Pharmacy POS RFP - Draft

COUNTY OF SAN MATEO, CALIFORNIA

RFP #3000

REQUEST FOR PROPOSAL (RFP) for

CORRECTIONAL HEALTH SERVICES

INFORMATION SYSTEM

Correctional Health Services

300 Bradford Street

Redwood City CA 94063

Contact person:

Laurie Washer, Contract Administrator, lwasher@smcgov.org

Phone: (650) 363-4152

Proposals must be submitted and received by 4:00 PM, Monday October 15, 2012

REQUEST FOR PROPOSALS FOR

Integration of Correctional Health Services Information System

Proposals must be submitted to:

County of San Mateo

Correctional Health Services

300 Bradford Street

Redwood City, California 94063

Attention: Laurie Washer by 4:00 p.m. Monday, October 15, 2012

PROPOSALS WILL NOT BE ACCEPTED AFTER THIS DATE AND TIME.

This Request for Proposals (RFP) is not a commitment or contract of any kind.

The County of San Mateo reserves the right to pursue any and/or all ideas generated by this request. Costs for developing the proposals are entirely the responsibility of the Offeror(s) and shall not be reimbursed. The County reserves the right to reject any and all proposals, and to waive any requirements of this RFP when it determines that waiving a requirement is in the best interest of the County. All materials submitted in response to this RFP will become the property of the County.

Government Code Sections 6550 et seq., the “Public Record Act,” defines public record as any writing containing information relating to the conduct of the public business. The Public Record Act provides that public records shall be disclosed upon written request, and that any citizen has a right to inspect any public record, unless the document is exempted from disclosure.

THE COUNTY OF SAN MATEO CANNOT REPRESENT OR GUARANTEE THAT ANY INFORMATION SUBMITTED IN RESPONSE TO THIS RFP WILL BE CONFIDENTIAL. IF THE COUNTY RECEIVES A REQUEST FOR ANY DOCUMENT SUBMITTED IN RESPONSE TO THIS REQUEST, IT WILL NOT ASSERT ANY PRIVILEGES THAT MAY EXIST ON BEHALF OF THE PERSON OR BUSINESS ENTITY SUBMITTING THE PROPOSAL. IT IS THE RESPONSIBILITY OF THE PERSON OR BUSINESS ENTITY SUBMITTING THE PROPOSAL TO ASSERT ANY APPLICABLE PRIVILEGES OR REASONS WHY THE DOCUMENT SHOULD NOT BE PRODUCED.

TABLE OF CONTENTS

I. INTRODUCTION

A. PURPOSE OF THIS REQUEST FOR PROPOSAL

B. VISION

C. SUMMARY SCOPE OF WORK

D. SCOPE OF PROCUREMENT

E. PROCUREMENT

F. DEFINITION OF TERMINOLOGY

G. BACKGROUND INFORMATION

II. CONDITIONS GOVERNING THE PROCUREMENT

A. SCHEDULE OF EVENTS

Schedule

Target Date

B. TERMS AND CONDITIONS

C. RFP PROCESS DETAILS

III. RESPONSE FORMAT AND ORGANIZATION

A. NUMBER OF RESPONSES

B. NUMBER OF COPIES

C. PROPOSAL FORMAT

IV. SPECIFICATIONS

A. INFORMATION

B. TECHNICAL SPECIFICATIONS/FUNCTIONAL REQUIREMENTS

C. MANDATORY BUSINESS SPECIFICATIONS

V. EVALUATION CRITERIA

ATTACHMENT A: DESCRIPTION OF EXISTING PROGRAMS

ATTACHMENT C: SAMPLE COUNTY CONTRACT

APPENDIX A – PROPOSAL COST RESPONSE FORM

APPENDIX B – TECHNICAL FUNCTIONAL REQUIREMENTS

APPENDIX C – SECURITY FUNCTIONAL REQUIREMENTS

APPENDIX D – FUNCTIONAL REQUIREMENTS RESPONSE FORM

APPENDIX E – SYSTEM INTEGRATION REQUIREMENTS RESPONSE FORM

APPENDIX F – SECURITY ASSESSMENT CHECKLIST

APPENDIX G – DESIGNATION OF SUBCONTRACTORS

APPENDIX H – BUSINESS ASSOCIATE AGREEMENT (HIPAA)

APPENDIX I – CONTRACTOR ACCESS SECURITY STATEMENT

APPENDIX J – NON-COLLUSION DECLARATION

I. INTRODUCTION

A. PURPOSE OF THIS REQUEST FOR PROPOSAL

The County of San Mateo (hereafter, “County”) is requesting proposals from qualified suppliers to provide, install, implement, support and maintain a Correctional Health Services Information System for the San Mateo County Correctional Health Services Division. The System should provide the following:

Captures extensive demographic information

Automated statistical reporting and documentation

HIPAA compliant solution

Robust functionality

Comprehensive centralized monitoring

Configurable alarm (tickler) monitoring, with audible and visual notification modes

Integrated reporting

Interoperability with various Management Information Systems

Scalable and reliable solution, with a minimum of 99.9% availability (verifiable by analysis)

Intuitive and user-friendly interface which facilitates ease of use

We are seeking proposals for an integrated solution - the installation of computer hardware and software (with some modifications or customization if required), as well as training of County staff in use and maintenance of the software.

Only proven system software products will be considered. Professional services to design and develop a system will not be considered.

This RFP shall result in a single source award.

B. VISION

The County’s vision is to implement a Correctional Health Services Information System that supports the client care, monitoring and documentation needs of the Correctional Health Services Division. The Correctional Health Services Information System will provide a unified interface, which will streamline the use and reporting of information, and enhance our information system for our County staff and other County agencies.

C. SUMMARY SCOPE OF WORK

The installation shall consist of planning, organizing and implementing the hardware and software system and interfaces on the servers that may be provided by the contractor, and integrating with County supplied equipment, training County users and technical support staff in the use and operation of the system and providing technical support and maintenance upgrades.

D. SCOPE OF PROCUREMENT

The scope of this solicitation includes the equipment, software and support services required for the installation and operation of the system, which will include, but not be limited to, hardware upgrades required to maintain adequate system operational performance, software or additional software programs, data files, enhancements, modification, systems or control software, and utilities as well as hardware and software training, maintenance, technical support, documentation, and any other directly related professional services.

The initial contract shall be for a term of one (1) calendar year with an option to renew.

Software licensing and maintenance agreements must survive the expiration of the contract.

E. PROCUREMENT

The County has designated a Contract Administrator who is responsible for the conduct of this procurement whose name, address, and telephone number are listed below:

County of San Mateo

Correctional Health Services

300 Bradford Street

Redwood City CA 94063

Attention: Laurie Washer

Telephone: (650) 363-4152

All deliveries via express carrier should be addressed as follows:

County of San Mateo

Correctional Health Services

300 Bradford Street

Redwood City CA 94063

Attention: Laurie Washer

Any inquiry or request regarding this procurement should be submitted to the Contract Administrator in writing.

F. DEFINITION OF TERMINOLOGY

This section contains definitions that are used throughout this procurement document, including appropriate abbreviations.

“County” means the County of San Mateo

“Base System” means the assembly of computer equipment and an operational group of computer programs that will perform, without modification, a significant portion of the functional requirements contained in this RFP. The base system must include system interfaces and may include contractor supplied third party software required for the maintenance or operation of the base system.

“Contract” means an agreement for the procurement of items of tangible personal property or services.

“Contractor” means successful offeror who enters into a binding contract.

“Determination” means the written documentation of a decision of a procurement officer including findings of fact supporting a decision. A determination becomes part of the procurement file to which it pertains.

“Desirable”— The terms “may,” “can,” “should,” “preferably,” or “prefers” identify a desirable or discretionary item or factor (as opposed to “mandatory”).

“Equipment” means computer equipment and peripherals as well as any required network equipment or appliances required for the effective operation of the base system plus modifications or customization as required to meet the requirements of this solicitation.

“Evaluation Committee” means a body appointed by the County management to perform the evaluation of offeror proposals.

“Finalist” is defined as an offeror who meets all the mandatory specifications of the Request for Proposal and whose score on evaluation factors is sufficiently high to qualify that offeror for further consideration by the Evaluation Committee.

“Interface” means the transmission of data that will allow for efficient and logical interaction with other applicable systems.

“Mandatory” - The terms “must,” “shall,” “will,” “is required,” identify a mandatory item or factor (as opposed to “desirable”). Failure to meet a mandatory item or factor will result in the rejection of the Offeror(s) proposal.

“Offeror” or “Offeror(s)” is any person, corporation, or partnership who chooses to submit a proposal.

“PST” means Pacific Standard Time or Pacific Daylight Time.

“Request for Proposals” or “RFP” means all documents, including those attached or incorporated by reference, used for soliciting proposals.

“Services” means maintenance, training, installation, technical support, site analysis, configuration analysis, and operational assistance of the base system.

G. BACKGROUND INFORMATION

San Mateo County, Correctional Health Services Division

Correctional Health Services is the division of the San Mateo County Health System (SMCHS) that provides integrated medical, pharmaceuticals, dental, mental health, chemical dependency treatment, food and nutrition to the incarcerated adult population along with medical and dental care to the juvenile hall population of San Mateo County.

Information Services Department

The SMCHS Information Services Department is responsible for all systems and applications planning, development and support within SMCHS. Business units comprising Information Services (IS) are:

Analysis and Support

Clinical Informatics

Managed Care Systems

Health System Applications

Integration, Development and Support (IDS)

IS Planning and Business Development

Technical Services

Note: The software/hardware solution must work with State-mandated compliance and regulatory directives.

Information Services Technical Environment

Information about our Information Technology environment is contained in Section IV.B.4.

II. CONDITIONS GOVERNING THE PROCUREMENT

This section of the RFP contains the schedule for the procurement and the conditions governing the procurement.

A. SCHEDULE OF EVENTS

The Contract Administrator will make every effort to adhere to the following schedule:

Schedule: Target Date

RFP sent to potential contractors: September 10, 2012

Last day for questions to be submitted: October 1, 2012

Answers to all questions published: October 8, 2012

Proposal Due: October 15, 2012

Proposal Review Process: October 16, 2012

Product review: November 26, 2012

Vendor selection: January 31, 2010

Review/Approval by the Board of Supervisors, CMO, County Counsel: June, 2013

Contract begins: July 1, 2013

B. TERMS AND CONDITIONS

If an Offeror fails to satisfy any of the requirements identified in this RFP, the proposal may be considered non-responsive and the proposal may be rejected. As of the issuance date of this RFP and continuing until the final date of proposals, all County personnel are specifically directed not to hold meetings, conferences or technical discussions with any Offeror for the purposes of responding to this RFP. Any Offeror found to be acting in any way contrary to this directive shall be disqualified from entering into any contract that may result from this RFP.

If an Offeror discovers any ambiguity, conflict, discrepancy, omission, or other error in the RFP, he/she shall immediately notify the County of such error in writing and request modification or clarification of the document. Modifications will be made by addenda issued as stated below. Clarifications will be given by written notice to all parties who have been furnished an RFP for proposal purposes, without divulging the source of the request for same. Insofar as practical, the County will give such notices to other interested parties, but the County shall not be responsible therefor.

If an Offeror fails to notify the County of an error in the RFP prior to the date fixed for submission, he/she shall propose at his/her own risk, and if he/she is awarded the contract, he/she shall not be entitled to additional compensation or time by reason of the error or its later correction.

The County may modify the RFP prior to the fixed date for submission of proposals by issuance of an addendum to all parties who have received the RFP. The County reserves the right to accept other than the lowest price and to negotiate with Offeror on a fair and equal basis when the best interests of the County are served by so doing. The County reserves the right to cancel the RFP in part, or in its entirety, at any time.

All proposals shall be firm offers, and will be so considered by the County. Proposals shall be considered valid offers for a period of six months following the close of the RFP on October 15, 2012.

The County reserves the right to waive any irregularities and technicalities within a proposal and may, at its sole discretion, request a clarification or other information to evaluate any or all proposals. The County reserves the right to accept the proposals of any or all of the items it deems, at its sole discretion, to be in the best interest of the County. The County reserves the right to reject any and/or all items proposed.

C. RFP PROCESS DETAILS

1. Proposal Clarification and Questions

Any questions regarding clarification or intent of the RFP must be submitted by 4:00 P.M. PST on October 15, 2012 via e-mail to: lwasher@smcgov.org. Type “RFP Clarification” on the Subject Line. Any questions received after that date and time will not be addressed. The Contract Administrator will not respond to questions submitted in any other manner or format.

Answers to submitted questions will be made available to all known prospective Offeror(s).

2. Proposal Submission Process

Proposals shall determine the Offeror(s) capability of rendering the requested services. All proposals must be received for review and evaluation by the Contract Administrator no later than 4:00 P.M. Pacific Standard Time (PST) on October 15, 2012. Proposals are to be received at the time and place specified in Section 2.C.b. All received proposals will be time stamped.

a) Proposal Preparation

Proposals must be on company letterhead and must address all the requirements and specifications in Section III in the same order as listed in the Section. One original proposal and five (5) copies must be submitted along with one copy of the entire proposal on CD-ROM. All proposals must be signed with the company name, and by a responsible officer or employee. Obligations assumed by such signature must be fulfilled. An unsigned proposal may be rejected.

Offeror(s) shall adhere to the specified content and sequence of information used in this RFP.

Proposal should specifically address each of the items listed under Section IV.B, “Technical Specifications/Functional Requirements.” Materials and data not specifically requested for evaluation should not be interwoven throughout each section. Label such material as “Additional Data”.

Proposals should include a one-page cover letter that includes the address, tax identification number, company voice and fax phone numbers, email address of the person or persons to be used for contact and name of person who is authorized to represent the Offeror.

