Contract 2023-103
DocuSign Envelope ID: OC2D83B1-B5D1-4E9C-ACE9-02C3OB438646
COLINGTON CONSULTING
HELPING ORGANIZATIONS ACHIEVE HIPAA COMPLIANCE™
P.O. Box 10391 | Burke, Virginia 22009 | 844.740.7100 | info@cchipaa.com | https://www.cchipaa.com
CONTRACT
HIPAA COMPLIANCE SERVICES
FOR
Clermont, Florida Fire Department
Colington Security Consulting, LLC d/b/a Colington Consulting (CC) is pleased to offer the following contract
for HIPAA Compliance Services to Clermont, Florida Fire Department (CLIENT), a HIPAA Covered Entity.
The Client's address:
City of Clermont
Procurement Services Department
685 W. Montrose Street
Clermont, FL 34711
PROJECT OBJECTIVE
The objective of this project is to establish and implement a comprehensive compliance program and risk
management objectives for the client as specified in the Health Insurance Portability and Accountability Act
(HIPAA). Specifically, the project will focus on access to electronic protected health information (ePHI)
maintained by the client and assist the client in improving the effectiveness of existing or the implementation of
security programs while reducing the potential for security and data breaches.
Having a HIPAA Security Risk Assessment and a HIPAA Risk Management Plan is required to be compliant
with the HIPAA "Security Rule." The purpose of the HIPAA Security Risk Assessment is to determine if
proper security safeguards are in place to protect the facility and address employee security policies for those
who must access ePHI. This assessment does not guarantee the elimination of all risks associated with ePHI but
will include recommendations that, if successfully implemented, should help protect ePHI from natural and
environmental hazards as well as unauthorized access. All recommendations are designed to protect the
confidentiality, integrity, and accessibility of ePHI.
The HIPAA Risk Management Plan (all required HIPAA policies, procedures, forms, logs) will be provided for
the sole use and benefit of the Client. CC will provide assistance in implementing this plan. The plan is
designed to provide the Client a structure for evaluation, prioritization, and risk-reducing security measures. It
also serves as the Client's guidelines for compliance with the required specifications in the HIPAA Security
Rule and other related requirements.
SCOPE OF ANALYSIS
The HIPAA Security Risk Assessment will address existing organizational security safeguards that are currently
in place to prevent unauthorized access, tampering, and theft. The scope of the risk assessment will identify the
potential risks and vulnerabilities to the confidentiality, access, and integrity of ePHI that the Client creates,
receives, maintains, or transmits. The assessment questions are based on the HIPAA implementation
specifications, along with HITECH, Omnibus, and NIST 800 security controls. The assessment will gather data;
identify and document potential threats and vulnerabilities; determine the level of risk; identify current security
measures; and provide documentation. Policy and procedure requirements found in areas of the assessment will
be implemented in the HIPAA Risk Management Plan, which will assist the Client in complying with the
established guidelines regarding security safeguard standards as outlined in the HIPAA Security Series. The
HIPAA Privacy Assessment will evaluate compliance with the HIPAA Privacy Rule.
METHODOLOGY
This HIPAA Security Risk Assessment will be accomplished by conducting an accurate and thorough
assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by
the Client. The methodology followed is consistent with the HIPAA Security Series regarding security
safeguard standards.
The HIPAA Risk Management Plan is the foundation for the HIPAA "Security Rule" compliance efforts. The
Risk Management Plan will include written policies and procedures regarding the implementation of security
measures which reduce risks and vulnerabilities to a reasonable and appropriate level in compliance with
45 C.F.R. § 164.306(a)(1). Such plan shall include specific procedures for the Client on safeguards necessary to
effectively manage any risks or vulnerabilities determined by the HIPAA Security Risk Assessment.
DESCRIPTION OF SERVICES
1. A HIPAA Risk Management Plan (HIPAA Policy and Procedures Manual) will be developed. This
includes any necessary changes and edits to the plan for one year. The plan will be a PDF version.
Needed HIPAA forms, logs, reports, and Security and Privacy Official job descriptions will be provided.
The Plan is customized for your organization and does comply with all required areas of the HIPAA
Security Rule. The plan will contain 52 sections of policy and procedure that cover all the HIPAA
implementation specifications found in the Code of Federal Regulations including a breach notification
policy. Any current or draft policies/procedures the Client may have will be incorporated into the plan,
if applicable. This plan meets CFR §164.308(a)(1) and CFR § 164.316(a) requirements.
Other HIPAA guidance documents will be provided, as necessary.
2. An organization-wide HIPAA Security Risk Assessment will be conducted. The assessment questions
are based on the HIPAA Security Standards and Implementation Specifications, along with HITECH,
HIPAA Omnibus Rule, and NIST 800 security controls. This HIPAA Security Risk Assessment will be
accomplished by conducting an accurate and thorough assessment of potential risks and vulnerabilities
to the confidentiality, integrity, and availability of ePHI held by the Client. The methodology followed is
consistent with the HIPAA Security Series regarding safeguard standards. This assessment meets CFR
§164.308(a)(1) requirements.
3. An organization-wide HIPAA Privacy Assessment will be conducted to evaluate compliance
requirements of the HIPAA Privacy Rule.
4. An organization-wide HIPAA Breach Rule Assessment will be conducted.
5. A HIPAA Information Security (InfoSec) Assessment will be conducted.
6. Under the HIPAA Security Standards and Implementation Specifications; Physical Safeguards; Facility
Access Controls; CFR § 164.310(a)(1), a basic Facility Security Plan will be developed and included in
the Risk Management Plan. Facility Security Surveys will be conducted for four (4) locations: Fire
Administration/Station 1 and Stations 2-4.
7. A Contingency/Disaster Recovery Plan will be developed and added as an appendix in the HIPAA Risk
Management Plan. This plan meets CFR § 164.308(a)(7) requirements.
8. Conduct an evaluation of the agency's current HIPAA Security Awareness & Privacy Training to
determine CFR § 164.308(a)(5) requirements. Provide written findings on the strengths and weaknesses
of the current training program. Provide recommendations and guidance for future training programs
for Chief Officers and City personnel.
9. Provide a full range of assistance to ensure the organization's HIPAA Privacy & Security Officials have
the proper processes and procedures in place to implement and manage a HIPAA compliance program
in an operational environment based on the nature of health services being provided.
10. As part of the listed services, provide consultation on HIPAA related issues, as needed, as part of a one-
year contract for services.
The assessment process reviews the administrative, technical, and physical safeguards in place. We
utilize a web-based application for our documentation. Access to the web-based application will be
available for the duration of this contract. Asset inventory is a critical component for HIPAA
compliance. If requested and not already in place, we can include several spreadsheets for hardware and
software asset tracking. PDF versions of all reports are available in the application. Upon conclusion of
the assessment process, we issue a HIPAA Compliance Program Report, a HIPAA Privacy Controls
Report, a HIPAA Security Risk Assessment (security controls and breach notification) Report, a HIPAA
Information Security Report, a Facility Security Survey Report, and a Mitigation Action Plan, if needed.
11. This contract covers the period from October 12, 2023, until October 11, 2024. All services are to
be provided remotely.
DELIVERABLES
A draft HIPAA Risk Management Plan will be generated and delivered to the Client within 30 days after the
risk plan questionnaire is completed and returned. Once the Client reviews the draft Risk Management Plan and
provides approval or requested modifications, we shall perform any required revisions and deliver the final
HIPAA Risk Management Plan to the Client within 10 days of completing the risk assessments. Upon
conclusion of conducting the risk assessment process, written reports will be delivered to the Client within 25
days.
MANAGEMENT PRACTICES
Those workforce members who have any role involving managing the HIPAA compliance program should be
part of the assessment process.
The HIPAA Security, Breach, and Privacy Risk Assessments may take up to 2 hours to complete. The date and
time of the assessment will be mutually agreed upon by the Client and CC. Once scheduled, additional
information will be provided on preparing for the risk assessment process.
