Three weeks ago, a federal report declared that poor contracting is a "root cause" of the Cover Oregon health insurance exchange debacle.
More than $130 million has gone to California-based Oracle Corp., the main exchange IT vendor, under contracts that, according to the federal report, do "not have any leverage" to hold the firm accountable for missed deadlines or shoddy work.
So how did the project's weak contracting get that way?
State and exchange officials recently declined to discuss the contracting in detail, citing a soon-to-be released review of the fiasco by a consultant hired by Gov. John Kitzhaber. And while the state is starting to part ways with Oracle, officials haven't agreed on a future path.
Still, documents and earlier interviews describe significant irregularities with the contracts:
In the interest of speed, the Oregon Health Authority (OHA) used legal loopholes to get Oracle started on the project in 2011.
The state did not contract directly with Oracle, instead using a software-purchasing contract with a different company as a legal mechanism to pay Oracle.
After winning a federal grant in February 2011, the Oregon Health Authority vastly expanded Oracle's role to essentially build the IT project, but never issued a contract that reflected the project's full scope or cost.
OHA appears to have broken the mammoth project into small purchase orders to circumvent its own contracting rules.
Although the state Department of Administrative Services expressed concerns about the contracting process used by OHA, it had no control because of an exemption granted to OHA by the state Legislature.
OHA continued to issue weak contracts despite warnings from consultants and a state IT oversight analyst.
A whistleblower's March 2013 complaint alleging weak contracting and poor vendor oversight sparked no follow up by then-OHA director Bruce Goldberg or other state officials.
Health insurance exchanges are intended as one-stop shopping sites for people buying their own health coverage to compare plans, enroll and qualify for tax credits to reduce premiums.
Oregon secured a $47 million grant in February 2011 to develop one of the first exchanges in the nation. State officials promised to issue a contract in six weeks, a process that normally could take six months or more.
Officials tacked the exchange project onto an information-technology modernization project already contemplated by the Oregon Health Authority and its sister agency, the Department of Human Services. The agencies share an IT unit overseen primarily by OHA.
To save time, the state used a master software purchasing agreement with Dell to buy products and services from Oracle.
OHA officials consulted with DAS in June 2011 about its initial plan to use Oracle for its software products and some training for state workers. It chose Oracle for the project on July 1.
In the fall, a new OHA-DHS chief information officer, Carolyn Lawson, dramatically changed the project with Goldberg's approval. She canceled a plan to hire a "system integrator" firm to serve as general contractor for the exchange, instead giving all the work to Oracle as the main IT vendor.
The purchase orders issued to Oracle for the project frequently failed to include what's known as "deliverables" – clear descriptions of what Oracle agreed to produce for the money. Instead, they called for "time and materials" to be paid for by the state.
In February 2012, DAS Director Michael Jordan contacted OHA, to discuss his staff's concerns about the Oracle contract. Nothing was done after OHA's contracting officer reassured a Goldberg deputy that all was well.
In June 2012, the consultant Maximus issued its first quality assurance report. Because of poor contract invoicing, "payment to contractors may lack accountability," the report said. "Vendor contract management is an area of concern."
In September 2012, OHA issued four purchase orders the same day totaling $35 million. In its cover letter, OHA stated "Dollars must be split between four (purchase orders) because of ADPICS controls," referring to state contracting rules.
In October 2012, Maximus upped its concerns considerably, calling for a "detailed review of all current contracts."
It noted that 13 purchase orders had been issued for the project worth $57 million, including seven on the same day.
"From a project risk standpoint, the net effect ... is clear. The risks associated with this level of (time and materials) contracting for critical project resources is very high," the Maximus report stated.
Goldberg did not respond to a request to comment for this article. In the past, he has said he read the Maximus reports, but it was sometimes difficult to decipher what they meant.
In an Oct. 22, 2012 email to Goldberg and Lawson, the Legislature's IT oversight analyst Bob Cummings, also expressed concern, noting that "It is important to be able to show the federal government exactly how all grant funds are being spent, and to be able to tie all major IT expenditures to a detailed (statement of work)."
In March 2013, a state whistleblower using the assumed name "Sam Smith" emailed Goldberg, his DHS counterpart, Erinn Kelley-Siel, and several others.
It accused Lawson of " abusing and misusing state resources " by creating "an environment where millions of dollars are wasted through information technology contracts that do not have appropriate levels of vendor accountability, or the appropriate amount of independent oversight."
In an earlier interview, Goldberg said subordinates had complained about Lawson, but he considered them personality conflicts.
An OHA spokeswoman, Rebeka Gipson-King, said the Goldberg discussed the whistleblower complaint with Kelley-Siel, who forwarded the complaint to Lawson.
In an email to Cummings, Lawson called the accusations "at best, a misrepresentation."
Cover Oregon, the public corporation set up to oversee the exchange after it had been completed by the Oregon Health Authority, had intended to beef up the Oracle contracts. But in May 2013, it took over the project earlier than expected due to OHA grant mismanagement. As a result, the contracts remain largely unchanged.
Last month's federal review found that the contracts remain a problem.
"It appears that [Cover Oregon] does not have any leverage in their contract to make [Oracle] accountable for missing key deliverables," it said, adding that the contracts failed to spell out what work is required. "It appears that there is not a clear understanding between Cover Oregon and [Oracle] as to what the expected deliverables are."
Nick Budnick and Jeff Manning
©2014 The Oregonian (Portland, Ore.)