Proposals should include current certificates of insurance indicating liability insurance of a minimum of $1,000,000 for each of the following: Comprehensive, General, Motor Vehicle, Professional, and Workers’ Compensation. The County must be named as additional insured.

b) Proposal Delivery

Proposal must be received no later than 4:00 P.M. on Monday, October 15, 2012.

Proposals sent via e-mail, facsimile, or any other electronic means, as well as proposals received after the due date, will not be considered. Send proposal to:

County of San Mateo

Correctional Health Services

300 Bradford St

Redwood City CA 94063

Attention: Laurie Washer

3. Evaluation Process

County will put each proposal through a process of evaluation to determine the Offeror(s) responsiveness to County’s needs. Part of the process is an evaluation and recommendation by an RFP committee. A list of some of the evaluation criteria can be found in Section IV.

Proposals will be screened and a group of finalists selected for additional review. Additional review may include a product demonstration, one or more panel interviews, and/or site visit.

The County may require the presence of an Offeror(s) representative for answering specific questions, orally and/or in writing. The Committee’s recommendation may be rejected or accepted by the Health System Chief.

4. Award Process

The County reserves the right, before awarding the contract, to require Offeror(s) to submit evidence of qualifications or any other information the County may deem necessary. A contract, if awarded, will be negotiated with the Offeror who can best meet the County’s needs.

If the Offeror chooses not to accept the County’s contract, the Offeror is requested to explain, in writing, its objections to accepting the County’s contract as written.

For the services requested, the County will execute a contract upon approval by the Board of Supervisors. The contract shall be interpreted, construed and given effect in all respects according to the laws of the State of California. All the terms, conditions and technical specifications stated in the RFP shall be construed to be a condition of the contract.

After contract signing, but prior to initiation of any work effort, the County may require a sixty (60) day period for confirmation of assumptions and development of specifications. The County will assume that this task has been considered by Offeror and is included in their cost estimates.

5. Inability to Negotiate a Contract

The successful Offeror and the County will negotiate a contract for submission to the County’s Board of Supervisors for consideration and possible approval. If a satisfactory contract cannot be negotiated, the County may begin, at its sole discretion, contract negotiations with one or more of the remaining Offeror(s).

6. Protest Process

An Offeror must submit a written protest to the Health System Chief at the address listed below within five (5) business days after receipt of a letter informing such Offeror that their proposal has not been selected. Protests shall state the specific grounds for the protest. Address protests to:

Jean Fraser, Chief

San Mateo County Health System

225 37th Avenue

San Mateo, CA 94403

The Health System Chief will respond to the protest within seven (7) business days of its receipt. The decision of the Health System Chief is final.

III. RESPONSE FORMAT AND ORGANIZATION

A. NUMBER OF RESPONSES

Offeror(s) must submit only one proposal.

B. NUMBER OF COPIES

Offeror(s) shall provide one original and five (5) identical copies of their proposal Binder 1, one original and five (5) copies of their proposal Binder 2, and one original and three (3) copies of their proposal Binder 3 to the location specified in Section I, Paragraph E on or before the closing date and time for receipt of proposals.

All of the original binders must be stamped “original”. Original binders 1, 2 and 3 must contain all of the required signatures from the Offeror. The remaining sets should be copies of the original.

Offeror(s) must also provide one electronic copy of their proposal Binder 1, Binder 2 and Binder 3 in CD-ROM format, prepared using Microsoft Office, Word and Excel. The CD must be included in original Binder 1. The CD containing the Project Work Plan in Microsoft Project Format must be included with the original in Binder 1. One copy of the magnetic media (CD) is required.

C. PROPOSAL FORMAT

All proposals must be typewritten in 12-point font, on standard 8 ½ x 11 paper (larger paper is permissible for charts, spreadsheets, etc.) and placed within a binder with tabs delineating each section. Hard copies should utilize both sides of the paper where practical.

1. Proposal Organization

The proposal must be organized and indexed in the following format and must contain, at a minimum, all listed items in the sequence indicated.

Binder 1 Content:

1. Letter of Transmittal

2. Table of Contents

3. Executive Summary

4. Offeror Experience/Information

5. Project Management and Key Personnel List

6. System Operational Service and Support Requirements

7. Past Performance / References

8. Alternatives

9. Technical Functional Requirements Response

10. Functional Requirements Response Form

11. System Integration Requirements Response Form

12. Value Added Services (Optional)

13. Oral Presentation and Demonstration, including Statement of Concurrence

14. Technical Resources Response

15. Magnetic Media (CDs)

16. Other Materials to improve proposal quality

1. Proposal Preparation Instructions

Binder 2 Content:

1. SOW - Project Work Plan

2. SOW - Training Plan

3. System Documentation

4. Acceptance Plan

5. Risk Management

6. Security Assessment Checklist

7. Business Associate Agreement (HIPAA)

8. Contractor Access Security Statement

9. Other Supporting Materials including Technical System Documentation, System Hardware Specifications, Samples or Examples

Binder 3 Content:

1. Financial Stability

2. Proposal Cost Specification Form(s)

3. License / Purchase Agreement

4. Warranty and Maintenance

5. Software in Escrow

6. Designation of Subcontractors and Non-Collusion Declaration

7. Response to Agency Terms and Conditions

8. Offeror(s) Additional Terms and Conditions

Within each section of their proposal, Offeror(s) should address the items in the order in which they appear in this RFP. All forms provided in the RFP must be thoroughly completed and included in the appropriate section of the proposal. All discussion of proposed costs, rates, or expenses must occur only in Binder 3 with the cost response form.

The proposal summary may be included by Offeror(s) to provide the Evaluation Committee with an overview of the technical and business features of the proposal; however, this material will not be used in the evaluation process unless specifically referenced from other portions of the Offeror(s) proposal.

Offeror(s) may attach other materials that they feel may improve the quality of their responses. However, these materials should be included as items in a separate appendix in Binder 1.

Any proposal that does not adhere to these requirements may be deemed non-responsive and rejected on that basis.

IV. SPECIFICATIONS

This section contains specifications and relevant information Offeror(s) should use for the preparation of their proposals. Offeror(s) should thoroughly respond to each specification.

A. INFORMATION

1. County Resources

The following resources will be provided to contractor personnel for use on this contract:

Temporary work space

Use of telephone and access to a network printer

Use of copiers and fax machines

Server facility

The contractor must provide its personnel with the required computing equipment.

2. Work Performance

For the purpose of preparing proposals, Offeror(s) are to assume that all on-site work (if any) will be performed at the following locations:

1. ISD Data Center, 222 West 39th Ave, San Mateo, CA

2. ISD Data Center, 455 County Center, Redwood City, CA

3. County Training Room, 455 County Center, Redwood City, CA

3. Technical Resources

For the purpose of preparing proposals, Offeror(s) are to assume that the proposed system will be installed and operated in the technical environment described in Section IV.B.4.

For the purpose of preparing proposals, Offeror(s) must indicate the resources and associated skill levels required throughout the system implementation (i.e. server group – build server, install OS, etc.; desktop support – install client, etc.; network group – assign network IP, etc.).

4. Tasks and Timeframe

For the purpose of preparing proposals, Offeror(s) are to assume that the proposed system will be in full operation by 08/16/2015. The contract is scheduled to begin on 01/20/2014.

The contract deliverables are to be implemented in the following order:

Project Phase: Phase I, Phase II, Phase III, Phase IV, Phase V, Phase VI

Phase Description:

Final Project Plan including Acceptance Test and Training Plans

System installation for Correctional Health Services Information System

Data conversion (If deemed necessary)

Equipment and Software Install and full build/configuration

User and operational training

Acceptance testing

System In Operation/“Go-Live”

Interface implementation, testing and integration

5. Interfaces

For the purpose of preparing proposals, Offeror(s) are to assume that the system interfaces to the following listed systems will be required. Offeror(s) must provide any data file format requirements required to meet the specifications.

eClinical Works by E-Clinical Works, the Ambulatory Electronic Medical Record System used by San Mateo Medical Center for outpatient information tracking

CJIS by In-house/Clerity, the Criminal Justice Information System used by the Sheriff’s Office and other criminal justice departments of the County

Invision by Siemens, the patient management and patient accounting system used by San Mateo Medical Center

JCMS by In-house/Clearwave, the Juvenile Case Management System used by the Sheriff’s Office and other departments of the County

Avatar by Netsmart Technologies, the Electronic Medical Record System used by the Behavioral Health & Recovery Services department

6. Data Conversion

For the purpose of preparing proposals, Offeror(s) are to assume that data file conversion will be required.

7. Acceptance Test

For the purpose of preparing proposals, Offeror(s) are to assume that five (5) user agency FTE composed of both technical and user personnel resources will be available for acceptance testing.

8. User Training

For the purpose of preparing proposals, Offeror(s) are to assume that twenty to one hundred (20-100) user agency personnel will require user training. This number includes trainers that may be deployed to train additional County personnel.

9. Project Management

The contractor will be responsible for supplying expertise and leadership for the professional project planning of all tasks required for the success of this project through a single project manager. The completion of these tasks must be cooperatively managed by the Offeror(s) project manager and the designated County Project Manager.

This project involves new technology for the County and the County is relying on the Offeror(s) project manager for planning, implementation, support, communication and leadership to ensure success and timely identification of problems.

The meetings will focus on discussing project progress, risk management, problem areas, next steps and future plans. Meeting minutes, action items, item/issues discussed and outstanding issues will be documented and distributed after each meeting by the County Project Manager.

The successful offeror shall provide all installation labor and Project Management. The successful Offeror(s) Project Manager will meet with a designated SMHS Project Manager on a mutually agreed upon schedule to review project status and to identify and resolve any pending issues or problems; other members of the project team or County staff may be added to the list of required attendees as deemed appropriate.

B. TECHNICAL SPECIFICATIONS/FUNCTIONAL REQUIREMENTS

The County is seeking a contractor with an integrated solution – a system consisting of all equipment and software necessary to satisfy our functional and technical requirements and capable of providing the stated capacity and service levels as well as the training and technical support required to maintain the system in an operational status. The technical requirements are defined in the Technical Functional Requirements (Appendix B). The functional requirements are defined in the Functional Requirement Response Form (Appendix D). The integration requirements are defined in the System Integration Requirement Response Form (Appendix E).

1. Explanation of Technical and Security Functional Requirements (Appendix B & Appendix C).

Offeror(s) must complete and submit with their proposals the Technical and Security Functional Requirements, responding in a thorough narrative supported by references to the technical and security documentation. The response will permit the Evaluation Committee the ability to fairly evaluate the functionality of the proposed systems.

2. Complete Functional Requirements Response Form (Appendix D)

Offeror(s) must complete and submit with their proposals the Functional Requirements Response Form. All specifications designated as “M” for mandatory must be included in the proposed system.

Response Codes — Place the appropriate letter designation in the “Availability” column according to the following codes and their description:

Y. Specification is one that currently exists in the proposed software in the current production version (name version release). This requirement can be demonstrated at an installed client site in general release.

A. Specification is not part of the proposed software but is available at an additional cost that is not included in the County’s price. This requirement can be demonstrated at an installed client site in general release.

B. Specification is not in the proposed software but is a planned or future enhancement or will be added at no additional cost. Specify in the comment section if this feature is under development, beta or alpha testing and indicate expected general release date.

C. Specification is not part of the proposed software but will be added at additional cost included in the County’s price. All such additional costs must be reported on an attachment to the cost response form.

N. Specification is not available in the proposed software.

Reference — Write the location (Binder/Section/Page Number) of the discussion of the specification in the Offeror(s) proposal. Technical materials may be submitted as part of the proposal.


3. System Integration Requirements Response Form (Appendix E)

Offeror(s) must complete and submit with their proposals the Systems Integration Requirements Response Form.


4. Technical Environment

SAN MATEO HEALTH SYSTEM

Information Services – Technical Services

Technical Standards – Intel Platform

SERVER

Operating system: Windows 2008 R2
Hardware: Dell 11th and 12th generation servers. Rack-mount servers, no blades.
Backup: CommVault Simpana
Server redundancy/cluster: Some MSCS in the environment.
Disk array: RAID 1, RAID 5, RAID 6, RAID 10

DESKTOP/LAPTOP HARDWARE

Mid-level PC with 17” – 19” monitor: Mixture of Dell Optiplex 745’s up to Optiplex 790’s with 17” and 19” monitors
Small footprint PC with flat 17” – 19” LCD panel monitor (where space limitations require small footprint): Mixture of Dell Optiplex 745’s up to Optiplex 790’s with 17” and 19” monitors
Monitor settings: Standard
Laptop: Dell Latitudes E6400 series
Docking station: Standard port replicator from Dell

DESKTOP/LAPTOP SOFTWARE

Operating System: Microsoft Windows XP Professional, Windows 7
Office applications: Office 2003 – Office 2010
Email: Novell Groupwise Version 8 backend. Clients 7.x up to 8.x
Terminal emulation: Attachmate 8 sp1
PDF reader: Adobe Reader 9+
Internet browser: IE 7 up to IE 8
Antivirus: McAfee 8 to 8.8i with EPO Agent 4.6
Java: Various versions
Encryption (Laptop Only): Guardian Edge and/or Symantec and/or McAfee

PRINTERS

Laser: Mostly HP ranging from 4000 to 4515’s.
Impact: Okidata. Very few in use.
Label: Zebra/Eltron

Technical Standards – Proprietary Platform (Midrange)

COMMUNICATION

Protocol: Ethernet, TCP/IP

Topology: Star from client to switch

Routers/ switches

Bandwidth – network

Bandwidth – to the desktop

Cisco

Backbone

Cable to the desktop

Optiman

Typically 100 Mbps

Varied from 100Mbps to 1Gbps between campuses (Optiman):

1. Between the RWC Hall of Justice and Sheriff Work Program/Women's Jail, it is a 100Mbps connection.

2. Between RWC Hall of Justice and Maguire, it is 1Gbps.

3. The INET Link between RWC and SMMC is 1Gbps.

Typically 100 Mbps

Database Standards

Database Management System:
MS SQL Server 2005/2008/2012
Oracle 10/11/12
MySQL 5.5/5.6
Cache 2008

C. MANDATORY BUSINESS SPECIFICATIONS

Offeror(s) shall respond to each specification. All specifications are mandatory. The response should be in the form of a thorough narrative, the submission of a completed form or other required or desired information described in the specification. The response to the specification along with appropriate supporting materials will be evaluated and awarded points accordingly.

