Submit in Duplicate

STATE OF HAW All .04 JU~ -8 AlO :57

REQUEST FOR EJ(EMPTION FROM CHAPTER lO3D, IlKS
TO: Chief Procurement Officer 314TEPRoc/~[ M
S r~T~c.'[~
',i'lL!
F H ENT OFF/LF
:J\Yli',II"
FROM: DHS/Med-QUEST Division
(DepartmcntJDivision/Agency) I
Pursuant to § 103D-I02(b)( 4), HRS, and Ch:apter 3-120, BAR.the Department requests a procurement e~ernption to
'p"lD'Chase
the followin~
Description of goods, services, or construction:

Refer to attachment.

Name of Vendor: FourThought Group, Inc. . I Cost:

Address: 112 North Central Ave., Suite 700 I $1.8 m llion
Phoenix, Arizona 85004 I
I
I TmmofCoouact
July,ennofContract: F
From: July, 2004 To: June, 2006 IPriorExcmption ef.No.{ifappIicable)
I 02-28-R
I (See cOIY attached)
Explanation describing how procurement by competitive means is either not practicable or not advantag~us to the State:

Refer to attachment.

Details of the process or procedure to be followed in selecting the vendor to ensure maximum fair and open competition as
practicable:
Refer to attachment.

SPOF0Jm-7 (Rev.{7/1~2) 1 P.E.N -.a!l~~-M

I
Submit in Duplicate REQUEST F4[)R EXEMPTION FROM CHAPTER 103D, HRS (Conl)

A description of the agency's internal controls and approval requirements for the exempted procmement

The contract will be neglotiated with FourThought Group, Inc. b the DHS
HIPAA Project Director i:tl consultation with the Med-QUEST Div ion. The
contract will be reviewed and signed by the DHS Director. The HIPAA Projec
Director, with supervisi,on by the DHS Deputy Director, will h e responsib i
for working directly with the contractor to ensure the scope 0 work is
performed.

A list of agency personnel, by position title, who will be involved in the approval process and adminis n of the contract:
Lillian B. Koller, Esq., Director (approve and sign contract)
Henry Oliva, Deputy Director (will supervise the HIPAA Projec Director to
monitor the contract)
Andrea J. Armitage, HIPAA Project Director (will serve as pri ry contact
for the contractor and will negotiate and monitor the cont act)
Steven Kawada, Med-QUEST Division Assistant Administrator and andy Chau,
Med-QUEST Division Systems Officer (will consult with HIP Project
Director on the budgeting and scope of the contract).

Direct questions to:

Andrea J. Armitage 4

This exemption should be considered for list of exemptions attachedto Chapter 3-1 ;?O,HAR: No U
I CERTIFY THAT THE INFORMATION PROVIDED ABOVE IS, TO THE BEST OF MY WLEDGE,
TRUE AND CORRECT.

JUN 0 4 200,
Date

Title (If other than Depar1ment Heed)

Chief Procurement Officer's Comments:

Pleaseensure adherenceto applicable admiJ[listrativerequirements.

~ APPROVED 0 DI~)APPROVED ate

cc: Adminis1rator,
State Procurement Office I

SPOFonn-7 (Rev.(7/lx}2) 2 P.E. -11!l~~-tll

 RESPONSE TO
REQt1EST FOR EXE]MPTION FROM CHAPTER 103D, HRS

Description of goods, services,or construction:

IllP AA SecurityRule analysisand consulting services. As the stateMedicaid age cy,

the Departmentof Human Services.(DHS) is requiredto comply with the adminis ative
simplification requirementsof the ]H:ealthInsurancePortability and Accountabili Act
(HIPAA). The federal law affects :mosthealth care providers,all health plans (the DHS
meetsthe definition of a health plalfl)and clearinghouses.The law has several
componentswith different impleml~ntationdates. Thesecomponentsarethe Priv y
Rule, the Transactionsand Code SI~SRule, and the SecurityRule. The implemen tion
datefor compliancewith the Privac;yRule was April 14, 2003, and for the Transa ions
and Code SetsRule the implement:ationdate was October 16, 2003. The impleme tation
deadlinefor the SecurityRule, which was finalized in April, 2003, is April 20, 20 5.

