State of South Carolina
Request for Proposal
Amendment -7

Solicitation: 01-S4143
Run Date: 11/06/2001 04:57 PM
Issue Date: 11/06/2001
Buyer: Bruce Breedlove
Phone: (803) 737-0630
* Deliver all items to:
MULTI AGENCY TERM CONTRACT FOR AGENCIES AND DELIVERY AS SHOWN ON PAGE THREE (3) OF BID., SC 29000
Health & Human Services - Finance
1801 Main Street
Columbia, SC 29201

Requested Delivery Date: 30 Days ARO

Bidder’s Best Delivery: ______ days After Receipt of Order (ARO)

Bidder’s Discount Terms: ______% ______ Days.

Return Bid No Later Than (Opening Date/Time): 11/20/2001 02:30 pm

Posting Date: 121/206/2001

Posting Location: 1201 Main Street, Suite 820

Return Bid To:
Office of the State CIO
P.O. Box 11395
Columbia, S.C. 29211

Express / Hand-Carry To:
1201 Main St. - Suite 820
Capitol Center - Affinity Bldg.
Columbia, S.C. 29201

Description: Assessment of Privacy Requirements for Compliance With The Health Insurance Portability and Accountability Act (HIPAA)

MUST BE SIGNED TO BE VALID

By signing this bid, I certify that we will comply with all requirements of Section 44-107-10, et seq., relating to the S.C. Drug-Free Workplace Act.

*** Solicitation Number and Opening Date must be shown on sealed envelope ***

Solicitation and Amendments will be posted at our website address

Award will be posted at our website address:

AUTHORIZED SIGNATURE / PRINTED NAME / DATE
COMPANY / STATE VENDOR NO. (IF KNOWN)
MAILING ADDRESS / SOCIAL SECURITY OR FEDERAL TAX NO.
CITY / STATE / ZIP CODE / PHONE
EMAIL ADDRESS: (Please Provide) / CONTRACT NO.
ACCEPTED BY STATE OF SOUTH CAROLINA AS FOLLOWS:
BUYER / DATE

MMO NO. 001 (REV 7/01)


ACKNOWLEDGE RECEIPT OF THIS AMENDMENT PRIOR TO DATE AND TIME SPECIFIED IN THE SOLICITATION, OR AS AMENDED, BY ONE OF THE FOLLOWING METHODS: (A) BY SIGNING AND RETURNING ONE COPY OF THIS AMENDMENT WITH YOUR BID; (B) BY ACKNOWLEDGING RECEIPT OF THIS AMENDMENT ON EACH COPY OF THE OFFER SUBMITTED; OR (C) BY SEPARATE LETTER OR TELEGRAM WHICH INCLUDES A REFERENCE TO THE SOLICITATION AND AMENDMENT NUMBER(S). FAILURE OF YOUR ACKNOWLEDGEMENT TO BE RECEIVED AT THE ISSUING OFFICE PRIOR TO DATE AND TIME SPECIFIED MAY RESULT IN REJECTION OF YOUR OFFER. IF, BY VIRTUE OF THIS AMENDMENT YOU DESIRE TO CHANGE AN OFFER ALREADY SUBMITTED, SUCH CHANGE MAY BE MADE BY LETTER OR TELEGRAM, PROVIDED SUCH LETTER OR TELEGRAM MAKES REFERENCE TO THE SOLICITATION AND THIS AMENDMENT AND IS RECEIVED PRIOR TO DATE AND TIME SPECIFIED.

The following is to clarify and amend:

  1. Please note the opening date has changed to read: November 20, 2001; 2:30 PM.
  2. The following will address questions received at the pre-proposal conference:

HIPAA Privacy Request for Proposal 01-S4143 (Amendment –6)

The following is to clarify and amend:

Questions from Covansys:

  1. Is an organizational chart available for SCDHHS? This would be very useful in determining the scope of this project. How many members of the workforce, how many locations, how many departments, etc.? In order to properly scope the project a list of all of the existing and proposed projects would be very useful.

Answer: See attached Organization Chart.

  2. Is there a list of existing privacy-related policies, procedures, and practices currently in existence at SCDHHS? This would be very useful in determining the scope of this project.

Answer: No, there are no agency-wide privacy practices currently in place.

  3. Is there a list of existing systems, software applications, and interfaces used by SCDHHS? This would be very useful in determining the scope of this project.

Answer: See attached diagram.

