ACA COMPLIANCE PROVIDER REQUEST FOR PROPOSAL (RFP)

ACA COMPLIANCE PROVIDER REQUEST FOR PROPOSAL (RFP) SEPTEMBER 2016

The purpose of this RFP is to identify and engage an outsourcing solution partner to provide ACA Compliance services to CLIENT with efficiency, industry-leading performance and support.

Required Services (Determining Status, Counting Hours and Reporting):

1. Determining Eligibility Data Sources and Classes
   a. Accept third party data files from the CLIENT HRIS and Payroll systems
   b. Manage data and generate edit/audit reports
   c. Support multiple classes of employees, possibly with multiple measurement periods (hours measured, hours worked and paid, paid LOA, equivalent for non-hourly, qualified unpaid hours, breaks in service (rule of parity), educational institution rules)
2. Counting and Tracking to Fulfill Eligibility Requirements
   a. Support historical and/or on-going calculations of full-time status based on the look-back measurement method (part-time only)
   b. Tracking and notification process for full-time status changes for new hires and ongoing eligibility changes
3. Employer Monitoring and Reporting
   a. Provide rule/role based security access for reporting
   b. Reporting of hours (access to reports): scheduled, point in time, on-demand, custom report design available to employer
   c. Configure reports/notifications for different trigger points
   d. Provide an employer dashboard (reports and graphics, drill down for details, alerts)
   e. Provide the ability to forecast potential pay or play penalties
4. IRS Reporting (Section 6055 / 6056)
   a. Populate the reports for Section 6055 and 6056
   b. Distribute Form 1095-C to employees
   c. E-File ACA required reporting with the IRS
   d. Employee call center for 1095-C questions
   e. Manage Public Exchange inquiries
   f. Manage IRS appeals

Service Provider Expectations:

CLIENT is looking for a long-term partnership with an ACA Compliance Provider who has proven operations and IT infrastructure and will provide:

1. A partner that will ensure compliance with current and future ACA regulations.
2. A relationship based on the spirit of partnership with a high level of transparency.
3. A partner that is flexible and can respond quickly.
4. A highly secure technical environment that ensures protection of CLIENT employee data.
5. A process that is technologically advanced and rules/eligibility based.
6. Proactive issue management processes.
7. Thoroughly documented and updated policies and procedures.
8. Timely and accurate transaction processing backed up by industry standard service level agreements.
9. Easy access to data for reporting and analysis purposes.
10. Adherence to industry standard best practices.
11. Adherence to applicable regulations, e.g., HIPAA, etc.

TASK / TIMELINE DATE

- Request for Proposal released
- Service providers to submit clarifying questions for RFP
- Answers to RFP clarifying questions returned to service providers
- RFP Questionnaire, Pricing Response & Attachments Submitted (Hard/Electronic copies)
- Web demos
- RFP analysis report finished
- Service provider decision finalized
- Contract negotiations completed
- Implementation kick-off
- Target go-live

CLIENT INFORMATION

Insert information compiled through ACA Discovery Template:

- Current ACA process
- Employee metrics
- Data requirements
- Desired service provider solutions

The following is a summary of the impacted employee benefit plans and providers supporting current HR information, timekeeping, leave management, payroll, benefits eligibility and enrollment for CLIENT:

SERVICE / PROVIDER

- Medical and Rx Carrier
- HR Information System
- Timekeeping System
- Benefits Eligibility and Enrollment System
- Leave Management System
- Payroll System
- W2 Preparer
- COBRA Administrator

SERVICE PROVIDER PROFILE

Should you be selected as the service provider to CLIENT, your response to this RFP will be an attachment to the definitive contract, and the information that you provide in response to this RFP will have contractual effect. Because answers and information that do not reflect reality may place you in breach of contract, you are encouraged to give full, complete and accurate answers and information from the outset. Please answer these questions in consideration of CLIENT's current ACA compliance administration process information provided in this RFP.

COMPANY INFORMATION

RFP QUESTION:

Question 1a. Company profile
Response 1a.
Question 1b. Company history
Response 1b.
Question 1c. Date ACA compliance services were established
Response 1c.
Question 1d. Indicate the name and the ACA business function of any subcontractors you are using to provide ACA services
Response 1d.
Question 1e. Location of company headquarters
Response 1e.
Question 1f. Company size
Response 1f.
Question 1g. Company growth plans (e.g., planned mergers, acquisitions, divestitures)
Response 1g.
Question 1h. Total number of employees in your ACA Compliance Department
Response 1h.
Question 1i. Work locations:
   - Company facility locations
   - Type of work being performed at each facility
   - Location that will primarily service the prospective client
Response 1i.

