y Y2K and Federally-Funded State Run Programs
DHHS Eagle graphic
ASL Header
Mission Nav Button Division Nav Button Grants Nav Button Testimony Nav Button Other Links Nav Button ASL Home Nav Button
US Capitol Building
Search
HHS Home
Contact Us
dot graphic Testimony bar

This is an archive page. The links are no longer being updated.

Testimony Regarding the Year 2000 Date Issue and the Federally Supported, State Run High Impact Programs by John J. Callahan
Assistant Secretary for Management and Budget and
Chief Information Officer
U.S. Department of Health and Human Services

Before the House Government Reform Committee, Subcommittee on Government Management, Information and the Committee on Science, Subcommittee on Technology
October 6, 1999


INTRODUCTION

Chairman Horn and Chairwoman Morella, I am pleased to appear before this joint hearing of your Subcommittees to provide you with a report on the accomplishments and the challenges faced by the U.S. Department of Health and Human Services (HHS) in assuring that our systems and those Federally supported State run systems are millennium compliant. I offer my comments on behalf of the Department and the Administration for Children and Families (ACF) and the Health Care Financing Administration (HCFA).

Secretary Shalala and Deputy Secretary Thurm have declared the Year 2000 date issue our highest priority -- simply put, Y2K is job number one at HHS. We have taken and will continue to take strong actions to ensure that HHS information systems are Year 2000 compliant.

HHS' YEAR 2000 EFFORT

All HHS mission critical systems are Year 2000 compliant. All of the systems have been renovated, future-date tested, certified compliant, verified compliant by an independent contractor, and implemented. These systems include those that manage the eligibility, enrollment, and premium status of 40 million Medicare beneficiaries, and make payments to about 380 managed care organizations and all of the claims processing systems, operated by private insurance contractors that process Medicare fee-for service claims and pay bills. In addition, we have tested end-to-end the grants payment process for all the HHS programs and are very pleased to report that the tests were successful and the grantees will be able to access their grant funds after January 1, 2000.

HHS also requires all of its operating divisions to conduct thorough testing and independent verification and validation of renovated systems. We also know there is a possibility that, try as we might, some of our partners' systems may not be fully compliant in time. Consequently, all of our Operating Divisions have submitted initial business continuity and contingency plans to the Department. These plans are being finalized and tested to provide us with the operational policies needed to permit business continuity in the event of system failure.

HHS agencies collect a tremendous amount of information that requires data exchanges. The Department has inventoried our data exchanges and contacted our service partners to emphasize the importance of assuring Year 2000 compliance. HHS is working with the National Association of State Information Resource Executive s (NASIRE) and others to assure a coordinated response. On April 22, 1998, HHS provided a listing of State interfaces to NASIRE for its review of completeness and accuracy, we updated this listing monthly until all of our State interfaces were compliant. HHS updated the listing on the GSA web site for NASIRE review. All 1,141 State data exchanges are compliant and in use today.

The U.S. Department of Health and Human Services is responsible for six high impact programs that receive federal funding, but are actually administered by States or localities. While HHS does not control these systems, the Department is working with States to ensure that State-administered programs like Medicaid, Temporary Assistance to Needy Families and child welfare programs are prepared. To accomplish this goal, the Department has worked on a number of fronts. We have provided outreach to health care and human services providers, as well as grantees administering our programs since mid-1998. We have assessed State programs for Y2K compliance and have provided feedback to States on potential problems. We are providing Y2K technical assistance to States that request it. We are providing special funding to the territories to address Y2K-related issues. All of these efforts have the goal of minimizing Y2K disruptions in the benefits and services provided to often vulnerable citizens.

HUMAN SERVICES PROGRAMS

The Administration for Children and Families (ACF) supports five impact programs that are administered at the State, county and local levels. Those programs are: Child Welfare, Child Support Enforcement, Child Care, Temporary Assistance for Needy Families, and Low-Income Home Energy Assistance.

The Administration for Children and Families (ACF) is 100% Y2K compliant for the internal ACF systems,those by which we interface directly with States. As the Assistant Secretary for ACF has testified earlier this year to the Ways and Means Committee, ACF has remediated or replaced all non-compliant systems, as well as independently tested and verified them. The agency is in the final testing stage on its business continuity and contingency plans, for the Day One time period and beyond.

Beyond the Federal level, Y2K compliance for human services programs is a very complicated issue. There are substantial variations in the degree of automation in each program and at each level, ranging from a Statewide system for multiple programs to a simple desktop operation for a non-profit service provider.

