REQUEST FOR OFFER
Office of HIPAA Compliance
HIPAA Disaster Recovery & Emergency Mode Operations Expert
RFO No.: OHC 07-023
Prepared by:
California Department of Health Care Services
Office of HIPAA Compliance
MS 4721
P.O. Box 997413
Sacramento, CA 95899-7413
Issue Date:
November 16, 2007
1. BACKGROUND AND OVERVIEW
The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA)
specifies the availability of medical information. Direct language in the rule speaks
to the availability of information in disaster mode.
The Department of Health Care Services, Office of HIPAA Compliance (DHCS-
OHC) is responsible for guiding all HIPAA-related compliance work throughout the
Department. DHCS-OHC provides oversight, coordination, resource procurement,
project management support, and monitoring and control, among other tasks, for
HIPAA activities within DHCS through a centralized project management approach.
Under an Inter-Agency Agreement, OHC also supports HIPAA activities in the
California Department of Public Health (CDPH). To perform this work, DHCS-OHC
utilizes state and contract staff. DHCS-OHC will utilize the California Multiple Award
Schedule (CMAS) to engage one (1) person to provide HIPAA Disaster Recovery &
Emergency Mode Operations Expert services.
2. SOLICITATION AND RESPONSES
A single CMAS vendor will be selected to provide all required services under this
solicitation; multiple awards will not be entertained. Work will be performed and
reimbursed on a time and materials basis. The hours projected by the vendor will be
at a maximum of 1880 hours. Vendor cost shall not exceed maximum cost to
complete the project. Any excess time spent completing tasks shall be at no cost to
the State. Rates submitted are for evaluation purposes only and may be different in
the final agreement. The vendor response must disclose any other vendors which
will have a financial interest in providing the required services, and the nature of their
involvement.
The CMAS vendor will be selected for the best value based on cost and vendor/staff
qualifications determined from vendor proposals, interviews (as needed), and
reference checks.
Submit responses to this Statement of Work (SOW) in Microsoft Word format
to the Mailing or Physical Address on the next page:
1. One (1) copy via e-mail to: erghe.poston@dhcs.ca.gov including:
2. One (1) copy of the DGS CMAS Contract including the Labor Category and
Hourly Rates.
3. Four (4) hardcopies delivered by December 7, 2007 at 12 P.M. (noon).
4. Mark all proposal packages: CONFIDENTIAL. DO NOT OPEN UNTIL AFTER
12 P.M., December 7, 2007, OHC-07-023.
5. Late proposals will not be accepted.
6. Delivery and receipt of timely proposals are the responsibility of the vendor.
Mailing Address:
Attn: Erghe Poston
Department of Health Care Services
Office of HIPAA Compliance
MS Code 4722
P.O. Box 997413
Sacramento, CA 95899-7413
Phone: (916) 552-9062

Physical Address:
Attention: Erghe Poston
Department of Health Care Services
Office of HIPAA Compliance
1501 Capitol Ave., MS Code 4722
Sacramento, CA 95814-5006
Phone: (916) 552-9062
erghe.poston@dhcs.ca.gov
3. KEY DATES FOR THIS RFO
Below is the tentative time schedule for this RFO. It is recognized that time is of the
essence. All prospective respondents are advised of the following schedule and will
be expected to adhere to the required dates and times.
Event                                  Date / Time (If applicable)
RFO Released                           November 16, 2007
Questions due                          November 28, 2007
Response to questions due              November 30, 2007
Proposals due to DHCS                  December 7, 2007 by 12 P.M. (noon)
Oral interviews (if requested)         To be announced via e-mail, fax, telephone, or in writing
Estimated Award Notification Date      January 5, 2008
Proposed contract start date           February 18, 2008
4. STATEMENT OF WORK
The scope of work in this contract is to fulfill the deliverables stated in Section 5.1 of
this RFO. The selected contractor is also expected to be a subject matter expert in
the area of Disaster Recovery (DR) and provide that expertise to State staff as
needed. Work in the area of HIPAA DR has taken place within the DHCS. It is
expected that those efforts be continued under this contract.
