Year 2000 Computing Crisis: Medicare and the Delivery of Health Services Are at Risk

Published by the Government Accountability Office on 1999-02-24.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Committee on Ways and Means, House of

For Release on Delivery
Expected at
9 a.m.
                          YEAR 2000 COMPUTING
February 24, 1999         CRISIS

                          Medicare and the Delivery
                          of Health Services Are at
                          Statement of Joel C. Willemssen
                          Director, Civil Agencies Information Systems
                          Accounting and Information Management Division

Mr. Chairman and Members of the Committee:

We appreciate the opportunity to join in today's hearing and share
information on the readiness of automated systems that support the
nation’s delivery of health benefits and services to function reliably without
interruption through the turn of the century. This includes the ability of
Medicare to provide accurate benefits and services to millions of
Americans and the overall readiness of the health care sector, including
such key elements as biomedical equipment used in the delivery of health
services. Successful Year 2000--or Y2K--conversion is critical to these

In a report issued last year, we concluded that the progress made by the
Department of Health and Human Services’ (HHS) Health Care Financing
Administration (HCFA)—and its contractors—in making its computers that
process Medicare claims Year 2000 compliant was severely behind
schedule in areas including repair, testing, and implementation.1 Further,
we made numerous recommendations to improve key HCFA management
practices which we found to be lacking or inadequate. This morning I
would like to briefly discuss our findings from that report and our
suggestions for strengthening HCFA’s Y2K activities, describe actions taken
on those recommendations, and provide our perspective on where HCFA
stands today.

Beyond Medicare, the level of information on a national level concerning
Year 2000 compliance throughout the health care sector—including
providers, insurers, manufacturers, and suppliers—is limited. As we
reported last fall, this was true of biomedical equipment routinely used in
the delivery of health care. 2 Such equipment includes medical devices such
as cardiac defibrillators and monitoring systems that can record, process,
analyze, display, and/or transmit data. Today, I would like to share
information in this area with you as well.

1Medicare Computer Systems: Year 2000 Challenges Put Benefits and Services in Jeopardy
(GAO/AIMD-98-284, September 28, 1998).

 See Year 2000 Computing Crisis: Compliance Status of Many Biomedical Equipment Items Still
Unknown (GAO/AIMD-98-240, September 18, 1998).

Page 1                                                                       GAO/T-AIMD-99-89
HCFA’s Ability to      As the nation's largest health care insurer, Medicare expects to process
                       over a billion claims and pay $288 billion in benefits annually by 2000. The
Process Medicare       consequences, then, of its systems' not being Year 2000 compliant could be
Claims Into the Next   enormous. We originally highlighted this concern in May 1997, making
                       several recommendations for improvement.3 In our report of last
Century                September we warned that although HCFA had made improvements in its
                       Year 2000 management, serious challenges remained to be resolved in a
                       short period of time. Specifically, we reported that less than a third of
                       Medicare's mission-critical systems had been fully renovated, and none had
                       been validated or implemented. Further, in terms of the agency’s key
                       management practices necessary to adequately direct and monitor its Year
                       2000 project, HCFA had not

                       • developed an overall schedule and critical path to identify and rank Y2K
                         tasks to help ensure that they could be completed in a timely manner;
                       • implemented risk management processes necessary to highlight
                         potential technical and managerial weaknesses that could impair
                         project success;
                       • planned for or scheduled end-to-end testing to ensure that programwide
                         renovations would work as planned; or
                       • effectively managed its electronic data exchanges, thereby increasing
                         the risk that Y2K errors would be transferred through data exchanges
                         from one organization's computer systems to those of another.

                       The Office of Management and Budget (OMB) also had concerns. In its
                       December 8, 1998, summary of Year 2000 progress reports of all agencies
                       for the reporting quarter ending November 13, 1998, it concluded that while
                       HCFA had made significant progress in renovating its internal and external
                       systems, the agency remained a serious concern due to the remediation
                       schedule of its external systems. OMB further stated that Medicare
                       contractors would have to make an intensive, sustained effort to complete
                       validation and implementation of their mission-critical systems by the
                       governmentwide goal of March 31, 1999. OMB designated HHS as a tier 1
                       agency on its three-tiered rating scale since it had made insufficient
                       progress in addressing the Year 2000 problem.

