INTRODUCTION
Chairman Horn and Chairwoman Morella, I am pleased to appear before this joint hearing
of your Subcommittees to provide you with a report on the accomplishments and the
challenges faced by the U.S. Department of Health and Human Services (HHS) in assuring that our
systems and those Federally supported State run systems are millennium compliant. I offer
my comments on behalf of the Department and the Administration for Children and Families
(ACF) and the Health Care Financing Administration (HCFA).
Secretary Shalala and Deputy Secretary Thurm have declared the Year 2000 date issue our
highest priority -- simply put, Y2K is job number one at HHS. We have taken and will
continue to take strong actions to ensure that HHS information systems are Year 2000
compliant.
HHS' YEAR 2000 EFFORT
All HHS mission critical systems are Year 2000 compliant. All of the systems have been
renovated, future-date tested, certified compliant, verified compliant by an independent
contractor, and implemented. These systems include those that manage the eligibility,
enrollment, and premium status of 40 million Medicare beneficiaries, and make payments to
about 380 managed care organizations and all of the claims processing systems, operated by
private insurance contractors that process Medicare fee-for service claims and pay bills.
In addition, we have tested end-to-end the grants payment process for all the HHS programs
and are very pleased to report that the tests were successful and the grantees will be
able to access their grant funds after January 1, 2000.
HHS also requires all of its operating divisions to conduct thorough testing and
independent verification and validation of renovated systems. We also know there is a
possibility that, try as we might, some of our partners'
systems may not be fully compliant in time. Consequently, all of our Operating Divisions
have submitted initial business continuity and contingency plans to the Department. These
plans are being finalized and tested to provide us with the operational policies needed to
permit business continuity in the event of system failure.
HHS agencies collect a tremendous amount of information that requires data exchanges.
The Department has inventoried our data exchanges and contacted our service partners to
emphasize the importance of assuring Year 2000 compliance. HHS is working with the
National Association of State Information Resource Executive
s (NASIRE) and others to
assure a coordinated response. On April 22, 1998, HHS provided a listing of State
interfaces to NASIRE for its review of completeness and accuracy, we updated this listing
monthly until all of our State interfaces were compliant. HHS updated the listing on the
GSA web site for NASIRE review. All 1,141 State data exchanges are compliant and in use
today.
The U.S. Department of Health and Human Services is responsible for six high impact programs
that receive federal funding, but are actually administered by States or localities. While
HHS does not control these systems, the Department is working with States to ensure that
State-administered programs like Medicaid, Temporary Assistance to Needy Families and
child welfare programs are prepared. To accomplish this goal, the Department has worked on
a number of fronts. We have provided outreach to health care and human services providers,
as well as grantees administering our programs since mid-1998. We have assessed State
programs for Y2K compliance and have provided feedback to States on potential problems. We
are providing Y2K technical assistance to States that request it. We are providing special
funding to the territories to address Y2K-related issues. All of these efforts have the
goal of minimizing Y2K disruptions in the benefits and services provided to often
vulnerable citizens.
HUMAN SERVICES PROGRAMS
The Administration for Children and Families (ACF) supports five impact programs that
are administered at the State, county and local levels. Those programs are: Child Welfare,
Child Support Enforcement, Child Care, Temporary Assistance for Needy Families, and
Low-Income Home Energy Assistance.
The Administration for Children and Families (ACF) is 100% Y2K compliant for the
internal ACF systems,those by which we interface
directly with States. As the Assistant Secretary for ACF has testified earlier this year
to the Ways and Means Committee, ACF has remediated or replaced all non-compliant systems,
as well as independently tested and verified them. The agency is in the final testing
stage on its business continuity and contingency plans, for the Day One time period and
beyond.
Beyond the Federal level, Y2K compliance for human services programs is a very
complicated issue. There are substantial variations in the degree of automation in each
program and at each level, ranging from a Statewide system for multiple programs to a
simple desktop operation for a non-profit service provider.
STATE ASSESSMENT PROCESS
In April of this year, ACF was provided funding to examine the Y2K compliance status of
States and territories for those five high impact programs. In addition to assessing State
systems, ACF looked at a sample of county-level, local, and private sector program
administration. In
April 1999, EDS Corporation was brought on as the contractor to perform this Y2K
assessment.
EDS and ACF staff have now conducted on-site assessments in fifty-five jurisdictions to
evaluate the Y2K compliance of the operations of the five high impact programs. The
assessments involved examining evidence pertaining to the agencies'
efforts to achieve Y2K compliance with automated
systems, to develop business continuity and contingency plans, and to communicate with and
to involve the local offices (point of service delivery) in these plans. The assessment
protocol addressed factors ranging from management support and sponsorship to
mission-critical external interfaces.
