
GAO: VA takes steps to protect data, but other IT progress stalls

The GAO outlined the progress the VA has made toward securing PHI and its open priority recommendations, including those related to the ongoing EHR modernization project.

While the Department of Veterans Affairs has made progress in its privacy and cybersecurity efforts, it has made little headway in the past year on priority recommendations to improve VA operations, including veteran health and benefits.

The U.S. Government Accountability Office released two reports assessing the VA's progress in various areas.

The report on privacy and cybersecurity efforts, released May 21, found that the agency has improved security protocols for protected health information. The Veterans Health Administration uses services provided by third-party business associates to receive, maintain or transmit PHI.

On reviewing 73 randomly selected PHI-sharing agreements that the VA signed with business associates, the GAO found that all of them included the 12 HIPAA Privacy Rule requirements for the use and disclosure of PHI.

The agency also took steps to protect the health information in a key system used within its Million Veteran Program, a national research effort. It assessed potential risks and secured data in transit and at rest within the system, the GAO found. However, the GAO noted that deficiencies remain in cybersecurity controls in certain areas, including asset and risk management and identity and access management.

Overall, the GAO made 13 privacy and cybersecurity recommendations in September 2025 to address these deficiencies. Of these, the VA has implemented nine.

Still, the VA's progress towards implementing the GAO's open priority recommendations is moving slowly, another report stated. The GAO's priority recommendations aim to help government departments save money, improve congressional or executive branch decision-making and eliminate mismanagement, fraud and abuse.

According to the GAO, the VA's implementation rate for recommendations was 88%; however, as of May 7, 2026, the VA still had 217 open recommendations, including 30 priority recommendations. The GAO had identified 29 priority recommendations for the VA in May 2025, including modernizing EHRs and improving care quality and safety. But the VA implemented only two recommendations, though it did not specify which ones. The VA added three new priority recommendations in May 2026, bringing the total to 30.

In a letter to VA Secretary Douglas Collins, the GAO highlighted three areas that warrant attention: improving healthcare quality and timely access, modernizing IT and enhancing acquisition management.

As part of its IT modernization recommendation, the GAO emphasized the VA's ongoing EHR project, which it stated "is crucial to helping VA effectively serve veterans." Among other recommendations, the GAO suggested that the VA independently update its total life cycle cost estimate and integrated master schedule for the EHR modernization project, as this "would help VA better understand and oversee this significant investment."

The VA's latest attempt at EHR modernization, which began in 2018, has faced significant challenges. But after renegotiating its contract with EHR vendor Oracle Health, the agency said it would complete the EHR implementation by 2031. It also plans to spend $1 billion on EHR maintenance and modernization, as well as facility preparation for future EHR upgrades.

Anuja Vaidya has covered the healthcare industry since 2012. She currently covers healthcare IT and innovation, including artificial intelligence, digital healthcare, EHRs and interoperability.