                       Medicare Transaction System: Success Depends Upon Correcting Critical Managerial and Technical
                       Weaknesses (GAO/AIMD-97-78, May 16, 1997).

                       Page 2                                                                      GAO/T-AIMD-99-89
                            Our conclusions and recommendations to the HCFA Administrator
                            reflected our concerns about the high level of risk and large number of
                            tasks still facing HCFA. We reported that it was more critical than ever that
                            HCFA have sound business continuity and contingency plans in place that
                            can be implemented should systems failures occur. Our specific
                            recommendations included that HCFA

                            • rank its remaining Year 2000 work on the basis of an integrated project
                              schedule and ensure that all critical tasks are prioritized and completed
                              in time to prevent unnecessary delays,
                            • develop a risk management process,
                            • define the scope of an end-to-end test of the claims process and develop
                              plans and a schedule for conducting such a test,
                            • ensure that all external and internal systems' data exchanges have been
                              identified and agreements signed among exchange partners, and
                            • accelerate the development of business continuity and contingency

HCFA’s Actions to Achieve   HCFA has been responsive to our recommendations, and its top
Compliance                  management is actively engaged in its Year 2000 program. HCFA’s
                            Administrator has made Year 2000 compliance the agency’s top priority and
                            has directed a number of actions to more effectively manage this project.
                            For example, HCFA has established a “war room” for real-time monitoring
                            of Year 2000 renovation, testing, and implementation activities. In addition,
                            the agency established seven contractor oversight teams to monitor
                            progress. HCFA also strengthened its outreach efforts: on January 12,
                            1999, the Administrator sent individual letters to each of the 1.25 million
                            Medicare providers in the United States, alerting them to take prompt Year
                            2000 action on their information and billing systems. Three days later the
                            Administrator sent a letter to Congress, with assurances that HCFA is
                            making progress and stressing that physicians, hospitals, and other
                            providers must also meet the Y2K challenge. HCFA also offered to provide
                            speakers in local congressional districts.

                            To more effectively identify and manage risks, HCFA is relying on multiple
                            sources of information, including test reports, reports from its independent
                            validation and verification (IV&V) contractors, and weekly status reports
                            from its recently established contractor oversight teams. In addition,
                            HCFA has stationed staff at critical contractor sites to assess the data being
                            reported to them and to identify problems.

                            Page 3                                                        GAO/T-AIMD-99-89
HCFA is also more effectively managing its electronic data exchanges.
HCFA now reports having a complete data exchange inventory of nearly
8,000 internal exchanges and over 255,000 external data exchanges. HCFA
also issued instructions to its contractors (carriers and fiscal
intermediaries) to inform providers and suppliers that they must submit
Medicare claims in Year 2000-compliant data exchange format by April 5 of
this year. The status of each of these data exchanges is being tracked by
HCFA staff.

HCFA has also more clearly defined its testing procedures. It published
additional testing guidance in November 1998 that provided a policy for
external systems that requires multiple levels of testing for each system,

• Unit level testing: testing of the individual software component using
  test cases that exercise all component functionality. For the standard
  claims processing system, this includes full functional testing of claims
  processing policy and program integrity edits.
• Simulated future date testing: testing of the individual software
  component using tools to simulate that the date has been rolled forward.
• Compliance testing: testing in a fully Year 2000-compliant environment
  with real future dates to verify that the system is Year 2000 compliant.

HCFA also plans to perform end-to-end testing with its Year 2000-compliant
test sites. These end-to-end tests are to include all internal systems and
contractor systems; however, they will not include testing with banks and
providers. Finally, HCFA has begun to use a Year 2000 analysis tool to
measure testing thoroughness, and its IV&V contractor is assessing test
adequacy on the external systems (e.g., test coverage and documentation).

The final area in which HCFA has demonstrated progress is developing
business continuity and contingency plans to ensure that, no matter what,
beneficiaries will receive care and providers will be paid. HCFA has
established cross-organizational workgroups to develop contingency plans
for the following core business functions: health plan and provider
payment, eligibility and enrollment issues, program integrity, managed
care, quality of care, litigation, and telecommunications. HCFA’s draft
plans document its business impact analysis; the contingency plans are
expected to be completed by March 31 of this year, and testing of the plans
by June 30.

