This is the accessible text file for GAO report number GAO-05-308 
entitled 'Information Technology: Federal Agencies Face Challenges in 
Implementing Initiatives to Improve Public Health Infrastructure' which 
was released on July 11, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

June 2005: 

Information Technology: 

Federal Agencies Face Challenges in Implementing Initiatives to Improve 
Public Health Infrastructure: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-308]: 

GAO Highlights: 

Highlights of GAO-05-308, a report to congressional requesters: 

Why GAO Did This Study: 

The anthrax scare of October 2001 exposed serious weaknesses in the 
U.S. public health infrastructure. Since then, the appearance of new 
infectious diseases has made preparation and readiness even more 
critical. Information technology (IT) can be a major factor in 
detecting and responding to public health emergencies, including 
bioterrorism. 

GAO was asked to review the progress of major federal IT initiatives 
aimed at strengthening the ability of government at all levels to 
respond to public health emergencies, as well as to describe key 
challenges facing agencies pursuing these initiatives. 

What GAO Found: 

Although significant work remains, federal agencies have made progress 
on major public health IT initiatives. These initiatives include one 
broad initiative at the Centers for Disease Control and Prevention 
(CDC)--known as the Public Health Information Network (PHIN)--which is 
intended to provide the nation with integrated information systems, and 
two initiatives at the Department of Homeland Security (DHS), which are 
focused on biosurveillance (see table). CDC's PHIN initiative has made 
progress by establishing communications systems and promoting 
standards, but more work remains on associated surveillance systems. 
For example, public health officials told GAO that they did not find 
PHIN's BioSense application useful because of limitations in the data 
currently collected. DHS also has major initiatives related to public 
health, both of which are in development. In addition, a system 
associated with one of the DHS initiatives--BioWatch--has been 
deployed. BioWatch, an early-warning environmental monitoring system 
that collects air samples in order to detect trace amounts of 
biological materials, recently underwent modification to solve an 
interoperability problem: its three IT components required redundant 
data entry in order to communicate with each other. According to DHS, 
it has developed a solution to this interoperability problem and 
implemented it at two locations; DHS plans to install that solution in 
the remaining BioWatch locations. 

Major Federal Public Health IT Initiatives: 

CDC: 

Initiative: Public Health Information Network; 
Description: A national initiative to implement a multiorganizational 
business and technical architecture and associated information systems. 

DHS: 

Initiative: Biological Warning and Incident Characterization System; 
Description: An initiative to integrate data from environmental 
monitoring and health surveillance systems to provide warning of a 
biological attack and to help guide an effective response. 

Initiative: National Biosurveillance Integration System; 
Description: An effort to combine federal medical, environmental, 
agricultural, and intelligence data to allow early detection of events 
and assist response. 

Sources: CDC and DHS. 

[End of table]

CDC and DHS face challenges in planning and implementing their major 
public health IT initiatives. These challenges include (1) integrating 
current initiatives into a national health IT strategy and federal 
architecture to reduce the risk of duplicative efforts, (2) developing 
and adopting consistent standards to encourage interoperability, (3) 
coordinating initiatives with states and local agencies to improve the 
public health infrastructure, and (4) overcoming federal IT management 
weaknesses to improve progress on IT initiatives. Until these 
challenges are addressed, progress toward building a stronger public 
health infrastructure will be impeded, as will the ability to share 
essential information concerning public health emergencies and 
bioterrorism. 

What GAO Recommends: 

To improve the development of major public health IT initiatives, GAO 
recommends, among other actions, that the Secretary of Health and Human 
Services (1) establish clear linkage between the initiatives and the 
national health care strategy and federal health architecture and (2) 
encourage interoperability through the adoption of standards for health 
care data and communications. 

In response to a draft of this report, HHS generally concurred with the 
recommendations, while DHS did not comment specifically on them. Both 
agencies provided additional contextual information and technical 
comments, which were incorporated as appropriate. 

www.gao.gov/cgi-bin/getrpt?GAO-05-308. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact David A. Powner at (202) 
512-9286 or pownerd@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Progress Made in Federal Public Health IT Applications, But More Work 
Remains: 

Challenges Need to Be Overcome to Strengthen the Information Technology 
That Supports the Public Health Infrastructure: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendixes: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Federal Agencies and Their Roles in Public Health 
Preparedness and Response: 

Appendix III: Comments from the Department of Health and Human 
Services: 

GAO Comments: 

Appendix IV: Comment from the Department of Homeland Security: 

GAO Comment: 

Appendix V: GAO Contact and Staff Acknowledgments: 

Related GAO Reports on Health Information Technology: 

Tables: 

Table 1: PHIN Applications Reviewed: 

Table 2: Initiatives under PHIN: 

Table 3: DHS Biosurveillance IT Initiatives: 

Table 4: Reported Costs for PHIN-Related Initiatives and Applications 
for Fiscal Years 2002-2005: 

Table 5: Reported IT Costs for DHS Biosurveillance IT Initiatives, 
Fiscal Year 2003-2005: 

Table 6: Status of Selected CDC PHIN Applications as of March 1, 2005: 

Table 7: Number of States and Localities with NEDSS Systems: 

Table 8: Status of DHS Biosurveillance IT Initiatives: 

Table 9: Industry Standards Used by the Public Health Information 
Network: 

Figures: 

Figure 1: Simplified Information Flow among Local, State, and Federal 
Agencies for Surveillance Data and Health Alerts/Communications

Figure 2: Estimated Time Lines of PHIN Applications

Figure 3: Estimated Time Lines of DHS Biosurveillance IT Initiatives

Abbreviations: 

BWICS: Biological Warning and Incident Characterization System: 

BWSIIP: BioWatch Signal Interpretation and Integration Program: 

CDC: Centers for Disease Control and Prevention: 

DHS: Department of Homeland Security: 

DOD: Department of Defense: 

Epi-X: Epidemic Information Exchange: 

ESSENCE: Electronic Surveillance System for the Early Notification of 
Community-based Epidemics: 

EPA: Environmental Protection Agency: 

HAN: Health Alert Network: 

HHS: Department of Health and Human Services: 

IT: information technology: 

LRN: Laboratory Response Network: 

NBIS: National Biosurveillance Integration System: 

NEDSS: National Electronic Disease Surveillance System: 

NEPHTN: National Environmental Public Health Tracking Network: 

OMB: Office of Management and Budget: 

PHIN: Public Health Information Network: 

RODS: Real-time Outbreak and Disease Surveillance: 

S&T: Science and Technology (Directorate of DHS): 

VA: Department of Veterans Affairs

Letter June 10, 2005: 

The Honorable Tom Davis: 
Chairman, Committee on Government Reform: 
House of Representatives: 

The Honorable Christopher Shays: 
Chairman, Subcommittee on National Security, Emerging Threats, and 
International Relations: 
Committee on Government Reform:
House of Representatives: 

The Honorable Adam H. Putnam: 
House of Representatives: 

The Honorable Richard Burr: 
Chairman, Subcommittee on Bioterrorism and Public Health Preparedness: 
Committee on Health, Education, Labor, and Pensions: 
United States Senate: 

It has been almost 4 years since the anthrax events of October 2001 
highlighted the weaknesses in our nation's public health 
infrastructure.[Footnote 1] Since that time, emerging infectious 
diseases have appeared--such as Severe Acute Respiratory Syndrome and 
human monkeypox--that have made our readiness for public health 
emergencies even more critical. Information technology (IT) is central 
to strengthening the public health infrastructure through the 
implementation of systems to aid in the detection, preparation for, and 
response to bioterrorism and other public health emergencies. 

You asked us to review the current status of major federal IT 
initiatives aimed at strengthening the ability of government at all 
levels to respond to public health emergencies. Specifically, our 
objectives were to: 

* assess the progress of major federal IT initiatives designed to 
strengthen the effectiveness of the public health infrastructure and: 

* describe the key IT challenges facing federal agencies responsible 
for improving the public health infrastructure. 

We selected specific IT initiatives to review from systems we 
identified in previous work,[Footnote 2] focusing on major public 
health IT initiatives in surveillance and communication 
systems.[Footnote 3] These initiatives were one broad initiative at the 
Department of Health and Human Services' (HHS) Centers for Disease 
Control and Prevention (CDC) and five initiatives at the Department of 
Homeland Security's (DHS) Science and Technology (S&T) Directorate. We 
also conducted limited work at the Department of Defense (DOD) because 
it provides technical support to one of the DHS initiatives. We also 
assessed the use of federal public health IT applications at six state 
and six local public health agencies. Further details of our 
objectives, scope, and methodology are provided in appendix I. Our work 
was performed from July 2004 through April 2005, in accordance with 
generally accepted government auditing standards. 

Results in Brief: 

Federal agencies have made progress on major public health IT 
initiatives, although significant work remains to be done. These 
initiatives include one broad initiative at CDC--the Public Health 
Information Network (PHIN) initiative--which is intended to provide the 
nation with integrated public health information systems to counter 
national civilian public health threats, and two major initiatives at 
DHS, which are primarily focused on biosurveillance.[Footnote 4] CDC's 
broad PHIN initiative encompasses a number of applications and 
initiatives, which show varied progress. Currently, PHIN's basic 
communications systems are in place, but it is unclear when its 
surveillance systems and data exchange applications will become fully 
deployed. Further, the overall implementation of PHIN does not yet 
provide the desired functionality, and so some applications are not 
widely used by state and local public health officials. For example, 
CDC's BioSense application, which is aimed at detecting early signs of 
disease outbreaks, is available to state and local public health 
agencies, but according to the state and local officials with whom we 
spoke, it is not widely used, primarily because of limitations in the 
data it currently collects. DHS is also pursuing two major public 
health IT initiatives--the National Biosurveillance Integration System 
and the Biological Warning and Incident Characterization System 
(BWICS). Both of these initiatives are still in development. The BWICS 
initiative, in addition, is associated with three other programs, one 
of which--BioWatch--is operational. This early-warning environmental 
monitoring system was developed for detecting trace amounts of 
biological materials and has been deployed in over 30 locations across 
the United States. Until recently, its three IT components were not 
interoperable and required redundant data entry in order to communicate 
with each other. 

As federal agencies work with state and local public health agencies to 
improve the public health infrastructure, they face several challenges. 
First, the national health IT strategy and federal health architecture 
are still being developed;[Footnote 5] CDC and DHS will face challenges 
in integrating their public health IT initiatives into these ongoing 
efforts. Second, although federal efforts continue to promote the 
adoption of data standards, developing such standards and then 
implementing them are challenges for the health care community. Third, 
these initiatives involve the need to coordinate among federal, state, 
and local public health agencies, but establishing effective 
coordination among the large number of disparate agencies is a major 
undertaking. Finally, CDC and DHS face challenges in addressing 
specific weaknesses in IT planning and management that may hinder 
progress in developing and deploying public health IT initiatives. 
Until all these challenges are addressed, progress toward building a 
stronger public health infrastructure will be impeded, as will the 
ability to share essential information concerning public health 
emergencies and bioterrorism. 

We are making recommendations to the Secretary of Health and Human 
Services to coordinate with state and local public health agencies, 
align federal public health IT initiatives with the national health IT 
strategy and federal health architecture, and continue federal actions 
to encourage the development and adoption of data standards. We are 
also making recommendations to the Secretary of Homeland Security to 
assess the department's alignment of its initiatives with those of 
other federal activities. 

We received written comments on a draft of this report from HHS and 
DHS. HHS generally concurred with our recommendations, while DHS did 
not comment specifically on the recommendations. Both agencies provided 
additional contextual information and technical comments, which we have 
incorporated in this report as appropriate. We provided DOD officials 
with the opportunity to comment on a draft of this report, which they 
declined. 

Background: 

On June 12, 2002, Congress passed the Public Health Security and 
Bioterrorism Preparedness and Response Act of 2002,[Footnote 6] which 
requires specific activities related to bioterrorism preparedness and 
response. For example, it calls for steps to improve the nation's 
preparedness for bioterrorism and other public health emergencies by 
increasing coordination and planning for such events; developing 
priority countermeasures; and improving state, local, and hospital 
preparedness and response. The Secretary of HHS is required to provide 
for the establishment of an integrated system or systems of public 
health alert communications and surveillance networks among (1) 
federal, state, and local public health officials; (2) public and 
private health-related laboratories, hospitals, and other health care 
facilities; and (3) any other entities that the Secretary determines 
are appropriate. These networks are to allow for secure and timely 
sharing and discussion of essential information concerning bioterrorism 
and other public health emergencies, as well as recommended methods for 
responding to such an attack or emergency. In addition, no later than 1 
year after the enactment of the law, the Secretary, in cooperation with 
health care providers and state and local public health officials, was 
to establish any additional technical and reporting standards, 
including those for network interoperability. 

Since fiscal year 2002, HHS has funded over $2.7 billion for public 
health preparedness efforts through grants administered by CDC and just 
over $1 billion for hospital preparedness grants administered by the 
Health Resources and Services Administration. To encourage the 
integration of health care system response plans with public health 
department plans, HHS has incorporated both public health preparedness 
and hospital performance goals into the agreements that the department 
uses to fund state and local public health preparedness improvements. 
The funding guidance provided by HHS to state and local governments 
calls for improvements in seven key areas: 

* preparedness planning and readiness assessment,

* surveillance and epidemiology capacity,

* laboratory capacity for handling biological agents,

* laboratory capacity for handling chemical agents,

* health alert network/communication and IT,

* risk communication and health information dissemination, and: 

* education and training. 

Over the past year, federal actions to encourage the use of IT for 
health care delivery and public health have been accelerated. In April 
2004, the President established the goal that health records for most 
Americans should be electronic within 10 years and issued an executive 
order to "provide leadership for the development and nationwide 
implementation of an interoperable health information technology 
infrastructure to improve the quality and efficiency of health care." 
As part of this effort, the President tasked the Secretary of HHS to 
appoint a National Coordinator for Health Information Technology--which 
he subsequently did 1 week later. The President's executive order 
called for the Coordinator to develop a strategic plan to guide the 
implementation of interoperable health IT in the public and private 
health care sectors. In July 2004, HHS issued a framework for strategic 
action that includes four broad goals; goal four of that framework is 
directed at improvements in public health.[Footnote 7]

Further, DHS released the National Response Plan[Footnote 8] this past 
January, under which HHS is to continue to lead the federal government 
in providing public health and medical services during major disasters 
and emergencies. In this role, HHS is to coordinate all federal 
resources related to public health and medical services that are made 
available to assist state, local, and tribal officials during a major 
disaster or emergency. 

