confidential reporting service request for proposal

RFP Template >$75,000 – May, 2010

Request for Proposal

Confidential Reporting Service Vancouver Island Health Authority (VIHA) RFP Number: O5A-RFP-423

Issue date: April 8, 2011 VIHA Contact Person Closing time and location

Proposals must be sent by mail/courier/hand delivered. Proposals should be clearly marked with the name and address of the Proponent, the Request for Proposal number, and the project or program title. Two (2) complete copies of the proposal as well as one electronic version on a compact disk should be provided and the proposal must be received no later than 2:00 PM Pacific Time on: May 6th, 2011, to the following address:

All enquiries related to this Request for Proposal are to be directed, in writing, to the following person. Information obtained from any other source is not official and should not be relied upon. Enquiries and any responses will be recorded and may be distributed to all Proponents at the VIHA’s option. Attention: Mr. Jim Dempsey Manager, Contract Policy & Standards Vancouver Island Health Authority [email protected] Phone - 250-755-7691 ext. 54098 Fax - (250) 740-2619

Mail/Courier/Hand Delivered Attention: Mr. Jim Dempsey Manager, Contract Policy & Standards Vancouver Island Health Authority Nanaimo General Hospital Receiving 1200 Dufferin Crescent Nanaimo, V9S 2B7 Phone - 250-755-7691 ext. 54098 Fax - (250) 740-2619

Proponent Section: A person authorized to sign on behalf of the Proponent, and to bind the Proponent to statements made in response to this Request for Proposal, must complete and return this Proponent Section by mail/courier/hand delivered, leaving the rest otherwise unaltered, and return one original with the first copy of the proposal. The undersigned agrees that enclosed proposal is submitted in response to the above-referenced Request for Proposal, including any addenda. Through submission of this proposal we agree to all of the terms and conditions of the Request for Proposal and agree that any inconsistent provisions in our proposal will be as if not written and do not exist. We have carefully read and examined the Request for Proposal, and have conducted such other investigations as were prudent and reasonable in preparing the proposal. We agree to be bound by statements and representations made in our proposal.

Signature:

Legal Name of Proponent, and Doing Business As Name If Applicable:

Printed Name:

Title:

Address:

Date: Email:

2 of 45 RFP Template >$75,000 – May, 2010

Table of Contents

A. REQUIREMENTS AND RESPONSE 2

B. DEFINITIONS AND ADMINISTRATIVE REQUIREMENTS 7

APPENDIX A RECEIPT CONFIRMATION FORM 8

APPENDIX B CONTRACT FORM 9

A. REQUIREMENTS AND RESPONSE

1. VIHA SITUATION/OVERVIEW

The Vancouver Island Health Authority (VIHA) is one of six health authorities in the province of British Columbia, Canada. Through a network of hospitals, clinics, centres, health units, and residential facilities, VIHA provides health care to more than 752,000 people on Vancouver Island, on the islands of the Georgia Strait, and in mainland communities north of Powell River, and South of Rivers Inlet. Our health care services include hospital, community and home care. VIHA also provides environmental and public health services, including education and prevention.

Facts & Figures: Description Figures Annual Operating Budget $1.6 Billion Client Population 752,365 Employees 17,000 Staff Unions 14 Physicians 1,700 Facilities 138 Acute Care & Rehabilitation Beds 1,500 Residential Care Beds & Assisted Living Units 5,700

VIHA is governed by a board of directors, appointed by the provincial government. An executive team leads the delivery of health service within the health authority.

VIHA is publicly funded, and accountable to the provincial government and the public for resources used in delivering health care and services.

This Request for Proposal (RFP) is issued on behalf of the Risk Management and Human Resources Departments within VIHA in a joint effort to procure a system that will support VIHA’s allowing employees and the public to confidentially report perceived violations of policy, ethical practice and law.

2. SUMMARY OF REQUIREMENTS

Large organizations across Canada and the United States have procured confidential reporting services to allow employees and the public to confidentially report perceived violations of policy, ethical practice and law. Examples of organizations include Canada Post, Transportation Safety Board of Canada, Telus

CP&S Consulting/Professional Services – Long Form – September 28, 2010 3 of 45

and NASA. VIHA is committed to achieving best practices in these areas of transparency and accountability, and as such is seeking to procure a Confidential Reporting Services. The Confidential Reporting Service will be a third party confidential service accessible to the public and all VIHA employees, physicians and volunteers to report perceived wrong doing. The system will be free of charge to the end-user; and easy to use. It will also provide tools to allow VIHA to efficiently receive anonymous reports and respond appropriately. The term of this engagement is expected to be at least five years, with an option to renew for an additional 5 years. The successful proponent will design, implement and manage the Confidential Reporting Service for VIHA and provide ongoing related services. The Confidential Reporting Service will:

1. Enable anonymous and confidential reporting from members of the public, employees, volunteers and physicians (the “end user”) and route anonymous information to designated VIHA staff for follow-up.

2. Receive reports by phone or electronically (web) 24 hours a day, 365 days per year subject to the availability of Internet and utilities.

3. Be multi-lingual with instructions that are easily understood by the average person. 4. Discourage end users from providing personally identifiable information, unless they consent to

do so. 5. Advise end users about how to protect their privacy when reporting and how to correct personal

information if provided. 6. Provide confirmation of report receipt to the end user. 7. Advise end users of options available to resolve concerns, if the user if comfortable with a non-

anonymous process. 8. Classify complaints according to a prescribed VIHA framework that may change over time.

Examples include: • Theft • Fraud • Non-complaint activities • Client Abuse • Inappropriate/non approved use of online resources as set out in VIHA policy • Conflict of interest

9. Provide access to designated VIHA staff for web-based reporting to track complaints from intake to closure during reasonable business hours.

10. Track the progress of investigations and case management of the issues. 11. Include summary management reporting with metrics such as volume by defined time period, by

classification and length of time to resolve an issue.

VIHA may also structure its contractual relationship with the successful Proponent in a manner that would allow VIHA to extend the offering to other health authorities in the Province.

3. PROJECT SCOPE AND REQUIREMENTS

3.1 OVERVIEW OF REQUIREMENTS


The initial scope of reporting is related to code of conduct expected of VIHA staff, volunteers, contractors and physicians. This scope may be expanded during the term of engagement. The successful proponent will:

• Host and manage a solution as described in the summary requirements. • Have the qualifications and systems security measures to effectively manage confidential

personal and business information in accordance with the laws of Canada and the province of British Columbia.

• Have internal quality control processes to demonstrate compliance with privacy and security laws.

• Have a demonstrated track record providing such a service to other publicly operated organizations in Canada.

• Have expertise in system operation to assess VIHA’s needs and advise VIHA of internal process options and ongoing resources required to support the system.

• Have expertise in implementation planning to advise VIHA of change management activities required to ensure a successful project and operations.

• Have the ability to respond to any service problems identified by VIHA within reasonable time standards.

The technical solution must:

• Be capable of receiving reports 24 hours a day, 365 days per year via phone or web. • Provide confirmation of receipt to the end user, full disclosure of how their information will be

used, and how their information can be corrected if consent to provide personal information is given.

• Route reports maintaining anonymity of the end user to designated VIHA staff to review and determine action.

• Provide web based reporting capability for designated VIHA users with tracking ability from initial intake to closure. The reporting tools will be available Monday to Friday 8:00 am to 8:00 pm.

• Host and manage data external to VIHA in a secure environment that meets the laws of Canada, province of British Columbia and VIHA privacy requirements as defined herein.

• Maintain backup systems within acceptable response times and “up times” as required for delivery of the services.

