The Veterans Administration's Office of Inspector General conducted a new audit to determine whether the VA and Oracle Health had sufficient controls in place to prevent, respond to and mitigate the impact of major performance incidents stemming from the launch of the agency's new electronic health system at several veterans' healthcare facilities. 

The agency found that a lack of consistent response standards and weaknesses in several controls regulating configuration management and monitoring could have prevented some EHR outages, but action is still needed to mitigate risks to veterans in the VA's care.

"By obtaining access to real-time EHR incident data and developing a formal procedure, VA could better prevent incidents, verify their duration and impose [contract] penalties when warranted," OIG said.

Incidents persisted during pause

The VA paused the rollout of the Oracle-Cerner electronic health records in July 2022, with the exception of the Captain James A. Lovell Federal Healthcare Center deployment in North Chicago, Illinois, on March 9. 

However, performance incidents continued, as recently as March, OIG said. 

For example, in February, OIG flagged active medication list issues in VA EHR. OIG looked into pharmacy-related patient safety issues after a reported prescription backlog at the VA Central Ohio Healthcare System in Columbus, Ohio, in April 2022. 

"However, the OIG identified other unresolved high-risk patient safety issues," David Case, Deputy Inspector General at OIG, said in a February 15 statement to the House Veterans Committee's subcommittee on technology.

Lack of consistent response standards

Numerous reports over the last four years have outlined how VA EHR system outages resulted in numerous incidents of patient harm and even death. Despite this, the VA struck a new deal with Oracle in May 2023 and renewed its contract with renegotiated terms. 

In April, VA Secretary Denis McDonough told the House VA Committee that progress on the EHR program reset will enable wider implementations in 2025.

For the audit, OIG analyzed major performance incident data maintained in Oracle Health’s Lights On Network and VA’s ServiceNow system from October 24, 2020, through March 31, to identify performance information, including the start date, the sites affected, the responsible party and the incident description. 

As part of their analysis, the auditors selected 28 incidents Oracle Health caused during the timeline. 

While OIG said that VA needs to update how it prioritizes major performance incidents, its review of contract terms and each party's actions also concluded the blame for the breakdown in response was often unclear.

"Ultimately the inadequate controls for handling major incidents originated in how the May 2018 contract was written," OIG said in its report released Monday. The original contract "did not include terms that comprehensively required Oracle Health to take necessary actions to address major incidents." 

The auditors said that the VA lacked well-defined, consistent standards in its guidance for timely response and did not impose clear standards on Oracle Health.

"Given the inconsistencies and lack of clarity in the expectations for major incident response time, the audit team could not determine whether VA or Oracle Health complied with the stated procedures in most cases."

Configuration and enforcement

OIG's audit has identified weaknesses in several controls "that could have prevented the major incidents" in its sampling, particularly in configuration management and assessment, authorization and monitoring, according to the report. 

Lapses in these controls resulted in the new VA EHR experiencing a total of 23 incidents with 80 hours and 20 minutes of system disruption, OIG said.

There were also problems with continuous monitoring of the new system.

"The majority of EHR system disruptions from the major incidents in the team’s sample – about 77% of the hours – were attributable to problems with configuration management and monitoring," the OIG auditors said. 

OIG said that the VA and Oracle Health had different criteria for prioritizing major incidents, too. 

"While most EHR disruptions related to problems with configuration management and assessment, authorization and monitoring, the VA and Oracle Health had different criteria for how major incidents should be prioritized," OIG said.

"VA’s guidance shifted after the contract was signed, designating only incidents with critical impact and critical urgency as priority," the auditors said, adding that the agency relied on Oracle’s incident reporting, and did not have a formal procedure for verifying contractor performance.

Of note, "VA’s threshold for a major incident was higher, and it responded to fewer of its major incidents than Oracle Health," OIG said, adding that although the VA updated contract and process terms last year, "VA’s Office of Information and Technology did not enforce them."

An ongoing lack of consistency in prioritizing incidents means that "VA lacks assurance that all incidents receive the necessary attention," OIG said. 

Going forward, OIG said that the VA must ensure that "notification and resolution occur in a consistent manner; develop effective response guidance that consistently captures results for all major performance incidents and develop a strategy to consistently collect, verify and report the information needed in post-resolution reports."

Need to ensure patient care remains

OIG said that the audit team also focused on "the steps VA has taken to mitigate the risk to patient safety during EHR downtime." 

While strategies to continue patient care when the system is unavailable – downtime and backup procedures – exist, "it did not sign the procedures until May 2024, over three and a half years after launching the EHR system, and it was still implementing a strategy for its backup systems."

Veterans Health Administration personnel attributed the delay to failure in assessing the adequacy of contingency actions, so were unable to thoroughly train clinicians on them, OIG said in the report. 

Although VHA has a business continuity plan when there are EHR outages, and the VA has an action plan to correct shortcomings the watchdog agency has identified, OIG said it is still looking for evidence that the agency: 

• Communicates downtime procedure to clinicians.
• Implements mechanisms to better identify major performance incidents and negative patient outcomes.
• Provides assessment for communicating negative patient outcomes.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.