  4. Ref. Para 3.1.1 “Preliminary Assessment Project Plan”

The RFP States: “The OFFEROR shall deliver a HIPAA Assessment Project Plan/Timeline, offering a high level overview of the intended areas to be assessed for the privacy regulations. The objective of the plan is to provide a clear roadmap of tasks, resources, timing, communications, risks and strategy necessary to assess the agency’s programs for their readiness to comply with final and proposed regulations in HIPAA. The agency shall approve the Assessment Project Plan before the OFFEROR begins any assessment activity.”

Is a Preliminary Assessment Project Plan required for the proposal?

Answer: Yes.

  5. Ref. Para 3.1.2 Regarding the risk analysis item, is risk for non-compliance after changes are made, or risk to their ability to change into a compliant organization?

Answer: This refers to risks the agency will be vulnerable to after changes are made.

  6. Ref. Para 3.1.3 Can SCDHHS further define what is considered a "High-Level Project Plan"?

Answer: In this instance, a high-level project plan should include major milestones, timeframes and resources needed.

  7. Ref. Para 3.1.3.7 “PRIVACY FRAMEWORK - With SCDHHS input, the CONTRACTOR will develop the core components of a HIPAA compliant Privacy framework for the agency’s programs.”

In order to be able to scope this, can SCDHHS list its existing Privacy policies? It is not clear what new policies must be created, what may require revision rather than creation, etc.

Can SCDHHS further define the scope and content of each of the framework components?

Answer: There are no current agency-wide privacy policies in place.

SCDHHS is asking for written documentation, definitions and model language based on what is requested in section 3.1.3.7.

  8. REF. PARA 3.1.3.4 “Statement of Work”

The RFP States: “The CONTRACTOR shall deliver a refinement of the project scope resulting in the submission of a final statement of work, which shall contain a detailed list all of the major tasks included in the project, the final cost for completing those tasks, and schedule for completing them. The final Statement of Work shall include all documentation required in Section 3.2.1, Required Business Functions DURING ALL Parts OF HIPAA READINESS of this RFP.”

Is the Statement of Work (SOW) described here supposed to address the tasks of the proposed project or the implementation plan deliverable? In other words does HHS require, in the proposal response, a SOW for the proposed project?

Answer: The SOW is considered to be a deliverable in this RFP.

  9. REF. PARA 3.1.3.6 “HEALTH CARE Provider Outreach Recommendations” The RFP States: “The CONTRACTOR shall deliver a strategy document to include a recommended approach for engaging and providing outreach services to outside entities affected by HIPAA who interact with the agency. In many cases, the outside entity affected will include the health care provider community in South Carolina. The strategy document shall include, but not be limited to: communication, education, assessment of HIPAA compliance status, impact to the agency for non-compliant trading partners, and specific actions that will minimize the risks associated with non-compliance for service delivery to the clients served by the agency.”

In order to properly scope this project, can SCDHHS provide a list of the types – and estimated number of each type – of outside entities that SCDHHS anticipates being addressed?

Answer:

NURSING HOME                   706
INPATIENT                      163
OUTPATIENT                     111
SC-MENTAL-HEALTH               332
BUY-IN                           1
EPSDT                            4
OTHER MEDICAL PROF            3201
PHYSICIAN,OSTEOPATH IND      13118
PHYSICIAN,OSTEOPATH GRP       3463
MEDICAL CLINICS                563
DENTIST, IND                  1066
DENTAL, GRP                    323
OPTICIANS                       31
OPTOMETRIST, IND               366
OPTOMETRIST, GRP               200
PODIATRIST, IND                123
PODIATRIST, GRP                 71
CHIROPRACTOR, IND              375
CHIROPRACTOR, GRP              228
OPTICIAN, GRP                   15
HOME HEALTH AGENCY             127
CLTC, INDIVIDUAL              1453
CLTC, GROUP                     27
PHARMACY                      1028
DURABLE MEDICAL EQUIPMENT     1445
INDEPENDENT LABORATORY          35
X-RAY                           69
AMBULANCE SERVICE              159
MEDICAL TRANSPORTATION        1131
CAP AGENCIES                    32
MCCA                           174

  10. REF. PARA 3.1.3.8. “Training/Development” The RFP States: “This deliverable shall include a detailed training curriculum for the development of one or more training modules to be developed by the CONTRACTOR to train all SCDHHS employees on the Privacy rules. This shall include the development of self-paced, web-enabled, competency-based computer courses designed to train agency employees about the updated privacy policies and procedures the agency will adopt in response to HIPAA. The training solution shall be developed to run on the following equipment/software: Novell Netware, Microsoft IIS 5.0 on Windows 2000, Microsoft SQL Server 2000. The CONTRACTOR shall train SCDHHS on to maintain and update any software created for training purposes. The training solution should be in compliance with all state and federal regulations regarding workplace training.”

