The National Defense Authorization Act for Fiscal Year 2010 directed the Department of Defense (DOD) to submit a report to congressional defense committees on improvements to the governance and execution of its health information management and information technology (IT) programs to support medical care within the military health system. DOD submitted its report to the appropriate House and Senate committees in June 2010. The act also directed GAO to assess the report and DOD's plan of action to achieve its goals and mitigate risks in the management and execution of health information management and IT programs. Specifically, GAO's objective was to determine whether DOD addressed the reporting requirements specified in the defense authorization act. To do this, GAO reviewed the report submitted by DOD, and analyzed it against the reporting requirements, prior GAO work examining DOD's health IT issues, DOD guidance, and industry best practices.

DOD addressed 6 of the 10 reporting requirements included in the National Defense Authorization Act for Fiscal Year 2010. For example, it reported on its capability to meet the requirements for joint interoperability--the ability to exchange electronic patient health data--with the Department of Veterans Affairs. The department also reported on its capability to carry out necessary governance, management, and development functions of health information management and IT systems. The department partially addressed the remaining 4 requirements, which pertained to identifying, assessing, and mitigating risks, as well as reporting on estimated resources required to optimally support health care IT and planning corrective actions to remedy shortfalls that DOD identified. For example, the department had identified and assessed risks, but the report did not fully disclose these risks or the meaning of the department's assessment. Also, the report did not fully identify the staff and funds needed, nor did it fully identify the organizations responsible and accountable for accomplishing risk mitigation activities. If not corrected, incomplete reporting to address these requirements could impede congressional oversight of the department's planned improvements. GAO is recommending that DOD report additional details to address shortcomings in 4 requirements, including risk identification and assessment, risk mitigation planning, and corrective action planning. In comments on a draft of this report, DOD concurred with GAO's recommendation and described actions it is taking to address it.

Status Legend:

Review Pending-GAO has not yet assessed implementation status.

Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.

Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.

Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

• Review Pending
• Open
• Closed - implemented
• Closed - not implemented

Recommendation for Executive Action

Recommendation: To address shortcomings in meeting these 4 reporting requirements, the Secretary of Defense should direct the Deputy Secretary of Defense to report to the congressional defense committees additional details to address shortcomings GAO identified for the reporting requirements regarding (1) risk identification and assessment, (2) risk mitigation planning, (3) corrective action planning, and (4) future year resources estimation.

Agency Affected: Department of Defense

Status: Review Pending

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.