Forest Service: Financial Accountability (Testimony, 03/11/99,
GAO/T-AIMD-99-106).

Serious, long-standing accounting and financial reporting weaknesses
continue to plague the Forest Service's operations. As a result, GAO has
included the Forest Service in its list of government operations that
are particularly vulnerable to waste, fraud, abuse, and mismanagement.
(See GAO/HR-99-1, Jan. 1999.) The Forest Service's problems have
included a lack of basic accountability for major assets and
liabilities, the inability to accurately track the cost of programs and
activities, and significant reporting errors in the Forest Service's
financial statements and the records that support those statements. In
addition, the Forest Service has experienced significant problems in
implementing its new accounting system, which is crucial to overcoming
its financial management shortcomings and attaining basic accountability
over billions of dollars in taxpayers' funds and investments. This
testimony (1) briefly describes the historical pattern of the Forest
Service's financial management weaknesses, (2) discusses the fundamental
problems that the Forest Service must resolve to achieve financial
accountability, (3) outlines GAO's criteria for placing the Forest
Service's financial management on its high-risk list and what must take
place for the agency to be removed from that list, and (4) highlights
corrective measures that the agency has under way.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-106
     TITLE:  Forest Service: Financial Accountability
      DATE:  03/11/99
   SUBJECT:  Data integrity
             Accounting procedures
             Financial statement audits
             Accountability
             Internal controls
             Federal agency accounting systems
             Financial records
             Financial management
IDENTIFIER:  Forest Service Central Accounting System
             Forest Service Foundation Financial Information System
             
Forest Service: Financial Accountability (Testimony, 03/11/99,
GAO/T-AIMD-99-106).

Serious, long-standing accounting and financial reporting weaknesses
continue to plague the Forest Service's operations. As a result, GAO has
included the Forest Service in its list of government operations that
are particularly vulnerable to waste, fraud, abuse, and mismanagement.
(See GAO/HR-99-1, Jan. 1999.) The Forest Service's problems have
included a lack of basic accountability for major assets and
liabilities, the inability to accurately track the cost of programs and
activities, and significant reporting errors in the Forest Service's
financial statements and the records that support those statements. In
addition, the Forest Service has experienced significant problems in
implementing its new accounting system, which is crucial to overcoming
its financial management shortcomings and attaining basic accountability
over billions of dollars in taxpayers' funds and investments. This
testimony (1) briefly describes the historical pattern of the Forest
Service's financial management weaknesses, (2) discusses the fundamental
problems that the Forest Service must resolve to achieve financial
accountability, (3) outlines GAO's criteria for placing the Forest
Service's financial management on its high-risk list and what must take
place for the agency to be removed from that list, and (4) highlights
corrective measures that the agency has under way.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-106
     TITLE:  Forest Service: Financial Accountability
      DATE:  03/11/99
   SUBJECT:  Data integrity
             Accounting procedures
             Financial statement audits
             Accountability
             Internal controls
             Federal agency accounting systems
             Financial records
             Financial management
IDENTIFIER:  Forest Service Central Accounting System
             Forest Service Foundation Financial Information System
             
Year 2000 Computing Crisis: Readiness of Medicare and the Health Care
Sector (Testimony, 04/27/99, GAO/T-AIMD-99-160).

Pursuant to a congressional request, GAO discussed the readiness of
automated systems that support the nation's delivery of health benefits
and services to function reliably without interruption through the turn
of the century.

GAO noted that: (1) the Health Care Financing Administration (HCFA) and
its contractors have made progress in addressing Medicare year 2000
issues; (2) however, until HCFA completes its planned recertification
between July and November, the final status of the agency's year 2000
compliance will be unknown; (3) given the considerable amount of work
that HCFA faces, it is crucial that development and testing of HCFA's
business continuity and contingency plans move forward rapidly to avoid
the interruption of Medicare claims processing next year; (4) also,
because many states' Medicaid systems are at risk, business continuity
and contingency plans will become increasingly critical for these states
in an effort to ensure continued timely and accurate delivery of
benefits to needy Americans; (5) regarding the health sector overall,
while additional readiness information is available, much work remains
in renovating, testing, and implementing compliant systems; (6)
aggressive action is needed in obtaining information on the year 2000
readiness of hospitals, physicians, Medicare providers, and public
health agencies; (7) until this information is obtained and publicized,
consumers will remain in doubt as to the year 2000 readiness of key
health care components; (8) in addition, while compliance status
information is available for biomedical equipment through the Food and
Drug Administration (FDA) clearinghouse, FDA has not reviewed test
results supporting manufacturers' certifications; (9) such a review
would provide the American public with a higher level of confidence that
biomedical equipment will work as intended; and (10) the public also
needs readiness information on specific pharmaceutical manufacturers to
address concerns about the stockpiling of drugs and medications.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-160
     TITLE:  Year 2000 Computing Crisis: Readiness of Medicare and the 
             Health Care Sector
      DATE:  04/27/99
   SUBJECT:  Y2K
             Health care programs
             Systems conversions
             Strategic information systems planning
             Computer software verification and validation
             Systems compatibility
             State-administered programs
             Information resources management
             Claims processing
             Medical equipment
IDENTIFIER:  Y2K
             Medicare Program
             Medicaid Program
             FDA/VHA Federal Year 2000 Biomedical Clearinghouse
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                    <info@www.gao.gov>                        **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
ai99106t.book GAO

United States General Accounting Office

Testimony

Before the Subcommittee on Oversight and Investigations and the
Subcommittee on Health and Environment, Committee on Commerce,
House of Representatives

For Release on Delivery Expected at 1 p.m. Tuesday, April 27, 1999

YEAR 2000 COMPUTING CRISIS Readiness of Medicare and the Health
Care Sector

Statement of Joel C. Willemssen Director, Civil Agencies
Information Systems Accounting and Information Management Division

GAO/T-AIMD-99-160

Page 1 GAO/T-AIMD-99-160

Messrs. Chairmen and Members of the Subcommittees: We appreciate
the opportunity to join in today's hearing and share information
on the readiness of automated systems that support the nation's
delivery of health benefits and services to function reliably
without interruption through the turn of the century. This
includes the ability of Medicare and Medicaid to pay for services
to millions of Americans and the overall readiness of the health
care sector, including such key elements as biomedical equipment
used in the delivery of health services. Successful Year 2000--or
Y2K--conversion is critical to these efforts.

We reported in February that while some progress by the Department
of Health and Human Services' (HHS) Health Care Financing
Administration (HCFA)and its contractorshad been made in
addressing the numerous recommendations we made last year 1 to
improve key HCFA management practices associated with its Y2K
program, many significant challenges remained. 2 At the time, we
also reported that while some progress had been achieved, many
states' Medicaid systems were at risk, and much work remained. 3

Beyond Medicare and Medicaid, the information available on the
national level concerning Y2K readiness throughout the health care
sector including providers, insurers, manufacturers, and
suppliersindicates much work remains in renovating, testing, and
implementing compliant systems. Also, as we recently testified,
while information on the compliance status of biomedical equipment
is available through a clearinghouse maintained by the Food and
Drug Administration (FDA), the test results for this equipment are
not reviewed. 4 Finally, information on the Y2K readiness of
pharmaceutical and medical-surgical manufacturers is incomplete.

