Written Questions and Answers


UK HealthCare Office of Corporate Compliance
Privacy Auditing and Monitoring Software Solution
RFP UK
Closing Date: 08/16/18
Today's Date: 08/07/18

1. Q: In 3.5, NOTE: it refers to the University's General Terms and Conditions; are those found here: condpurch.pdf? If our standard Contract has terms that are not stated in (thus exceptions to) the University T&Cs, how are we to express those? They would be in addition to them, but not exceptions.
   A: If you have terms & conditions that will need to be reviewed, you can add them to an Appendix and submit it with your response.

2. Q: What specific sections are to be included in the Technical Proposal?
   A: The technical proposal is the demonstration of your qualifications to be considered in this RFP. Please see section 4.0 for our technical requirements.

3. Q: Is the Financial Proposal in 3.6 only to include section 4.7, Criteria 3? If not, what other sections are to be included in the Financial Proposal?
   A: Please see section 7.0, Financial Offer Summary.

4. Q: For the financial proposal, how many applications (EHR, departmental, etc.) will be in scope for monitoring and therefore should be quoted? Please provide a list of those applications to be in scope.
   A: Initial monitoring will be Allscripts (SCM and AEHR) and Soarian.

5. Q: What EMR does UK Health use that we would be monitoring?
   A: Initial monitoring will be Allscripts (SCM and AEHR) and Soarian.

Written Questions and Answers Page 1 of 5

6. Q: How many users?
   A: 15,000-20,000.

7. Q: Total registered beds in the system?
   A: Approx. number of licensed beds is 950. Additional licensed beds are planned.

8. Q: Whether companies from outside the USA can apply for this? (e.g., from India or Canada)
   A: Companies from outside the USA can respond.

9. Q: Whether we need to come over there for meetings?
   A: In-person meetings are optional.

10. Q: Can we submit the proposals via e-mail?

11. Q: Will you please share all vendors' questions and answers regarding this RFP?
    A: All questions are combined within this response.

12. Q: Is the software to monitor all hospitals and practices? (reference UK Website) (a) UK Albert Chandler, (b) UK Good Samaritan, (c) 22 Practices.
    A: The software will be monitoring all users of our EHR enterprise-wide. This is not practice- or location-specific.

13. Q: What is the EMR configuration to be included in the proposal? (a) Single instance of Allscripts for hospitals? (b) Is Cerner (Soarian) to be included in the proposal, and also a single instance? If not, please describe the configuration, as this impacts the proposal. NOTE: To produce an accurate proposal, we need a description of the existing EMRs to audit and whether there are single or multiple instances of each EMR.
    A: We use single instances of Allscripts (SCM and AEHR) and Soarian.

14. Q: Is the total of 758 staffed beds accurate? (from HIMSS Analytics)
    A: Approx. number of licensed beds is 950. Additional licensed beds are planned.

15. Q: Are all the employee demographics on the same ERP (enterprise resource planning), e.g., SAP, Infor? (a) Please describe how we will access the employee demographics and insurance subscriber/guarantor information. (b) Should this source be included in our proposal?
    A: (a) Employee demographics will be fed from SAP. Patient insurance/guarantor information will be fed from Allscripts or Soarian. (b) Yes.

16. Q: Is the RFP seeking a proposal for software only? Not managed services (resources), where a vendor serves as an extension of your team and monitors and records investigations for the University of Kentucky. We do not provide managed services, but if the RFP is seeking that, we have partners that we would need to include in the proposal.
    A: We are not looking for managed services at this time.

17. Q: Does UK utilize any GRC or Incident Management Systems today?

18. Q: What EMR system(s) does the University of Kentucky envision being implemented in the first year?
    A: Initial monitoring will be Allscripts (SCM and AEHR) and Soarian.

19. Q: How many users have access to the University of Kentucky's main Inpatient EMR?
    A: 15,000-20,000.

20. Q: What HR System(s) does the University of Kentucky use?
    A: SAP.

21. Q: Will the University of Kentucky accept an initial contract with a 3-year term?
    A: UK HealthCare will consider a contract with a three-year term.

22. Q: Please estimate the average number of privacy complaints from patients or employees the UK system receives in a given month.
    A: While we get a minimal number of complaints from patients or employees each month, our focus is to implement software that will proactively monitor the activity of the 15,000-20,000 users who have access to our EHR.

23. Q: Will the ability for users to search the entirety of the access log events within a tool be required?
    A: This is not required for users to access. However, this information should be available upon request.

24. Q: Is this a budgeted/funded project earmarked for 2018/2019?
    A: Yes.

25. Q: Regarding on-premise or hosted in the vendor cloud, which is your preferred model?
    A: UK HealthCare is open to either solution.

26. Q: Will UK act as a reference for the selected vendor in the RFP?
    A: Yes.

27. Q: What EHR is in use?
    A: Allscripts and Soarian.

28. Q: Please identify the 30 applications that use, transmit or store PHI. Please indicate how each system logs information about data access.
    A: Initial monitoring will only start with Allscripts and Soarian. Additional systems to be fed into a privacy monitoring tool are yet to be determined and will likely not occur for the first year after installation.

29. Q: Please describe the steps involved in the manual process used when reviewing the audit report to verify each access. What indicates what was accessed?
    A: Custom access audit report results pulled from Allscripts (SCM), developed internally by our IT team, or canned reports from the system.

30. Q: What indicates the user's role in patient care?
    A: Custom access audit report user title; manual research determines role, if any.

31. Q: What indicates if the access was out of scope for their job role?
    A: Manual review of the chart and the user's role, including discussion with the employee's supervisor.

32. Q: What system is currently used to generate the access reports?
    A: SCM/AEHR canned reports as well as custom-built SQL queries from our IT Team.

33. Q: Are you using a Single Sign-On and/or Security Access Management Solution/tools?

34. Q: Do you have any shortcomings with current solutions in place for SIEM tools? Also, I believe UK Health has some Splunk and Varonis. Any issues there? I ask because I want to see if we can uncover and utilize any current tools to help eliminate cost.
    A: Splunk is being developed. However, it does not have the ability to retain or feed the native audit event information needed for a privacy monitoring solution. We are working on a Proof of Concept with Splunk in which there will be one Forwarder (a server Splunk uses to forward logs) that will serve as a single destination for log files from clinical applications. Assuming this Proof of Concept works, this will help lower the cost for any Privacy Monitoring Tool solutions that charge by the feed from each clinical application, as it will convert many feeds into just one.
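The answers to questions 29 through 31 describe the review that a privacy monitoring tool is expected to automate: take an access audit row, establish the user's role from HR data, and decide whether the access had a treatment, payment or other job-role basis. The following is an added example written for this editorial copy; it is not code from UK HealthCare, the RFP, or any vendor. It runs a handful of constructed audit rows (Allscripts-style report layout is assumed, not documented here) against a constructed HR roster standing in for the SAP feed from question 15 and a constructed guarantor table standing in for the EHR feed, and raises the checks a reviewer would otherwise do by hand: employee accessing their own record, employee listed as a patient's guarantor, no care-team relationship for a clinical view, and bulk access to many patients in a short window. All names, user IDs, MRNs, thresholds and the care-team table are invented for the example.

```python
"""Triage of EHR access audit rows against HR and guarantor feeds (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR feed (stand-in for the SAP employee demographics feed): one row per user ID.
HR_ROSTER = {
    "jdoe":   {"name": "Doe, Jane",   "dob": "1985-04-02", "title": "RN",                    "dept": "MED-SURG 7"},
    "rlee":   {"name": "Lee, Robert", "dob": "1979-11-19", "title": "Patient Financial Rep", "dept": "PFS"},
    "msmith": {"name": "Smith, Mary", "dob": "1990-07-30", "title": "Unit Clerk",            "dept": "ORTHO 4"},
}

# Constructed patient/guarantor feed (stand-in for the Allscripts/Soarian insurance-guarantor feed).
PATIENTS = {
    "MRN001": {"name": "Brown, Alan", "dob": "1962-01-15", "guarantor": "Brown, Alan"},
    "MRN002": {"name": "Doe, Jane",   "dob": "1985-04-02", "guarantor": "Doe, Jane"},    # an employee who is also a patient
    "MRN003": {"name": "Lee, Tommy",  "dob": "2011-03-08", "guarantor": "Lee, Robert"},  # guarantor is an employee
}

# Constructed care-team assignments per (MRN, encounter); the automated stand-in for reading the chart.
CARE_TEAM = {("MRN001", "ENC-1"): {"jdoe"}}

# Job titles assumed to have a payment-basis reason to open billing views without a care-team link.
BILLING_TITLES = {"Patient Financial Rep"}

# Constructed audit rows in a pipe-delimited canned-report layout: user | MRN | encounter | action | time.
AUDIT_ROWS = [
    "jdoe   | MRN001 | ENC-1 | VIEW_CHART   | 2018-08-01 08:05",  # on the care team: in scope
    "jdoe   | MRN002 | ENC-2 | VIEW_CHART   | 2018-08-01 12:30",  # her own chart
    "rlee   | MRN001 | ENC-1 | VIEW_BILLING | 2018-08-01 09:10",  # billing role, billing view: in scope
    "rlee   | MRN003 | ENC-3 | VIEW_CHART   | 2018-08-01 09:12",  # guarantor of this patient, clinical view
    "msmith | MRN001 | ENC-1 | VIEW_CHART   | 2018-08-02 22:01",  # clerk, not on any care team
    "msmith | MRN002 | ENC-2 | VIEW_CHART   | 2018-08-02 22:03",
    "msmith | MRN003 | ENC-3 | VIEW_CHART   | 2018-08-02 22:04",  # three patients in three minutes
]


@dataclass
class Finding:
    user: str
    mrn: str          # "*" for user-level findings that are not tied to one patient
    reasons: list


def parse_rows(lines):
    """Split pipe-delimited report lines into dicts with a parsed timestamp."""
    rows = []
    for line in lines:
        user, mrn, enc, action, ts = [f.strip() for f in line.split("|")]
        rows.append({"user": user, "mrn": mrn, "enc": enc, "action": action,
                     "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M")})
    return rows


def identity_key(name, dob):
    """Normalise a (name, DOB) pair so employee and patient demographics can be compared."""
    return (name.casefold().replace(" ", ""), dob)


def triage(rows, hr=HR_ROSTER, patients=PATIENTS, care_team=CARE_TEAM,
           bulk_threshold=3, bulk_window=timedelta(hours=1)):
    """Return one Finding per flagged access plus one per user exceeding the bulk-access threshold."""
    findings = []
    by_user = defaultdict(list)
    for r in rows:
        emp, pt = hr.get(r["user"]), patients.get(r["mrn"])
        if emp is None or pt is None:
            findings.append(Finding(r["user"], r["mrn"], ["UNKNOWN_IDENTITY"]))
            continue
        reasons = []
        # Employee-as-patient and employee-as-guarantor matches come straight from the two feeds.
        if identity_key(emp["name"], emp["dob"]) == identity_key(pt["name"], pt["dob"]):
            reasons.append("SELF_ACCESS")
        elif emp["name"].casefold() == pt["guarantor"].casefold():
            reasons.append("GUARANTOR_MATCH")
        # Treatment basis: on the encounter's care team. Payment basis: billing role opening a billing view.
        on_team = r["user"] in care_team.get((r["mrn"], r["enc"]), set())
        billing_ok = emp["title"] in BILLING_TITLES and r["action"] == "VIEW_BILLING"
        if not (on_team or billing_ok):
            reasons.append("NO_CARE_RELATIONSHIP")
        if reasons:
            findings.append(Finding(r["user"], r["mrn"], reasons))
        by_user[r["user"]].append(r)
    # Bulk access: at least bulk_threshold distinct patients opened within bulk_window by one user.
    for user, urows in by_user.items():
        urows.sort(key=lambda x: x["ts"])
        for i, first in enumerate(urows):
            mrns = {x["mrn"] for x in urows[i:] if x["ts"] - first["ts"] <= bulk_window}
            if len(mrns) >= bulk_threshold:
                findings.append(Finding(user, "*", ["BULK_ACCESS"]))
                break
    return findings


if __name__ == "__main__":
    for f in triage(parse_rows(AUDIT_ROWS)):
        print(f"{f.user:8} {f.mrn:7} {', '.join(f.reasons)}")
```

The care-team table is the weakest link in this kind of check and is also where the answers above say the manual effort goes: in production it would be built from encounter, order and scheduling data rather than typed in, and any role not covered by it (consultants, float staff, billing) needs an explicit job-role rule like the billing one here, or the tool drowns the reviewer in NO_CARE_RELATIONSHIP hits.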