Also, see section 3.5 for Technical, Privacy and Security requirements

3.2 WORK BREAKDOWN

1. Planning: a. Vendor assessment of local environment b. Shared Vendor and VIHA design of VIHA processes for responding to

complaints c. Shared Vendor and VIHA pilot testing with sample stakeholders for intake, of

VIHA internal processes including reporting requirements d. VIHA review of vendor technology, privacy and security policies and practices e. Shared Vendor and VIHA change management and communications planning

2. Implementation:

a. Vendor enables all User access b. Vendor and VIHA implement Change Management and Communications


c. First year service level agreement finalized

3. Review: a. Shared review on a quarterly basis during year one of operation to include all key

components of the services

4. Sustainability: a. Finalize ongoing review and administrative requirements for remainder of

contract term b. Finalize Service Level Agreement for remainder of contract

3.3 BC SHARED SERVICE ORGANIZATION In December 2007, the BC Health Authorities announced the creation of a BC Health Authority Shared Services Organization (“SSO”) to examine opportunities for Health Authorities to improve cost effectiveness by working collaboratively on common services such as Supply Chain (common products procurement), Payroll and Information Technology. For more information, please visit their website: https://www.bchealthsso.ca/default.htm. Without limiting this Section 3.4, if, at any time during this RFP process and prior to VIHA entering into a Contract, the SSO decides to issue a provincial RFP for services similar to the Services, VIHA may cancel this RFP process and participate in the provincial initiative.

3.4 RELATED CONSIDERATIONS

If a Proponent submits a Proposal which does not satisfy every VIHA request or requirement as described in this RFP, VIHA may, in its discretion, waive such deficiency, seek clarification or additional information from the Proponent, and consider and treat the Proposal as compliant with the requirements of this RFP. All Proponents should exercise extreme care when completing their Proposals as failure to comply with the requirements of this RFP may cause a Proposal to be rejected. A Proponent is deemed to have accepted and be bound by the Terms and Conditions of this RFP by the submission of a Proposal in response to this RFP. Once successful Proponents have been selected, each successful Proponent Representative will be notified in writing of its selection as a successful Proponent (the "Selection Notice"). The Selection Notice will constitute the only valid notice of a Proponent’s selection as a successful Proponent, and will not constitute in any way confirmation of an award of a contract to the successful Proponent. VIHA will not be obligated in any manner to any Proponent until appropriate written Agreements have been duly executed relating to an approved Proposal. Upon receipt of the Selection Notice, the successful Proponent and VIHA will proceed into the Negotiation Phase. Negotiations may then be held with each successful Proponent regarding the terms of any agreements, prior to the execution of any such agreements.


VIHA may agree, in its sole discretion and as part of such negotiations, to modify the terms of any agreement and/or negotiate whatever terms of any other agreements as may be required as VIHA, in its sole discretion, may deem necessary. VIHA may also, in its sole discretion, negotiate with the successful Proponent on whatever other matters VIHA may deem necessary.

3.5 OTHER REQUIREMENTS

The successful proponent must meet VIHA’s IM/IT technical, privacy and security requirements as outlined in Schedule D and E of this RFP. 4. EVALUATION

4.1 MANDATORY CRITERIA Proposals not clearly demonstrating that they meet the following mandatory criteria will be excluded from further consideration during the evaluation process.

4.2 DESIRABLE CRITERIA

Proposals meeting all of the mandatory criteria will be further assessed against desirable criteria.

Criterion Weight

Solution Extent to which solution meets the VIHA needs

30%

Qualifications Qualifications, experience, and expertise to provide serves

30%

Criteria

a) The proposal must be received at the closing location by the specified closing date and time.

b) The proposal must be in English and must be sent by mail/courier.

c) An unaltered, completed RFP cover page including proponent section must be submitted with the proposal by mail/courier/hand delivered.


Price 40%

4.3 PRODUCT DEMONSTRATION One or more of the leading proponents may be requested to provide a product demonstration and should be available for product demonstration approximately 2 - 4 weeks after the RFP closing date (at a location to be determined by VIHA and at the vendor’s expense). The product demonstration will be used to further evaluate the Functional Requirements in workflow scenarios. The scenarios will be provided by VIHA. Evaluation scores from Step 4.2 (100 maximum ponts) will be added to the Evaluation score (100 maximum points) as the demonstrations provide further clarity to the solution’s capabilities. 4.4 SITE VISITS VIHA may contact the proponents’ current customers to request site visits to view the application in an operational environment.