1. Offeror Experience/Information

The Offeror shall include in their proposal a statement of relevant experience. The Offeror should thoroughly describe, in the form of a narrative, its experience and success as well as the experience and success of subcontractors, if applicable, in providing and/or supporting the proposed system.

In addition, Offeror(s) are required to provide the following information:
a. Offeror(s) shall provide the company name, business address, including headquarters and all local offices, and telephone numbers.
b. Offeror(s) shall indicate any offices or facilities located within the County of San Mateo that substantially and directly enhance the Offeror(s) ability to perform the proposed contract.
c. Offeror(s) shall provide a description of the Offeror(s) organization, including names of principals, number of employees, client base, areas of specialization and expertise, and any other information that will assist the Evaluation Committee in formulating an opinion about the stability and strength of the organization.
d. Offeror(s) shall provide the name of the jurisdiction in which the Offeror is organized and the date of such organization.
e. Offeror(s) shall provide specifics on the number of certified local (stationed in greater Bay Area) technicians.
f. Offeror(s) shall provide a description of the depth of their experience installing and supporting the proposed system.
g. Offeror(s) shall provide a discussion of the type and duration of the business relationship with the manufacturer(s) whose products are included in the proposed systems.

2. Project Management and Key Personnel

Given the information provided in Section IV.A., Offeror(s) shall address each of the following specifications in their proposal:
a. Offeror shall include the management plan the offeror intends to employ for the project and an explanation of how it will support the project requirements and logically lead to the required deliverables. The description shall include the organization of the project team, including accountability and lines of authority.
b. Offeror(s) shall describe how the relationship between using agency and offeror will be managed from an account and technical support perspective.
c. Offeror(s) shall describe what is required of using agency to ensure the successful implementation of the system.
d. Offeror(s) shall include the steps that they would undertake to identify and resolve any issues or problems before, during or after the implementation.
e. Offeror(s) shall describe how they would implement a short pilot project as part of the implementation process.
f. Offeror(s) shall provide resumes, experience narratives and at least one reference for key personnel who will be assigned to the project, if awarded the contract. Key personnel include the project manager, lead (appearing on-site) maintenance and support technician(s) and lead trainer(s). They may be the Offeror(s) employees or employees of subcontractors.
g. The references shall include the following information:
   i. Name of the contact person;
   ii. Name of the company or governmental entity;
   iii. Address of the contact person;
   iv. Telephone number of contact person;
   v. Email address of the contact person;
   vi. A description of the services provided and dates the services were provided.
h. The experience narratives should include relationship with the Offeror, including job title and years of employment with the Offeror; role to be played in connection with the proposal; manufacturer certifications; relevant experience, other certificates or other achievements relevant to this solicitation.
i. Offeror(s) shall include a list of proposed project staff and key personnel which shall become an exhibit to the contract. For the List of Project Management and Key Personnel, list all requirements.

3. SOW - Project Work Plan

The Offeror(s) proposal shall include a detailed work plan for the implementation and operation of the proposed system based upon the phases and timeframe stated in Section IV.A.4. and the information in response to Section IV.C.2, above, as follows:
a. Task Level - The plan shall include all activities necessary for a successful project down to the task level. No task can exceed more than eighty hours in the work plan.
b. Identify All Resources - The plan shall clearly identify all Offeror (including subcontractors) and using agency resources required to successfully complete the project. The Offeror shall provide job descriptions and the number of personnel to be assigned to the installation, testing, and implementation of the project.
c. Plan Progress Charts - The plan shall include appropriate progress/Gantt charts that reflect the proposed schedule and all major milestones.
d. Microsoft Project – A sample project plan shall be submitted using Microsoft Project.

4. SOW - Training Plan

The Offeror(s) proposal shall include three types of training as follows:
a. Offeror(s) should describe their approach, training techniques, resources and materials to support user training.
b. Offeror(s) should describe their approach, training techniques, resources and materials to support the technical administration of the proposed system.
c. Offeror(s) should describe their approach, training techniques, resources and materials to support technical operational training of all components of the proposed system.
d. Offeror(s) must describe the type and quantity of training that will be provided for all administrative, support and end-user staff, including:
   i. The number of users who can be accommodated at each class
   ii. Future training availability
   iii. Ability to provide training at a County location
   iv. Include (at a minimum) training for:
      a. General Users
      b. Power Users / Administrators
      c. Technical Support Users
e. Offeror(s) must describe the following:
   i. Approach that will be utilized for training (train-the-trainer, etc.)
   ii. Maximum number of users that can be trained in a vendor-sponsored class for the application
   iii. Training that is included in the proposal
   iv. Type and location (onsite, vendor facility, webinar, etc.)
   v. If using webinars, describe how they are conducted and what the setup requirements are
   vi. Training provided with new releases
   vii. How system documentation is provided (online, hard copy, etc.) for the initial implementation, system release updates, etc.

5. System Documentation

a. The Offeror shall describe the documentation provided to facilitate system implementation.
b. The Offeror shall describe the System Administrator documentation provided.
c. The Offeror shall describe the availability of Users Groups, including how often and where they meet. Explain if the user group is a separate independent organization or funded and organized by the Offeror.
d. The Offeror shall attach a listing summarizing available stock (“canned”) reports provided by the solution and a sample of each.
e. The Offeror shall specify the maximum number of aliases captured, or “unlimited” if no restriction is present.

6. Acceptance Test Plan

The Offeror(s) proposal shall include an acceptance test plan for the implementation and operation of the proposed system based upon the phases and timeframe stated in Section IV.A.4. The plan shall individually address each system component that comprises the proposed system. The plan should document the acceptance testing approach, resources and/or tools that may be used to validate the functions and features of the proposed system.

7. System Operational Maintenance Requirements


a. Offeror(s) must describe the operational support requirements including number of FTEs and skill sets for each support area (i.e. database administration, system administration, etc.)
b. Offeror(s) must provide information on the availability and capability of account managers and support staff to respond to voice and email messages and service support requirements.
c. Offeror(s) must describe the post implementation follow-up activities that will be provided by the Offeror, specifically addressing the following tasks:
   i. Post-live system debugging to bring application into full conformance with documentation, proposal and modification specifications
   ii. Six-month and 12-month post live operational (non-technical) audits to review SMHS utilization of the software and to provide recommendations for optimizing benefits.
   iii. Describe how application and support documentation is updated and distributed.

8. Past Performance (References)

The Offeror(s) proposal shall include three external references from clients who are willing to validate the Offeror(s) past performance on similar projects. The minimum information that shall be provided for each client reference follows:
a. Name of the contact person;
b. Name of the company or governmental entity;
c. Address of the contact person;
d. Telephone number of contact person;
e. Email address of the contact person;
f. A description of the products and services provided and dates the products and services were provided.

At least ONE (1) of the references for the proposed system shall be from a site of comparable or larger size where the proposed system has been installed and is in current operation. Offeror(s) are encouraged to include additional references that they believe the Evaluation Committee would find helpful in thoroughly evaluating their past performance.

The contact person will be expected to complete and return the Past Performance Questionnaire to the Evaluation Committee in a timely manner. The failure of a contact person to return or thoroughly complete the questionnaire will result in a reduction of points awarded for this evaluation factor.

Offeror should list up to ten (10) other county facilities in which the system has been installed, including the counties, states and the size of the facilities.

Offeror should list any locations within the San Francisco Bay Area in which the system has been installed. Offeror shall list the organizations, their locations, and the size of their facility. For the purpose of this proposal, the San Francisco Bay Area is defined as the following counties within the State of California: Alameda County, Contra Costa County, Marin County, Napa County, San Benito County, the City and County of San Francisco, San Mateo County, San Mateo County, Santa Cruz County, Solano County, Sonoma County.

9. Risk Management

Offeror(s) shall submit with their proposals a risk assessment using the methodology published by the Project Management Institute or other comparable methodology. Offeror(s) should include risk mitigation strategies as well as the resources the using agency may utilize to reduce risk.


10. Value Added Services (Optional)

Offeror(s) are encouraged but not required to propose any optional value added services they believe would help the using agency to effectively implement, operate or use the proposed system. This can include Users Groups, etc.

11. Oral Presentation and Demonstration

If selected as a finalist, Offeror(s) agree to present their proposals and demonstrate their proposed systems to the Evaluation Committee. In addition, Offeror(s) agree to provide the Evaluation Committee the opportunity to interview proposed staff members identified by the Evaluation Committee in the finalist notification letter at the session. The Offeror(s) proposed project manager is expected to conduct the session. A statement of concurrence is required.

NOTE: Finalist Offeror(s) shall provide all of the required computer equipment and internet access required for the demonstration of their proposed systems.

Offeror(s) shall include in their proposals a list of any and all additional special equipment, communications facilities or other resources required for the demonstration of their proposed systems.

12. Financial Stability

Offeror shall submit copies of the most recent year's independently audited financial statements, as well as those for the preceding three years, if they exist. The submission shall include the audit opinion, balance sheet, income statement, retained earnings, cash flows, and notes to the financial statements. If independently audited financial statements do not exist for the Offeror, the Offeror shall state the reason and, instead, submit sufficient information such as the latest Dun & Bradstreet report to enable the Evaluation Committee to determine the financial stability of the Offeror. The Procurement Officer may request and the Offeror shall supply any additional financial information requested in a timely manner.

13. License Agreement

The contractor will grant the County an unlimited perpetual license to use the software.

There shall be no limitation on the numbers of authorized users. Authorized users shall include County personnel and authorized agents. Offeror(s) shall provide a statement of agreement with this requirement and include a copy of the additional terms and conditions of their licensing agreement in their proposals.

14. Cost Specifications

Offeror(s) shall complete the Proposal Cost Response Form, all pages, found in Appendix A and submit it with their proposals. The proposed costs shall directly relate to the Project Work Plan. The completed form shall become Contract Exhibit A for the selected contractor.

The County will evaluate all solutions proposed. If multiple deployment options are available, Offeror(s) shall provide a cost response proposal for each solution proposed. If offering the option of an ASP-hosted service, Appendix E must be completed.

The proposed cost shall include:
a. Software License fees or costs:
   i. Base System -- software
   ii. Customization required or proposed addressing specifications.
   iii. Additional modules required or proposed addressing specifications.
   iv. 3rd Party Software, if any, required for the operation of the system.
b. Technical and User Documentation
c. Installation costs (Professional Services)
d. Integration costs (Professional Services)
e. Conversion costs (Professional Services)
f. Training including Training materials.
   i. User
   ii. Administration
   iii. Technical
g. Maintenance Costs, to include, per year
   i. Existing Software
   ii. Updates to support files
   iii. Revisions to documentation
   iv. Utilities
   v. New Functionality
h. Technical Support/Customer Service, per year
i. Equipment (include detail equipment configuration on cost response form)
j. Unlimited phone technical support for the technical staff
k. Site preparation, if any
l. Equipment maintenance (after warranty)
m. Test System Costs (Maintenance, etc.)
n. Other Costs (describe)
o. Performance Bond (Non-Applicable)
p. Deliverables and Associated Costs
   The major contract deliverables and the associated cost for each shall be listed on page two. This “Schedule of Deliverables” will become an exhibit to the Contract. It shall govern contract payments.
   Contract deliverables include:
   i. Phase I Deliverable - Final Project Plan which includes the acceptance test and training plans.
   ii. Phase II Deliverable – Complete system installation and testing, including computer equipment, software, data conversion from Global and Pre3 Database, and interfaces.
   iii. Phase III Deliverable – User and operational training complete
   iv. Phase IV Deliverable – Acceptance Test Complete
   v. Phase V Deliverable – System in operation
   vi. Phase VI Deliverable – Interface implementation, testing and integration.
q. Customization
   List each Base System modification and the associated cost on page two.
r. Consulting and Technical Support Services
   The hourly rates for consulting services and technical support services are to be listed by category of additional services beyond implementation and maintenance services proposed on the Cost Response Form. These rates shall include travel and lodging expenses for work performed in the County of San Mateo, California.
s. Equipment Configurations
   Offeror(s) shall list all proposed equipment by components including interface components, if applicable.

15. Warranty and Maintenance

Offeror(s) shall include a copy of the equipment and software maintenance agreements in their proposals. The minimum warranty for software and equipment shall be 1 year after installation date.


The Offeror shall provide the following information in its proposal:
b. Describe in detail the warranties provided by you or the manufacturer, both hardware and software for the technology proposed.
c. Provide information on the coverage times, warranty period, covered services and replacement requirements, etc.

16. Software in Escrow

The Offeror shall include a statement of its intention and written evidence of its ability to procure, submit to the County, and maintain a Software Escrow Agreement. A statement to this effect and written evidence of ability in the form of a letter from an escrow agent or other acceptable third party is required.

17. Alternatives

Offeror(s) may provide any suggested improvements and alternatives for doing business with their company that will make this arrangement more cost effective for their company and the County.