Role of IT in Public Health Preparedness and Response: 

As we reported in May 2003, IT can play an essential role in supporting 
federal, state, local, and tribal governments in public health 
preparedness and response.[Footnote 9] Development of IT can build upon 
the existing systems capabilities of state and local public health 
agencies, not only to provide routine public health functions, but also 
to support public health emergencies, including bioterrorism. In 
addition, according to the Institute of Medicine, the rapid development 
of new IT offers the potential for greatly improved surveillance 
capacity.[Footnote 10] Finally, for public health emergencies in 
particular, the ability to quickly exchange data between providers and 
public health agencies--or among providers--is crucial in detecting and 
responding to naturally occurring or intentional disease outbreaks. 

Because of the dynamic and unpredictable nature of public health 
emergencies, various types of IT systems may be used during the course 
of an event. These include: 

* surveillance systems, which facilitate the performance of ongoing 
collection, analysis, and interpretation of disease-related and 
environmental data so that responders and decision makers can plan, 
implement, and evaluate public health actions (these systems include 
devices to collect and identify biological agents from environmental 
samples, and they make use of IT to record and transmit data); and: 

* communications systems, which facilitate the secure and timely 
exchange of information to the relevant responders and decision makers 
so that appropriate action can be taken. 

Other types of IT may also be used, such as diagnostic systems, which 
identify particular pathogens and those that include data from food, 
water, and animal testing, but such systems are not among the major 
federal public health IT initiatives. 

State and Local Roles in Surveillance and Communications: 

Although state health departments have primary responsibility for 
disease surveillance in the United States, total responsibility for 
surveillance is shared among health care providers: more than 3,000 
local county, city, and tribal health departments; 59 state and 
territorial health departments; more than 180,000 public and private 
laboratories; and public health officials from multiple federal 
agencies. In addition, the United States is a member of the World 
Health Organization, which is responsible for coordinating 
international disease surveillance and response actions. 

While health care providers are responsible for the medical diagnosis 
and treatment of their individual patients, they also have a 
responsibility to protect public health--a responsibility that includes 
helping to identify and prevent the spread of infectious diseases. 
Because health care providers are typically the first health officials 
to encounter cases of infectious diseases--and have the opportunity to 
diagnose them--these professionals play an important role in disease 
surveillance. Generally, state laws or regulations require health care 
providers to report confirmed or suspected cases of notifiable 
diseases[Footnote 11] to their state or local health department. States 
publish lists of the diseases they consider notifiable and therefore 
subject to reporting requirements. According to the Institute of 
Medicine, most states also require health care providers to report any 
unusual illnesses or deaths, especially those for which a cause cannot 
be readily established. However, according to CDC, despite state laws 
requiring the reporting of notifiable diseases, a significant 
proportion of these cases are not reported, which is a major challenge 
in public health surveillance. 

Health care providers rely on a variety of public and private 
laboratories to help them diagnose cases of notifiable diseases. In 
some cases, only laboratory results can definitively identify 
pathogens.[Footnote 12] Every state has at least one public health 
laboratory to support its infectious diseases surveillance activities 
and other public health programs. State laboratories conduct testing 
for routine surveillance or as part of clinical or epidemiologic 
studies. For rare or unusual pathogens, these laboratories provide 
diagnostic tests that are not always available in commercial 
laboratories. State public health laboratories also provide specialized 
testing for low-incidence but high-risk diseases such as tuberculosis 
and botulism. Results from state public health laboratories are used by 
epidemiologists to document trends and identify events that may 
indicate an emerging problem. Upon diagnosing a case involving a 
notifiable disease, local health care providers are required to send 
the reports to state health departments through state and local disease-
reporting systems, which range from paper-based reporting to secure, 
Internet-based systems.[Footnote 13]

States, through their state and local health departments, have 
principal responsibility for protecting the public's health and 
therefore take the lead in conducting disease surveillance and 
supporting response efforts. Generally, local health departments are 
responsible for conducting initial investigations into reports of 
infectious diseases, employing epidemiologists, physicians, nurses, and 
other professionals. Local health departments are also responsible for 
sharing information that they obtain from providers or other sources 
with the state department of health. State health departments are 
responsible for collecting surveillance information statewide, 
coordinating investigations and response activities, and voluntarily 
sharing surveillance data with CDC and others. States vary in their 
requirements governing who should report notifiable diseases; in 
addition, the deadlines for reporting these diseases after they have 
been diagnosed vary by disease. State health officials conduct their 
own analyses of disease data to verify cases, monitor the incidence of 
diseases, and identify possible outbreaks. 

In reporting their notifiable disease data to CDC, states use multiple 
and sometimes duplicative systems. States are not legally required to 
report information on notifiable diseases to CDC, but CDC officials 
explained that the agency makes such reporting from the states a 
prerequisite for receiving certain types of CDC funding. 

Federal Role in Surveillance and Communications: 

Generally, the federal government's role in disease surveillance is to 
collect and analyze national disease surveillance data and maintain 
disease surveillance systems. Federal agencies investigate the causes 
of infectious diseases and maintain their own laboratory facilities. 
They also use communications systems to share disease surveillance 
information. In addition, federal agencies provide funding and 
technical expertise to support disease surveillance at the state, 
local, and international levels. 

Federal agencies such as CDC, the Food and Drug Administration, and DOD 
conduct disease surveillance using systems that gather data from 
various locations throughout the country to monitor the incidence of 
infectious diseases. In addition to using surveillance systems to 
collect and analyze notifiable disease data reported by states, federal 
agencies use other surveillance systems to collect data on different 
diseases or from other sources (e.g., international sources). These 
systems supplement the state data on notifiable diseases by monitoring 
surveillance information that states do not collect. 

In general, surveillance systems are distinguished from one another by 
the types of infectious diseases or syndromes they monitor and the 
sources from which they collect data. Some disease surveillance systems 
rely on groups of selected health care providers who have agreed to 
routinely supply information from clinical settings on targeted 
diseases. A relatively new type of surveillance system, known as a 
syndromic surveillance system, monitors the frequency and distribution 
of health-related symptoms--or syndromes--among people within a 
specific geographic area. These syndromic surveillance systems are 
designed to detect anomalous increases in certain syndromes, such as 
skin rashes, that may indicate the beginning of an infectious disease 
outbreak. Some monitor data from hospital and emergency room admissions 
or data from over-the-counter drug sales. Other data sources may 
include poison control centers, health plan medical records, first-aid 
stations, emergency medical service data, insurer claims, and discharge 
diagnosis information. For syndromic data to be analyzed effectively, 
information must be timely, and the analysis must take into account the 
context of the locality from which the data were generated. 

Because syndromic surveillance systems monitor symptoms and other signs 
of disease outbreaks instead of waiting for clinically confirmed 
reports or diagnoses of a disease, some experts believe that syndromic 
surveillance systems could help public health officials increase the 
speed with which they may identify outbreaks. However, as we reported 
last September, syndromic surveillance systems are relatively costly to 
maintain compared with other types of disease surveillance and are 
still largely untested.[Footnote 14]

Major CDC and DHS Public Health IT Initiatives: 

Two federal agencies are involved in major public health IT initiatives 
that focus on disease surveillance and communications. 

* CDC, one of HHS's divisions, has primary responsibility for 
conducting national disease surveillance[Footnote 15] and developing 
epidemiological and laboratory tools to enhance surveillance of 
disease, including public health emergencies. It also provides an array 
of technical and financial support for state infectious disease 
surveillance. 

* DHS's mission involves, among other things, protecting the United 
States against terrorist attacks, including bioterrorism. Its Science 
and Technology (S&T) Directorate serves as the department's primary 
research and development arm. Its focus is on catastrophic terrorism-- 
threats to the security of the United States that could result in large-
scale loss of life and major economic impact. S&T's work is designed to 
counter those threats, both by improvements to current technological 
capabilities and development of new ones. 

(Other federal agencies' roles in public health are described in app. 
II.)

CDC's major IT initiative, known as PHIN, is a national initiative to 
implement a multiorganizational business and technical architecture for 
public health information systems. After the 2001 anthrax incidents, 
CDC was mandated to increase national preparedness and capabilities to 
respond to naturally occurring diseases and conditions and the 
deliberate use of all threats, including biological, chemical, and 
radiological agents. CDC sees PHIN as an essential part of its strategy 
to achieve this mandate. 

According to CDC, the PHIN architecture: 

* defines and documents the systems needed to support public health 
professionals;

* identifies the industry standards that are necessary to make these 
systems work together;

* develops the specifications necessary to make these standards do the 
work of public health;

* defines integration points for systems to work together to meet the 
broad functional needs;

* establishes tools and components that support standards-based 
systems; and: 

* supports the certification process necessary to establish 
interoperability. 

To help achieve its goals, PHIN is also intended to integrate and 
coordinate existing systems, and CDC makes PHIN software available for 
optional use by state and local public health agencies. 

PHIN has substantial size and scope, because it is intended to serve as 
a comprehensive architecture, information exchange network, and set of 
services that will integrate existing capabilities and advance the ways 
in which IT can support public health. It is intended to improve public 
health systems and networks and to provide a means for exchanging data 
with other federal agencies, state and local government agencies, the 
private health care sector, and others. 

As part of PHIN, CDC has established the PHIN Preparedness initiative, 
which it describes as striving to accelerate the pace at which 
jurisdictions acquire or acquire access to public health preparedness 
systems. This initiative focuses on the near-term aspects of PHIN. 
According to CDC, the agency and its public health partners have 
identified a set of functional requirements defining the core 
capabilities for preparedness systems; these are categorized into six 
broad functional areas: 

* Early event detection: The early identification of bioterrorism and 
naturally occurring health events in communities. 

* Outbreak management: The capture and management of information 
associated with the investigation and containment of a disease outbreak 
or public health emergency. 

* Connection of laboratory systems: The development and adoption of 
common specifications and processes to enable public health 
laboratories to electronically exchange information with public health 
agencies. 

* Countermeasure and response administration: The management and 
tracking of measures taken to contain an outbreak or event and to 
provide protection against a possible outbreak or event. 

* Partner communications and alerting: The development of a nationwide 
network of integrated communications systems capable of rapid 
distribution of health alerts and secure communications among public 
health professionals involved in an outbreak or event. 

* Cross-functional components: Technical capabilities, or components, 
common across functional areas that are necessary to fully support PHIN 
Preparedness requirements. 

CDC officials stated that by September 2005, the agency will expect 
states to meet PHIN Preparedness requirements in these areas as a 
condition for receiving public health preparedness funding; CDC expects 
that this condition on funding will promote a wider adoption of PHIN 
standards. 

Table 1 presents communications and surveillance applications that are 
part of the PHIN initiative (some of which are significant system 
development efforts in themselves), along with the PHIN Preparedness 
functional areas that they support. 

Table 1: PHIN Applications Reviewed: 

Communications: 

Application[A]: Epidemic Information Exchange (Epi-X); 
PHIN Preparedness functional area: Partner communications and alerting; 
Description: A secure, Web-based communications system through which 
public health professionals share information relevant to public health 
emergencies. 

Application[A]: Health Alerting; 
PHIN Preparedness functional area: Partner communications and alerting; 
Description: A service that broadcasts e-mails of emergency 
notifications from CDC to state health officers, epidemiologists, lab 
directors, etc. 

Surveillance: 

Application[A]: BioSense; 
PHIN Preparedness functional area: Early event detection; 
Description: A Web-based application that provides access to health-
related data to enhance early event detection of naturally occurring 
events and possible bioterrorist attacks. It is intended to enhance 
early detection by including syndromic surveillance and diagnostic 
data. 

Application[A]: National Electronic Disease Surveillance System (NEDSS) 
Base System; 
PHIN Preparedness functional area: Early event detection; 
Description: A surveillance system that supports the electronic 
processes involved in notifiable disease surveillance and analysis, 
replacing the functionality supported by the current legacy system 
(National Electronic Telecommunications System for Surveillance). It is 
expected to provide the platform upon which state and program area 
needs, data collection, and processing can be built, including the 
development of modules that can be used for data entry and management 
of disease surveillance data. 

Application[A]: National Environmental Public Health Tracking Network 
(NEPHTN); 
PHIN Preparedness functional area: --; 
Description: An interoperable standards-based network planned to 
integrate three components: hazard monitoring, exposure surveillance, 
and health effects surveillance. This system is being designed to 
identify potential relationships between exposure and health conditions 
that either indicate the need for additional research or require 
intervention to prevent disease, disability, and injury. Data from 
NEPHTN will be available for public health policy analysis. 

Other: 

Application[A]: LRN Results Messaging; 
PHIN Preparedness functional area: Connection of laboratory systems; 
Description: An application supporting the exchange of laboratory test 
results from the Laboratory Response Network (LRN) laboratories to 
public health departments and to CDC, with current use in support of 
the BioWatch program of air sampling in many U.S. metropolitan areas. 

Application[A]: Outbreak Management System; 
PHIN Preparedness functional area: Outbreak management; 
Description: An application that runs on a laptop, a local area 
network, and in synchrony with a central repository for the collection, 
management, and analysis of data during investigations of disease 
outbreaks. It provides response teams with a standardized data 
management tool. 

Application[A]: PHIN Messaging System[B]; 
PHIN Preparedness functional area: Cross-functional components; 
Description: A generic, standards- based message transport system that 
is platform-independent and uses the Electronic Business Extensible 
Markup Language (ebXML) infrastructure to securely transmit public 
health information over the Internet. 

Source: CDC. 

[A] PHIN also includes other components that we did not review, such as 
PHIN Directory and PHIN Vocabulary Services, because our review was 
focused on communications and surveillance systems. 

[B] Although the PHIN Messaging System is not an application per se, it 
is an important data exchange component for PHIN applications. 

[End of table]

Many of these applications are associated with larger initiatives that 
predated PHIN (see table 2), which are now incorporated under the PHIN 
umbrella. For example, the origins of NEDSS date to 1995, when CDC co- 
authored a report that documented the problems of fragmentation and 
incompatibility in the nation's disease surveillance systems.[Footnote 
16] The recommendations in this report led CDC to develop the NEDSS 
initiative, which was begun in October 1999 and incorporated into PHIN 
in 2002. 

Table 2: Initiatives under PHIN: 

Initiative: BioSense; 
PHIN Preparedness functional area: Early event detection; 
Description: An initiative supporting early event detection that uses 
an approach to public health surveillance based on the secondary use of 
health care and health-related data. 

Initiative: Health Alert Network (HAN); 
PHIN Preparedness functional area: Partner communications and alerting; 
Description: An initiative to ensure that state and local health 
departments have rapid and timely access to emerging health information 
through providing grants to develop connectivity and alerting 
capabilities. 

Initiative: National Electronic Disease Surveillance System (NEDSS); 
PHIN Preparedness functional area: Early event detection; 
Description: An initiative to implement a national surveillance 
architecture using data and information system standards. This 
architecture is to advance the development of efficient, integrated, 
and interoperable surveillance systems at federal, state, and local 
levels. 