1 Medicare Computer Systems: Year 2000 Challenges Put Benefits and
Services in Jeopardy (GAO/AIMD-98-284, September 28, 1998).

2 Year 2000 Computing Crisis: Medicare and the Delivery of Health
Services Are at Risk (GAO/T-AIMD-99-89, February 24, 1999).

3 Year 2000 Computing Crisis: Readiness of State Automated Systems
That Support Federal Human Services Programs (GAO/T-AIMD-99-91,
February 24, 1999).

4 See Year 2000 Computing Crisis: Action Needed to Ensure
Continued Delivery of Veterans Benefits and Health Care Services
(GAO/T-AIMD-99-136, April 15, 1999).

Page 2 GAO/T-AIMD-99-160

HCFA's Ability to Process Medicare Claims Into the Next Century

As the nation's largest health care insurer, Medicare expects to
process over a billion claims and pay $288 billion in benefits
annually by 2000. The consequences, then, of its systems' not
being Y2K compliant could be enormous. We originally highlighted
this concern in May 1997 and made several recommendations for
improvement. 5 Our report of last September warned that although
HCFA had made improvements in its Y2K management, the agency and
its contractors were severely behind schedule in making their
computers that process Medicare claims Y2K compliant. In February,
we testified that although HCFA had been responsive to our
recommendations and that its top management was actively engaged
in its Y2K program, its reported progress was highly overstated.
We testified that none of HCFA's 54 external mission-critical
systems reported compliant by HHS as of December 31, 1998, was Y2K
ready, based on serious qualifications identified by the
independent verification and validation (IV&V) contractor.
Further, we reported that HCFA continued to face serious Y2K
challenges. Specifically, HCFA

 lacked an overall schedule and critical path to identify and rank
Y2K tasks to help ensure that they could be completed in a timely
manner;  needed a formal risk management process to highlight
potential

technical and managerial weaknesses that could impair project
success;  continued to have thousands of electronic data exchanges
that were not

Y2K compliant;  faced a significant amount of testing in 1999,
especially since changes

will continue to be made to its mission-critical systems to make
them compliant; and  needed to sustain its efforts to complete and
test business continuity

and contingency plans to ensure that Medicare claims will be
processed next year.

The Office of Management and Budget (OMB) also continues to be
concerned about HCFA's progress. In its March 18, 1999, summary of
Y2K progress reports of all agencies for the reporting quarter
ending February 12, 1999, it concluded that HCFA remains a serious
concern due to external systems testing, implementation schedules,
and the qualified compliance of a number of external mission-
critical systems. OMB further stated that although Medicare
contractors had been making an intensive effort to

5 Medicare Transaction System: Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May
16, 1997).

Page 3 GAO/T-AIMD-99-160

complete validation and implementation by the governmentwide
deadline of March 31, 1999, some external contractors may not
succeed. Due in large part to HCFA's status, OMB designated HHS as
a tier 1 agency on its three-tiered rating scale, meaning it had
made insufficient progress in addressing the Y2K problem.

HCFA's Actions to Achieve Compliance and Bolster Outreach Efforts
to Medicare Providers

HCFA has been responsive to our recommendations. To more
effectively identify and manage risks, HCFA is relying on multiple
sources of information, including test reports, reports from its
IV&V contractors, and weekly status reports from its recently
established contractor oversight teams. In addition, HCFA has
stationed staff at critical contractor sites to assess the data
being reported and to identify problems.

HCFA also is more effectively managing its electronic data
exchanges. It issued instructions to its contractors (fiscal
intermediaries and carriers) to inform providers and suppliers
that they had to begin submitting Medicare claims in Y2K-compliant
data exchange format by April 5 of this year. HCFA now reports
that 93 percent of the fiscal intermediaries and 99 percent of the
carriers are complying. HCFA also established new instructions for
contractors to report on data exchanges, and created a new
database to track status.

HCFA continues to further define its testing procedures. It
required that existing qualifications be addressed and tested by
March 31, 1999. It also issued instructionson January 11, 1999for
all contractors to recertify their systems from July 1 to November
1, 1999. To more clearly define this testing, HCFA issued
additional recertification and end-to-end testing guidance on
March 10, 1999.

HCFA has also begun to use several Y2K-analysis tools to measure
testing thoroughness, and its IV&V contractor is assessing test
adequacy of the external systems (e.g., test coverage and
documentation). In addition to the IV&V contractors' efforts, HCFA
has engaged a separate contractor to conduct independent tests on
some of its mission-critical systems. HCFA further plans to
perform end-to-end testing with its Y2K-compliant test sites.
These end-to-end tests are to include all internal systems and
contractor systems; however, they will not include testing with
banks and providers.

Another area in which HCFA has demonstrated progress is developing
business continuity and contingency plans to ensure that, no
matter what,

Page 4 GAO/T-AIMD-99-160

beneficiaries will receive care and providers will be paid. HCFA
established cross-organizational workgroups to develop contingency
plans for the following core business functions: health plan and
provider payment, eligibility and enrollment issues, program
integrity, managed care, quality of care, litigation, and
telecommunications. HCFA's fourth and final iteration of this plan
was issued on April 1, 1999, and the plan is expected to be tested
by June 30.

HCFA has continued to strengthen its outreach efforts to the
providers of Medicare services. On January 12, 1999, the
Administrator sent individual letters to over 1.3 million Medicare
providers in the United States, alerting them to take prompt Y2K
action on their information and billing systems. Three days later,
the Administrator sent a letter to Congress, with assurances that
HCFA is making progress and stressing that physicians, hospitals,
and other providers must also meet the Y2K challenge. HCFA also
offered to provide speakers in local congressional districts, is
holding a series of conferences throughout the country, and has
established a toll- free information hotline.

Reported Status of HCFA's Mission-Critical Systems

HCFA operates and maintains 25 internal mission-critical systems;
it also relies on 75 external mission-critical systems operated by
contractors throughout the country who process Medicare claims.
These external systems include six standard processing systems and
the Common Working File. Each contractor relies on one of these
standard systems to process its claims, and adds its own front-end
and back-end processing systems. The Common Working File is a set
of databases located at nine sites that works with internal and
external systems to authorize claims payments and determine
beneficiary eligibility.