A special challenge in this project was the assessment of county-administered States.
To ensure Y2K readiness was addressed at the service provider level, additional resources
were made available and the protocol was expanded to include the assessment of at least
two distinct county operations in each of the 13 county-administered States. Because of
the complex nature of our programs, in many States, it was necessary to include three or
more counties in the assessment in order to obtain complete information and valid
indicators as to the counties Y2K readiness.
ACF is satisfied with the scope, thoroughness, and objectivity of the reviews. We also
believe the assessments have assisted some States in prioritizing the most critical needs
among the Y2K activities that remain to be completed for our high impact programs.
All reports will be issued in October.
ACF ASSESSMENT FINDINGS
The findings from the assessments are generally good news. Trend analyses of findings
to date reveal that many States have made substantial progress to ensure the Y2K
compliance of their automated systems. While self-reported data that we had received from
States showed that a portion of the programs would not be compliant until December of this
year, in our actual assessments, we have found that, for the majority of our programs,
States have completed or are well on their way to completing system remediation. We have
also found that many State programs are not highly automated, or automated recently with
Y2K compliant software, thus reducing the risk of Y2K failures.
This does not mean that we do not have concerns. We are very concerned about the
compliance status of some territories, because their remediation effort may not be
completed on time. A small number of State programs in Alabama, Delaware, District of
Columbia, Georgia, Mississippi, New Hampshire, and South Carolina have been assessed as
being at a high risk of Y2K failure because both the remediation and testing of systems is
not complete or behind schedule and there are underdeveloped or nonexistent contingency
plans. Also a number of States, regardless of the status of their automated systems, lack
completed Business Continuity and Contingency Plans (BCCP). These plans are necessary in
the event that unlikely or unanticipated failures occur, and provide for the
implementation of alternate procedures and processes to continue program operations while
the systems failure is corrected.
We are pleased to note that the States responding to our assessment reports have been
in agreement with the findings, have taken steps to address the concerns identified, and
are implementing the recommendations made. A number of States, the reports have been
appreciated for moving particular programs higher on the list of priorities for State
remediation efforts.
ACF PHASE II OF THE ASSESSMENT PROCESS
The next steps in the process are to monitor States' progress of Y2K efforts in relation to the five high-impact programs and to target
technical assistance where needed, particularly for high and medium risk programs.
Follow-up assessments for those State programs that were found to have significant
concerns in the initial assessments will be conducted by ACF and EDS staff who
participated in the first round of visits. These second visits will focus on the concerns
noted in the report, and will begin shortly.
ACF has been focusing its technical assistance efforts on business continuity and
contingency planning, since that was the most commonly identified concern. EDS experts
will conduct multiple sessions of BCCP training for State representatives. ACF and EDS
staff will make technical assistance trips to States that require individualized
assistance, in coordination with other Federal human services agencies, including HCFA.
These technical assistance efforts have resulted in progress. ACF and EDS staff have
already provided on-site technical assistance in one State at its request, and will
shortly conduct visits to one of the territories and several other States. Last week, the
first BCCP training session was held, and representatives from one-third of the States
targeted by ACF for BCCP Technical assistance attended; course evaluations were extremely
positive.
For all State programs, ACF is collecting State BCCP plans and both EDS and ACF staff
are reviewing them for completeness. We will provide specific feedback to States as needed
on those plans, regardless of whether a State is targeted as needing technical assistance
or not.
MEDICAID AND STATE CHILDREN'S HEALTH
INSURANCE PROGRAMS
Although HCFA provides major funding for Medicaid, States operate these programs and it
is each State's responsibility to take the steps
it believes are appropriate to meet the needs of its Medicaid and State Children's Health Insurance Program (CHIP). HCFA's primary role is to assess, as best it can, each
State's progress on meeting its own goals and to
provide guidance on remediation, testing, and contingency planning. While HCFA does not
have the authority, ability, or resources to take over and operate State systems, it is
providing unprecedented levels of State technical assistance for Y2K preparedness.
Medicaid and CHIP programs are operated directly by the States with oversight from
HCFA. State computers are used in determining the eligibility of Medicaid and CHIP
beneficiaries, as well as Food Stamp recipients and Temporary Assistance to Needy
Families (TANF) recipients. In addition to supporting the administration and oversight of
these programs, computers help make sure that eligible beneficiaries get the health care
services for which they are eligible as well as process and pay Medicaid claims submitted
by doctors, hospitals, and other health care partners. Generally, there are three key
computer systems in each State that are being readied for Y2K: a Medicaid Management
Information System (MMIS), a CHIP system for which HCFA has some oversight responsibility,
and an eligibility system (ES) which is used to determine eligibility for both Medicaid
and CHIP.
