Request for Proposal for HIPAA Compliance Consulting Services LOYOLA by ancientbabylon

Request for Proposal for HIPAA Compliance Consulting Services

LOYOLA UNIVERSITY HEALTH SYSTEM

REQUEST FOR PROPOSAL FOR LOYOLA UNIVERSITY HEALTH SYSTEM

RFP base template obtained with permission from the College of Healthcare Information Management Executives (CHIME) Website - www.cio-chime.org Page 1 of 14

INTRODUCTION

The Health Insurance Portability and Accountability Act of 1996 (the “Act”), Public Law 104-191, was enacted by Congress to address healthcare reform, administrative simplification and patient healthcare information privacy and security issues. On August 17, 2000 the Department of Health and Human Services (“DHHS”) published in the Federal Register the standards for electronic business transactions for healthcare entities mandated by the Act. More recently, on December 28, 2000 the DHHS published its final rules regarding patient healthcare information privacy. Other proposed rules that affect covered entities under the Act remain open; in particular, security measures by covered entities and unique identifiers.

Loyola University Health System (“LUHS”) is interested in effectively preparing for the challenges of implementing the above standards. Its objective is to bring LUHS and its related entities into compliance while incorporating strategic business planning into the process.

The purpose of this Request for Proposal (RFP) is to select a Vendor that will efficiently and effectively perform tasks related to the Assessment, Remediation and Implementation processes outlined in the Scope of Work section of this RFP.

We have attempted to provide the information necessary for you to accurately and completely respond to this RFP. Please direct questions or requests for additional information, in writing or by e-mail to:

Maria J. Pekar
HIPAA Compliance Project Manager
Loyola University Health System
2160 South First Avenue
Maywood, Illinois 60153
708/216-8686
email: mpekar@lumc.edu

Please note that responses to this RFP will be expected to be included in any contract between your firm and LUHS.

Background and Related Information

1. LOYOLA UNIVERSITY HEALTH SYSTEM
Based in the western suburbs of Chicago, Loyola University Health System (LUHS) is a nationally recognized leader in providing specialty and primary health-care services and in conducting groundbreaking research in the treatment of heart disease, cancer, organ transplantation and neurological disorders. Through its hub, Loyola University Medical Center (LUMC), located on a 70-acre campus in Maywood, Ill., Loyola has provided skilled, compassionate care to patients for more than 30 years. Loyola University Medical Center includes Health Care Services, the Ambulatory Programs, Home Care and Hospice, and Medical Center Administration. The combined annual net revenue for FY 2001 is budgeted at $494,000 million. LUMC’s fiscal year started July 1, 2000.
• Foster G. McGaw Hospital is a teaching, tertiary-care, 536 licensed-bed facility that includes a Level 1 trauma center, Burn Center and an aeromedical service, Loyola Lifestar.
• Ronald McDonald Children’s Hospital of Loyola University Medical Center provides a network of general and specialty services throughout Chicago’s western suburbs at Loyola’s primary care and family health centers. The hospital-within-a-hospital on the LUMC campus includes a 50-bed Neonatal Intensive Care Unit, a 16-bed Pediatric Intensive Care unit and 34 general pediatric beds.
• Cardinal Bernardin Cancer Center houses facilities for cancer research, diagnosis, treatment and prevention under one roof.
• The Mulcahy Outpatient Center is equipped with general and specialized examination and treatment rooms, clinical laboratory, diagnostic radiology department and ambulatory services.

The health system also includes:
• RIC&LOYOLA, a partnership between LUHS and the Rehabilitation Institute of Chicago, offering comprehensive rehabilitation services.
• 16 primary care centers and one ambulatory care center that are conveniently located in the western suburbs of Chicago.
• Loyola University Chicago Stritch School of Medicine, which is a national role model in reinventing medical education to prepare students for today’s health care environment. Stritch also supports several research efforts:
o Burn and Shock Trauma Institute is a multidisciplinary program that focuses upon prevention, treatment, education and research issues relevant to trauma and injury.
o Oncology Institute coordinates Loyola’s interdisciplinary approach to cancer research and treatment.
o Cardiovascular Institute unites investigators who have backgrounds in a variety of disciplines to foster cardiovascular disease research to advance clinical care and to enhance post-graduate education.

o Neuroscience and Aging Institute is a research program that focuses upon degenerative diseases and diseases of aging.

