HIPAA Security Risk Analysis RFP
FORMAL REQUEST FOR PROPOSAL
ADDENDUM NUMBER: (2)
June 3, 2015
THIS ADDENDUM IS ISSUED PRIOR TO THE ACCEPTANCE OF THE FORMAL RFPS.
THE FOLLOWING CLARIFICATIONS, AMENDMENTS, ADDITIONS, DELETIONS,
REVISIONS, AND MODIFICATION FORM A PART OF THE CONTRACT DOCUMENTS
ONLY IN THE MANNER AND TO THE EXTENT STATED.
Please note the following clarifications:
1.
As noted in the Summary Scope section of the RFP, the overall goal of the engagement is to conduct a
HIPAA Security Risk Analysis, as defined in the HIPAA Security Final Rule 45 CFR 164.308(a)(1)(ii)(A), of
Broward Health's environment. The Security Risk Analysis will identify the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic protected health
information held by Broward Health.
The performance of a HIPAA Security Risk Analysis is a component of the HIPAA Administrative Safeguards
(164.308). However, the RFP also requests the performance of services that are categorized by the HIPAA
Security Final Rule as Physical (164.310) and Technical (164.312) Safeguards, as well as Organizational
(164.314) and Policy and Procedure Documentation (164.316) requirements. Additionally, Broward
Health is requesting the assessment of Privacy Rule Validation Requirements and Patient Rights that
are addressed in Subpart E – Privacy of Individually Identifiable Health Information.
The Risk Analysis will identify the potential risks and vulnerabilities to the confidentiality, integrity,
and availability of electronic protected health information held by Broward Health, and will also
evaluate performance against the physical, technical, organizational, and policy and procedure
documentation requirements, and the privacy of individually identifiable health information.
2.
In the Pricing section of the RFP, Broward Health acknowledges that certain items in the RFP are over
and above the base requirements of the RFP, and that they should be separately listed with additional
initial and/or maintenance costs shown for each service. The request is that Broward Health
identify which requirements are “base” requirements and which are “over and above”, so we can
provide the best possible price.
Base Requirements:
HIPAA Security Risk Analysis
Physical Safeguards
Technical Safeguards
Organizational Requirements
Policy and Procedure Documentation Requirements
Privacy Rule Validation Requirements
The items listed above are considered base items in the RFP pricing: the Risk Analysis will identify
the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic
protected health information held by Broward Health, and will also evaluate performance against the
physical, technical, organizational, and policy and procedure requirements and the privacy of
individual health information. “Over and above” items would be additional recommendations made
by the vendor providing the response.
3.
Are the same facilities identified in Question #2 the same for the requested services that are
considered “over and above” or will these services be performed at different locations? In addition,
will the same random sampling approach be used to assess these services?
The following sites are considered base items in the RFP pricing; the Risk Analysis will be performed at
each of the four hospitals, two large clinics, four doctor practices and the main data center in the ISC
building. The sampling approach should be determined by the vendor, so as to allow evidence of a
concise and consistent standard applied across the district.
4.
The Technical Safeguards Assessment in the RFP requires that additional assessments and
configuration reviews be performed.
A.
Will the physical site reviews be performed at the facilities considered “in scope” for the Risk
Analysis?
See answer 3 for in scope.
B.
Will physical site reviews be performed at any third party service providers that Broward Health
has contracted with?
No, only indicated Broward Health facilities.
C.
As it relates to the review of the sufficiency of existing security policies and procedures, are
these decentralized by location, or centralized?
Centralized
D.
As it relates to the assessment and configuration review of different devices, what is an estimate of
the number of units/devices, to allow the best possible price?
This will be based on the vendor recommendation of best practices allowing
5. To how many corporations has this RFP been distributed? Not a valid question in determining a
response to the bid.
6. Do you have to be a FL-based corporation to bid on this? Answered in RFP.
7. We are a minority-owned corporation (based in MA); are we allowed to bid as a minority-owned
company? Answered in RFP.
8. Do you plan to have a pre-bid conference to address the questions? No; this was the forum for posing
questions, until yesterday at 12 midnight.
9. Can you please provide us the timeline as to when the deliverables are due? Answered in RFP; the project
will commence upon finalization of the contract with the vendor.
10. For the assessment and findings, please provide us the appropriate sample size (e.g., at ipa
clinics, the sample size should be 10; etc.). Answered in RFP; this is a vendor recommendation based on
best practices.
11. Who is the executive sponsor(s) for this project? Not required to respond to the RFP
12. Will Broward Health provide the selected consultant with a project liaison or coordinator to assist
with the coordination, planning, and communications of this project? Answered in RFP – Mary
Hummel is identified in the document.
13. To confirm, is Broward Health seeking a HIPAA Security Risk Analysis as defined in the HIPAA Security
Final Rule 45 CFR 164.308(a)(1)(ii)(A) only, or is the HIPAA Privacy Rule to be included in this project
effort? RFP Section VII.D.7 is titled “Privacy Rule Validation Requirements” (page 29) and we want to
double-check that the HIPAA Privacy Rule is out of scope for this project. Please confirm or clarify.
Clarification made in prior answers (see item 1 above).
14. Is Broward Health seeking a one-time HIPAA security risk assessment or an ongoing security
program? A one-time yearly analysis.
15. Does Broward Health have a software and hardware inventory that is relevant to HIPAA that you can
share with bidders? Question is unclear
16. Has Broward Health completed any gap analysis or risk analysis with respect to their HIPAA
compliance in the past?
a. If yes, would the selected consultant have access to the results and when would they
receive them? – Yes, yearly
17. Is this a new contract or a renewal of an earlier contract? If it is a renewal, who is/was the incumbent
vendor? – New, yearly
18. What does Broward Health anticipate for the timing and duration of this project? Will commence
within two weeks of award and contract finalization.
19. Has Broward Health done any previous work regarding HIPAA? If yes: See above questions
a. Please describe the nature and scope of the previous work conducted.
b. When was this work conducted?
c. What documents exist for this work?
d. Did an external vendor conduct this work? If so, who? What was the contract value(s)?
20. Will Broward Health be willing to provide advance materials, transmitted securely, to allow the
successful consultant to review documentation and make preparations prior to conducting work onsite
at Broward Health? Dependent on the data requested; this will be worked through with the awarded
vendor.
21. Regarding RFP Section II.1 (page 6): The RFP states “The successful candidate will have documented
healthcare experience providing a HIPAA healthcare security assessment experience, implementation
services, documentation and post implementation support.”
As it relates to this HIPAA Security Risk Analysis project, can Broward Health elaborate on
its expectations for the selected consultant to provide “implementation services,
documentation and post implementation support”? This pertains to the Risk Analysis,
documentation of findings, and recommendations in response to the findings.
22. Regarding item #5 in RFP Section VII.A (page 22): What is Broward Health’s expectation and/or
preference for the ratio of on-site versus remote project support? This would be determined and
discussed upon award, to identify areas requiring onsite versus remote activity.
23. Regarding item # 5 in RFP Section VII.C (page 25): Are we correct in assuming that the maximum
number of Broward Health sites will be 10? Page 22 of the RFP mentions a “random sampling of 4
major hospitals, 2 large clinics and 4 doctor practices.” Random sampling with a minimum of the
number identified in the RFP.
24. Pages 34 and 35 are missing from the RFP. Can Broward Health make the missing pages available to
potential bidders on its Corporate Resource & Materials Management Website?
25. May we receive answers to all questions submitted by potential bidders? – Addendum will be sent to
all bidders
26. Does Broward Health have a budget estimate or range for this project that you can share? If yes,
please provide detail. – This is not a valid RFP question.