Initiative: National Environmental Public Health Tracking Network 
(NEPHTN); 
PHIN Preparedness functional area: --; 
Description: A collaborative effort between CDC and the Environmental 
Protection Agency to develop a national environmental public health 
tracking network that will allow direct electronic data reporting of 
health effects, exposure, and hazard data. 

Source: CDC. 

[End of table]

As part of its mission to protect the nation against terrorist attacks 
(including possible bioterrorism), DHS is also pursuing major public 
health IT initiatives. These initiatives and associated programs, which 
are primarily focused on signal interpretation and biosurveillance, are 
described in table 3. 

Table 3: DHS Biosurveillance IT Initiatives: 

Initiative: Biological Warning and Incident Characterization System 
(BWICS); 
Description: A system that is expected to integrate data from 
environmental monitoring and health surveillance systems with incident 
characterization tools[A] in order to provide timely warning of a 
biological attack and to help guide an effective response. BWICS is 
also expected to provide secure distribution of information to 
different types of users. 

Initiative: BioNet; 
Description: A cooperative program between DHS's S&T Directorate and 
DOD (established as a demonstration project in May 2004) that is 
expected to integrate civilian and military capabilities at the local 
level for detecting and responding to the use of biological agents. The 
BioNet initiative is being developed in one city. It includes the use 
of a syndromic surveillance system known as the Electronic Surveillance 
System for the Early Notification of Community-based Epidemics 
(ESSENCE).[B] DHS plans now call for BioNet to be terminated in fiscal 
year 2005 with lessons learned, tools, and capabilities transferred to 
the BWICS initiative. 

Initiative: BioWatch; 
Description: An early-warning environmental monitoring system that 
collects air samples from high-threat cities in order to detect trace 
amounts of biological materials. BioWatch consists of three IT 
components: a sample management tracking system, a lab analysis 
tracking system, and an electronic reporting system. BioWatch labs use 
the reporting system to send data to CDC, who then sends a monthly 
report of negative results to DHS. 

Initiative: BioWatch Signal Interpretation and Integration Program 
(BWSIIP); 
Description: A surveillance program pilot that is intended to evaluate 
public data feeds for their usefulness in biomonitoring signal 
interpretation to provide BioWatch metropolitan areas, in the event of 
a signal detection, with the ongoing collection and analysis of 
appropriate medical information (with personally identifying 
information removed) that would support rapid interpretation of the 
signal and integration into consequence management operations. Once 
BWSIIP is deployed as part of BWICS, plans call for local public health 
agencies to use locally existing or publicly available biosurveillance 
tools provided by DHS, such as ESSENCE, or the Real-time Outbreak and 
Disease Surveillance (RODS) software.[C]. 

Initiative: National Biosurveillance Integration System; 
Description: An effort at the federal level to combine multiple data 
streams from sector-specific agencies--those with medical, 
environmental, agricultural, and intelligence data--to give DHS 
situational awareness that is expected to allow earlier detection of 
events and to assist in response actions. 

Source: DHS. 

[A] Incident characterization tools are designed to integrate 
information from surveillance, environmental monitoring, plume hazard 
predictions, epidemiological forecasts, and population and critical 
infrastructure databases. 

[B] ESSENCE is a syndromic surveillance software package available 
through free licensing agreements with the Johns Hopkins University 
Applied Physics Lab. The software is available to federal, state, and 
local health organizations that wish to deploy a Web-based syndromic 
surveillance system using their own data. DOD uses the system 
worldwide. The Department of Veterans Affairs and about 26 states and 
localities are implementing ESSENCE. 

[C] RODS, developed by the University of Pittsburgh, is a syndromic 
surveillance system used by several states that collects data from 
hospital emergency room visits. This system identifies patients' chief 
medical complaints, classifies the complaints according to syndrome, 
and aggregates those data in order to look for anomalous increases in 
certain syndromes that may reveal an infectious disease outbreak. 

[End of table]

Figure 1 illustrates a simplified flow of existing surveillance 
information and health alerts among local, state, and federal agencies. 
This diagram does not show all flows of information that would occur in 
the case of an outbreak. For example, local health agencies may send 
alerts to health care providers. 

Figure 1: Simplified Information Flow among Local, State, and Federal 
Agencies for Surveillance Data and Health Alerts/Communications: 

[See PDF for image]

Note: The CDC systems listed provide information to health 
professionals and others by various means, such as the Internet for 
BioSense and Epi-X. 

[A] Only selected labs participate in the BioWatch program or provide 
data to BioSense. 

[B] Currently, state and local health departments submit information on 
nationally notifiable diseases to CDC using multiple systems. Once 
fully implemented, NEDSS will replace some of those reporting systems. 
Note that NEDSS or other disease-reporting systems are also implemented 
at the state level. 

[C] Although BioWatch is a DHS initiative, CDC receives the lab results 
data. Positive results are sent to the DHS Homeland Security Operations 
Center, as well as to the Joint Terrorism Task Force and Federal Bureau 
of Investigation. 

[End of figure]

According to CDC, costs for its PHIN initiatives and applications for 
fiscal years 2002 through 2005, totaling almost $362 million, are 
summarized in table 4. Most of these costs support local, state, and 
federal public health activities. 

Table 4: Reported Costs for PHIN-Related Initiatives and Applications 
for Fiscal Years 2002-2005: 

Dollars in millions. 

Communications: 

Epi-X application; 
FY 2002 actual: $2.1; 
FY 2003 actual: $1.4; 
FY 2004 actual: $0.9; 
FY 2005 budget: $0.9; 
Total: $5.3. 

Health Alert Network initiative; 
FY 2002 actual: $21.0; 
FY 2003 actual: $21.0; 
FY 2004 actual: $23.0; 
FY 2005 budget: $23.0; 
Total: $88.0. 

Health Alerting application; 
FY 2002 actual: $0.5; 
FY 2003 actual: $0.5; 
FY 2004 actual: $0.5; 
FY 2005 budget: $0.5; 
Total: $2.0. 

Grants for state and local agencies; 
FY 2002 actual: $20.5; 
FY 2003 actual: $20.5; 
FY 2004 actual: $22.5; 
FY 2005 budget: $22.5; 
Total: $86.0. 

Surveillance: 

BioSense initiative; 
FY 2002 actual: $0; 
FY 2003 actual: $6.0; 
FY 2004 actual: $17.8; 
FY 2005 budget: $50.8; 
Total: $74.6. 

BioSense application; 
FY 2002 actual: $0; 
FY 2003 actual: $6.0; 
FY 2004 actual: $5.3; 
FY 2005 budget: $3.0; 
Total: $14.3. 

Other BioSense costs[A]; 
FY 2002 actual: $0; 
FY 2003 actual: $0; 
FY 2004 actual: $12.5; 
FY 2005 budget: $47.8; 
Total: $60.3. 

NEDSS initiative; 
FY 2002 actual: $27.0; 
FY 2003 actual: $27.1; 
FY 2004 actual: $24.7; 
FY 2005 budget: $24.7; 
Total: $103.5. 

NEDSS Base System[B]; 
FY 2002 actual: $14.0; 
FY 2003 actual: $15.2; 
FY 2004 actual: $13.8; 
FY 2005 budget: $15.0; 
Total: $58.0. 

Grants for state and local agencies; 
FY 2002 actual: $13.0; 
FY 2003 actual: $11.9; 
FY 2004 actual: $10.9; 
FY 2005 budget: $9.7; 
Total: $45.5. 

National Environmental Public Health Tracking Network (NEPHTN) 
initiative; 
FY 2002 actual: $0; 
FY 2003 actual: $20.5; 
FY 2004 actual: $19.9; 
FY 2005 budget: $19.2; 
Total: $59.6. 

NEPHTN application; 
FY 2002 actual: $0; 
FY 2003 actual: $2.0; 
FY 2004 actual: $2.2; 
FY 2005 budget: $3.0; 
Total: $7.2. 

Grants for state and local agencies; 
FY 2002 actual: $0; 
FY 2003 actual: $18.5; 
FY 2004 actual: $17.7; 
FY 2005 budget: $16.2; 
Total: $52.4. 

Other: 

PHIN supporting costs[C]; 
FY 2002 actual: $0; 
FY 2003 actual: $0; 
FY 2004 actual: $9.1; 
FY 2005 budget: $8.9; 
Total: $18.0. 

LRN Results Messenger application; 
FY 2002 actual: $0; 
FY 2003 actual: $0; 
FY 2004 actual: $0.7; 
FY 2005 budget: $0.7; 
Total: $1.4. 

Outbreak Management System; 
FY 2002 actual: $0; 
FY 2003 actual: $3.1; 
FY 2004 actual: $3.1; 
FY 2005 budget: $3.2; 
Total: $9.4. 

PHIN Messaging System; 
FY 2002 actual: $0; 
FY 2003 actual: $in NEDSS; 
FY 2004 actual: $0.9; 
FY 2005 budget: $1.1; 
Total: $2.0. 

Subtotal for PHIN applications; 
FY 2002 actual: $16.6; 
FY 2003 actual: $28.2; 
FY 2004 actual: $27.4; 
FY 2005 budget: $27.4; 
Total: $99.6. 

Total PHIN-related initiatives and applications; 
FY 2002 actual: $50.1; 
FY 2003 actual: $79.1; 
FY 2004 actual: $100.1; 
FY 2005 budget: $132.5; 
Total: $361.8. 

Source: CDC. 

[A] Consist of remaining BioSense costs, including data acquisition, 
algorithm development, biointelligence center, etc. 

[B] Includes development cost for the program area modules. 

[C] Among other things, includes the development of requirements, 
standards, and specifications, as well as the certification and 
communications programs. 

[End of table]

According to DHS, IT costs for its biosurveillance initiatives for 
fiscal years 2003 through 2005 total about $45 million; these are 
summarized in table 5. This table does not reflect the total costs for 
the programs supporting these IT initiatives. 

Table 5: Reported IT Costs for DHS Biosurveillance IT Initiatives, 
Fiscal Year 2003-2005: 

Dollars in millions. 

Biological Warning and Incident Characterization System; 
FY 2003 actual: $0; 
FY 2004 actual: $3.5; 
FY 2005 budget: $10.0; 
Total: $13.5. 

BioNet[A]; 
FY 2003 actual: $5.6; 
FY 2004 actual: $0; 
FY 2005 budget: $0; 
Total: $5.6. 

BioWatch; 
FY 2003 actual: $1.0; 
FY 2004 actual: $.5; 
FY 2005 budget: $3.8; 
Total: $5.3. 

BioWatch Signal Interpretation and Integration Program; 
FY 2003 actual: $0; 
FY 2004 actual: $7.3; 
FY 2005 budget: $0; 
Total: $7.3. 

National Biosurveillance Integration System; 
FY 2003 actual: $0; 
FY 2004 actual: $2.0; 
FY 2005 budget: $11.0; 
Total: $13.0. 

Total; 
FY 2003 actual: $6.6; 
FY 2004 actual: $13.3; 
FY 2005 budget: $24.8; 
Total: $44.7. 

Source: DHS. 

[A] Although DHS funds BioNet, the Department of Defense's Defense 
Threat Reduction Agency is the project lead and responsible for 
managing the day-to-day operations of the project. This fiscal year, 
BioNet lessons learned, tools, and capabilities are to be incorporated 
into the BWICS initiative, after which DHS funding for BioNet is not 
expected to continue. 

[End of table]

Progress Made in Federal Public Health IT Applications, But More Work 
Remains: 

CDC and DHS have made progress on federal public health IT initiatives, 
including CDC's PHIN initiative, which is intended to provide the 
nation with integrated public health information systems to counter 
national civilian public health threats, and two major initiatives at 
DHS--primarily focused on signal interpretation and biosurveillance-- 
one of which is associated with three other programs. However, while 
progress has been made, more work remains, particularly in surveillance 
and data exchange. PHIN communications systems are being used, and 
improvements to surveillance systems (disease, syndromic, and 
environmental monitoring) are still being developed. Other PHIN 
applications are available for optional use by state and local public 
health officials, but they are not widely used because of system 
limitations. DHS's two major biosurveillance IT initiatives are still 
in the development stage, and one of the associated programs--BioWatch-
-is operational. However, as initially deployed, BioWatch required 
modification, because its three IT components did not communicate with 
each other, requiring redundant data entry. According to DHS, it has 
developed a solution to this interoperability problem and implemented 
it at two locations; DHS plans to install that solution in the 
remaining BioWatch locations. 

Projects under CDC's Public Health Information Network Are in Various 
Stages of Implementation: 

Table 6 briefly describes the status of CDC's PHIN applications, 
including operational status, number of installations or users, and 
future plans. Of the various PHIN applications, one is still in the 
planning process, two are partially operational, and five are 
operational. 

Table 6: Status of Selected CDC PHIN Applications as of March 1, 2005: 

Communications: 

Applications: Epidemic Information Exchange; 
Status: Operational; 
Users[A]: 3,260 state, local, federal, and international health 
officials; 
Future plans: Upgrade for PHIN compliance; Improve usability per user 
requests. 

Applications: Health Alerting; 
Status: Operational; 
Users[A]: 66 states, metro areas, territories; 
Future plans: Maintain application as is. 

Surveillance: 

Applications: BioSense; 
Status: Operational; 
Users[A]: 50 states, 30 metro areas; 
Future plans: Continue to expand current functionality; Add new 
algorithms and data sources. 

Applications: NEDSS Base System; 
Status: Partially operational[B]; 
Users[A]: 10 states; 
Future plans: Continue to expand current functionality; Improve 
usability per user requests; Upgrade operating environment; Continue 
development of program area modules. 

Applications: National Environmental Public Health Tracking Network; 
Status: Planning; 
Users[A]: Not applicable; 
Future plans: Continue state pilot projects; Plan for network 
development based on pilots. 

Other: 

Applications: LRN Results Messenger; 
Status: Partially operational; 
Users[A]: 95% of BioWatch labs; 
Future plans: Continue to expand current functionality; Improve 
usability per user requests; Support proficiency testing; Expand usage 
to all CDC-funded LRN laboratories. 

Applications: Outbreak Management System; 
Status: Operational; 
Users[A]: CDC[C]; 
Future plans: Continue to expand current functionality; Improve 
usability per user requests; Add capacity for importing data. 

Applications: PHIN Messaging System; 
Status: Operational; 
Users[A]: 51 locations[D]; 
Future plans: Continue to expand current functionality; Respond to 
stakeholder requests to improve usability. 

Source: GAO analysis of CDC data. 

[A] Users include either the number of individuals with access to the 
system or the number of locations that have installed the software; 
while there are federal users, not all are listed in this table. 

[B] Partially operational means that the system is functional and being 
used but not deployed to all installation sites. 

[C] Not used by users outside CDC, although once used externally for a 
small, disease-specific outbreak at a state prison. 