The HIP AA SecurityRule will greatly affect how medical information will be rec ived,
used,shared,storedand destroyed. This affects information systems,processes
proceduresand potentially, facility layouts. Most organizationsneedthe assistan f
expertsto examine,assess,and remediateits operations. The DHS is no different

The contractwould be performed in two parts over a two year period. In the flfSt rt the
consultantwould review the IllP AA SecurityRisk Assessmentthat was previousl
completed,and then usethat infonnation to assistthe DHS to completethe Securi
Analysis and Risk ManagementPlan, and a ContingencyPlan. The consultantw uld
give the DHS recommendationsfor appropriate,cost-effectiveremediationand a 'ce on
how to maximize the federal matclting funds allowable. The consultantwould al assist
the DHS to draft justifications for ;anyaddressableimplementationspecifications ot
complied with. [The Rule statesthat implementationspecificationsare either req ired or
addressable~ if the entity doesnot l:omply with an addressablespecificationthen i must
documentits justification for the noncompliance.] The first part would also inclu e
assistingthe DHS SecurityTeamto draft policies and proceduresandto provide ecurity
policy awarenesstraining for DHS:staff as required by the Rule. In the secondp the
consultantwould conduct an audit of the implementationdone in the flfst part, an would
assistthe DHS with creatingand i1mplementing proceduresfor on-going auditing f
SecurityRule compliance,given t]tteconstantchangesto the DHS network infra cture,
network threats,and availablesoftware/hardware.The consultantwould further sist the
DHS with corrective measuresbas:edon the results of those audits. The consult t would
give the DHS the tools necessary1:0conducton-going training updatesand rernin ers as
requiredby the Rule. The secondpart of the contractwould also requirethe con ltant to
developa protocol for a StandardizedEnterpriseArchitecture for the DHS' info ation
technology systems.

---
 I
I
I

Explanation describing how pro(:urement by competitive means is either not

practicable or not advantageous to the State:

Procurementby competitive mean~;is not advantageousto the State. When the

Transactionsand Code SetsRules'werein draft form, the DHS madethe decision 0
comply with theseRules through an interstateagreementwith the Arizona Medic' d
agency,Arizona Health Care Cost ContainmentSystem(AHCCCS). AHCCCS i
processingthe Medicaid claims for both the Med-QUEST (MQD) and Social Se ices
(SSD) Divisions through its claims processingsystemwhich is referredto in Haw ii as
the Hawaii PrepaidMedicaid ManagementInformation System(HP:MMIS). In 0 der to
preparefor those changes,the DH~) and AHCCCS both contractedwith FourTho ht
Group, Inc., (FourThought)of Phoenix, Arizona, to completethe IllP AA transacton
analysesand remediation,and assi:stwith their Privacy and SecurityRule complia ce
efforts.

The DHS enteredinto a sole sourc,econtractwith FourThought in June,2002 to a sist

with its compliancewith the IllP AA Privacy and SecurityRules. This contract e ired
on January31, 2004.

During the contract,FourThought assistedthe DHS with determiningits covered ty

statusin the first phase;conducteda Privacy Rule Gap Analysis in the secondph and
in the third phaseassistedthe DH~; with drafting requiredPrivacy policies and
procedures,both at the DepartmentandDivision levels, conductedIllP AA Priva
training for all coveredcomponen1: staff on Oahu and on the Neighbor Islands,an
conductedIllP AA training for somenon-coveredcomponentstaff. Also in phas three,
FourThought,with its Honolulu-b.iSedsubcontractor,SecureTechnologyHawaii Inc.,
conductedand documenteda 1llP,~ SecurityRule Risk Assessmentwhich the 'RS
receivedin January2004. Because . . onstaints,
and the delayedfinalization of the finallllP AA SecurityRule ebruary,20 in eadof
the anticipatedOctober,2002), all 0 e secuntyrequirementsand assessments ere not
completed.
The implementationdate of April 20, 2005 for the IllP AA securityrequirements "Yes
the DHS only elevenmonthsto pE~rform all tasks required by the SecurityRule ( alysis,
evaluationof alternatives,and implementation,technical, physical and administr tive).
Given the short time frame availa1)le,it is necessaryto contractwith a consultant hat is
knowledgeableof:

