File #: 5488
Type: Consent
Status: Passed
File created: 1/31/2022
Department: County Administrative Office
On agenda: 2/8/2022
Final action: 2/8/2022
Subject: Amendment to Agreement with Plante & Moran, PLLC for Privacy and Security Risk Analysis Services
Attachments: 1. CON-CAO-02082022-Plante Moran Amendment No. 2.pdf, 2. Item #29 Executed BAI, 3. 20-77-A-2 Executed Contract

REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS

OF SAN BERNARDINO COUNTY

AND RECORD OF ACTION

 

February 8, 2022

 

FROM

LEONARD X. HERNANDEZ, Chief Executive Officer, County Administrative Office 

 

SUBJECT                      


Amendment to Agreement with Plante & Moran, PLLC for Privacy and Security Risk Analysis Services


 

RECOMMENDATION(S)


Approve Amendment No. 2 to Agreement No. 20-77 with Plante & Moran, PLLC for Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act of 2009 Privacy and Security Risk Analysis services, with no change to the scope or not-to-exceed amount of $630,000, extending the agreement term by one year, for a total agreement period of February 11, 2020 through February 10, 2023.

(Presenter: Leonard X. Hernandez, Chief Executive Officer, 387-5417)


 

COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES

Improve County Government Operations.

Operate in a Fiscally-Responsible and Business-Like Manner.

Provide for the Safety, Health and Social Service Needs of County Residents.

 

FINANCIAL IMPACT

This item will not result in the use of additional Discretionary General Funding (Net County Cost). The original agreement amount included mandatory and optional costs that were included in the respective departments’ budgets and will be included in future recommended budgets as necessary.

 

BACKGROUND INFORMATION

In 1996, the United States Congress passed the Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191), a federal law designed to provide privacy and information security standards to protect patients’ medical records and other health information submitted to health plans, doctors, hospitals, and other health care providers (“covered entities”). Regulations have been implemented since the passage of HIPAA detailing the requirements placed upon covered entities in the areas of privacy and security [45 Code of Federal Regulations (CFR) parts 160 and 164]. The Health Information Technology for Economic and Clinical Health Act (HITECH)/Omnibus Rule, as part of the American Recovery and Reinvestment Act of 2009, expanded the provisions of HIPAA by creating data breach notification requirements and adding details such as holding healthcare providers’ business associates accountable for the same liability for data breaches as the providers themselves. Pursuant to HIPAA and its implementing regulations, covered entities are required to conduct an accurate and thorough assessment of the potential information security and privacy risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or its business associate (45 CFR §164.308(a)(1)(ii)(A)).

 

Pursuant to 45 CFR section 164.105, the County has designated itself as a hybrid entity and has designated the following 12 County departments as members of its Health Care Component (HCC): Arrowhead Regional Medical Center; Auditor-Controller/Treasurer/Tax Collector - Central Collections; Board of Supervisors (Board); County Administrative Office; County Counsel; Department of Aging and Adult Services (HIPAA covered programs only); Department of Behavioral Health; Department of Public Health; Human Resources - Employee Benefits and Services Division; Department of Innovation and Technology; Risk Management; and the Sheriff/Coroner/Public Administrator (HIPAA covered programs only). In an effort to achieve and ensure compliance with HIPAA/HITECH across all portions of the HCC, the County established minimum requirements in County Policy No. 14-03 and related standard practices. In accordance with the requirements of County Policy and standard practices, as well as HIPAA/HITECH, all HCC departments that manage, transmit, or store protected health information must participate in a HIPAA/HITECH Risk Analysis that meets the requirements of 45 CFR section 164.308(a) and that is conducted at a countywide level.

 

On February 11, 2020 (Item No. 31), the Board approved Agreement No. 20-77 with Plante & Moran, PLLC (Plante & Moran) to conduct a comprehensive HIPAA/HITECH Risk Analysis of network hardware, information systems, information technology security controls, and administrative policies and practices to meet regulatory compliance requirements for each HCC department in the amount of $603,000, for the period of February 11, 2020 to February 10, 2021.  On February 9, 2021 (Item No. 27), the Board approved Amendment No. 1 with Plante & Moran that expanded the scope of work to include the Sheriff/Coroner/Public Administrator consistent with that of the other County departments in the HIPAA/HITECH Risk Analysis, increased the agreement amount by $27,000, from $603,000 to $630,000, and extended the agreement end date to February 10, 2022.

 

The HIPAA/HITECH Risk Analysis has been completed, including the additional scope of work for the Sheriff/Coroner/Public Administrator, added as part of Amendment No. 1.  With the continued impacts of COVID-19 and unanticipated staffing issues experienced by Plante & Moran, additional time is required to review and approve the HIPAA/HITECH Risk Assessment and finalize findings and reports with the participating departments.

 

The recommended amendment and the underlying agreement provide for the safety, health and social service needs of County residents by ensuring privacy and information security standards to protect patients’ medical records and other health information are in place.

 

PROCUREMENT

Agreement No. 20-77 is based on an approved competitive procurement, as it is the result of a Request for Proposal Award.

 

REVIEW BY OTHERS

This item has been reviewed by County Counsel (Charles Phan, Deputy County Counsel, 387-5455) on January 21, 2022; Finance (Stephenie Shea, Administrative Analyst, 387-4919) on January 25, 2022; and County Finance and Administration (Matthew Erickson, County Chief Financial Officer, 387-5423) on January 25, 2022.