Page 4                                                       GAO/T-AIMD-99-89
Reported Status of HCFA’s   HCFA operates and maintains 25 internal mission-critical systems; it also
Mission-Critical Systems    relies on 78 external mission-critical systems operated by contractors
                            throughout the country to process Medicare claims. These external
                            systems include six standard processing systems and the “Common
                            Working File.” Each contractor relies on one of these standard systems to
                            process its claims, and adds its own front-end and back-end processing
                            systems. The Common Working File is a set of databases located at nine
                            sites that work with internal and external systems to authorize claims
                            payments and determine beneficiary eligibility.

                            HCFA’s reporting of its readiness for next January sounds quite positive as
                            stated in the most recent HHS Y2K quarterly progress report to OMB.
                            According to this report, dated February 10, as of December 31, 1998, all
                            25 of HCFA’s internal mission-critical systems were reported to be
                            compliant, as were 54 of the 78 external systems. Figure 1 shows HCFA’s
                            reported status, compared with what it reported on September 30, 1998.

                            Page 5                                                      GAO/T-AIMD-99-89
                              Figure 1: Reported Status of HCFA’s Mission-Critical Systems

                              Number of systems


                              60                                                                54 54


                              30       25                25 25 25

                              10                5
                                                                                   0 0
                                       9/30/98           12/31/98            9/30/98       12/31/98
                                                     Internal                 External

                                                    Renovated          Validated     Implemented
                              Source: HCFA quarterly reports to HHS.

Reported Progress Is Highly   HCFA’s reported progress on its external mission-critical systems is
Overstated                    considerably overstated. In fact, none of the 54 systems reported
                              compliant by HCFA was Year 2000 ready as of December 31, 1998. All
                              54 external systems that were reported as compliant have important
                              associated qualifications (exceptions), some of them very significant. Such
                              qualifications included a major standard system that failed to recognize
                              “00” as a valid year, as well as 2000 as a leap year; it also included systems
                              that were not fully future date tested.

                              According to HCFA officials, they reported these systems as compliant
                              because these qualifications were “minor problems” that should not take
                              much time to address. This is at variance with the IV&V contractor’s
                              interpretation. More specifically, the IV&V contractor found that the

                              Page 6                                                                GAO/T-AIMD-99-89
                         qualifications reported by all systems contractors were critical, most
                         requiring a major to moderate level of effort to resolve.

                         A specific example of a system reported as compliant with qualifications is
                         the Florida standard system, used by 29 contractors. This system had one
                         qualification that consisted of 22 test failures. The IV&V contractor
                         characterized this failure experience as significant. HCFA reports that
                         these failures were corrected with a January 29, 1999, software release.
                         However, in a February 16, 1999, IV&V status report, Blue Cross of
                         California—a user of the Florida standard system--found that date test
                         problems remained. In another example, the EDS MCS standard system
                         that is used by 10 contractors had 25 qualifications; these included
                         9 problems that were not future date tested. HCFA now reports that future
                         date testing of the January software release of the EDS MCS system is
                         92 percent complete.

                         As these examples illustrate, these systems are not yet Year 2000
                         compliant, and the 39 contractors that use these two standard systems
                         likewise cannot be considered compliant. Further, according to the IV&V
                         contractor, two critical qualifications associated with each of the standard
                         systems affect all external contractor systems: (1) HCFA-supplied systems
                         that contractors use in claims processing were delivered too late to them
                         for required testing to be performed and (2) the claims processing data
                         centers’ hardware, software, and telecommunications were not completely

                         The IV&V contractor acknowledges that Medicare claims processing
                         systems have made progress toward Year 2000 compliance over the past
                         year, yet the various qualifications inevitably mean that some renovation
                         and a significant amount of retesting still needs to be accomplished before
                         these systems can be considered compliant. To HCFA’s credit, it issued a
                         memorandum in early January requesting Medicare carriers and fiscal
                         intermediaries to resolve these qualifications by March 31, the federal
                         target date for Year 2000 compliance. The notice stated that Medicare
                         systems with unresolved Y2K problems affecting claims processing
                         functions must be corrected, tested, and installed in production. As part of
                         our ongoing work for the Senate Special Committee on Aging, we will be
                         monitoring the resolution of these qualifications closely.