STATE ASSESSMENT PROCESS

In April of this year, ACF was provided funding to examine the Y2K compliance status of States and territories for those five high impact programs. In addition to assessing State systems, ACF looked at a sample of county-level, local, and private sector program administration. In

April 1999, EDS Corporation was brought on as the contractor to perform this Y2K assessment.

EDS and ACF staff have now conducted on-site assessments in fifty-five jurisdictions to evaluate the Y2K compliance of the operations of the five high impact programs. The assessments involved examining evidence pertaining to the agencies' efforts to achieve Y2K compliance with automated systems, to develop business continuity and contingency plans, and to communicate with and to involve the local offices (point of service delivery) in these plans. The assessment protocol addressed factors ranging from management support and sponsorship to mission-critical external interfaces.

A special challenge in this project was the assessment of county-administered States. To ensure Y2K readiness was addressed at the service provider level, additional resources were made available and the protocol was expanded to include the assessment of at least two distinct county operations in each of the 13 county-administered States. Because of the complex nature of our programs, in many States, it was necessary to include three or more counties in the assessment in order to obtain complete information and valid indicators as to the counties Y2K readiness.

ACF is satisfied with the scope, thoroughness, and objectivity of the reviews. We also believe the assessments have assisted some States in prioritizing the most critical needs among the Y2K activities that remain to be completed for our high impact programs.

All reports will be issued in October.

ACF ASSESSMENT FINDINGS

The findings from the assessments are generally good news. Trend analyses of findings to date reveal that many States have made substantial progress to ensure the Y2K compliance of their automated systems. While self-reported data that we had received from States showed that a portion of the programs would not be compliant until December of this year, in our actual assessments, we have found that, for the majority of our programs, States have completed or are well on their way to completing system remediation. We have also found that many State programs are not highly automated, or automated recently with Y2K compliant software, thus reducing the risk of Y2K failures.

This does not mean that we do not have concerns. We are very concerned about the compliance status of some territories, because their remediation effort may not be completed on time. A small number of State programs in Alabama, Delaware, District of Columbia, Georgia, Mississippi, New Hampshire, and South Carolina have been assessed as being at a high risk of Y2K failure because both the remediation and testing of systems is not complete or behind schedule and there are underdeveloped or nonexistent contingency plans. Also a number of States, regardless of the status of their automated systems, lack completed Business Continuity and Contingency Plans (BCCP). These plans are necessary in the event that unlikely or unanticipated failures occur, and provide for the implementation of alternate procedures and processes to continue program operations while the systems failure is corrected.

We are pleased to note that the States responding to our assessment reports have been in agreement with the findings, have taken steps to address the concerns identified, and are implementing the recommendations made. A number of States, the reports have been appreciated for moving particular programs higher on the list of priorities for State remediation efforts.

ACF PHASE II OF THE ASSESSMENT PROCESS

The next steps in the process are to monitor States' progress of Y2K efforts in relation to the five high-impact programs and to target technical assistance where needed, particularly for high and medium risk programs. Follow-up assessments for those State programs that were found to have significant concerns in the initial assessments will be conducted by ACF and EDS staff who participated in the first round of visits. These second visits will focus on the concerns noted in the report, and will begin shortly.

ACF has been focusing its technical assistance efforts on business continuity and contingency planning, since that was the most commonly identified concern. EDS experts will conduct multiple sessions of BCCP training for State representatives. ACF and EDS staff will make technical assistance trips to States that require individualized assistance, in coordination with other Federal human services agencies, including HCFA.

These technical assistance efforts have resulted in progress. ACF and EDS staff have already provided on-site technical assistance in one State at its request, and will shortly conduct visits to one of the territories and several other States. Last week, the first BCCP training session was held, and representatives from one-third of the States targeted by ACF for BCCP Technical assistance attended; course evaluations were extremely positive.

For all State programs, ACF is collecting State BCCP plans and both EDS and ACF staff are reviewing them for completeness. We will provide specific feedback to States as needed on those plans, regardless of whether a State is targeted as needing technical assistance or not.

MEDICAID AND STATE CHILDREN'S HEALTH INSURANCE PROGRAMS

Although HCFA provides major funding for Medicaid, States operate these programs and it is each State's responsibility to take the steps it believes are appropriate to meet the needs of its Medicaid and State Children's Health Insurance Program (CHIP). HCFA's primary role is to assess, as best it can, each State's progress on meeting its own goals and to provide guidance on remediation, testing, and contingency planning. While HCFA does not have the authority, ability, or resources to take over and operate State systems, it is providing unprecedented levels of State technical assistance for Y2K preparedness.

Medicaid and CHIP programs are operated directly by the States with oversight from HCFA. State computers are used in determining the eligibility of Medicaid and CHIP beneficiaries, as well as Food Stamp recipients and Temporary Assistance to Needy Families (TANF) recipients. In addition to supporting the administration and oversight of these programs, computers help make sure that eligible beneficiaries get the health care services for which they are eligible as well as process and pay Medicaid claims submitted by doctors, hospitals, and other health care partners. Generally, there are three key computer systems in each State that are being readied for Y2K: a Medicaid Management Information System (MMIS), a CHIP system for which HCFA has some oversight responsibility, and an eligibility system (ES) which is used to determine eligibility for both Medicaid and CHIP.

A SUCCESSFUL COLLABORATION

Although States are responsible for assuring Y2K readiness of their computer systems, HCFA provides technical assistance to State Medicaid agencies, including protocols for Y2K compliance and testing, contingency planning strategies, and information on best practices. HCFA has also taken the extra step of hiring expert consultants who, through site visits, are assessing States' progress against their own goals and standards in becoming Y2K compliant, as well as providing detailed feedback and additional technical support. These contractors are also assessing the adequacy of each States' contingency plans. The high degree of cooperation we have achieved with the States on Y2K is a source of great pride and satisfaction for us.

As of October 1, the first two rounds of State site visits has been completed. A third round of visits is now underway. Thus far, States have made substantial progress in their Y2K readiness and many appear to have benefitted from the assistance HCFA has provided. Systems are assessed in two categories, MMIS and CHIP together in one category and the eligibility system in the other category.

HCFA SITE VISITS

By the end of April, HCFA and its independent contractors had made three to four day visits to all 50 States and the District of Columbia, as part of the first round of assessments of State Medicaid and CHIP computer systems. The purpose of the initial visits was to establish an objective assessment of the status of each State's Y2K remediation efforts; and provide technical assistance in such areas as risk mitigation, contingency planning, and business continuity. States were rated as High, Medium or Low based on an assessment of several factors discussed below. Depending on the State's status, second and even third round visits may be conducted.

Second round site visits were devoted to the Y2K efforts of Medium- and High-Risk States and were made to 40 States, Puerto Rico, and the U.S. Virgin Islands, during May through

September 1999. They focused on the status of States' validation and implementation phases, end-to-end testing, risk mitigation, business continuity and contingency planning, Day One planning, and outreach activities to beneficiaries and providers.

A third round of visits to 20 States that remain High or Medium Risk States is being conducted from September through December 1999. The focus of these visits is on the States' contingency plans and risk mitigation efforts.

After each site visit, the information gathered and HCFA's assessments are discussed with State officials in a debriefing session. In-depth written reports are then provided to State officials, including each respective Governor, State Medicaid Director, and State Chief Information Officer. These results document HCFA's key findings and recommendations and, through a letter from Secretary Shalala, request the Governor's leadership in assuring that federal and State systems will work effectively after the Year 2000. The States are also provided with recommendations and other types of technical assistance to strengthen their Y2K remediation efforts.

It is important to note that the States' computer systems involve many lines of code and are dependent upon numerous electronic interfaces with other partners ranging from hospitals and physician offices to county and city-based eligibility determination systems. For that reason, a determination that a State is a Low Risk does not mean the State has "no risk." Therefore, HCFA is being careful to continue to monitor the readiness of those Low Risk States that did not receive second and third round visits. For example, follow-up calls will be made to gauge and monitor progress in specific areas of interest and to verify that a State's risk status has not changed. Should there be a change in status, HCFA will conduct another site visit.

During the second round of visits, the majority of States are showing improvement in one or more systems. In fact, State ratings can change due to the dynamic nature of Y2K readiness. States considered to be High Risk earlier in the year have made considerable progress. On the other hand, States rated Medium or Low in Round 1 sometimes not have continued to meet their internal targets or taken other steps to ensure enterprise-wide Y2K readiness, thus causing their rating to increase in later rounds of HCFA visits. However, based on indicators from the Round 2 visits, HCFA expects to see States' system readiness continue to improve.

MEDICAID RISK EXPOSURE DETERMINATION

Details are provided below to explain how HCFA is evaluating Y2K readiness. Systems are assessed in two categories, with MMIS and CHIP together in one category, and the eligibility system in the other category. To compare and contrast the relative level of risk of Y2K failure for each Medicaid system in each State, HCFA is using a risk rating based on the evaluation of 42 individual factors that measure the processes, products, and progress of a State's Medicaid Y2K efforts. These include various independent factors that measure project management considerations, among others, that are correlated with the five critical phases identified by the General Accounting Office: Awareness, Assessment, Renovation, Validation, and Implementation. Scores on individual factors are weighted using a special protocol. An accumulated score is reached by adding the individual factors with the verification and validation experience of the on-site assessors. Each State's MMIS and CHIP system, and eligibility system (ES) fall into one of the three risk categories (High, Medium, and Low) based on the accumulated score.

High Risk Systems tend to share many of the same characteristics, such as inadequate project management, planning, and testing. There often is a lack of progress relative to the State's own schedule, and often no independent validation and verification of the State's status. Other common factors among High Risk systems include: a lack of an objective certification process, inadequate quality assurance measures, and an underdeveloped or nonexistent contingency plan to assure system remediation or business continuity in case of failure. The mix of these factors varies from State to State. Currently six States and two territories (Alabama, Alaska, Massachusetts, New Hampshire, New Mexico, North Carolina, Puerto Rico and Virgin Islands) are adjudged to be at high risk in one or more of their Medicaid mission critical systems.

Medium Risk Systems tend to exhibit some smaller set of the same characteristics of high risk systems, but are often characterized by better management practices. As a result, there is a better chance that risks will be mitigated in the coming months. For this reason, Medium Risk sites warrant a follow-up visit to verify the anticipated improvement. Currently 13 States (Connecticut, Delaware, Georgia, Louisiana, Nevada, New Jersey, Ohio, Oklahoma, South Carolina, Tennessee, Texas, Vermont, and Wyoming) and the District of Columbia are adjudged to be at medium risk on their Medicaid mission critical systems.

Low Risk Systems usually combine a solid management approach, adequate resources, solid renovation and testing, all with adequate control and independent validation and verification. However, even these systems are not no risk since the delivery of Medicaid services are highly decentralized and depend heavily upon the smooth operation of many people and services beyond the State's direct authority control. Thirty-one States (Arizona, Arkansas, California, Colorado, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, New York, North Dakota, Pennsylvania, Florida, Illinois, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Oregon, Rhode Island, South Dakota, Utah, Virginia, Washington, West Virginia, and Wisconsin) are at low risk on both the Medicaid mission critical systems.

Finally, the Secretary has written to the governors three times to bring to their attention the progress that has been made in their State and to indicate what work remains to be done. We have found that the direct communication by the Secretary to the governors results in more attention and resources for States' compliance efforts.

We also have been working closely with our nation's Governors and State Program Directors to ensure that "high impact" Federally financed, State administered programs are ready for the Year 2000. We have undertaken an extensive effort to assess the Year 2000 readiness of these programs as well as provide technical assistance on compliance protocols, testing, contingency planning strategies, and best practice information. We have taken the extra step of hiring expert consultants who, through site visits, are assessing States' progress against their own goals and standards in becoming Year 2000 compliant, as well as providing detailed feedback and technical support. We are continuing to assist States that are having particular difficulties, including providing technical support in developing and evaluating their contingency plans where needed. Based on observations obtained through our site visits, States have made substantial progress.

CONTINGENCY PLANNING AND DAY ONE PLANNING

HCFA has requested business continuity and contingency plans from all 50 States, territories and the District of Columbia and recommended that States closely follow GAO guidance on the topic. The contingency plans address all the States' HCFA is also working with States on the coordination of Day One activities. On September 28, HCFA sent a letter to State Medicaid Directors advising them of HCFA's Day One activities and plans to track information about the status of State Medicaid Agency claims payment and recipient eligibility verification and determination systems. HCFA recommended that States complete Day one plans and provided a template/checklist for States to use to track key Day One information. HCFA also recommended that States establish a Day One team and command and control center.

CONCLUSION

HHS recognizes our obligation to the American people to assure that HHS's programs function properly now and in the next millennium. We all share a common goal of having our systems and programs function with appropriate care for program beneficiaries continue throughout the millennium transition. We are confident of our own internal preparedness, and cautiously optimistic that significant efforts of our State partners will minimize the effects of the Y2K computer problems in these "high impact" programs. In the coming months, we will continue our efforts to monitor State readiness for Year 2000 and provide technical assistance which is responsive to State needs. We would urge the Congress to continue to highlight both State and Federal preparedness efforts for these programs now and in the weeks ahead.

I thank the Committee for its interest and oversight on this issue, and I would be happy to answer any questions you may have.


Privacy Notice (www.hhs.gov/Privacy.html) | FOIA (www.hhs.gov/foia/) | What's New (www.hhs.gov/about/index.html#topiclist) | FAQs (answers.hhs.gov) | Reading Room (www.hhs.gov/read/) | Site Info (www.hhs.gov/SiteMap.html)