Other entities that play a more limited role in the day-to-day activities at LUHS are:
• RML Specialty Hospital. Loyola University Medical Center joined Rush-Presbyterian-St. Luke's Medical Center and MacNeal Health Network as an owner/operator of RML Specialty Hospital. The hospital was established as a support center for patients dependent upon ventilators. It now treats patients with a wide variety of complex and chronic disorders, including lung and cardiovascular diseases and degenerative conditions requiring medical rehabilitative care.
• Edward J. Hines Jr. Memorial Veterans Affairs Hospital. In 1996, Hines Hospital had 10,273 inpatient admissions and 344,230 outpatient visits. Many LUMC physicians provide care to Hines patients; Hines also is a teaching site for Loyola students, residents and fellows.
• Loyola University Chicago Insurance Company. Off shore “captive” company that provides insurance to LUPF physicians and LUMC.

2. LOYOLA UNIVERSITY PHYSICIAN FOUNDATION
The Loyola University Physician Foundation is a not-for-profit physicians’ organization with approximately 425 members. It is a large multi-specialty group practice that works to promote effective integration of the clinical practices of LUHS and to develop new clinical programs. LUPF mainly consists of the clinical faculty of the Stritch School of Medicine of Loyola University. LUPF has a separate board of directors and is closely affiliated with LUHS. LUPF acts as a billing and collection agent for its physicians, and has budgeted revenue of $130 million for FY 2001.

Some Technical Details
Technically, LUHS is in transition from mainframe-based applications to “web-enabled” applications. Our web-enabled electronic medical record, our extensive Intranet, web-accessible electronic mail system, and web-enabled IDX ExtendR scheduling system demonstrate this evolution. However, three significant core business applications still operate on the legacy mainframe - an IBM ES9000. These legacy applications include TDS 7000 for clinical information, and SMS InVision for registration and billing. From a hardware perspective, we have over 5,400 computers (Gateway and Dell), 140 servers (UNIX, Netware and NT) and a Cisco-based ATM network comprised of the main campus and 16 remote sites. Approximately 33% of the hardware is attributed to Stritch School of Medicine, 3-5% to LUPF and the remainder to LUHS. Although LUHS and LUPF are separate entities, both corporations’ systems are interfaced and exchange clinical registration and charge information. LUPF’s core business system, SMS Signature, is run remotely. LUPF’s standard operational systems, however, such as purchasing, payroll and general ledger are the same as those utilized by LUHS.

Miscellaneous Stats
• There are approximately 6,000 individuals employed in some capacity within LUHS. This total includes LUMC, LUPF and SSOM employees. Approximately 125 of those individuals may be attributed solely to LUPF. Additionally, over 200 job classes are utilized.
• LUMC experiences roughly 22,000 inpatient admissions on an annual basis.
• Approximately 400,000 ambulatory visits occur annually at LUHS.
• Both entities contract with approximately 70 payors, not including Medicare and Medicaid.

Scope of work for HIPAA Consulting Services Project:
The Respondent selected from the Proposal process will efficiently and effectively perform:

Phase I Assessment –
• Services - Assist LUHS and LUPF in completing an assessment that will identify responsibilities under the Health Insurance Portability and Accountability Act and the implementing regulations (“HIPAA”); and, to identify the differences between LUHS’s and LUPF’s operations and those operations required by the HIPAA. This will include an evaluation of LUHS’s and LUPF’s administrative, technical, and physical safeguards such as policies, practices, facilities, information systems, networks, training and auditing. It will also include a determination of federal pre-emption issues under HIPAA related to Illinois laws.
• Deliverable – The Vendor will provide an assessment analysis that will identify existing vulnerabilities, including areas where LUHS and/or LUPF will not meet the HIPAA requirements and assess LUHS’s and LUPF’s internal awareness of transactions, privacy and security issues. The assessment will also include possible alternative solutions, such as working directly with a clearinghouse versus bringing LUHS and LUPF into full compliance. Vendor will recommend all steps needed to comply with the HIPAA.