[D] Includes usage for 10 NEDSS Base System states, many labs in the 
Laboratory Response Network, 5 hospitals in the National Healthcare 
Safety Network, 3 state health departments for intrastate messaging, 9 
hospitals and labs for lab messaging, and 2 BioSense data providers. 

[End of table]

Figure 2 shows the time frames for the planning, development, and 
implementation of the PHIN applications; these applications vary 
considerably both in complexity and in time needed to complete 
implementation. 

Figure 2: Estimated Time Lines of PHIN Applications: 

[See PDF for image]

[A] The NEDSS Base System includes the development of program area 
modules. 

[B] Planning means preparing to design the system or application. 

[C] Development means the acquisition or enhancement of the system or 
application. 

[D] Partially operational means that the system is functional and being 
used but not deployed to all installation sites. 

[E] Operational means that the system is fully deployed. 

[End of figure]

Two PHIN Communications Systems Are Fully Implemented and in Use: 

Health Alerting. The Health Alerting application, which is used to 
broadcast e-mail alerts to state and local public health officials 
about disease outbreaks, became operational in October 2000. This 
application provides full-time (24 hours a day, 7 days a week) Internet 
access and broadcast e-mail and fax capabilities. 

The Health Alerting application is part of the Health Alert Network 
initiative, which provides grant funding to states and local public 
health agencies for enhancement of their IT infrastructures. Using 
these funds, states and localities have either built their own Health 
Alert Networks or acquired commercial systems for alerting state and 
local officials. Some state Health Alert Networks use more 
sophisticated applications than the CDC Health Alerting application, 
providing various kinds of alerts based on user profiles and allowing 
document sharing. 

Epi-X. Epi-X, which is designed to be a secure, Web-based 
communications system through which public health professionals share 
information on public health emergencies, was implemented in December 
2000 and is being used by state and local public health officials. Epi- 
X includes multiple mechanisms for alerting; secure, moderated 
communications and discussion about disease outbreaks and other acute 
health events as they evolve; and a searchable report database. Most of 
the state and local health officials with whom we spoke were satisfied 
with the system. However, some officials questioned the need for both 
Health Alerting and Epi-X, since both applications have similar 
functionality and are used by some of the same public health officials. 
According to CDC, it is planning to create a common platform for use by 
both applications. 

Two of Three PHIN Surveillance Systems Are Not Yet Fully Operational: 

The National Electronic Disease Surveillance System (NEDSS). The NEDSS 
initiative promotes the use of data and information systems standards 
for the development of interoperable surveillance systems at federal, 
state, and local levels. It is intended to minimize the problems of 
fragmented, disease-specific surveillance systems; however, this goal 
is still years away from being achieved. 

A primary goal of NEDSS is the ongoing, automatic capture and analysis 
of data that are already available electronically. Its system 
architecture is designed to integrate and replace several current CDC 
surveillance systems, including the National Electronic 
Telecommunications System for Surveillance, the HIV/AIDS reporting 
system, and the systems for vaccine preventable diseases, tuberculosis, 
and other infectious diseases. In previous fiscal years, CDC funded 50 
states and 7 localities. These states and localities can use CDC's 
NEDSS Base System or build systems compatible with NEDSS/PHIN 
standards. The initiative includes an architecture to guide states and 
CDC as they build NEDSS-compatible systems, which can be either 
commercial or custom developed. The initiative is also intended to 
promote the use of data standards to advance the development of 
interoperable disease surveillance systems at federal, state, and local 
levels. 

Besides providing a secure, accurate, and efficient way to collect, 
process, and transmit data to CDC, the NEDSS Base System is intended to 
provide a platform upon which program area modules can be built to meet 
state and program area data needs. (Programs may be focused on specific 
diseases, populations, or other areas--such as smoking or obesity.) 
Program area modules are critical to eventually reducing the many 
program-specific surveillance systems that CDC currently maintains by 
consolidating the data collection of the various programmatic disease 
surveillance activities that are currently in place. 

Although CDC has been developing the NEDSS Base System since 2000, it 
is still only partially deployed. There are no clear milestones and 
plans for when the Base System will become fully deployed, although 
multiple versions of the Base System have been developed and deployed 
in several states. According to CDC, the NEDSS Base System has been 
deployed in 5 states since December 2004, and it expects implementation 
to continue with the 11 remaining states that are planning to use the 
Base System, but the implementation time frames will depend on when 
these states are ready to accept the system. Table 7 summarizes the 
status of NEDSS system implementation across the nation, which shows 
that about half of the states and localities have operational NEDSS 
systems. 

Table 7: Number of States and Localities with NEDSS Systems: 

Status: Planning or development; 
NEDSS Base System: 11; 
NEDSS-compatible system: 16; 
Total: 27. 

Status: Operational; 
NEDSS Base System: 10; 
NEDSS-compatible system: 20; 
Total: 30. 

Status: Total; 
NEDSS Base System: 21; 
NEDSS-compatible system: 36; 
Total: 57. 

Source: GAO analysis of CDC data. 

Note: Total includes 50 states and 7 localities. 

[End of table]

In addition, four NEDSS program area modules are being used, and six 
are in the process of being developed. Additional program area modules 
will be developed for other disease-specific areas in the coming years. 

BioSense. CDC's BioSense, which the agency describes as an early event 
detection system, is designed to provide near real-time event detection 
by using data (without patient names or medical numbers) from existing 
health-related databases. Although CDC began using BioSense data in 
late 2003, the BioSense application was implemented for state and local 
use in May 2004. BioSense is continuously being updated, and current 
plans for phase two of BioSense development call for enhancements to 
begin in May 2005. 

BioSense is a Web-based application that currently provides CDC and 
state and local users with the ability to view syndromic and 
prediagnostic data: specifically, Defense and Veterans Affairs 
ambulatory care data, BioWatch laboratory results, and national 
clinical labs data. Initially, CDC also provided data on sales of over- 
the-counter medication, but these were later discontinued. BioSense 
data are provided in the form of data reports displayed in various 
ways, rather than as raw data that can be input to analytical systems. 

Although CDC uses BioSense for a number of federal bioterrorism 
preparedness activities, BioSense is not extensively used by the state 
and local public health officials with whom we spoke, primarily because 
of limitations in the data and its presentation. These officials stated 
that the DOD and VA data were not useful to them,[Footnote 17] either 
because they were in locations without large military or veteran 
populations, or because they could get similar data elsewhere. For 
instance, many of these officials have access to local syndromic 
surveillance systems, which better fit their needs because the systems 
have better capabilities or because they provide data that are more 
timely than BioSense data. Some of these officials stated that they 
would prefer CDC to provide data for them to conduct their own 
analyses, especially data from national sources such as clinical 
laboratories, rather than displaying the data on the BioSense Web site. 
According to CDC officials, they will provide raw data to public health 
agencies upon request, have increased the number of data sets 
available, and have expanded the scope of user support by (1) 
increasing communications with state and local public health 
departments in the use of and response to daily surveillance data 
patterns, (2) monitoring data during special events (e.g., a 
presidential inauguration and sporting events) at state and local 
request, and (3) contracting with John Hopkins University for 
development of a standard operating procedure for monitoring and using 
early event detection. 

National Environmental Public Health Tracking Network (NEPHTN). 
Initiated in 2001, NEPHTN is still in the planning stage. CDC is 
planning to begin development of the network in 2006 and implementation 
of phase one in 2008. This initiative involves intra-and interagency 
collaboration among CDC and other federal agencies. CDC established a 
memorandum of understanding in 2003 with the Environmental Protection 
Agency (EPA) to coordinate activities relating to EPA's National 
Environmental Information Exchange Network and CDC's National 
Environmental Public Health Tracking Network. To date, three 
collaborative projects have been initiated: (1) a demonstration project 
in the Atlanta metropolitan area to test data linkage methods and 
utility of linked data; (2) a project to evaluate how different types 
of air quality characterization data can be used to link environmental 
and public health data; and (3) a project in New York to examine 
specific technical interoperability issues that would affect data 
exchange between EPA's and CDC's networks. 

As envisioned, NEPHTN will be a distributed, secure, Web-based network 
that will provide access to environmental and health data that are 
collected by a wide variety of agencies, such as individual state 
networks. Once established, it should also provide access to 
environmental, health, and linked environmental-health data from both 
centralized and decentralized data stores and repositories, 
implementing a common data vocabulary to support electronic data 
exchanges within states, and across state, regions, and nationally. 

Two Other PHIN Applications Are Not Widely Used, and One Is in Use but 
Considered Burdensome: 

Outbreak Management System. The Outbreak Management System is an 
application designed for case tracking during the investigation of 
disease outbreaks. Initially developed for use by CDC, the system is 
now available for use by state and local public health agencies. The 
project began as the Bioterrorism Field Response Application and was 
scoped to include only requirements related to bioterrorism response by 
CDC-deployed field teams. Since its inception in 2002, the scope has 
been broadened to include any epidemiologic investigation where 
standard data collection and data sharing would be advantageous. 
However, although the system is in use at CDC, none of the state and 
local public health officials with whom we spoke use the system--either 
because it cannot exchange data with other software applications, or 
because these agencies have their own capability for tracing cases of 
infectious diseases. According to CDC officials, the use of the 
Outbreak Management System is provided as an option for state and local 
public health agencies. Although only CDC and one state agency have 
used the application in support of outbreaks, four state agencies and 
one federal entity have evaluated the software for potential use and 
may implement it in the future. 

LRN Results Messenger. CDC's LRN Results Messenger utility is used by 
DHS's BioWatch initiative for transmitting data to CDC; however, it is 
burdensome to use, according to the BioWatch cities included in our 
review (BioWatch is discussed in more detail in the next section of 
this report). According to CDC, it anticipates releasing the next 
version of the LRN Results Messenger in September 2005, which should 
address the usability issues. 

PHIN Messaging System. The PHIN Messaging System is available for use, 
but only CDC and a few states and local public health agencies use it. 
As of March 1, 2005, 51 organizations used it, according to 
CDC.[Footnote 18] As yet, only BioWatch, the NEDSS Base System, and the 
Laboratory Response Network use PHIN Messaging; according to CDC, these 
are the major systems that support preparedness needs, and it is 
focusing on these systems first. 

Most DHS Biosurveillance IT Initiatives Are Still in Their Early 
Stages: 

DHS is also pursuing two major biosurveillance IT initiatives--the 
National Biosurveillance Integration System and the Biological Warning 
and Incident Characterization System (BWICS). The BWICS initiative, in 
addition, is associated with three other biosurveillance programs. Of 
these five, one is operational, but it has interoperability and other 
limitations, one is a demonstration project, and three are in 
development. All five were initially under the oversight of DHS's S&T 
Directorate; one is now the responsibility of the directorate for 
Information Analysis and Infrastructure Protection. Table 8 briefly 
describes the status and plans of DHS's biosurveillance IT initiatives 
for the current fiscal year. 

Table 8: Status of DHS Biosurveillance IT Initiatives: 

IT Initiative: Biological Warning and Incident Characterization System 
(BWICS); 
Status: Development; 
Users[A]: 2 pilot sites; 
Future plans: Deploy in phases to BioWatch cities. 

IT Initiative: BioNet; 
Status: Demonstration; 
Users[A]: 1 pilot site; 
Future plans: Complete pilot; Transfer lessons learned, tools, 
templates, and capabilities to BWICS. 

IT Initiative: BioWatch; 
Status: Operational; 
Users[A]: Over 30 metro areas; 
Future plans: Provide IT enhancements for top threat BioWatch 
jurisdictions; Plan for expansion to additional BioWatch jurisdictions. 

IT Initiative: BioWatch Signal Interpretation and Integration Project; 
Status: Development; 
Users[A]: BioWatch locations; 
Future plans: Complete pilot underway in one city; Transition to BWICS. 

IT Initiative: National Biosurveillance Integration System; 
Status: Development; 
Users[A]: Not applicable; 
Future plans: Implement systems integration. 

Source: DHS. 

[A] Users include either the number of individuals with access to the 
system or the number of locations that have installed the software. 

[End of table]

Most of DHS's biosurveillance IT initiatives are still being planned or 
developed. Figure 3 shows time lines for the five DHS IT initiatives. 

Figure 3: Estimated Time Lines of DHS Biosurveillance IT Initiatives: 

[See PDF for image]

[A] Planning means preparing to design the system or application. 

[B] Development means the acquisition or enhancement of the system or 
application. 

[C] Partially operational means that the system or application is 
functional and being used but not deployed to all installation sites. 

[D] Operational means that the system or application is fully deployed. 

[End of figure]

The one DHS surveillance initiative that is operational--BioWatch--is 
an environmental monitoring system that was developed and implemented 
within a 3-month period, according to DHS officials. DHS originally 
intended for local public health agencies to process and analyze all 
BioWatch data; however, at CDC's request, DHS agreed to share data with 
CDC for inclusion in BioSense. BioWatch consists of three IT 
components: 

* One component of BioWatch tracks the environmental samples as they 
are collected; it was developed by the Department of Energy's Los 
Alamos National Laboratory. 

* A second component performs sample testing and reports the results; 
this is a commercial product. 

* The third component, CDC's LRN Results Messenger, transmits the test 
results from the laboratory that processes the samples to CDC for 
analysis. 

As deployed, none of these three components could exchange data 
electronically, so that redundant, manual data entry has been required 
to transfer data among the three systems. State and local public health 
officials in BioWatch locations told us that they were dissatisfied 
with the deployment of BioWatch because of this need for repetitive 
data entry and because they were not involved in the system's planning 
and implementation. DHS hired a contractor to resolve BioWatch's 
interoperability problem, and DHS officials now report that they have 
begun implementing the resulting technical improvements in BioWatch 
laboratories. 

Additionally, EPA's Inspector General's Office recently reported that 
the agency did not provide adequate oversight of sampling operations 
for BioWatch to ensure that quality assurance guidance was adhered to, 
potentially affecting the quality of the samples taken; DHS officials 
state that this oversight issue has now been resolved.[Footnote 19]

In the broader context of environmental monitoring, questions exist 
about detection capabilities for environmental surveillance. As we 
reported in May 2003, real-time detection and measurement of biological 
agents in the environment is challenging because of the number of 
potential agents to be identified, the complex nature of the agents 
themselves, the countless number of similar micro-organisms that are a 
constant presence in the environment, and the minute quantities of 
pathogen that can initiate infection.[Footnote 20] In May 2004, the 
Department of Defense reported that the capability for real-time 
detection of biological agents is currently unavailable and is unlikely 
to be achieved in the near to medium term.[Footnote 21]

A second initiative, the BioWatch Signal Interpretation and Integration 
Program (BWSIIP), was established to respond to user needs regarding 
BioWatch. According to DHS, the initiative is intended to develop a 
system that will help BioWatch jurisdictions to better understand the 
public health or national security implications of a confirmed positive 
result for a biological agent from BioWatch, as well as to respond 
appropriately. BWSIIP is to be implemented by a consortium, initiated 
in 2004, that includes Carnegie Mellon University, the University of 
Pittsburgh, and the John Hopkins University Applied Physics Laboratory. 
The current BWSIIP pilot is scheduled for completion in fiscal year 
2006. After DHS transitions BWSIIP to the BWICS initiative, local 
public health agencies will use locally available applications or tools 
provided by DHS for that function. 