In HHS' latest Y2K quarterly progress report to OMB, dated
February 10, it reported that as of December 31, 1998, all 25 of
HCFA's internal mission- critical systems were reported to be
compliant, as were 54 of the external systems. Yet as we testified
in February, none of these 54 systems was Y2K ready because all
had important associated qualifications (exceptions), some of them
significant. 6 HCFA issued a memorandum in early January
requesting Medicare carriers and fiscal intermediaries to resolve
these qualifications by March 31, the federal target date for Y2K
compliance. HCFA reported to us on April 19, 1999, that most of
these qualifications

6 GAO/T-AIMD-99-89, February 24, 1999.

Page 5 GAO/T-AIMD-99-160

have been resolved and that 73 of 75 external systems are now
compliant (the total number of external mission-critical systems
decreased from 78 to 75 because three contractors plan to leave
the Medicare program before the end of the year).

HCFA's IV&V contractor's analysis of the qualifications was
consistent with what HCFA reported to us. Specifically, the IV&V
contractor's analysis of the 53 external systems concluded that 19
had no remaining qualifications, 33 had qualifications it deemed
low impact (i.e., could be addressed within the next 3 months or
would have a minor impact on the site's ability to meet Medicare
requirements), and 1 had qualifications deemed critical. The IV&V
contractor recommended that all qualifications be resolved by June
28, 1999, so that HCFA's final testing of its mission-critical
systems could begin on July 1, 1999, with no open qualifications.

Despite Reported Compliance, HCFA's Mission-Critical Systems Still
Require Additional Y2K Renovation and Testing

The HCFA mission-critical systems that have been characterized as
Y2K compliant are not, however, the final systems that will be
processing Medicare claims on January 1, 2000. These systems will
undergo a significant amount of change between now and July 1,
1999, for both Y2K and other reasons. These changes will require a
complete retest to ensure that the systems have not been
contaminated by the changes and that they still are indeed Y2K
compliant.

Specifically, these changes will address (1) outstanding
qualifications, (2) additional Y2K changes, (3) a critical
software release of the Common Working File, and (4) legislative
mandates. 7 In addition to the changes required to address
outstanding qualifications, changes are also occurring because of
other compliance issues not listed as qualifications. For example,
three standard system maintainers are currently updating their
systems because the earlier renovation was performed with
noncompliant compilers. 8 Each of these three upgrades is
scheduled to be completed by July 1999. In addition, analyses
using tools that determine the Y2K readiness of software code are
uncovering additional Y2K programming errors. For example, 28
programming errors were recently identified using a Y2K tool on
the Florida standard system. These errors are to be

7 These legislative mandates include software changes required to
implement new policies for the Balanced Budget Act of 1997, such
as hospice updates and Medicare+Choice.

8 A compiler is a computer program that converts human-readable
source code into a sequence of machine instructions that the
computer can run.

Page 6 GAO/T-AIMD-99-160

corrected and tested by June 1999. According to HCFA officials,
such errors were uncovered based on an inspection of only about
one-seventh of the software code associated with the Florida
standard system. If time permits, HCFA is considering using this
Y2K tool on 100 percent of the code on all of the standard
systems.

In addition to these Y2K-related changes, HCFA is planning a major
software release of the Common Working File in late June, and
legislatively mandated changes are to occur through June. HCFA
plans to conduct final tests of its systems between July 1 and
November 1, 1999, then recertify all mission-critical systems as
compliant without qualification or exception. These final tests
will ultimately determine whether HCFA's mission-critical systems
are Y2K compliant. The late 1999 time frames associated with this
testing represent a high degree of risk.

Other Critical Risks and Challenges Remain

Testing is a critical area in which HCFA faces significant
challenges. Complete and thorough testing is essential to
providing reasonable assurance that new or modified systems will
process dates correctly and will not jeopardize an organization's
ability to perform core business operations. Because the Y2K
problem is so pervasive, potentially affecting an organization's
systems software, applications software, databases, hardware,
firmware, embedded processors, telecommunications, and interfaces,
the requisite testing can be extensive and expensive. Experience
is showing that Y2K testing is consuming between 50 and 70 percent
of a Y2K project's time and resources. According to our guide, to
be done effectively, testing should be planned and conducted in a
structured and disciplined fashion. 9

To date, HCFA's testing of its external systems has not been
rigorous. HCFA's IV&V contractor has reported concerns with test
documentation, readiness, and coverage associated with HCFA's
external mission-critical systems. Specifically, the IV&V
contractor reported that the quality of test documentation has
been found to be incomplete and inadequate during a significant
number of site visits. In addition, the results of using a Y2K
tool to assess renovation quality and test readiness on each of
the standard systems revealed that both indicators are primarily
rated in the low to medium ranges, meaning that errors exist that
could cause Y2K-related system failures.

9 Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21,
November 1998).

Page 7 GAO/T-AIMD-99-160

The IV&V contractor also reported that HCFA's contractors have no
satisfactory mechanism for determining the quality of test
coverage (e.g., systems functionality, HCFA-mandated dates,
interface coverage) associated with the self-certification
testing. Because of this, HCFA issued instructions on April 9,
1999, that required contractors to submit information on the
functionality covered by their test cases. Until test coverage is
determined and testing is fully executed, the quality of the
testing conducted will remain unknown.

In addition, two standard system maintainers did not test with the
Common Working File, rather, they used a system that simulates the
functions performed by the Common Working File. Testing with a
system that simulates the Common Working File is less than ideal
since the simulated system is not identical to the actual system.
HCFA has acknowledged this and plans to have these two standard
system maintainers test with the Common Working File during the
recertification testing.

Further, testing has not been completed in the optimal sequence to
ensure compliance of all systems. Since each contractor relies on
one of the six standard systems to process its claims, ideally
each of these six standard systems should have been completely
tested before the contractors tested their front-end and back-end
processing systems with their respective standard systems.
However, only the Florida standard system maintainer completed
future-date testing before the system was provided to its 29
contractors. Thus, more than half of the contractors tested with
standard systems that had not completed Y2K testing. Managing
multiple testing baselines and ensuring that corrections to one
system's testing errors does not lead to problems in another
system is a major challenge.

In September 1998 we recommended that HCFA rank its remaining Y2K
work on the basis of a schedule that includes milestones for
renovation and testing of all systems, and that it include time
for end-to-end testing and development and testing of business
continuity and contingency plans. 10

Such a schedule is extremely important because of the number of
systems, their complexity, and interdependencies among them.
However, HCFA still lacks an integrated schedule. The complexity
and required sequencing of the 75 external and 25 internal systems
associated with the recertification requires an integrated testing
schedule to avoid scheduling constraints. For example, the Common
Working File and standard systems should be

10 GAO/AIMD-98-284, September 28, 1998.

Page 8 GAO/T-AIMD-99-160

tested initially so that the contractors can test with fully
compliant systems. Without an integrated schedule, HCFA cannot
effectively prioritize remaining work or ensure that all Y2K
testing will be completed on time.