Question 1j. Overall company turnover and service center turnover over the past 12 months
Response 1j.
Question 1k. Services that are performed off-shore, where they are performed & for how long they have been performed in that location
Response 1k.
Question 1l. Number and average size of employers your ACA Compliance Service Team manages
Response 1l.
Question 1m. Is your firm willing to indemnify CLIENT for service provider errors that result in penalties to the company?
Response 1m.

AUDITS & SECURITY

1. INSURANCE, SYSTEMS & TECHNOLOGY AUDITS

Describe all audits, tests and reviews conducted over the past 24 months internally or by clients, prospects and/or 3rd party service providers that you have hired specifically for audit purposes. There is no need to include written descriptions of formal audit results submitted as part of this RFP response.

RFP QUESTION:

Question 1a. OPERATIONS Audits: SSAE 16 (SOC 1, SOC 2, or SOC 3); include Issue Date, Type and Opinion (If you have not yet conducted an SSAE 16 SOC Audit, explain plans/timing of doing so.)
Response 1a.
Question 1b. DATA CENTER Audits: SSAE 16 (SOC 1, SOC 2, or SOC 3); include Issue Date, Type, and Opinion (If you have not yet conducted an SSAE 16 SOC Audit, explain plans/timing of doing so.)
Response 1b.
Question 1c. SECURITY & TECHNICAL audits: Tests and reviews including the following:
Answer 1c. Columns: Performed / Internal/External (If external, who performed?) / Additional Details
   - IT Risk Assessment Audit consistent with the ISO 2700 Standard
   - Application Code Reviews
   - Penetration or Vulnerability Scans
   - Security Audits
   - Stress Testing for Peak Periods
Question 1d. Insurance Coverages, Name of Carrier and Coverage Level for General Liability
Response 1d.
Question 1e. Tech Errors & Omissions (E&O) and Cyber Crime Insurance Coverage (Not Regular E&O):
   - Name of carrier and coverage level for Tech E&O coverage in force
   - Name of carrier and coverage level for Cyber Crime coverage in force
Response 1e.
Question 1f. Are the Tech E&O and Cyber Crime policies referenced in Question 1e. paid in full for the full-term and currently in force?
Response 1f.
Question 1g. Financial Audits, Tests and Reviews including: Financial statements audited by public accountants resulting in an opinion (Include issue date, and opinion type issued: Unqualified, Qualified, or Adverse)
Response 1g.
Question 1h. If you are a privately held firm, are you willing to share your last two years of audited financial statements if selected as a finalist?
Response 1h.

2. SECURITY

RFP QUESTION:

Question 2a. Do you have a data breach plan in place? Have you ever been required to disclose a HIPAA breach of information for a client's employee population? If Yes:
   - What steps were taken to resolve?
   - Was your breach: 1) Unintentional (stolen laptop), 2) Intentional (disgruntled employee) or 3) Outside breach?
Response 2a.
Question 2b. Has your company been under examination by the Department of Labor (DOL) or Department of Health and Human Services (HHS) within the last 4 years in relation to HIPAA security or procedures? If so, was remedial action required and/or were fines assessed in relation to service failures affecting your current or former clients?
Response 2b.

Question 2c. Describe your process for storing client data (i.e., servers, locations, cloud, etc.). What redundancy and security processes are used to ensure continuity of service?
Response 2c.
Question 2d. Confirm compliance with all HIPAA & HITECH requirements and regulations. Confirm you have a dedicated department and/or dedicated staff members responsible for monitoring and assuring HIPAA compliance.
Response 2d.
Question 2e. Confirm all subcontractors' compliance with all HIPAA & HITECH requirements and regulations. Confirm you will be responsible for executing BAAs with subcontractors and will be responsible for any subcontractor breaches in data security.
Response 2e.
Question 2f. Please detail your background check policy for employees and if it's performed by a third party.
Response 2f.

3. ENCRYPTION

RFP QUESTION:

Question 3a-h. Description of your encryption protocol?
Response 3a-h. Columns: Encrypted (Yes/No) / Additional Details
   a. Level: Database
   b. Level: Field
   c. At Rest
   d. In Transit
   e. Internal to your Network
   f. External to your Network
   g. Back-Up Data
   h. Test Database
Question 3i. Who has control over the decryption keys?
Response 3i.
Question 3j. Are your data files encrypted during transmission (i.e., SFTP)?
Response 3j.
Question 3k. How is it protected at the destination?
Response 3k.
Question 3l. Outline the front door protection (i.e., protected using IDs and passwords).
Response 3l.