5. PROPOSAL FORMAT

The following format, sequence, and instructions should be followed in order to provide consistency in Proponent response and ensure each proposal receives full consideration. All pages should be consecutively numbered. A. An unaltered, completed and signed RFP cover page including Proponent Section.

B. The following must be addressed in the body of the “Proponent Response”:

5.1 SOLUTION

The solution must be documented according to the following outline:

i. System Design and Technical Components; including how the solution meets VIHA’s technical and policy requirements; and how ethical considerations are built into the solutions

ii. Description of the user interface and its functionality

iii. Description of how VIHA reports status of investigation and resolution iv. Implementation Planning and Testing

v. Implementation vi. Performance Review

vii. Sustainability and Ongoing Services

5.2 QUALIFICATIONS


i. Provide a profile of your organization and your qualifications and experience for providing this service including ethical principles and practices and legal and regulatory requirements that underpin the product design and implementation.

ii. Qualifications and experience providing the required service in comparable organizations.

iii. Provide detail on your organizations Technical Capacity and Capability

iv. Personnel or sub-contractor qualifications v. Proponent References – (with e-mail addresses) Minimum of 3 and Maximum

of 5

5.3 PRICING QUOTE

• It is expected that price will include costing rationale to provide the service (include HST as a separate cost, if applicable)

• Quotes will indicate pricing structure options

5.4 ADDITIONAL REQUIREMENTS

Proposal must indicate the vendor has reviewed VIHA’s IM/IT General Technical Requirements (Appendix C) and policies with respect to the privacy and security of information (Appendix D) and acknowledge how they will comply with these policies.


B. DEFINITIONS AND ADMINISTRATIVE REQUIREMENTS

1. Definitions: Throughout this Request for Proposal, the following definitions apply: a )“Contract” means the written agreement resulting from this Request for Proposal executed by the VIHA and the Contractor; b) “Contractor” means the successful Proponent to this Request for Proposal who enters into a written Contract with the VIHA; c) “VIHA” means Vancouver Island Health Authority d) “must”, or “mandatory” means a requirement that must be met in order for a proposal to receive consideration; e) “Proponent” means an individual or a company that submits, or intends to submit, a proposal in response to this Request for Proposal; f) “should” or “desirable” means a requirement having a significant degree of importance to the objectives of the Request for Proposal.

2. Terms and Conditions: The following terms and conditions will apply to this Request for Proposal process. Submission of a proposal in response to this Request for Proposal indicates acceptance of all the terms that follow and that are included in any addenda issued by the VIHA, as well as the VIHA contract attached. Provisions in proposals that contradict any of the terms of this Request for Proposal will be as if not written and do not exist.

3. Receipt Confirmation Form: Proponents are advised to fill out and return the attached Receipt Confirmation Form as specified. All subsequent information regarding this Request for Proposal, including changes made to this Request for Proposal, will be directed only to those Proponents who return the form and will be distributed by the method authorized on the form.

4. Late Proposals: Late proposals will not be accepted and will be returned to the Proponent at the proponents expense.

5. Eligibility: a) Proposals will not be evaluated if the Proponent’s current or past corporate or other interests may, in the VIHA’s opinion, give rise to a conflict of interest in connection with the project described in this Request for Proposal. This includes, but is not limited to, involvement by a Proponent in the preparation of this Request for Proposal. If a Proponent is in doubt as to whether there might be a conflict of interest, the Proponent should consult with the VIHA Contact Person listed on page 1 prior to submitting a proposal. b) Proposals from not-for-profit agencies will be evaluated against the same criteria as those received from any other Proponents.

6. Evaluation: Evaluation of proposals will be by a committee designated by the VIHA and may include employees and contractors of the VIHA in its sole discretion. The VIHA’s intent is to enter into a Contract with the Proponent who has the highest overall ranking.

7. Negotiation Delay: If a written Contract cannot be negotiated within thirty days of notification of the successful Proponent, the VIHA may, at its sole discretion at any time thereafter, terminate negotiations with that Proponent and either negotiate a Contract with the next qualified Proponent or choose to terminate the Request for Proposal process and not enter into a Contract with any of the Proponents.