HCFA's late start and the limited time remaining raises risks that
the recertification testing will likewise not be as rigorous as
necessary. Two areas already have us concernedtesting overlap and
a decrease in the number of future dates that will be tested. HCFA
officials told us that contractors will begin to test with the
Common Working File before it is completely Y2K-tested. Ideally,
these tests should be done sequentially so that each contractor
can test with a fully Y2K-tested CommonWorking File. Also,
although HCFA's recertification will test four future dates, two
more than the self-certification testing, this total is fewer than
what HCFA had originally planned. Initially, HCFA planned to test
with nine future dates.

In addition to such individual systems testing, HCFA must also
test its systems end-to-end to verify that defined sets of
interrelated systems, which collectively support an organizational
core business function, will work as intended. As mentioned, HCFA
plans to perform this end-to-end testing with its Y2K-test sites.
These tests are to include all internal systems and contractor
systems, but will not include testing with banks and providers.
HCFA has required its contractors to future-date test with
providers and financial institutions. Even excluding banks and
providers, end-to-end testing of HCFA's internal and external
systems is a massive undertaking that will need to be effectively
planned and carried out. HCFA has not yet, however, developed a
detailed end-to-end test plan that explains how these tests will
be conducted or that provides a detailed schedule for conducting
them.

A final aspect of testing concerns the independent testing
contractor. HCFA expects this testing to be completed by August
31. This contractor currently plans to test eight internal systems
and the six external standard systems. Originally, all 25 internal
mission-critical systems were to be tested. In addition, because
of the changing nature of the Medicare systems and the limited
remaining time, the independent testing will be conducted with
systems that were available January 1999, not with the exact
systems that will be operating on January 1, 2000.

HCFA also faces risks because it has thousands of data exchanges
that are not yet compliant. HCFA's systemsboth internal and
externalexchange data, both among themselves and with the Common
Working File, other

Page 9 GAO/T-AIMD-99-160

federal agencies, banks, and providers. Accordingly, it is
important that HCFA ensure that Y2K-related errors will not be
introduced into the Medicare program through these data exchanges.
HCFA's total number of data exchanges dropped significantly since
February 10, 1999. The number of internal data exchanges declined
from 7,968 to 3,209, while the number of external data exchanges
dropped from 255,383 to 141,866. HCFA officials attributed this
decrease to performing a major cleanup of the data. As of April 9,
1999, HCFA reported that only four of its 3,209 internal data
exchanges were still not compliant, and that over 3,000 of its
141,866 external data exchanges were not compliant. To ensure that
HCFA's internal and external systems are capable of exchanging
data between themselves as well as with other federal agencies,
banks, and providers, it is essential that HCFA take steps to
resolve the remaining noncompliance of these data exchanges.

Given the magnitude of HCFA's Y2K problem and the many challenges
that continue to face it, the development of contingency plans to
ensure continuity of critical operations and business processes is
absolutely critical. Therefore, HCFA must sustain its efforts to
complete and test its agencywide business continuity and
contingency plans by June 30. Another challenge for HCFA is
monitoring the progress of the 62 separate business continuity and
contingency plans that will be submitted by its contractors. We
will continue to monitor progress in this area.

Other issues that further complicate HCFA's Y2K challenge are
planned October 1, 1999, and January 1, 2000, provider payment
updates; the known and unknown contractor transitions that are to
take place before January 1, 2000; and the unknown status of the
managed care organizations serving Medicare beneficiaries. We have
requested detailed information on the specific changes that the
October 1 and January 1 updates will require to determine the
amount of testing that will be necessary after these changes are
made. HCFA already is faced with too much to test in too little
time, and these updates further contribute to already monumental
testing challenges.

As reported in HHS' quarterly submission to OMB, HCFA is concerned
about the possibility of Medicare contractors, fiscal
intermediaries, and carriers leaving the program and notifying
HCFA of this after June. If this were to occur, the workload would
have to be transferred to another contractor whose Y2K-compliance
status may not be known. According to both contractor and HCFA
officials, it requires 6-12 months to transfer the claims
processing workload from one contractor to another. At present,

Page 10 GAO/T-AIMD-99-160

HCFA is transitioning the work of the three contractors that are
leaving the program.

HCFA required the 386 managed care organizations currently serving
6.6 million Medicare beneficiaries to certify their systems as Y2K
compliant by April 15. As of April 21, 1999, HCFA had received
certifications from 315 of the organizations. Similar to fee-for-
service contractors, 271 of the 315 certifications contained
qualifications. We plan to review these certifications as part of
our ongoing work for the Senate Special Committee on Aging to
determine whether the managed care organizations' systems are Y2K
compliant and whether a formal recertification would have to be
performed later this year.

Medicaid Systems Are at Risk

Similar to Medicare, the systems supporting the Medicaid program
also face Y2K challenges and risk. In fiscal year 1997, Medicaida
joint federal-state program supported by HCFA and administered by
the states provided about $160 billion to millions of recipients.
Medicaid provides health coverage for 36 million low-income
people, including over 17 million children. Its beneficiaries also
include elderly, blind, and disabled individuals.

In surveying states' Y2K status last summer, 11 we found that many
systems were at risk and much work remained to ensure the
continuation of services. The states' reported compliance rate for
Medicaid systems was only about 16 percent, and 18 states reported
that they had completed renovating one quarter or fewer of their
Medicaid claims processing systems. These 18 states had Medicaid
expenditures of about $40 billion in fiscal year 1997one quarter
of total Medicaid expenditures nationwide, covering about 9.5
million recipients.

In response, HCFA administered two state self-reported surveys and
conducted several on-site visits and found that overall state
Medicaid systems status had improved little. To obtain more
reliable Y2K state Medicaid status information, HCFA also hired a
contractor to conduct independent verification and validation of
states' systems.

11 Year 2000 Computing Crisis: Readiness of State Automation
Systems to Support Federal Welfare Programs (GAO/AIMD-99-28,
November 6, 1998). We sent a survey to the 50 states, the District
of Columbia, and three territories (Guam, Puerto Rico, and the
Virgin Islands). All but 1 of the 54 entities surveyed responded.

Page 11 GAO/T-AIMD-99-160

HCFA reported in HHS' February 1999 quarterly report to OMB that
based on seven site visits, some of the dates that states had
reported to us in July/August 1998 had already slipped,
underscoring the need for on-site visits to secure more accurate
information. In addition, according to HCFA, while four states
appeared to have made some progress in the 6 months since our
survey, three states' status remained the same. Further, HCFA
found that one state's Medicaid eligibility systemwas not as far
along as the state had reported in our survey. To assist states
with their effort, HCFA's IV&V contractor plans to make on-site
visits to all 50 states and the District of Columbia by the end of
this April. For states considered at risk, HCFA will conduct
second site visits between May and September 1999 and, if
necessary, third visits between October and December 1999. The
later visits will emphasize contingency planning to help the
states ensure continuity of program operations in the event of
systems failures.

