REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF SAN BERNARDINO COUNTY
AND RECORD OF ACTION
July 23, 2024
FROM
MICHAEL BOWERS, Director, Human Resources Department
LYNN FYHRLUND, Chief Information Officer, Innovation and Technology Department
SUBJECT
Title
Agreements with Dovetail Software, Inc. for a Centralized Employee Relations Case Management Software as a Service Subscription
End
RECOMMENDATION(S)
Recommendation
1. Approve Master Subscription Agreement with Dovetail Software, Inc., including non-standard terms, for a centralized employee relations case management software as a service subscription to manage and track employee relations inquiries, incidents, and investigations; and to maintain compliance and safeguard the County’s employees’ confidential information, effective upon execution and continuing until all orders expire or are terminated, in the total contract amount of $220,500, for the contract period of July 23, 2024 through July 22, 2026.
2. Approve non-financial Health Insurance Portability and Accountability Act Business Associate Agreement with Dovetail Software, Inc., including non-standard terms, for a centralized employee relations case management software as a service subscription to manage and track employee relations inquiries, incidents, and investigations; and to maintain compliance and safeguard the County’s employees’ confidential information, for the contract period beginning July 23, 2024 until services are no longer provided or terminated by either party.
(Presenter: Michael Bowers, Director, 387-5570)
Body
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Promote the Countywide Vision.
Improve County Government Operations.
FINANCIAL IMPACT
Approval of this item will not result in the use of additional Discretionary General Funding (Net County Cost). The two-year cost for Dovetail Software as a Service (SaaS) subscription for centralized employee relations case management offered at a discounted rate under the Dovetail Software, Inc. (Dovetail) Master Subscription Agreement (MSA) is $220,500. Sufficient appropriation is included in the Human Resources Department (HR) 2024-25 budget and will be included in future recommended budgets.
BACKGROUND INFORMATION
Dovetail hosts all of its data and systems within the Amazon Web Services (AWS) cloud infrastructure which, in turn, maintains the physical security controls for its data centers. The Dovetail platform is designed as a SaaS application hosted by AWS. Dovetail’s core architecture takes advantage of AWS’s suite of security features. HR utilizes AWS security services such as GuardDuty, AWS Inspector, and SecurityHub for real-time monitoring, threat detection, and compliance reporting which help identify and promptly respond to any potential security incidents.
Dovetail is an HR service delivery platform that includes HR case management, employee case management, employee portal, HR knowledge management, and reporting and analytics that enables HR to achieve excellence in HR service delivery. Dovetail handles sensitive employee information that requires the need to sign a Business Associate Agreement (BAA) to ensure compliance with privacy regulations.
Dovetail’s centralized employee relations case management SaaS subscription platform will benefit HR’s employee relations case management processes, automate workflows, audit trails, and provide advanced reporting to track all HR employee relations cases. The Dovetail MSA sets the foundation for the relationship between Dovetail and HR by defining the basic parameters of HR’s subscription, such as the subscription term, the responsibilities of each party, payment terms, and other routine contractual expectations. The MSA acts as a safeguard for confidential information exchanged between parties. Confidential information includes a wide range of sensitive data related to HR’s technology, customers, business plans, promotional and marketing activities, finances and other business affairs including, but not limited to research, products, software, services, development, inventions, processes, specifications, designs, drawings, diagrams, marketing techniques, documentations, customer data, procedures, concepts, business policies, financial statements and third party information that HR is obligated to keep confidential. Dovetail offers extensive measures to safeguard client and client employee information.
Dovetail’s SaaS platform employs a comprehensive cybersecurity and information privacy program, leveraging industry best practices utilizing advanced cybersecurity features including appropriate physical security protections incorporated into this AWS infrastructure. The MSA ensures that communication and collaboration between HR and Dovetail are conducted securely, minimizing the risk of exposing confidential information. Dovetail’s Health Insurance Portability and Accountability Act (HIPAA) offerings align with the HIPAA regulatory obligations. By signing the BAA, Dovetail ensures compliance with information security privacy regulations related to handling of electronic Protected Health Information (ePHI), and Protected Health Information (PHI) when an employee voluntarily provides health information as part of an interactive process, meeting, or investigation. ePHI/PHI relates to specific health information stored, transmitted, or processed electronically as well as an individual’s health, treatment, or payment information that is maintained or transmitted by an organization covered by HIPAA.
The MSA is Dovetail’s standard commercial contract, which includes terms that differ from the standard County contract and omits certain County standard contract terms. While the parties negotiated certain terms to County standards, Dovetail would not agree to all County standard terms. The non-standard and missing terms include the following:
1. Dovetail’s maximum liability to the County is limited to $300,000, excluding Dovetail’s indemnification obligations, claims for bodily injury and death or damage to personal property.
• The County standard contract does not include a limitation of liability.
• Potential Impact: Claims could exceed the liability cap and the MSA amount leaving the County financially liable for the excess.
2. There is no termination for convenience.
• County Policy 11-05 requires that the County have the right to terminate the contract, for any reason, with a 30-day written notice of termination without any obligation other than to pay amounts for services rendered and expenses reasonably incurred prior to the effective date of termination.
• Potential Impact: The County can only terminate the MSA during the term for an uncured breach by Dovetail. Any attempted termination by County without cause could result in payment liability for the full MSA amount, which could result in payment liability where no funds are available due to lack of allocation or loss of funding.
The HIPAA BAA is Dovetail’s standard contract, which includes terms that differ from the standard County contract and omits certain County standard contract terms. While the parties negotiated certain terms to County standards, Dovetail would not agree to all County standard terms. The non-standard and missing terms include the following:
1. Dovetail’s maximum liability to the County for reasonable costs associated to a breach of the HIPAA Privacy Rule and indemnification obligations for Dovetail’s improper use, access, maintenance or disclosure of County protected health information are subject to the $300,000 limitation of liability in the BAA.
• The County standard Business Associate Agreement does not include a limitation of liability.
• Potential Impact: Claims could exceed the liability cap, leaving the County financially liable for the excess.
HR recommends approval of the MSA and HIPAA BAA to allow HR to leverage Dovetail’s solutions. These solutions will streamline HR processes, enhance the management of confidential information of County employees, and improve employee relations.
PROCUREMENT
Purchasing supports the non-competitive procurement of Dovetail best meeting the needs of HR and the County in terms of Employee Relations and Equal Employment Opportunity case management based on functional specification. Leveraging Dovetail’s employee relations system will provide case management tools, including investigative tracking, collaboration tools, tailored templates, data reporting and more. Other similar software products were evaluated, and an evaluation based on product offerings established that Dovetail was the ideal vendor due to its cost-effectiveness, compliance with the County’s technical and legal requirements, and provision of unlimited licenses with technical support.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Supervising Deputy County Counsel, 387-5455) on May 20, 2024; County Counsel (Richard Luczak, Deputy County Counsel 387-5455) on June 26, 2024; Innovation and Technology (Robert Pittman, Chief Information Security Officer, 388-5510) on April 30, 2024; Purchasing (Christina Reddix, Buyer III, 387-2060) on June 27, 2024; Risk Management (Gregory Utaszewski, Staff Analyst II, 386-9008) on June 27, 2024; Human Resources (Gina King, Human Resources Assistant Director, 387-5560) on June 27, 2024; Finance (Elias Duenas, Administrative Analyst, 387-4052) on July 2, 2024, (Abigail Grant, Administrative Analyst, 387-4603) on July 3, 2024; and County Finance and Administration (Paloma Hernandez-Barker, Deputy Executive Officer, 387-5423) on July 5, 2024.