Other Critical Risks/    The February 16, 1999, report of HCFA’s IV&V contractor stated that an
Challenges That Remain   integrated schedule that tracks all major internal system activities needs to

                         Page 7                                                       GAO/T-AIMD-99-89
be established. It added that system-specific information--including time,
test scheduling, and resource considerations--needs to be more fully
developed in order to achieve a robust, trackable schedule. We agree. In
fact, this is consistent with our previous recommendation that remaining
Y2K work be ranked on the basis of a schedule that includes milestones for
renovation and testing of all systems, and that it include time for end-to-end
testing and development and testing of business continuity and
contingency plans.4 Such a schedule is even more important for the
external systems because of their greater number, complexity, and
interdependencies. HCFA still lacks an integrated schedule that identifies a
critical path. Without this, it will be difficult for HCFA management to
identify important dependencies in this complex environment and to
prioritize its remaining work in the time that remains.

HCFA also lacks a formal risk management process—something to identify
all risks and their interdependencies, assess their impact, establish time
frames for mitigation and criteria for successful mitigation, and ensure that
the criteria are followed. The one system that was intended to serve as its
comprehensive risk management system does not contain current
information, according to the IV&V contractor.

HCFA’s systems—both internal and external—exchange data, both among
themselves and with the Common Working File, other federal agencies,
banks, and providers. Accordingly, it is important that HCFA ensure that
Y2K-related errors will not be introduced into the Medicare program
through these data exchanges. As of February 10, 1999, HCFA reported
that over 6,000 of its 7,968 internal data exchanges were still not compliant,
and that over 37,000 of its nearly 255,000 external data exchanges were not
compliant.5 To ensure that HCFA’s internal and external systems are
capable of exchanging data between themselves as well as with other
federal agencies, banks, and providers, it is essential that HCFA take steps
to resolve the remaining noncompliance of these data exchanges.

In yet another critical area, HCFA faces a significant amount of testing in
1999, since changes will continue to be made to its mission-critical systems
to make them compliant. First, changes to resolve the existing

4GAO/AIMD-98-284,   September 28, 1998.

  On February 23, 1999, the HCFA Administrator stated that she wanted us to note that the February
10, 1999, HHS quarterly report to OMB had a typographical error, and that the total number of internal
data exchanges is 3,418 and that 309 of these are still not compliant.

Page 8                                                                           GAO/T-AIMD-99-89
qualifications will need to be retested. Second, testing must still take place
with full production-level software. For example, the final software release
of the Common Working File before 2000 is scheduled for late June; testing
will therefore be needed after that. Third, legislatively mandated changes
to software that will occur through June will need to be retested as well.
HCFA plans to conduct these final tests of its systems between July 1 and
November 1, 1999, then recertify all mission-critical systems as compliant
without qualification or exception. These final tests will ultimately
determine whether HCFA’s mission-critical systems are indeed Year 2000
compliant. The late 1999 time frames associated with this testing represent
a high degree of risk.

In addition to such individual systems testing, HCFA must also test its
systems end-to-end to verify that defined sets of interrelated systems,
which collectively support an organizational core business function, will
work as intended. As mentioned, HCFA plans to perform this end-to-end
testing with its Year 2000 test sites. These tests are to include all internal
systems and contractor systems, but will not include testing with banks
and providers. HCFA has instructed its contractors that it is their
responsibility to test with providers and financial institutions. Even
excluding banks and providers, end-to-end testing of HCFA’s internal and
external systems is a massive undertaking that will need to be effectively
planned and carried out. HCFA has not yet, however, developed a detailed
end-to-end test plan that explains how these tests will be conducted or that
provides a detailed schedule for conducting them.

