The objective of this joint audit was to determine the extent to which the actions taken by the Department of Defense (DoD) and Department of Veterans Affairs (VA) in acquiring and implementing a common, commercial electronic health record (EHR) system and supporting architecture will achieve interoperability between DoD, VA, and external health care providers.
Interoperability is the ability to exchange EHRs securely with other health information technology systems without special effort on the part of the user, which includes health care providers, patients, and others authorized to view the patient’s EHR (a real-time, digital, patient-centered record of a patient’s medical history). In the FY 2008 National Defense Authorization Act (NDAA), Congress directed the DoD and VA to jointly develop and implement EHR systems or capabilities that would allow for interoperability of patient health care information between the Departments. In the FY 2014 NDAA, Congress stated that the DoD and VA’s efforts to date were unsuccessful and clarified its expectations by requiring that the EHR systems of the DoD and VA have the ability to seamlessly exchange health care information between the Departments and external health care providers. The FY2020 NDAA added requirements that the DoD and VA develop EHR systems with the ability to interpret, use, and exchange health care information from medical systems, devices, and applications.
To meet the NDAA requirements for interoperability, the DoD and VA acquired Cerner Corporation’s Millennium EHR platform (Cerner Millennium) in July 2015 and May 2018, respectively. As of December 2021, Cerner Millennium had deployed at 49 DoD health care facilities and one VA facility.
The DoD plans to deploy Cerner Millennium at 490 health care facilities by 2023, and the VA plans to deploy Cerner Millennium at 1,454 health care facilities by 2028. In addition, the Secretaries of the DoD and VA established the Federal Electronic Health Record Modernization (FEHRM) Program Office to provide direction and oversight to the DoD and VA organizations deploying Cerner Millennium. The FEHRM Program Office’s primary mission is to work closely with the DoD and VA to implement a single, interoperable Federal EHR and develop and maintain a complete patient record that would enhance patient care and health care provider effectiveness. Furthermore, the FEHRM Program Office implemented the Joint Health Information Exchange to enhance the ability of the Departments to securely exchange health care information with more than 15,000 external health care providers.
The DoD and VA took action to achieve interoperability of patient health care information across DoD, VA, and external health care providers by acquiring Cerner Millennium, deploying the EHR system at 49 DoD facilities and one VA health care facility, and launching the Joint Health Information Exchange. However, the DoD and the VA did not take all actions needed to achieve interoperability. Specifically, the DoD and the VA did not:
- consistently migrate patient health care information from the legacy electronic health care systems into Cerner Millennium to create a single, complete patient EHR;
- develop interfaces from all medical devices to Cerner Millennium so that patient health care information will automatically upload to the system from those devices; or
- ensure that users were granted access to Cerner Millennium for only the information needed to perform their duties.
The DoD and the VA did not take all action necessary to achieve interoperability because FEHRM Program Office officials did not develop and implement a plan to achieve all FY 2020 NDAA requirements or take an active role to manage the program’s success as authorized by its charter. Instead, FEHRM Program Office officials limited their role to facilitating discussions when disputes arose between the DoD and the VA, and would only provide direction if the Departments reported a problem. Because the FEHRM Program Office limited its role, the DoD and the VA took separate actions to migrate patient health care information, develop interfaces, and grant user access to Cerner Millennium.
Achieving interoperability between the DoD, VA, and external health care providers through the deployment of a single EHR system is critical because health care providers will have the ability to securely transfer and share health care information for the Nation’s 9.6 million DoD Armed Forces members, dependents, and retirees, and 9.21 million enrolled users. As the DoD and the VA continue to deploy Cerner Millennium, health care providers at those facilities should be confident that a patient’s EHR is accurate and complete regardless of where the point of care occurred.
We recommend that the Deputy Secretary of Defense and the Deputy Secretary of Veterans Affairs review the actions of the FEHRM Program Office and direct the FEHRM Program Office to develop processes and procedures in accordance with the FEHRM Program Office charter and the National Defense Authorization Acts. In addition, we recommend, among other actions, that the Director of the FEHRM Program Office, in coordination with the Director of the Defense Health Agency, the Program Executive Director of the VA Office of Electronic Health Record Modernization Integration, and the Program Manager for DoD Healthcare Management System Modernization:
- determine the type of health care information that constitutes a complete EHR;
- develop and implement a plan for migrating legacy patient health care information needed for a patient’s complete EHR once the FEHRM Program Office determines the type of patient health care information that constitutes a complete patient electronic heath record;
- develop and implement a plan for creating interfaces that would allow medical devices to connect and transfer patient health care information to Cerner Millennium; and
- develop and implement a plan to modify Cerner Millennium user roles to ensure that users are granted access to only the patient health care information necessary to perform their job responsibilities.
Management Comments and Our Response
The Deputy Secretary of Defense and Deputy Secretary of Veterans Affairs agreed with the recommendation to review the actions of the FEHRM Program Office and direct the FEHRM Program Office to develop processes and procedures in accordance with the recommendations. In addition, the Deputy Secretary of Defense and Deputy Secretary of Veterans Affairs stated that they would ensure the FEHRM Program Office complies with its charter and applicable NDAA requirements.
The FEHRM Program Office Director agreed with the recommendations to determine the type of health care information that constitutes a complete EHR, develop and implement a plan to migrate that patient information to Cerner Millennium, and develop and implement a plan for creating interfaces between medical devices and Cerner Millennium. However, the Director stated that the FEHRM Program Office needed resourcing and appropriate delegations of authority from the DoD and VA to properly address the recommendations. The Director also stated that the FEHRM Program Office was prepared to begin executing actions when funding, staffing, and authorities are allocated. Although the Director agreed, we consider the recommendations unresolved because the Director made any actions contingent upon the DoD and VA providing additional authorities and resources. It is the Director’s responsibility to request needed resources and authorities from the DoD and VA; therefore, we request that the FEHRM Program Office Director provide additional comments describing the actions the FEHRM Program Office plans to take to identify the resources needed to execute its mission and request the authorities needed to address the recommendations. The FEHRM Program Office Director partially agreed with the recommendation to ensure that Cerner Millennium users are granted access to only the patient health care information necessary to perform their job responsibilities. Specifically, the Director stated that user access was assessed as Cerner Millennium was deployed and that Cerner Millennium was configured to balance the need to comply with the Health Insurance Portability and Accountability Act with the need to ensure that the quality of care and patient safety were not compromised. However, we found that the Cerner Millennium user roles were not always commensurate with the health care provider’s assigned duties and therefore, users had more access to patient health care information than was necessary. The Health Insurance Portability and Accountability Act Privacy Rule requires covered entities to limit the access to patient EHRs to the minimum access necessary for users to perform their official duties. Therefore, we request that the Director provide additional comments describing what actions the FEHRM Program Office plans to take to ensure that Cerner Millennium users are granted access to only the patient health care information necessary to perform their job responsibilities.