VA must strengthen controls on EHR performance

The Veterans Administration’s Office of Inspector General has conducted a new audit to determine whether the VA and Oracle Health have adequate controls in place to prevent, address and mitigate the impact of major performance incidents resulting from the launch of the agency’s new electronic health system at several veterans’ health care facilities.

The agency concluded that a lack of consistent response standards and weaknesses in various configuration management and monitoring controls could have prevented some of the EHR outages. However, steps are still needed to mitigate risks to veterans in the VA’s care.

“By gaining access to real-time EHR incident data and developing a formal procedure, VA can better prevent incidents, verify their duration, and impose (contractual) sanctions when appropriate,” OIG said.

Incidents continued during break

The VA has paused the rollout of Oracle-Cerner electronic health records in July 2022, except for the implementation at the Captain James A. Lovell Federal Healthcare Center in North Chicago, Illinois, on March 9.

However, according to OIG, incidents continued to occur, even as late as March.

For example, in February, OIG flagged active medication list issues in the VA EHR. OIG looked into pharmacy-related patient safety issues following a reported backlog of prescriptions at the VA Central Ohio Healthcare System in Columbus, Ohio, in April 2022.

“However, the OIG has identified additional unresolved high-risk patient safety issues,” David Case, deputy inspector general at the OIG, said in a Feb. 15 statement to the House Veterans Committee’s technology subcommittee.

Lack of consistent response standards

Numerous reports over the past four years have outlined how VA EHR system failures have resulted in numerous incidents of patient harm and even death. Despite this, the VA entered into a new deal with Oracle in May 2023, extending its contract with renegotiated terms.

In April, VA Secretary Denis McDonough told the House VA Committee that progress on resetting the EHR program will allow for broader implementations by 2025.

For the audit, OIG analyzed data on significant performance incidents tracked in Oracle Health’s Lights On Network system and VA’s ServiceNow system from October 24, 2020, through March 31, to identify performance information, including the start date, locations affected, responsible party, and incident description.

As part of their analysis, the auditors selected 28 incidents that Oracle Health had caused during the timeline.

While OIG indicated that VA needs to adjust the way it prioritizes major performance incidents, the investigation into the contract terms and the actions of both parties also found that it was often unclear who was to blame for the failed response.

“Ultimately, the inadequate controls over major incident handling originated in the manner in which the May 2018 contract was drafted,” OIG said in its report. report released Monday. The original contract “did not contain terms that comprehensively required Oracle Health to take necessary measures to address major incidents.”

The auditors found that the VA did not have clearly defined, consistent standards in its timely response guidelines and did not impose clear standards on Oracle Health.

“Given the inconsistencies and lack of clarity in expectations for major incident response times, in most cases the audit team was unable to determine whether VA or Oracle Health was following established procedures.”

Configuration and enforcement

The report found that the OIG’s audit identified deficiencies in several controls “that could have prevented the major incidents” in the sample, particularly in the areas of configuration management and assessment, authorization, and monitoring.

Deficiencies in these controls led to a total of 23 incidents in the new VA EHR, resulting in a system outage lasting 80 hours and 20 minutes, OIG said.

There were also problems with the continuous monitoring of the new system.

“Most of the EHR system disruptions resulting from the major incidents in the team’s sample – approximately 77 percent of the hours – were attributable to configuration management and monitoring issues,” the OIG auditors said.

According to OIG, the VA and Oracle Health also use different criteria for prioritizing major incidents.

“Most EHR disruptions were related to configuration management and assessment, authorization and monitoring issues, but the VA and Oracle Health used different criteria for prioritizing major incidents,” OIG said.

“VA’s guidelines changed after the contract was signed to prioritize only incidents with critical impact and critical urgency,” the auditors said, adding that the agency relied on Oracle’s incident reporting and had no formal process to verify contractor performance.

Notably, “VA’s threshold for a serious incident was higher and VA responded to less serious incidents than Oracle Health,” the OIG said. The OIG also said that while VA updated its contract and process requirements last year, “VA’s Office of Information and Technology has not enforced them.”

A continued lack of consistency in prioritizing incidents means that “VA cannot be assured that all incidents receive appropriate attention,” OIG said.

Going forward, OIG said, the VA must ensure “that reporting and resolution occur in a consistent manner; develop effective response guidelines that capture consistent outcomes for all significant performance incidents; and develop a strategy to consistently collect, verify, and report the information needed in post-resolution reports.”

It must be ensured that patient care is maintained

According to OIG, the audit team also focused on “the steps the VA has taken to mitigate the risk to patient safety during EHR outages.”

While it has strategies in place to continue patient care when the system is unavailable – downtime and backup procedures – “it did not sign the procedures until May 2024, more than three and a half years after the launch of the EHR system, and was still in the process of implementing a strategy for its backup systems.”

Veterans Health Administration officials blamed the delay on a failure to properly assess the adequacy of emergency response measures, which prevented them from properly training doctors on the measures, the OIG report said.

While the VHA has a business continuity plan in place in the event of EHR outages, and the VA has an action plan to address the deficiencies the oversight agency identified, OIG said it is still looking for evidence that the agency:

  • Communicates downtime procedure to clinicians.
  • Implements mechanisms to better identify key performance incidents and adverse patient outcomes.
  • Provides an assessment for communicating negative patient outcomes.

Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org

Healthcare IT News is a publication of HIMSS Media.