18. Designation of Subcontractors and Non-Collusion Declaration

Offeror(s) shall complete and submit with their proposals the Designation of Subcontractors (Appendix G) and Non-Collusion Declaration (Appendix J).

19. APPENDICES

BUSINESS ASSOCIATES AGREEMENT (HIPAA) – Appendix H

CONTRACTOR ACCESS SECURITY STATEMENT – Appendix I

SECURITY ASSESSMENT CHECKLIST – Appendix F

Offeror(s) shall complete and submit with proposals the above-mentioned appendices.


V. Evaluation Criteria

A. Evaluation Criteria

An RFP Evaluation Committee composed of representatives of the Health System and Information Services Department will evaluate proposals. Selection will not be based solely on lowest price. Evaluation criteria include, but are not limited to, the following:

1. Offeror(s) Experience

Experience providing system products and services. Capability and experience of key personnel.

2. Philosophy and Values

There is a clear commitment to timely response and support for a Correctional Health Services Information System.

3. Organizational Capacity

a. History of successfully providing similar services.
b. History of successfully managing other contracts with public agencies similar in size/scope.
c. History of company and length of time in business.

4. Program and Service Specification

a. All items in Section IV. Specifications are addressed.
b. There is a clear understanding of the scope of services and products to be provided.
c. There is sufficient staffing proposed to provide the services.
d. Proposed mandatory user requirements listed in the RFP are met.
e. Proposed service delivery, availability and experience providing technical support and maintenance are sufficient to provide services.

5. Financial Narrative

a. Net cost to County, which will include cost of installation, training and other incidental costs.
b. Anticipated annual maintenance cost.

Attachment A: Description of Existing Programs

A. Mental Health Services

Mental health services include crisis intervention, evaluation, treatment, psychiatric medication, behavior management, and continuing care referrals.

Day treatment services are provided to mentally ill men and women in the Life Skills Program at the Maguire Correctional Facility.

Acute care services are contracted through the Santa Clara County Correctional Treatment Center.

Weekly group therapy

Individual and group

B. Medical Services

Medical services include health screening, treatment, education, and 24-hour emergency response for juveniles and adults. Clinic appointments are available by referral and upon request and include chronic care for hypertension, diabetes, asthma, and HIV; obstetric, orthopedic, and urgent care.

C. Dental Services

Dental services, including treatment and medication for urgent dental conditions and extractions, for adults and juveniles.

D. Chemical Dependency Treatment Program (CHOICES)

Chemical dependency treatment includes:

Treatment program for adults —192 men and 30 women

Substance abuse education

Parenting skills and domestic violence prevention training

GED program

Gender specific, trauma informed treatment

Cognitive behavioral approach to addiction and recovery; and

Re-entry services for those transitioning back into the community.

E. Youth Services Program (YSC)

The Youth Services Center (YSC) includes a juvenile detention facility. The YSC contains an admissions unit, seven living units, a kitchen and dining room, a health and dental clinic, a fully accredited school, and a gym and outdoor recreation area.

F. Food & Nutrition

The Correctional Food Service Program provides meals to the adults and juveniles while in custody that are in compliance with State and Federal guidelines. The meals are calorically appropriate, heart healthy and emphasize healthy eating habits.


Attachment C: Sample County contract

AGREEMENT BETWEEN THE COUNTY OF SAN MATEO AND

[Contractor name]

THIS AGREEMENT, entered into this _____ day of _______________ , 20_____, by and between the COUNTY OF SAN MATEO, hereinafter called "County," and [Contractor name here], hereinafter called "Contractor";

W I T N E S S E T H:

WHEREAS, pursuant to Government Code, Section 31000, County may contract with independent contractors for the furnishing of such services to or for County or any Department thereof;

WHEREAS, it is necessary and desirable that Contractor be retained for the purpose of [Enter information here].

NOW, THEREFORE, IT IS HEREBY AGREED BY THE PARTIES HERETO AS FOLLOWS:

1. Exhibits and Attachments

The following exhibits and attachments are included hereto and incorporated by reference herein:

Exhibit A — Services

Exhibit B — Payments and rates

Attachment H — HIPAA Business Associate requirements

Attachment I — § 504 Compliance

Attachment IP — Intellectual Property

(**if the IP Attachment does not apply to this contract then delete this line**)

2. Services to be performed by Contractor

In consideration of the payments set forth herein and in Exhibit “B,” Contractor shall perform services for County in accordance with the terms, conditions and specifications set forth herein and in Exhibit “A.”

3. Payments

In consideration of the services provided by Contractor in accordance with all terms, conditions and specifications set forth herein and in Exhibit "A," County shall make payment to Contractor based on the rates and in the manner specified in Exhibit "B." The County reserves the right to withhold payment if the County determines that the quantity or quality of the work performed is unacceptable. In no event shall the County’s total fiscal obligation under this Agreement exceed [Write out amount], [$Amount].

4. Term and Termination


Subject to compliance with all terms and conditions, the term of this Agreement shall be from [Month and day], 20[Last 2 digits of year] through [Month and day], 20[Last 2 digits of year].

This Agreement may be terminated by Contractor, the [Name of County Department Head] or his/her designee at any time without a requirement of good cause upon thirty (30) days’ written notice to the other party.

In the event of termination, all finished or unfinished documents, data, studies, maps, photographs, reports, and materials (hereafter referred to as materials) prepared by Contractor under this Agreement shall become the property of the County and shall be promptly delivered to the County. Upon termination, the Contractor may make and retain a copy of such materials.

Subject to availability of funding, Contractor shall be entitled to receive payment for work/services provided prior to termination of the Agreement. Such payment shall be that portion of the full payment which is determined by comparing the work/services completed to the work/services required by the Agreement.

5. Availability of Funds

The County may terminate this Agreement or a portion of the services referenced in the Attachments and Exhibits based upon unavailability of Federal, State, or County funds, by providing written notice to Contractor as soon as is reasonably possible after the County learns of said unavailability of outside funding.

6. Relationship of Parties

Contractor agrees and understands that the work/services performed under this Agreement are performed as an independent Contractor and not as an employee of the County and that Contractor acquires none of the rights, privileges, powers, or advantages of County employees.

7. Hold Harmless

Contractor shall indemnify and save harmless County, its officers, agents, employees, and servants from all claims, suits, or actions of every name, kind, and description, brought for, or on account of: (A) injuries to or death of any person, including Contractor, or (B) damage to any property of any kind whatsoever and to whomsoever belonging, (C) any sanctions, penalties, or claims of damages resulting from Contractor’s failure to comply with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all Federal regulations promulgated thereunder, as amended, or (D) any other loss or cost, including but not limited to that caused by the concurrent active or passive negligence of County, its officers, agents, employees, or servants, resulting from the performance of any work required of Contractor or payments made pursuant to this Agreement, provided that this shall not apply to injuries or damage for which County has been found in a court of competent jurisdiction to be solely liable by reason of its own negligence or willful misconduct.

The duty of Contractor to indemnify and save harmless as set forth herein, shall include the duty to defend as set forth in Section 2778 of the California Civil Code.

8. Assignability and Subcontracting


Contractor shall not assign this Agreement or any portion thereof to a third party or subcontract with a third party to provide services required by contractor under this Agreement without the prior written consent of County. Any such assignment or subcontract without the County’s prior written consent shall give County the right to automatically and immediately terminate this Agreement.

9. Insurance

The Contractor shall not commence work or be required to commence work under this Agreement unless and until all insurance required under this paragraph has been obtained and such insurance has been approved by Risk Management, and Contractor shall use diligence to obtain such insurance and to obtain such approval. The Contractor shall furnish the County with certificates of insurance evidencing the required coverage, and there shall be a specific contractual liability endorsement extending the Contractor's coverage to include the contractual liability assumed by the Contractor pursuant to this Agreement. These certificates shall specify or be endorsed to provide that thirty (30) days' notice must be given, in writing, to the County of any pending change in the limits of liability or of any cancellation or modification of the policy.

(1) Worker's Compensation and Employer's Liability Insurance. The Contractor shall have in effect during the entire life of this Agreement Workers' Compensation and Employer's Liability Insurance providing full statutory coverage. In signing this Agreement, the Contractor certifies, as required by Section 1861 of the California Labor Code, that it is aware of the provisions of Section 3700 of the California Labor Code which requires every employer to be insured against liability for Worker's Compensation or to undertake self-insurance in accordance with the provisions of the Code, and will comply with such provisions before commencing the performance of the work of this Agreement.

(2) Liability Insurance. The Contractor shall take out and maintain during the life of this Agreement such Bodily Injury Liability and Property Damage Liability Insurance as shall protect him/her while performing work covered by this Agreement from any and all claims for damages for bodily injury, including accidental death, as well as any and all claims for property damage which may arise from Contractor's operations under this Agreement, whether such operations be by himself/herself or by any sub-contractor or by anyone directly or indirectly employed by either of them. Such insurance shall be combined single limit bodily injury and property damage for each occurrence and shall be not less than the amount specified below.

Such insurance shall include:

(a) Comprehensive General Liability . . . . . . . . . . . . . . . . . . $1,000,000

(b) Motor Vehicle Liability Insurance . . . . . . . . . . . . . . . . . . $1,000,000

(c) Professional Liability . . . . . . . . . . . . . . . . . . . . . . . . $1,000,000

County and its officers, agents, employees and servants shall be named as additional insured on any such policies of insurance, which shall also contain a provision that the insurance afforded thereby to the County, its officers, agents, employees and servants shall be primary insurance to the full limits of liability of the policy, and that if the County or its officers and employees have other insurance against the loss covered by such a policy, such other insurance shall be excess insurance only.


In the event of the breach of any provision of this section, or in the event any notice is received which indicates any required insurance coverage will be diminished or canceled, the County of San Mateo at its option, may, notwithstanding any other provision of this Agreement to the contrary, immediately declare a material breach of this Agreement and suspend all further work pursuant to this Agreement.

10. Compliance with laws; payment of Permits/Licenses

All services to be performed by Contractor pursuant to this Agreement shall be performed in accordance with all applicable Federal, State, County, and municipal laws, ordinances and regulations, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Federal Regulations promulgated thereunder, as amended, and will comply with the Business Associate requirements set forth in Attachment “H,” and the Americans with Disabilities Act of 1990, as amended, and Section 504 of the Rehabilitation Act of 1973, as amended and attached hereto and incorporated by reference herein as Attachment “I,” which prohibits discrimination on the basis of handicap in programs and activities receiving any Federal or County financial assistance. Such services shall also be performed in accordance with all applicable ordinances and regulations, including, but not limited to, appropriate licensure, certification regulations, provisions pertaining to confidentiality of records, and applicable quality assurance regulations. In the event of a conflict between the terms of this Agreement and State, Federal, County, or municipal law or regulations, the requirements of the applicable law will take precedence over the requirements set forth in this Agreement. Further, Contractor certifies that the Contractor and all of its subcontractors will adhere to all applicable provisions of Chapter 4.106 of the San Mateo County Ordinance Code, which regulates the use of disposable food service ware.

Contractor will timely and accurately complete, sign, and submit all necessary documentation of compliance.

11. Non-Discrimination and Other Requirements

A. Section 504 applies only to Contractors who are providing services to members of the public.

Contractor shall comply with § 504 of the Rehabilitation Act of 1973, which provides that no otherwise qualified handicapped individual shall, solely by reason of a disability, be excluded from the participation in, be denied the benefits of, or be subjected to discrimination in the performance of this Agreement.

B. General non-discrimination. No person shall, on the grounds of race, color, religion, ancestry, gender, age (over 40), national origin, medical condition (cancer), physical or mental disability, sexual orientation, pregnancy, childbirth or related medical condition, marital status, or political affiliation be denied any benefits or subject to discrimination under this Agreement.

C. Equal employment opportunity. Contractor shall ensure equal employment opportunity based on objective standards of recruitment, classification, selection, promotion, compensation, performance evaluation, and management relations for all employees under this Agreement. Contractor’s equal employment policies shall be made available to County of San Mateo upon request.

D. Violation of Non-discrimination provisions.

Violation of the non-discrimination provisions of this Agreement shall be considered a breach of this Agreement and subject the Contractor to penalties, to be determined by the County Manager, including but not limited to:

i) termination of this Agreement;

ii) disqualification of the Contractor from bidding on or being awarded a County contract for a period of up to 3 years;

iii) liquidated damages of $2,500 per violation;

iv) imposition of other appropriate contractual and civil remedies and sanctions, as determined by the County Manager.

To effectuate the provisions of this section, the County Manager shall have the authority to examine Contractor’s employment records with respect to compliance with this paragraph and/or to set off all or any portion of the amount described in this paragraph against amounts due to Contractor under the Contract or any other Contract between Contractor and County.

Contractor shall report to the County Manager the filing by any person in any court of any complaint of discrimination or the filing by any person of any and all charges with the Equal Employment Opportunity Commission, the Fair Employment and Housing Commission or any other entity charged with the investigation of allegations within 30 days of such filing, provided that within such 30 days such entity has not notified Contractor that such charges are dismissed or otherwise unfounded. Such notification shall include the name of the complainant, a copy of such complaint, and a description of the circumstance. Contractor shall provide County with a copy of their response to the Complaint when filed.

E. Compliance with Equal Benefits Ordinance. With respect to the provision of employee benefits, Contractor shall comply with the County Ordinance which prohibits contractors from discriminating in the provision of employee benefits between an employee with a domestic partner and an employee with a spouse.

F. The Contractor shall comply fully with the non-discrimination requirements required by 41 CFR 60-741.5(a), which is incorporated herein as if fully set forth.