8. Debriefing: At the conclusion of the Request for Proposal process, all Proponents will be notified. Unsuccessful Proponents may request a debriefing meeting with the VIHA.

9. Alternative Solutions: If alternative solutions are offered, please submit the information in the same format, as a separate proposal.

10. Changes to Proposals: By submission of a clear and detailed written notice, the Proponent may amend or withdraw its proposal prior to the closing date and time. Upon closing time, all proposals become irrevocable. The Proponent will not change the wording of its proposal after closing and no words or comments will be added to the proposal unless requested by the VIHA for purposes of clarification.

11. Proponents’ Expenses: Proponents are solely responsible for their own expenses in preparing a proposal and for subsequent negotiations with the VIHA, if any. If the VIHA elects to reject all proposals, the VIHA will not be liable to any Proponent for any claims, whether for costs or damages incurred by the Proponent in preparing the proposal, loss of anticipated profit in connection with any final Contract, or any other matter whatsoever.

12. Limitation of Damages: Further to the preceding paragraph, the Proponent, by submitting a proposal, agrees that it will not claim damages, for whatever reason, relating to the Contract or in respect of the competitive process, in excess of an amount equivalent to the reasonable costs incurred by the Proponent in preparing its proposal and the Proponent, by submitting a proposal, waives any claim for loss of profits if no Contract is made with the Proponent.

13. Proposal Validity: Proposals will be open for acceptance for at least 90 days after the closing date.

14. Firm Pricing. Prices will be firm for the entire Contract period unless this Request for Proposal specifically states otherwise.

15. Currency and Taxes. Prices quoted are to be:

a) in Canadian dollars; b) inclusive of duty, where applicable; FOB destination, delivery charges included where applicable; and c) exclusive of Goods and Services Tax and Provincial Sales Tax.

16. Completeness of Proposal: By submission of a proposal the Proponent warrants that, if this Request for Proposal is to design, create or provide a system or manage a program, all components required to run the system or manage the program have been identified in the proposal or will be provided by the Contractor at no charge.

17. Sub-Contracting

a) Using a sub-contractor (who should be clearly identified in the proposal) is acceptable. This includes a joint submission by two Proponents having no formal corporate links. However, in this case, one of these Proponents must be prepared to take overall responsibility for successful performance of the Contract and this should be clearly defined in the proposal. b) Sub-contracting to any firm or individual whose current or past corporate or other interests may, in the VIHA’s opinion, give rise to a conflict of interest in connection with the project or program described in this Request for Proposal will not be permitted. This includes, but is not limited to, any firm or individual involved in the preparation of this Request for Proposal. If a Proponent is in doubt as to whether a proposed subcontractor gives rise to a conflict of interest, the Proponent should consult with the VIHA Contact Person listed on page 1 prior to submitting a proposal. c) Where applicable, the names of approved sub-contractors listed in the proposal will be included in the Contract. No additional subcontractors will be added, nor other changes made, to this list in the Contract without the written consent of the VIHA.

18. Acceptance of Proposals

a) This Request for Proposal should not be construed as an agreement to purchase goods or services. The VIHA is not bound to enter into a Contract with the Proponent who submits the lowest priced proposal or with any Proponent. Proposals will be assessed in light of the evaluation criteria. The VIHA will be under no obligation to receive further information, whether written or oral, from any Proponent. b) Neither acceptance of a proposal nor execution of a Contract will constitute approval of any activity or development contemplated in any proposal that requires any approval, permit or license pursuant to any federal, provincial, regional district or municipal statute, regulation or by-law.

19. Definition of Contract. Notice in writing to a Proponent that it has been identified as the successful Proponent and the subsequent full execution of a written Contract will constitute a Contract for the goods or services, and no Proponent will acquire any legal or equitable rights or privileges relative to the goods or services until the occurrence of both such events.

20. Contract: By submission of a proposal, the Proponent agrees that should its proposal be successful the Proponent will enter into a Contract with the VIHA on the terms set out in Appendix B.