CONSULTING FEES
The total cost for this project, as described under "Description of Services," is $4500.00.
Full payment in the amount of $4500 is due upon the execution of this contract. An invoice will be provided for
payment.
Payment for services can be made by check payable to "Colington Consulting" or by ACH payment process
on the invoice. There will be a 3% processing fee added for credit card payments.
This is an all-inclusive contract for HIPAA compliance services, as detailed under Description of
Services, for providing a full range of assistance in implementing and maintaining a HIPAA Compliance
Program.
If any additional services are needed beyond the scope of this contract, the billable rate is $175/hour. The
client will be notified in writing in advance before any additional work beyond the scope of this contract
is undertaken and agreed to by both parties.
HIPAA MAINTENANCE SERVICES CONTRACT
CC shall provide the Client with an option for a HIPAA Maintenance Services Contract upon conclusion of this
current contract. Maintenance Services include reviewing and updates, as needed, to the HIPAA Risk
Management Plan (policies and procedures) to meet CFR § 164.316(b)(2)(iii) requirements, conducting the
annual assessments, conducting an updated facility security survey, and consultation, as needed, on HIPAA
related issues.
The fee for HIPAA Maintenance Services contract will be $3600. Please note: This fee may be subject to
change based on any additional requirements or services requested by the Client.
TRAVEL EXPENSES AND TRAVEL TIME FEES
There are no travel expenses or travel time fees required for this project. All services are to be provided
remotely.
INDEMNIFICATION CLAUSE
Client shall indemnify and hold harmless CC and its successors, assigns, and affiliates and each of their
respective directors, officers, employees, stockholders, agents, and representatives from any third-party loss,
liability, claim, damage, or expense (including reasonable attorney fees and legal expenses) suffered or
incurred, either directly or indirectly, by any such indemnified party arising from, relating to, in connection
with, or otherwise in respect with the products offered and services performed by CC under this contract and
agreement.
INSURANCE COVERAGE
CC maintains professional liability insurance in accordance with the type of work to be performed. Upon
request in writing from Client, CC shall provide proof of such insurance.
CONFIDENTIALITY AGREEMENT
Upon execution of this contract, all recommendations and identified deficiencies, oral and written,
communicated to representatives of the Client by CC in the course of the services outlined in this contract and
agreement will remain confidential. All information discovered in connection with the services to be provided
hereunder will be held in confidence and not discussed, communicated, or transmitted to others.
NON-DISCLOSURE AGREEMENT
The Client will not, except as authorized or required by the Client's legal and regulatory duties hereunder,
reveal or divulge to any person or outside entity any information concerning the content of the completed
HIPAA Risk Assessment and Risk Management Plan provided by CC. The Client will keep in complete secrecy
all confidential information entrusted to the Client and will not use or attempt to use any such information in
any manner which may injure or cause loss, either directly or indirectly, to CC's business interests. The Client
can disclose any reports, policy and procedures, guidelines, security procedures, recommendations, or other
content contained within the completed HIPAA Risk Assessment and Risk Management Plan for business
purposes, such as engaging prospective clients, forging business partnerships, raising capital, at the request of a
Covered Entity, and for client's own office or facility implementation. All other disclosures require written
consent from CC as long as CC exists and contact with CC can be made in a reasonable time period. The
covenants of this paragraph shall be ongoing and shall survive without limit even when the products and
services offered or contemplated under this agreement and contract have been fully delivered and/or performed
by CC.
SIGNATURE PAGE
At your earliest convenience, please sign where indicated below and return a copy of this contract by mail
or a scanned copy along with the payment. If mailing, send it to Colington Consulting, P.O. Box 10391,
Burke, Virginia, 22009.
Jay Hodes
President, Colington Consulting
October 12, 2023

City of Clermont, FL
Accepted
Name: Freddy Suarez
Signature:
Title: Procurement Services Director
Date: 10/12/2023