A SUCCESSFUL COLLABORATION
Although States are responsible for assuring Y2K readiness of their computer systems,
HCFA provides technical assistance to State Medicaid agencies, including protocols for Y2K
compliance and testing, contingency planning strategies, and information on best
practices. HCFA has also taken the extra step of hiring expert consultants who, through
site visits, are assessing States' progress
against their own goals and standards in becoming Y2K compliant, as well as providing
detailed feedback and additional technical support. These contractors are also assessing
the adequacy of each States' contingency plans.
The high degree of cooperation we have achieved with the States on Y2K is a source of
great pride and satisfaction for us.
As of October 1, the first two rounds of State site visits has been completed. A third
round of visits is now underway. Thus far, States have made substantial progress in their
Y2K readiness and many appear to have benefitted from the assistance HCFA has provided.
Systems are assessed in two categories, MMIS and CHIP together in one category and the
eligibility system in the other category.
HCFA SITE VISITS
By the end of April, HCFA and its independent contractors had made three to four day
visits to all 50 States and the District of Columbia, as part of the first round of
assessments of State Medicaid and CHIP computer systems. The purpose of the initial visits
was to establish an objective assessment of the status of each State's Y2K remediation efforts; and provide technical
assistance in such areas as risk mitigation, contingency planning, and business
continuity. States were rated as High, Medium or Low based on an assessment of several
factors discussed below. Depending on the State's
status, second and even third round visits may be conducted.
Second round site visits were devoted to the Y2K efforts of Medium- and High-Risk
States and were made to 40 States, Puerto Rico, and the U.S. Virgin Islands, during May
through
September 1999. They focused on the status of States' validation and implementation phases, end-to-end testing, risk mitigation, business
continuity and contingency planning, Day One planning, and outreach activities to
beneficiaries and providers.
A third round of visits to 20 States that remain High or Medium Risk States is being
conducted from September through December 1999. The focus of these visits is on the States' contingency plans and risk mitigation efforts.
After each site visit, the information gathered and HCFA's assessments are discussed with State officials in a
debriefing session. In-depth written reports are then provided to State officials,
including each respective Governor, State Medicaid Director, and State Chief Information
Officer. These results document HCFA's key
findings and recommendations and, through a letter from Secretary Shalala, request the
Governor's leadership in assuring that federal
and State systems will work effectively after the Year 2000. The States are also provided
with recommendations and other types of technical assistance to strengthen their Y2K
remediation efforts.
It is important to note that the States' computer systems involve many lines of code and are dependent upon numerous electronic
interfaces with other partners ranging from hospitals and physician offices to county and
city-based eligibility determination systems. For that reason, a determination that a
State is a Low Risk does not mean the State has "no
risk." Therefore, HCFA is being careful to
continue to monitor the readiness of those Low Risk States that did not receive second and
third round visits. For example, follow-up calls will be made to gauge and monitor
progress in specific areas of interest and to verify that a State's risk status has not changed. Should there be a
change in status, HCFA will conduct another site visit.
During the second round of visits, the majority of States are showing improvement in
one or more systems. In fact, State ratings can change due to the dynamic nature of Y2K
readiness. States considered to be High Risk earlier in the year have made considerable
progress. On the other hand, States rated Medium or Low in Round 1 sometimes not have
continued to meet their internal targets or taken other steps to ensure enterprise-wide
Y2K readiness, thus causing their rating to increase in later rounds of HCFA visits.
However, based on indicators from the Round 2 visits, HCFA expects to see States' system readiness continue to improve.
MEDICAID RISK EXPOSURE DETERMINATION
Details are provided below to explain how HCFA is evaluating Y2K readiness. Systems are
assessed in two categories, with MMIS and CHIP together in one category, and the
eligibility system in the other category. To compare and contrast the relative level of
risk of Y2K failure for each Medicaid system in each State, HCFA is using a risk rating
based on the evaluation of 42 individual factors that measure the processes, products, and
progress of a State's Medicaid Y2K efforts.
These include various independent factors that measure project management considerations,
among others, that are correlated with the five critical phases identified by the General
Accounting Office: Awareness, Assessment, Renovation, Validation, and Implementation.
Scores on individual factors are weighted using a special protocol. An accumulated score
is reached by adding the individual factors with the verification and validation
experience of the on-site assessors. Each State's
MMIS and CHIP system, and eligibility system (ES) fall into one of the three risk
categories (High, Medium, and Low) based on the accumulated score.