21. Liability for Errors: While the VIHA has used considerable efforts to ensure information in this Request for Proposal is accurate, the information contained in this Request for Proposal is supplied solely as a guideline for Proponents. The information is not guaranteed or warranted to be accurate by the VIHA, nor is it necessarily comprehensive or exhaustive. Nothing in this Request for Proposal is intended to relieve Proponents from forming their own opinions and conclusions with respect to the matters addressed in this Request for Proposal.

22. Modification of Terms: The VIHA reserves the right to modify the terms of this Request for Proposal at any time in it sole discretion. This includes the right to cancel this Request for Proposal at any time prior to entering into a Contract with the successful Proponent.

23. Ownership of Proposals: All proposals submitted to the VIHA become the property of the VIHA. They will be received and held in confidence by the VIHA, subject to the provisions of the Freedom of Information and Protection of Privacy Act and this Request for Proposal.

24. Use of Request for Proposal: Any portion of this document, or any information supplied by the VIHA in relation to this Request for Proposal may not be used or disclosed, for any purpose other than for the submission of proposals.


Appendix A Receipt Confirmation Form

Confidential Reporting Service Request for Proposal #: O5A-RFP-423

Vancouver Island Health Authority

To receive any further information about this Request for Proposal Proponents should return this form by April 20, 2011 to:

Mr. Jim Dempsey Manager, Contract Policy & Standards

Vancouver Island Health Authority [email protected]

Phone - 250-755-7691 ext. 54098 Fax - (250) 740-2619

Company

Street address:

City/Province: Postal Code:

Mailing address if different:

Phone number: Facsimile number:

Contact person: Title:

e-mail: ________________


Appendix B Contract Form By submission of a proposal, the Proponent agrees that should its proposal be successful the Proponent will enter into a Contract with the VIHA in accordance with the terms of the VIHA’s Service Contract; a copy of which is attached:

STANDARD AGREEMENT PROFESSIONAL SERVICES BETWEEN

Vancouver Island Health Authority AND

(Enter Contractor’s Name)

Department/Program: ________________ (the “VIHA”)

(the “Contractor”)

At the following address: At the following address: 1952 Bay Street Victoria, BC V8R 1J8

Fax: (250) 370-8713

Telephone: (250) Fax: (250)

WHEREAS: A. The VIHA is responsible for establishing regional health care priorities, specifying regional

service standards and monitoring the performance of service providers for the provision of health care in the Vancouver Island health region.

B. In connection with the fulfillment of its responsibilities, the VIHA has agreed to engage the

Contractor, and the Contractor has agreed to accept such engagement, in each case, to provide to the VIHA the services described in Schedule A to this Agreement (the “Services”) on the terms and conditions set out in this Agreement.

IN CONSIDERATION of the mutual covenants hereinafter appearing, the parties agree as follows: Engagement:


1. Subject to Section 3 below, the VIHA hereby engages the Contractor and the Contractor hereby accepts such engagement, in each case, to provide the Services in accordance with the specifications, if any, and by the times specified in this Agreement.

2. Upon the request of the VIHA, the Contractor shall conduct a criminal records check against

the Contractor, its employees and sub-contractors (as the VIHA may direct) under the Criminal Records Review Act (British Columbia). If the VIHA does not receive an acceptable criminal records check against the Contractor, its employees and sub-contractors (as the VIHA may direct) prior to the commencement of the Term, this Agreement shall be of no force or effect without further obligation of either party to the other.

Term: 3. The Contractor will provide the Services during the period commencing upon

_____________________, 201_ and ending, subject to earlier termination as herein provided, on____________________, 201_ (the “Term”). The Contractor hereby represents and warrants that all Services provided prior to the date of execution of this Agreement, if any, were provided in accordance with the terms and conditions of this Agreement.

Independent Contractor: 4. The Contractor will be an independent contractor and not the employee, agent, partner or

joint venturer of the VIHA, and the Contractor will not hold itself out to the public as such. The Contractor agrees that neither the Contractor nor any person employed by or associated with the Contractor in the performance of the Services or otherwise is an employee of, or has an employment relationship of any kind with, the VIHA.

