VA EHRM (Oracle Health): The Honest SDVOSB Subcontracting Map

What is EHRM in 2026?

EHRM is the VA’s effort to replace VistA, its 40-year-old legacy EHR, with the commercial Oracle Health Millennium platform. VA awarded Cerner the original ~$10 billion contract in May 2018; Oracle acquired Cerner for $28.4 billion in June 2022 and rebranded it Oracle Health. The product VA deploys is a single instance of Oracle Health Millennium — the same platform the Department of Defense runs as MHS GENESIS — coordinated across departments by the Federal Electronic Health Record Modernization (FEHRM) office. After the 2023 “reset” pause, the program restarted: the first 2026 wave went live April 11, 2026 at four Michigan sites (Ann Arbor, Battle Creek, Detroit, and Saginaw), with 13 sites planned for 2026, roughly 26 in 2027, and full deployment to ~170 sites targeted by 2031. The numbers are large and contested — a 2019 lifecycle estimate of $16.1 billion, a 2022 independent estimate of $49.8 billion, and a figure of about $37 billion cited in December 2025 — and Congress withheld 30% of the FY26 appropriation pending an updated cost estimate and schedule. That scale, and the scrutiny that comes with it, is exactly why this is prime-and-integrator territory, not a place a solo firm walks in the front door.

Where does AI and automation enter — and where doesn’t it?

Start with the hard line: the Oracle Health Millennium core — the build, the configuration, the clinical content — is Oracle’s, and it is not an SDVOSB target. Don’t pitch it. What surrounds it is a different story. The dual-run period through 2031, with more than 130 instances of VistA collapsing into one Federal EHR, creates persistent engineering work: HL7/FHIR interface validation and terminology mapping (SNOMED CT, LOINC, RxNorm); VistA-to-Oracle data-migration quality assurance; and deployment-readiness test automation. Ambient AI scribing is being integrated into the EHR workflow — VA’s Digital Health Office signed a sole-source contract with Abridge (about $5.4 million) out of the AI Tech Sprint, and the integration work around consent flow, note routing, and structured-code extraction is real surrounding scope (the contact-center and AI Tech Sprint spokes cover the adjacent pieces). There’s operational analytics on de-identified data; change-management and training content (Accenture’s integration scope explicitly names “change management and user adoption”); and — the cleanest wedge for a small firm — the M-25-21 governance documentation that any AI touching the EHR now requires. The pattern is the same one that holds across the REACH VET and contact-center spokes: the model and the platform belong to the program; the surrounding paperwork, validation, and bounded tooling are where a capable sub fits.

Who runs the program?

Four names, and a bench. Oracle Health holds the single-award EHRM IDIQ and owns the platform — not a target. Accenture Federal Services won a 4.5-year, roughly $439 million EHRM System Integration Support task on GSA’s Alliant 2 in November 2025, covering strategic integration, enterprise transformation, legacy continuity, and change management across the 164 remaining site migrations — with AI integration explicitly in scope. Booz Allen Hamilton holds the ~$860 million EHRM Program Management Office support task on T4NG (and, through its Liberty IT Solutions subsidiary, the data-migration work). Leidos subcontracts at VA EHRM and leads the DoD MHS GENESIS integration. And Oracle’s own subcontractor bench has long included SDVOSBs — AbleVets, MicroHealth, B3 Group, EM Key Solutions — with EM Key Solutions publicly placed on an EHRM PMO team doing program management, health information exchange, testing, and technical writing. That last point is the proof of concept: SDVOSBs already sit in EHRM-surrounding test, PM, and HIE work — as subs. For a brand-new firm, the path runs through these primes on T4NG2 (whose task orders began flowing in 2026 after the Court of Federal Claims cleared the protests), Alliant 2, SPRUCE, the new SDVOSB-set-aside IHT 2.0 IDIQ, and VETS 2 — formalized through teaming.

What’s the PHI and compliance boundary?

EHR data is the most sensitive PHI the VA holds — governed by 38 U.S.C. §§ 5701 and 7332, HIPAA, and the Privacy Act — so it lives inside the VA Enterprise Cloud (VAEC), a FedRAMP High environment on AWS GovCloud and Azure Government, with the Oracle EHR in the FEHRM-managed federal enclave. That’s the binding constraint on a Cloudflare-native firm: Cloudflare for Government is FedRAMP Moderate (with High in process and its AI suite slated for 2026), which means PHI-bearing EHR workloads cannot run on Cloudflare today. What a Cloudflare-native SDVOSB can do is the non-PHI layer — public and internal documentation, training, and content; edge security for non-PHI staff tooling; workloads inside a prime’s authorized boundary where Cloudflare is one component, not the system of record; and off-platform deliverables like governance documentation, test scripts, FHIR validation reports, and change-management content. And because any AI whose output is a principal basis for a healthcare decision is presumptively high-impact under M-25-21, every such use case around the EHR needs an AI Impact Assessment, a Risk Mitigation Plan, independent testing, and a use-case-inventory entry — work that is itself a fixed-fee, low-PHI deliverable. (CMMC, the question every new vendor asks, doesn’t apply — it’s DoD-only.)

Where will the money actually move?

Follow the oversight. EHRM is one of the most scrutinized programs in the federal government, and each finding generates corrective procurement. GAO reported in December 2025 that 16 of 18 of its EHRM recommendations remained open, and in early 2025 that roughly 1,800 configuration change requests were unaddressed and that only 13% of users believed the system made the VA as efficient as possible. VA OIG documented pharmacy-related data-transmission errors affecting roughly 250,000 patients (about 120,000 with ongoing mail-order inaccuracies), found 826 major performance incidents between go-live in 2020 and early 2024, and flagged interface-testing gaps before the Michigan rollout. None of that is a reason to sensationalize the program; it’s a map. Testing gaps generate test-automation work. Governance findings generate documentation work. Interface failures generate validation work. The bipartisan Senate concern and the FY26 funding hold mean the schedule could shift again — but they also mean corrective and readiness work keeps flowing.

So where does a new SDVOSB actually fit?

In the surrounding work, as a sub — and the table below is the honest version, with the PHI level and who stays in control made explicit.

Working with Truvisory

Truvisory is a brand-new SBA-verified SDVOSB founded by a combat veteran. We have no EHRM past performance — and on a program this scrutinized, pretending otherwise in a proposal voids the bid, so we don’t.

What we offer is bounded, fixed-scope sub-tier delivery under an EHRM prime: a 4–6 week M-25-21 governance documentation package; a 6–12 week FHIR interface validation and terminology-QA engagement; an 8–12 week deployment-readiness test-automation build on a non-PHI sandbox; or a 90-day change-management content / RAG help-bot engagement on training corpora — Cloudflare-native, FedRAMP-aware, never touching the EHR platform or hosting PHI ourselves. If you’re a prime on the Accenture, Booz Allen, T4NG2, or IHT 2.0 side of EHRM and you need that kind of sub, send us the SOW — we’ll respond in 48 hours with a fixed-scope, fixed-price proposal, or tell you honestly it’s outside our lane. For the rest of the playbook — the capability statement we’ll send, the buyer map showing which center awards what, and the RAG and claims capability siblings — start at the pillar.