12. Compliance with Contractor Employee Jury Service Ordinance

Contractor shall comply with the County Ordinance with respect to provision of jury duty pay to employees and have and adhere to a written policy that provides that its employees shall receive from the Contractor, on an annual basis, no less than five days of regular pay for actual jury service in San Mateo County. The policy may provide that employees deposit any fees received for such jury service with the Contractor or that the Contractor deduct from the employees’ regular pay the fees received for jury service.

13. Retention of Records, Right to Monitor and Audit

(a) CONTRACTOR shall maintain all required records for three (3) years after the COUNTY makes final payment and all other pending matters are closed, and shall be subject to the examination and/or audit of the County, a Federal grantor agency, and the State of California.

(b) Reporting and Record Keeping: CONTRACTOR shall comply with all program and fiscal reporting requirements set forth by appropriate Federal, State and local agencies, and as required by the COUNTY.

(c) CONTRACTOR agrees to provide to COUNTY, to any Federal or State department having monitoring or review authority, to COUNTY's authorized representatives, and/or their appropriate audit agencies upon reasonable notice, access to and the right to examine all records and documents necessary to determine compliance with relevant Federal, State, and local statutes, rules and regulations, and this Agreement, and to evaluate the quality, appropriateness and timeliness of services performed.


14. Merger Clause

This Agreement, including the Exhibits attached hereto and incorporated herein by reference, constitutes the sole Agreement of the parties hereto and correctly states the rights, duties, and obligations of each party as of this document's date. In the event that any term, condition, provision, requirement or specification set forth in this body of the agreement conflicts with or is inconsistent with any term, condition, provision, requirement or specification in any exhibit and/or attachment to this agreement, the provisions of this body of the agreement shall prevail.

Any prior agreement, promises, negotiations, or representations between the parties not expressly stated in this document are not binding. All subsequent modifications shall be in writing and signed by the parties.

15. Controlling Law and Venue

The validity of this Agreement and of its terms or provisions, as well as the rights and duties of the parties hereunder, the interpretation, and performance of this Agreement shall be governed by the laws of the State of California. Any dispute arising out of this Agreement shall be venued either in the San Mateo County Superior Court or in the United States District Court for the Northern District of California.

16. Notices

Any notice, request, demand, or other communication required or permitted hereunder shall be deemed to be properly given when both (1) transmitted via facsimile to the telephone number listed below and (2) either deposited in the United States mail, postage prepaid, or when deposited for overnight delivery with an established overnight courier that provides a tracking number showing confirmation of receipt, for transmittal, charges prepaid, addressed to:

In the case of County, to:

In the case of Contractor, to:

In the event that the facsimile transmission is not possible, notice shall be given both by United States mail and an overnight courier as outlined above.

IN WITNESS WHEREOF, the parties hereto, by their duly authorized representatives, have affixed their hands.

COUNTY OF SAN MATEO

By:

President, Board of Supervisors, San Mateo County


ATTEST:

By:

Date:

Clerk of Said Board

[Contractor Name Here]

Contractor’s Signature

Date:

Long Form Agreement/Business Associate v 8/19/08


Exhibit “A”

In consideration of the payments set forth in Exhibit “B”, Contractor shall provide the following services:

Exhibit “B”

In consideration of the services provided by Contractor in Exhibit “A”, County shall pay Contractor based on the following fee schedule:


APPENDIX A – PROPOSAL COST RESPONSE FORM

Offeror(s) Organization Name: _____________________________________________________

Fixed Cost Summary by Year

YEAR 1

a. Software License fees or costs:

1. Base System: _______

2. Customization *: _______

3. Additional Modules: _______

3. 3rd Party Software, if any: _______

b. Technical and User Documentation: _______

c. Installation costs: _______

d. Integration costs: _______

e. Conversion costs: _______

f. Training (and Training Materials):

1. User: _______

2. Administration: _______

3. Technical: _______

g. Maintenance Costs, to include, per year:

1. Existing Software: _______

2. Updates to support files: _______

3. Revisions to documentation: _______

4. Utilities: _______

5. New functionality: _______

h. Technical Support/Customer Service, per year: _______

i. Equipment (including detail): _______

j. Unlimited phone technical support: _______

k. Site Preparation: _______

l. Equipment Maintenance (after warranty): _______

m. Test System Costs (HW, SW, Maintenance etc.): _______

n. Other costs (i.e. database administration. Describe):

________________________

________________________

________________________

________________________

o. Performance Bond: Not Applicable

Total Cost for First Year: ____________

Grand Total Cost for First Year: ____________


PROPOSAL COST RESPONSE FORM

Schedule of Deliverables and Payments

Deliverable / Payment Amount

a. Phase I Deliverable - $_____________

b. Phase II Deliverable - $_____________

c. Phase III Deliverable - $_____________

d. Phase IV Deliverable - $_____________

e. Phase V Deliverable - $_____________

f. Phase VI Deliverable - $_____________

Total First Year Cost $_______________

Customization

Itemize each Base System customization/modifications and the associated cost here.

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

____________________________________

Consulting and Technical Support Services

The hourly rates for consulting services and technical support services are to be listed by category of additional services beyond implementation and maintenance services proposed on the Cost Response Form. These rates must include travel and lodging expenses for work performed in the County of San Mateo, California.

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_____________________________________________________________


PROPOSAL COST RESPONSE FORM

Proposed Software

(List all software modules by title and description here)

Equipment Configuration

(List all equipment components by title & description here, including the cost for each individual type of unit)


APPENDIX B – TECHNICAL FUNCTIONAL REQUIREMENTS

VENDOR NAME: _________________________________________

Response Code: Respondent should place the appropriate letter designation in the “Response Code” column according to the following codes and their description:

Y. Specification is one that currently exists in the proposed software in the current production version (name version release). This requirement can be demonstrated at an installed client site in general release.

A. Specification is not part of the proposed software but is available at an additional cost that is not included in the County’s price. This requirement can be demonstrated at an installed client site in general release.

B. Specification is not in the proposed software but is a planned or future enhancement or will be added at no additional cost. Specify in the comment section if this feature is under development, beta or alpha testing and indicate expected general release date.

C. Specification is not part of the proposed software but will be added at additional cost included in the County’s price. All such additional costs must be reported on an attachment to the cost response form.

N. Specification is not available in the proposed software.

Reference : Please provide any additional information requested or any additional information useful to the proposal in the comments column. If referencing attachments or other included information, write the location (Binder/Section/Page Number) of the discussion of the specification in the Offeror(s) proposal. Technical materials may be submitted as part of the proposal, and should be clearly labeled as such.

Note: Where the requirement is only partially satisfied by this solution, specify in the Description/Comment column which parts are satisfied and which parts are not.

# | Description | Description/Comments and Page Binder Number in the proposal where additional information can be found (Include additional attachments with reference if needed)

1. Description of System

a) Offeror must provide a description of the proposed product, database, software and services, as they will be configured during the term of the system implementation, including how the proposed system will meet or exceed the requirements stated in the entire RFP. Include sufficient technical information about the application, operating environment and performance data to enable the County to determine whether or not the proposed system meets the technical environment prerequisites.

b) Offeror must identify/list all software required for the solution that is not supplied directly by the Offeror (any/all third party software).

c) Offeror must provide an overview and/or benchmarks relating to the system’s ability to process information in real time. Include the number of concurrent users as well as named users the proposed system will accommodate and state the maximum number of recommended users.

d) Offeror must identify any requirement to purchase interfaces from other vendors to work with the proposed solution.

e) Offeror must define the scalability of the proposed system.

- Can the system be purchased in modules and expanded?

- How scalable is the proposed software regarding the number of users?

- Does the system scale in parallel, i.e. can additional application servers be configured in a load-balanced cluster?

- Can the database, application and data analysis components be configured to reside on separate independent servers, so that one impacted subsystem does not affect the overall solution?

f) Offeror must identify if the server(s) can be purchased from a source other than the successful Offeror.

g) Offeror must identify how many users per application server are supported by the proposed software.

h) Offeror must identify if the proposed software is ODBC, OLE-DB or OLAP compliant. Identify any drivers provided.

i) Offeror must describe licenses required for the software (concurrent / per seat and the number associated).

j) Offeror must describe how the system protects database records while it is being accessed by one user, so that multiple users will not attempt to change the record at the same time.

k) Offeror must identify if the solution’s database is ACID (Atomicity, Consistency, Isolation and Durability) compliant, and how it provides transaction rollback capability in the event of a failed transaction.

l) Offeror must define the requirements for a test system. Include all related components (hardware, software, etc.). Include test system costs.

m) Offeror must describe the maximum number of database records that can be stored locally.

n) Offeror must define which third party reporting tools the system is compatible with.

o) Offeror must provide the data dictionary and schema with the system.

p) Offeror must describe the minimum monitor and screen resolution limit.

q) Offeror must describe the process for change management or customer notification.

r) Offeror must describe the current version number and release date, including how often target dates are met.

s) Offeror must provide continuous application and system support 12 hours a day, 365 days per year.

t) Offeror must provide the company escalation and response plan, and describe how issues are triaged and escalated.

u) Offeror must provide the average response time of the proposed system.

v) Offeror must describe the level of customization available without a programmer or vendor support.

w) Offeror must provide the location of the closest service representative.

2. Equipment and Software

a) Offeror must provide detailed hardware specifications, including but not limited to, server footprint, processor type and speed, RAM (in the basic system), size of the hard drive, type of monitors (with or without readers), barcode devices, scanning devices, barcode printing devices, RFID devices, etc. Include the recommended number of devices per location and recommended number of backup devices. If multiple servers are specified, provide individual specifications for each server.

b) Offeror must specify the operating system proposed with the system.

c) Offeror should describe how the client software components are able to coexist with other software and applications on end-user workstations.

3. Backup/Recovery

a) Offeror must specify which of the following measures or devices are provided with the proposed system:

- RAID 5, 6, 10 Disk Support

- Mirrored Disk Support

- Hot Backup System Support

- Warm Backup System Support

- UPS Monitoring

- Redundant Power Supply

- Transaction Rollback Function

b) Offeror must describe the backup capabilities for the proposed system, including:

- Utilities required for backing up data

- Process for how backups and restores are performed

- The ability to use customer-supplied backup software, if supported

c) Offeror must describe the Disaster Recovery plan, including requirements for zero-downtime.

d) Offeror should describe the notification provided if an application failure occurs.

e) Offeror must describe the process for automatic reprogramming and/or recovery after a failure due to hardware, software or absence of power.

4. Network/Hardware

a) Offeror must describe wiring or infrastructure required to support the system. Infrastructure necessary to support ancillary devices, such as alarm annunciators or remote monitors, must be included.

b) Offeror must provide a system/network design diagram, which provides a visual summary of the system’s servers, network and ancillary components and their relationships.

c) Offeror must describe any proprietary equipment utilized.

d) Offeror must describe any special networking requirements, i.e. dedicated/segregated network segments, VLANs, etc.

e) Offeror must provide network design diagram detailing all inbound and outbound communication requirements necessary for the functionality of the system, including all required ports and protocols.

f) Offeror must describe how the system supports Network Address Translation (NAT) if the proposed system is not a local in-house solution.

g) Offeror must describe how the system supports either Cisco VPN Site-to-Site or similar SSL-based solution if the proposed system is a non-internally hosted system.

h) Offeror must describe how much bandwidth is required for its imaging component and the level of impact on the network load.

5. Storage

a) Offeror must explain how data is archived (e.g., on demand, automatically, via optical disk, etc.).

b) Offeror must describe how the system allows for adding additional storage capacity.

c) Offeror must describe the archival scheme for the system, including the recommended length of time data is retained on the production system and the availability of data for reporting after archiving.

d) Offeror must describe the maximum size of the database and the largest currently operating production and archive directories.

e) Offeror must describe the long-term storage options available for the system.

6. Database Integration

a) Offeror must list all databases that are fully supported by the proposed system.

b) Offeror must indicate which backend database is natively supported by the proposed software.

c) Offeror must indicate whether a CLIENT database management system is supplied with the proposed software. If so, explain in more detail.

d) Offeror must indicate what type of APIs the proposed system uses for application integration.

e) Offeror must indicate if any out-of-the-box integration packages are being used.

7. Web Integration

a) Offeror should describe if and how the system supports web-based access.

b) Offeror should define the system’s capability to support multiple browser types (i.e. Internet Explorer and Mozilla Firefox) on different platforms, and the minimum version of each browser supported if the system supports web-based access.

c) Offeror should specify all browser plug-ins necessary to utilize web-based features, if the system supports web-based access.

d) Offeror should specify the web service standards used and the functionality exposed through the web services, if the system supports the use of web service protocols such as SOAP.

8. Remote Access

a) Offeror must describe the requirements needed to support this option.

9. Critical Updates, Patches and Antivirus

a) Offeror must describe the process for approving and installing operating system Critical Updates. Attach the Offeror policy regarding Microsoft Critical Updates.

b) Offeror must describe the process for how Critical updates are installed (by vendor, by customer, etc.).

c) Offeror must describe or attach the company Service Pack policy for the proposed solution.

d) Offeror must describe any issues that may occur when running Antivirus software in real-time on the servers at the kernel level.

e) Offeror must describe or attach the company policy regarding the use of anti-virus software with the proposed system.

f) Offeror must describe the disclosure policies related to security vulnerabilities found in the system, including procedures in place to notify customers of potential flaws, and the average time between a flaw being discovered and corrective action taken.

g) Offeror must describe how the locally hosted servers and workstations are able to support the County’s Enterprise solutions (EPO and BES), regarding its Anti-Virus and Patching solutions.

10. Application Security Features

a) Offeror should describe the system’s compliance with LDAP (Lightweight Directory Access Protocol), and how the system can be configured to authenticate users against it.

b) Offeror should describe how the proposed solution can be configured to authenticate users against an Active Directory 2003 tree, if possible.

c) Offeror should describe how the solution audits user access and privilege use and the information that is logged.

d) Offeror should describe how the solution allows the County to meet or exceed the password security standard on the minimum password difficulty requirements, and password lockout policies. The County’s standards for password management are:

- User account names and passwords must not be the same.

- All account IDs must have unique passwords.

- Passwords must contain at least six characters.

- At least one character in each password must be non-alpha.

- Passwords must not contain consecutive identical characters.

- Passwords are not to be shared, posted, or recorded except in a secure manner.

- Passwords should change at the user's first log-on and thereafter at intervals of not more than sixty days.

- New passwords must be unique from previously used passwords.

- For Secure systems the minimum length password is eight characters.

e) Offeror should describe how the solution allows system administrators to set a password expiration policy, thereby requiring end-users to change their passwords at a specified interval.

f) Offeror should describe how the solution encrypts sensitive information transmitted across the network, and specify the algorithms used.

g) Offeror should specify whether the system establishes user identity via:

- A user ID and password

h) Offeror should describe how access privileges are configured in the system, and whether or not privileges can be based on group designations.

i) Offeror should describe how different levels of security and privileges are established.

j) Offeror should specify if a “user inactivity timeout” feature is available, that forces a user to reauthenticate if idle for a preconfigured amount of time. The County’s policy requires that secure systems should feature automatic user inactivity logoffs.

k) Offeror must describe how the system utilizes electronic signatures and electronic confirmation.

l) Offeror must describe how the proposed solution ensures that one Client’s information does not inadvertently display in another Client’s room.

m) Offeror must support the following:

- Single Sign-on

- Role based security

- Organization based security

- Virtualization

If Offeror does not support any of the above, Offeror must disclose reasons why and any future enhancements that would allow feasibility.

11. Additional Functional Requirements

# Description

a) Contractor should provide San Mateo County, Correctional Health Services with a registration product that supports industry standards

b) The use of proprietary code is discouraged and will be heavily considered when choosing a Correctional Health Services Information System contractor.

c) System could be hosted on a San Mateo County server.

d) System must provide customization/expansion options – must be a scalable system.

e) Proposal should include a discussion of how a new Correctional Health Services program would be integrated into the system. Customizations must be fully supported by future updates to the product without additional cost to San Mateo County.

f) Proposal should include mobile access of system either through distribution/synchronization of the application to a laptop/PDA or access via wireless connectivity.

g) The system should have an open system architecture. The system must utilize ODBO interoperable standards and ODBC access. The system must interface with other databases such as Oracle or SQL Server. Additionally, the system should be CCOW compliant.

h) Vendor must provide technical support and documentation. Documentation to be available as hard copies as well as electronic copies.

i) System must support current County IT Standards

j) System must be Windows-based server architecture

k) Vendor will provide training for end users.

l) Vendor will provide training for system maintenance and training for any customization to the software package.

m) Identify any required downtime for the system and its frequency.

n) Address whether or not the County will need to purchase any Third Party Software (TPS) to use the proposed system and/or sign any TPS agreements. If yes, please provide copies of TPS agreements.

o) The County will consider proposals that suggest additional services that the Offeror has reason to believe would benefit the County

12. Vendor System Methodologies

a) Does your company maintain written product development and version update procedures? If YES to the question, please submit a copy of these procedures with your proposal.

b) Please identify the system diagram techniques used by your company to illustrate the AS-IS and TO-BE processes.

a. Flow charts
b. Data Flow Diagram
c. OO Diagram
d. ER Diagrams
e. Other

c) Will Rapid Prototyping techniques be used to let users preview key functions to determine the data entry/inquiry/reporting formats most suitable to end user needs?


APPENDIX C – SECURITY FUNCTIONAL REQUIREMENTS

VENDOR NAME: _________________________________________

Response Code: Respondent should place the appropriate letter designation in the “Response Code” column according to the following codes and their description:

Y. Specification is one that currently exists in the proposed software in the current production version (name version release). This requirement can be demonstrated at an installed client site in general release.

A. Specification is not part of the proposed software but is available at an additional cost that is not included in the County’s price. This requirement can be demonstrated at an installed client site in general release.


B. Specification is not in the proposed software but is a planned or future enhancement or will be added at no additional cost. Specify in the comment section if this feature is under development, beta or alpha testing and indicate expected general release date.

C. Specification is not part of the proposed software but will be added at additional cost included in the County’s price. All such additional costs must be reported on an attachment to the cost response form.

N. Specification is not available in the proposed software.

Reference : Please provide any additional information requested or any additional information useful to the proposal in the comments column. If referencing attachments or other included information, write the location (Binder/Section/Page Number) of the discussion of the specification in the Offeror(s) proposal. Technical materials may be submitted as part of the proposal, and should be clearly labeled as such.

Note: Where the requirement is only partially satisfied by this solution, specify in the Description/Comment column which parts are satisfied and which parts are not.

Description

Description/Comments and Page Binder Number in the proposal where additional information can be found (Include additional attachments with reference if needed)

1. Description of System

a) Offeror must provide a description of their breach disclosure practices

Should a breach occur how will the offeror be immediate and transparent in its response?

b) Offeror must provide the frequency and by whom of its security posture.

c) Offeror must describe their operational security practices

How do you ensure all systems are maintained at current patch level

How do you ensure all hardware are maintained at current patch level

How do you ensure all confidential data is transported via secure protocols

How do you ensure all confidential data is kept cryptographically sound while at rest

d) Offeror must describe how data is encrypted in the following:

Encrypted at rest

Encrypted in transit

e) Offeror must describe in detail ownership of customer data

If the County elects to terminate the contract how does the offeror propose to deliver the data back to the County

f) Offeror must describe how data is separated between clients

If multiple customers are housed on the same server how are they logically/physically separated to ensure data is not viewed by unauthorized personnel

g) Offeror must describe the location of where the data center is located

Is it prone to natural disasters

h) Does the offeror employ a Secure Development Lifecycle standard and does it weave security into the very fabric of its coding and implementation practices

i) Offeror must describe the procedures that are in place that govern the receipt and removal of hardware and electronic media that contain electronic protected health information (ePHI) into and out of their facility

j) Offeror must describe what procedures are in place that are designed to eliminate ePHI from all media before that media may be reused or taken out of service

k) Offeror must disclose if employees have a unique name/number for system access

l) Offeror must describe to what extent are the appropriate compliance frameworks (PCI, SOX, HIPAA) kept in mind, as well as Web application security standards (input validation, encoding output, preventing request forgery and information disclosure)

m) Is the offeror willing to disclose a copy of their SAS 70 (or other security) auditor’s report?


APPENDIX D – FUNCTIONAL REQUIREMENTS RESPONSE FORM

VENDOR NAME: _________________________________________

Mandatory or Desirable: This column contains a value specifying that an item is mandatory, the desirability of a specific feature, or that the line item is a request for additional information or clarification.

( M )andatory

( H )ighly Desirable

( U )seful

Response Code: Respondent should place the appropriate letter designation in the “Availability” column according to the following codes and their description:

Y. Specification is one that currently exists in the proposed software in the current production version (name version release). This requirement can be demonstrated at an installed client site in general release.

A. Specification is not part of the proposed software but is available at an additional cost that is not included in the County’s price. This requirement can be demonstrated at an installed client site in general release.

B. Specification is not in the proposed software but is a planned or future enhancement or will be added at no additional cost. Specify in the comment section if this feature is under development, beta or alpha testing and indicate expected general release date.

C. Specification is not part of the proposed software but will be added at additional cost included in the County’s price. All such additional costs must be reported on an attachment to the cost response form.

N. Specification is not available in the proposed software.


Reference : Please provide any additional information requested or any additional information useful to the proposal in the comments column. If referencing attachments or other included information, write the location (Binder/Section/Page Number) of the discussion of the specification in the Offeror(s) proposal. Technical materials may be submitted as part of the proposal, and should be clearly labeled as such.

Note: Where the requirement is only partially satisfied by this solution, specify in the Description/Comment column which parts are satisfied and which parts are not.

Description

Comments or Page and Binder Number in the proposal where additional information can be found (Include delivery date if Availability is “B” or “C”)

Client Data Collection

1. (M) The proposed solution, at a minimum, captures the following data elements to support patient registration/intake:

Client Name
Client Aliases
Client Address
Client Aliases Address
Client Telephone Number(s) and the type of number (i.e. home, work, cellular, etc.)
Client date of birth (DOB)
Client Sex
Client Social Security Number
Client Driver’s License
Client Medi-Cal Number
Client Medical Record Number (MRN) and Associated Facility
Client Insurance:
o Address
o Phone number
o Fax number
o Coverage and benefit information
o Subscriber and Subscriber ID
o Review Group
o E-mail Address
Client Financial Class
Spouse and/or Partner Name
Criminal Justice ID Number

2. (H) Multiple visits may be linked to a medical record number (MRN)

3. (M) Specify the emergency contact information collected

4. (M) The following housing and booking information is available and/or customizable fields are available (please indicate customizable and/or available in the comments section)

Booking Date
Release Date
Housing Unit (POD)
Bed Type (Upper/Lower Bunk)
In Custody Status
Court Dates
Court Charges
Previous Incarcerations

Monitoring and Alert Notification

5. (M) System must retain the original entry date of client

6. (M) System must provide historical instances on all changes that occur for each client with the ability to track which user made the change logging date/time stamp

7. (M) System must provide an alert feature, also known as “Tickler” for users to self-create reminder notices based on client entry and assessment needs

8. (M) System must be flexible to allow users to self-create “Tickler” for any and all automated notifications

9. (M) The solution is able to track and alert on user defined Client parameters. Describe the types of parameters, which may be tracked, and the methods of tracking and alerting which may be utilized.

10. (M) System will provide functionality to identify duplicates with the ability to merge the data of the duplicate client and delete the incorrect record

11. (M) System must have the ability to support workflow, To Do List and automated triggers e.g. A completed form after submission will trigger a notification to a staff member

Clinical Case Management

12. (M) Assessment, treatment plan, outcome data, time keeping, progress notes, must be able to capture and manage data for each program and client

13. (M) System has the ability for add/edit/deletion of assessments, progress notes etc. List system limitations in detail if limitations exist

14. (M) Software must have the capacity to use and store clinical information such as Lab/Test Results, Prescriptions, similar to a hospital setting

15. (H) System should have capability of changes to program workflow without requiring programming changes.

16. (M) Consent forms and other program-specific forms should be electronic, verifiable and stored in the system. Document imaging must be feasible

17. (H) System should have the ability to manage data and workflow to support integration with other Hospital and/or Jail Management Information Systems

18. (H) System should have the ability to search and display scanned documents

19. (M) Scanned images (reports, letters, request and any other document specified) may be stored, which are subsequently “attached” to a Client’s record.

20. (M) System should have the ability to support various programs with the ability to identify which program client is receiving services, e.g. Mental Health, CHOICES, Medical Services, Dental Services, YSC

21. (M) Free-form textual notes and comments for progress notes, assessment notes, nursing, etc. must be supported.

22. (M) Spell checking must be available for fields (free-form text and otherwise).

23. (M) System should be flexible to allow for different location/facility

24. (M) System should have ability to allow supervisor or designee to approve case(s) up to and including status of case and case records management if needed

25. (H) Display each client’s encounter history in a specific order (ascending/descending)

26. (M) System must be able to handle electronic signatures, describe the type of signature pads the system supports and its limitations

Time Keeping/Appointments

27. (M) System must have the ability to view existing appointments from other systems (Jail Management System) with options to add/update clinical appointments, describe how this can be accomplished and with what methods

28. (M) Appointment data must be able to propagate and update other systems (push-pull method), describe how this can be accomplished and with what methods

29. (M) System should permit entry by all staff of all time incurred during a workday

30. (M) System must permit import/export of Appointment data

31. (H) System must include real-time access to obtain appointment information from the Criminal Justice System, describe how this can be accomplished and with what methods

32. (H) System should be able to accommodate staff time keeping of group activities that are not attributable to any specific client, for example, education classes given to groups of clients

33. (H) System should permit the easy entry of staff activity and staff time coinciding with a client encounter. That includes the specification of activity type in the encounter documentation, entry of staff time spent on each client encounter, client ID number

34. (M) Information entered on one form is able to flow to other forms, thereby reducing redundant user entry.

35. (H) User productivity can be tracked.

36. (U) Ideally system will have the case management notes tied in with the time keeping/appointments, virtually everything in one screen.

37. (H) System should be able to store time of day for encounters which should be built to have the ability to transfer to or built into the time entry portion of the user’s daily activities

Diet Orders/Nutrition

38. (M) Client allergies are documented.

39. (H) Meal orders have the ability to be exported into labels

40. (M) Nutritional Analysis is built into the system

41. (M) BMI calculations are automatically calculated

Reporting and Statistical Analysis

42. (M) Client reports for case management, including progress notes, summary of assessments, medication history, lab results history, client dashboard is available

43. (M) Reports that give program level counts of contact, clients, client descriptions and outcomes e.g. CHOICES Program

44. (M) System must have the ability to generate ad-hoc reporting similar to a Query interface without needing a 3rd party product

45. (H) Statistical data, configurable by the end user, is captured for subsequent reporting. Once configured, data collection and calculation is automatic and does not require user manual processing. Describe the types of statistical information and reporting available.

46. (M) System should include ability to generate data for budget planning and financial accounting

47. (H) Stock (“canned”) statistical reports are available and have the ability to be exported

48. (M) System should be flexible enough to do ad-hoc reporting on any data elements (“fields”), if system does not handle this, contractor must disclose which modules and which fields are not reportable.

49. (M) System must allow for all logging of user transactions, up to and including changes that were made, explain how your system allows for such tracking

50. (M) All tables must be reportable, if tables are not reportable or limitations exist within the system, contractor must disclose all limitations

51. (H) System must be able to handle reporting on the following as an example:

RN list for inmate TB plant
RN list of TB result check
Daily Schedule of appointments
RN 24 hour report
Physical Examination List for MD
Blood Draw Sheets
X-ray Sheets
Sick Call Lists
Inmate transportation list
Staff schedule
Mental Health Referral List

Customization

52. (H) User-defined fields are available for customization, reporting and graphing

53. (M) Certain features including flow sheets, data collection screens, reports, may be customized in-house without the need for vendor services.

54. (M) System will have the ability to create departmental assessments needed to monitor clients

55. (M) System must have the ability to allow users to self create at no additional cost

56. (M) System must be able to edit/modify/delete/hide entries within a table that are not needed

57. (H) System should have the ability to calculate percentages that auto-display on user screen (without the need for a separate report)

Migration of Existing Data

58. (M) Existing Client data and records, within multiple systems/databases will be seamlessly transferred and migrated to the proposed solution.

59. (M) System must be able to generate a report in readable format for users to determine which records were rejected during migration

60. (H) System must be able to support multiple migrations/imports of data

Implementation

61. (M) System will be implemented one program/facility at a time over an estimated period of 12-16 months.

Child H

62. (M) The implementation of each Correctional Health Services program/facility will require the import of data from an existing system and/or the building of an interface with the system currently being used by that program or other County EMR/EHR system.

63. (M) System will be set up to include

a development/test system
a training system and
a production/live system.

Program/facility implementation will initially be done on the development system. After sufficient testing, the program will be migrated to the production system.

64. (M) Program implementation schedule: Provide a proposed implementation plan outlining Offeror and County roles and responsibilities and a high-level timeline with major milestones. The implementation plan should note the software, if any, that would be required to be installed on user desktops. The implementation plan should suggest the options available for making the software available over the county network (e.g., Citrix).

65. (M) Personnel list: Provide a complete list of personnel assigned to this project. Describe proposed staff and their duties, including disciplines and degrees as appropriate. Name the person responsible for overseeing the County account and provide the level of education, background and areas of expertise this person has, and include this person’s availability.

Interfaces

66. (M) System should have the capability to integrate with the following San Mateo County systems:

San Mateo County Medical Center System (Siemens Invision RCO, eClinicalWorks)
County Sheriff’s Department Jail Management System (CJIS)
Juvenile Case Management System (JCMS)
Health Plan San Mateo (HPSM)
Mental Health System (Avatar)

67. (H) System should be able to support real-time and batch processing with other systems. Name other systems you have integrated with and which methods used, real-time/batch

68. (M) System should have the ability to interface with multiple systems that have different database backend infrastructures, name any limitations

69. (M) Systems should have the ability to look up information from other systems and have the ability to import specific data to avoid redundant data entry

70. (M) System should have the ability to export information into multiple formats, name all possible formats

71. Additional Requirements

72. (M) System must be able to handle e-signature, describe what type of signature pads are used including version number

73. (M) System must have the ability to handle e-prescriptions, describe the capabilities and how the data is transferred electronically

74. (M) System tables have pricing fields included to support lab costs, prescriptions etc.

75. (M) Describe all of the features that support a Mobile Solution. What models of tablets/handheld devices are used with your product

76. (M) Describe if the Mobile Solution is real-time or a check-in/check-out model e.g. sync methods

77. (M) Describe how the user can customize their own desktop and also describe how the system allows for user standard desktop settings upon creation of a new user

78. (U) Asset management tracking of supplies e.g. inventory tracking

79. (M) Specify any bed and infirmary management components

80. (M) Specify how the system supports eMAR

81. (M) System must support billing management to track costs, payment history, balances

82. (M) Specify other modules that the system can support

APPENDIX E – SYSTEM INTEGRATION REQUIREMENTS RESPONSE FORM

CORRECTIONAL HEALTH SERVICES

OFFEROR NAME: ____________________________________________

ID QUESTION ANSWER

1 List the type of interfaces offered and classify them based on the choices below:

a. Push model (vendor receives unsolicited messages, e.g. ADT)
b. Pull model (vendor sends unsolicited messages, e.g. Charges)
c. Query/Response model (query is sent from vendor and response is sent back)

2 Is the HL7 (Version 2.x) standard supported? If so, which version?

3 If the HL7 (Version 2.x) standard is supported what events are accepted?

4 Does the system interface to:

∙ Medi-Cal Eligibility

5 Is the OPENLink Interface Engine used? If not, what Interface Engine is used and/or supported?

6 Can data be sent/received real-time, batch, and file?

7 What is the format or standard type of data transmitted on each connection type?

Interface Provided (ADT, Charge, etc.)

Format (HL7, Fixed, ASCII, etc.)

Version / Variant

Connectivity Type (TCP/IP, SNA, etc.)

Freq (Real Time, Batch)

# of connections

Comments:

8 Provide any additional information:


APPENDIX F – SECURITY ASSESSMENT CHECKLIST

Supplier – please complete the attached checklist if your application is ASP. Note that detailed responses are required, and not just simple “yes” or “no” answers. Complete detailed information must be provided to allow a valid comparison between supplier practices and those required by the COUNTY. The information provided below shall be accurate and true.

Description of COUNTY Requirement

Details on How ASP Meets Requirement

Other Security Measures That Mitigate This Risk

Comments

The ASP has a written Disaster Recovery Plan that offers a viable approach to restoring operations following an emergency situation.

The ASP site has adequate, redundant physical and/or logical network connectivity to ensure continued operations following a network failure.

The ASP system/application performs database backups on a schedule that is consistent with the importance of the Department application.

Backup media are treated with a level of security commensurate with the classification level of the data they contain.

ASP servers are closely monitored for both performance and availability.

The ASP is willing to sign a Service Level Agreement (SLA) that is consistent with the importance of the Department application.

The ASP has a formal, written Security Policy.

COUNTY User authentication standards (both local and for remote access) can be implemented if COUNTY users access the application directly on the ASP server. For remote connections, this includes use of encrypted VPN connectivity and one-time password technology.

Other mechanisms, such as secure SSL, may also be used in some circumstances as long as sole reliance is not placed on simple User ID/password combinations for authentication.

Once granted access, Users are limited to authorized activities only; i.e., customers are prevented from accessing either applications or data that belong to other customers.

ASP network connectivity is protected by firewalls, intrusion detection/ prevention systems, etc. designed to protect against attack.

The equipment hosting the Department’s application is located in a physically secure facility that employs access control measures, such as badges, card key access, or keypad entry systems.

ASP servers are kept in locked areas/cages that limit access to authorized personnel.

ASP staff is bonded, and/or have been subjected to background checks.

ASP servers are hardened against attack and operating system and server software patches related to security are applied regularly.

Commercially available anti-virus software is used on the servers, and is maintained in a current state.

ASP servers are monitored on a continuous basis, and logs are kept of all activity.

The ASP is willing to report security breaches and/or security issues to the COUNTY.


The ASP conducts regular vulnerability assessments, using viable third-party organizations, designed to assess both the ASP’s network infrastructure and the individual servers that host applications. The ASP implements “fixes” to correct discovered vulnerabilities.

The ASP has a formal Incident Response Plan.

(Optional) The network infrastructure hosting the Department application is “air-gapped” from any other network or customer that the ASP may have. This means that in an ideal situation, the application environment must use a separate, dedicated server, as well as a separate network infrastructure.

Encryption or hashing algorithms utilized by the ASP application infrastructure utilize algorithms that have been published and evaluated by the general cryptographic community.

The ASP is willing to permit onsite visits by COUNTY staff in order to evaluate security measures in place.


If the Department will be connecting to the ASP via a private connection (such as a dedicated T1 circuit), the circuit will terminate on the COUNTY’s extranet, and operation of the circuit will fall within the policies related to network connections from non-COUNTY entities. If a public network such as the Internet is used, the ASP deploys appropriate firewall technology, and the traffic between San Mateo COUNTY and the ASP is protected and authenticated through the implementation of VPN or equivalent technology.

Completed by: ________________________

(Supplier’s name)

_____________________________________

(Print Name)

_____________________________________

(Signature)

_____________________________________

(Title)

_____________________________________

(Date)

Approved by: COUNTY of San Mateo Information Services Dept.

_______________________________

(Print Name)

_______________________________

(Signature)

_______________________________

(Title)

_______________________________

(Date)


APPENDIX G – DESIGNATION OF SUBCONTRACTORS

Offeror shall completely fill in the form below for each subcontract that exceeds one-half percent (1/2%) of the Offeror(s) total Base Bid. A subcontractor is defined as a person who:

1) Performs work or labor

2) Provides a service to the Offeror

3) Specially fabricates and installs a portion of the work according to the plans and the specifications

Work shall be done in compliance with California Public Contract Code 4100-4114 and any amendment thereof.

Offeror shall assume full responsibilities for the actions, omissions and errors of subcontractors listed below. No change in subcontractor shall be permitted, after award, without prior written approval from the County Procurement Department Buyer or his/her designee. Changes in subcontractors without prior written consent from the County Procurement Department Buyer or his/her designee can result in the cancellation of the purchase order.

NAME OF SUBCONTRACTOR

COMPLETE ADDRESS AND TELEPHONE NO.

SPECIALTY

_________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

COMPANY NAME: _________________________________________________________________

AUTHORIZED SIGNATURE: _____________________________________________________________________

PRINT NAME: _____________________________________________________________________

DATE: ___________________________________________________________________________


APPENDIX H – BUSINESS ASSOCIATE AGREEMENT (HIPAA)

HIPAA - BUSINESS ASSOCIATE AGREEMENT PURSUANT TO THE HEALTH

INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

I. Definitions

Terms used, but not otherwise defined, and terms with initial capital letters in this provision of the Agreement have the same meaning as defined under the Health Insurance Portability and Accountability Act of 1996, 42 USC §§ 1320d et seq. (“HIPAA”) and the implementing regulations. To the extent the HIPAA Privacy Rule changes the meaning of the terms, this provision shall be modified automatically to correspond to the meaning given in the rule.

“PROTECTED HEALTH INFORMATION,” as defined at 45 C.F.R. §§ 164.501, and 160.103, means information that:

(1) is created or received by a health care provider, health plan, employer or health care clearing house; and

(2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual, and (a) identifies the individual or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

“ELECTRONIC PROTECTED HEALTH INFORMATION (EPHI)” as defined at 45 C.F.R. § 160.103(2), means Protected Health Information that is created electronically, transmitted electronically by electronic media, or is maintained in electronic media.

“BUSINESS ASSOCIATE” refers to ________________________ (Name of Contractor) in this Agreement.

“COVERED ENTITY” refers to the COUNTY of San Mateo in this Agreement.

II. Duties & Responsibilities of BUSINESS ASSOCIATE

A. BUSINESS ASSOCIATE’S use and/or disclosure of PROTECTED HEALTH INFORMATION (“PHI”) will be limited to those permitted or required by the terms of this Agreement or as REQUIRED BY LAW as defined pursuant to 45 CFR 164.501.

B. Unless otherwise limited by this Agreement, BUSINESS ASSOCIATE may use the PHI in its possession for the proper management and administration of the BUSINESS ASSOCIATE or to carry out its legal responsibilities.

C. BUSINESS ASSOCIATE may further disclose PHI for the proper management and administration of the BUSINESS ASSOCIATE or to carry out its legal responsibilities if the disclosure is required by law, or the BUSINESS ASSOCIATE receives reasonable assurances from the person receiving the PHI that it will be held confidentially, and will be used or further disclosed only as required by law and that the person receiving the PHI will notify the BUSINESS ASSOCIATE of any instances known in which the confidentiality has been breached.

D. BUSINESS ASSOCIATE must not use or disclose PHI in any manner that would constitute a violation of the PRIVACY RULE (Standard for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subpart A and E).


E. BUSINESS ASSOCIATE must use appropriate safeguards to prevent uses or disclosures of PHI other than as provided for by this Agreement.

F. BUSINESS ASSOCIATE must report in writing any use or disclosure of PHI not provided for by this Agreement to the COVERED ENTITY as soon as it learns of it.

G. BUSINESS ASSOCIATE must ensure subcontractors and agents that have access to, or to whom the BUSINESS ASSOCIATE provides PHI, agree in writing to the restrictions and conditions concerning the use and disclosure of PHI which are contained in this Agreement.

H. At the request of the COVERED ENTITY, BUSINESS ASSOCIATE must comply with the COVERED ENTITY’S request to accommodate an individual’s access to his/her PHI in a designated record set maintained by the BUSINESS ASSOCIATE.

In the event an individual contacts BUSINESS ASSOCIATE directly about access to PHI, BUSINESS ASSOCIATE will not provide access to the individual but will forward the request to the COVERED ENTITY within three business days of contact.

I. Within fifteen business days of a request by the COVERED ENTITY, BUSINESS ASSOCIATE will comply with the COVERED ENTITY'S request to amend an individual’s PHI in a designated record set maintained by the BUSINESS ASSOCIATE. BUSINESS ASSOCIATE will promptly incorporate any such amendment into the PHI. In the event an individual contacts BUSINESS ASSOCIATE directly about making amendments to PHI, BUSINESS ASSOCIATE will not make any amendments to the individual's PHI but will forward the request to COVERED ENTITY within three business days of such contact.

