Acting on behalf of the state’s largest health-care purchaser, the state’s business manager wants to hear from IT companies capable of providing certification support.
In a request for offer (RFO) released May 20, conducted by the California Department of General Services’ (DGS) purchasing authority for the Department of Health Care Services (DHCS), the state is looking for “Information Security Office (ISO) Additional Enterprise Certification Support Services.” The search is aimed at “eligible firms that hold a current IT Consulting Services, Master Service Agreement” with DGS, according to the RFO. Among the takeaways:
- The RFO follows state Medicaid Director Letter #06-022, in which the Centers for Medicare and Medicaid Services (CMS) required state agencies to use “assessors or assessment teams” to do “periodic security and privacy control assessments of the Medicaid Enterprise System (MES) environment,” according to the RFO. The assessor’s role here is providing an “independent assessment of the effectiveness of implementations of security and privacy safeguards for the MES environment and to maintain the integrity of the assessment process.” The contractor chosen as a result of this RFO will provide “certification support services which includes providing an independent, third-party security and privacy control assessment report that covers compliance with the following and in accordance with DHCS certification governance as well as CMS certification guidance,” according to the RFO. These will include the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 and/or NIST SP 800-53 standards and align with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; aligning health care industry security approaches “pursuant to Cybersecurity Act of 2015, Section 405(d)”; and the Open Web Application Security Project Top 10. The services will serve to augment what’s provided by the DHCS’ Information Security Office (ISO) Risk Management Program (RMP). DHCS seeks two information security specialists to perform these services, per the RFO.
- DHCS seeks a contractor to be responsible for “the technical interfaces and integration of Electronic Visit Verification (EVV) data and claims data” to be used by DHCS systems and the EVV solution. Activities will include “assessing, evaluating, mapping, validating and updating EVV data and DHCS interfaces and systems in support of Cures Act compliance” and will address CMS Federal Medical Assistance Percentage penalties, “CMS requirements for EVV Certification, Management Information System/Decision Support System (MIS/DSS) data linking with claims and T-MSIS (Transformed Medicaid Statistical Information System) reporting.” Tasks will include project planning, including designing and developing the “application programming interface (API) and file transfer protocol scripts for data transport, validation and formatting”; and completing “different stages of complex ETL processes including calculations, joining and concatenation.” Participation in end-to-end testing will also be required as well as monitoring operations and testing “EVV interface performance for potential bottlenecks, identify possible solutions.” Deliverables will include a task accomplishment plan, weekly and monthly activity reports, EVV interfaces technical work plan and schedule, and an EVV interfaces detailed design document.
- Mandatory staffing experience for technical leads includes at least five years’ experience in the last 10 years “analyzing business processes, modeling, configuring, designing, developing, coding, testing, implementing and maintaining databases”; at least three years’ experience in the last 10 years translating “detailed technical concepts” into easily understood language and “business-focused ideas into practical technical specifications”; at least three years’ experience “coordinating, designing, writing and executing technical specifications and analyzing architecture for database projects”; and working on a “large-scale” system implementation of at least 1,000 end users and with implementation costs of at least $5 million. Desirable experience includes at least three years’ experience in the last 10 years on an IT system implementation for a state agency or department; in a lead role during the first three months after the deployment or go-live of an IT solution into operations; and finishing one successful implementation from development through development to production and/or integration using API technology.
- The state intends to make a single contract award as a result of this RFO, and compensation for the successful respondent will be on a “cost reimbursement basis” for the services performed. Contract term is expected to be 36 months with the option of two one-year extensions. Responses are due by 2 p.m. June 16. The state will conduct oral interviews with finalists; however, dates have not yet been set. The proposed contract’s start and end dates are yet to be determined.