REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF THE COUNTY OF SAN BERNARDINO
AND RECORD OF ACTION
February 11, 2020
FROM
GARY McBRIDE, Chief Executive Officer, County Administrative Office
SUBJECT
Title v
Agreement with Plante & Moran, PLLC for Privacy and Security Risk Analysis Services
End
RECOMMENDATION(S)
Recommendation
Approve Agreement with Plante & Moran, PLLC for Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act of 2009 Privacy and Security Risk Analysis services in an amount not to exceed $603,000 for the period of February 11, 2020 to February 10, 2021, with three, one-year options to extend.
(Presenter: Gary McBride, Chief Executive Officer, 387-5418)
Body
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Improve County Government Operations.
Operate in a Fiscally-Responsible and Business-Like Manner.
Provide for the Safety, Health and Social Service Needs of County Residents.
FINANCIAL IMPACT
This item will not result in the use of additional Discretionary General Funding (Net County Cost). The total estimated cost for Plante & Moran, PLLC (Plante Moran) to conduct a Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) Privacy and Security Risk Analysis (HIPAA/HITECH Risk Analysis) services is $603,000. Adequate appropriation and revenue exist in the 2019-20 budgets for Arrowhead Regional Medical Center, County Administrative Office (CAO), Department of Behavioral Health, Department of Public Health, and Information Services Department to fund the $603,000 cost of this agreement and will be included in future recommended budgets. This HIPAA/HITECH Risk Analysis includes department costs for both technical (Mandatory) and non-technical (Optional) aspects of complying with privacy and security standards, as detailed in the table below.
Department |
Mandatory Costs |
Optional Costs |
Total |
Arrowhead Regional Medical Center |
$199,829 |
$25,000 |
$224,829 |
County Administrative Office |
$ 81,145 |
$49,000 |
$130,145 |
Department of Behavioral Health |
$ 54,449 |
$ 7,000 |
$ 61,449 |
Department of Public Health |
$ 56,954 |
$ 7,000 |
$ 63,954 |
Information Services Department |
$107,623 |
$15,000 |
$122,623 |
Total |
$500,000 |
$103,000 |
$603,000 |
The CAO budget will fund the anticipated $130,145 in Mandatory and Optional costs of the HIPAA/HITECH Risk Analysis for the Auditor/Controller-Treasurer-Tax Collector - Central Collections; Board of Supervisors (BOS); CAO; County Counsel; Department of Aging and Adult Services - Multipurpose Senior Services Program; Human Resources - Employee Benefits and Services Division; and Risk Management departments.
BACKGROUND INFORMATION
In 1996, the United States Congress passed the Health Insurance and Portability Accountability Act (HIPAA) (Public Law 104-191), a federal law designed to provide privacy and information security standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers (“covered entities”). Regulations have been implemented since the passage of HIPAA detailing the requirements placed upon covered entities in the areas of privacy and security. (45 CFR parts 160 and 164). The Health Information Technology for Economic and Clinical Health Act (HITECH)/Omnibus Rule HITECH as part of the American Recovery and Reinvestment Act of 2009 expanded the provisions of HIPAA by creating data breach notification requirements and added details such as holding healthcare providers’ business associates accountable for the same liability of data breaches as the providers themselves. Pursuant to HIPAA and its implementing regulations, covered entities, are required to conduct an accurate and thorough assessment of the potential information security and privacy risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity, or its business associate. (45 CFR 164.308) (a)(1)(ii)(A).)
Pursuant to 45 Code of Federal Regulations (CFR) section 164.105, the County has designated itself as a hybrid entity and has designated the following eleven County departments as members of its Health Care Component (HCC): Arrowhead Regional Medical Center, Auditor/Controller-Treasurer-Tax Collector - Central Collections; BOS; CAO; County Counsel; Department of Aging and Adult Services - Multipurpose Senior Services Program; Department of Behavioral Health; Department of Public Health; Human Resources - Employee Benefits and Services Division; Information Services Department; and Risk Management. In an effort to ensure/achieve compliance with HIPAA/HITECH across all portions of the HCC, the County established minimum standards and practices for HIPAA/HITECH compliance in County Policy No. 14-03. In accordance with these standards, HCC departments that manage, transmit, or store protected health information must have a HIPAA/HITECH Risk Analysis that meets the requirements of 45 CFR section 164.308(a). Approval of the agreement with Plante Moran will allow the County to contract for HIPAA/HITECH Risk Analysis services for departments designated as part of the HCC.
Plante Moran will conduct a comprehensive HIPAA/HITECH Risk Analysis of network hardware, information systems, information technology security controls, and administrative policies and practices to meet regulatory compliance requirements for each HCC department. This will cover both Mandatory technical and Optional non-technical aspects of complying with information privacy and security standards to ensure the confidentiality and integrity of protected health information; as well as use, disclosure, and breach reporting adherence to ensure ePHI and related health records are properly safeguarded. Within the Optional aspects of this HIPAA/HITECH Risk Analysis, each HCC department may request a HIPAA Privacy Rule Gap Analysis to determine whether certain controls or safeguards required by the HIPAA Privacy Rule are implemented, in addition to the option for a physical assessment.
PROCUREMENT
On December 18, 2018, a Request for Proposal (RFP No. CAO119-CAO4-3198) was released through the County’s Electronic Procurement System (ePro) to solicit agencies for HIPAA/HITECH Risk Analysis services. A total of twenty agencies attended the mandatory proposal conference held on January 15, 2019. The CAO received thirteen proposals in response to the RFP.
All proposals received met the minimum qualifications and were reviewed and evaluated by an evaluation team comprised of staff from Arrowhead Regional Medical Center, Auditor-Controller/Treasurer/Tax Collector, Department of Behavioral Health, Department of Public Health, and Information Services Department. The evaluation of the proposals was based on the criteria referenced in the RFP, including, but not limited to qualifications and experience, technical review, references and cost. Based on evaluation of proposals, the following four agencies were selected for interviews.
Proposer |
Location |
CTEK Security, Inc. (Cynergistik) |
Austin, TX |
Global Information Intelligence, Inc. |
Plano, TX |
Moss Adams |
Irvine, CA |
Plante Moran |
Southfield, MI |
Based upon evaluation of the proposals and the interviews, the evaluation team recommends awarding a contract to Plante Moran to provide HIPAA/HITECH Risk Analysis services. No written protests were received.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Kristina Robb, Deputy County Counsel, 387-5455 and Penny Alexander-Kelley, Chief Assistant County Counsel, 387-5455) on January 30, 2020; Finance (Stephenie Shea, Administrative Analyst, 387-4919; Paul Garcia, Administrative Analyst, 386-8392; Joon Cho, Administrative Analyst, 387-5402; Christopher Lange, Administrative Analyst, 386-8393; and Amanda Trussell, Principal Administrative Analyst, 387-4773) on January 28, 2020; and County Finance and Administration (Matthew Erickson, County Chief Financial Officer, 387-5423) on January 28, 2020.