For the two remaining major biosurveillance IT initiatives, DHS is 
still developing requirements (lessons learned from its one 
demonstration project, BioNet, are being incorporated into BWICS). 

* BWICS, is to integrate data from environmental monitoring and health 
surveillance systems, and the pilot is expected to be completed in 
fiscal year 2006, according to DHS officials. DHS did not complete 
requirements development in the two pilot cities as scheduled, and it 
recently changed one of the original pilot cities, requiring a new 
start in requirements development in the new location. After the pilot, 
DHS is planning to expand BWICS beyond the two pilot cities to other 
BioWatch locations. 

* The National Biosurveillance Integration System is intended to 
connect the various federal surveillance systems to DHS's Homeland 
Security Operations Center. DHS S&T developed the system requirements 
and design and transferred the initiative to the Directorate for 
Information Analysis and Infrastructure Protection in December 2004 for 
implementation. 

Challenges Need to Be Overcome to Strengthen the Information Technology 
That Supports the Public Health Infrastructure: 

Despite federal, state, and local government efforts to strengthen the 
public health infrastructure and improve the nation's ability to 
detect, prevent, and respond to public health emergencies, important 
challenges continue to constrain progress. First, the national health 
care IT strategy and federal health architecture are still being 
developed; CDC and DHS will face challenges in integrating their public 
health IT initiatives into these ongoing efforts. Second, although 
federal efforts continue to promote the adoption of data standards, 
developing such standards and then implementing them are challenges for 
the health care community. Third, these initiatives involve the need to 
coordinate among federal, state, and local public health agencies, but 
establishing effective coordination among the large number of disparate 
agencies is a major undertaking. Finally, CDC and DHS face challenges 
in addressing specific weaknesses in IT planning and management that 
may hinder progress in developing and deploying public health IT 
initiatives. 

National Health IT Strategy and Architecture to Address Public Health 
Surveillance Are Still Being Developed: 

In May 2003, we recommended that the Secretary of HHS, in coordination 
with other key stakeholders, establish a national IT strategy for 
public health preparedness and response that should identify steps 
toward improving the nation's ability to use IT in support of the 
public health infrastructure. Among other things, we stated that HHS 
should set priorities for information systems, supporting technologies, 
and other IT initiatives. Since then, HHS appointed a National 
Coordinator for Health IT in May 2004 and issued a framework for 
strategic action in July 2004.[Footnote 22] This framework is a first 
step in the development of a national health IT strategy. Goal four of 
the framework is directed at improvements in public health and states 
that these improvements require the collection of timely, accurate, and 
detailed clinical information to allow for the evaluation of health 
care delivery and the reporting of critical findings to public health 
officials. Two of the strategies outlined by HHS are aimed at achieving 
this goal: (1) unifying public health surveillance architectures to 
allow for the exchange of information among health care organizations, 
organizations they contract with, and state and federal agencies and 
(2) streamlining quality and health status monitoring to allow for a 
more complete look at quality and other issues in real time and at the 
point of care. The framework for strategic action states that the key 
challenge in harmonizing surveillance architectures is to identify 
solutions that meet the reporting needs of each surveillance function, 
yet work in a single integrated, cost-effective architecture. 

Like the national health care IT strategy, the federal health 
architecture[Footnote 23] is still evolving, according to HHS officials 
in the Office of the National Coordinator for Health IT. Initially 
targeting standards for enabling interoperability, the federal health 
architecture is intended to provide a structure for bringing HHS's 
divisions and other federal agencies together. As part of achieving 
HHS's public health goal of unifying public health surveillance 
architectures, the federal health architecture program established a 
work group on public health surveillance that is responsible for 
recommending a target architecture related to disease surveillance to 
serve as the framework within the federal sector for developing and 
implementing public health surveillance systems. The newly formed work 
group, chaired by CDC and the Department of Veterans Affairs, met for 
the first time in December 2004. Because the new work group is so 
recently formed, plans are still being developed to address how CDC's 
PHIN initiative and DHS's IT initiatives will integrate with the 
national health IT strategy, such as plans to establish regional health 
information organizations.[Footnote 24]

In the absence of a completed strategy for public health surveillance 
efforts, state and local public health officials have raised concerns 
about duplication of effort across federal agencies. Some of the 
surveillance initiatives in our review address similar functionality 
and may duplicate ongoing efforts at other federal, state, and local 
agencies: for example, the use and development of syndromic 
surveillance systems. CDC is implementing BioSense at the national 
level, DHS is assisting local public health agencies in implementing 
local syndromic surveillance systems such as ESSENCE or RODS as part of 
its biosurveillance initiatives, and many state and local public health 
agencies have their own ongoing syndromic surveillance systems. As we 
have reported, syndromic surveillance systems are relatively costly to 
maintain compared with other types of disease surveillance and are 
still largely untested.[Footnote 25] According to HHS, with regard to 
BioSense, the agency is taking steps to mitigate costs and risk. 

State and local public health officials also expressed concern about 
the federal government's ability to conduct syndromic surveillance, 
because they see this type of surveillance as an inherently local 
function. Furthermore, last year the Council of State and Territorial 
Epidemiologists[Footnote 26] reported that while state health 
departments are given some guidance and leeway to use federal funding 
to enhance and develop their own disease surveillance activities, no 
focused mechanism has been established for states to share ideas and 
experiences with each other and with CDC to determine what has or has 
not worked, and what efforts are feasible and worth expanding. The 
Council recommended that to enhance bioterrorism-related surveillance 
objectives, HHS and CDC form a bioterrorism surveillance initiative 
steering committee to review current federal surveillance initiatives 
affecting state and local health departments; to review state-developed 
surveillance systems; and to recommend surveillance priorities for 
continuation of funding, further development, or implementation. HHS 
and CDC have taken steps to respond to these recommendations, but 
according to the Council, it is not yet satisfied that HHS and CDC have 
fully addressed its concerns. 

While HHS and other key federal agencies are organizing themselves to 
develop a strategy for public health surveillance and interoperability, 
decisions regarding development and implementation are being made now 
without the benefit of an accepted national health IT strategy that 
integrates public health surveillance-related initiatives. In the case 
of BioSense, these decisions affect the spending of about $50 million 
this fiscal year and an unknown amount in future years. Until a 
strategy and accompanying architecture are developed, major public 
health IT initiatives will continue to be developed without an overall, 
coordinated plan and are at risk of being duplicative, lacking 
interoperability, and exceeding cost and schedule estimates. 

Development and Adoption of Standards an Ongoing Critical Challenge for 
Health Care: 

In May 2003, we recommended that the Secretary of HHS, as part of his 
efforts to develop a national strategy, (1) define activities for 
ensuring that the various standards-setting organizations coordinate 
their work and reach further consensus on the definition and use of 
standards, (2) establish milestones for defining and implementing all 
standards, and (3) create a mechanism to monitor the implementation of 
standards throughout the health care industry. To support the 
compatibility, interoperability, and security of federal agencies' many 
planned and operational IT systems, the identification and 
implementation of data, communications, and security standards for 
health care delivery and public health are essential.[Footnote 27] As 
we testified in July 2004, HHS has made progress in identifying 
standards.[Footnote 28] While federal action to promote the adoption of 
these standards continues, the identification and implementation of 
these standards are an ongoing process. 

Despite progress in defining health care IT standards, several 
implementation challenges remain to be worked out, including the 
establishment of milestones. Currently, no formal mechanisms are in 
place to ensure coordination and consensus among these initiatives at 
the national level. HHS officials agree that leadership and direction 
are still needed to coordinate the various standards-setting 
initiatives and to ensure consistent implementation of standards for 
health care delivery and public health. Within the federal health 
architecture structure, the Consolidated Health Informatics initiative 
is focused on the adoption of data and communication standards to be 
used by federal agencies to achieve interoperability of IT within 
health IT initiatives. In March 2003, the Consolidated Health 
Informatics initiative announced the adoption of 5 standards, and in 
May 2004, it announced the adoption of another 15 standards. Some of 
these standards are included as PHIN standards.[Footnote 29]

As of March 1, 2005, CDC has adopted several industry standards and 
published specifications for PHIN; these standards are grouped by type 
in table 9. 

Table 9: Industry Standards Used by the Public Health Information 
Network: 

Standard type: Messaging; 
Standards: Health Level 7 (versions 2, 2.3.1, 2.4, 2.5, 3). 

Standard type: Vocabulary; 
Standards: Logical Observations Identifiers Names and Codes (LOINC); 
Systemized Nomenclature of Medicine (SNOMED)-
-Clinical Terms; 
Current Procedural Terminology; 
Medical Subject Headings; 
Multum Devices; 
Multum Drugs; 
North American Industry Classification System; 
Unified Medical Language System; 
International Classification of Disease, 9th edition, Clinical 
Modification. 

Standard type: Data model; 
Standards: Health Level 7 Reference Information Model. 

Standard type: Secure data transport; 
Standards: Electronic Business Extensible Markup Language; 
Extensible Markup Language (encryption and digital signature); 
HyperText Transfer Protocol, secure version. 

Standard type: Directory services; 
Standards: Lightweight Directory Access Protocol; 
Directory Service Markup Language. 

Standard type: Alerting; 
Standards: Common Alerting Protocol. 

Standard type: Security; 
Standards: X.509 Certificates. 

Source: CDC. 

[End of table]

CDC has also initiated a PHIN certification process for its partners 
(e.g., state and local public health agencies), which is intended to 
establish whether state and local systems can meet standards for the 
PHIN preparedness functional areas. In the future, CDC plans to require 
system owners to first perform self-assessment reviews to ensure that 
systems meet PHIN standards, followed by reviews by CDC certification 
teams to confirm PHIN compatibility. To be functionally compatible, 
systems must be capable of supporting the standards outlined for each 
PHIN functional area; accordingly, partners must demonstrate that their 
systems have this capability. 

In general, state and local public health officials consider the PHIN 
initiative to be a good framework for organizing the necessary 
standards for public health interoperability. Most of the state and 
local officials we spoke with agreed that CDC has done a commendable 
job of adopting and promoting standards for IT in selected programs. In 
addition, they agreed that CDC should continue to take a leadership 
role in pressing for industry standards and providing guidance to 
states and local entities. However, several officials stated that CDC 
should focus more of its attention on setting standards and less on 
developing software applications, which generally do not meet their 
needs and are not compatible with their specific IT environments. CDC 
officials say that it is important both to promote the use of industry 
standards and to develop software applications, especially for state 
and local public health agencies that have limited IT resources. 

Although federal efforts to promote the adoption of these standards 
continue, their identification and implementation are an ongoing 
process. Several implementation challenges remain, including 
coordination of the various efforts to ensure consensus on standards 
and establishment of milestones. Until these challenges are addressed, 
federal agencies will not be able to ensure that their systems can 
exchange data with other systems when needed. 

Coordination among Federal, State, and Local Public Health Agencies Is 
a Major Undertaking: 

In defining system requirements, federal agencies are challenged by the 
need to involve such key stakeholders as state and local public health 
agencies, which are expected to use these systems for reporting data to 
the federal government. For example, most participating local 
government agencies and state public health laboratories were told to 
implement the BioWatch initiative in their metropolitan areas and were 
given the procedures and software to use for sample management and data 
collection. According to some public health officials, BioWatch was 
implemented without a plan for how states and localities would respond 
to a positive test result, and they were left to develop a response 
plan after BioWatch had been deployed. One metropolitan area did not 
implement BioWatch for a year after it became operational, because 
officials did not have a response plan in place and did not want to be 
responsible for responding to a potential incident without a plan for 
handling positive test results. According to DHS officials, since local 
officials had received funds for emergency preparedness, it was their 
understanding that BioWatch locations had response plans in place; DHS 
officials have since developed a methodology to target funds for 
specific purposes, such as response plans. 

CDC has been challenged by the need to coordinate with a diverse range 
of state and local public health agencies. For example, CDC has found 
that it is difficult to implement "standard" systems that would address 
the full range of different needs and levels of IT resources available 
at the state level. HHS officials told us that the agency strives to 
address this challenge by developing applications that are based on 
industry standards. It also provides the standards and specifications 
to state and local agencies so that they can build or purchase their 
own systems that can conform to PHIN standards. Nonetheless, there was 
consensus among many of the state and local officials in our review 
that federal agencies did not obtain adequate input from state and 
local officials. A few state officials with whom we spoke said that CDC 
does not appropriately consider their need to comply with existing 
state IT architectures. In addition, in an informal e-mail survey, a 
small group of state chief information officers agreed that federal 
agencies do not take into consideration state IT architectures. 
According to the Council of State and Territorial Epidemiologists, no 
mechanism has yet been established for state and federal partners to 
collaboratively review initiatives developed over the past 3 years and 
plan for the future. Instead, the approach to system design and 
implementation remains top-down, mainly focused on expanding federally 
designed syndromic surveillance for early outbreak detection without 
critical review of its usefulness and cost and without systematic 
review of state-originated systems and needs. The result is that public 
health responders may not buy in to and use the federally designed 
systems, potentially constructive state-originated ideas may not get 
recognition and wider application, and national bioterrorism-related 
surveillance will be suboptimal. According to CDC, as part of its 
efforts to obtain state and local input, it hosts an annual PHIN 
conference and holds meetings with business partner organizations, such 
as a recent series of meetings on PHIN preparedness requirements with 
selected state and local officials. In addition, under CDC's new 
organizational structure, the new National Center for Public Health 
Informatics has a division for communications and collaboration with 
its partners. 

Further, CDC and DHS have coordinated with each other on specific 
projects, but that coordination has not been optimal, according to 
officials from both agencies. According to DHS officials, federal 
agencies are planning to meet within the next few months to discuss 
this issue. When asked about their experiences with coordination 
between CDC and DHS on public health IT initiatives, some of the state 
and local public health officials included in our review expressed 
concerns about coordination between the two agencies; one expressed 
confusion about their roles. 

Until CDC and DHS establish close coordination on federal public health 
IT, and state and local public health agencies are more actively 
involved in the definition and coordination of federal efforts, the 
effectiveness of the information systems intended to improve disease 
surveillance and communications may be inadequate. 