Phase II Remediation –
• Services - After sharing the assessment analysis with LUHS and LUPF, the Vendor will evaluate LUHS’s and LUPF’s areas of interest and resources, develop a remediation plan particular to LUHS and LUPF, and, at LUHS’s and/or LUPF’s request, act as a liaison between LUHS and/or LUPF and any third parties that will be treated as business associates under the final regulations.
• Deliverable – The remediation plan will recommend methods to minimize exposure to adverse regulatory and accreditation actions as well as security threats specific to LUHS and/or LUPF, and recommend information system(s) and/or best practices that will minimize exposure in all HIPAA related areas.

Phase III Implementation
• Services and Deliverables - Work with LUHS and LUPF:
o To establish a compliance program;
o To develop, consolidate, and/or update policies, procedures, notices, authorizations, consents and safeguards to ensure compliance;
o To improve physical-security processes; install physical access control systems and related equipment, software, and documentation;
o To create record keeping and tracking systems to document LUHS’s and LUPF’s policies, procedures, compliance efforts and acts consistent with policies and procedures;
o To specify, select, purchase or license, and implement technical safeguards such as authentication services, access-control solutions, auditing solutions, network security services, and other equipment, software, enhancements, revisions, code, and documentation;
o To redesign key processes, compliance systems, and to educate employees and other users to implement the changes; work with the clinical application software staff to ensure compliance of previously purchased applications; and/or to develop a process to monitor continued compliance with HIPAA; and
o To assist LUHS and LUPF in developing appropriate training modules for all affected LUHS and LUPF personnel.
• Certification – Vendor will issue a certification to LUHS and LUPF as required by the HIPAA to ensure compliance with same including the administrative, technical and physical requirements.

Our Expectations of Proposals
LUHS is aware that there are different approaches to providing HIPAA consulting services to clients. We ask vendors to propose four different scenarios for both LUHS and LUPF, as follows:
• Transaction Standards and Code Sets Final Regulation Compliance – Assessment, Remediation and Implementation Phases.
• Privacy Standards Final Regulation Compliance – Assessment, Remediation and Implementation Phases.
• Security Standards Proposed or Final Regulation Compliance – Assessment, Remediation and Implementation Phases.
• Other HIPAA Standards Proposed or Final Regulation Compliance – Assessment, Remediation and Implementation Phases.

Status of the LUHS HIPAA Compliance Project to date
• April, 2000 - Chief Compliance Officer, Chief Financial Officer and Chief Information Officer meet to contemplate scope of project. Comparisons are drawn between the HIPAA Compliance Project and the Y2K Project in both size and potential for liability if issues are not addressed in a timely fashion. Recommendation was made to the Chief Executive Officer suggesting that this latest initiative be modeled in the same fashion as the Y2K Project. Specifically, the model should use both a Steering Committee and a Project Team. The Steering Committee would be comprised primarily of Senior Cabinet Members. The Project Team would consist of the functional experts within LUHS who would have principal responsibility for HIPAA compliance.
• May, 2000 – Chief Executive Officer appoints Chief Compliance Officer Chairman of the Steering Committee and a kick-off meeting is held. Initial training at the Senior Management level takes place.
• July, 2000 - Project Manager is named. Job descriptions are written. Project Team is formed. Additional training is provided to Senior Management regarding HIPAA preemption of State laws. Audit and Assessment Process is outlined.
• August, 2000 – Final Transaction Standards and Code Sets Regulation is released.
• September, 2000 – Overview of HIPAA and the LUHS HIPAA Compliance Project is provided to Project Team.
• November, 2000 – Follow-up information sent to Project Team regarding final Transaction Standards and Code Sets Final Regulation (“TSCS”). Seek input regarding preliminary audit related to the final regulation.
• December, 2000 – Preliminary audit related to TSCS performed.
• December, 2000 – Final Privacy Regulation issued.
• January, 2001 – Preliminary audit results reviewed by TSCS Project Team.
• January, 2001 – RFP prepared and issued.