A final aspect of testing concerns the independent testing contractor. The
IV&V contractor’s recent assessment of the independent testing contractor
concluded that its strategy as currently stated “is high risk for providing
effective independent testing” because of the limited number of internal
systems to actually be independently tested: 8. This number was
previously 22. Further, this testing will not be completed until August. The
limited number of systems tested and the late completion date are not

Given the magnitude of HCFA’s Year 2000 problem and the many challenges
that continue to face it, the development of contingency plans to ensure
continuity of critical operations and business processes is absolutely
critical. Therefore, HCFA must sustain its efforts to complete and test its
agencywide business continuity and contingency plans by June 30.
Another challenge for HCFA is monitoring the progress of the 62 separate

Page 9                                                        GAO/T-AIMD-99-89
                         business continuity and contingency plans that will be submitted by its
                         contractors. We will continue to monitor progress in this area.

                         Other issues that further complicate HCFA’s Year 2000 challenge are the
                         known and unknown contractor transitions that are to take place before
                         January 1, 2000, and the unknown status of the managed care organizations
                         serving Medicare beneficiaries. As reported in HHS’ quarterly submission
                         to OMB, HCFA is concerned about the possibility of Medicare contractors,
                         fiscal intermediaries, and carriers leaving the program and notifying HCFA
                         after June 1999. If this were to occur, the workload would have to be
                         transferred to another contractor whose Year 2000 compliance status may
                         not be known. According to both contractor and HCFA officials, it requires
                         6-12 months to transfer the claims processing workload from one
                         contractor to another. At present, HCFA must transition the work of three
                         carriers that are leaving the program.

                         HCFA is requiring the 386 managed care organizations currently serving
                         6.6 million Medicare beneficiaries to certify their systems as Year 2000
                         compliant by this April 15. These certifications may be qualified, just as
                         with the fee-for-service contractors. If this were to occur, a formal
                         recertification would have to be performed later this year. Until this initial
                         certification is performed, it will remain unknown whether the managed
                         care organizations’ systems are year 2000 compliant.

                         To summarize HCFA’s situation, the agency and its contractors have made
                         progress in addressing issues that we have raised. However, their reported
                         progress vastly overstates the facts. Some renovation and a significant
                         amount of testing must still be performed this year. Until HCFA completes
                         its planned recertification between July and November 1999, the final
                         status of the agency’s Year 2000 compliance will be unknown. Given the
                         considerable amount of remaining work that HCFA faces, it is crucial that
                         development and testing of HCFA’s business continuity and contingency
                         plans move forward rapidly if we are to avoid the interruption of Medicare
                         claims processing next year.

Y2K Readiness of the     At this point, I would like to broaden our discussion to the Year 2000-
                         readiness status of the health care sector, including biomedical equipment
Health Care Sector:      used in the delivery of health care. While it is undeniably important that
Information Is Limited   Medicare systems be compliant so that the claims of health care providers
                         and beneficiaries can be paid, it is also critical that the services and
                         products associated with health care delivery itself be Year 2000 compliant.

                         Page 10                                                       GAO/T-AIMD-99-89
However, the level of information currently available on such compliance is
not reassuring.

Virtually everything in today’s hospital is automated--from the scheduling
of procedures such as surgery, to the ordering of medication such as insulin
for a diabetic patient, to the use of portable devices as diverse as heart
defibrillators and thermometers. It therefore becomes increasingly
important for health care providers such as doctors and hospitals to assess
their health information systems, facility systems (such as heating,
ventilation, and air conditioning), and biomedical equipment to ensure
their continued operation at the turn of the century. Similarly,
pharmaceutical manufacturers and suppliers that rely heavily on computer
systems for the manufacturing and distribution of drugs must assess their
processes for compliance. Given the large degree of interdependence
among components of the health sector--providers, suppliers, insurance
carriers, and patients/consumers—the availability and sharing of Y2K
readiness information is vital to safe, efficient, and effective health care

Readiness information is limited throughout the health care sector.
Specifically, the amount of data available to consumers on the Y2K
readiness of health care providers, private insurers, and pharmaceutical
manufacturers and suppliers is scant. This past June, for example, the
American Hospital Association sent a Y2K readiness survey to about
4,700 hospitals. However, only about 17 percent of its members responded.