Y2K Readiness of the Health Care Sector: Much Work Remains

At this point, I would like to broaden our discussion to the Y2K-
readiness status of the health care sector, including biomedical
equipment 12 and pharmaceutical and medical-surgical products used
in the delivery of health care. While it is undeniably important
that Medicare and Medicaid systems be compliant so that the claims
of health care providers and beneficiaries can be paid, it is also
critical that the services and products associated with health
care delivery itself be Y2K compliant. However, with just over 8
months until the turn of the century, the level of progress to
date is not reassuring.

Virtually everything in today's hospital is automatedfrom the
scheduling of procedures such as surgery, to the ordering of
medication such as insulin for a diabetic patient, to the use of
portable devices as diverse as heart defibrillators and
thermometers. It, therefore, becomes increasingly important for
health care providers such as doctors and hospitals to assess
their health information systems, facility systems (such as
heating, ventilating, and air conditioning equipment), and
biomedical equipment to ensure their continued operation on
January 1, 2000. Similarly, pharmaceutical manufacturers and
suppliers that rely heavily on computer systems for the
manufacture and distribution of drugs must assess their processes
for compliance. Given the large degree of interdependence among
components of the health sectorproviders, suppliers, insurance

12 Biomedical equipment refers to both medical devices regulated
by the Food and Drug Administration (FDA), and scientific and
research instruments, which are not subject to FDA regulation.

Page 12 GAO/T-AIMD-99-160

carriers, and patients/consumersthe availability and sharing of
Y2K readiness information is vital to safe, efficient, and
effective health care delivery.

In response to an October 1998 request from the Chair of the
President's Council on Year 2000 Conversion, several federal
agencies and professional health care associations surveyed key
components of the health care sector. Accordingly, the amount of
readiness information on this sector has increased in recent
months. The survey results, however, indicate that much work still
remains in renovating, testing, and implementing compliant
systems. Further, readiness information on the health sector is
still incomplete because a significant number of sector members
did not respond to the surveys.

According to a survey that the American Hospital Association (AHA)
sent to 2,000 of its members in February 1999, much work remains.
For example, based on the 583 responses received as of March 1,
1999, the hospitals reported that only about 6 percent of the
medical devices, 13 percent of information systems, and 24 percent
of physical plant/ infrastructure are compliant. However, most
hospitals indicated that they expect to be compliant by the end of
the year. 13

The American Medical Association's (AMA) survey to 7,000
physicians showed that approximately 47 percent of the 522
physicians that responded by mail or telephone indicated that they
do not have a good understanding of Y2K conversion, and have
practices that are not Y2K ready. Almost all of these physicians
reported that they would be ready by the end of the year. The
survey disclosed no difference between the Y2K preparedness of
large physician groups and solo or small physician groups (10
physicians or fewer). However, AMA stated that caution should be
taken in interpreting the survey results due to the low response
rate.

According to responses received to a December 1998 survey sent by
HHS' Office of the Inspector General to a sample of 5,000 Medicare
providers 1,000 each to hospitals, nursing homes, durable medical
device manufacturers, physicians, and home health agenciesexcept
for hospitals, providers reported making limited progress in
assessing their biomedical equipment for Y2K compliance. All
providers reported making

13 Compliance refers to the hospitals' information systems,
medical devices, and physical plant/ infrastructure.

Page 13 GAO/T-AIMD-99-160

limited progress in testing data exchanges between their computers
and external vendors, and developing emergency backup plans in
case of computer failures. Further, many Medicare providers did
not respond to this survey. For example, the response rates for
medical device manufacturers, physicians, and home health agencies
were less than 30 percent.

A survey sent by the Association of State and Territorial Health
Officials and the Centers for Disease Control and Prevention (CDC)
to 57 state and territorial health officials in December 1998
showed that two thirds of the 29 respondents did not have
contingency plans. CDC is also concerned about the lack of
readiness information on local public health agencies.

Finally, according to the second quarterly report by the
President's Council on Year 2000 Conversion, the health care
sector has not made adequate progress in addressing the Y2K
problem. 14 The report stated that while recent surveys indicate
that health care providers have a high level of confidence that
they will complete much of the work on mission-critical systems
before the end of the year, the actual number of systems made
compliant to date is relatively low in areas from recordkeeping to
infrastructure. The report noted that recordkeeping systems are of
great concern because they play an essential role in processing
payment claims to insurance companies and government health
agencies.

Biomedical Equipment: Status Information Available for Many Items,
but Test Results Not Reviewed

The question of whether medical devices such as magnetic resonance
imaging (MRI) systems, x-ray machines, pacemakers, and cardiac
monitors can be counted on to work reliably on and after January
1, 2000, is critical to medical care delivery. To the extent that
biomedical equipment uses embedded computer chips, it is
vulnerable to the Y2K problem.

Such vulnerability carries with it possible safety risks. This
could range from the more benignsuch as incorrect formatting of a
printoutto the most serioussuch as incorrect operation of
equipment with the potential to adversely affect the patient. The
degree of risk depends in large part on the role the equipment
plays in a patient's care.

14 The President's Council on Year 2000 Conversion: Second Summary
of Assessment Information, April 21, 1999.

Page 14 GAO/T-AIMD-99-160

Responsibility for oversight and regulation of medical devices,
including the impact of the Y2K problem, lies with FDA. Last
September we testified that FDA, like the Veterans Health
Administration (VHA)a key federal health care providerwas trying
to determine the Y2K compliance status of biomedical equipment. 15
FDA's goal was to provide a comprehensive, centralized source of
information on the Y2K compliance status of biomedical equipment
used in the United States and to make this information publicly
available on a web site. However, at the time, FDA had a
disappointing response rate from manufacturers to its letter
requesting compliance information. And, while FDA made this
information available to the public, it was not detailed enough to
be useful. Specifically, FDA's list of compliant equipment lacked
information relating to the particular make and model of the
equipment.

To provide more detailed information on the compliance status of
biomedical equipment, as well as to integrate more detailed
compliance information gathered by VHA, we recommended that VA and
HHS jointly develop a single data clearinghouse that provides such
information to all users. We said development of the clearinghouse
should involve representatives from the health care industry, such
as the Department of Defense's Health Affairs and the Health
Industry Manufacturers Association. In addition, we recommended
that the clearinghouse contain such information as (1) the
compliance status of all biomedical equipment by make and model,
and (2) the identity of manufacturers that are no longer in
business. We also recommended that VHA and FDA determine what
actions should be taken regarding biomedical equipment
manufacturers that have not provided compliance information.

