To: County of Sonoma Board of Supervisors
Department or Agency Name(s): Department of Health Services
Staff Name and Phone Number: Jennifer Solito, 707-565-4774; Ken Tasseff 707-565-4703
Vote Requirement: Majority
Supervisorial District(s): Countywide
Modification to Contract with Securance Consulting LLP for HIPAA Security Risk Assessment Services in HIPAA Regulated Departments
Recommended Action:
Authorize the Director of Health Services, or designee, to execute an amendment to the agreement with Securance Consulting LLP, extending the term for two additional years, through December 31, 2027, and increasing the scope to add the Health Services Homelessness Services Division and additional technical testing, and adding $165,119 for a new total agreement cost not to exceed $339,304. In addition, authorize the Director of Health Services, or designee, to execute modifications thereto which do not significantly change the scopes of service and which do not change the contract total, to address potential amendments in service needs, subject to review and approval by County Counsel.
Executive Summary:
HIPAA regulations and the State Department of Health Services require the County to annually perform a HIPAA Security Risk Assessment on programs and systems that maintain protected health information. Sonoma County contracts with independent contractors to annually perform these risk assessments in HIPAA-regulated departments. Securance Consulting LLP has successfully conducted the 2023 and 2024 annual risk assessments and is scheduled to complete the 2025 annual risk assessment in February 2025. The Department of Health Services (hereinafter “the Department” or “DHS”) proposes to extend the contract for two additional years to confirm operations through 2027. In addition, the Department proposes to expand the scope of work to include additional internal system penetration testing and adding the Homelessness Services Division, which joined the department after the original contract was executed.
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996, delegating authority to the federal Department of Health and Human Services (HHS) to adopt regulations concerning the privacy and security of health information. In August 2000, HHS adopted final regulations requiring covered entities that provide health care and health insurance to implement administrative, physical, and technical safeguards that protect the privacy and security of patient health information. In response to the new regulation, Sonoma County Board of Supervisors Resolution #03-0351 recognized the County as a covered entity and established DHS as the lead agency managing the County’s HIPAA privacy and security program.
In 2013, HHS updated HIPAA to include a section regulating the privacy and security of electronic systems that maintain protected health information. The updated HIPAA regulations as well as the county’s contracts with the California Department of Health Services require the County to annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. The County annually conducts the required risk assessments in all of its HIPAA covered components including Department of Health Services, Human Services Department, Information Services Department, and County Human Resources.
In 2022, DHS conducted a Request for Proposals (RFP), seeking qualified contractors to conduct annual HIPAA-compliant security risk assessments over a period of five years. Securance Consulting LLP was the successful proposer and was awarded a three-year contract to perform annual security risk assessments. On June 1, 2023, the Department entered into a contract with Securance from May 1, 2023 to December 31, 2025, for a total of $174,185. Securance Consulting LLP successfully conducted security risk assessments in 2023 and 2024. Securance Consulting LLP is scheduled to conduct the third annual risk assessment in February 2025.
Modification of Contract Scope and Term
The Department is requesting that the Board authorize the DHS Director, or designee, to enter into the first amendment to the contract with Securance Consulting LLP, extending the term and expanding the scope of work. The modified term will extend the contract from three years to five years, provided as an option in the RFP. The modified scope of the contract will: 1) Expand internal network penetration testing from 24 IP addresses to 60 IP addresses, and 2) Add the DHS Homelessness Services Division, which joined the Department in 2023, to the general scope of work.
The expanded scope, adding the Homelessness Services Division, is necessary due to U.S. Department of Housing and Urban Development (HUD) requirements for security of information maintained on the county’s Homeless Management Information System (HMIS). Similar to HIPAA regulations, HUD Regulations require annual security risk assessments of the HMIS system. The expansion of internal penetration testing is recommended by the County HIPAA Privacy & Security Officer in response to the ongoing increase in threats from malicious cyber-criminals.
The extension of the contract term to five years is contemplated in the RFP and supports internal succession planning. The current HIPAA Privacy and Security Officer will retire in January 2025 and extending the contract with a highly competent consultant with an understanding of Sonoma County systems will permit the new HIPAA Privacy and Security Officer time to learn Sonoma County systems before conducting a new RFP in 2027.
Strategic Plan:
Not applicable
Racial Equity:
Was this item identified as an opportunity to apply the Racial Equity Toolkit?
Prior Board Actions:
On April 8, 2003, the Sonoma County Board of Supervisors adopted Resolution 03-0351 providing for implementation of the Health Insurance Portability and Accountability Act (HIPAA), designating the County as a hybrid entity, delegating certain authority to the Compliance/Privacy Officer, and authorizing execution of HIPAA Business Associate Agreements.
Fiscal Summary
| Expenditures | FY24-25 Adopted | FY25-26 Projected | FY26-27 Projected |
|---|---|---|---|
| Budgeted Expenses | $81,000 | $75,009 | $81,010 |
| Additional Appropriation Requested | | | |
| Total Expenditures | $81,000 | $75,009 | $81,010 |

| Funding Sources | FY24-25 Adopted | FY25-26 Projected | FY26-27 Projected |
|---|---|---|---|
| General Fund/WA GF | | | |
| State/Federal | $81,000 | $75,009 | $81,010 |
| Fees/Other | | | |
| Use of Fund Balance | | | |
| General Fund Contingencies | | | |
| Total Sources | $81,000 | $75,009 | $81,010 |
Narrative Explanation of Fiscal Impacts:
This item extends the contract with Securance Consulting LLP through December 31, 2027, and increases the contract maximum from $174,185 to $339,304 to cover additional services. The fiscal year 2024-2025 budget includes $81,000 for these services, with no fiscal impact. The extension will be funded through 1991 Realignment revenues.
Future year funding will be included in the appropriate year budgets.
Staffing Impacts:

| Position Title (Payroll Classification) | Monthly Salary Range (A-I Step) | Additions (Number) | Deletions (Number) |
|---|---|---|---|
| | | | |
Narrative Explanation of Staffing Impacts (If Required):
Attachment 1 - Agreement
Related Items “On File” with the Clerk of the Board: