RESOLUTION RE: APPROVE LETTER OF ENGAGEMENT FOR SERVICES FOR HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) COMPLIANCE AND AUTHORIZE CHAIR TO SIGN - DIGITALCARE, INC.

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Board has been presented with a Letter of Engagement for Services for Health Insurance Portability and Accountability Act (HIPAA) between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, and DigitalCare, Inc., with further terms and conditions being as stated in said agreement, and

WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy of which is attached hereto and incorporated herein by reference.

NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Letter of Engagement for Services for Health Insurance Portability and Accountability Act (HIPAA) between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, and DigitalCare, Inc., be, and hereby is, approved.

BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to sign said agreement.

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 23rd day of February, A.D., 2005.

BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
William H. Jerke, Chair
M. Geile, Pro-Tem
D. Long
R. D. Masden
Glenn Vaad

Clerk to the Board
BY: Deputy Clerk to the Board

APPROVED AS TO FORM: County Attorney
Date of signature: 3/9/05
2005-0617 PE0022


DigitalCare, Inc. - Government Information Security Services
Letter of Engagement for Services

THIS AGREEMENT made this ____ day of __________ in the year 2005, which agreement supersedes all prior communications between the parties hereto, is between Weld County, Colorado, Greeley, CO, hereinafter referred to as the "Client", and DigitalCare, Inc., a Corporation of the State of Colorado, hereinafter referred to as the "Consulting Firm".

WHEREAS, Client desires to engage Consulting Firm to perform certain professional HIPAA Security Rule assessment and consulting services ("Services") as hereinafter described in Appendix A ("Project");

NOW, THEREFORE, in consideration of the mutual promises and covenants herein contained, the parties hereto agree, as follows:

1. Retention of Consultant
Client hereby retains the Services of Consulting Firm as an independent contractor to provide Professional Consulting Services as set forth in Appendix A to this Agreement.

2. Fees, Expenses and Invoicing
A. The pricing for Consulting services under this Agreement is listed in Appendix A. The Consulting Firm shall submit invoices for Services as they are performed, according to the following schedule:
- 30% Payment to initiate each Phase.
- 70% Payment upon completion of each Phase, and delivery of all associated Deliverables.
B. Client will pay invoices submitted in accordance with subparagraph A above within 15 days of receipt of the invoice.

3. Law of Colorado
This Agreement shall be construed in accordance with the laws of the State of Colorado.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first above written.

Weld County, CO
BY: AUTHORIZED SIGNATURE
William H. Jerke, Chair, 2/23/2005
Attest: Deputy Clerk to the Board

DigitalCare, Inc.
BY: AUTHORIZED SIGNATURE
TITLE:
DATE:

427 North Weber Street, Colorado Springs, CO 80903
Phone: (719) 477-9477   Toll Free: (877) 477-9297   Fax: (719) 329-0524
Web: www.digitalcare.com


APPENDIX A
HIPAA Security Assessment Services
Initial Proposal - 4-29-04
Revised 2-17-05

Introduction

This Proposal is based upon the email and phone communications between Weld County, CO (Don Warden and Cheryl Weinmeister) and DigitalCare (Doug Landolfi and Patricia Rothwell). Listed below is a "Chinese Menu" of the HIPAA Security Rule compliance services that we have determined are applicable to Weld County, given these communications.

DigitalCare is an information security services firm focused within the government health and human services sectors. We possess extensive experience conducting HIPAA Gap Analyses and Risk Assessments, and large scale IT Security analysis projects, for County and State Governmental Organizations. We employ state-of-the-art security analysis tools and the highest rated assessment methodologies established by national associations and authorities. We have assembled a suite of information security tools and services that are tailored specifically for human services and health care applications.

This document is organized as follows:
- Introduction
- Overview of our HIPAA Security Rule compliance services for Weld County
- Pricing
- Detailed Descriptions of these Services

Overview of our HIPAA Security Rule compliance services for Weld County

Based upon our communications with Weld County and our experience working with other Counties in CO, NM, AZ and OR, we recommend that a HIPAA Security Rule Assessment be conducted, and Policies and Procedures be written, before Training occurs. Our "Chinese Menu" of services listed below is based upon this opinion.
(Please Note: Each of the services listed below is described in detail, following the Pricing Section.)

Phase I. HIPAA Security Compliance Assessment

Part A. Security Gap Analysis
A gap analysis compares current operations and security precautions to the requirements mandated by the Final HIPAA Security Rule.

Part B. Security Risk Assessment
A risk assessment evaluates the significance of security vulnerabilities in the context of your organization's operating environment.

Part C. Recommendations Report
Based upon the results of the Gap Analysis and Risk Assessment, DigitalCare prepares a thorough recommendations report. This report identifies all current HIPAA Security Gaps and Security Risks within your organization.

Phase II. Policies and Procedures Development
The final Security Rule requires that Covered Entities produce over 35 policies, procedures and plans. DigitalCare staff members can perform an on-site audit of your current policies and write new policies that are both HIPAA-compliant and specific to your organization.

Phase III. Workforce Training
Workforce training will provide each Weld County employee impacted by the HIPAA Security Rule a training program to learn the policies and procedures specific to Weld County and their department.

Pricing

HIPAA Security Services Pricing
Phase I. HIPAA Security Compliance Assessment
    Part A. Security Gap Analysis .................... $12,500
    Part B. Security Risk Assessment ................. $15,000
    Part C. Recommendations Report ................... $6,000
Phase II. Policies and Procedures Development ........ $5,000
Phase III. Onsite Workforce Training ................. $7,500 per day
Other Potential Follow On Services (As Required) ..... TBD

Detailed Descriptions of Our HIPAA Security Approach and Services

Phase I. HIPAA Security Compliance Assessment
DigitalCare has found that the HIPAA Security Assessment can be best conducted in 3 main phases. Below please find detailed information about the methodologies and tools DigitalCare uses to conduct HIPAA Security Assessments as well as the phases of analysis.

Part A. Security Gap Analysis
A gap analysis compares current operations and security precautions to the requirements mandated by the Final HIPAA Security Rule. DigitalCare, Inc. has extensive experience conducting HIPAA Gap Analyses for health care organizations. Outsourcing this process provides your organization with current expert opinion on the steps you need to comply with HIPAA.

The deliverables for DigitalCare's Gap Analysis include:
1. A completed Gap checklist for your organization
2. An Inventory of Information Systems
3. A Security Risk Assessment
4. A Physical Security Review

DigitalCare's HIPAA Security Gap Analysis Tool
DigitalCare has developed a comprehensive database of over 300 questions, issues and evaluation criteria that we use to conduct HIPAA Security Assessments and evaluate information systems for government departments and agencies. This resource is continuously added to, updated and improved as it is used for each subsequent Security Assessment. This powerful existing Tool is customized to each County's specific environment, risk levels and needs, and then submitted to the County for review and approval. Any required changes or modifications desired by the County are made in a prompt fashion before the commencement of data gathering activities.
DigitalCare's HIPAA Security Assessment Tool allows data tracking and reporting. The repository structure allows for easy access and reporting by HIPAA rule, category, facility, and program. It is designed to determine an organization's current level of compliance, reported deficiencies, observed deficiencies and exposure areas.

This powerful Tool will serve as the central master repository/database. The system contains interview questionnaires by job responsibility and function. All responses require complete tracking of all demographic information, including: department, facility, interviewer, interviewee, specific answers and interviewer comments. All answers and information gathered from both on-site interviews and electronic questionnaires/surveys are logged into the database for query, cross-tabulation and reporting.

Our system incorporates questions designed to determine exposure by each specific HIPAA Security standard and implementation specification for each of the three safeguards: Physical, Technical and Administrative, and for both Required and Addressable elements. This repository will be the central electronic resource used by DigitalCare during the project for tracking and evaluation of each Covered Entity's Security structure, legal gaps and risk levels. The full repository will be made available to the County at any time during the project.

Part B. Security Risk Assessment
A risk assessment evaluates the significance of security vulnerabilities in the context of your organization's operating environment. DigitalCare's HIPAA Security Risk Analysis process is based upon the National Institute of Standards and Technology (NIST) Special Publication 800-30 ("Risk Management Guide for Information Technology Systems").
DigitalCare has developed an extensive forms-based model that performs a thorough evaluation of vulnerabilities, threats and threat sources. DigitalCare's risk assessment process includes the following steps:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

We begin Security Assessments by reviewing breach or security incident information specific to the Covered Entity and individual system. Once we have completed that process, DigitalCare benchmarks all security gaps with other organizations. This process includes the following steps:
• Benchmarking with other County Covered Entities: DigitalCare will contact other Counties to determine how they are assessing their relative levels of security risk
• Benchmarking with other Weld County Departments and Agencies: We believe it is important to understand threats and breaches that have occurred within other County departments to help identify threats that are specific to your environment.
• DigitalCare uses the following outside resources to determine areas of risk, degree of exposure and likely consequences of incidents:
    • National Institute of Standards and Technology (NIST)
        o Risk Management Guide for Information Technology Systems
        o ICAT - a searchable index on computer system vulnerabilities
    • Computer Security Institute/FBI Annual Security Incident Tracking Data
    • URAC - Security Accreditation Standards
    • Health Information Management Systems Society (HIMSS) - Annual Survey, a portion of which tracks and defines security incidents
    • Your County's baseline security assessments for trend information (if available and appropriate)

Once we have identified the expected types, frequencies and costs of internal and external breaches based upon the County's systems, past experiences, experiences of peers and available security research, we compile this information with data collected in the Baseline Assessment and Gap Analysis to determine Risk Exposure.

DigitalCare's Security Risk Assessments evaluate an organization's risk relative to the following:
• Value of Assets
• Degree of Exposure
• Likely consequences of incidents
• Probability/Frequency of occurrence
• Costs of alternative remediation measures
• Best practices in other organizations

Part C. Recommendations Report
Based upon the results of the Gap Analysis and Risk Assessment, DigitalCare prepares a thorough recommendations report. This report identifies all current HIPAA Security Gaps and Security Risks within your organization. The report includes an ordered list of necessary corrective actions, fiscal and resource impacts, level of time and effort required, and the identification of available security upgrades.
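The risk determination steps listed under Part B (control analysis through control recommendations) carried through in code, as an added worked example that is not DigitalCare's tool or any code from this proposal. The likelihood weights, impact magnitudes and Low/Medium/High risk scale follow the risk-level matrix in NIST SP 800-30 (2002); the sample inventory, its ratings, the safeguard labels and the rule that an existing mitigating control lowers likelihood by one step are constructed assumptions for illustration only.

```python
# Added example (not DigitalCare's tool): NIST SP 800-30 (2002) style risk
# determination run over a constructed, hypothetical inventory of County systems.
from dataclasses import dataclass

# Weights from the SP 800-30 (2002) risk-level matrix (Table 3-6).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LIKELIHOOD_ORDER = ["Low", "Medium", "High"]


@dataclass(frozen=True)
class Finding:
    asset: str              # step 1: system characterization
    threat: str             # step 2: threat identification
    vulnerability: str      # step 3: vulnerability identification
    safeguard: str          # HIPAA safeguard family: Administrative, Physical or Technical
    control_in_place: bool  # step 4: control analysis (an existing control mitigates this pair)
    raw_likelihood: str     # step 5 input: likelihood before crediting existing controls
    impact: str             # step 6: impact analysis
    recommendation: str     # step 8: control recommendation


def effective_likelihood(finding: Finding) -> str:
    """Assumption for this example: a mitigating control in place lowers likelihood one step."""
    idx = LIKELIHOOD_ORDER.index(finding.raw_likelihood)
    if finding.control_in_place and idx > 0:
        idx -= 1
    return LIKELIHOOD_ORDER[idx]


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact magnitude (SP 800-30 Table 3-6)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(findings):
    """Steps 7-8: score each threat/vulnerability pair and return the corrective
    actions ordered by risk, highest first (the 'ordered list' Part C calls for)."""
    rows = []
    for f in findings:
        lik = effective_likelihood(f)
        score = risk_score(lik, f.impact)
        rows.append({
            "asset": f.asset, "safeguard": f.safeguard, "threat": f.threat,
            "likelihood": lik, "impact": f.impact,
            "score": score, "level": risk_level(score),
            "action": f.recommendation,
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed sample inventory (hypothetical systems and findings, not Weld County data).
SAMPLE_FINDINGS = [
    Finding("Case management server", "Unauthorized access by former employee",
            "Accounts not disabled at termination", "Administrative",
            control_in_place=False, raw_likelihood="High", impact="High",
            recommendation="Add account termination step to HR separation checklist"),
    Finding("Backup tapes", "Theft from unlocked storage room",
            "No physical access control on tape storage", "Physical",
            control_in_place=False, raw_likelihood="Medium", impact="High",
            recommendation="Lock tape storage; log check-in/check-out of media"),
    Finding("Clinic workstations", "Malware from removable media",
            "Anti-virus installed but signatures not updated", "Technical",
            control_in_place=True, raw_likelihood="High", impact="Medium",
            recommendation="Enforce central signature updates and verify weekly"),
    Finding("Public kiosk PC", "Shoulder surfing of displayed ePHI",
            "Screen faces waiting area", "Physical",
            control_in_place=True, raw_likelihood="Medium", impact="Low",
            recommendation="Reposition screen and add privacy filter"),
]

if __name__ == "__main__":
    # Step 9, results documentation: one line per finding, highest risk first.
    for r in assess(SAMPLE_FINDINGS):
        print(f'{r["level"]:6} {r["score"]:5.1f}  {r["asset"]:24} {r["action"]}')
```

Note that under the SP 800-30 matrix only a High likelihood paired with a High impact reaches the High band; crediting an existing control (the clinic workstations row) drops the pair from 50 to 25 but leaves it Medium, which is why the control-analysis step matters before ranking.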
This report identifies the current business practices and IT infrastructures that will form the baseline for the compliance work. It will provide a detailed explanation of findings including:
• Analysis of administrative policies and procedures, physical safeguards and technical security features
• Enumeration of potential risk areas and recommendations for next steps
• Identification of all areas that fall short of compliance with the draft HIPAA security regulations
• Development of "best practice" and HIPAA-compliant alternatives and recommendations as employed by other Counties and large organizations
• Prioritization of findings
• Recommendations for the Remediation phase, along with a recommended timeframe for implementing corrective actions
• Estimate of resource requirements, including: investment cost, operations (recurring cost), staffing and training
• Determination of whether "Addressable" standards are reasonable for the County

This task also includes steps required to review and analyze existing administrative, physical and technical security policies within the County. The following list presents a brief overview of the subject areas that will be covered within the assessment:
• Security Organization (assignment of security responsibilities, roles and responsibilities)
• Information Security (data classification, control of sensitive/critical data)
• Physical Security (physical access controls, environmental controls)
• Administrative Security (logical access controls, auditing, security violations, risk management, personnel security)
• Procedural Security (IT security policies and procedures, separation of duties/functions, individual accountability)
• Software Security (configuration management, security in the system development life cycle process, software reproduction)
• Hardware Security (configuration management, theft control)
• Telecommunications Security (configuration management, dial-in/out controls)
• Internet Security (employee use of Internet for business-related issues)
• Workstation/PC Security (specific protection requirements)
• Portable Computer Security (theft/data protection, remote connectivity)
• Contingency Planning (backup procedures, emergency response, testing)
• Security Awareness Training (employee responsibilities)

Phase II. Policies and Procedures Development
The final Security Rule requires that Covered Entities produce over 35 policies, procedures and plans. Producing these documents in-house is costly, time intensive and unnecessary. DigitalCare staff members can perform an on-site audit of your current policies and write new policies that are both HIPAA-compliant and specific to your organization. In addition, we have electronic templates of all HIPAA mandated security policies, procedures and plans available for purchase.

Phase III. Workforce Training
Workforce training will provide each Weld County employee impacted by the HIPAA Security Rule a training program to learn the regulations, policies and procedures specific to Weld County and their department. The employees will receive on-site interactive training and the opportunity to ask questions about how HIPAA affects them directly and their roles and responsibilities in regard to their job function.

Other Potential Follow on Services (To be quoted separately, if and as Required)

Contingency Planning: DigitalCare will conduct an onsite evaluation of your current information systems practices and design a comprehensive contingency plan for your organization. Deliverables will include the following specific documents necessary to comply with the HIPAA Security Rule:
1. Applications and Data Criticality Analysis
2. A Data Backup Plan
3. A Disaster Recovery Plan
4. An Emergency Mode Operation Plan

Data Backup and Storage: DigitalCare provides off-site data backup and storage services that comply with HIPAA Security Regulations. Depending upon your organization's needs, we provide hardware, software and backup service via tape, disk and remote server updates.