In response to our recommendation, FDAin conjunction with VHAhas
established the Federal Year 2000 Biomedical Equipment
Clearinghouse. With the assistance of VHA, the Department of
Defense, and the Health Industry Manufacturers Association, FDA
has made progress in obtaining compliance-status information from
manufacturers. For example, according to FDA, 4,251 biomedical
equipment manufacturers had submitted data to the clearinghouse as
of April 5, 1999. As shown in figure 1, about 54 percent of the
manufacturers reported having products that do not employ a date,
while about 16 percent reported having date-related

15 Year 2000 Computing Crisis: Leadership Needed to Collect and
Disseminate Critical Biomedical Equipment Information (GAO/T-AIMD-
98-310, September 24, 1998).

Page 15 GAO/T-AIMD-99-160

problems such as incorrect display of date/time. FDA is still
awaiting responses from 399 manufacturers.

Figure 1: Biomedical Equipment Compliance- Status Information
Reported to FDA by Manufacturers as of April 5, 1999

Note: Total number of manufacturers = 4,251. Source: FDA.

FDA has also expanded the information in the clearinghouse. For
example, users can now find information on manufacturers that have
merged with or have been bought out by other firms.

In collaboration with the National Patient Safety Partnership, 16
FDA is in the process of obtaining more detailed information from
manufacturers on noncompliant products, such as make and model and
descriptions of the

16 The National Patient Safety Partnership is a coalition of
public and private health care providers, including VA, the
American Medical Association, the American Hospital Association,
the American Nurses Association, and the Joint Commission on
Accreditation of Healthcare Organizations.

2,299 880

669 403

0 500

1,000 1,500

2,000 2,500

Number of manufacturers Products do not

employ a date All products employing

date are compliant Products with date

related problems Product status report

ed in manufacturer's web site

Page 16 GAO/T-AIMD-99-160

impact of the Y2K problem on products left uncorrected. For
example, FDA sent a March 29, 1999, letter requesting that medical
device manufacturers submit to the clearinghouse a complete list
of individual product models that are Y2K compliant.

We reported last September that VHA and FDA relied on
manufacturers to validate, test, and certify that equipment is Y2K
compliant. 17 We also reported that there was no assurance that
the manufacturers adequately addressed the Y2K problem for
noncompliant equipment, because FDA did not require medical device
manufacturers to submit test results to it certifying compliance.
Accordingly, we recommended that VA and HHS take prudent steps to
jointly review manufacturers' compliance test results for critical
care/life support biomedical equipment. We were especially
concerned that VA and FDA review test results for equipment
previously determined to be noncompliant but now deemed by
manufacturers to be compliant, or equipment for which concerns
about compliance remain. We also recommended that VA and HHS
determine what legislative, regulatory, or other changes were
necessary to obtain assurances that the manufacturers' equipment
was compliant, including the need to perform independent
verification and validation of the manufacturers' certifications.

At the time, VA stated that it had no legislative or regulatory
authority to implement the recommendation to review test results
frommanufacturers. In its response, HHS stated that it did not
concur with our recommendation to review test results supporting
medical device equipment manufacturers' certifications that their
equipment is compliant. It said that the submission of appropriate
certifications of compliance was sufficient to ensure that the
certifying manufacturers' equipment was compliant. HHS also stated
that it did not have the resources to undertake such a review, yet
we are not aware of HHS' requesting resources from the Congress
for this purpose.

More recently, VHA's Chief Biomedical Engineer told us that VHA
medical facilities are not requesting test results for critical
care/life support biomedical equipment; they also are not
currently reviewing the test results available on manufacturers'
web sites. He said that VHA's priority is determining the
compliance status of its biomedical equipment inventory and
replacing noncompliant equipment. The director of FDA's Division
of

17 GAO/AIMD-98-240, September 18, 1998.

Page 17 GAO/T-AIMD-99-160

Electronics and Computer Science likewise said FDA sees no need to
question manufacturers' certifications.

In contrast to VHA's and FDA's positions, some hospitals in the
private sector believe that testing biomedical equipment is
necessary to prove that they have exercised due diligence in the
protection of patient health and safety. Officials at three
hospitals told us that their biomedical engineers established
their own test programs for biomedical equipment, and in many
cases contacted the manufacturers for their test protocols.
Several of these engineers informed us that their testing
identified some noncompliant equipment that the manufacturers had
previously certified as compliant. According to these engineers,
to date, the equipment found to be noncompliant all had display
problems and was not critical care/life support equipment. We were
told that equipment found to be incorrectly certified as compliant
included a cardiac catheterization unit, a pulse oxymeter, medical
imaging equipment, and ultrasound equipment.

VHA, FDA, and the Emergency Care Research Institute 18 continue to
believe that manufacturers are best qualified to analyze embedded
systems or software to determine Y2K compliance. They further
believe that manufacturers are the ones with full access to all
design and operating parameters contained in the internal software
or embedded chips in the equipment. VHA believes that such testing
can potentially cause irreparable damage to expensive health care
equipment, causing it to lock up or otherwise cease functioning.
Further, a number of manufacturers also have recommended that
users not conduct verification and validation testing.

We continue to believe that, rather than relying solely on
manufacturers' certifications, organizations such as VHA or FDA
can provide users of biomedical equipment with a greater level of
confidence that the equipment is Y2K compliant through independent
reviews of manufacturers' compliance test results. The question of
whether to independently verify and validate biomedical equipment
that manufacturers have certified as compliant is one that must be
addressed jointly by medical facilities' clinical staff,
biomedical engineers, and corporate management. The overriding
criterion should be ensuring patient health and safety.

18 An international, nonprofit health services research agency.
This organization believes that superficial testing of biomedical
equipment by users may provide false assurances, as well as create
legal liability exposure for health care institutions.

Page 18 GAO/T-AIMD-99-160

Y2K-Readiness Information on Pharmaceutical and Medical-Surgical
Manufacturers Is Incomplete

Another question critical to the delivery of health care is
knowing whether there will be sufficient supplies of
pharmaceutical and medical-surgical products available for
consumers at the turn of the century. As the largest centrally
directed civilian health care system in the United States, VHA has
taken a leadership role in the federal government in determining
whether manufacturers supplying these products are Y2K-ready. This
information is essential to VHA's medical operations because of
its just-in-time 19

inventory policy. Accordingly, VHA must know whether its
manufacturers' processes, which are highly automated, 20 are at
risk, as well as whether the rest of the supply chain will
function properly.

To determine the Y2K readiness of its suppliers, VA's National
Acquisition Center (NAC) 21 sent a survey on January 8, 1999, to
384 pharmaceutical firms and 459 medical-surgical firms with which
it does business. The survey contained questions on the firms'
overall Y2K status and inquired about actions taken to assess,
inventory, and plan for any perceived impact that the century
turnover would have on their ability to operate at normal levels.
In addition, the firms were requested to provide status
information on progress made to become Y2K compliant and a
reliable estimated date when compliance will be achieved for
business processes such as (1) ordering and receipt of raw
materials, (2) mixing and processing product, (3) completing final
product processing, (4) packaging and labeling product, and (5)
distributing finished product to distributors/ wholesalers and end
customers.