Rigorous Planning and Management of IT Initiatives Are Important to 
Building a Stronger Public Health Infrastructure: 

A challenge that both HHS and DHS face in implementing public health IT 
initiatives is ensuring their effective planning and management. This 
requires mature, repeatable systems development and acquisition 
processes to increase the likelihood that projects will be delivered on 
time and within budget. Key elements of information and technology 
management include (1) IT investment management and (2) systems 
development and acquisition management. To help federal agencies 
address these key elements, we and the Office of Management and Budget 
have developed guidance that provides a framework on the use of 
rigorous and disciplined processes for planning, managing, and 
controlling IT resources. We have previously reported on specific 
weaknesses at both HHS and DHS, including the lack of robust processes 
for IT investment management and immature systems development and 
acquisition practices.[Footnote 30] We made recommendations to HHS and 
DHS aimed at improving these practices. 

HHS and CDC have recently taken steps to improve their control over IT 
projects, which is an important aspect of IT investment management. 
Because PHIN and some of its initiatives (i.e., BioSense, NEDSS, the 
Health Alert Network, and NEPHTN) are considered major investments for 
fiscal year 2006, they required review by HHS. The HHS IT Investment 
Review Board conducted budgetary reviews for these applications in June 
2004 and recommended that the projects move forward as major IT 
investments; however, there is no documentation that additional HHS 
reviews were conducted on PHIN and its major applications until this 
past February, when HHS began implementing procedures for better 
monitoring of system development projects. In January 2004, CDC 
announced its intention to provide greater executive level oversight of 
IT investments, but it had been reorganizing and did not begin 
conducting control reviews for major PHIN investments until recently. 
In May 2004, CDC announced its new center for public health informatics 
to better coordinate IT projects; this center was formally recognized 
as operational as of mid-April 2005 when Congress approved CDC's 
reorganization. Until CDC and HHS management provides a systematic 
method for IT investment reviews, they will have difficulty minimizing 
risks while maximizing returns on these critical public health 
investments. 

Regarding CDC's systems development and acquisition practices, we 
observed weaknesses in project management that may hinder progress 
toward achieving PHIN objectives. For some of the projects in this 
review, we received limited documentation of project managers' tracking 
actual dates against baseline schedules, and it appeared that a number 
of projects had missed internal schedule dates. In November 2004, CDC 
started requiring project managers to provide status reports to its 
program management activity office on a biweekly basis. These reports 
are now required for five of the systems in our review. CDC officials 
acknowledged that project dates had to be rebaselined; after the 
rebaselining, CDC officials stated that their projects met official 
release dates. 

Early last year, CDC recognized the need for more direct executive 
involvement in IT governance and management. This fiscal year, CDC 
began implementing a project management office to oversee public health 
informatics projects. Establishing this office and institutionalizing 
its processes while managing new and ongoing IT projects will be a 
challenge. The new office has initiated new processes to manage project 
interdependencies, document and track milestones for projects, and 
formalize project change requests. For example, the office is beginning 
to track projects biweekly--asking project managers to report on 
upcoming milestones, their confidence that those milestones will be 
met, issues for executive attention, staffing problems, and other 
potential problems. CDC is also implementing a process to standardize 
project management across the agency. This process is designed to 
incorporate, among other things, program and project management, 
capital planning, security certification and accreditation, and system 
development life-cycle processes. 

DHS has been operational for just over 2 years, and the department has 
made progress in establishing key information and technology 
disciplines. However, as we have reported, these disciplines are not 
yet fully established and operational. For example, DHS has established 
an IT investment management process, but this process is still 
maturing. DHS has also had problems consistently employing rigorous 
systems development and acquisition practices. DHS did not provide 
documentation of its oversight of its public health IT investments. 
According to DHS officials, they plan to submit a capital asset plan 
and business case for the BWICS initiative this year for review and 
approval by the DHS IT review board. However, until DHS follows through 
on its initial actions to address its management, programmatic, and 
partnering challenges, its IT investments remain at risk. 

Conclusions: 

The federal government has made progress on major public health IT 
initiatives, but significant work remains to be done. CDC's PHIN 
initiative includes applications at various stages of implementation; 
as a whole, however, it remains years away from fully achieving its 
planned improvement to the public health IT infrastructure. In 
addition, DHS's initiatives are still in such early stages that it is 
uncertain how they will improve public health preparedness. 

Federal agencies face many challenges in improving the public health 
infrastructure. CDC and DHS are pursuing related initiatives, but there 
is little integration among them, and until the national health IT 
strategy is completed, it is unknown how their integration will be 
addressed. Implementing health data standards across the health care 
community is still a work in progress, and until these standards are 
implemented, information sharing challenges will remain. In addition, 
state and local public health agencies report that their coordination 
with federal initiatives is often limited. Until state and local public 
health agencies are more actively involved in coordination with their 
federal counterparts, disease surveillance systems will remain 
fragmented and their effectiveness will be impeded. Finally, the 
development of robust practices for IT investment management and for 
systems development and acquisition is a continuing challenge for HHS 
and DHS, about which we have previously made recommendations. Until 
agencies address all these challenges, progress toward building a 
stronger public health infrastructure will be limited, as will the 
ability to share essential information concerning public health 
emergencies and bioterrorism. 

Recommendations for Executive Action: 

In order to improve the development and implementation of major public 
health IT initiatives, we recommend that the Secretary of Health and 
Human Services take the following two actions: 

* ensure that the federal initiatives are (1) aligned with the national 
health IT strategy, the federal health architecture, and ongoing public 
health IT initiatives and (2) coordinated with state and local public 
health initiatives and: 

* ensure federal actions to encourage the development, adoption, and 
implementation of health care data and communication standards across 
the health care industry to address interoperability challenges 
associated with the exchange of public health information. 

We also recommend that the Secretary of Homeland Security align 
existing and planned DHS IT initiatives with other ongoing public 
health IT initiatives at HHS, including adoption of data and 
communications standards. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report from the Acting 
Inspector General at HHS and Director of the Departmental GAO/OIG 
Liaison at DHS (these comments are reproduced in app. III and IV). HHS 
generally concurred with our recommendations, while DHS did not comment 
specifically on the recommendations. Both agencies provided additional 
contextual information and technical comments, which we have 
incorporated in this report as appropriate. We provided DOD officials 
with the opportunity to comment on a draft of this report, which they 
declined. 

Among its comments, HHS officials stated that this report does not 
adequately represent the department's accomplishments in implementing 
standards and specifications for health IT or the benefits of pursuing 
a standards-based approach. We concur with HHS on the importance of 
standards for health information technology and have been calling for 
federal leadership in expediting standards since 1993. Page 61 lists 
GAO reports on health IT, several of which address the benefits of 
standards and the need for a national health IT strategy. In response 
to HHS's comment that we suggest that early event detection is 
duplicative or irrelevant at the federal level, neither we nor the 
state and local public health officials suggest that early event 
detection at the federal level is irrelevant. Rather, we are reporting 
the concerns of state and local public health officials regarding the 
federal government's role, which merits further discussion and more 
involvement of state and local health officials. 

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
from the date of this letter. At that time, we will send copies of the 
report to other congressional committees. We will also send copies to 
the Secretaries of Health and Human Services, Homeland Security, 
Defense, and Energy. In addition, copies will be sent to the state and 
local public health agencies that were included in our review. Copies 
will also be made available at no charge on our Web site at [Hyperlink, 
http://www.gao.gov]. If you have any questions on matters discussed in 
this report, please contact me at 202-512-9286 or by e-mail at 
[Hyperlink, pownerd@gao.gov]. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix V. 

Signed by: 

David A. Powner: 
Director, Information Technology Management Issues: 

[End of section]

Appendixes: 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to: 

* assess the progress of major federal information technology (IT) 
initiatives designed to strengthen the effectiveness of the public 
health infrastructure and: 

* describe the key IT challenges facing federal agencies responsible 
for improving the public health infrastructure. 

To address these objectives, we conducted our work at Health and Human 
Services (HHS), Department of Homeland Security (DHS), and Department 
of Defense (DOD) offices in Washington, D.C., and the Centers for 
Disease Control and Prevention (CDC) in Atlanta. We selected specific 
IT initiatives to review from systems we identified in previous 
work,[Footnote 31] focusing on major public health IT initiatives in 
surveillance and communication systems. We excluded food safety systems 
and DOD disease surveillance systems that did not include civilian 
populations. We discussed our selection with federal officials to help 
ensure that we were addressing the most relevant major initiatives. To 
assess the progress of major federal IT initiatives designed to 
strengthen the effectiveness of the public health infrastructure, we 
analyzed agency documents such as Office of Management and Budget's 
Exhibit 300s, minutes of executive council meetings, and system 
development documents, including project plans, functional 
requirements, and cost-benefit analyses. We supplemented our evaluation 
of agency documents with interviews of federal officials. Through 
interviews with these officials and with state and local public health 
officials, we also assessed CDC's and DHS's interaction and 
coordination with each other on their IT initiatives. 

Because these federal initiatives affect state and local public health 
agencies, we supplemented our analysis of agency documentation by 
interviewing officials from six state and six local public health 
agencies on progress being achieved by CDC and DHS. We conducted our 
work at the San Diego County Health and Human Services Agency; the 
California Department of Health Services in Sacramento; the Thurston 
County Public Health and Social Services and the Washington State 
Department of Health in Olympia; the Austin/Travis County Health and 
Human Services Department and the Texas Department of State Health 
Services in Austin; the Milwaukee City Health Department; the Wisconsin 
Department of Health and Family Services in Madison, Wisconsin; the 
Boston Public Health Commission and the Commonwealth of Massachusetts 
Department of Public Health in Boston; the New York State Department of 
Health in Albany; and the New York City Department of Health and Mental 
Hygiene. The states and local public health agencies were selected 
because they were actively involved in implementing at least one of 
CDC's Public Health Information Network IT applications. We interviewed 
them on the impact of federal IT initiatives on state and local public 
health operations and lessons they learned from integrating federal IT 
initiatives into their local public health infrastructure. If they had 
systems similar to the federal systems in our review, we discussed how 
their systems compared with the federal initiatives. We also 
interviewed representatives of several public health professional 
organizations, which CDC considers its partners, such as the National 
Association of County and City Health Officials, the Association of 
State and Territorial Health Officials, the Council for State and 
Territorial Epidemiologists and the Association of Public Health 
Laboratories. We also had a discussion with the National Association of 
State Chief Information Officers. 

To identify key IT challenges facing federal agencies responsible for 
improving the public health infrastructure, we analyzed published GAO 
reports, agency documents, and other information obtained during 
interviews and site visits. We summarized the results of our evaluation 
and identified the key challenges that CDC and DHS have consistently 
encountered as they implement the IT initiatives included in our 
review. 

Our work was performed from July 2004 through April 2005 in accordance 
with generally accepted government auditing standards. 

[End of section]

Appendix II: Federal Agencies and Their Roles in Public Health 
Preparedness and Response: 

The Department of Health and Human Services (HHS) has primary 
responsibility for coordinating the nation's response to public health 
emergencies, including bioterrorism. HHS divisions responsible for 
bioterrorism preparedness and response, and their primary 
responsibilities, include the following: 

* The Office of the Assistant Secretary for Public Health Emergency 
Preparedness coordinates the department's work to oversee and protect 
public health, including cooperative agreements with states and local 
governments. States and local governments can apply for funding to 
upgrade public health infrastructure and health care systems to better 
prepare for and respond to bioterrorism and other public health 
emergencies. The office maintains a command center where it can 
coordinate the response to public health emergencies from one 
centralized location. This center is equipped with satellite 
teleconferencing capacity, broadband Internet hookups, and analysis and 
tracking software. 

* The Centers for Disease Control and Prevention (CDC) has primary 
responsibility for nationwide disease surveillance for specific 
biological agents, developing epidemiological and laboratory tools to 
enhance disease surveillance, and providing an array of scientific and 
financial support for state infectious disease surveillance, 
prevention, and control. CDC has an emergency operations center to 
organize and manage all of its emergency operations, allowing for 
immediate communication with HHS, the Department of Homeland Security, 
federal intelligence and emergency response officials, and state and 
local public health officials. CDC also provides testing services and 
consultation that are not available at the state level; training on 
infectious diseases and laboratory topics, such as testing methods and 
outbreak investigations; and grants to help states conduct disease 
surveillance. In addition, CDC provides state and local health 
departments with a wide range of technical, financial, and staff 
resources to help maintain or improve their ability to detect and 
respond to disease threats. 

* The Food and Drug Administration is responsible for safeguarding the 
food supply, ensuring that new vaccines and drugs are safe and 
effective, and conducting research on diagnostic tools and treatment of 
disease outbreaks. It is increasing its food safety responsibilities by 
improving its laboratory preparedness and food monitoring inspections. 

* The Agency for Healthcare Research and Quality is responsible for 
supporting research designed to improve the outcomes and quality of 
health care, reduce its costs, address safety and medical errors, and 
broaden access to effective services, including antibioterrorism 
research. It has initiated several major projects and activities 
designed to assess and enhance linkages between the clinical care 
delivery system and the public health infrastructure. Research focuses 
on emergency preparedness of hospitals and health care systems for 
bioterrorism and other public health events; technologies and methods 
to improve the linkages among the personal health care system, 
emergency response networks, and public health agencies; and training 
and information needed to prepare clinicians to recognize the symptoms 
of bioterrorist agents and manage patients appropriately. 

* The National Institutes of Health is responsible, among other things, 
for conducting medical research in its own laboratories and for 
supporting the research of nonfederal scientists in universities, 
medical schools, hospitals, and research institutions throughout the 
United States and abroad. Its National Institute of Allergy and 
Infectious Diseases has a program to support research related to 
organisms that are likely to be used as biological weapons. 

* The Health Resources Services Administration is responsible for 
improving the nation's health by ensuring equal access to 
comprehensive, culturally competent, quality health care. Its 
Bioterrorism Hospital Preparedness program administers cooperative 
agreements to state and local governments to support hospitals' efforts 
toward bioterrorism preparedness and response. 

The Department of Homeland Security (DHS) is responsible for, among 
other things, protecting the United States against terrorist attacks. 
One activity undertaken by DHS is coordination of surveillance 
activities of federal agencies related to national security. 

* The Science and Technology Directorate serves as the primary research 
and development arm of DHS, using our nation's scientific and 
technological resources to provide federal, state, and local officials 
with the technology and capabilities to protect the nation. The focus 
is on catastrophic terrorism--threats to the security of our homeland 
that could result in large-scale loss of life and major economic 
impact. The directorate's work is designed to counter those threats, 
both by improvements to current technological capabilities and 
development of new, revolutionary technological capabilities. 

* The Information Analysis and Infrastructure Protection Directorate is 
responsible for helping to deter, prevent, and mitigate acts of 
terrorism by assessing vulnerabilities in the context of continuously 
changing threats. It strengthens the nation's protective posture and 
disseminates timely and accurate information to federal, state, local, 
private, and international partners. 