In May 1998, the President’s Council on Year 2000 Conversion established a
Health Care Working Group6 chaired by HCFA to conduct outreach
activities of the health care sector. In response to an October 1998 request
from the Chair of the President’s Council to gauge the Year 2000 readiness
of the health sector, several professional health care associations surveyed
their membership, requesting information on the status of work completed
in the Y2K assessment, renovation, validation, and implementation phases.
For example, the Association of State and Territorial Health Officials and
the Centers for Disease Control and Prevention (CDC) sent a Year 2000
readiness-assessment survey to 57 state and territorial health officials.

  Members include federal health care agencies and professional health care associations such as the
American Ambulance Association, American Hospital Association, American Medical Association,
Health Industry Manufacturers Association, Joint Commission on the Accreditation of Health Care
Organizations, National Association of Community Health Centers, and National Association of Rural
Health Clinics.

Page 11                                                                         GAO/T-AIMD-99-89
                        According to CDC, officials of 27 states responded as of February 19, 1999,
                        and the results are still under review. Similarly, the Generic
                        Pharmaceutical Industry Association sent a survey to its members last
                        December; it plans to discuss the results at a March 8, 1999, meeting of the
                        Year 2000 Pharmaceuticals Acquisition and Distribution Committee
                        (comprised of federal and pharmaceutical representatives). Finally, HHS’
                        Office of the Inspector General sent a Y2K readiness survey last December
                        to a sample of Medicare providers; it is not known at this time when the
                        results will be available. The working group plans to gather Y2K readiness
                        information from this sector throughout 1999, especially among smaller
                        health care organizations.

                        Until such survey results are known to consumers, the Y2K readiness of
                        key components of the health sector will remain in doubt. Because of the
                        potential impact of the Year 2000 problem on patient care, it is critical that
                        such readiness information be obtained and publicized. In this way
                        consumers will have access to data that can offer some assurance that the
                        information systems, equipment, and products used in the delivery of
                        health care services will operate as expected when needed after the turn of
                        the century. Conversely, the lack of such information can contribute to
                        consumer doubt, misinformation, or even panic. It can also foster
                        unnecessary stockpiling of drugs and the attendant drain on
                        pharmaceutical product inventories.

Some Biomedical         The question of whether medical devices such as magnetic resonance
Equipment Status        imaging (MRI) systems, x-ray machines, pacemakers, and cardiac
                        monitoring equipment can be counted on to work reliably on and after
Information Available
                        January 1, 2000, is critical to our nation’s health care. To the extent that
Through FDA             biomedical equipment uses embedded computer chips, it is vulnerable to
                        the Y2K problem.7 Such vulnerability carries with it possible safety risks.
                        This could range from the more benign—such as incorrect formatting of a
                        printout—to the most serious—such as incorrect operation of equipment
                        with the potential to decrease patient safety. The degree of risk depends on
                        the role the equipment plays in the patient’s care.

                          Biomedical equipment refers both to medical devices regulated by HHS’ Food and Drug
                        Administration (FDA), and scientific and research instruments, which are not subject to FDA

                        Page 12                                                                        GAO/T-AIMD-99-89
As we reported last September,8 FDA--which provides information from
biomedical equipment manufacturers to the public through an Internet
World Wide Web site--had a disappointing response rate from biomedical
equipment manufacturers to its request for compliance information. The
FDA biomedical equipment database also lacked detailed information on
the make and model of compliant equipment. Further, FDA did not require
manufacturers to submit test results certifying compliance. Therefore, the
adequacy of manufacturers’ corrections of noncompliant equipment could
not be assured.

To address these issues, we made recommendations to the Secretaries of
HHS and Veterans Affairs (VA)--a key stakeholder in determining the
potential effects of the century change on biomedical equipment--to
determine what actions, if any, should be taken regarding manufacturers
that have not provided compliance information. We also recommended
that the departments (1) work jointly to develop a single data
clearinghouse to provide compliance information to all users of biomedical
equipment, and (2) take prudent steps to review test results for critical
care/life support biomedical equipment, especially equipment once
determined to be noncompliant but now deemed compliant--and make
those results publicly available through FDA’s central data clearinghouse.

HHS and VA agreed with our recommendation to develop a single data
clearinghouse. FDA, in conjunction with VA, has established a biomedical
equipment clearinghouse; it is publicly accessible through the Internet site
and contains information on biomedical equipment compliance submitted
to FDA by manufacturers, as well as information gathered by VA and the
Department of Defense as part of their Year 2000 compliance projects.
FDA also plans to include detailed information on the make and model of
equipment reported as compliant.