Objective: DHCS-OHC seeks one (1) HIPAA DR and Emergency Mode Operations
(EMO) Expert to work with the DHCS Information Security Office (DHCS-ISO) and
CDPH-ISO to develop, execute, and monitor HIPAA Business Continuity Programs
for each department.
5. DELIVERABLES AND REQUIRED ACTIVITIES
5.1 Deliverables
1. Plan and coordinate development of formal Business Continuity and Contingency
Programs, consisting of ongoing emergency operations documentation for
business units to meet HIPAA requirements for EMO
2. Review existing disaster recovery documentation, policies, written procedures
and designs, and provide recommendations based on HIPAA requirements and
industry best practices for disaster recovery
3. With the assistance of subject matter experts, create complete disaster recovery
documentation packages which meet state and departmental requirements, are
complete and of the highest quality, and have all necessary internal approvals
4. For all DHCS and CDPH critical systems, provide expert knowledge and
assistance in developing disaster recovery test plans, including checklists,
structured walk-throughs, simulations and functional exercises
5. Develop a formalized training curriculum for DR coordinators
6. Review and document enterprise DR needs as they pertain to the backup and
restoration process, including off-site media storage and alternate or redundant
sites as needed
7. Review and document the organizations’ current physical security mechanisms
and make recommendations if necessary to preserve vital hardware components
(e.g., file and print servers)
8. Make recommendations that would ensure DHCS and CDPH implement
adequate system administration, including up-to-date inventories of hardware,
software, and media storage
9. Represent the DHCS-ISO and/or CDPH-ISO as required on disaster recovery-
related issues
10. Provide regular status to OHC, the DHCS-ISO, and CDPH-ISO
11. Provide adequate knowledge transfer to state staff
12. Formalize a process of including business continuity and contingency planning
into all ‘new’ system development at each stage of the system development
lifecycle
6. VENDOR REQUIREMENTS
6.1 Required Skills/Experience
To ensure the success of the contractor, DHCS requires that the skill set of the
proposed consultant include the following expertise:
1. In-depth knowledge and experience of Backup, Contingency, DR and EMO
requirements
2. Two (2) years' experience in Business Continuity & Contingency Planning
3. Operational experience in a midrange computing environment
4. Experience in a role involving direct customer contact (internal and external
customers)
5. Experience in writing high quality documentation.
6. Excellent oral communication skills
7. Must be self-motivated, a team player, and able to immediately contribute to a
fast-paced, deadline-intensive environment
6.2 Desirable Skills/Experience
The following skills are desirable of the proposed consultant:
1. In-depth knowledge of California State Operational Recovery requirements
2. Experience in multiplatform environments, including Windows 2000, XP, Unix,
Server mainframe (MVS), and DB2
3. Experience with California State Administrative Manual requirements
4. Experience with Public Healthcare programs
5. College education
6. Certified Business Continuity Planner (CBCP)
6.3 Vendor Staff Resume
To the extent possible, resumes should be brief (i.e., no longer than four pages) and
should include the name of each previous employer and the beginning and end
dates (include month and year) for employment and specific job/role(s). Resumes
should not include personal information such as a social security number, home
address, home telephone number, marital status, sex, birth date, age, etc. Resumes
submitted without previous employer names and beginning and end dates (month
and year) for employment will not be evaluated. Do not submit multiple resumes.
Proposals with multiple resumes will not be reviewed.
7. RESPONSES TO THE REQUEST FOR OFFER (RFO)
Responses should include (at a minimum) the following information:
1. Resume for one (1) proposed staff person;
2. Reference for proposed staff (provide at least two (2) references);
3. Total cost of the proposal (Template is provided in Appendix A);
4. Copy of contractor’s CMAS contract;
5. Copy of contractor’s Small Business Certification (if applicable)
8. ACCEPTANCE CRITERIA
It shall be the State’s sole determination as to whether a work product document has
been successfully completed and is acceptable to the State.
In the course of project activities, the contractor will be producing documentation of
technical research, technical alternatives and approaches, technical compliance
solution evaluations and options, technical recommendations, and other work
products that support and record the contractor’s work.