According to NAC officials, of the 455 firms that responded to the
survey as of March 31, 1999, about 55 percent completed all or
part of the survey. The remainder provided either general
information on their Y2K readiness status or literature 22 on
their efforts. As shown in table 1, more than half of the
pharmaceutical firms surveyed responded (52 percent), with just
less than one third (32 percent) of those respondents reporting
that they are

19 This term refers to maintaining a limited inventory on hand.

20 Pharmaceutical manufacturers rely on automated systems for
production, packaging, and distribution of their products, as well
as for ordering raw materials and supplies.

21 This organization is responsible for supporting VHA's health
care delivery system by providing an acquisition program for items
such as medical, dental, and surgical supplies and equipment;
pharmaceuticals; and chemicals. NAC is part of VA's Office of
Acquisition and Materiel Management.

22 This includes annual and quarterly financial reports required
by the Securities and Exchange Commission for companies listed on
the New York Stock Exchange.

Page 19 GAO/T-AIMD-99-160

compliant. The table also shows that 54 percent of the medical-
surgical firms surveyed responded, with about two-thirds of them
(166) reporting that they are Y2K compliant.

Table 1: Status of Companies Surveyed by VHA as of March 31, 1999

a Estimated compliance status ranged from 3/ 31/ 99 through 1/ 1/
2000; about 71 percent of pharmaceutical firms and 80 percent of
medical- surgical firms estimated they will be compliant by 7/ 31/
99. One firm responded that it will be compliant by 1/ 1/ 2000.
Source: VA. We did not independently verify these data.

On March 17, 1999, NAC sent a second letter to its pharmaceutical
and medical-surgical firms, informing them of VA's plans to make
Y2K readiness information previously provided to VA available to
the public through a web site ( www.va.gov/oa&mm/nac/y2k ). VA
made the survey results available on its web site on April 13,
1999. The letter also requested that manufacturers that had not
previously responded provide information on their readiness. NAC's
Executive Director said that he would personally contact any major
VA supplier that does not respond.

On a broader level, VHA has taken a leadership role in obtaining
and sharing information on the Y2K readiness of the pharmaceutical
industry. Specifically, VHA chairs the Year 2000 Pharmaceuticals
Acquisitions and Distributions Subcommittee, which reports to the
Chair of the President's Council on Year 2000 Conversion. The
purpose of this subcommittee is to bring together federal and
pharmaceutical representatives to address issues concerning supply
and distribution as it relates to the year 2000. The subcommittee
consists of FDA; federal health care providers; industry trade
associations such as the Pharmaceutical Research and Manufacturers
of America (PhRMA), Generic Pharmaceutical Industry Association,
the National Association of Chain Drug Stores, and the National
Wholesale Druggists' Association; and consumer advocates.

Responses Pharmaceutical Medical- surgical

Y2K compliant 65 166 Will be compliant by 1/ 1/ 2000 or earlier a
90 70 Provided no compliant date 50 14

Total number of responses 205 250

Non- responses 179 209

Total number of firms surveyed 384 459

Page 20 GAO/T-AIMD-99-160

In response to the Chair's request for Y2K-readiness information
on the pharmaceutical industry, several of these trade
associations, representing both brand name and generic
pharmaceutical manufacturers, have surveyed their members on this
issue. Table 2 summarizes the survey results available to date.

Table 2: Summary of Y2K Readiness Survey Results From
Pharmaceutical Manufacturers

a These members constitute more than 90 percent of the industry
capacity represented by PhRMA, which represents more than 95
percent of the research- based pharmaceutical manufacturers in the
United States. b This number only represents those members that
are generic pharmaceutical manufacturers.

c Of the members surveyed, 24 are also members of PhRMA and 22 of
these participated in the PhRMA survey. Source: Associations
listed. We did not independently verify these data.

In addition, the National Wholesale Druggists' Association sent a
survey to 240 of its associate members that are pharmaceutical
manufacturers requesting information on patient stockpiling of
pharmaceutical products. Three quarters of the 77 members
responding as of November 1998 said

Industry trade association Number of

members surveyed Number of

responses Summary of results

Pharmaceutical Research and Manufacturers of America (PhRMA) 25 24
a All respondents have Y2K plans and

are developing contingency plans to ensure continuous supply of
medicines to patients. Respondents expect to collectively spend
$1.75 billion to address the Y2K problem. Most repair work is
expected to be completed in early to mid- 1999.

Generic Pharmaceutical Industry Association (GPIA)

16 b 14 All respondents have Y2K plans and individually expect to
spend no more than $1.5 million on the Y2K problem. Most repair
work is expected to be completed in June or July 1999.

National Association of Pharmaceutical Manufacturers (NAPM)

12 7 Most respondents have Y2K plans. Association of Military
Surgeons of the U. S. (AMSUS)

41 c 41 All respondents have Y2K plans. Respondents are spending
from $2 million to $70 million on the Y2K problem. All repair work
is expected to be completed by June 30, 1999.

Page 21 GAO/T-AIMD-99-160

they could currently fill orders which will provide patients with
a 3-month supply. Less than 20 percent of the respondents said
they could provide a 1-year supply. Finally, in January 1999, the
National Association of Chain Drug Stores sent a survey to over
130 of its members and received responses from about 25 percent.
These respondents indicated that they will finish Y2K renovations
by September 30, 1999, and two-thirds of the respondents have
developed contingency plans.

Based on their survey results, these industry trade associations
believe that computer systems and software application problems
will not substantially impede the ability of the supply chain to
maintain an uninterrupted flow of medicines. However, in contrast
to VHA's survey, the associations' surveys were provided in
summary format and did not contain detailed information on the Y2K
readiness of specific manufacturers or members of the supply
chain. This information is necessary if consumers are to have
confidence that there will be a sufficient supply of medications
on hand at the turn of the century.

FDA's Y2K Efforts for Pharmaceutical and Biological Products
Industries Focused Initially on Awareness

FDA's oversight and regulatory responsibility for pharmaceutical
and biological products 23 is to ensure that they are safe and
effective for their intended uses. Because of its concern about
the Y2K impact on manufacturers of these products, FDA has taken
several actions to raise the Y2K awareness of the pharmaceutical
and biological products industries. In addition, it is thinking
about conducting a survey to determine the industry's Y2K
readiness.

One of FDA's actions to raise industry awareness was the January
1998 issuance of industry guidance by the Center for Biologics
Evaluation and Research (CBER) on the Y2K impact of computer
systems and software applications used in the manufacture of blood
products. In addition, as shown in table 3, FDA has issued several
letters to pharmaceutical and biological trade associations and
sole-source drug manufacturers.

23 Biological products include vaccines, blood, and blood
products.

Page 22 GAO/T-AIMD-99-160

Table 3: FDA Letters to Manufacturers Regarding Y2K

Source: FDA.

