Page 1 of 13
Request for
Proposal
Island County
Information Technology
Department
HIPAA/HITECH ACT/OMNIBUS
Compliance Consulting Services
Island County
Island County is soliciting proposals for the provision of professional services to assist in Health
Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic
and Clinical Health (HITECH) Act compliance efforts throughout Island County Government.
I. INTRODUCTION
Island County is seeking a qualified contractor to provide Health Insurance Portability and
Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health
(HITECH) Act Compliance Consulting Services for select departments and offices in Island County
Government.
This Request for Proposal (RFP) is being released to invite qualified companies and professionals to
prepare and submit proposals in accordance with the instructions provided. Written proposals will be
evaluated by the County based upon the contractor’s ability to perform the services required under
the contract, contractor’s qualifications, professionalism and cost.
II. GENERAL REQUIREMENTS
A. HISTORY
In 1996, the United States Congress passed the Health Insurance Portability and
Accountability Act (HIPAA), one of the purposes of which was to simplify and standardize
the administrative functions of healthcare. The Administrative Simplification provisions
(Title II) of this law require an adaptation and implementation of standards for the
privacy, security and arrangement of electronic healthcare transactions. The Health
Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) of the
American Recovery and Reinvestment Act of 2009 (ARRA) contains provisions that
significantly affected the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule and
the HIPAA Security Rule (collectively, the “HIPAA Rules”) were issued by the United
States Department of Health and Human Services in 2002 and 2003, respectively.
B. BACKGROUND
In 2002 Island County conducted a County-wide assessment of all Offices and
Departments to determine applicability of the Health Insurance Portability and
Accountability Act, determine which Offices and Departments were bound to the
provisions, and develop policies and procedures to ensure compliance. It was
determined by the County Prosecuting Attorney that Island County is a Hybrid Entity and
has operations that meet the classification of a “Small Health Plan” but none that fall
into the classifications of “Covered Entity Provider” or “Clearinghouse.”
Island County, under advisement by the Office of the County Prosecuting Attorney and
with close scrutiny of the Federal HIPAA legislation and website*, developed HIPAA
policy and practices to govern how specific Offices and Departments handle private and
protected health information. A HIPAA Screening Committee was instituted in 2002, to
provide ongoing compliance advice and audit reporting to the County on the
development of HIPAA regulations and any reportable issues or breaches within the
County.
Since the adoption and implementation of the initial policies and procedures, use of
electronic data and electronic transmission has increased substantially. Island County
provides a variety of health related programs and services. Current policies and
procedures may need to be updated to reflect changes in regulations and best industry
practices to ensure compliance.
* The HIPAA website is located at http://www.hhw.gov/hipaa/for-professionals/security/laws-regulations/
C. DEFINITIONS
Agency means the County of Island, WA.
Analysis means the HIPAA/HITECH/OMNIBUS Act Privacy and Security Gap Analysis
requested through this RFP.
Compliance means meeting the requirements of the HIPAA Privacy and Security Rules.
Contract means a written agreement between the COUNTY and RESPONDENT selected
to provide a HIPAA/HITECH/OMNIBUS Privacy and Security Gap Analysis.
Consultant means the successful RESPONDENT selected to provide a
HIPAA/HITECH/OMNIBUS Privacy and Security Gap Analysis under contract to the
COUNTY.
Division means a branch or subunit of an Elected Office or Department with unique
functions to support the mission and goals of the specific Office or Department.
ePHI means electronic Protected Health Information.
Gap Analysis means an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic protected
health information held by a covered entity. For the purposes of this RFP, gap analysis
will also include a written report of analysis findings with short term and long term
remediation necessary to ensure HIPAA Privacy and Security compliance, preparation of
HIPAA Privacy and Security policies and procedures, assistance in identifying covered
components for an appropriate hybrid entity designation, and review of existing HIPAA
Privacy and Security mandated online training programs and, if necessary, development
of enhancements to training programs.
HIPAA means the Health Insurance Portability and Accountability Act of 1996.
HIPAA Privacy Rule means the provisions regarding the privacy of individually
identifiable health information located in 45 CFR Part 160 and Subparts A and E of Part
164 as well as any amendments.
HIPAA Security Rule means the provisions regarding security standards for the
protection of electronic protected health information located in 45 CFR Part 160 and
Subparts A and C of Part 164 as well as any amendments.
HITECH Act means the Health Information Technology for Economic and Clinical Health
Act of 2009 as well as any amendments.
Hybrid Agency means, as described in HIPAA, a single legal entity whose business
activities include both HIPAA covered and non-covered functions. Island County was
determined to be a “Hybrid Agency” by Resolution C-24-03.
OMNIBUS Act means the final rule enacted in January 2013, titled “Modifications to the
HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health
Information Technology for Economic and Clinical Health Act and the Genetic
Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.”
PHI means Protected Health Information for an individual that identifies past, present, or
future health conditions or provisions of health care.
Proposal means a formal, written response to this RFP submitted by a RESPONDENT.
Request for Proposal (RFP) means all documents, including those attached or
incorporated by reference, used for soliciting proposals to provide a
HIPAA/HITECH/OMNIBUS Privacy and Security Gap Analysis.
RESPONDENT means any person or organization who submits a Proposal in response to
this RFP.
D. PURPOSE
In order to ensure compliance with the HIPAA Privacy and Security Rules, the County is
requesting a CONSULTANT to perform a HIPAA/HITECH Privacy and Security Gap
Analysis. The purpose of this RFP is to select a qualified CONSULTANT to perform the
gap assessment for those organizational units listed in G. Select Departments and Offices,
and to identify problem areas and make specific recommendations for remediation to
ensure HIPAA/HITECH/OMNIBUS Privacy and Security compliance.
E. SUMMARY OF SCOPE OF WORK
The scope of work shall consist of visiting different Island County offices and
departments to perform the assessment. A written summary of all problem areas shall
include specific remediation recommendations for HIPAA/HITECH/OMNIBUS Privacy and
Security compliance. The CONSULTANT shall have the staff and resources to implement
and complete the requirements of this RFP, including the written summary, within one
hundred twenty (120) days after contract signing.
F. DESCRIPTION OF ISLAND COUNTY
Island County consists of many Departments and Offices providing a myriad of functions
and services in support of the citizens and inhabitants of Island County, Washington.
Many of these services include the collection and/or use of PHI resulting in the
maintenance and use of both physical and ePHI. Island County has a need to contract
with an outside CONSULTANT to assess the County’s compliance efforts as a Hybrid
Entity regarding HIPAA Privacy and Security and the HITECH/OMNIBUS Act. This
assessment will note current effort status and identify deficiencies. The CONSULTANT
will be responsible for the Services and Deliverables provided in section H.
G. SELECT DEPARTMENTS AND OFFICES
The offices and departments to be assessed are those that are subject to HIPAA as a
hybrid agency. These include:
1. Health Benefits Coordinator under the Auditor’s payroll function;
2. Human Resources;
3. Human Services;
4. Information Technology; and
5. Public Health.
H. DETAILED SCOPE AND DELIVERABLES
The CONSULTANT shall:
1. CONDUCT HIPAA PRIVACY AND SECURITY GAP ANALYSIS AND PREPARE A
WRITTEN REPORT OF ANALYSIS FINDINGS FOR EACH BRANCH/PROGRAM THAT
INCLUDES SPECIFIC SHORT AND LONG-TERM REMEDIATION NECESSARY TO ENSURE
HIPAA PRIVACY AND SECURITY COMPLIANCE.
a. Conduct a thorough Analysis. The Analysis will specifically evaluate the
current standing of Island County business practices in relation to HIPAA Privacy
and Security rules. This will include current County operations and policy status
as compared to HIPAA Privacy and Security Rule standard and specific
remediation steps to correct potential violations. The Analysis will include all
HIPAA connected offices and departments, related administrative policies and
procedures, physical facility and office conditions, and information technologies
in use by Island County.
b. Compare HIPAA Privacy and Security regulations with all Washington state
security and confidentiality statutes and identify which state statutes are more
restrictive than the federal law.
c. Conduct onsite visits of all involved branches/programs in order to evaluate
physical structures to determine if building or space modifications are required
to comply with HIPAA Privacy and Security regulations or other state privacy and
security statutes.
d. Interview selected management and staff members regarding common
privacy and security related practices within branches/programs and between
branches/programs to include, but not be limited to, disposal, storage, and
encryption practices or procedures.
e. Identify all information systems and communication networks that store,
maintain, or transmit ePHI and determine compliance with HIPAA Privacy and
Security regulations or other state privacy and security statutes.
f. Evaluate the potential risks (to include the cost of failure related to privacy or
security breaches and related public communication costs) associated with how
the different divisions/programs collect, use, manage, house, disclose and
dispose of information and evaluate options or changes to current practices in
order to meet HIPAA Privacy and Security regulations or other state privacy and
security statutes. Evaluate risks related to management, investigation and
remediation of privacy and security breaches.
g. Analyze the current County physical and electronic PHI-handling and
monitoring practices against the requirements of HIPAA Privacy and Security
regulations and identify gaps between current practices and required practices
under HIPAA Privacy and Security regulations.
h. Review Office and Department procedures for release, disclosure and
recording of health information for compliance with each of the following HIPAA
Privacy and Security standards:
164.308 Administrative Safeguards
164.310 Physical Safeguards
164.312 Technical Safeguards
164.502(b) Standard: Minimum Use and Disclosure of PHI
164.530(a) Standard: Personnel Designations
164.530(b) Standard: Training
164.530(c) Standard: Safeguards
164.530(d) Standard: Complaints to the Covered Entity
164.530(e) Standard: Sanctions
164.530(f) Standard: Mitigation
164.530(g) Standard: Refraining from Intimidating and Retaliatory Acts
164.530(h) Standard: Waiver Rights
164.530(i) Standard: Policies and Procedures
164.530(j) Standard: Documentation
i. Review the County HIPAA Breach incident reporting and response practices,
procedures and policies for sufficiency.
j. Review a sampling of County contracts, Joint Powers Agreements,
Memoranda of Understanding, Government Service Agreements, Business
Associate Agreements, and other organizational relationships for HIPAA Privacy
and Security compliance.
k. Review County HIPAA Privacy and Security training modules currently used by
the Agency to determine if there are gaps between training content and HIPAA
Privacy and Security standards or state privacy and security statutes. Evaluate
training module to determine appropriate changes to improve training efficacy.
Identify training requirements for staff, management, and executive levels to
include determination if some training should be procured externally for specific
programs and services.
l. Review County Human Resources policies, procedures and practices for HIPAA
Privacy and Security compliance, including the review of all HIPAA-related
agreements for new hires (County employees, contracted employees,
temporary employees, volunteers, etc.), the sufficiency of the HIPAA Privacy and
Security Officers’ job descriptions and job assessments, employee disciplinary
process and the protocol for addressing breach-related infractions.
m. Describe in detail a proposed analysis process to be followed for each
division/program including a work plan documenting tasks to be accomplished,
timeframes, the responsible party, and deliverable work products.
n. Commence Analysis within fifteen (15) calendar days of Contract award and
complete Analysis within one hundred twenty (120) calendar days of the
Contract award. Submit to County a comprehensive report detailing the findings
of the Analysis, due within fifteen (15) calendar days (timeframe negotiable) of
completing the field analysis.
o. Suggest specific short and long-term projects and remediation for each
individual branch/program audited, including a tentative timeframe and budget,
for the correction of identified discrepancies in HIPAA Privacy and Security
compliance.
2. ON-SITE VALIDATION OF PHYSICAL SECURITY CONTROLS
a. In addition to the requirement for a risk assessment, the HIPAA Security Rule
requires compliance with additional Safeguards to protect the confidentiality,
integrity, and availability of protected health information. CONSULTANT will
assess the state of Island County compliance with the following HIPAA Security
Rule sections:
164.308 Administrative Safeguards
164.310 Physical Safeguards
164.312 Technical Safeguards
164.314 Organizational Requirements
b. CONSULTANT is to provide a HIPAA Security Rule compliance report within
fifteen (15) days following assessment of physical security controls. The report
will include assessment of Island County’s compliance with each HIPAA Security
Rule specification, along with risk rated prioritization of recommendations for
remediation of any identified compliance gaps.
3. HIPAA SECURITY RULE RISK ANALYSIS
a. In the spirit of the HIPAA risk analysis [as required in section
164.308(a)(1)(ii)(A)] CONSULTANT will perform a risk assessment of the PHI
held by Island County. The assessment will include the following stages:
Asset Identification: Work with County personnel to identify each asset
where PHI is either stored or transmitted.
Threat Identification: Facilitate a review with County to identify the
types of threats that may affect the identified assets.
Vulnerability Identification: Facilitate a review with County to identify
any known or likely vulnerabilities to the identified assets.
Inherent risk: Based on the above details, CONSULTANT will facilitate a
risk assessment of the inherent risk to PHI in the identified assets.
Controls identification: Identify any existing controls that may reduce
the inherent risk for these assets.
Gaps identified: Based on the threats, vulnerabilities, and controls
identified, and using the assessors’ judgment, what are the current
gaps?
Residual risk: Reevaluate the risk to the asset based on the existing
controls.
Recommended remediation: Based on the residual risks, the
CONSULTANT shall submit a list of recommended controls for
consideration.
b. A risk assessment report will be issued that will include the results from each
portion of the assessment, the final risk profile, and potential solutions.
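As an added illustration (not part of the RFP or of any Island County material), the Python below carries the eight stages above through a small constructed risk register: inherent risk from a likelihood and impact scale, residual risk after the controls already in place, the gap list that remains, and recommended controls wherever residual risk stays above the low band. The 1-5 scales, the asset names, threats and control names are all constructed assumptions chosen to show the method, not findings.

```python
"""Worked example of the risk analysis stages listed in item 3: asset and threat
identification, vulnerability identification, inherent risk, controls, gaps,
residual risk and recommended remediation.  Added illustration only; the 1-5
scales, assets, threats and control names are constructed, not Island County data."""
from dataclasses import dataclass, field

# Constructed ordinal scales; inherent risk = likelihood x impact (1-25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    name: str
    vulnerability: str                 # how the asset is exposed to this threat
    likelihood: str
    impact: str
    mitigating_controls: list = field(default_factory=list)  # controls that address it


@dataclass
class Asset:
    name: str
    stores_phi: bool
    transmits_phi: bool
    existing_controls: set
    threats: list


def rate(score: int) -> str:
    """Map a 1-25 score onto the constructed low/medium/high bands."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


def inherent_risk(t: Threat) -> int:
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]


def residual_risk(t: Threat, existing: set) -> int:
    """Each mitigating control already in place lowers likelihood one step (floor 1)."""
    in_place = sum(1 for c in t.mitigating_controls if c in existing)
    return max(1, LIKELIHOOD[t.likelihood] - in_place) * IMPACT[t.impact]


def assess(asset: Asset) -> list:
    """One register row per asset/threat pair: gaps are the mitigating controls
    not yet in place; remediation is recommended while residual risk stays
    above the low band."""
    rows = []
    for t in asset.threats:
        gaps = [c for c in t.mitigating_controls if c not in asset.existing_controls]
        inh, res = inherent_risk(t), residual_risk(t, asset.existing_controls)
        rows.append({
            "asset": asset.name, "threat": t.name, "vulnerability": t.vulnerability,
            "inherent": inh, "inherent_rating": rate(inh),
            "controls_in_place": sorted(set(t.mitigating_controls) & asset.existing_controls),
            "gaps": gaps, "residual": res, "residual_rating": rate(res),
            "recommend": gaps if rate(res) != "low" else [],
        })
    return rows


# Constructed inventory standing in for the output of the asset identification stage.
SAMPLE_ASSETS = [
    Asset("Benefits coordinator laptop", True, False,
          {"full-disk encryption", "screen lock", "role-based access"}, [
        Threat("Device theft", "laptop carried off-site", "possible", "major",
               ["full-disk encryption", "remote wipe"]),
        Threat("Unauthorized viewing", "unattended logged-in session", "likely", "moderate",
               ["screen lock", "role-based access"]),
    ]),
    Asset("Public Health file share", True, True, {"role-based access"}, [
        Threat("Ransomware", "unpatched file server", "likely", "severe",
               ["patch management", "offline backups", "endpoint protection"]),
        Threat("Interception in transit", "cleartext file transfer between sites",
               "possible", "major", ["encryption in transit"]),
    ]),
]


def build_register(assets=SAMPLE_ASSETS) -> list:
    """Full register ordered by residual risk so remediation can be prioritised."""
    rows = [row for a in assets for row in assess(a)]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


if __name__ == "__main__":
    for r in build_register():
        print(f"{r['asset']:<30} {r['threat']:<26} inherent={r['inherent']:>2} "
              f"residual={r['residual']:>2} ({r['residual_rating']}) gaps={r['gaps']}")
```

The register deliberately keeps the inherent score next to the residual score: the difference between the two is the credit the existing controls earn, and a row whose residual rating is still medium or high is exactly the "gaps identified" output the stages call for, with its `recommend` list feeding the final remediation stage.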
4. INTERNAL PENETRATION TEST
a. Taking a vulnerability assessment beyond a simple “check the box” approach,
CONSULTANT should use an attacker mindset to increase the effectiveness and
findings of the internal assessment. In this case, the assessment is specifically
targeting network infrastructure and segmentation, end-user workstations, and
exfiltration techniques. CONSULTANT must use a realistic perspective of the
effectiveness of the defensive mechanisms currently in place at preventing and
detecting an attacker. In general terms, exploitation techniques are listed
below.
Internal network reconnaissance
System fingerprinting
Server and workstation configuration flaws
Privilege escalation
Vulnerability exploitation
Password policy requirements
Database vulnerability scanning
Firewall and ACL testing
Protocol poisoning
Egress testing
Website filtering
5. EXTERNAL PENETRATION TEST
a. Included in the scope of this security assessment is an external network
penetration test. CONSULTANT’S security methodology should include more
than a simple scan of an IP range for a variety of vulnerabilities. Going beyond
the surface, CONSULTANT’S security professionals should apply advanced
attacker tactics and techniques targeting the external infrastructure including
routers, servers, VPNs, firewalls, and any other external services. However, in
contrast with the external penetration test, the external vulnerability
assessment focuses more on vulnerability discovery and remediation than
exploitation and impact identification. Attacks that may be included in the
external penetration test are listed below.
System Fingerprinting
Services Probing
Analysis and Identification of Attack Vectors
Exploit Testing
Authentication Attacks
Vulnerability Exploitation
Privilege Escalation
Exploitation of Configuration Flaws
b. The scope of the external network vulnerability assessment will include
external IP addresses maintained by Island County. Prior to the assessment
beginning, Island County will provide CONSULTANT with the list of IP addresses
to be included in the assessment.
6. PROJECT REPORT
Upon completion of the penetration test, CONSULTANT will provide a report to Island
County within fourteen (14) days of completion. The report will contain documented and
detailed findings as a result of performing the services contained and outlined within this
RFP.
I. POINT OF CONTACT
For questions regarding this RFP, please find staff contacts listed below:
1. Submittal Questions:
RFP Coordinator: Lynette Goodell
Email Address: [email protected]
2. Scope and Deliverables Questions:
IT Director: John Kent
Email Address: [email protected]
J. SUBMISSION DEADLINE AND ADDRESS
Proposals must be submitted in original and two (2) hardcopy forms plus one electronic
form (USB thumb drive or DVD) no later than 3:00 pm (PST), June 20, 2017. The
proposal must contain all sections identified in (K) Proposal Contents (below). Faxes
and late responses will not be accepted. Proposals must be delivered (all form types)
to:
By Mail: HIPAA RFP, PO Box 5000, Attn: Lynette Goodell, Coupeville, WA 98239
By Courier: HIPAA RFP, 1 NE 7th Street, Room 200, Attn: Lynette Goodell, Coupeville, WA 98239
In addition to the mandatory two (2) hardcopies and one (1) electronic copy of the proposal,
the RESPONDENT may also send an optional copy of the full proposal via email to the RFP
Coordinator at the email address above.
K. PROPOSAL CONTENTS
Proposals should be submitted on double-sided (8 ½” x 11”) paper without permanent
binding; loose-leaf binding is permissible. Any attachments or exhibits must be reduced
to letter size. Ink and paper colors must not prevent entire proposal from being
photocopied. The use of divider tabs is required.
Proposers must submit one (1) original and two (2) copies of the proposal, as well as an
electronic copy (USB thumb drive/DVD). The original should be clearly marked on the
outside cover as such. All signatures in the original proposal must be in blue ink.
Each of the major sections identified below should be separately tabbed, for easy
identification. Every page of the proposal must be numbered sequentially, including
attachments and appendices.
Evaluations are based only upon the quality of the proposed solution described in the
response to this solicitation document. Evaluators will be instructed to score only upon
the content of the response and not upon any knowledge obtained through prior
experience with the RESPONDENT or with RESPONDENT presentations and
documentation provided prior to the release of this document.
It is in the RESPONDENT’s best interest, therefore, to be thorough and fully responsive in
preparing its solutions (answers) to these requirements. Failure of the RESPONDENT to
respond to any one scored requirement will result in the RESPONDENT receiving a score
of zero (0) or no score for that part of their response.
A scored requirement will receive zero (0) if the RESPONDENT fails to include documents
or references requested. The maximum allowable score is 100 points.
1. Describe your experience and expertise in providing similar services necessary to
complete the consultant requirements in the timeframe provided. Specify projects,
dates and results, if appropriate. Include a brief description of the types of services
provided (for example research products, long term service analysis, group
facilitation, etc.). (35 points)
2. Discuss how your organization will staff the project to promote accountability for
carrying out program functions and responsiveness to timelines. Provide a detailed
listing of the key personnel or team you propose for this project, including the titles
of staff, team roles (if applicable), and a current resume of each person proposed.
Resumes must detail experience with the required skills listed in Section III.
Detailed Scope and Deliverables, of this RFP. (25 points)
3. Describe a past project in which you provided similar services. Provide an example of the
final work product (report, written policy, etc.). (15 points)
4. Provide a detailed project budget (reference project scope) based upon specific
deliverables (25 points):
a. Gap Analysis and written report.
b. HIPAA Privacy and Security Policies and Procedures.
c. Enhancements to online training.
NOTE: Transportation, lodgings and necessary tools, equipment and supplies should all
be anticipated in the budget development.
L. PROCUREMENT SCHEDULE
The Procurement Schedule outlines the tentative schedule for important action dates
and times. All dates after the proposal submission due date are approximate and may
be adjusted as conditions indicate, without amending this document. It is the
RESPONDENT’s sole responsibility to periodically check the website for amendments to
this document.
Figure 1. PROCUREMENT SCHEDULE
Item  Action                                                                   Date
1.    Island County issues RFP                                                 Jun 3, 2017
2.    RESPONDENT may submit written questions and comments until 3:00 p.m.     Jun 9, 2017
      Pacific Standard Time
3.    Island County will issue written responses to the original RESPONDENT    Jun 16, 2017
      and make them available on the Island County website.
4.    RESPONDENT must submit Proposal by 3:00 p.m. Pacific Standard Time       Jun 20, 2017
5.    Anticipated Contract Start Date                                          On or about Jul 24, 2017
M. EVALUATION CRITERIA
An award will be made to the RESPONDENT whose proposal is determined to be the
most advantageous to Island County, taking into account price and other evaluation
criteria as set forth in this RFP. Staff of other agencies and consultants may be involved
in the evaluation of the proposals. Island County reserves the right to reject any and all
proposals submitted in response to this RFP.
A score of zero (0) on any scored requirement may cause the entire response to be
eliminated from further consideration.
During the evaluation process, RESPONDENT(S) may be contacted for the purpose of
obtaining clarification of their response. However, no clarification will be sought if a
RESPONDENT completely fails to address a feature contained in the RFP document. If the
failure was in response to a mandatory feature, the RESPONDENT may be disqualified.
As part of its evaluation, Island County may conduct interviews with one or more
RESPONDENT(S). In such an event, RESPONDENT(S) may be required to travel to
Coupeville, Washington, at their own expense, to participate in an on-site interview.
Conversely, Island County may elect to travel to the RESPONDENT(S) headquarters to
conduct the interview, as well as tour its facilities.
Upon completion of the evaluation process, the County may select a RESPONDENT(S)
with which to negotiate a contract, based on the evaluation findings and other such
criteria as deemed relevant for ensuring that the decision is made in the best interest of
Island County. In the event Island County is successful in negotiating with the
RESPONDENT(S), Island County will issue a notice of award. In the event Island County is
not successful in negotiating with a particular RESPONDENT, Island County reserves the
option of negotiating with another RESPONDENT. Island County may cancel the
procurement and make no award, if that is determined to be in Island County’s best
interest.
NOTE: Island County will accept all proposals properly submitted. After receipt of
proposals, Island County reserves the right to sign a contract, without negotiation, based
on terms, conditions and premises of the RFP and the proposal of the selected
RESPONDENT. Proposals must be responsive to all requirements in the RFP in order to be
considered for contract award. For Island County General Terms and Conditions, please
see Exhibit A.