank project.

[3] Computer Acquisition: Navy's Aviation Logistics System Not Ready For
Deployment (IMTEC-90-11, Feb. 22, 1990); Tax Administration: Replacement
of Service Center Computers Provides Lessons for the Future (GGD-87-109,
Sept. 23, 1987); and Mining Violations: Interior Needs Management Control
Over Automation Effort (IMTEC-86-27, July 28, 1986).

Conclusions

The Congress considers the National Practitioner Data Bank to be
essential for helping track and monitor potentially dangerous licensed
health care providers. Because of the anticipated cost of developing and
maintaining the bank, the Secretary of Health and Human Services needs to
rethink HRSA's approach to implementing the National Practitioner Data
Bank. Allowing HRSA to continue along its current development approach
is risky given that much design work still needs to be completed, as
evidenced by the need to finalize many of the data bank's software
programs and to identify and install appropriate system security
features. The fact that the writing of software programs was initiated
prior to the establishment of effective management controls raises
serious questions regarding the usefulness of those software programs
developed to date.

Further, HRSA's failure to develop documentation necessary to safeguard
the confidentiality of the information collected raises questions about
HRSA's ability to ensure that proper safeguards are being built into the
system to prevent the unauthorized disclosure and use of highly
sensitive practitioner information. Any violation of privacy could have
an adverse effect on the health community and health care practitioners.
In our opinion, the bank should not be operated until it has been tested
to ensure that proper safeguards have been built into the system to
ensure against the unauthorized disclosure or manipulation of bank
information.

Additionally, the development of the data bank has been adversely
affected by a breakdown in management controls at HRSA. Because HRSA
has not designated a project manager and has either misplaced or did
not prepare critical documentation that is necessary for ensuring
effective management control over the project, it is questionable
whether efforts to develop the data bank will result in the development
of a system that effectively and efficiently meets the Congress'
expectations and the Department's requirements. Although HRSA has
invested many months of work, the agency has begun to experience the
effects of mismanaging the data bank project. The $15.8 million approved
for the data bank over a 5-year period may not be enough to complete the
project. An undetermined amount of additional funds (the contractor
estimates at least $9 million) may be needed to cover the costs incurred
in developing and operating the data bank over its 5-year life.

Recommendations

We recommend that the Secretary of Health and Human Services direct
the Deputy Assistant Secretary of the Office of Information Resources
Management, which is responsible for ensuring consistency with
information resources management statutory provisions and the
Department's requirements, to provide independent technical oversight
of the development, implementation, and operation of the data bank.

We further recommend that the data bank not be opened until the
Secretary has assurance from the Deputy Assistant Secretary of the
Office of Information Resources Management that effective security
procedures have been implemented and that software programs have been
successfully tested.

Agency Comments and Our Evaluation

In its July 16, 1990, comments on a draft of this report, the Department
stated that it was committed to the effective operation of the data
bank, including the application of all appropriate safeguards, and that
our report provides insights that will help it achieve this goal (see
app. II). The Department further said that our report touches on a
number of concerns under consideration within HRSA. For example, as part
of its final preparations for opening the data bank, HRSA has initiated
efforts to ensure that the system will operate as required by law and
regulation, with adequate provisions for security and the protection of
individual privacy.

The Department said it intends to open the data bank on or about
September 1, 1990, but agreed that the data bank should not be opened
until the system's security measures have been tested and their
adequacy verified. The Department said it strongly believes that it will
have all appropriate safeguards in place and tested before the data bank
opens. However, should any major deviation from specified system goals
be discovered, the Department said it would delay implementation rather
than risk consequences that would degrade public confidence in or
violate the essential integrity of the system.
We believe that a September 1 opening date is optimistic given the
amount of work remaining. Weaknesses identified by the General Services
Administration's Federal Systems Integration and Management Center, an
independent consultant engaged by HRSA to evaluate the data bank's
security system and software programs, will need to be addressed before
the data bank can open.

In July 1990 the Center reported that during its preliminary review of
the system's security, it had identified several weaknesses that will,
if not corrected, affect data bank security. For example, the Center
found that as presently designed, the data bank does not contain a
complete audit trail. An audit trail provides information for detecting
unauthorized changes to data bank information and associating those
changes with specific individuals or processes so that appropriate
action may be taken. In the absence of an audit trail, changes can be
made to the data bank without the possibility of detection by simulating
or masquerading as corrective actions.

The Center concluded that until audit trails can be clearly established,
the Department and practitioners will not have reasonable assurance
that the data bank contains only accurate information and that
erroneous information will not be disseminated. Further, the Center
advised HRSA that without a complete audit trail, certification of an
acceptable data bank security environment is not recommended.
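The audit-trail finding above is the one point in this report that can be shown in working code. The Python block below is an added illustration; it is not code from the GAO report, from HRSA, or from the data bank contractor, and it does not describe how the data bank was built. It shows the two properties the Center asks for: every change to a record is attributed to a specific actor, and a change made outside the logged path (the "corrective action" nobody recorded) or a log entry rewritten after the fact is detected when the log is replayed against the live store. Record identifiers, actor names and record contents are constructed sample data; the hash chain is one common way to make such a log tamper-evident and is this example's choice, not a requirement stated by the report.

```python
"""Tamper-evident audit trail for record changes (added example).

Every change goes through apply_change(), which records who changed which
record, the state before and after, and a SHA-256 hash chained to the
previous entry. verify() replays the log and compares the result with the
live store, so a record edited behind the log's back or a rewritten entry
is reported. Identifiers, actors and record contents are constructed.
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class AuditEntry:
    seq: int
    actor: str
    record_id: str
    before: Optional[dict]
    after: Optional[dict]   # None means the record was deleted
    prev_hash: str
    entry_hash: str = ""


def _digest(entry: AuditEntry) -> str:
    # Canonical JSON over every field except the hash itself, so the same
    # entry always hashes identically and any edited field changes the hash.
    payload = {"seq": entry.seq, "actor": entry.actor,
               "record_id": entry.record_id, "before": entry.before,
               "after": entry.after, "prev_hash": entry.prev_hash}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditedStore:
    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self.log: List[AuditEntry] = []

    def apply_change(self, actor: str, record_id: str,
                     after: Optional[dict]) -> AuditEntry:
        """The only sanctioned way to change a record: log first, then apply."""
        before = copy.deepcopy(self.records.get(record_id))
        prev = self.log[-1].entry_hash if self.log else GENESIS
        entry = AuditEntry(len(self.log), actor, record_id, before,
                           copy.deepcopy(after), prev)
        entry.entry_hash = _digest(entry)
        self.log.append(entry)
        if after is None:
            self.records.pop(record_id, None)
        else:
            self.records[record_id] = copy.deepcopy(after)
        return entry

    def verify(self) -> List[str]:
        """Replay the log; return the problems found (empty = consistent)."""
        problems: List[str] = []
        replayed: Dict[str, dict] = {}
        prev = GENESIS
        for i, e in enumerate(self.log):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != _digest(e):
                problems.append(f"entry {i}: hash chain broken")
            if replayed.get(e.record_id) != e.before:
                problems.append(f"entry {i}: before-state does not match replay")
            if e.after is None:
                replayed.pop(e.record_id, None)
            else:
                replayed[e.record_id] = copy.deepcopy(e.after)
            prev = e.entry_hash
        # Anything in the live store that the log cannot account for was
        # changed outside the audited path.
        for rid in sorted(set(replayed) | set(self.records)):
            if replayed.get(rid) != self.records.get(rid):
                problems.append(f"record {rid}: changed outside the audited path")
        return problems

    def who_changed(self, record_id: str) -> List[Tuple[int, str]]:
        """Attribute every logged change to a record to a specific actor."""
        return [(e.seq, e.actor) for e in self.log if e.record_id == record_id]


def _sample_store() -> AuditedStore:
    # Constructed sample data: one practitioner record, two logged changes.
    store = AuditedStore()
    store.apply_change("state-board-clerk", "P-0001",
                       {"name": "A. Example", "actions": ["license suspended 1989"]})
    store.apply_change("hospital-user-17", "P-0001",
                       {"name": "A. Example",
                        "actions": ["license suspended 1989", "reinstated 1990"]})
    return store


def demo_direct_edit() -> Tuple[List[str], List[str], List[Tuple[int, str]]]:
    """Erase an adverse action by editing the record directly, bypassing the log."""
    store = _sample_store()
    clean = store.verify()                   # [] : log and store agree
    store.records["P-0001"]["actions"] = []  # the 'corrective action' nobody logged
    return clean, store.verify(), store.who_changed("P-0001")


def demo_log_rewrite() -> List[str]:
    """Rewrite a log entry after the fact; the hash chain no longer checks out."""
    store = _sample_store()
    store.log[1].actor = "someone-else"
    return store.verify()
```

`demo_direct_edit()` returns an empty problem list before the unlogged edit and `["record P-0001: changed outside the audited path"]` after it, while `who_changed` still attributes both legitimate changes to their actors; `demo_log_rewrite()` returns `["entry 1: hash chain broken"]`. In a real deployment the log would be written to append-only storage under a different principal than the application, so that the process able to edit records cannot also rewrite its own trail.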

The Center expects to have a final report on the results of its security
review and software validation issued in September 1990. On the basis
of the results of the Center's findings and our own, we believe that the
Department should not open the data bank until the Center has issued
its final report, all security concerns identified by the Center are
satisfactorily addressed, and the system has been certified as ready to
operate.
Out of concern over the manner in which HRSA is managing the data
bank contract, the House Committee on Appropriations in a July
report[4] directed that funds provided for the data bank for fiscal
year 1991 not be obligated until the Secretary of Health and Human
Services is satisfied that the deficiencies we have identified in the
management of the data bank contract have been adequately addressed. In
addition, the Committee directed the Secretary to conduct a review of
the likely total capitalization and operating costs of the data bank
under current law and report these findings to the Committee.

[4] House Report No. 101-591, July 12, 1990.
After receiving the Department's written comments, we met with
Department and HRSA officials to further discuss our concerns. In a July
24, 1990, memorandum to us confirming agreements reached during this
meeting, the Administrator of HRSA discussed actions the Deputy
Assistant Secretary for Information Resources Management and HRSA will
take to ensure that the data bank is not opened until it is ready to
open (see app. III). The Administrator agreed that (1) there should be a
specific HRSA official who is responsible for the overall management of
the data bank's implementation, (2) the Department's Deputy Assistant
Secretary for Information Resources Management will provide technical
oversight to HRSA, and (3) the data bank will not be opened until the
Deputy Assistant Secretary for Information Resources Management
provides assurances that effective security procedures have been
established and that software programs have been successfully tested.
We believe that, if successfully implemented, the actions HRSA plans to
take will effectively address our concerns.

As arranged with your offices, unless you publicly announce the
contents of this letter earlier, we plan no further distribution of it
until 30 days after the date of this letter. At that time, we will send
copies to the Secretary of Health and Human Services; the Assistant
Secretary for Health, Public Health Service; the Director, Office of
Management and Budget; and other interested parties. Copies will also
be made available to others upon request. This report was prepared
under the direction of Frank W. Reilly, Director, Human Resources
Information Systems, who can be reached at (202) 275-3462. Other major
contributors are listed in appendix IV.




Ralph V. Carlone
Assistant Comptroller General




Contents

Letter

Appendix I: Scope and Methodology

Appendix II: Agency Comments and Our Evaluation
    GAO Comments

Appendix III: Memorandum From the Administrator of HRSA   38

Appendix IV: Major Contributors to This Report   40


Abbreviations

GAO     General Accounting Office
GGD     General Government Division
HRSA    Health Resources and Services Administration
IMTEC   Information Management and Technology Division
Appendix I

Scope and Methodology

Our review was conducted from March 1990 to June 1990 at the Health
Resources and Services Administration headquarters in Rockville,
Maryland, the Department of Health and Human Services headquarters in
Washington, D.C., and the office of the contractor who is developing
the National Practitioner Data Bank. In addition, we interviewed the
project director and assistant project director for the contractor
hired to develop the data bank. We performed our audit work in
accordance with generally accepted government auditing standards. The
Department of Health and Human Services provided written comments on a
draft of this report. These comments are discussed in the report and
are presented and evaluated in appendix II.

To ascertain HRSA's approach for developing the data bank, we reviewed
its procurement request. We also interviewed responsible agency
officials, future users of the data bank, and the contractor who is
developing and will operate the data bank, and obtained their views on
the adequacy of the approach that HRSA is using to develop the data
bank.

To determine whether HRSA was complying with the conditions established
in the delegation of procurement authority and was following
procurement procedures in the Department's Information Resources
Management Manual, we reviewed documentation submitted by HRSA to the
Department and compared it with Health and Human Services' requirements
applicable to automated data processing procurements. We also discussed
Health and Human Services' policies and procedures with the
Department's Office of Information Resources Management, which reviewed
and approved the request. We discussed the facts presented in this
report with Health Resources and Services Administration and Department
of Health and Human Services Office of Information Resources Management
officials during the course of our work and have incorporated their
views where appropriate.
Appendix II

Agency Comments and Our Evaluation

Note: GAO comments supplementing those in the report text appear at the
end of this appendix.

DEPARTMENT OF HEALTH & HUMAN SERVICES          Office of Inspector General
                                               Washington, D.C. 20201

Mr. Ralph V. Carlone
Assistant Comptroller General
United States General Accounting Office
Washington, D.C. 20548

Dear Mr. Carlone:

Enclosed are the Department's comments on your draft report,
"Automated Data Processing: HRSA's National Practitioner Data Bank Is
Not Ready To Operate." The comments represent the tentative position of
the Department and are subject to reevaluation when the final version
of this report is received.

The Department appreciates the opportunity to comment on this draft
report before its publication.

                                   Sincerely yours,

                                   Daniel W. Blades
                                   Assistant Inspector General
                                     for Public Health Service Audits

Enclosure
DEPARTMENT OF HEALTH AND HUMAN SERVICES' COMMENTS ON
THE GENERAL ACCOUNTING OFFICE DRAFT REPORT ENTITLED
"NATIONAL PRACTITIONER DATA BANK IS NOT READY TO OPERATE"

General Comments

We appreciate the opportunity to provide comments on the General
Accounting Office's (GAO) draft report on the Health Resources and
Services Administration's (HRSA) development of the National
Practitioner Data Bank (NPDB).

This report provides additional insights which will assist us as we
work for the fully successful implementation of this most critical
system.

The NPDB, when operational, will play a vital role in identifying and
protecting the public from incompetent or unethical health care
professionals. We believe the management processes employed by HRSA are
both reasonable and adequate to achieve this goal.

The draft report touched on a number of concerns already under active
consideration within HRSA. For example, as part of its final
preparations for opening the NPDB, HRSA has initiated efforts to assure
that the system will operate as required by law and regulation, with
adequate provisions for security and the protection of individual
privacy.

We are absolutely committed to the effective operation of the NPDB,
including the application of all appropriate safeguards. At this time,
indications are that a September 1 start date is feasible. However,
should we discover any major deviation from the specified system goals,
we would delay implementation rather than risk consequences which would
degrade public confidence in the system, or violate the essential
integrity of the system.

The following are our comments on the recommendations.

GAO Recommendation

1.  We recommend that the Data Bank not be opened and further funding
    for the contract to develop and implement the Data Bank not be
    provided until the Administrator, HRSA: (1) adopts an approach that
    conforms to the Federal system development requirements, including
    the Department's Information Resources Management Manual; (2)
    explicitly defines the Data Bank's requirements, performance
    standards, and security features; (3) ensures that appropriate
    management control elements are introduced into the project; (4)
    develops adequate test plans for validating Data Bank software
    programs; (5) establishes a formal project quality control system;
    and (6) determines what security features should be included to
    prevent the unauthorized access and manipulation of Data Bank
    information.
                 Department         Comment

See comment 1    We do not concur.                HRSA has approached                the information            resources
                 management         (IRM)       system       development           in     an overall           acceptable
                 manner.         HRSA's        statement         of work         in     the    contract         contained
                 adequate      functional          requirements          for     the contractor             to initiate
                 development        of the NPDB; and the decision                         to use the competitive
                 market     place       to determine            the     best      approach        to system          design
                 requirements           is     consistent           with      Departmental             policy.            The
                 marketplace         responded         with     diverse       technical          proposals,         and we
                 believe     the systems          approach       of the contractor             selected        by HRSA is
                 consistent      with applicable              Federal      requirements.            It also needs to
                 be pointed        out that         HRSA has incorporated                  major     elements       of IRM
                 life    cycle     management,           including        security,         into     the contractual
                 requirements          sufficient          for    the     contractor          to respond          with     an
                 acceptable       technical         proposal.

See comment 2.   As a result         of ongoing          monitoring         and site      visits      which      revealed
                 concerns          about        certain         aspects         of     security          and       project
                 documentation,             HRSA executed           an interagency             agreement        with     the
                 General      Services         Administration's           Federal      Systems       Integration          and
                 Management         Center      (GSA/FEDSIM)         to evaluate         system security             and to
                 verify     and validate          software.         The independent            consultant        provided
                 by GSA/FEDSIM              has confirmed           that      the    system       requirements            are
                 adequate,        and        asserts       that    confidentiality             concerns        have been
                 adequately        addressed.           The independent           consultant       further       believes
                 it is possible             for the system          to be tested,           validated,         and major
                 issues      satisfactorily             addressed       for the NPDB to be certified                        to
                 operate      as planned,          by September          1.
                 NPDB project          management      activities         have followed            a systematic         and
                 typical        Departmental         approach        throughout           the    course       of system
                 design       and development.                This      approach        begins       with      the    line
                 responsibility           of the program            project       officer        (who must receive
                 specific        project     officer      training),          the contracting            officer,       and
                 their    respective        management        chains,       buttressed         by support         from IRM
                 and financial           management      staff.        Due to the need for expertise                      in
                 fields      such as insurance          and hospital            administration,           and the need
                 for outreach           to user groups,           a Panel       of Experts         and an Executive
                 Committee        have also provided             advice      regarding        the NPDB.

See comment 3    As of today,          the NPDB is on schedule      for a September                            opening     and
                 within   budget         for the work for which    HRSA originally                             contracted.
                 The contractor's           initial  proposal regarding   a planned                            contract




                          Page 21                                            GAO/IMTEC90-68         National     Practitioner        Data Bank
                        Appendix 11
                        Agency Comments      and Our Evaluation




                                                                                                                        3



modification was out of line. It has subsequently been withdrawn by the contractor. Moreover, additional funding to be negotiated with the contractor will be for expenses associated with the full implementation of legislative requirements contained in Section 5 of Public Law 100-93, and for a 10-month extension in the period of operations to compensate for a delay in the issuance of regulations. This work is unrelated to the system implementation and September 1 remains a viable target.
GAO Recommendation

2. We further recommend that the Secretary for Health and Human Services:

   -- direct the Department's Director of Telecommunications and ADP to reconsider HRSA's Delegation of Procurement Authority (DPA) because the agency has failed to comply with the conditions established in the delegation for the agency's NPDB; and

   -- direct the Department's Deputy Assistant Secretary of the Office of Information Resources Management, which is responsible for ensuring consistency with information resources management statutory provisions and the Department's requirements, to take over management of the project until the Administrator of HRSA can demonstrate that appropriate management controls have been introduced into the project.
Department Comment

See comment 1.  We do not concur. The GAO has provided no analysis of management alternatives, but has chosen and recommended a single option. The Assistant Secretaries for Health and for Management and Budget intend to support HRSA at this critical juncture in the project by providing an appropriate level of assurance that the management of the project and the final decisions leading to opening the NPDB are technically sound, take into account consultant and staff recommendations, and fully weigh any indicated risks.








Technical Comments

1. Will the National Practitioner Data Bank Open in a Timely Fashion?

   Page 2: "The Data Bank is not ready to begin operating in September 1990." There is no assurance that appropriate security measures will have been installed to prevent unauthorized access and manipulation of Data Bank information.

   Pages 19-20: "The Bank should not be operated until it has been tested to ensure that proper safeguards have been built into the system to ensure against the unauthorized disclosure or manipulation of Data Bank information."

   Page 9: Four weeks' lead time for distribution of the Data Bank forms, instructions, and user guidebook is not sufficient.

   Comment: The Department intends to open the Data Bank on or about September 1, 1990. We are strongly of the opinion that all appropriate safeguards will be in place and their adequacy tested and documented before the Data Bank opens. The Department will not proceed with the opening of the Data Bank unless it has assurance from an independent source that the system is secure and, moreover, that it will operate in accord with design specifications. The preliminary report of the independent contractor, whose services we engaged through GSA/FEDSIM to evaluate the system's security and efficacy, indicates that the remaining tasks needed to open the Data Bank can be feasibly completed within existing time and resource constraints. Please refer to Section E, Security Concerns, following, for detailed discussion on these issues.

   Insofar as the issue of lead time is concerned, steps have already been taken by Data Bank program and contractor staff to ensure that the entities with Data Bank reporting and querying responsibilities will have in their possession, well in advance of the Data Bank's opening, the materials they will need to carry out these responsibilities. For example, the Data Bank reporting and querying form, the instructions for their completion, and the user guidebook (which is a detailed reference for individuals and entities reporting to and querying the Data Bank) all have been printed through GPO auspices and delivered to the Unisys Corporation's Camarillo Computer Facility site, which is the locus of the Data Bank computer operations. Nationwide distribution of these materials by the Department, through the Data Bank contractor, will proceed on schedule. Delivery of the Data Bank forms,







   instructions, and guidebook to the Nation's hospitals and other health care entities, medical malpractice insurers, State medical and dental boards, and professional societies (an estimated total of 16,000 entities) has already begun and all addressees will have received them by the end of July. This means that the entities with Data Bank reporting and querying responsibilities would have the necessary program materials at least a month before the scheduled opening of the Data Bank.

   Moreover, advance copies of the Data Bank forms, instructions, and Guidebook have already been provided to organizations representing the major user groups, e.g., the American Medical Association (AMA), American Dental Association (ADA), malpractice insurance consortia, etc., in May 1990. They in turn have duplicated them and are currently distributing them to their respective memberships and constituencies. Thus, critical documents are in their hands well before the formal mailing.

   Additionally, Data Bank program and contractor staff held over 12 educational conferences nationwide in February and March 1990 to orient entities with Data Bank reporting and querying responsibilities to the Data Bank requirements, forms, and related materials. These conferences were announced in the Federal Register. Further, Federal representatives of the Data Bank have addressed, upon invitation, numerous national professional health care and related organizations regarding Data Bank requirements, as well as their interpretation, reporting and querying policies and procedures. Through these and other activities, major professional organizations and entities have been kept fully and periodically informed about what they needed to know in order to help their constituencies fulfill their responsibilities to report to, or query, the Data Bank.

   Throughout the developmental phase of the Data Bank, counsel and assistance have also been solicited from, and provided by, a variety of health professionals, professional health care and other associations and organizations, including public interest groups, with expertise essential to the establishment and implementation of the Data Bank. These are described below.

   In February 1987, the former HRSA Administrator, Dr. David Sundwall, convened an ad hoc Title IV advisory committee comprised of Government personnel drawn from offices and agencies involved in programs bearing on medical liability and malpractice, licensing and discipline in the health








   professions, quality assurance and risk management, and other matters relevant to the Data Bank. A major contribution of this committee was to lay out the conceptual design and framework for the Data Bank, in relation to requirements set forth in the Title IV statute.

   Responsibility for drawing up more detailed design elements for the Data Bank, the specification of requirements for the Data Bank procurement, and the eventual contract scope of work, was given to a Technical Advisory Panel whose membership included several senior Federal employees with distinctive knowledge and expertise in computer technology and ADP system design.

   Two bodies comprising representatives of leading health care related professional organizations, the Data Bank Executive Committee and the Data Bank Panel of Experts (POE), have provided advisory guidance and assistance to the Department and the contractor throughout the Data Bank's development and pre-implementation phases. The Executive Committee's membership includes the AMA, ADA, ABA, and other national organizations and consumer groups. The POE includes nationally recognized professionals in areas such as hospital administration, medical liability insurance, licensure and discipline of health care practitioners, and computer science. The Executive Committee has been involved in virtually all aspects of the Data Bank's development and implementation and has assisted with the formulation of operational policies and procedures for the Data Bank, including, for example, those dealing with security, confidentiality, and reporting and querying methods. The Executive Committee also had direct input into the formulation of the content of the NPDB Guidebook, which is the principal reference and resource document for individuals and entities with Data Bank reporting and querying requirements. The POE was integrally involved with the design and development of the Data Bank reporting and querying instruments, including the formulation of specific reporting codes, and with the preparation of the instructions for completing the forms. The POE met collectively on several occasions and individual members were called upon separately, as needed, for their particular expertise.

   The HRSA Data Bank staff have been diligent in their efforts to seek out, engage, and listen to outside interest groups and the general public in the Data Bank development process. Public forums were held on the Data Bank on October 2 and November 27, 1989; a broad cross-section of professional health-related organizations and other interest groups, and






   representatives of the lay, consumer public and public media participated in these sessions.

   Other examples of major Data Bank outreach efforts include a December 14, 1989 Invitational Conference for National Professional Associations; a January 11, 1990 conference with representatives of national hospital associations and HMO/group practice organizations to help plan Educational Conferences for Hospitals and Other Health Care Entities; and, as noted, during the period February 5 - March 29, 1990, the convening of a series of conferences, nationwide, to provide guidance for entities and individuals in meeting their responsibilities to report to or query the Data Bank, viz., medical malpractice insurers, State medical and dental boards, hospitals and other health care entities, and professional medical and dental societies. Recommendations on Data Bank policy and procedural proposals made at these conferences were considered, and often incorporated, as appropriate, into the pertinent Data Bank policies, procedures, and user materials.

2. Process and Timing of Developmental Steps

   Page 10: Data bank development started before requirements were finalized.

   Page 2: HRSA began developing the data bank before system threats and vulnerabilities were identified.

   Page 11: HRSA's decision to award a contract before finalizing the operational processes by which data bank information was to be gathered and disclosed was a mistake.

See comment 4.  Comment: As already indicated, the Data Bank was not a proposal that originated within the Executive Branch, but was mandated by Congress. Thus, there was not the opportunity to develop the options analysis that would have typically been associated with the development of a new system. HRSA was required to implement this legislative requirement with little lead time. Funding did not become available until October 1988 (FY 1989), thereby delaying the awarding of a contract until December 1988. The final regulations implementing Title IV requirements were not published until October 1989 principally because of the Department's effort to comply with OMB directives regarding the scope of data elements to be covered in those final regulations.

See comment 5.  To have waited until after publication of the final regulations to award a contract would have further delayed implementation of the program by a year. Such deferral was







   unnecessary because the basic Data Bank requirements had already been specified in the NPRM (which was provided to Unisys) and which, ultimately, did not change significantly when the final regulations were promulgated. The contractor knew what was expected of it well before the final Title IV regulations were published, since such requirements were reflected in the contractor's technical proposal of August 1988. The RFP/scope of work was carefully written to provide specific guidance in the areas of Data Bank systems design and security requirements. The contractor recognized and accepted the need to meet those requirements in its technical proposal of August 15, 1988 (Page A.2 - 49, Section 2.1.2). Further, in its "Draft Narrative on Design for and Implementation of the Data Bank" (Contract Deliverable Item 32, November 1989), the Data Bank contractor acknowledged detailed requirements and that the security constraints in the RFP/scope of work were "extensive in scope and detailed in their requirements, covering all aspects of security." The GSA/FEDSIM preliminary report confirms that Unisys believed the specification level to be adequate.

3. Adherence to Departmental Procedures

   Page 13: HRSA is not following the Department's systems development life cycle methodology and neither is it complying with the Department's Information Resources Management Manual.

   Page 13: Missing documentation: cost-benefit analysis of alternative approaches; explanation of how the approach selected would meet users' needs at the lowest overall cost over the system's life; test plan for evaluating the software program.

   Comment: The decision to contract out both the development and operation of the Data Bank was made by former HHS Secretary Otis R. Bowen.

   In his communication of October 30, 1987 to James C. Miller, III, Director, OMB, requesting a $3.2 million budget amendment to the President's FY 1988 request for HRSA to implement the Health Care Quality Improvement Act of 1986 (the Act), Secretary Bowen stated that he had decided "that HRSA should secure the services of a private contractor to act as the Government's agent in the collection and release of the(se) data" which the Act required be reported to the Data Bank. In his communication to the President regarding that budget amendment request, Mr. Miller affirmed the Secretary's decision to engage the services of a private contractor in establishing the Data Bank.








   Dr. Bowen's decision was based on the sensitivity of the subject, the relative lack of in-house capability, and the urgency of carrying out the congressional requirements. Separate contracts for the design and the implementation of the Data Bank would, perhaps, have been desirable (although not required by departmental procedures) but would have significantly delayed implementation of the legislative mandate.

See comment 6.  Further, HRSA has complied with all required departmental procedures. According to Chapter 2, Section 2-20-00, of the HHS IRM Manual, HHS managers may tailor their management approach to life cycle guidelines "where appropriate to meet the particular needs of their own programs."

See comment 7.  The documentation associated with the Delegation of Procurement Authority (DPA) adequately addresses departmental requirements. In particular, the requirement to develop a test plan was placed on the contractor (Unisys), and the adequacy of the test plan is being evaluated separately by the GSA/FEDSIM contractor.

   The contractor's technical proposal of August 1988 ("Quality Assurance/Configuration Management") commits to adhering to appropriate systems development methodology as specified by HHS in the RFP/scope of work.

4. HRSA's Management Process

   Page 2: HRSA has not designated a project manager, so no one has been accountable for the project since it began.

   Pages 2-3: HRSA has either misplaced or not developed critical documentation necessary to ensure effective management control and oversight of the project.

   Pages 11-12: Sound project management practices are not being followed. Flaws in HRSA's approach to develop the data bank cast serious doubt on whether a successful system can be deployed by the planned September 1990 opening date.

   Pages 16-17: HRSA has not effectively managed the data bank contract. "According to Federal regulations . . . it should be headed by a project manager;" "Currently, at least 14 different HRSA officials are involved in developing and implementing the data bank;" ". . . critical project management functions . . . are not being carried out."








                Page 20:  The development   of the data bank has been                                       adversely
                affected by a breakdown   in management   controls
                at HRSA.  Because HRSA has not designated       a project
                manager. . .

See comment 8

Comment: The main thrust of GAO's criticism stems from the premise that this project should have been managed in accordance with established guidelines for a "major systems acquisition," requiring the designation of someone with "project manager" responsibilities at the beginning of the developmental process. A "project manager" in the sense used by GAO has much broader authorities than are generally delegated below a Bureau level in this Department and is not required by the Department for a project of the size of the Data Bank. Although HRSA has not designated one individual as the "project manager," the NPDB has been managed responsibly and effectively through established line management structures, methodologies, and controls. The project officer for the contract meets all departmental requirements for a contract project officer and he reports to a Division Director, who reports to a Bureau Director. The contracting officer and the HRSA Financial Management Office do not report to the project officer or Bureau Director and this does not fit the GAO view of how a project of this magnitude should be managed. It is our view, however, that the normal departmental line management system is sufficient to assure appropriate management controls. This method/approach of management is entirely consistent with that successfully used for similar projects in the Department. While different from the model GAO contends is necessary, we believe this approach will result in the opening of a secure data bank on or about September 1, 1990.

In fact, a combination of contractual requirements and program policies has consistently been used by HRSA to implement sound management practices.
Planning for the Data Bank began in February 1987 when a series of ad hoc advisory committee meetings were held to formulate a plan to develop a Data Bank to meet the requirements of Title IV of Public Law 99-660, the Health Care Quality Improvement Act of 1986. Senior representatives from the Office of the Secretary, ASH, HRSA, BHPr, and other Federal organizations attended these meetings. The meetings served as a basis for developing the Data Bank RFPs and NPRM. An RFP was first issued in June 1987. The scope of work was carefully written to provide specific guidance in the areas of Data Bank systems design and security requirements. In March 1988 the RFP was withdrawn because no funds were available. An updated RFP was issued in August 1988.
On December 30, 1988, a 5-year $15.9 million contract was awarded to Unisys Corporation to develop and operate the Data Bank. In their technical proposal, the contractor assured the Department of their expertise in systems design, security, and with the Privacy Act. Soon after the contract was awarded, Unisys was provided with a copy of the Data Bank NPRM to be used as a basic blueprint along with the scope of work in order to begin the development of the systems design. Although the final regulations were not published until October 1989, Unisys was instructed to continue development of the systems design based on continuous input from the Department regarding the shape of the draft final regulations.
The scope of work called for a Data Bank Executive Committee and POE (formerly the Technical Assistance Group). The committee is advisory to the contractor. Two of the functions of the committee are to review and comment on the Data Bank policies and procedures for its operation and to advise on criteria against which the Data Bank will be assessed, including issues such as security and confidentiality. The POE consists of individuals with expertise in computer science and other "technical" areas of systems design. Since January 1989, the Executive Committee has met four times and the POE three times. Both the committee and panel have provided valuable assistance and expertise to Unisys and the Department regarding the development of the Data Bank.
Legal and program staff of the Department have worked closely with the contractor to develop policies and procedures to assure a secure environment for the confidential receipt, storage, and controlled dissemination of data from the Data Bank. Contract Deliverable Item 39 - "Draft Policies and Procedures for the Initial NPDB Operation" expands on the scope of work to provide the contractor with a detailed description of Data Bank policies and procedures (PPDs) for reporting to and requesting information from the Data Bank. In addition to this document, the Department and the contractor have worked closely on development of Data Bank output documents, reporting and querying forms and instructions, and the Guidebook for individuals and entities reporting to and querying the Data Bank.
The "output" materials consist of a series of documents which include reporting entity verification of information sent to the Data Bank, practitioner notification that a report has been made to the Data Bank about them, and a practitioner's dispute of the accuracy of information in the Data Bank. The reporting and querying forms and instructions were carefully crafted following extensive discussions regarding systems design, confidentiality and security between the Department, Unisys, and affected organizations in the Federal and non-Federal sectors.
Other management and oversight procedures have already been described above, e.g., regular meetings between HRSA, BHPr, and Unisys since the first year of the contract regarding Data Bank policies, procedures and systems design. Contrary to the impression created by GAO, the RFP/scope of work is studded with specific operational requirements developed by HRSA for the Data Bank which the contractor, in various documents, affirms and commits itself to fulfilling. The GAO allegation that the contract was awarded before the system requirements were finalized is, therefore, misleading; the contractor knew what was expected of it well before final regulations were published.
In summary, HRSA has exercised a style of management of this project that is entirely consistent with that successfully used in the case of other projects for which it is or has been responsible. While different from the inapplicable management model which GAO seems committed to imposing, the fact remains that the approach employed by HRSA will result in the opening of a secure Data Bank on or about September 1, 1990. The Data Bank has been designed according to RFP/scope of work requirements by a contractor employed by the Department for the specific purpose of doing so. The contractor has been continuously guided and advised by a variety of oversight mechanisms in the process of achieving the result desired by the agency according to its own timetable.

5. Security Concerns

Page 14: HRSA has not complied with Department and Governmentwide security requirements.

Page 15: HRSA cannot ensure that the appropriate security measures are being installed to prevent unauthorized access and manipulation of data bank information.

Page 20: The bank should not be operated until it has been tested to ensure that proper safeguards have been built into the system to ensure against the unauthorized disclosure or manipulation of bank information.

Comment: We agree that the Data Bank should not be opened until the system's security measures have been tested and their adequacy verified. Assuring the security of the Data Bank has been a concern to which the Department has devoted much attention and effort since the beginning of the project. As mentioned earlier, the contract scope of work is replete with requirements/specifications bearing on system security and integrity. Further, security reviews were conducted by HRSA staff in April 1989 and March 1990, each lasting several days. As a result of these reviews, HRSA implemented its Phase II systems review, involving more technical expertise than was available within the Agency. It was at that point that HRSA entered into an agreement with GSA/FEDSIM to provide independent evaluation, test, and certification reviews. The initial site visit and documentation review has been completed and their preliminary analysis indicates "all deficiencies identified to date are correctable within a time frame which will not significantly impact the NPDB schedule."
6. Cost

Page 3: Project's cost could increase substantially.

Page 18: PROJECT COST MAY INCREASE.

Comment: GAO also raised concerns about cost overrun and contended that prospective increased contract costs were due to HRSA's failure to "prepare the required studies and analyses in sufficient detail prior to award of any contract." This statement is inaccurate.

See comment 3

HRSA initiated a proposed contract modification to the original statement of work with the issuance of a Request for Proposal (RFP) to Unisys. The purpose of this RFP was to define "new" statement of work requirements confirmed by the final approval of the NPDB regulations. The new requirements dealt with aspects of the Data Bank's operation that were known to exist at the time of contract award, but not to the degree necessary for any offeror to address in a cost proposal, e.g., the development of a user fee system, the determination of the actual user fee based on cost criteria identified in the regulations, and the implementation of the NPDB to accommodate the requirements contained in Section V of Public Law 100-93 which requires reporting of disciplinary actions executed on all licensed health professionals such as nurses and therapists. The original contract was for a period of 5 years but because of a 10 month delay in issuing regulations, a corresponding 10 month extension and associated funding were also proposed.

Thus, the negotiations identified by the GAO were essential to contract administration and not attributable to an unanticipated cost overrun. The contractor responded to the proposed modification inappropriately with a re-baselining of the entire contract costs rather than individual pricing of the new statement of work requirements and the 10 month delay. HRSA advised the contractor that their proposal was inappropriate and unacceptable. The contractor's proposal was withdrawn in its entirety.
At the present time, HRSA has not requested the contractor to submit a revised proposal, but has informed the contractor that negotiations and a contract modification are expected shortly.

It is the position of HRSA that a modification is necessary to cover the modifications described above, the extension of the contract period and otherwise cover certain changes in technical direction. However, the contractor's estimate that costs are expected to increase by $9 million is unfounded.
7. GAO's Identification of Procurement Sensitive Information

See comment 9

The GAO report indicates that HRSA decided to bring in a contractor in May 1990. This statement, which is also made on Pages 2 and 15, should indicate that HRSA entered into an Interagency Agreement with GSA/FEDSIM. Also, the value of a referenced "contract" is procurement sensitive and should be deleted. Page I of Project Element Plan (PEP) No. 2, which is part of HRSA's Interagency Agreement with GSA/FEDSIM, states non-disclosure requirements relating to information contained in the PEP.

GAO Comments

1. In its July 16, 1990, comments on our draft report, the Department disagreed with our proposed recommendations. After receiving the Department's comments, we met with Department and HRSA officials to further discuss our concerns. Overall, the Department officials agreed that the data bank should not be opened until the Department's Deputy Assistant Secretary for Information Resources Management provides assurances that effective security procedures have been implemented and that software programs have been successfully tested. In addition, the Department agreed to designate a project manager to ensure that the data bank is properly managed. The Department also said that the Deputy Assistant Secretary for Information Resources Management will provide technical oversight to the data bank project. On the basis of these agreements, we have refined our recommendations to reflect our general concern that the data bank not be opened until it is ready.
2. We reviewed a preliminary report on system security issued by the independent consultant in July 1990. We disagree with the Department's assertion that the consultant has confirmed that the data bank's system requirements are adequate and that confidentiality concerns have been adequately addressed. The consultant's report found several vulnerabilities that will affect the security of the data bank if they remain uncorrected. The report also found that the documents identified by HRSA as containing the data bank design did not contain sufficient information to provide a reasonable level of assurance that the functional security requirements identified by HRSA in the solicitation for the data bank were being effectively implemented. The report further found that although Unisys had defined an effective approach for development and implementation of the data bank, the approach was not being followed. Additionally, the report found one security vulnerability that would result in a recommendation not to certify the acceptability of the data bank. The data bank lacks the capability to detect unauthorized changes to the data bank, according to the report. The report concluded that until this vulnerability is adequately addressed HRSA and practitioners will not have reasonable assurance that the data bank contains only accurate information.
3. The draft has been modified to show the current status of HRSA's proposed modification to the data bank contract's original statement of work.

4. According to the Department, HRSA did not have the opportunity to develop analyses that are typically associated with the development of a new system because HRSA was required to implement the data bank with little lead time. We disagree. We believe the 4 years that have been spent by HRSA in developing the data bank provided sufficient time to prepare the various studies and analyses typically associated with the development of a new system.

5. The Department asserts that waiting until after publication of the data bank's final regulations to award a contract was unnecessary because the basic requirements for the data bank had been specified in documents HRSA provided to the contractor. The Department said the solicitation documents and contract's scope of work provided specific guidance in the areas of systems design and security. We disagree. We found, and the contractor and Federal Systems Integration and Management Center agree, the basic requirements contained in the Department's solicitation documents are extremely general and do not constitute an adequate description that would permit development of a system design. Furthermore, the contractor in a December 1989 letter to HRSA stated that

    The delay in publishing implementing regulations for the data bank has had a significant impact on the design and development of the data bank. On the one hand, the delay in publishing regulations has required slowing down the development process and the project's rate of spending; but, on the other hand actual development activities will need to be extended over a longer period of time, particularly in connection with the implementation of Section 6 requirements.

Had HRSA waited to award the contract until the regulations were finalized it could have had a more specific set of requirements to be used in designing the system because the regulations establish criteria and procedures for collecting and releasing information from that data bank.

6. The Department stated that HRSA has complied with all required departmental procedures. We disagree. We found evidence showing that HRSA did not always comply with required departmental procedures. For example, in June 1988 the Department directed HRSA to prepare a cost/benefit analysis which was to include the development of and pricing for at least three alternative methods for developing the data bank. The Department requires cost/benefit analyses so that managers, users, designers, and others have adequate information to analyze and evaluate alternative approaches to meeting mission needs. HRSA officials said that the cost/benefit analysis was not prepared because they had assumed the Department had approved HRSA's request to have the requirement waived. However, HRSA officials could not provide documentation showing the requirement had been waived.

The Federal Systems Integration and Management Center also found that HRSA had not always complied with departmental requirements. For example, the Center found that the data bank does not contain an audit trail as required by Department and federal guidelines. An audit trail provides the information necessary to detect unauthorized changes to an automated system. The Center concluded that because the data bank does not have an audit trail, HRSA and practitioners will not have reasonable assurance that the data bank contains only accurate information.
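The control the Center found missing is easy to state and worth seeing concretely: an audit trail lets a reviewer prove that every change to stored data went through the controlled path, and lets anything else be detected. The example below is added here for illustration; it is not code from the GAO report, HRSA, Unisys or FEDSIM, and the record identifiers, practitioner id and store design are constructed. Each write appends a hash-chained audit entry, and verification recomputes the chain and compares the stored records against the last logged digest for each, so both an out-of-band edit to a record and a removed or altered log entry are reported.

```python
"""Added example (not from the GAO report): a minimal tamper-evident audit
trail for a record store.  Every write logs the SHA-256 digest of the
record as written plus the digest of the previous log entry (a hash chain).
verify() recomputes both, so a record changed without a matching entry,
or an entry that was removed or edited, produces a finding.
All identifiers and sample data are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List

GENESIS = "0" * 64  # chain link used by the first audit entry


def _digest(obj) -> str:
    # Canonical JSON (sorted keys) keeps the digest independent of key order.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditEntry:
    seq: int
    actor: str
    action: str          # "create" or "update"
    record_id: str
    record_hash: str     # digest of the record after this action
    prev_hash: str       # digest of the previous entry (chain link)

    def entry_hash(self) -> str:
        return _digest(self.__dict__)


@dataclass
class AuditedStore:
    records: Dict[str, dict] = field(default_factory=dict)
    trail: List[AuditEntry] = field(default_factory=list)

    def write(self, actor: str, record_id: str, record: dict) -> AuditEntry:
        """The controlled path: apply the change and log it atomically."""
        action = "update" if record_id in self.records else "create"
        self.records[record_id] = dict(record)
        prev = self.trail[-1].entry_hash() if self.trail else GENESIS
        entry = AuditEntry(len(self.trail), actor, action, record_id,
                           _digest(record), prev)
        self.trail.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return findings; an empty list means records and trail agree."""
        findings: List[str] = []
        prev = GENESIS
        latest: Dict[str, str] = {}      # record_id -> last logged digest
        for i, e in enumerate(self.trail):
            if e.seq != i or e.prev_hash != prev:
                findings.append(f"audit trail broken at entry {i}")
            prev = e.entry_hash()
            latest[e.record_id] = e.record_hash
        for rid, rec in self.records.items():
            if rid not in latest:
                findings.append(f"record {rid} has no audit entry")
            elif _digest(rec) != latest[rid]:
                findings.append(f"record {rid} changed without an audit entry")
        for rid in latest:
            if rid not in self.records:
                findings.append(f"record {rid} deleted without an audit entry")
        return findings


def demo() -> dict:
    """Constructed scenario: two legitimate writes, then a bypass edit."""
    store = AuditedStore()
    store.write("hrsa-clerk", "rpt-0001",
                {"practitioner": "P-12345", "action": "license suspension"})
    store.write("hrsa-clerk", "rpt-0001",
                {"practitioner": "P-12345", "action": "license suspension",
                 "disputed": True})
    clean = store.verify()
    # Simulate an unauthorized change that bypasses write(): editing the
    # stored record directly leaves the trail unchanged, so verify() flags it.
    store.records["rpt-0001"]["action"] = "no action"
    tampered = store.verify()
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The design point is that the trail is only useful if it is protected differently from the data it covers: in practice the log is written to a separate, append-only store and its head hash is kept by a party other than the operators who can change records. The chain makes deletion or rewriting of entries detectable, which is what turns "we logged it" into the reasonable assurance the Center describes.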
7. The Department stated that the documentation associated with the delegation of procurement authority adequately addresses departmental requirements. We examined the Department's official acquisition file and found that the documentation associated with the delegation of procurement authority was missing. When we asked HRSA officials why the documentation was not in the acquisition file, they speculated that it was in a file that they have been unable to locate since 1988. In the absence of documentation we cannot determine whether the documentation adequately addresses departmental requirements.
8. The Department stated it does not require project managers for projects the size of the data bank. The Department believes that these projects can be managed responsibly and effectively through established line management structures, methodologies, and controls. We disagree. We found that the data bank development effort has not been effectively managed through the Department's project management approach. HRSA line managers responsible for managing the data bank's development said they lack the necessary expertise to oversee the technical aspects of the contractor's efforts. Because of HRSA's lack of expertise, we found that critical project management functions, such as ensuring that system sizing assumptions and work load volume are valid, identifying system internal control and security vulnerabilities, and ensuring that the Department's security requirements are being met, are not being carried out. Consequently, HRSA has been relying on the contractor to carry out critical project management functions.
The Federal Systems Integration and Management Center, in its review of the data bank's security system, also discovered evidence of problems resulting from HRSA's management approach. The Center found that, although the system development approach described in the contractor's technical proposal was consistent with applicable federal requirements, the contractor failed to implement these procedures, which resulted in documentation deficiencies. According to the Center, this occurred as a result of HRSA's failure to monitor contractor compliance with its technical proposal.
As stated in comment 1, the Administrator of HRSA has now agreed that there should be a specific HRSA official who is responsible for management of all aspects of data bank implementation and has designated the director of HRSA's Bureau of Health Professions to be the data bank program manager. The Administrator also said that a qualified systems analyst will be assigned to work with the data bank program manager.

9. We agree that the language suggested by the Department is more precise and have modified our draft.

Appendix III

Memorandum From the Administrator of HRSA

From:    Administrator

Subject: Follow up Action on the General Accounting Office Draft Report Entitled "The National Practitioner Data Bank Is Not Ready to Operate"

To:      Thomas Jurkiewicz, GAO

This memorandum documents the agreements we reached in the meeting chaired by Congressman Ronald Wyden (D-Oregon) on July 20 concerning GAO's draft report on the NPDB. These agreements are as follows:

o  GAO is concerned that there be a single point of overall responsibility for managing the NPDB implementation. We agree, and the Department's Office of Information Resources Management agrees that, to the extent permissible under currently mandated organizational functions and authorities, HRSA should identify the specific official who is responsible for oversight of all aspects of the NPDB implementation, with authorities commensurate with that responsibility. That individual is Fitzhugh Mullan, M.D., Director, Bureau of Health Professions. In his capacity as NPDB program manager, Dr. Mullan will have, among other staff members, a qualified systems analyst as a full-time member of his project team.
                            0       GAO is concerned             about HRSA’s relative               lack of
                                    technical         expertise       in automated         systems design          and
                                    Implementation,             but recognizes         that HRSA has
                                    significantly           augmented       Its internal         staff    capability
                                    through       an inter-agency           agreement       with FEDSIM.           We
                                    agree that HRSA will                expeditiously         augment its
                                    capability         in this      area but in the interim               will
                                    continue        to use FEDSIM.            GAO will      recommend that the
                                    Deputy Assistant             Secretary        for Information         Resources
                                    Management provide              technical        oversight       to HRSA. The
                                    Deputy Assistant             Secretary        agrees to provide            such
                                    oversight         and will      also assure         appropriate       system
                                    documentation            is in place        in a timely        fashion.






- At the time of the initial GAO study, the FEDSIM consultants had not yet begun their independent assessment, and GAO was concerned that HRSA could not assure the security of confidential practitioner information. GAO has now reviewed the initial FEDSIM report and will recommend that the data bank not be opened until the Deputy Assistant Secretary for Information Resources Management assures that effective security procedures and software programs have been successfully tested. We agree. As stated in the original Department comments, should we discover any major deviation from the specified system goals, we would delay implementation rather than risk consequences which would degrade public confidence in the system, or violate the essential integrity of the system. Additionally, at the time of the GAO study, HRSA was precluded from designing audit trail capability into the system. That previous barrier has now been overcome and audit trail capability will be built into the system before it becomes operational.

- GAO was concerned about "cost overruns." GAO now understands that the contractor's proposed cost increase was withdrawn and will modify their report to reflect that understanding.

It is our understanding that GAO will revise their recommendations in accordance with the agreements reached in this meeting to reflect their general concern that the NPDB not open until it is ready to open. As stated above, that has been and remains the Department's position.

A copy of this memorandum is being provided to Congressman Wyden's office and other DHHS components as documentation of the agreements reached in the July 20 meeting.


Robert G. Harmon, M.D., M.P.H.




Appendix IV

Major Contributors to This Report

Information Management and Technology Division, Washington, D.C.
    Thomas J. Jurkiewicz, Assistant Director
    Janice D. Troupe, Evaluator-in-Charge
    William D. Hadesty, Technical Adviser
    Janet C. Eackloff, Reports Analyst

Office of General Counsel, Washington, D.C.
    John A. Carter, Senior Attorney




Ordering Information

The first five copies of each GAO report are free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent.

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20877

Orders may also be placed by calling (202) 275-6241.