Question 3m-o. Password Protocols
   m. Length?
   n. Construct?
   o. Duration?
Response 3m-o.

4. OTHER

RFP QUESTION:

Question 4a. Detail your firewall and intrusion protections, network and host-based.
Response 4a.
Question 4b. Detail your user authentication process and restrictions.
Response 4b.
Question 4c. Detail your network access policy/approach as it relates to external interfaces.
Response 4c.
Question 4d. Detail your network integration abilities.
Response 4d.
Question 4e. Is your platform one single database or multiple?
Response 4e.
Question 4f. Detail your network's scalability to meet increases in demand.
Response 4f.
Question 4g. How many years of historical data can be kept? Is there a mechanism to archive/purge this information per regulatory guidelines?
Response 4g.
Question 4h. What operating systems (including mobile devices) and browsers are supported?
Response 4h.

ACA COMPLIANCE ADMINISTRATION

1. PROCESS

RFP QUESTION:

Question 1a. Is your ACA Compliance Administration available in a modular format (i.e., hours tracking on a stand-alone basis, reporting on a stand-alone basis)?
Response 1a.
Question 1b. Can you manage the tracking of multiple eligibility groups?
Response 1b.
Question 1c. Can you load data for the historical portion of the current measurement period?
Response 1c.

Question 1d. Do you have the capability to track multiple and variable measurement periods?
Response 1d.
Question 1e. Are you able to apply both monthly and look-back measurement methods?
Response 1e.
Question 1f. Are you able to track limited non-assessment periods?
Response 1f.
Question 1g. Are you able to track hours of service for non-hourly employees, including per diem employees?
Response 1g.
Question 1h. Can your system manage measurement and stability periods based on payroll dates as opposed to the first of the month?
Response 1h.
Question 1i. Describe your Employer Notification and Reporting Process for status changes, including dashboard capabilities, if applicable.
Response 1i.
Question 1j. Describe your Employee Notification Process for status changes.
Response 1j.
Question 1k. Are you able to include retirees and COBRA in the data for reporting?
Response 1k.
Question 1l. Are you able to forecast and trend Benefit Eligible Status on an on-going basis?
Response 1l.
Question 1m. Are you able to calculate Affordability? Please describe the process and the Safe Harbor options supported.
Response 1m.
Question 1n. Describe your employer reporting capabilities specific to forecasting full-time status changes and the associated impacts.
Response 1n.

2. DATA FILES

RFP QUESTION:

Question 2a. Are you able to import data from multiple 3rd party data sources? If so, please outline any limitations with this process.
Response 2a.
Question 2b. Do you require input data to be provided in a pre-determined template or do you have custom data intake capabilities?
Response 2b.

Question 2c. Describe your audit process for 3rd party data intake.
Response 2c.
Question 2d. Can the 3rd party data be edited once it is loaded into your system? If so, please outline any limitations with this process.
Response 2d.

3. REPORTING

RFP QUESTION:

Question 3a. Are you able to manage (compile, e-file, distribute) the ACA IRS Reporting Requirements (Sections 6055 and 6056)? If so, describe your process for managing these requirements.
Response 3a.
Question 3b. Specifically, are you able to manage the ACA IRS Reporting Requirements for Form 1095-C, Lines 14, 15 and 16 (including interpreting benefit data for indicator codes for Lines 14, 15 and 16 on the 1095-C)? Please describe any limitations with FULLY completing this section of Form 1095-C.
Response 3b.
Question 3c. Has offeror's solution been audited by a 3rd party to verify that all ACA regulations are accounted for and calculated correctly? If so, please list the 3rd party auditor.
Response 3c.
Question 3d. Is the 1095-C reporting available online for employees to access?
Response 3d.
Question 3e. Do you integrate with 3rd party tax systems like Turbo Tax or Quicken? If so, please list the providers.
Response 3e.
Question 3f. How long will you retain data and IRS reports for employee and employer inquiries?
Response 3f.
Question 3g. Is the 1095-C reporting available online for employers to access, review, audit and update both pre and post filing? If so, is there an audit trail? If a correction filing is required, does it automatically generate an updated e-file?
Response 3g.

4. IRS SUPPORT SERVICES

RFP QUESTION:

Question 4a. Do you provide call center services for employee inquiries regarding 1095 Reporting?
Response 4a.

Question 4b. Do you manage IRS inquiries and penalties?
Response 4b.
Question 4c. Describe any support provided with Public Exchanges for penalty verifications and appeals.
Response 4c.