9. ADDITIONAL INFORMATION AND CRITERIA
Personnel commitments made in the contractor’s offer shall not be changed without
prior written approval of the DHCS-OHC IT Section Chief. Staffing shall include
those named individuals at the levels of effort proposed. DHCS-OHC must approve
in advance and in writing any permanent or temporary changes to the contractor’s
key personnel.
10. PERFORMANCE EVALUATION
The contractor’s performance under the agreement shall be evaluated at the
conclusion of the term. The evaluation shall include, but not be limited to:
1. Whether the contracted work or services were completed as specified in the
agreement and reasons for and amount of any cost overruns.
2. Whether the contracted work or services met the quality standards specified in
the agreement.
3. Whether the contractor fulfilled all requirements of the agreement.
4. Factors outside the control of the contractor, which caused difficulties in
contractor performance.
11. PROGRESS REPORTS OR MEETINGS
The contractor shall submit progress reports or attend meetings with State personnel
at intervals determined by DHCS to determine if the contractor is on the right track,
whether the project is on schedule, provide communication of interim findings, and
afford occasions for airing difficulties or special problems encountered so that
remedies can be developed quickly.
At the conclusion of the agreement and if applicable, the contractor shall hold a final
meeting at which the contractor shall present any findings, conclusions, and
recommendations. If required by the agreement, the contractor shall submit a
comprehensive written final report.
12. OTHER REPORTING REQUIREMENTS
On a monthly basis, the contractor shall complete a time sheet. Time sheets will be
attached to the monthly invoice. Invoices are expected in a timely manner.
The contractor will develop and provide ad-hoc reports as deemed appropriate and
necessary.
13. TRAVEL/TRAINING
Travel necessary to complete the deliverables of the SOW must be approved in
advance by the State and reimbursed under general State guidelines for travel
reimbursement, with the exception of relocation costs. Relocation costs are the
responsibility of the contractor and will not be reimbursed by the State.
A set amount of $1,000 will be budgeted for all travel/training during the term of the
agreement.
14. TERMS AND CONDITIONS
The agreement will be issued on a time and material basis. The hours projected
will be at a maximum. The contractor cost shall not exceed maximum cost to
complete the project. Any excess shall be at no cost to the State.
All bidders must agree to the general terms and conditions of the CMAS.
14.1 Amendments to the CMAS Purchase Order
Any purchase order resulting from this RFO may be amended to extend the
contract term, contract total, and the Statement of Work at any time by mutual
agreement of the parties. All such amendments shall be in writing and issued only
upon written concurrence of the contractor.
14.2 Cancellation/Termination
A. This agreement may be canceled or terminated without cause by either party by
giving thirty (30) calendar days advance written notice to the other party. Such
notification shall state the effective date of termination or cancellation and include
any final performance and/or payment/invoicing instructions/requirements.
B. Upon receipt of the notice of termination or cancellation from California
Department of Health Care Services (DHCS), contractor shall take immediate
steps to stop performance and to cancel or reduce subsequent contract costs.
C. Contractor shall be entitled to payment for all allowable costs authorized under
this agreement, including authorized non-cancelable obligations incurred up to
the date of termination or cancellation, provided such expenses do not exceed
the stated maximum amounts payable.
15. CONFLICT OF INTEREST EXCLUSION
1. The vendor selected to provide services under this SOW will be excluded from
responding to future DHCS-OHC solicitations related to HIPAA project SOWs
developed under this agreement.
2. The vendor selected to provide the services under this SOW may respond to
other DHCS-OHC solicitations that are not related to future SOWs developed
under this agreement.
16. KEY ASSUMPTIONS
DHCS retains overall responsibility and ownership of any documentation created
under the terms of this contract.