* The Emergency Preparedness and Response Directorate is responsible 
for the National Incident Management System, which establishes 
standardized incident management processes, protocols, and procedures 
that all responders--federal, state, local and tribal--will use to 
coordinate and conduct response actions. 

The Department of Defense, while primarily responsible for the health 
and protection of its service members, contributes to global disease 
surveillance, training, research, and response to emerging infectious 
disease threats. 

* The Defense Threat Reduction Agency provides technical expertise and 
capabilities in combat support, technology development, threat control 
and threat reduction, including chemical and biological defense. 

* The United States Army Medical Research Institute of Infectious 
Diseases conducts biological research dealing with militarily relevant 
infectious diseases and biological agents. It also provides 
professional expertise on issues related to technologies and other 
tools to support readiness for a bioterrorist incident. 

The Department of Energy is developing new capabilities to counter 
chemical and biological threats. It expects the results of its research 
to be public and possibly lead to the development of commercial 
products in the domestic market. 

* The Chemical and Biological National Security Program has conducted 
research on biological detection, modeling and prediction, and 
biological foundations to support efforts in advanced detection, 
attribution, and medical countermeasures. 

* The national research laboratories (e.g., Lawrence Livermore, Los 
Alamos, and Sandia) are developing new capabilities for countering 
chemical and biological threats, including biological detection, 
modeling, and prediction. 

The Department of Agriculture (USDA) is responsible for protecting and 
improving the health and marketability of animals and animal products 
in the United States by preventing, controlling, and eliminating animal 
diseases. USDA's disease surveillance and response activities are 
intended to protect U.S. livestock and ensure the safety of 
international trade. In addition, USDA is responsible for ensuring that 
meat, poultry, and certain processed egg products are safe and properly 
labeled and packaged. USDA establishes quality standards and conducts 
inspections of processing facilities in order to safeguard certain 
animal food products against infectious diseases that pose a risk to 
humans. 

* The Agricultural Research Service conducts research to improve onsite 
rapid detection of biological agents in animals, plants, and food and 
has improved its detection capability for diseases and toxins that 
could affect animals and humans. 

* The Food Safety Inspection Service provides emergency preparedness 
for foodborne incidents, including bioterrorism. 

* The Animal and Plant Health Inspection Service has a role in 
responding to biological agents that cause zoonotic diseases (i.e., 
diseases transmitted from animals to humans). It also has veterinary 
epidemiologists to trace the source of animal exposures to diseases. 

The Environmental Protection Agency (EPA) has responsibilities to 
prepare for and respond to emergencies, including those related to 
biological materials. EPA can be involved in detection of agents by 
environmental monitoring and sampling. It is also responsible for 
protecting the nation's water supply from terrorist attack and for 
prevention and control of indoor air pollution. 

The Department of Veterans Affairs (VA) manages one of the nation's 
largest health care systems and is the nation's largest drug purchaser. 
The department purchases pharmaceuticals and medical supplies for the 
Strategic National Stockpile and the National Medical Response Team 
stockpile. The VA Emergency Preparedness Act of 2002 directed VA to 
establish at least four medical emergency preparedness centers to (1) 
carry out research and develop methods of detection, diagnosis, 
prevention, and treatment for biological and other public health and 
safety threats; (2) provide education, training, and advice to health 
care professionals inside and outside VA; and (3) provide laboratory 
and other assistance to local health care authorities in the event of a 
national emergency. 

[End of section]

Appendix III: Comments from the Department of Health and Human 
Services: 

DEPARTMENT OF HEALTH & HUMAN SERVICES: 
Office of Inspector General:
Washington, D.C. 20201: 

JUN 3 2005: 

Mr. David A. Powner: 
Director:
Information Technology Management Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Powner: 

Enclosed are the Department's comments on the U.S. Government 
Accountability Office's (GAO's) draft report entitled, "INFORMATION 
TECHNOLOGY-Federal Agencies Face Challenges in Implementing Initiatives 
to Improve Public Health Infrastructure" (GAO-05-308). The comments 
represent the tentative position of the Department and are subject to 
reevaluation when the final version of this report is received. 

The Department provided several technical comments directly to your 
staff. 

The Department appreciates the opportunity to comment on this draft 
report before its publication. 

Sincerely,

Signed by: 

Daniel R. Levinson: 
Acting Inspector General: 

Enclosure: 

The Office of Inspector General (OIG) is transmitting the Department's 
response to this draft report in our capacity as the Department's 
designated focal point and coordinator for U.S. Government 
Accountability Office reports. OIG has not conducted an independent 
assessment of these comments and therefore expresses no opinion on 
them. 

COMMENTS OF THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES ON THE 
U.S. GOVERNMENT ACCOUNTABILITY OFFICE'S REPORT ENTITLED "INFORMATION 
TECHNOLOGY-FEDERAL AGENCIES CHALLENGES IN IMPLEMENTING INITIATIVES TO 
IMPROVE PUBLIC HEALTH INFRASTRUCTURE" (GAO-05-308): 

The Department of Health and Human Services (HHS) appreciates the 
opportunity to review the Government Accountability Office's (GAO's) 
draft report. 

GAO's Recommendation: 

In order to improve the development and implementation of major public 
health IT initiatives, we recommend that the Secretary of Health and 
Human Services: 

* Ensure that the Federal initiatives are: (1) aligned with the 
National health IT strategy, the Federal health architecture, and 
ongoing public health IT initiatives; and (2) coordinated with State 
and local public health initiatives, and: 

* Ensure Federal actions to encourage the development, adoption, and 
implementation of health care data and communication standards across 
the health care industry to address interoperability challenges 
associated with the exchange of public health information. 

HHS Response: 

The Department generally concurs with the two core recommendations as 
noted in the draft report; however, there are a number of statements 
and concepts that should be reviewed and adjusted to provide a more 
accurate representation of public health's IT infrastructure. 
Therefore, HHS offers the following general comments regarding the 
draft report. 

During the anthrax events of 2001, public health entities exchanged 
data through faxes, e-mails, and telephone conversations, which lacked 
effective information technology (IT) to support preparedness and 
response needs. Today, through the Public Health Information Network 
(PHIN), public health has an interoperable, standards-based systems 
architecture that not only enables the secure and reliable electronic 
exchange of data but also provides specific systems and resources which 
perform preparedness and response functions for early event detection, 
outbreak management, the connection of laboratory systems, partner 
communication and alerting, and countermeasure and response 
administration. 

The PHIN systems implement industry standards such as Health Level (HL) 
7, and others, and are ready to work with standards-based electronic 
health records and other developing components of the nationwide health 
IT strategy. The draft report does not adequately represent the 
accomplishments in implementing technical specifications and standards 
for private, State, local, and HHH/CDC's systems, and the improvements 
and progress in public health IT since 2001. Readers may not recognize 
the significant amount of progress that has been made. Moreover, the 
draft does not reflect Secretary Leavitt's clearly stated strategic 
commitments, in his recently adopted 500-Day Plan, to express a clear 
vision of health information technology that conveys its benefits to 
patients, provider and payers; and to convene a national collaboration 
to further develop, set and certify health information technology 
standards and outcomes for interoperability, privacy and data exchange. 
(See http://www.hhs.gov/50ODayPlan). 

Incorporating an interoperable, standards-based strategy and standards-
based systems across a nationwide public health network introduces 
challenges but provides a greater long-term rate of return in terms of 
National cost savings and benefits as documented in a recent report on 
information exchange and interoperability published by the Center for 
Information Technology Leadership (CITL) 
http://www.himss.org/ASP/ContentRedirector.asp?Contentld=52848. This 
report found that, over a 10-year period, a health information exchange 
approach which is not based on standards could have a nationwide cost 
of over $34 billion. The CITL report also found that, while using 
systems which incorporate a standards-based approach, the cost savings 
could be over $337 billion. 

The GAO draft report focuses on many of the challenges such as longer 
deployment times associated with a standards-based approach; however, 
without the recognition of the activities involved in, or benefits of, 
pursuing a standards-based approach and standards-based systems, 
readers of the GAO report may not recognize the long-term benefits or 
even the negative impacts that alternative approaches may have. HHS 
requests that these benefits be incorporated into the final report to 
represent the strategy and value which are directly associated with 
these challenges. 

In several places throughout the draft report, GAO suggests that 
without a completed nationwide health strategy and accompanying 
architecture major initiatives are at risk (page 31, paragraph 2, 
"Health IT Strategy and Architecture to Address Public Health 
Surveillance Are Still Being Developed"). For the last 4 years, public 
health has been preparing for and responding to threats that impact the 
health of U.S. citizens; among these public health threats are Severe 
Acute Respiratory Syndrome (SARS), West Nile Virus, monkeypox, 
influenza, and hurricanes. In each event, the evolving IT has provided 
increasing value to public health, and public health's requirements 
continue to evolve and inform the overall strategy and architecture. 

Because of pressing preparedness needs, public health is working 
closely with the National Coordinator for Health IT to implement 
industry standards and standards-based systems that will work with 
emerging health IT standards. This is a necessary iterative strategy to 
gain immediate value and strengthen the public health infrastructure 
and also incorporate standards to facilitate interoperability not only 
among public health but other Federal and health organizations. For 
example: 

* CDC is implementing HL7-based lab result reporting from 94 of the 
Laboratory Response Network public health testing labs. These results 
will use Logical Observation Identifier Names and Codes (LOINC) and 
Systemized Nomenclature of Medicine (SNOMED) coding and industry 
standard transport and security. Because of the use of these standards, 
these results can be delivered to multiple recipients supporting 
multiple missions. 

CDC is implementing HL7-based reportable condition case reports for 
preparedness related events nationally. CDC has developed over 40 HL7 
standard implementation guides and industry standard supportive 
vocabulary so that suspect and confirmed disease cases can be exchanged 
between organizations. 

CDC's BioSense data provisioning support will emphasize the use of 
these industry standards for data exchange in the activities it 
supports and will, in many instances, take non-standard data formats 
and convert them to standard data and messaging formats to foster and 
advance the use of these industry standards in organizations receiving 
data. 

CDC's BioSense efforts will also foster data mobility in Regional 
Health Information Organizations (RHIO's) sharing the goals of having 
transportable electronic health records that can work with a National 
Health Information Network (NHIN). This point is one of many 
demonstrating how PHIN-related initiatives support plans to establish 
RHIO's (page 33). 

CDC's efforts are also supporting HL7 standards-based lab result 
reporting with SNOMED and LOINC coding from large private clinical 
laboratories such as LabCorp, Quest, Mayo, and others. These lab 
results in standard format can be used to support the delivery of 
electronic lab results to health care delivery organizations, as well 
as supporting public health organizations. 

As supporting evidence of this challenge's impact, the GAO draft report 
focuses on syndromic surveillance efforts within public health. The 
draft accurately points out that the Federal Health Architecture's 
(FHA) public health surveillance working group was formed 6 months ago. 
However, the report does not mention that a number of FHA workgroups, 
such as the FHA Interoperability workgroup and Consolidated Health 
Informatics (CHI), have been in existence for a longer period of time. 
Through these workgroups, many Federal standards have been established. 
CDC has actively participated in the formation of these standards, and 
PHIN and BioSense are fully compatible with the standards of this 
nationwide Federal architecture. Other organizations' initiatives and 
software applications may not adhere to these standards but, as in the 
case of the Electronic Surveillance System for the Early Notification 
of Community-based Epidemics (ESSENCE) and State and local public 
health applications, CDC is actively working to assist those 
initiatives in meeting these standards. This example, however, reflects 
a challenge associated more with adopting standards across a wide and 
diverse technology base than the absence of a completed strategy. HHS 
requests that this section of the draft report (page 32) be revised. 

In addition, it is essential to note that early event detection at the 
local, State, and Federal levels is neither duplicative nor irrelevant 
at a Federal level as the draft report suggests, but rather mandatory 
in protecting the public's health. Clearly, there are many who believe 
that looking at trends in one jurisdiction will not capture multi 
jurisdictional events (there are many examples of outbreaks that have 
only been identified when multi jurisdictional data have been 
examined), will not allow for the tracking of a communicable disease, 
such as SARS, being dispersed through travelers, such as with SARS, and 
will not allow for National situational awareness during a major event. 
When a major event occurs, National decision makers need to understand 
the size, scope, location and spread of the event. As the event 
progresses, they need to compare similar data from many different 
jurisdictions to understand the effectiveness of countermeasures and 
response. Therefore, HHS requests that this part of the section be 
deleted. 

Finally, the last paragraph of this section (page 34) overstates the 
urgency of the health architecture challenge. BioSense, as part of the 
PHIN architecture, is a standards-based, interoperable application that 
adheres to the Federal health IT strategy, which includes the FHA and 
CHI standards. The current language asserts that decisions are being 
made without a strategy in place and that CDC and the National 
Coordinator are not aligned. As stated in the previous paragraphs, 
these assertions are not accurate from an HHS perspective. Furthermore, 
there is no assessment of the risk associated with waiting. Finally, 
fiscal year (FY) 2006 costs for BioSense are unknown at this time. 
Therefore, HHS requests that this paragraph be deleted from the final 
report. 

HHS agrees that it is a challenge to strengthen the National public 
health infrastructure as the nationwide health IT strategy continues to 
evolve, but potential and real threats which adversely affect the 
public's health continue to occur. These technology initiatives assist 
public health in responding to threats, and the risk of not moving 
forward in discrete, iterative phases significantly outweighs that of 
waiting for a completed strategy. HHS suggests that this section does 
not accurately represent today's environment. Strategic pieces of a 
nationwide health IT architecture are in place; PHIN preparedness 
standards are in place; and the two are tracking with each other. 
Therefore, HHS requests that this section be revised based on the 
preceding comments. 

Following are key challenges that have been identified by CDC for 
realizing a nationwide standards-based, interoperable public health 
network: 

In an emergency, State and local health departments and clinical care 
sites usually share most data without consistent, mandatory reporting. 
However: 

* There is large variability in the type and coverage of data that are 
accumulated at the State and local levels;

* Baseline data against which the emergency data trends need to be 
compared for situational awareness are largely unavailable; and: 

* The processes and technical infrastructure to exchange the emergent 
data versus the routine data are so different that substantial 
technical and data work need to occur during each emergency causing a 
loss of critical time. 

Public health's role in preparedness and response has been perceived as 
limited to data collection and communications. Public health plays a 
far larger role, not only in detecting the event, but in managing, 
containing, and mitigating the event and its impact of events on the 
public. This larger role includes early event detection, outbreak 
management, countermeasure response and administration, laboratory 
results exchange, and partner communication and alerting. 

