Two ‘oops’ at VA: OIG finds VA, Oracle performance misalignments, makes 9 recommendations; VP candidates’ EHR records improperly accessed by VA employees

Another OIG audit still finds plenty of inconsistencies between VA and Oracle Health in the EHRM implementation–and makes another set of recommendations. The VA’s Office of Inspector General (OIG) conducted a review of the ongoing EHR Modernization (EHRM) at the VA, and once again found shortcomings in processes not addressed in the May 2023 revision of the 10 year contract.

It’s all about controls and consistency in response. The report identified that VA and Oracle Health still do not have adequate controls to prevent system changes from causing major incidents. Regarding response, both organizations are not uniform nor thorough. Controls were not adequate to mitigate incident impact by providing standard procedures and interoperable downtime equipment. VA lacked a formal process for linking delays to specific major performance incidents.

The auditors analyzed 360 major performance incidents—outages, performance degradations, and incomplete functionality—that occurred between 24 October 2020 and 31 August 2022, plus additional incidents through March 2024. Even though deployments halted in VA facilities except for the joint MHS/VA rollout at Lovell Federal Health Care Center in March, major performance incidents continued, including at Lovell which experienced a major problem in filling 60% of prescriptions.

The OIG made nine recommendations in their report. Grouped together, they include the following actions:

  1. Real-time data sharing to give VA greater awareness of potential problems in system operations
  2. Prioritizing major performance incident response in a clear and consistent manner
  3. Developing and enforcing response and other performance metrics to hold the contractor accountable
  4. Requiring sufficient detail in post-resolution reports
  5. Raising staff awareness of procedures
  6. Acquiring appropriate backup systems for downtime
  7. Better identifying and addressing major performance incidents linked to negative patient outcomes.
  8. Identifying the appropriate backup system and develop a training strategy to ensure clinicians can use the system during downtime.
  9. Assessing facilities’ patient safety reports identified during this audit, determining if additional actions need to be taken and, if so, providing an action plan.

VA release, Healthcare IT News

Some VA employees got very naughty in looking up information on the two VP candidates. Both Ohio Senator JD Vance and Minnesota Governor Tim Walz are both veterans (Marines and Army National Guard, respectively). The breaches were discovered in August during a security sweep of high-profile health accounts held in the VA’s EHR. 

  • 12 employees used their VA computers to access information on Vance and Walz.
  • These included physicians and a contractor viewing for an “extended time”.
  • The curious employees may face charges including dismissal and criminal charges. The length of access and intent will be taken into account.
  • Unknown is whether any of the information was shared outside of VA.

Their respective campaigns were notified and the investigation continues. The VA sent a memo to all employees on 30 August from VA Secretary Denis McDonough with a restatement of official data privacy and conduct directives plus the results of a failure to comply. Original reports were in the Washington Post and CNN. Healthcare IT News, Becker’s

Categories: Latest News and Opinion.

Leave a Reply

Your email address will not be published. Required fields are marked *