J. BUSINESS ASSOCIATE must keep a record of disclosures of PHI for a minimum of six years and agrees to make information regarding disclosures of PHI available to the COVERED ENTITY within fifteen days of a request by the COVERED ENTITY. BUSINESS ASSOCIATE must provide, at a minimum, the following information:

(1) the name of the individual whose PHI was disclosed;

(2) the date of disclosure;

(3) the name of the entity or person who received the PHI, and the address of such entity or person, if known;

(4) a brief description of the PHI disclosed; and

(5) a brief statement regarding the purpose and explanation of the basis of such disclosure.

BUSINESS ASSOCIATE is not required to maintain a record of disclosures of PHI under the following circumstances:

(1) To carry out treatment, payment or COUNTY health care operations, or activities that are incident to such disclosures;

(2) To individuals of their own PHI;

(3) Pursuant to a written authorization;

(4) For the facility’s directory or to persons involved in the individual’s care or other notification purposes in 45 CFR 164.510;

(5) For national security or intelligence purposes;

(6) To correctional institutions or law enforcement officials;

(7) As part of a limited data set in accordance with 45 CFR 164.514(e); or

(8) That occurred prior to the compliance date for the covered entity.


K. BUSINESS ASSOCIATE must comply with any other restrictions on the use or disclosure of PHI that the COVERED ENTITY may from time to time request.

L. BUSINESS ASSOCIATE must make its internal practices, books and records relating to uses and disclosures of PHI available to the Secretary of the U.S. Department of Health and Human Services or designee, for purposes of determining the COVERED ENTITY’S compliance with the PRIVACY RULE. BUSINESS ASSOCIATE must notify the COVERED ENTITY regarding any information that BUSINESS ASSOCIATE provides to the Secretary concerning the PHI. Concurrently with providing the information to the Secretary and upon the COVERED ENTITY’S request, BUSINESS ASSOCIATE must provide COVERED ENTITY with a duplicate copy of the information.

M. Upon the termination of this Agreement for any reason, BUSINESS ASSOCIATE must return or destroy all PHI, including all PHI that is in the possession of subcontractors or agents of the BUSINESS ASSOCIATE. BUSINESS ASSOCIATE must not retain any copies of PHI. If return or destruction is not feasible, BUSINESS ASSOCIATE must notify the COVERED ENTITY of the condition that makes the return or destruction of PHI not feasible. If the COVERED ENTITY agrees that the return or destruction of PHI is not feasible, BUSINESS ASSOCIATE may dispose of the PHI, subject to all of the protections of this Agreement and must make no further use or disclosure of the PHI.

N. The respective rights and responsibilities of BUSINESS ASSOCIATE related to the handling of PHI survive termination of this Agreement.

O. Notwithstanding any other provision of this Agreement, the COVERED ENTITY may immediately terminate this Agreement if BUSINESS ASSOCIATE has materially violated its responsibilities regarding PHI under this Agreement upon written notice.

P. EPHI: If BUSINESS ASSOCIATE receives, creates, transmits, or maintains EPHI on behalf of COVERED ENTITY, BUSINESS ASSOCIATE will, in addition, do the following:

(1) Develop, implement, maintain and use appropriate administrative, physical, and technical safeguards in compliance with Section 1173(d) of the Social Security Act, Title 42, Section 1320(d) of the United States Code and Title 45, Part 162 and 164 of CFR to preserve the integrity and confidentiality of all electronically maintained or transmitted PHI received from or on behalf of COVERED ENTITY.

(2) Document and keep these security measures current and available for inspection by COVERED ENTITY.

(3) Ensure that any agent, including a subcontractor, to whom the BUSINESS ASSOCIATE provides EPHI, agrees to implement reasonable and appropriate safeguards to protect it.

(4) Report to the COVERED ENTITY any Security Incident of which it becomes aware.

For the purposes of this Agreement, Security Incident means, as set forth in 45 C.F.R. section 164.304, “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”


APPENDIX I – CONTRACTOR ACCESS SECURITY STATEMENT

Agreement between [Vendor Name] and San Mateo County [Agency Name] Dated [Date]

The Agreement entered into _______________ between San Mateo County [AGENCY NAME] (“Customer”) and [VENDOR NAME] (“Contractor”) is hereby amended, effective __________________, to add the following terms and conditions relating to Contractor’s ability to remotely access Customer’s systems as set forth below. In the event of any conflict or inconsistency between the applicable terms of this ________Amendment and the terms of the Agreement, the terms of the Agreement will apply and control in all instances.

1. Definitions

County: “County” shall mean San Mateo County, in the State of California.

Remote Access: Remote access is the act of connecting to County systems from a non-County system through a public network or non-County network infrastructure. Systems include personal computers, workstations, servers and/or any device with network capabilities (e.g., a workstation with an attached modem, routers, switches, laptop computers, handheld devices).

2. Scope of Access

a. Customer hereby grants remote access to the following Customer systems at the locations listed, collectively referred to as “IS”, in accordance with the terms of the Agreement and this Amendment:

Customer Systems: ____________________________________________________

All other access is prohibited.

b. Access is granted for the purpose of Contractor providing services and performing its obligations as set forth in the Agreement including, but not limited to, supporting Contractor-installed programs. Unauthorized or illegitimate access to IS and/or County data/information is prohibited.

c. Modifications to Access Right: Customer will review the scope of Contractor’s access rights periodically. In no instance will Contractor’s access rights be reduced, limited or modified in any way that prevents or delays Contractor from performing its obligations set forth in the Agreement. Any modifications to these access rights must be mutually agreed to in writing by Customer and Contractor.

3. Security Requirements

a. Contractor will not install any remote access capabilities on any Customer owned or managed system or network unless such installation and configuration is approved in writing by Customer’s and Contractor’s respective designees.

b. Contractor may only remotely access County systems, including those connections initiated from a County system, if the following conditions are met:

1. Contractor will submit documentation verifying its network security mechanisms to Customer for Customer’s review and approval. Advanced written approval of Contractor’s security mechanisms is required prior to Contractor being granted remote access.


2. Contractor security systems must include the following minimum control mechanisms:

a. Two Factor Authentication: an authentication method that requires two of the following three factors to confirm the identity of the user attempting remote access. Those factors include: 1) something you possess (e.g., security token and/or smart card), 2) something you know (e.g., a personal identification number (PIN)), 3) something you are (e.g., fingerprints, retina scan). The only exceptions are County approved County site to Contractor site VPN infrastructure.

b. Centrally controlled authorizations (permissions) that are user specific (e.g., access lists that limit access to specific systems or LANs).

c. Audit tools that create detailed records/logs of access attempts.

d. All systems used to remotely access County systems must have installed and activated industry-standard anti-virus and other security measures that might be required by the County (e.g., software firewall).

e. Access must be established through a centralized collection of hardware and software centrally managed and controlled by Customer’s and Contractor’s respective designees.

4. Monitoring/Audit

Customer will monitor access to and activities on Customer owned or managed systems and networks. All remote access attempts to Customer networks and/or systems will be logged on a Customer managed and monitored system with the date, time, and user identification.

5. Copying Deleting or Modifying Data

Contractor is prohibited from copying, modifying, or deleting any data contained in or on any IS unless otherwise stated in the Agreement or unless Contractor receives prior written approval from Customer. This does not include data installed by the Contractor to fulfill its obligations set forth in the Agreement.

6. Connections to Non-County Networks and/or Systems

Contractor agrees to make every effort to protect Customer’s data contained on Customer owned and/or managed systems and networks within Contractor’s control from unauthorized access. Prior written approval is required before Contractor may connect Customer networks or systems to non-Customer owned and/or managed networks or systems. Such connections shall be made in accordance with industry standard protocols and procedures as mutually agreed upon and shall be timely approved in writing by Customer. All modem access and other forms of remote access, such as but not limited to, Virtual Private Network (VPN) access, shall be made in accordance with mutually agreed upon industry standard protocols and procedures, which shall be timely approved in writing by the Customer.

7. Term and Termination

a. Term: The term of this Amendment will begin on its effective date set forth above and will run Co-terminus with the Agreement unless terminated earlier as set forth herein.

b. Termination: Customer may terminate this Amendment in accordance with the Termination section of the Agreement following Contractor’s violation of any of the provisions set forth herein or in the Agreement.

8. Person Authorized to Act on Behalf of Parties: The following persons are the designees for purposes of this Amendment:

Contractor: Title/ Designee ________________________________

Customer: Title/ Designee _________________________________


Either party may change the aforementioned names and or designees by providing the other party with no less than three (3) business days prior written notice.

9. Remote Access Back-Up Model:

This Remote Access Back-Up Model shall only be used in the event that the primary model selected below is inoperable. Contractor will abide by the additional provisions relating to the backup model selected below in the event Contractor utilizes the backup model.

10. Access Models: Contractor agrees to abide by the following additional provisions relating to the primary model selected as indicated below. Please mark appropriate box for each model or if a model is inapplicable, please check the box marked N/A.

A. VPN - Site-to-Site

(x) Primary ( ) Backup ( ) N/A

Contractor support staff will have 24X7 access to all Contractor supported software, devices and systems (including applicable third party software products).

In addition to the above terms, the Contractor agrees to the following:

Only staff providing services or fulfilling Contractor obligations under the Agreement will be given remote access rights.

Only Contractor supported software, devices and systems (including applicable third party software products) will be accessed.

An encryption method reviewed and approved by the County will be used. Customer shall be solely responsible and liable for any delay or failure of Customer, as applicable, to approve the encryption method to be used by Contractor where such delay or failure causes Contractor to fail to meet or perform, or be delayed in meeting or performing, any of its obligations under the Agreement.

Contractor will be required to log all access activity to the Customer. These logs will be kept for a minimum of 90 days and be made available to Customer no more frequently than once every 90 days.

Contractor will promptly report to Customer all system changes made via remote access.

11. Mobile Devices:

a. Must take reasonable steps to protect against the installation of unlicensed or malicious software.

b. For Mobile Devices other than laptops/tablets, the Contractor must provide their own encryption software capable of encrypting the device, file or folder.

c. Upon termination of the work request or at the request of County, the contractor will return or destroy all County of San Mateo information and provide written certification of that return or destruction within 24 hours.

d. Ensure that mobile devices are sanitized in such a way that does not allow for the retrieval of the data using data recovery/salvage software. Alternatively, mobile devices may be physically destroyed by a method that leaves the device’s data unrecoverable.

e. Notify the County immediately if a mobile device used in the performance of County activities is lost or stolen.


C. Client based VPN and SSLVPN County System Administrator Authentication

(X) Primary (X) Backup N/A

A PIN number will be provided to the Contractor to use as identification for remote access. The Customer’s [TITLE] or his/her designee will verify the PIN number provided by the Contractor. After verification the Customer [TITLE] or his/her designee will give the Contractor a one-time password which will be used to authenticate Contractor when accessing the Customer’s IS. All system changes will be subject to prior approval by Customer’s [TITLE] or his/her designee. All remote access will be initiated only after a support case has been opened either by Customer or Contractor.

Because the PIN number allows access to privileged or confidential information residing on the Customer’s IS, the Contractor agrees to treat the PIN number as it would a signature authorizing a financial commitment of a Contractor executive every time the PIN number is used.

In addition to the above terms, Contractor agrees to the following:

The PIN number is confidential, County-owned, and will be identified as such.

The PIN number must be kept in a secured environment under the direct control of the Contractor, such as a locked office where public or other unauthorized access is not allowed.

If the remote access equipment is moved to a non-secured site such as a repair location, the PIN number shall be kept under Contractor control.

The PIN number can only be released to an authorized employee of the Contractor and may only be used by the designated individual.

If the PIN number is compromised or misused, the Contractor shall notify the Customer’s [TITLE] or his/her designee within one (1) business day.

Contractors use the PIN number as part of their normal business operations and for legitimate business purposes only. Use of the PIN number to gain unauthorized or illegitimate access to County information is prohibited and may result in contract termination and other potential consequences provided by law.

The PIN number will be issued to Contractor following execution of this Agreement.

The PIN number will be inactivated by the Customer’s [TITLE] or his/her designee within five (5) business days following contract termination, or upon written request of the County for any reason.

By executing this Amendment, both Contractor and Customer agree to abide by the terms and conditions contained herein.

Customer: County of San Mateo [Agency Name]

Name: ______________________

Title: ________________________

Date: ________________________

Contractor: [Vendor Name]

Name: __________________________

Title: ___________________________

Date: ___________________________


APPENDIX J – NON-COLLUSION DECLARATION

I, ____________________________________________________________, am the

(Print Name)

________________________________ of _______________________________________,

(Position/Title) (Name of Company)

the party making the foregoing proposal that the proposal is not made in the interest of, or on behalf of, any undisclosed person, partnership, company, association, organization, or corporation; that the bid is genuine and not collusive or sham; that the Offeror has not directly or indirectly induced or solicited any other Offeror to put in a false or sham bid; and has not directly or indirectly colluded, conspired, connived, or agreed with any Offeror or anyone else to put in a sham bid, or that anyone shall refrain from bidding; that the Offeror has not in any manner directly or indirectly, sought by agreement, communication, or conference with anyone to fix the bid price of the Offeror or any other Offeror, or to fix any overhead, profit, or cost element of the bid price, or of that of any other Offeror, or to secure any advantage against the public body awarding the contract of anyone interested in the proposed contract; that all statements contained in the bid are true; and, further, that the Offeror has not, directly or indirectly, submitted his or her bid price or any breakdown thereof, or the contents thereof, or divulged information or data relative thereto, or paid, and will not pay, any fee to any corporation, partnership, company association, organization, bid depository, or to any member or agent thereof to effectuate a collusive or sham bid.

I declare under penalty of perjury under the Laws of the State of California that the foregoing is true and correct:

COMPANY NAME: ________________________________________________________

AUTHORIZED SIGNATURE _____________________________________________________________

PRINT NAME: ____________________________________________________________

DATE: _________________________________________________________________________
