San Bernardino header
File #: 1708   
Type: Consent Status: Passed
File created: 2/4/2020 Department: County Administrative Office
On agenda: 2/11/2020 Final action: 2/11/2020
Subject: v Agreement with Plante & Moran, PLLC for Privacy and Security Risk Analysis Services
Attachments: 1. CON-CAO-021120-HIPAA HITECH Privacy and Security Risk Analysis -Plante Moran 1.31.pdf, 2. Item #31 Executed BAI, 3. 20-77 Executed Contract

REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS

OF THE COUNTY OF SAN BERNARDINO

AND RECORD OF ACTION

 

February 11, 2020

 

FROM

GARY McBRIDE, Chief Executive Officer, County Administrative Office

         

SUBJECT                      

Title                     v

Agreement with Plante & Moran, PLLC for Privacy and Security Risk Analysis Services

End

 

RECOMMENDATION(S)

Recommendation

Approve Agreement with Plante & Moran, PLLC for Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act of 2009 Privacy and Security Risk Analysis services in an amount not to exceed $603,000 for the period of February 11, 2020 to February 10, 2021, with three, one-year options to extend.

(Presenter: Gary McBride, Chief Executive Officer, 387-5418)

Body

 

COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES

Improve County Government Operations.

Operate in a Fiscally-Responsible and Business-Like Manner.

Provide for the Safety, Health and Social Service Needs of County Residents.

 

FINANCIAL IMPACT

This item will not result in the use of additional Discretionary General Funding (Net County Cost). The total estimated cost for Plante & Moran, PLLC (Plante Moran) to conduct a Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) Privacy and Security Risk Analysis (HIPAA/HITECH Risk Analysis) services is $603,000. Adequate appropriation and revenue exist in the 2019-20 budgets for Arrowhead Regional Medical Center, County Administrative Office (CAO), Department of Behavioral Health, Department of Public Health, and Information Services Department to fund the $603,000 cost of this agreement and will be included in future recommended budgets. This HIPAA/HITECH Risk Analysis includes department costs for both technical (Mandatory) and non-technical (Optional) aspects of complying with privacy and security standards, as detailed in the table below.  

 

Department

Mandatory Costs

Optional Costs

Total

Arrowhead Regional Medical Center

$199,829

$25,000

$224,829

County Administrative Office

$  81,145

$49,000

$130,145

Department of Behavioral Health

$  54,449

$  7,000

$  61,449

Department of Public Health

$  56,954

$  7,000

$  63,954

Information Services Department

$107,623

$15,000

$122,623

Total

$500,000

$103,000

$603,000

 

The CAO budget will fund the anticipated $130,145 in Mandatory and Optional costs of the HIPAA/HITECH Risk Analysis for the Auditor/Controller-Treasurer-Tax Collector - Central Collections; Board of Supervisors (BOS); CAO; County Counsel; Department of Aging and Adult Services - Multipurpose Senior Services Program; Human Resources - Employee Benefits and Services Division; and Risk Management departments.

 

BACKGROUND INFORMATION

In 1996, the United States Congress passed the Health Insurance and Portability Accountability Act (HIPAA) (Public Law 104-191), a federal law designed to provide privacy and information security standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers (“covered entities”).  Regulations have been implemented since the passage of HIPAA detailing the requirements placed upon covered entities in the areas of privacy and security. (45 CFR parts 160 and 164). The Health Information Technology for Economic and Clinical Health Act (HITECH)/Omnibus Rule HITECH as part of the American Recovery and Reinvestment Act of 2009 expanded the provisions of HIPAA by creating data breach notification requirements and added details such as holding healthcare providers’ business associates accountable for the same liability of data breaches as the providers themselves.  Pursuant to HIPAA and its implementing regulations, covered entities, are required to conduct an accurate and thorough assessment of the potential information security and privacy risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity, or its business associate.  (45 CFR 164.308) (a)(1)(ii)(A).)

 

Pursuant to 45 Code of Federal Regulations (CFR) section 164.105, the County has designated itself as a hybrid entity and has designated the following eleven County departments as members of its Health Care Component (HCC):  Arrowhead Regional Medical Center, Auditor/Controller-Treasurer-Tax Collector - Central Collections; BOS; CAO; County Counsel; Department of Aging and Adult Services - Multipurpose Senior Services Program; Department of Behavioral Health; Department of Public Health; Human Resources - Employee Benefits and Services Division; Information Services Department; and Risk Management.  In an effort to ensure/achieve compliance with HIPAA/HITECH across all portions of the HCC, the County established minimum standards and practices for HIPAA/HITECH compliance in County Policy No. 14-03. In accordance with these standards, HCC departments that manage, transmit, or store protected health information must have a HIPAA/HITECH Risk Analysis that meets the requirements of 45 CFR section 164.308(a).   Approval of the agreement with Plante Moran will allow the County to contract for HIPAA/HITECH Risk Analysis services for departments designated as part of the HCC. 

 

Plante Moran will conduct a comprehensive HIPAA/HITECH Risk Analysis of network hardware, information systems, information technology security controls, and administrative policies and practices to meet regulatory compliance requirements for each HCC department. This will cover both Mandatory technical and Optional non-technical aspects of complying with information privacy and security standards to ensure the confidentiality and integrity of protected health information; as well as use, disclosure, and breach reporting adherence to ensure ePHI and related health records are properly safeguarded.  Within the Optional aspects of this HIPAA/HITECH Risk Analysis, each HCC department may request a HIPAA Privacy Rule Gap Analysis to determine whether certain controls or safeguards required by the HIPAA Privacy Rule are implemented, in addition to the option for a physical assessment.

 

PROCUREMENT

On December 18, 2018, a Request for Proposal (RFP No. CAO119-CAO4-3198) was released through the County’s Electronic Procurement System (ePro) to solicit agencies for HIPAA/HITECH Risk Analysis services. A total of twenty agencies attended the mandatory proposal conference held on January 15, 2019. The CAO received thirteen proposals in response to the RFP. 

 

All proposals received met the minimum qualifications and were reviewed and evaluated by an evaluation team comprised of staff from Arrowhead Regional Medical Center, Auditor-Controller/Treasurer/Tax Collector, Department of Behavioral Health, Department of Public Health, and Information Services Department. The evaluation of the proposals was based on the criteria referenced in the RFP, including, but not limited to qualifications and experience, technical review, references and cost. Based on evaluation of proposals, the following four agencies were selected for interviews.

 

Proposer

Location

CTEK Security, Inc. (Cynergistik)

Austin, TX

Global Information Intelligence, Inc.

Plano, TX

Moss Adams

Irvine, CA

Plante Moran

Southfield, MI

 

Based upon evaluation of the proposals and the interviews, the evaluation team recommends awarding a contract to Plante Moran to provide HIPAA/HITECH Risk Analysis services. No written protests were received.

 

REVIEW BY OTHERS

This item has been reviewed by County Counsel (Kristina Robb, Deputy County Counsel, 387-5455 and Penny Alexander-Kelley, Chief Assistant County Counsel, 387-5455) on January 30, 2020; Finance (Stephenie Shea, Administrative Analyst, 387-4919; Paul Garcia, Administrative Analyst, 386-8392; Joon Cho, Administrative Analyst, 387-5402; Christopher Lange, Administrative Analyst, 386-8393; and Amanda Trussell, Principal Administrative Analyst, 387-4773) on January 28, 2020; and County Finance and Administration (Matthew Erickson, County Chief Financial Officer, 387-5423) on January 28, 2020.