Further, on February 11, 1999, FDA's director of emergency and
investigation operations sent a memorandum on FDA's interim
inspection policy for the Y2K issue to the directors of FDA's
field investigations. The policy emphasizes FDA's Y2K awareness
efforts for manufacturers. It states that FDA inspectors are to
(1) inform firms of FDA's Y2K web page (URL
http://www.fda.gov/cdrh/yr2000/year2000.html ), (2) provide firms
with copies of the appropriate FDA Y2K awareness letter, (3)
explain that Y2K problems could potentially affect aspects of the
firms' operations, including some areas not regulated by FDA, and
that FDA anticipates that firms will take prudent steps to ensure
that they are not adversely affected by Y2K, and (4) provide firms
with a copy of FDA's compliance policy guide Year 2000 (Y2K)
Computer Compliance.

In addition, on February 22, 1999, FDA and PhRMA jointly held a
government/industry forum on the Y2K preparedness of the

Date FDA source Recipient Purpose

October 1998 Center for

Drug Evaluation and Research

Pharmaceutical manufacturer trade associations To relay to members
FDA's

expectation that the pharmaceutical industry would (1) make
resolution of Y2K a high priority, (2) ensure that production
systems were fixed and tested prior to January 1, 2000, and (3)
urge manufacturers to develop Y2K contingency plans.

October 1998 Center for Biologics

Evaluation and Research

Biologics manufacturer trade associations

Same as above. January 1999 Center for

Drug Evaluation and Research

Sole- source drug manufacturers Same as above. Also (1) noted that
the impact of Y2K on pharmaceutical safety, efficacy, and
availability merits special attention for firms which are the sole
manufacturers of drug components, bulk ingredients, and finished

products, and (2) stated that pharmaceutical industry suppliers
must have Y2K- compliant systems to protect against disruption in
the flow of product components, packaging materials, and equipment
to pharmaceutical manufacturers.

Page 23 GAO/T-AIMD-99-160

pharmaceutical and biotech industries. The objectives of this
forum were to (1) share information on Y2K programs conducted by
health care providers, pharmaceutical companies, FDA, and other
federal agencies, (2) provide a vehicle for networking, and (3)
raise awareness.

On March 29, 1999, FDA revised its February 11, 1999, interim
inspection policy. The revision states that field inspectors are
now to inquire about manufacturers' efforts to ensure that their
computer-controlled or date-sensitive manufacturing processes and
distribution systems are Y2K compliant. Inspectors are to include
this information in their reports, along with a determination of
activities that firms have completed or started to ensure that
they will be Y2K compliant.

Further, FDA inspectors may review documentation in cases in which
firms have made changes to their regulated computerized production
or process control systems to address Y2K issues. The purpose of
this review is to ensure that the changes were made in accordance
with firms' procedures and applicable regulations. If inspectors
determine that a firm has not taken steps to ensure Y2K
compliance, they are to notify their district managers and the
responsible FDA center.

FDA's interim policy describes steps inspectors are to take in
reviewing manufacturers' Y2K compliance. However, FDA stated that
the primary focus of its inspections for the remainder of 1999
will be to ensure that products sold in the United States are safe
and effective for their intended use and comply with federal
statutes and regulations, including current good manufacturing
practice requirements. 24 FDA officials explained that the agency
does not have sufficient resources to perform both regulatory
oversight of the manufacturers and in-depth evaluations of firms'
Y2K compliance activities.

Nevertheless, according to the March 29, 1999, memorandum, field
inspectors are to note, in the administrative remarks section of
their inspection reports, any concerns they may have with a firm's
Y2K readiness. These reports are to be reviewed by FDA district
managers. According to FDA, if a Y2K-related concern affects the
identity, strength, quality, purity, and potency, as well as
safety, effectiveness, or reliability of a drug product, the
district manager can discuss this issue with FDA's

24 These include federal standards for ensuring that products are
high in quality and produced under sanitary conditions (21 CFR
parts 210, 211).

Page 24 GAO/T-AIMD-99-160

Office of Regulatory Affairs and determine a course of action,
including product correction or removal.

Like VHA, FDA is interested in the impact of Y2K readiness of
pharmaceutical and biological products on the availability of
products for health care facilities and individual patients. FDA's
Acting Deputy Commissioner for Policy informed us on March 24,
1999, that the agency is thinking about surveying pharmaceutical
and biological products manufacturers, distributors, product
repackagers, and others in the drug dispensing chain, on their Y2K
readiness and contingency planning. In anticipation of a possible
survey, the agency published a notice in the March 22, 1999,
Federal Register , regarding this matter. The Acting Deputy
Commissioner said that potential survey questions on contingency
planning would include steps the manufacturers are taking to
ensure an adequate supply of bulk manufacturing materials from
overseas suppliers. This is a key issue because, as we reported in
March 1998, 25 according to FDA, as much as 80 percent of the bulk
pharmaceutical chemicals used by U.S. manufacturers to produce
prescription drugs is imported.

In summary, HCFA and its contractors have made progress in
addressing Medicare Y2K issues that we have raised. However, until
HCFA completes its planned recertification between July and
November, the final status of the agency's Y2K compliance will be
unknown. Given the considerable amount of remaining work that HCFA
faces, it is crucial that development and testing of HCFA's
business continuity and contingency plans move forward rapidly to
avoid the interruption of Medicare claims processing next year.
Also, because many states' Medicaid systems are at risk, business
continuity and contingency plans will become increasingly critical
for these states in an effort to ensure continued timely and
accurate delivery of benefits to needy Americans.

Regarding the health sector overall, while additional readiness
information is available, much work remains in renovating,
testing, and implementing compliant systems. Aggressive action is
needed in obtaining information on the Y2K readiness of hospitals,
physicians, Medicare providers, and public health agencies. Until
this information is obtained and publicized, consumers will remain
in doubt as to the Y2K readiness of key health care

25 Food and Drug Administration: Improvements Needed in the
Foreign Drug Inspection Program (GAO/HEHS-98-21, March 17, 1998).

Page 25 GAO/T-AIMD-99-160

components. In addition, while compliance status information is
available for biomedical equipment through the FDA clearinghouse,
FDA has not reviewed test results supporting manufacturers'
certifications; such review would provide the American public with
a higher level of confidence that biomedical equipment will work
as intended. The public also needs readiness information on
specific pharmaceutical manufacturers to address concerns about
the stockpiling of drugs and medications.

Messrs. Chairmen, this concludes my statement. I would be pleased
to respond to any questions that you or other members of the
Subcommittees may have at this time.

(511754) Let t er

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U.S. General Accounting Office P.O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using
fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e-mail message with info in the body to:

info@www.gao.gov or visit GAO's World Wide Web Home Page at:
http://www.gao.gov

United States General Accounting Office Washington, D.C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Mail

Postage & Fees Paid GAO Permit No. GI00

*** End of document. ***