. IllP AA Transactionsand Code Sets.Privacy. and SecurityRules - It is

imperativethat the consul1:ant
have expertisein all three IllP AA rules. T ey are
interrelatedand interdependent.Knowledge of generalinformation tech logy
securityprotocols only, wlouldbe unacceptable.

. The Medicaid Program- There are many consultantsknowledgeableof AA,

but the DHS is seekinga (~onsultant
that hasspecific knowledgeofMedi id and
public programs. Typical1y,Medicaid programsinterfacewith a numberof other

2
 stateand federal programs. There are interfaceswith the DepartmentofH lth
(DOH), Departmentof Education (DOE), andthe Departmentof Public S ety
(PSD). The Medicaid programreimbursesfor servicesrenderedby variou
divisions within the DOH and soonthe DOE. The DHS processesclaims or
PSD.lntemally, the DHS must assessand makedecisionson interfacesbe een
MQD, SSD,Vocational Rehabilitation Division (VRD) and the Benefit,
Employment and Support ~;ervicesDivision (BESSD). Expertisewith pu lic
programsand specific kno,vledgeof Medicaid paymentsis requiredto un erstand
how to apply IllP AA regulations. Finally, knowledge of the Medicaid pr am is
essentialto assistingthe DHS in maximizing federal reimbursementfor stem
and proceduralchanges.

. AHCCCS and DHS OQera1~ - While both programsare Medicaid pro ams
and are similar, there are dilfferencesand it is critical for the consultantto
understandthe similarities and differences. HP:MMIS is jointly sharedby awaii
and Arizona. Any policy changesaffecting the HP:MMIS information sys em
must be consistentwith b01thstates,asthesepolicies arewritten to protect he
information in the samesy:~tem.Consistencywill minimize systemmodi cations
and reducecosts. AHCCCS utilized the expertiseofFourThought for its
Transactionsand Code SetsandPrivacy Rules implementations.

AHCCCS is currently using FourThought Group, Inc. exclusively to assis in its

SecurityRule implementationand remediationefforts. The scopeof AHC CS
contractsincludes:
0 Developmentof a ]usk Analysis and Risk ManagementPlan
0 Developmentof HIP AA SecurityPolicies and Procedures
0 Developing a meth,odof distributing Securityremindersto staff
0 Integrating Securit;ytraining into currentPrivacy training program
0 Developing a methodof conductingand recording a IllP AA Secu "ty
evaluationaudit
0 Developing Securi1ty guidelinesfor new systemapplication softw e
0 Developingjustific:ationsfor noncompliantAddressableimpleme tation
specifications
Theseare the samedeliverablesthat the DHS will be requestingin this c tract.
Awarding a sole sourceccntract with FourThoughtwill allow the DHS t
leveragethe work that coJ1lsultant
hasalreadydone and is currently comp ing for
AHCCCS, at a reducedcost.

. DHS OQerations- After having worked with the DHS from June2002 tough
January2004 on the DHS' Transactionsand CodesSets,Privacy and Sec rity
Rules implementations,FourThought is familiar with the businessproces esthat
are unique to the DHS, aswell aswith respectto its relationshipswith ot er state
agenciesand AHCCCS. ]n January2004, FourThought completeda det led and
complex administrativeandtechnical SecurityRisk Assessmentof the D S'
current statuswith the Se<;urityRule requirements. They also made
recommendationsto the DHS on how to proceedwith SecurityRule co iance

-
 efforts. It is essentialthat this proposedcontractbe a continuationof the e lier
contract, addingPhasesFour andFive of the SecurityRule compliancee rts.
This would provide continulityof our current strategy. Other consultants ould
be at a severedisadvantage,asthey would not know the intricacies of the HS'
businessprocesses,nor wh:~tHIP AA implementationsefforts the DHS h
conductedto date.This wolllld clearly cost further time and money.

