Dhs Contract Four Thought Arizona Mmis

8/9/2019 Dhs Contract Four Thought Arizona Mmis

1/7

Submit in Duplicate.04STATE OF HAW All JU~ -8 AlO :5

REQUEST FOR EJ(EMPTION FROM CHAPTER lO3D, IlKS314TE Roc/ [ MO: Chief Procurement Officer Sr~T~c.'[~ HENT OFF',i'lL! :J\Yli',II"

FROM: DHS/Med-QUEST Division(DepartmcntJDivision/Agency) I

Pursuant to 103D-I02(b)( 4), HRS, and Ch:apter 3-120, BAR. he Department requests a procurement e~ernption to'p"lD'Chasehe followin~Description of goods, services, or construction:

Refer to attachment.

Name of Vendor: FourThought Group, Inc. . I Cost:Address: 112 North Central Ave., Suite 700 I $1.8 m llion

Phoenix, Arizona 85004 IIITmmofCoouact Fuly,ennofContract: From: July, 2004 To: June, 2006 IPriorExcmption ef.No.{ifappIica

I 02-28-RI (See cOIY attached)

Explanation describing how procurement by competitive means is either not practicable or not advantag~us to the StatRefer to attachment.

Details of the process or procedure to be followed in selecting the vendor to ensure maximum fair and open competitionpracticable: Refer to attachment.

SPOF0Jm-7 (Rev.{7/1~2) 1 P.E.N -.a!l~~-MI


2/7

Submit in Duplicate REQUEST F4[)R EXEMPTION FROM CHAPTER 103D, HRS (Conl)A description of the agency's internal controls and approval requirements for the exempted procmement

The contract will be neglotiated with FourThought Group, Inc. b the DHSHIPAA Project Director i:tl consultation with the Med-QUEST Div ion. Thecontract will be reviewed and signed by the DHS Director. The HIPAA ProjDirector, with supervisi,on by the DHS Deputy Director, will h e responsibfor working directly with the contractor to ensure the scope 0 work isperformed.

A list of agency personnel, by position title, who will be involved in the approval process and adminis n of the contLillian B. Koller, Esq., Director (approve and sign contract)Henry Oliva, Deputy Director (will supervise the HIPAA Projec Director monitor the contract)Andrea J. Armitage, HIPAA Project Director (will serve as pri ry contactfor the contractor and will negotiate and monitor the cont act)Steven Kawada, Med-QUEST Division Assistant Administrator and andy Chau

Med-QUEST Division Systems Officer (will consult with HIP ProjectDirector on the budgeting and scope of the contract).

Direct questions o:Andrea J. Armitage 4

This exemption should be considered or list of exemptions attached o Chapter 3-1 ;?O,HAR: No UI CERTIFY THAT THE INFORMATION PROVIDED ABOVE IS, TO THE BEST OF MY WLEDGE,

TRUE AND CORRECT.

JUN 0 Date

Title (If other than Depar1ment Heed)Chief Procurement Officer's Comments:

Pleaseensure adherence o applicable admiJ[listrative equirements.~ APPROVED 0 DI~)APPROVED ate

cc: Adminis1rator,State Procurement Office I

SPOFonn-7 (Rev.(7/lx}2) 2 P.E. -11!l~~-


3/7

RESPONSE TOREQt1EST FOR EXE]MPTION FROM CHAPTER 103D, HRSDescription of goods, services, or construction:IllP AA SecurityRule analysisand consulting services. As the stateMedicaid age cy,the Departmentof Human Services.DHS) is required o comply with the adminis ativesimplification requirementsof the ]H:ealthnsurancePortability and Accountabili Act(HIPAA). The federal aw affects :mosthealth care providers, all health plans (the DHSmeets he definition of a health plalfl)and clearinghouses.The law has severalcomponentswith different impleml~ntation ates. Thesecomponentsare he Priv yRule, the Transactionsand Code SI~SRule, and he SecurityRule. The implemen tiondate or compliancewith the Privac;yRule was April 14, 2003, and or the Transa ionsand Code SetsRule the implement:ation ate was October 16, 2003. The impleme tationdeadline or the SecurityRule, which was finalized in April, 2003, s April 20, 20 5.The HIP AA Security Rule will greatly affect how medical nformation will be rec ived,used, shared,storedand destroyed. This affects nformation systems,processesproceduresand potentially, facility layouts. Most organizationsneed he assistan fexperts o examine,assess, nd remediate ts operations. The DHS is no differentThe contractwould be performed n two parts over a two year period. In the flfSt rt theconsultantwould review the IllP AA Security Risk Assessmenthat was previouslcompleted,and hen use hat infonnation to assist he DHS to complete he SecuriAnalysis and Risk ManagementPlan, and a ContingencyPlan. The consultantw uldgive the DHS recommendationsor appropriate,cost-effective emediationand a 'ce onhow to maximize the federal matclting funds allowable. The consultantwould al assistthe DHS to draft ustifications for ;anyaddressablemplementation specifications otcomplied with. [The Rule states hat implementationspecificationsare either req ired oraddressable~f the entity doesnot l:omply with an addressable pecification hen i mustdocument ts justification for the noncompliance.] The first part would also nclu eassisting he DHS Security Team o draft policies and proceduresand o provide ecuritypolicy awarenessraining for DHS: staff as required by the Rule. In the secondp theconsultantwould conduct an audit of the implementationdone n the flfst part, an wouldassist he DHS with creating and 1mplementing rocedures or on-going auditing fSecurityRule compliance,given t]tteconstantchanges o the DHS network infra cture,network threats, and available software/hardware.The consultantwould further sist theDHS with corrective measures as:ed n the results of those audits. The consult t wouldgive the DHS the tools necessary :0 onducton-going training updatesand rernin ers asrequiredby the Rule. The secondpart of the contractwould also require he con ltant todevelopa protocol for a Standardized nterprise Architecture for the DHS' info ationtechnology systems.