General Requirements
Proposal Packaging and Submission
Respondents must submit a signed original and three (3) copies of the Proposal by no later than 12:00 noon on the date indicated in the Schedule of Events to:

Maria J. Pekar
HIPAA Compliance Project Manager
Loyola University Health System
2160 South First Avenue
Maywood, Illinois 60153
708/216-8686
email: mpekar@lumc.edu

Proposals will be accepted in person, by United States mail, by United Parcel Service, or by private courier service. A copy of the Proposal must also be submitted by electronic mail. No proposals will be accepted by oral communication, telephone, telegraphic transmission, or facsimile transmission.

Vendor Proposal Guidelines
It is imperative that all of the requirements set forth in this RFP be addressed. Clearly identify any requirements that cannot be satisfied. Follow the sequential order shown in the RFP. Please feel free to attach additional explanations, suggestions and content in areas where proposed advantages to LUHS are not specifically requested in this RFP. LUHS reserves the right to accept or reject any or all response(s) to the RFP even if all of the stated requirements are met. In addition, LUHS may enter into negotiations with more than one Vendor simultaneously and award the contract, or part of the contract, to any negotiating Vendor without prior notification to any other Vendor also negotiating with LUHS.

Economy of Presentation
The Vendor’s Proposal shall be prepared simply and economically in strict accordance with the format and instructional requirements of the RFP. Each Proposal should provide a concise delineation of the Vendor’s capabilities to satisfy the requirements of this RFP, with emphasis on completeness and clarity of content. Fancy bindings, colorful displays and promotional material are neither required nor desired, unless they add substance to Vendor’s Proposal.

Confidentiality
Information pertaining to LUHS and its related entities obtained by the potential Vendor as a result of its participation in relation to this RFP is confidential and shall not be disclosed or used by the Vendor except as authorized herein or by LUHS. If the Vendor desires to release any of this information to a third party for the purpose of preparing for its Proposal, the Vendor must obtain the prior written consent of LUHS. Successful Vendor must complete a Confidentiality Agreement with terms acceptable to LUHS upon LUHS’s acceptance of offer and before the execution of the contract.

Compliance with Laws
LUHS will only consider responses from vendors:
• Who are in full compliance with all applicable local, state and federal laws;
• Who are not deemed a debarred or excluded contractor by the General Services Administration of the U.S. Government;
• Who have not been convicted of a criminal offense under the Medicare, Medicaid or any other government program.

Contract Incorporation
All Proposals, information and responses submitted by a potential Vendor will be incorporated into and made a part of any final agreement between LUHS and such Vendor. No such information or other material should be submitted that cannot be so incorporated into the agreement. LUHS RESERVES THE RIGHT TO DISQUALIFY ANY VENDOR THAT SUBMITS A PROPOSAL OR CONTRACT THAT DIRECTLY OR INDIRECTLY ATTEMPTS TO PRECLUDE OR LIMIT THE EFFECT OF THIS REQUIREMENT.

Costs Incurred In Responding
All costs directly or indirectly related to preparation of a response to the RFP or any oral presentation required to supplement and/or clarify a proposal which may be required by LUHS shall be the sole responsibility of and shall be borne by the Vendor.

Negotiations
• LUHS reserves the right to negotiate all elements which comprise the Vendor's proposal to ensure that the best possible consideration be afforded to all concerned.
• LUHS reserves the right to reject any and all proposals and to re-solicit for proposals in such an event.

• The contract shall be prepared under the direction of LUHS, and shall incorporate all applicable provisions. A firm fixed-fee or not-to-exceed contract is contemplated.

Taxes
LUHS is tax exempt. Federal and state tax exemptions apply.

Proposal Format
Prefacing the proposal, the respondent shall provide an Executive Summary of three (3) pages or less, which gives in brief, concise terms, a summation of the proposal. Describe the solution you are proposing and how it meets LUHS’s requirements. Outline any alternative proposals with descriptions of options for these proposals. The proposal itself shall be organized in the following format and informational sequence and shall have a signed original and three (3) copies:

Part I. Business Organization
State the full name and address of your organization, including the parent company if you are a subsidiary. Specify the branch office or other subordinate element that will perform, or assist in performing, work herein. Indicate whether you operate as a partnership, corporation, or individual. Include the State in which incorporated or licensed to operate.

Part II. Corporate Vision
Describe your corporate mission, direction, and core competencies.