. The DHS HIP AA SecurityRisk Assessment-- The HIP AA SecurityRis

Assessmentperformedand documentedby FourThought last Januaryis a
extremely sensitiveand coltfidential document. It containsdetailedtechni al
information about all the Vtllnerabilitieswith the DHS' current informatio
technology systemsand ne1tworks, including the DHS' connectivity to oth r State
of Hawaii departments(su(;hasthe Departmentof Accounting and Gener I
Services,Information and C::omrnunication ServicesDivision) and AHCC S
through HP:MMIS. Prospectivebidders pursuantto an RFP would not be llowed
to seethis documentunles~~ and until the DHS actually had a contractwit them.
However, it would be essentialfor any consultantbidding on this contract 0
know this information for t:heconsultantto makean informed proposalon the
scopeof the project. Without it, the proposalwould be purely guesswork.
FourThoughtdidthe assessmentand wrote the document. They are intim ely
familiar with the scopeof the work that remainson our HIPAA Securityp oject.

In summary,the DHS hasbeenworking with FourThought on HIPAA implemen tion

for two years,and AHCCCS curre:ntlyis working exclusively with FourThought 0
completeits SecurityRule impleltlentation. There are currently only a small nu er of
consultantswith expertisein both IllP AA and Medicaid programs.In order to e ctively
and efficiently implement phases1:ourand five of the DHS' HIP AA Project, expe ise in
HIP AA andMedicaid, familiarity with AHCCCS and the DHS operationsand
informational systems,and knowl~dgeof the resultsof the SecurityRisk Assess tare
critical. Only FourThought will meet all of theserequirements.

- ~--
 Submit in Duplicate

STATE OF HAWAII
NOTICE OF EXEMPTION FROM CHAPTER lO3D, H]~S

The Chief ProcurementOfficer is in the processof reviewingthe requestfrom the Departmentof Hum~n Services-
Med-Ouest Division for exemptionfrom ChapterlO3D, HRS, for the following goods,services,or onstruction:

HIPAAsecurity rule analysisand conslJltingservices.1stpart would involvethe review of the HIPAA

SecurityRiskAssessment,completeth,eSecurityAnalysisand RiskManagementPlan ~ndContingency
Plan.2ndpart would involvean audit o,fthe implementationdone in the 1stpart, the eptablishingand
implementingproceduresfor on-going auditing of SecurityRulecomplianceand develppa protocolfor
a StandardizedEnterpriseArchitecture:for DHSinformationtechnologysystems.

Vendor: FourThought
Group,In!:.
Address: 112 North CentralAvenue,Suite 700
Phoenix,AZ 85004

Term of Contract: From: To: I Cost:

July 200'~ June 2006 I $l,800,pOO.00
I
Direct any inquiries to: I
Department: HumanServices-Med Quest Division I
I PhoneNum er:
Contact
Name/Title: Andrea J. Armitage I (808) 58 -4954
I
Address: I
I Fax Numbe
I
I
I

... ... ... ..' ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...
Date Posted: une 10-L 2004

A copy of this notice of exemption from Chap1er lO3D, HRS, shall be posted by the Chief Procurement pfficer and the
purchasing agency in an area accessible to the public, at least seven (7) calendar days prior to any appro al action.

Submit written objections to this notice to issue an exemption from Chapter lO3D, HRS, within seven (7 calendar days from
the date posted to:
Chief Procurement Officer
Office/Agency~tate Procurement Office
Address 1151 Punchbowl Street. Room 416
I-ionolulu. Hawaii 96813

spa Fom1-7A(Rev.7/1/02) P.E.No. 04-54-M

- -