4/7

III

Explanation describing how pro(:urement by competitive means s either notpracticable or not advantageous to the State:Procurementby competitive mean~;s not advantageouso the State. When theTransactionsand Code SetsRules were n draft form, the DHS made he decision 0comply with theseRules through an nterstateagreementwith the Arizona Medic' dagency,Arizona Health Care Cost ContainmentSystem AHCCCS). AHCCCS iprocessing he Medicaid claims for both the Med-QUEST (MQD) and Social Se ices(SSD) Divisions through its claims processingsystemwhich is referred o in Haw ii asthe Hawaii PrepaidMedicaid Management nformation System HP:MMIS). In 0 der oprepare or those changes, he DH~) and AHCCCS both contractedwith FourTho htGroup, Inc., (FourThought) of Phoenix, Arizona, to complete he IllP AA transactonanalysesand remediation,and assi:stwith their Privacy and SecurityRule complia ceefforts.The DHS entered nto a sole sourc,e ontractwith FourThought n June,2002 to a sistwith its compliancewith the IllP AA Privacy and SecurityRules. This contract e iredon January31, 2004.During the contract,FourThought assisted he DHS with determining ts covered tystatus n the first phase;conducteda Privacy Rule Gap Analysis in the secondph andin the third phaseassisted he DH~; with drafting requiredPrivacy policies andprocedures, oth at the Departmentand Division levels, conducted llP AA Privatraining for all coveredcomponen1:taff on Oahu and on the Neighbor Islands,anconducted llP AA training for somenon-coveredcomponentstaff. Also in phas three,FourThought,with its Honolulu-b.iSed ubcontractor,SecureTechnologyHawaii Inc.,conductedand documenteda 1llP,~ SecurityRule Risk Assessmentwhich the 'RSreceived n January2004. Because . . onst aints,and he delayed inalization of the finallllP AA Security Rule ebruary,20 in ead ofthe anticipatedOctober, 2002), all 0 e secunty requirementsand assessments ere notcompleted.The implementationdate of April 20, 2005 for the IllP AA security requirements "Yesthe DHS only eleven months o pE~rform ll tasks required by the SecurityRule ( alysis,evaluationof alternatives,and mplementation, echnical, physical and administr tive).Given the short time frame availa1)le,t is necessaryo contractwith a consultant hat isknowledgeableof:

. IllP AA Transactionsand Code Sets.Privacy. and SecurityRules - It isimperative hat the consul1:antave expertise n all three llP AA rules. T ey areinterrelatedand nterdependent.Knowledge of general nformation tech logysecurity protocols only, wlould be unacceptable.. The Medicaid Program There are many consultants nowledgeableof AA,but the DHS is seekinga (~onsultanthat has specific knowledge ofMedi id andpublic programs. Typical1y,Medicaid programs nterfacewith a number of other

2


5/7

stateand ederal programs. There are nterfaceswith the DepartmentofH lth(DOH), Departmentof Education (DOE), and he Departmentof Public S ety(PSD). The Medicaid program reimburses or services enderedby varioudivisions within the DOH and soon he DOE. The DHS processes laims orPSD.lntemally, the DHS must assess nd make decisionson interfacesbe eenMQD, SSD, Vocational Rehabilitation Division (VRD) and he Benefit,Employment and Support ~;ervicesDivision (BESSD). Expertisewith pu licprogramsand specific kno,vledgeof Medicaid payments s required o un erstandhow to apply IllP AA regulations. Finally, knowledge of the Medicaid pr am sessential o assisting he DHS in maximizing federal reimbursement or stemand proceduralchanges.. AHCCCS and DHS OQera1~ - While both programsare Medicaid pro amsand are similar, there are dilfferences nd t is critical for the consultant ounderstand he similarities and differences. HP:MMIS s jointly sharedby awaiiand Arizona. Any policy changesaffecting the HP:MMIS nformation sys emmust be consistentwith b01th tates,as hesepolicies are written to protect heinformation in the samesy:~tem.Consistencywill minimize systemmodi cationsand reducecosts. AHCCCS utilized the expertiseofFourThought for itsTransactionsand Code Setsand Privacy Rules mplementations.