High Risk Systems tend to share many of the same characteristics, such as
inadequate project management, planning, and testing. There often is a lack of progress
relative to the State's own schedule, and often
no independent validation and verification of the State's status. Other common factors among High Risk systems include: a lack of an objective
certification process, inadequate quality assurance measures, and an underdeveloped or
nonexistent contingency plan to assure system remediation or business continuity in case
of failure. The mix of these factors varies from State to State. Currently six States and
two territories (Alabama, Alaska, Massachusetts, New Hampshire, New Mexico, North
Carolina, Puerto Rico and Virgin Islands) are adjudged to be at high risk in one or more
of their Medicaid mission critical systems.
Medium Risk Systems tend to exhibit some smaller set of the same
characteristics of high risk systems, but are often characterized by better management
practices. As a result, there is a better chance that risks will be mitigated in the
coming months. For this reason, Medium Risk sites warrant a follow-up visit to verify the
anticipated improvement. Currently 13 States (Connecticut, Delaware, Georgia, Louisiana,
Nevada, New Jersey, Ohio, Oklahoma, South Carolina, Tennessee, Texas, Vermont, and
Wyoming) and the District of Columbia are adjudged to be at medium risk on their Medicaid
mission critical systems.
Low Risk Systems usually combine a solid management approach, adequate
resources, solid renovation and testing, all with adequate control and independent
validation and verification. However, even these systems are not no risk since the
delivery of Medicaid services are highly decentralized and depend heavily upon the smooth
operation of many people and services beyond the State's
direct authority control. Thirty-one States (Arizona, Arkansas, California, Colorado,
Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, New York, North Dakota,
Pennsylvania, Florida, Illinois, Maryland, Michigan, Minnesota, Mississippi, Missouri,
Montana, Nebraska, Oregon, Rhode Island, South Dakota, Utah, Virginia, Washington, West
Virginia, and Wisconsin) are at low risk on both the Medicaid mission critical systems.
Finally, the Secretary has written to the governors three times to bring to their
attention the progress that has been made in their State and to indicate what work remains
to be done. We have found that the direct communication by the Secretary to the governors
results in more attention and resources for States' compliance efforts.
We also have been working closely with our nation's Governors and State Program Directors to ensure that "high impact" Federally financed, State administered
programs are ready for the Year 2000. We have undertaken an extensive effort to assess the
Year 2000 readiness of these programs as well as provide technical assistance on
compliance protocols, testing, contingency planning strategies, and best practice
information. We have taken the extra step of hiring expert consultants who, through site
visits, are assessing States' progress against
their own goals and standards in becoming Year 2000 compliant, as well as providing
detailed feedback and technical support. We are continuing to assist States that are
having particular difficulties, including providing technical support in developing and
evaluating their contingency plans where needed. Based on observations obtained through
our site visits, States have made substantial progress.
CONTINGENCY PLANNING AND DAY ONE PLANNING
HCFA has requested business continuity and contingency plans from all 50 States,
territories and the District of Columbia and recommended that States closely follow GAO
guidance on the topic. The contingency plans address all the States'
HCFA is also working with States on the coordination of Day One activities. On
September 28, HCFA sent a letter to State Medicaid Directors advising them of HCFA's Day One activities and plans to track information
about the status of State Medicaid Agency claims payment and recipient eligibility
verification and determination systems. HCFA recommended that States complete Day one
plans and provided a template/checklist for States to use to track key Day One
information. HCFA also recommended that States establish a Day One team and command and
control center.
CONCLUSION
HHS recognizes our obligation to the American people to assure that HHS's programs
function properly now and in the next millennium. We all share a common goal of having our
systems and programs function with appropriate care for program beneficiaries continue
throughout the millennium transition. We are confident of our own internal preparedness,
and cautiously optimistic that significant efforts of our State partners will minimize the
effects of the Y2K computer problems in these "high impact" programs. In the coming months, we will
continue our efforts to monitor State readiness for Year 2000 and provide technical
assistance which is responsive to State needs. We would urge the Congress to continue to
highlight both State and Federal preparedness efforts for these programs now and in the
weeks ahead.
I thank the Committee for its interest and oversight on this issue, and I would be
happy to answer any questions you may have.
Privacy Notice (www.hhs.gov/Privacy.html) |
FOIA (www.hhs.gov/foia/) |
What's New (www.hhs.gov/about/index.html#topiclist) |
FAQs (answers.hhs.gov) |
Reading Room (www.hhs.gov/read/) |
Site Info (www.hhs.gov/SiteMap.html)