In its February 10, 1999, quarterly submission to OMB, HHS reported that
as of January 12, 1999, about three quarters (1,438) of 1,932 biomedical
equipment manufacturers identified by FDA had submitted data to the
clearinghouse. As shown in figure 2, about 40 percent of the manufacturers
have products that do not employ a date, while about 17 percent reported
equipment having date-related problems.

    GAO/AIMD-98-240, September 18, 1998.

Page 13                                                     GAO/T-AIMD-99-89
Figure 2: Biomedical Compliance Status Information Reported to FDA by
Manufacturers as of January 12, 1999

         Number of manufacturers
          600    569





                  t                         g                     e-                                                  ns
               no                        in                    at                            d e
                                                                                         rte sit
             do te                   o y                      d   s                    o      b                  s io
           ts da                  pl t                    ith                        p e                       is p
        u a                     em lian                  w le m                  s
                                                                                   re w
                                                                                       s                    b m w -u
                                                       s    b                         ’
      od oy                   ts p                  ct r o                      u r
                                                                              at re                       su llo
    Pr pl                   uc om               o du d p                    st ctu                    r er fo
      em                  d                                               t
                        ro e c                Pr lat
                                                     e                   c fa                       tu DA
                   l l p ar                     re                   o du nu                    f ac g F
                  A ate                                            Pr m  a                    u n
                     d                                                                     a n iri
                                                                     in                 M qu

Note: Total number of manufacturers = 1,438
Source: Department of Health and Human Services.

Last September we reported that most manufacturers citing noncompliant
products listed incorrect display of date and/or time as the Y2K problem.9
According to VA, these cases may not present a risk to patient safety
because health care providers, such as physicians and nurses, can work
around the problem. Of more serious concern are situations in which
devices depend on date calculations, which can be incorrect. One

    GAO/AIMD-98-240, September 18, 1998.

Page 14                                                                                           GAO/T-AIMD-99-89
                   manufacturer cited an example of a product used for planning delivery of
                   radiation treatment using a radioactive isotope as the source. An error in
                   calculating the strength of the radiation source on the day of treatment
                   could result in a dose that is too high or too low, which could have an
                   adverse effect on the patient.10

                   HHS reports that FDA will continue to explore ways of obtaining
                   compliance information from manufacturers who have not yet replied. In
                   response to our recommendation that FDA and VA review test results of
                   manufacturers’ compliance certifications, VA--deferring to HHS--stated that
                   it did not have the legislative or regulatory authority to do this. HHS, for its
                   part, said that it lacked the available resources to undertake such a review
                   and, further, that insufficient time remained to complete such reviews
                   before 2000. We believe that if HHS lacks sufficient resources to review
                   manufacturers’ test results, it may want to solicit the help of federal health
                   care providers and professional associations. Finally, HHS stated that
                   submission of appropriate certifications of compliance is sufficient to
                   ensure that the certifying manufacturers are in compliance. We disagree.
                   Through independent reviews of manufacturers’ test results, users of
                   medical devices are provided with a greater level of confidence that the
                   devices are indeed Year 2000 compliant.

                   In summary, there is great need for much more information available on the
                   Y2K readiness of the health care sector. Until this information is obtained
                   and publicized, consumers will remain in doubt as to the Y2K readiness of
                   key health care components. In addition, while compliance status
                   information is available for some biomedical equipment through the FDA
                   clearinghouse, FDA has not reviewed test results supporting
                   manufacturers’ certifications to provide the American public with a higher
                   level of confidence that biomedical equipment will work as intended.

                   Mr. Chairman, this completes my statement. I would be pleased to respond
                   to any questions that you or other members of this Committee may have at
                   this time.

                    Year 2000 Computing Crisis: Leadership Needed to Collect and Disseminate Critical Biomedical
                   Equipment Information (GAO/T-AIMD-98-310, September 24, 1998).

(511738)   Leter   Page 15                                                                      GAO/T-AIMD-99-89
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:


or visit GAO’s World Wide Web Home Page at:

United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested