The Pentagon capped off a more than two-year acquisition process for a new electronic health record Wednesday afternoon, awarding a $4.3 billion contract to a consortium of companies led by Leidos. The new system will eventually be rolled out to more than a thousand sites around the world, replacing DoD’s homegrown and aging electronic records systems with a mostly commercial-off-the-shelf IT product.
After an extended acquisition and negotiating process involving three draft RFPs and during which three potential bidders dropped out or were eliminated, the Pentagon was left with three final offers prior to Wednesday’s award.
Frank Kendall, the undersecretary of Defense for acquisition, technology and logistics said all three remaining bids were “very viable and very competitive,” but that the proposal by the Leidos team, which also includes health IT giant Cerner, offered a clear best value to the government.
The initial contract covers the first two years of DoD’s rollout of the new EHR, but includes options that, if exercised, could extend the deal through 2025.
The department said the agreement it struck will likely mean that it will pay a much lower price for the health records system than it anticipated over the program’s entire lifecycle: Early estimates were as high as $11 billion over the next 18 years, but officials now project that they will pay less than $9 billion when all is said and done.
“Competition has worked for us and we’re very happy with the result we’ve gotten,” Kendall told reporters Wednesday. “About a third of the effort is fixed-price and the other two-thirds are cost-plus, but we think we’ve got a strong handle on the portion that’s cost-plus.”
The procurement’s managers said they sought to minimize expensive surprises in the cost-plus portion of the contract by insisting that all bids incorporate software licenses for all future system upgrades up front and that the commercial system demonstrate the ability to easily integrate new IT modules from other vendors as they become available or when DoD identifies a new mission need in its health care facilities. Fully one quarter of the funds the Pentagon is obligating are for ancillary services such as future training and IT support.
Chris Miller, the program executive officer for the Defense Healthcare Management System Modernization (DHMSM) program said the contract will also include strict requirements for government ownership of data rights.
“Vendor lock and data ownership are the exact kinds of issues that meant we needed to take our time with this procurement and do it right,” he said. “So for example, we own 100 percent of the data and people cannot charge us to share that data. Those are things that health care providers in the commercial marketplace are struggling with right now, because there’s a lot of nuance here. We also know that we need to be able to make changes. So besides all the patient data, we also own all the data rights dealing with all the training and configuration we would need if we wanted to move from one vendor to another. We have done the work we needed to do to make sure we weren’t picking Beta in the VHS war.”
Pentagon officials will meet with losing bidders in the coming days to explain their rationale for awarding the contract to their competitor.
Kendall said he is hopeful that they will refrain from formally protesting the award after having heard DoD’s case, but that the department is also highly confident it would prevail if any protests were filed.
“We think we’re in a good position,” he said. “The things you have to do to survive a protest are to follow the rules you put in place and then to document that you did so. In this program, we did this very well. And I think the fact that we had a clear best value decision in front of us will be apparent to the other bidders when we debrief them.”
Next, the department plans to begin fielding the system on an initial operating capability basis to eight sites in the Pacific Northwest, but the initial deployments will not even begin until late in 2016.
Besides training DoD’s huge medical workforce to use a huge new health IT system, the military services will also have to find ways to manage the new EHR alongside a collection of more than 50 legacy systems until the hodgepodge of older IT can be fully phased out.
“Each one of those systems has a transition plan, but let me stress that all of that data will be retained and accessible in the new EHR,” Miller said. “We have a responsibility to protect that data for many years both for clinical care and benefits. But the older systems are still going to be around, and we need to figure out an orderly transition process based on today’s vendor selection.”
The department first made the decision to buy a commercial health record in the summer of 2013 after several years of arduous negotiations aimed at creating a common system shared with the Department of Veterans Affairs ultimately fizzled out, much to the frustration of then-incoming Defense Secretary Chuck Hagel, who ordered Kendall to find a new way forward.
Kendall said Wednesady that the selection of a commercial product ensures the department will keep pace with modern technology while also giving its health care system the ability to influence the broader health IT market.
But officials bristle at the suggestion that operating a health records system that is technologically separate from VA’s will make their patient data less interoperable. Kendall said the actual EHR being used and the ability to share data are, in many ways, completely separate issues.
“There is not a big interoperability problem between DoD and VA today,” he said. “We are about to certify to the Congress that we are interoperable, because we have been working that very hard for the past two years. I think it’s a big misconception that the new health care system we’re buying is about interoperability. Interoperability is one of the things we want to preserve and enhance, but it’s not a barrier to our people receiving health care today and it’s not a major contributor to the VA backlog.”
Pentagon officials said they also made the ability to exchange patient data with private sector providers a key factor in the procurement. That capability is vital, they said, since more than 60 percent of DoD’s patient care is actually performed by private providers through the department’s TRICARE contracts.
Miller said in the next round of TRICARE contracts, due for award sometime in the next two years, the department intends to explicitly require providers to use common data standards set by the Office of the National Coordinator for Health IT, the same standards DoD and VA are using to exchange patient information.
“Interoperability is not something you just go buy one day,” Miller said. “It’s something we have to aggressively pursue and constantly look for opportunities to improve. We really do have a great opportunity here to save time, save money and save lives. But we have a lot of hard work ahead of us.”
The upcoming work also involves unanswered questions about where DoD will host its patient data and how to secure it from potential hackers as more and more sensitive medical information migrates from paper and into electronic databases.
On the cybersecurity front, officials said that while no contract arrangement could fully guarantee patient data was inaccessible to hackers, the department has demanded that its own cyber experts be allowed to conduct rigorous and ongoing line-by-line examinations of the source code which makes up the system DoD just purchased.
“The recent OPM incident reaffirmed the requirements we’ve been going through over the last 22 months, which put contractors against aggressive information assurance requirements involving our own engineers,” Miller said. “We were asking the vendors for things they normally don’t provide to commercial customers. They had to demonstrate to us that they were scanning their software and showing us where their vulnerabilities are. And we have made it clearly known to the vendor that we’re going to be making sure we understand their security posture and that they can meet any emerging security requirements. This is an explicit part of the contract.”
DoD also needs to reach a decision about where to house the data its new EHR generates and draws upon. All of the patient data used by its legacy systems is currently hosted in government data centers managed by the Defense Information Systems Agency, but Miller said DoD is open to the idea of migrating those functions to commercial cloud environments if it can be done with the same security assurances and at lower costs.
“We’re going through an analysis of alternatives right now and we’re going to be coordinating closely with the DoD chief information officer on that,” Miller said. “We’re going to have those discussions and we hope to resolve them over the next couple months.”