Is a commercial quality Internet-based distance learning solution considered compliant with this requirement, or must the training course be hosted on SCDHHS computers?

Answer: SCDHHS is requesting an in-house solution that can be updated and maintained by agency staff.

  11. What is the anticipated start date and desired completion date for the project?

Answer: SCDHHS anticipates the project to begin on or about December 17, 2001.

Questions from Unisys

  1. Has SCDHHS conducted an organization wide general HIPAA awareness or education program? Are there any general education/awareness training programs available to SCDHHS employees?

Answer: SCDHHS has undergone preliminary HIPAA meetings. Organization-wide training has not been conducted.

  2. Is there an internal committee established and staffed to oversee the HIPAA education and implementation process? Is this committee also in charge of the overall responsibility for complying with HIPAA?

Answer: Various bureaus that are directly involved with compliance issues are working together. There is not an organization-wide committee in place to implement HIPAA.

  3. Is there any legal counsel identified within the organization to be available or to oversee this effort?

Answer: Legal counsel will be available, but will not oversee this effort.

Questions for CIBER

  1. Most everything in the SCDHHS Privacy RFP seemed to follow the Privacy requirements and our approach. However, the following from 3.1.3.2 on page 9:

"... and alternative impact to health care providers, recipients, to the contracted state agency and other state agencies, any additional entity that the STATE interfaces with and any and all trading partners. The analysis shall capture cost of resources, opportunities, risk, and other significant budgetary impacts. "

  • Does that last sentence mean that we're estimating cost, etc. for the impact on trading partners and others as well as SCDHHS?

Answer: No. Costs shall only be considered for SCDHHS.

  2. Is the data centrally stored? Is there a data warehouse in place within HHS currently?

Answer: The data is stored at Clemson University and can be accessed by terminals at SCDHHS.

3. If yes, then is this data segregated from other data or is it stored in one centralized location?

Answer: Yes the data is segregated from other data. Please see attached data flow diagram.

4. Who has access to the data?

Answer: SCDHHS, Clemson University staff, and other state agencies/entities that we have granted access to particular data files.

5. How is the data accessed currently?

-Through the Internet (point to point)?

-Point to Point Frame Relay connection?

-On Campus Network?

-Wireless?

-other means (paper documents and files)?

Answer: We utilize all of the above access methods EXCEPT wireless.

6. Is the data stored remotely, in other field offices? If so, how is it stored in those field offices?

Answer: There are approximately 14 Community Long Term Care (CLTC) offices that have data stored both electronically and on paper.

  7. Can DHHS provide us with a "VISIO" graph/chart of the current data flow?

Answer: Please see attached data flow diagram.

  8. Is Authentication in place for the accessing of this data?

Answer: There is a process, but it is not HIPAA compliant.

  9. Would you consider delaying the opening date of the RFP?

Answer: Yes, November 20, 2001; 2:30 PM

  10. Do we need to provide specifics about interviews of field offices?

Answer: Not with your response, but it will be part of the Contractor’s responsibilities during the contract period.

Questions from Integrys/iVista Group

  1. Is there one set of policies and procedures for the entire HHS organization? Are they in one location?

Answer: No, there is not one set of agency-wide privacy policies and procedures in place.

  2. Does each department have their own set of policies and procedures? How many departments are there in the organization?

Answer: Please see the attached organizational chart.

  3. Is it true, for the purposes of HIPAA, that HHS is a health plan, and not a provider?

Answer: For the purposes of HIPAA, HHS is a payer.

  4. Has the designated record set been identified?

Answer: No, SCDHHS is still in the process of assessment for the Transaction and Code Set rule.

Questions for GovConnect

1. Are sample deliverables required for the proposal response? If so, will excerpts of previous deliverable experience satisfy this requirement?

Answer: No. The items necessary for the proposal response are outlined in section 3.1.1.

2. Our understanding is the State is looking for a legal review of State Laws, specifically their policies and procedures. If so, should the reviewing attorney have license to practice in South Carolina?

Answer: No, the reviewing attorney does not have to be licensed in South Carolina.

ATTACHMENTS

DATA FLOW CHART

ORGANIZATION CHART
