REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF THE COUNTY OF SAN BERNARDINO
AND RECORD OF ACTION
February 9, 2021
FROM
LEONARD X. HERNANDEZ, Chief Executive Officer, County Administrative Office
SUBJECT
Amendment to Agreement with Plante & Moran, PLLC for Privacy and Security Risk Analysis Services
RECOMMENDATION(S)
Approve Amendment No. 1, effective February 11, 2021, to Agreement No. 20-77 with Plante & Moran, PLLC for Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act of 2009 Privacy and Security Risk Analysis services, increasing the total agreement amount by $27,000, from $603,000 to a total not-to-exceed amount of $630,000 and extending the agreement term for one additional year, for an amended agreement term from February 11, 2020 through February 10, 2022.
(Presenter: Leonard X. Hernandez, Chief Executive Officer, 387-5417)
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Improve County Government Operations.
Operate in a Fiscally-Responsible and Business-Like Manner.
Provide for the Safety, Health and Social Service Needs of County Residents.
FINANCIAL IMPACT
This item will not result in the use of additional Discretionary General Funding (Net County Cost). The original agreement amount included mandatory and optional costs as listed in the table below. The additional services requested for the Sheriff/Coroner/Public Administrator (Sheriff) will add $27,000 to the agreement amount and will be funded within the Sheriff’s existing budget allocation for 2020-21.
Department | Mandatory Costs | Optional Costs | Total
Arrowhead Regional Medical Center | $199,829 | $25,000 | $224,829
County Administrative Office | $81,145 | $49,000 | $130,145
Department of Behavioral Health | $54,449 | $7,000 | $61,449
Department of Public Health | $56,954 | $7,000 | $63,954
Information Services Department | $107,623 | $15,000 | $122,623
Original Total | $500,000 | $103,000 | $603,000
Sheriff/Coroner/Public Administrator | $20,000 | $7,000 | $27,000
Amended Total | $520,000 | $110,000 | $630,000
BACKGROUND INFORMATION
In 1996, the United States Congress passed the Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191), a federal law designed to provide privacy and information security standards to protect patients’ medical records and other health information submitted to health plans, doctors, hospitals, and other health care providers (“covered entities”). Regulations have been implemented since the passage of HIPAA detailing the requirements placed upon covered entities in the areas of privacy and security (45 Code of Federal Regulations (CFR) parts 160 and 164). The Health Information Technology for Economic and Clinical Health Act (HITECH)/Omnibus Rule, as part of the American Recovery and Reinvestment Act of 2009, expanded the provisions of HIPAA by creating data breach notification requirements and added details such as holding healthcare providers’ business associates accountable for the same liability for data breaches as the providers themselves. Pursuant to HIPAA and its implementing regulations, covered entities are required to conduct an accurate and thorough assessment of the potential information security and privacy risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or its business associate (45 CFR §164.308(a)(1)(ii)(A)).
Pursuant to 45 CFR section 164.105, the County has designated itself as a hybrid entity and has designated the following eleven County departments as members of its Health Care Component (HCC): Arrowhead Regional Medical Center; Auditor-Controller/Treasurer/Tax Collector - Central Collections; Board of Supervisors; County Administrative Office; County Counsel; Department of Aging and Adult Services (HIPAA covered programs only); Department of Behavioral Health; Department of Public Health; Human Resources - Employee Benefits and Services Division; Department of Innovation and Technology; and Risk Management. In an effort to achieve and ensure compliance with HIPAA/HITECH across all portions of the HCC, the County established minimum requirements in County Policy No. 14-03 and related Standard Practices. In accordance with the requirements of County Policy and standard practices, as well as HIPAA/HITECH, all HCC departments that manage, transmit, or store protected health information must participate in a HIPAA/HITECH Risk Analysis that meets the requirements of 45 CFR section 164.308(a) and that is conducted at a countywide level.
An agreement with Plante & Moran, PLLC (Plante & Moran) was approved on February 11, 2020 to conduct a comprehensive HIPAA/HITECH Risk Analysis of network hardware, information systems, information technology security controls, and administrative policies and practices to meet regulatory compliance requirements for each HCC department. While limited aspects of this agreement were accomplished, many of the tasks were delayed due to the onset of the COVID-19 pandemic and will be accomplished during calendar year 2021, necessitating execution of the first agreement extension period. An additional one-year extension remains available once this extension is exercised.
Additionally, after review of current documentation it was determined that the Sheriff required the services of Plante & Moran in order to maintain compliance with HIPAA/HITECH and, therefore, a new scope of work is added, consistent with that of the other County departments included under this agreement.
PROCUREMENT
Agreement No. 20-77 is based on an approved competitive procurement, as it is the result of a Request for Proposal Award.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Kristina Robb, Deputy County Counsel, 387-5455 and Penny Alexander-Kelley, Chief Assistant County Counsel, 387-5455) on January 27, 2021; Finance (Stephenie Shea, Administrative Analyst, 387-4919; and Carolina Mendoza, Administrative Analyst, 387-5423) on January 28, 2021; and County Finance and Administration (Kelly Welty, Deputy Executive Officer, 387-5423) on January 28, 2021.