Health Information Technology:

DOD Needs to Provide More Information on Risks to Improve Its Program Management

GAO-11-148: Published: Nov 17, 2010. Publicly Released: Nov 17, 2010.

Additional Materials:


Valerie C. Melvin
(202) 512-3000


Office of Public Affairs
(202) 512-4800

The National Defense Authorization Act for Fiscal Year 2010 directed the Department of Defense (DOD) to submit a report to congressional defense committees on improvements to the governance and execution of its health information management and information technology (IT) programs to support medical care within the military health system. DOD submitted its report to the appropriate House and Senate committees in June 2010. The act also directed GAO to assess the report and DOD's plan of action to achieve its goals and mitigate risks in the management and execution of health information management and IT programs. Specifically, GAO's objective was to determine whether DOD addressed the reporting requirements specified in the defense authorization act. To do this, GAO reviewed the report submitted by DOD, and analyzed it against the reporting requirements, prior GAO work examining DOD's health IT issues, DOD guidance, and industry best practices.

DOD addressed 6 of the 10 reporting requirements included in the National Defense Authorization Act for Fiscal Year 2010. For example, it reported on its capability to meet the requirements for joint interoperability--the ability to exchange electronic patient health data--with the Department of Veterans Affairs. The department also reported on its capability to carry out necessary governance, management, and development functions of health information management and IT systems. The department partially addressed the remaining 4 requirements, which pertained to identifying, assessing, and mitigating risks, as well as reporting on estimated resources required to optimally support health care IT and planning corrective actions to remedy shortfalls that DOD identified. For example, the department had identified and assessed risks, but the report did not fully disclose these risks or the meaning of the department's assessment. Also, the report did not fully identify the staff and funds needed, nor did it fully identify the organizations responsible and accountable for accomplishing risk mitigation activities. If not corrected, incomplete reporting to address these requirements could impede congressional oversight of the department's planned improvements. GAO is recommending that DOD report additional details to address shortcomings in 4 requirements, including risk identification and assessment, risk mitigation planning, and corrective action planning. In comments on a draft of this report, DOD concurred with GAO's recommendation and described actions it is taking to address it.

Recommendation for Executive Action

  1. Status: Closed - Implemented

    Comments: On November 9, 2010, DOD included as an attachment to agency comments to the report, an expanded mitigation matrix titled Risks, Mitigations, and Milestones. The expanded matrix included comprehensive information about identified risks and assessment levels, mitigation steps, and corrective actions. The expanded matrix also identified organizations responsible for risk activities, approving officials, and milestones for completing risks activities. Additionally, in June 2012, as part of its Fiscal Year 2013 President's Budget Submission, DOD provided the future-year resources estimates for health IT initiatives to Congress separately in the Special Capital Investment Report (SCIR) The SCIR estimate was $1.3 million for Fiscal Years 2011 through 2014 for activities including research, development, testing, and evaluation; procurement; and operations and maintenance.

    Recommendation: To address shortcomings in meeting these 4 reporting requirements, the Secretary of Defense should direct the Deputy Secretary of Defense to report to the congressional defense committees additional details to address shortcomings GAO identified for the reporting requirements regarding (1) risk identification and assessment, (2) risk mitigation planning, (3) corrective action planning, and (4) future year resources estimation.

    Agency Affected: Department of Defense


Explore the full database of GAO's Open Recommendations »

Oct 13, 2020

Oct 7, 2020

Sep 30, 2020

Sep 29, 2020

Sep 28, 2020

Sep 14, 2020

Sep 9, 2020

Sep 8, 2020

Aug 31, 2020

Aug 3, 2020

Looking for more? Browse all our products here