AHCCCS is currently using FourThought Group, nc. exclusively o assis in itsSecurityRule implementationand remediation efforts. The scopeof AHC CScontracts ncludes:0 Development of a ]usk Analysis and Risk ManagementPlan0 Developmentof HIP AA SecurityPolicies and Procedures0 Developing a meth,od f distributing Security reminders o staff0 Integrating Securit;y raining into currentPrivacy training program0 Developing a method of conducting and recording a IllP AA Secu "tyevaluationaudit0 Developing Securi1ty uidelines or new systemapplication softw e0 Developing ustific:ations or noncompliantAddressable mpleme tation

specificationsTheseare he samedeliverables hat the DHS will be requesting n this c tract.Awarding a sole sourceccntract with FourThought will allow the DHS tleverage he work that coJ1lsultantas alreadydone and s currently comp ing forAHCCCS, at a reducedcost.. DHS OQerations After having worked with the DHS from June2002 toughJanuary2004 on the DHS' Transactionsand Codes Sets,Privacy and Sec rityRules mplementations,FourThought s familiar with the businessproces es hatare unique to the DHS, as well as with respect o its relationshipswith ot er stateagenciesand AHCCCS. ]n January2004, FourThought completeda det led andcomplex administrative and echnical SecurityRisk Assessment f the D S'current statuswith the Se


6/7

efforts. It is essential hat this proposedcontract be a continuation of the e liercontract, addingPhasesFour andFive of the Security Rule compliancee rts.This would provide continulityof our current strategy. Other consultants ouldbe at a severedisadvantage, s hey would not know the intricacies of the HS'businessprocesses, or wh:~tHIP AA implementationsefforts the DHS hconducted o date. This wolllld clearly cost further time and money.. The DHS HIP AA Security Risk Assessment - The HIP AA SecurityRisAssessment erformed and documentedby FourThought ast January s aextremely sensitiveand coltfidential document. It containsdetailed echni alinformation about all the Vtllnerabilitieswith the DHS' current nformatiotechnology systemsand ne1tworks,ncluding the DHS' connectivity to oth r Stateof Hawaii departments su(;has he Departmentof Accounting and Gener IServices, nformation and C::omrnunication ervicesDivision) and AHCC Sthrough HP:MMIS. Prospectivebidders pursuant o an RFP would not be llowedto see his documentunles~~nd until the DHS actually had a contractwit them.

However, it would be essential or any consultantbidding on this contract 0know this information for t:heconsultant o make an informed proposalon thescopeof the project. Without it, the proposalwould be purely guesswork.FourThoughtdid he assessment nd wrote the document. They are ntim elyfamiliar with the scopeof the work that remainson our HIP AA Security p oject.In summary, he DHS hasbeenworking with FourThought on HIPAA implemen tionfor two years,and AHCCCS curre:ntly s working exclusively with FourThought 0complete ts SecurityRule impleltlentation. There are currently only a small nu er ofconsultantswith expertise n both IllP AA and Medicaid programs. n order to e ctivelyand efficiently implement phases :our nd five of the DHS' HIP AA Project, expe ise nHIP AA and Medicaid, familiarity with AHCCCS and he DHS operationsandinformational systems,and knowl~dgeof the results of the SecurityRisk Assess tarecritical. Only FourThought will meet all of these equirements.

4-


7/7

Submit in DuplicateSTATE OF HAWAIINOTICE OF EXEMPTION FROM CHAPTER lO3D, H]~S

The Chief ProcurementOfficer is in the processof reviewing he request rom the Departmentof Hum~n Services-Med-Ouest Division for exemption rom Chapter O3D, HRS, for the following goods,services,or onstruction:HIPAAsecurity rule analysisand conslJlting ervices.1stpart would involve he review of the HIPSecurityRiskAssessment, omplete h,eSecurityAnalysisand Risk ManagementPlan ~ndContingPlan. 2ndpart would involve an audit o,f he implementationdone in the 1stpart, the eptablishingimplementingprocedures or on-going auditing of SecurityRulecomplianceand develppa protoca StandardizedEnterpriseArchitecture:or DHS nformation echnologysystems.

Vendor: FourThought roup, n!:.Address: 112 North CentralAvenue,Suite 700Phoenix,AZ 85004

Term of Contract: From: To: I Cost:July 200'~ June 2006 I $l,800,pOO.00IDirect any inquiries to: IDepartment: HumanServices-Med Quest Division II Phone um er:Contactame/Title: Andrea J. Armitage I (808) 58 -4954IAddress: II Fax NumbeIII

... ... ... ..' ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...Date Posted: une 10-L 200

A copy of this notice of exemption from Chap1er O3D, HRS, shall be posted by the Chief Procurement pfficer and thepurchasing agency in an area accessible to the public, at least seven (7) calendar days prior to any appro al action.Submit written objections to this notice to issue an exemption from Chapter lO3D, HRS, within seven (7 calendar daythe date posted to:

Chief Procurement OfficerOffice/Agency tate Procurement OfficeAddress 1151 Punchbowl Street. Room 416I-ionolulu. Hawaii 96813

spa Fom1-7A Rev.7/1/02) P.E.No. 04

Dhs Contract Four Thought Arizona Mmis

Documents

Transcript of Dhs Contract Four Thought Arizona Mmis