5. OTHER ACA REQUIREMENTS

RFP QUESTION:

Question 5a. Do you report the employer and employee Total Premium Cost of applicable plans to payroll to be included on the W2? Please include method of reporting (payroll feed or other report) and frequency (per payroll or year-end files).
Response 5a.
Question 5b. What level of customization is available for the Notice of Exchanges? What is the method of distribution and associated costs?
Response 5b.
Question 5c. Please indicate how you can support the calculation of the Number of Covered Lives for the Patient-Centered Outcomes Research Institute (PCORI) Fee. Please include a description of your reporting capabilities, including counting methods supported.
Response 5c.
Question 5d. Please indicate the reporting available for Hours Data. Please indicate if the reports can be scheduled, are available as of a point in time, available on-demand and if a custom report design is available to the client.
Response 5d.

ROLL OUT AND SERVICE MODEL

1. IMPLEMENTATION GO LIVE ROLL OUT

RFP QUESTION:

Question 1a. Your standard implementation timeline.
Response 1a.
Question 1b. Internal quality control procedures in place to audit and review all implementation related tasks.
Response 1b.
Question 1c. Detail how you manage and monitor your implementation and ongoing service capacity.
Response 1c.

2. SERVICE MODEL

RFP QUESTION:

Question 2a. Client Services Account Management Team structure.
Response 2a.
Question 2b. Location and hours the Client Services Account Management Team (not Service Center Team) is available for HR administrations (specify time zone).

Response 2b.
Question 2c. Ongoing client stewardship process; include details on:
   a. Methods used to monitor ongoing client satisfaction
   b. Frequency you review client satisfaction with clients
   c. Ongoing stewardship reports & stewardship analytics
   d. Ability to show trends and/or areas that need improvement
Response 2c.

ACA COMPLIANCE SERVICES Pricing

TASK / SERVICE PROVIDER RESPONSE:

DATA MANAGEMENT
   a. Load Historical Employee Payroll, Time and Benefit Data from 3rd party data sources (HCM, Benefit Administration system, etc.)
   b. Load Ongoing Employee Data Files from payroll systems and other data sources

COUNTING AND TRACKING TO FULFILL ELIGIBILITY REQUIREMENTS
   a. Support historical and/or on-going calculations of full-time status based on the client specific measurement method
   b. Tracking and notification process (reporting, dashboard, etc.) for benefit eligibility status changes

IRS/REPORTING (SECTION 6055/6056)
   a. Fulfill reports for Section 6055 and 6056
   b. Distribute Form 1095-C to employees
   c. E-file Form 1094-C with IRS
   d. Distribute Form 1095-C to employees
   e. Manage Public Exchange inquiries: PER INQUIRY
   f. Manage IRS appeals: PER APPEAL

Appendix 1 Statement of Work (To Be Customized)

This Statement of Work (SOW) is made and entered by and between CLIENT and the chosen ACA Compliance Service Provider. The chosen ACA Compliance Service Provider agrees as follows:

1. Identify/quantify Risks: Describe risks to the project
2. Scope of Work: Describe in detail the work the chosen ACA Compliance Service Provider will perform
3. Inclusions: Describe:
   - Tasks to be performed
   - Resources assigned to tasks
   - Location(s) where task(s) to be performed
4. Exclusions: Describe:
   - Tasks that are not part of the scope of this project
5. Deliverables by Phases: Describe:
   - Items that will be developed or provided (i.e., products, service, plans, status reports, documentation)
   - Dates for delivery
   - Implementation plan

ADDITIONAL APPENDICES

To be included as attachments:

1. Standard Contract
2. Standard Service Level Agreement/Performance Guarantees
3. Standard Business Associate Agreement
4. Latest Audit Reports (or other External Audit Reports including: SSAE 16 (SOC 1, SOC 2, or SOC 3); include Issue Date and Type)
5. Tech Errors & Omissions Insurance Certificate
6. Cyber Crime Insurance Certificate
7. Implementation Timelines and other implementation documentation
8. Administrator Training documentation
9. Standard Ongoing Stewardship Reports
10. Results of Client Satisfaction Surveys
11. Sample Reporting Package and listing of all reports available
12. ACA Compliance Documentation and Samples
13. Security, Privacy Policies and Procedures
14. Technology Infrastructure Documents such as:
   a. Network and System Infrastructure Diagrams
   b. System Dataflow / Integration Diagrams
   c. Business Continuity and Disaster Recovery Plans
   d. Overview of Data Center Infrastructure
15. Any other materials you believe are relevant
16. Pricing Proposal