Some organizations do not invest in solutions that are standards-based. 
As a result, interoperability among different partners is significantly 
impeded, and information and data, two items essential to decision 
makers in an emergency, are often not exchanged in the most efficient 
and time-sensitive manner. 

The following are GAO's comments on the Department of Health and Human 
Services letter dated June 3, 2005. 

GAO Comments: 

1. We agree with HHS that the cost benefits of a standards-based 
approach to public health systems are potentially considerable. 
However, as we have reported before, the Center for Information 
Technology Leadership acknowledges that their cost estimates are based 
on a number of assumptions and inhibited by limited data that are 
neither complete nor precise.[Footnote 32]

2. We agree with HHS that standards-based systems provide important 
benefits. In our May 2003 report, we made several recommendations 
regarding the establishment and use of standards that are highlighted 
in this report. We also state that to support the compatibility, 
interoperability, and security of federal agencies' many planned and 
operational IT systems, the identification and implementation of data, 
communications, and security standards for health care delivery and 
public health are essential.[Footnote 33]

3. HHS states that our report does not mention a number of activities 
related to the Federal Health Architecture and the Consolidated Health 
Informatics initiative. We described the status of workgroup efforts 
specific to public health surveillance. In terms of the standards 
adopted by the Consolidated Health Informatics initiative, we presented 
the relevant standards in our table of industry standards used by the 
Public Health Information Network. We disagree with HHS that the 
paragraph needs to be revised. While the development of standards and 
policies is a key component of progress toward the implementation of a 
national health IT strategy, the development of a national strategy and 
corresponding federal architecture is equally important. 

4. We disagree with HHS that we should delete our discussion of the 
concerns of state and local public health officials regarding 
duplication of effort across federal agencies. Neither we nor the state 
and local public health officials suggest that early event detection at 
the federal level is irrelevant. Rather, we are reporting the concerns 
of state and local public health officials regarding the federal 
government's role, which merits further discussion and more involvement 
of state and local health officials. 

5. We have adjusted our report to indicate that fiscal year 2006 costs 
for BioSense are unknown. 

6. HHS comments that not moving forward with its technology initiatives 
presents greater risk than waiting for a completed national health IT 
strategy. We are not suggesting that HHS stop its ongoing activities; 
we only point out the risks associated with developing and implementing 
major IT initiatives without a coordinated strategy in place. 

[End of section]

Appendix IV: Comment from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

June 3, 2005:
Mr. David A. Powner: 
Director:
Information Technology Management Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Powner: 

Thank you for the opportunity to comment on GAO's draft report 
entitled, "Information Technology: Federal Agencies Face Challenges in 
Implementing Initiatives to Improve Public Health Infrastructure," GAO- 
05-308. Under separate cover we have provided extensive technical 
comments which we trust you will incorporate in the final report for 
clarity and to reflect the current state of the information technology 
(IT) initiatives being undertaken in the Department's Science and 
Technology (S&T) Directorate. 

The Department of Homeland Security (DHS) has just two overarching IT 
initiatives within the S&T Directorate. The first of these is the 
Biological Warning and Incident Characterization System (BWICS), which 
is to be the baseline BioWatch signal interpretation tool and will be 
deployed to all BioWatch cities. BWICS, once implemented, will link to 
both BioSense and the National Biosurveillance Integration System 
(NBIS). BioWatch (a component of BWICS) is not an IT system but rather, 
an environmental monitoring system for biological threat agents that 
uses an IT system for sample tracking, laboratory analysis, and data 
transmission to the Center for Disease Control (CDC). BioWatch Signal 
Interpretation and Integration Program (BWSIIP) is an effort that was 
initiated earlier to deploy some electronic medical surveillance tools 
to a BioWatch city to aid in signal interpretation. Once this effort is 
completed this fiscal year it will transition into BWICS, providing 
some of the medical surveillance tools to be used in the broader 
portfolio of BWICS signal interpretation tools. The second of S&T's IT 
initiatives is NBIS, which will integrate a much larger set of 
biosurveillance information across the nation from sector specific 
agencies; not just in BioWatch cities. As noted earlier, BWICS will be 
one of many feeds into NBIS. 

In the report, the term "biosurveillance" should be defined better 
because this word has different connotations. NBIS collects medical, 
environmental, and intelligence data, but in BWIC, it is not DHS's goal 
to develop medical biosurveillance systems but to use existing ones, 
either from locally existing systems or CDC, to provide health related 
syndromic data and information to assist in BioWatch signal 
interpretation and incident characterization. 

The draft report is erroneous in stating that our "..initiatives are 
still in such early stages that it is uncertain how they will improve 
public health preparedness". BioWatch, which was initially deployed in 
January of 2003, has been in existence for over 2 years and provides 
the ability for rapid biothreat detection prior to the presentation of 
clinical symptoms for rapid intervention. This initiative currently 
provides protection for a considerable percentage of the population 
with the potential to significantly minimize the mortality and 
morbidity associated with an intentional release of a biothreat agent 
into the environment. However, it is important to note that BioWatch is 
only one of the tools decision makers will use to understand or 
reconstruct a bioterrorist event. Several scenario-driven system 
studies have reinforced the utility of coupling biomonitoring data with 
biosurveillance data, sampling plans and strategies, and plume modeling 
to provide a better understanding of the target agent that was 
released, the method of release, its viability and degradation rate in 
the environment, etc. Assembling and analyzing this information will 
prove to be extremely beneficial in determining the affected 
areas/regions and population for rapid intervention, consequence 
management, remediation and restoration. Furthermore, BioWatch is 
designed to detect medium to large-scale release/attacks; medical 
biosurveillance data from federal and local sources will greatly assist 
in BioWatch signal interpretation and in capturing or serving as 
indicators for smaller scale release/attacks which could be missed by 
the BioWatch system. 

Due to the urgencies and importance of protecting the citizens of 
United States from a potential biological attack, DHS was requested to 
quickly deploy BioWatch, a research and development program at the 
time. Its primary goal was to provide rapid biodetection capability for 
rapid intervention to minimize mortality and morbidity and not 
interoperable IT systems due to time limitations. It is also important 
to note that DHS has been fully aware of the importance of an 
interoperable IT system to support such an extensive and complex 
architecture to provide nationwide biothreat coverage from the very 
beginning. The systematic approach taken by DHS was to initially deploy 
BioWatch and then follow through to address the deficiencies and to 
provide the appropriate tools for incident characterization and 
reconstruction, which currently is being addressed and accomplished 
through coordination and collaboration with the local BioWatch public 
health programs and environmental protection communities. 

We thank you again for the opportunity to provide comments on this 
draft report and look forward to working with you on future homeland 
security issues. 

Sincerely,

Signed by: 

Steven J. Pecinovsky: 
Director:
Departmental GAO/OIG Liaison: 

The following is GAO's comment on the Department of Homeland Security's 
letter dated June 3, 2005. 

GAO Comment: 

1. We disagree with DHS's statement that we erroneously categorize its 
initiatives as still in the early states. The initiatives that we are 
referring to as being in the early stages are the Biological Warning 
and Incident Characterization System and the National Biosurveillance 
Integration System, which according to DHS officials are considered 
their two major IT initiatives. DHS categorized them as being in 
development. 

[End of section]

Appendix V: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David A. Powner, 202-512-9286, [Hyperlink, pownerd@gao.gov]: 

Staff Acknowledgments: 

In addition to those named above, Barbara S. Collier, Neil J. Doherty, 
Amanda C. Gill, M. Saad Khan, Gay Hee Lee, Mary Beth McClanahan, M. 
Yvonne Sanchez, and Morgan Walts made key contributions to this report. 

[End of section]

Related GAO Reports on Health Information Technology: 

[End of section]

Health Information Technology: HHS Is Taking Steps to Develop a 
National Strategy. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-628]
Washington, D.C.: May 27, 2005. 

Health and Human Services' Estimate of Health Care Cost Savings 
Resulting from the Use of Information Technology. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-309R] 
Washington, D.C.: February 17, 2005. 

HHS's Efforts to Promote Health Information Technology and Legal 
Barriers to its Adoption. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-991R] 
Washington, D.C.: August 13, 2004. 

Health Care: National Strategy Needed to Accelerate the Implementation 
of Information Technology. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-947T] 
Washington, D.C.: July 14, 2004. 

Information Technology: Benefits Realized for Selected Health Care 
Functions. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-224]
Washington, D.C.: October 31, 2003. 

Bioterrorism: Information Technology Strategy Could Strengthen Federal 
Agencies' Abilities to Respond to Public Health Emergencies. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-139] 
Washington, D.C.: May 30, 2003. 

Automated Medical Records: Leadership Needed to Expedite Standards 
Development. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/IMTEC-93-17] 
Washington, D.C.: April 30, 1993. 

(310468): 

FOOTNOTES

[1] The public health infrastructure is the foundation that supports 
the planning, delivery, and evaluation of public health activities; it 
comprises a well-trained workforce, effective program and policy 
evaluation, sufficient epidemiology and surveillance capability to 
detect outbreaks and monitor incidence of diseases, appropriate 
response capacity for public health emergencies, effective 
laboratories, secure information systems, and advanced communications 
systems. 

[2] GAO, Bioterrorism: Information Technology Could Strengthen Federal 
Agencies' Abilities to Respond to Public Health Emergencies, GAO-03-139 
(Washington, D.C.: May 30, 2003). 

[3] We excluded food safety systems and Department of Defense disease 
surveillance systems that did not include civilian populations. 

[4] There is no generally accepted definition of biosurveillance; it 
generally refers to the automated monitoring of information sources of 
potential value in detecting an emerging epidemic, whether naturally 
occurring or the result of bioterrorism. Information sources may 
include data from environmental monitoring systems, the purchases of 
over-the-counter medication, and medical symptoms reported during 
ambulatory care. 

[5] The strategy is being developed on the basis of a framework that 
HHS published in July 2004. 

[6] Public Law 107-188 (June 12, 2002). 

[7] Department of Health and Human Services, The Decade of Health 
Information Technology: Delivering Consumer-centric and Information- 
rich Health Care (Washington, D.C.: July 21, 2004). 

[8] The National Response Plan is an all-discipline, all-hazards plan 
that establishes a single, comprehensive framework for the management 
of domestic incidents. It provides the structure and mechanisms for the 
coordination of federal support to state, local, and tribal incident 
managers and for exercising direct federal authorities and 
responsibilities. 

[9] GAO-03-139. 

[10] Institute of Medicine of the National Academies, The Future of the 
Public's Health in the 21st Century (Washington, D.C.: November 2002). 

[11] A notifiable disease is an infectious disease for which regular, 
frequent, and timely information on individual cases is considered 
necessary for the prevention and control of the disease. 

[12] Pathogens are bacteria, viruses, parasites, or fungi that have the 
capability to cause disease in humans. 

[13] In some cases, depending on state law, providers and others report 
first to local health departments, which report the disease information 
to the state health department. Local health departments may also 
conduct their own follow-up investigations into reports of notifiable 
diseases. 

[14] GAO, Emerging Infectious Diseases: Review of State and Federal 
Disease Surveillance Efforts, GAO-04-877 (Washington, D.C.: Sept. 30, 
2004). 

[15] CDC's responsibilities for surveillance are not limited to 
diseases, but also include chemical, injury, and health conditions, 
among others. 

[16] CDC and Agency for Toxic Substances and Disease Registry, 
Integrating Public Health Information and Surveillance Systems 
(Atlanta, Ga.: Spring 1995). 

[17] Some state and local officials said that they had found over-the- 
counter sales data the most useful, but these reports were 
discontinued. 

[18] These locations are primarily public health laboratories and the 
10 states that use the NEDSS Base System. 

[19] U.S. Environmental Protection Agency, EPA Needs to Fulfill Its 
Designated Responsibilities to Ensure Effective BioWatch Program, 2005- 
P-00012 (Washington, D.C.: Mar. 23, 2005). 

[20] GAO-03-139. 

[21] Department of Defense, Department of Defense Chemical, Biological, 
Radiological, and Nuclear Defense Program: Annual Report to Congress 
(Washington, D.C.: May 2004). 

[22] Department of Health and Human Services, The Decade of Health 
Information Technology: Delivering Consumer-centric and Information- 
rich Health Care (Washington, D.C.: July 21, 2004). 

[23] The federal health architecture program is intended to define a 
framework and methodology for establishing a target architecture and 
standards for interoperability and communication. An architecture 
describes an entity in both logical terms (e.g., interrelated 
functions, information needs and flows, work locations, systems, and 
applications) and technical terms (e.g., hardware, software, data, 
communications, and security). 

[24] HHS's goals and strategies associated with the national health IT 
strategy are further described in GAO, Health Information Technology: 
HHS Is Taking Steps to Develop a National Strategy, GAO-05-628 
(Washington, D.C.: May 27, 2005). 

[25] GAO, Emerging Infectious Diseases: Review of State and Federal 
Disease Surveillance Efforts, GAO-04-877 (Washington, D.C.: Sept. 30, 
2004). 

[26] The Council of State and Territorial Epidemiologists is a 
professional organization of public health epidemiologists from every 
U.S. state and territory, as well as Canada and Great Britain. 

[27] GAO-03-139. 

[28] GAO, Health Care: National Strategy Needed to Accelerate the 
Implementation of Information Technology, GAO-04-947T (Washington, 
D.C.: July 14, 2004). 

[29] Those included as PHIN standards are (1) Health Level 7 (HL7) 
messaging, (2) Systemized Nomenclature of Medicine--Clinical Terms 
(SNOMED), and (3) Logical Observations Identifiers Names and Codes 
(LOINC). HL7 message format standards provide a protocol that enables 
the flow of data between systems. SNOMED-Clinical Terms is a 
nomenclature classification for indexing medical vocabulary, including 
signs, symptoms, diagnoses, and procedures. LOINC is a set of code 
standards that covers a wide range of laboratory and clinical subject 
areas and identifies clinical questions, variables, and reports. 

[30] GAO, Department of Homeland Security: Formidable Information and 
Technology Management Challenge Requires Institutional Approach, GAO- 
04-702 (Washington, D.C.: Aug. 27, 2004); Information Technology 
Management: Governmentwide Strategic Planning, Performance Measurement, 
and Investment Management Can Be Further Improved, GAO-04- 49 
(Washington, D.C.: Jan. 12, 2004); and High-Risk Series: An Update, GAO-
05-207 (Washington, D.C.: Jan. 2005). 

[31] GAO, Bioterrorism: Information Technology Could Strengthen Federal 
Agencies' Abilities to Respond to Public Health Emergencies, GAO-03-139 
(Washington, D.C.: May 30, 2003). 

[32] GAO, Health and Human Services' Estimate of Health Care Cost 
Savings Resulting from the Use of Information Technology, GAO-05-309R 
(Washington, D.C.: Feb. 17, 2005). 

[33] GAO-03-139. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: