aca compliance provider request for proposal (rfp) · aca request for proposal (rfp) 1 the purpose...

ACA COMPLIANCE PROVIDER REQUEST FOR PROPOSAL (RFP)

SEPTEMBER 2016

ACA REQUEST FOR PROPOSAL (RFP)

1

The purpose of this RFP is to identify and engage an outsourcing solution partner to provide ACA Compliance services to CLIENT with efficiency, industry-leading performance and support. Required Services (Determining Status, Counting Hours and Reporting):

1. Determining Eligibility Data Sources and Classes a. Accept third party data files from the CLIENT HRIS and Payroll systems b. Manage data and generate edit/audit reports c. Support multiple classes of employees, possibly with multiple measurement periods (hours

measured, hours worked and paid, paid LOA, equivalent for non-hourly, qualified unpaid hours, breaks in service (rule of parity), educational Institution rules)

2. Counting and Tracking to Fulfill Eligibility Requirements

a. Support historical and/or on-going calculations of full-time status based on the look-back measurement method (part-time only)

b. Tracking and notification process for full-time status changes for new hires and ongoing eligibility changes

3. Employer Monitoring and Reporting

a. Provide rule/role based security access for reporting b. Reporting of hours (access to reports): scheduled, point in time, on-demand, custom report design

available to employer c. Configure reports/notifications for different trigger points d. Provide an employer dashboard (reports and graphics, drill down for details, alerts) e. Provide the ability to forecast potential “pay or play” penalties

4. IRS Reporting (Section 6055 / 6056)

a. Populate the reports for Section 6055 and 6056 b. Distribute Form 1095-C to employees c. E-File ACA required reporting with the IRS d. Employee call center for 1095-C questions e. Manage Public Exchange inquiries f. Manage IRS appeals

Service Provider Expectations: CLIENT is looking for a long term partnership with a ACA Compliance Provider who has proven operations and IT infrastructure and will provide:

1. A partner that will ensure compliance with current and future ACA regulations. 2. A relationship based on the spirit of partnership with a high level of transparency. 3. A partner that is flexible and can respond quickly. 4. A highly secure technical environment that ensures protection of CLIENT employee data. 5. A process that is technologically advanced and rules/eligibility based. 6. Proactive issue management processes. 7. Thoroughly documented and updated policies and procedures. 8. Timely and accurate transaction processing backed up by industry standard service level agreements. 9. Easy access to data for reporting and analysis purposes. 10. Adherence to industry standard best practices. 11. Adherence to applicable regulations, e.g., HIPAA, etc.


2

TIMELINE

TASK DATE

Request for Proposal released

Service providers to submit clarifying questions for RFP

Answers to RFP clarifying questions returned to service providers

RFP Questionnaire, Pricing Response & Attachments Submitted (Hard/Electronic copies)

Web demos

RFP analysis report finished

Service provider decision finalized

Contract negotiations completed

Implementation kick-off

Target go-live


3

CLIENT INFORMATION Insert information compiled through ACA Discovery Template:

Current ACA process

Employee metrics

Data requirements

Desired service provider solutions

The following is a summary of the impacted employee benefit plans and providers supporting current HR information, timekeeping, leave management, payroll, benefits eligibility and enrollment for CLIENT:

SERVICE PROVIDER

Medical and Rx Carrier TBD

HR Information System TBD

Timekeeping System TBD

Benefits Eligibility and Enrollment System TBD

Leave Management System TBD

Payroll System TBD

W2 Preparer TBD

COBRA Administrator TBD


4

SERVICE PROVIDER PROFILE

Should you be selected as the service provider to CLIENT, your response to this RFP will be an attachment to the definitive contract, and the information that you provide in response to this RFP will have contractual effect.

Because answers and information that do not reflect reality may place you in breach of contract, you are encouraged to give full, complete and accurate answers and information from the outset.

Please answer these questions in consideration of CLIENT’s current ACA compliance administration process information provided in this RFP.

COMPANY INFORMATION

RFP QUESTION: SERVICE PROVIDER RESPONSE:

Question 1a. a. Company profile

Response 1a.

Question 1b. b. Company history

Response 1b.

Question 1c. c. Date ACA compliance services were established

Response 1c.

Question 1d. d. Indicate the name and the ACA business function of any subcontractors you are using to provide ACA services

Response 1d.

Question 1e. e. Location of company headquarters

Response 1e.

Question 1f.

f. Company size

Response 1f.

Question 1g.

g. Company growth plans (e.g., planned mergers, acquisitions, divestitures)

Response 1g.

Question 1h. h. Total number of employees in your ACA Compliance Department

Response 1h.

Question 1i. i. Work locations:

Company facility locations

Type of work being performed at each facility

Location that will primarily service the prospective client

Response 1i.


5

Question 1j. j. Overall company turnover and service center turnover over the past 12 months

Response 1j.

Question 1k. k. Services that are performed off-shore, where they are performed & for how long they have been performed in that location

Response 1k.

Question 1l. l. Number and average size of employers your ACA Compliance Service Team manages

Response 1l.

Response 1m. m. Is your firm willing to indemnify CLIENT for service provider errors that result in penalties to the company?

Response 1m.

AUDITS & SECURITY

1. INSURANCE, SYSTEMS & TECHNOLOGY AUDITS Describe all audits, tests and reviews conducted over the past 24 months internally or by clients, prospects and/or 3rd party service providers that you have hired specifically for audit purposes. There is no need to include written descriptions of formal audit results submitted as part of this RFP response.

RFP QUESTION:

SERVICE PROVIDER RESPONSE:

Question 1a. a. OPERATIONS Audits:

SSAE 16 (SOC 1, SOC 2, or SOC 3); include Issue Date, Type and Opinion (If you have not yet conducted a SSAE 16 SOC Audit, explain plans/timing of doing so.)

Response 1a.

Question 1b. b. DATA CENTER Audits:

SSAE 16 (SOC 1, SOC 2, or SOC 3); include Issue Date, Type, and Opinion (If you have not yet conducted a SSAE 16 SOC Audit, explain plans/timing of doing so.)

Response 1b.

Question 1c. c. SECURITY & TECHNICAL audits:

Tests and reviews including the following:

Answer 1c. Performed Internal/External (If external, who

performed?)

Additional Details

IT Risk Assessment Audit consistent with the ISO 2700 Standard

Application Code Reviews


6

Penetration or Vulnerability Scans

Security Audits

Stress Testing for Peak Periods

Question 1d. d. Insurance Coverages, Name of Carrier and Coverage Level for General Liability

Response 1d.

Question 1e. e. Tech Errors & Omissions (E&O) and Cyber Crime Insurance Coverage (Not Regular E&O):

Name of carrier and coverage level for Tech E&O coverage in force

Name of carrier and coverage level for Cyber Crime coverage in force

Response 1e.

Question 1f. f. Are the Tech E&O and Cyber Crime policies referenced in Question 1e. paid in full for the full-term and currently in force?

Response 1f.

Question 1g. g. Financial Audits, Tests and Reviews including:

Financial statements audited by public accountants resulting in an opinion (Include issue date, and opinion type issued: Unqualified, Qualified, or Adverse)

Response 1g.

Question 1h. h. If you are a privately held firm, are you willing to share your last two years of audited financial statements if selected as a finalist?

Response 1h.

2. SECURITY

RFP QUESTION:


Question 2a. a. Do you have a data breach plan in place? Have you ever been required to disclose a HIPAA breach of information for a client’s employee population?

If Yes: o What steps were taken to resolve? o Was your breach: 1) Unintentional (stolen laptop), 2) Intentional (disgruntled

employee) or 3) Outside breach?

Response 2a.

Question 2b. b. Has your company been under examination by the Department of Labor (DOL) or Department of Health and Human Services (HHS) within the last 4 years in relation to HIPAA security or procedures? If so, was remedial action required and/or were fines assessed in relation to service failures affecting your current or former clients?

Response 2b.


7

Question 2c. c. Describe your process for storing client data (i.e., servers, locations, cloud, etc.). What redundancy and security processes are used to ensure continuity of service?

Response 2c.

Question 2d. d. Confirm compliance with all HIPAA & HITECH requirements and regulations. Confirm you have a dedicated department and/or dedicated staff members responsible for monitoring and assuring HIPAA compliance.

Response 2d.

Question 2e. e. Confirm all subcontractors' compliance with all HIPAA & HITECH requirements and regulations. Confirm you will be responsible for executing BAAs with subcontractors and will be responsible for any subcontractor breaches in data security.

Response 2e.

Question 2f. f. Please detail your background check policy for employees and if it’s performed by a third party.

Response 2f.

3. ENCYPTION

RFP QUESTION:


Question 3a-h. Description of your encryption protocol?

Response 3a-h. Encrypted (Yes/No) Additional Details

a. Level: Database

b. Level: Field

c. At Rest

d. In Transit

e. Internal to your Network

f. External to your Network

g. Back-Up Data

h. Test Database

Question 3i. i. Who has control over the decryption keys?

Response 3i.

Question 3j. j. Are your data files encrypted during transmission (i.e., SFTP)?

Response 3j.

Question 3k. k. How is it protected at the destination?