17. STATE RESPONSIBILITIES
All contractor communications will be addressed to the IT Section Chief who has
the authority to act for DHCS in all aspects of this SOW. Additionally, DHCS
responsibilities include the following:
a. Provide overall task direction to contractor staff;
b. Serve as the interface between the contractor staff and DHCS;
c. Attend project status meetings;
d. Help resolve and escalate issues, as necessary;
e. Review and/or approve all work products;
f. Notification of any change in work plan or scope;
g. Provide facilities for meetings;
h. Make available appropriate staff for achieving tasks of this contract by providing
timely access to subject matter experts;
i. Provide workstation equipment, necessary software and office space; and
j. Obtain security clearance to provide contractor staff access to the building
during normal business hours.
18. PERIOD OF PERFORMANCE
The term of the agreement is expected to be one (1) year (estimated to be
February 18, 2008 to February 17, 2009). The agreement term may change if
DHCS makes an award earlier than expected or if DHCS cannot execute the
agreement in a timely manner due to unforeseen delays.
19. SERVICE LOCATION/HOURS
Services shall be performed at the space provided by DHCS, currently located at the
East End Complex, Capitol Avenue, Sacramento, 95814. All work must be
completed onsite, unless specifically approved by DHCS.
Services shall be provided during working hours of 8:00 a.m. to 5:00 p.m., Monday
through Friday, except official State holidays.
20. FUNDING LIMIT
A maximum of $240,000 is anticipated to be made available to obtain the services
described in this SOW.
Funding for each state fiscal year is subject to an annual appropriation by the State
Legislature or Congress. If full funding does not become available, DHCS will
cancel the agreement or amend it to reflect reduced funding and reduced activities.
Continuation beyond the first state fiscal year is also subject to the contractor’s
successful performance. Without prior DHCS authorization, you may not expend
funds set aside for one budget period in a subsequent budget period.
21. QUESTIONS ON STATEMENT OF WORK
Immediately notify DHCS if you need clarification about the services sought or have
questions about the CMAS instructions or requirements. Put your questions in
writing and transmit them to DHCS as instructed below.
DHCS’ response to a vendor’s inquiry will be transmitted by fax or e-mail to the
requestor. DHCS will transmit the question(s) and response(s) to those vendors
who received the SOW, via e-mail. DHCS reserves the right not to accept or
respond to individual inquiries based on the nature of the inquiry. At its discretion,
DHCS may contact an inquirer to seek clarification of any question or inquiry
received.
21.1 What to include in an inquiry:
1. Your name, name of your firm, mailing address, area code and telephone
number, fax number and e-mail address (if applicable).
2. A description of the subject or issue in question or SOW discrepancy found.
3. SOW section, page number or other information useful in identifying the specific
problem or issue in question.
4. Remedy sought, if any.
21.2 Label and submit all questions and inquiries as follows:
Questions: OHC 07-023
Department of Health Care Services
Office of HIPAA Compliance
Attn: Erghe Poston
Fax questions to: (916) 449-5125.
E-mail questions to: erghe.poston@dhcs.ca.gov
Verbal inquiries are discouraged unless the inquiry involves an immaterial issue
surrounding clarification of CMAS instructions, general submission questions (i.e.,
content, format), steps of the CMAS process, or simple clarification of SOW
requirements. DHCS reserves the right not to accept or respond to individual verbal
inquiries based on the nature of the inquiry. Spontaneous verbal remarks provided
in response to verbal inquiries may not be binding on DHCS unless later confirmed in
writing.
Vendors that fail to report a known or suspected problem with this SOW or fail to
seek clarification and/or correction of this SOW shall submit a proposal at their
own risk.
21.3 QUESTION DEADLINE
Fax or e-mail your questions to DHCS no later than November 28, 2007
at 12 P.M. (noon).
Errors in the SOW or its instructions may be reported up to the proposal submission
due date.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
APPENDIX A: COST TEMPLATE
Name         Labor Category  Function                                                    Est. Hours  Hourly Rate  Projected Cost
                             HIPAA Disaster Recovery & Emergency Mode Operations Expert  1880        $            $
Travel Cost                                                                                                       $1,000.00
Total Cost                                                                               $           $            $
NOTE: These hours are for cost proposal evaluation purposes and actual contract hours may vary – Do not change
these hours.