Part III. Financial Stability
Include an audited financial statement for the most current quarter and last year-end including Balance Sheet, Income Statement and Statement of Cash Flows. Please include a description of any litigation in which Vendor is currently involved, as well as any potential conflict of interest and plans for avoiding the conflict.

Part IV. Process
Describe your process for preparing a HIPAA compliance solution for LUHS and LUPF according to the requirements specified in this document. Focus specifically on the scenarios requested. Briefly describe your quality controls and how you will ensure an acceptable level of performance for the services provided to LUHS.

Part V. Project Management Structure
Give an overview of the project implementation team including project leadership and reporting responsibilities. If use of subcontractors is proposed, identify their placement in the primary management structure, and provide internal management description for each subcontractor. Describe the level and type of ability you can provide. List significant areas of certification. Identify primary contacts for scheduling, contractual, and technical issues. Indicate your proposed staffing for this project. Include technical skill sets. Attach personnel biographies or resumes if appropriate.

Part VI. Prior Experience
• Describe general relevant corporate experience providing service to organizations similar in size, complexity, and type of environment.
• List at least three (3) customer references with similar environments.

Part VII. Pricing
• Pricing should be broken down by each scenario and phase for both LUHS and LUPF.
• Indicate pricing for the project. Describe how your pricing is competitive and how it will remain competitive relative to the industry.
• Indicate whether pricing is a fixed fee or based on a formula. If based on a formula, please indicate if there is a “not to exceed” limit. We fully expect a fixed fee for the assessment phase of each scenario and will accept an hourly rate and ask that you provide ranges based on other similar engagements for the remediation and implementation phases.
• Indicate any and all assumptions that were used in the price quotation.

Part VIII. Payment Terms
Describe your payment terms. Include procedures for disputed invoices and charges.

Part IX. Authorized Negotiator
Include name, address, and telephone number of person in your organization authorized to negotiate contract terms and render binding decisions on contract matters.

Evaluation Process and Schedule
Six (6) vendors have been selected to respond to this RFP. Evaluation of your response will take place as indicated in the Proposal Schedule of Events. Evaluation criteria will include:
• Vendor’s ability to provide services closely matching the requirements set forth in this RFP;
• The most cost effective price schedule;
• The features of the Vendor’s job descriptions, organizational structure, and knowledge of the pertinent laws;
• The Vendor’s range of experience in providing same or very similar services for similar sized organization with similar requirements;
• The Vendor’s accessibility and responsiveness throughout the selection process; and
• Service improvements, features, or enhancements beyond the scope of requirements of this RFP.

Part of our evaluation will include telephone reference checks to your existing clients. By responding to this RFP you hereby give consent to our anticipated communications.

Questions
All questions concerning the RFP should be in written format. These questions will be accepted either by email, fax, United States Mail, United Parcel Service, or by private courier service. No questions concerning the RFP will be accepted by oral communication, or telephone. All questions must be clearly identified as to the submitting vendor. All questions must be received by LUHS by the date and time indicated in the SCHEDULE of EVENTS. Submitted questions will be responded to in writing by LUHS and copies will be provided to all responding suppliers without identifying the source of the questions. It is anticipated that responses to questions will be provided via fax by date and time indicated in the Schedule of Events.

Schedule of Events
Event                                              Date
RFP Sent to Vendors                                January 10, 2001
Questions concerning RFP accepted                  January 10, 2001 – January 15, 2001
Answers to RFP questions back to Vendors           January 15, 2001 – January 20, 2001
Response to RFP due to LUHS                        January 25, 2001
Evaluation of Vendor responses                     January 26, 2001 – February 1, 2001
Finalist(s) selected                               February 2, 2001
Possible Follow up meeting(s) with Finalist(s)     February 3, 2001 – February 10, 2001
Final Vendor Selected and Announced                February 15, 2001
Compliance Project – Vendor Start Date             February 26, 2001
Compliance Project – Target Completion Date        February 26, 2003

Proposal Due Date
Proposals will be due by 12:00 noon on the date indicated in the Proposal Schedule of Events. LUHS requires that the submitted Proposals remain in effect for at least 90 days from the submission date indicated in the Proposal Schedule of Events.