Response 3k.

Question 3l. l. Outline the “front door” protection (i.e., protected using IDs and passwords).

Response 3l.


8

Question 3m-o. Password Protocols

Response 3m-o. m. Length?

n. Construct?

o. Duration?

4. OTHER

RFP QUESTION:


Question 4a. a. Detail your firewall and intrusion protections, network and host-based.

Response 4a.

Question 4b. b. Detail your user authentication process and restrictions.

Response 4b.

Question 4c. c. Detail your network access policy/approach as it relates to external interfaces.

Response 4c.

Question 4d. d. Detail your network integration abilities.

Response 4d.

Question 4e. e. Is your platform one single database or multiple?

Response 4e.

Question 4f. f. Detail your networks scalability to meet increases in demand.

Response 4f.

Question 4g. g. How many years of historical data can be kept? Is there a mechanism to archive/purge this information per regulatory guidelines?

Response 4g.

Question 4h. h. What operating systems (including mobile devices) and browsers are supported?

Response 4h.

ACA COMPLIANCE ADMINISTRATION

1. PROCESS


Question 1a. a. Is your ACA Compliance Administration available in a modular format (i.e., hours tracking on a stand-alone basis, reporting on a stand-alone basis)?

Response 1a.

Question 1b. b. Can you manage the tracking of multiple eligibility groups?

Response 1b.

Question 1c. c. Can you load data for the historical portion of the current measurement period?

Response 1c.


9

Question 1d. d. Do you have the capability to track multiple and variable measurement periods?

Response 1d.

Question 1e. e. Are you able to apply both monthly and look-back measurement methods?

Response 1e.

Question 1f. f. Are you able to track limited non-assessment periods?

Response 1f.

Question 1g. g. Are you able to track hours of service for non-hourly employees, including per diem employees?

Response 1g.

Question 1h. h. Can your system manage measurement and stability periods based on payroll dates as opposed to the first of the month?

Response 1h.

Question 1i. i. Describe your Employer Notification and Reporting Process for status changes, including dashboard capabilities, if applicable.

Response 1i.

Question 1j. j. Describe your Employee Notification Process for status changes.

Response 1j.

Question 1k. k. Are you able to include retirees and COBRA in the data for reporting?

Response 1k.

Question 1l. l. Are you able to forecast and trend Benefit Eligible Status on an on-going basis?

Response 1l.

Question 1m. m. Are you able to calculate Affordability? Please describe the process and the Safe Harbor options supported.

Response 1m.

Question 1n. n. Describe your employer reporting capabilities specific to forecasting full-time status changes and the associated impacts.

Response 1n.

2. DATA FILES


Question 2a. a. Are you able to import data from multiple 3rd party data sources? If so, please outline any limitations with this process.

Response 2a.

Question 2b. b. Do you require input data to be provided in a pre-determined template or do you have custom data intake capabilities?

Response 2b.


10

Question 2c. c. Describe your audit process for 3rd party data intake.

Response 2c.

Question 2d. d. Can the 3rd party data be edited once it is loading into your system? If so, please outline any limitations with this process.

Response 2d.

3. REPORTING


Question 3a. a. Are you able to manage (compile, e-file, distribute) the ACA IRS Reporting Requirements (Sections 6055 and 6056)? If so, describe your process for managing these requirements.

Response 3a.

Question 3b. b. Specifically, are you able to manage the ACA IRS Reporting Requirements for Form 1095-C, Lines 14, 15 and 16 (including Interpreting benefit data for indicator codes for Line 14, 15 And 16 on the 1095-C)? Please describe any limitations with FULLY completing this section of Form 1095-C.

Response 3b.

Question 3c. c. Has offeror’s solution been audited by a 3rd party to verify that all ACA regulations are accounted for and calculated correctly? If so, please list the 3rd party auditor.

Response 3c.

Question 3d. d. Is the 1095-C reporting available online for employees to access?

Response 3d.

Question 3e. e. Do you integrate with 3rd party tax systems like Turbo Tax or Quicken? If so, please list the providers.

Response 3e.

Question 3f. f. How long will you retain data and IRS reports for employee and employer inquiries?

Response 3f.

Question 3g. g. Is the 1095-C reporting online available for employers to access, review, audit and update both pre and post filing. If so, is there an audit trail? If a correction filing is required, does it automatically generate an updated e-file?

Response 3g.

4. IRS SUPPORT SERVICES


Question 4a. a. Do you provide call center services for employee inquiries regarding 1095 Reporting?

Response 4a.


11

Question 4b. b. Do you manage IRS inquires and penalties?

Response 4b.

Question 4c. c. Describe any support provided with Public Exchanges for penalty verifications and appeals.

Response 4c.

5. OTHER ACA REQUIREMENTS


Question 5a. a. Do you report the employer and employee Total Premium Cost of applicable plans to payroll to be included on the W2? Please include method of reporting (payroll feed or other report) and frequency (per payroll or year-end files).

Response 5a.

Question 5b. b. What level of customization is available for the Notice of Exchanges? What Is the method of distribution and associated costs?

Response 5b.

Question 5c. c. Please indicate how you can support the calculation of the Number of Covered Lives for the Patient-Centered Outcomes Research Institute (PCORI) Fee. Please include a description of your reporting capabilities, including counting methods supported.

Response 5c.

Question 5d. d. Please Indicate the reporting available for Hours Data. Please indicate if the reports can be scheduled, are available as of a point in time, available on-demand and if a custom report design is available to the client.

Response 5d.

ROLL OUT AND SERVICE MODEL

1. IMPLEMENTATION GO LIVE ROLL OUT


Question 1a. a. Your standard implementation timeline.

Response 1a.

Question 1b. b. Internal quality control procedures in place to audit and review all implementation related tasks.

Response 1b.

Question 1c. c. Detail how you manage and monitor your implementation and ongoing service capacity.

Response 1c.

2. SERVICE MODEL


Question 2a. a. Client Services Account Management Team structure.

Response 2a.

Question 2b. b. Location and hours the Client Services Account Management Team (not Service Center Team) is available for HR administrations (specify time zone).


12

Response 2b.

Question 2c. c. Ongoing client stewardship process – include details on: a. Methods used to monitor ongoing client satisfaction b. Frequency you review client satisfaction with clients c. Ongoing stewardship reports & stewardship analytics d. Ability to show trends and/or areas that need improvement

Response 2c.

Pricing

TASK PEPM SERIVE PROVIDER

RESPONSE:

ACA COMPLIANCE SERVICES

PEPM

DATA MANAGEMENT

PEPM

a. Load Historical Employee Payroll, Time and Benefit Data from 3rd

party data sources (HCM, Benefit Administration system, etc. PEPM

b. Load Ongoing Employee Data Files from payroll systems and other data sources

PEPM

COUNTING AND TRACKING TO FULFILL ELIGIBILITY REQUIREMENTS

PEPM

a. Support historical and/or on-going calculations of full-time status based on the client specific measurement method

PEPM

b. Tracking and notification process (reporting, dashboard, etc.) for benefit eligibility status changes

PEPM

IRS/REPORTING (SECTION 6055/6056)

PEPM

a. Fulfill reports for Section 6055 and 6056 PEPM

b. Distribute Form 1095-C to employees PEPM

c. E-file Form 1094-C with IRS PEPM

d. Distribute Form 1095-C to employees PEPM

e. Manage Public Exchange inquiries PER INQUIRY

f. Manage IRS appeals PER APPEAL


13

Appendix 1 Statement of Work (To Be Customized) This Statement of Work (SOW) is made and entered by and between CLIENT and the chosen ACA Compliance Service Provider. The chosen ACA Compliance Service Provider agrees as follows: 1. Identify/quantify Risks:

Describe risks to the project 2. Scope of Work

Describe in detail the work the chosen ACA Compliance Service Provider will perform 3. Inclusions

Describe:

Tasks to be performed

Resources assigned to tasks

Location(s) where task(s) to be performed 4. Exclusions

Describe:

Tasks that are not part of the scope of this project 5. Deliverables by Phases

Describe:

Items that will be developed or provided (i.e., products, service, plans, status reports, documentation)

Dates for delivery

Implementation plan


14

ADDITIONAL APPENDICES To be included as attachments

1. Standard Contract

2. Standard Service Level Agreement/Performance Guarantees

3. Standard Business Associate Agreement

4. Latest Audit Reports (or other External Audit Reports including: SSAE 16 (SOC 1, SOC 2, or SOC 3);

include Issue Date and Type

5. Tech Errors & Omissions Insurance Certificate

6. Cyber Crime Insurance Certificate

7. Implementation Timelines and other implementation documentation

8. Administrator Training documentation

9. Standard Ongoing Stewardship Reports

10. Results of Client Satisfaction Surveys

11. Sample Reporting Package and listing of all reports available

12. ACA Compliance Documentation and Samples

13. Security, Privacy Policies and Procedures

14. Technology Infrastructure Documents such as:

a. Network and System Infrastructure Diagrams

b. System Dataflow / Integration Diagrams

c. Business Continuity and Disaster Recovery Plans

d. Overview of Data Center Infrastructure

15. Any other materials you believe are relevant

16. Pricing Proposal