5. The VIHA will have no liability or responsibility for the withholding, collection or payment

of income taxes, unemployment insurance, statutory or other taxes or payments of any other nature on behalf of, or for the benefit of, the Contractor or any other persons.

6. The Contractor will not in any manner whatsoever commit or purport to commit the VIHA to

the payment or receipt of any money or other consideration, or the acceptance or provision of any goods or services, except as expressly authorized by this Agreement.

7. The Contractor will provide and pay for all labour, materials, tools or approvals necessary to

provide the Services. Standard of Care: 8. The Contractor will perform the Services to a standard of care, skill, and diligence exercised

by persons providing, on a commercial basis, services similar to the Services. 9. The Contractor will ensure that all persons who perform the Services are competent to

perform the Services and are properly trained, instructed, and supervised. The Contractor will be solely responsible for the acts and omissions of the Contractor’s employees and agents in performing the Services.


10. The Contractor will perform the Services in accordance with: (a) all applicable laws; (b) the provisions of this Agreement including the decisions of arbitrators pursuant to this Agreement; (c) any instructions or directions that may be given by the VIHA to the Contractor from time to time with respect to the provision of the Services; (d) all policies, guidelines and directives established from time to time by the VIHA (including in particular, any policies of VIHA regarding confidentiality); and (e) all required permits and licenses.

11. Where by virtue of this Agreement or of any law or governing body having jurisdiction with respect to the same, the Services are required to be provided by a duly qualified or licensed practitioner, professional, or a person with a specified qualification, level of training, or competence and experience, the Contractor will, upon request of the VIHA from time to time, provide evidence satisfactory to the VIHA that the Contractor and all persons engaged by the Contractor to deliver the Services has the requisite qualification, level of training, competence or experience, holds or has been issued all required licenses, certificates and memberships and that such licenses, certificates and memberships are in good standing.

Intellectual Property: 12. Subject to section 13, VIHA acknowledges and agrees that all right, title and interest in

anything conceived, developed or made by the Contractor in connection with the delivery of the Services, including all intellectual property rights associated thereto, will be for the benefit of the Contractor and will be the property of the Contractor.

13. Notwithstanding section 12, the Contractor will not own any of the data that is entered,

exchanged, stored or manipulated in connection with the Services (the “VIHA Data”). The Contractor acknowledges that VIHA Data contains Confidential Information that is protected by section 15.

14. Intentionally Deleted Confidentiality: 15. The Contractor will treat as confidential and will not, without the prior written consent of the

VIHA, publish, release, or disclose or permit to be published, released or disclosed either before or after the termination of this Agreement, any Confidential Information (as defined below) nor will the Contractor use or exploit, directly or indirectly, any Confidential Information for any purpose other than for the fulfillment of obligations under this Agreement. Notwithstanding the foregoing, the Contractor will be entitled to disclose Confidential Information if required by law including the Freedom of Information and Protection of Privacy Act (British Columbia), provided that the Contractor will promptly notify, consult with, and cooperate with the VIHA, prior to any disclosure, in any attempt to resist or narrow such disclosure or to obtain an order or other assurance so that such information will be accorded confidential treatment.

16. “Confidential Information” for the purpose of this Agreement means any and all information

supplied to, obtained by or which comes to the knowledge of the Contractor as a result of this Agreement with respect to the VIHA including, without limitation, all patient and client information (including patient names, addresses, telephone numbers and medical history), all


trade secrets, know-how, processes, formulas, standards, product specifications, marketing plans and techniques, cost figures, access or security codes, all systems software applications, all software/systems source and object codes, data, documentation, program files, flow charts, drawings and all operational procedures except that Confidential Information does not include information which the Contractor can prove is information which is in the public domain at the date of disclosure by VIHA to the Contractor, is received by the Contractor without obligation of confidence from a third party who is in lawful possession of such information free of any obligation of confidence and is not otherwise prohibited from transmitting such information to the Contractor by a contractual, legal or fiduciary obligation.

17. The Contractor acknowledges and agrees that its compliance with the Act and this

Agreement in respect of Data shall supercede and have paramountcy over any compliance with privacy laws of general application in the private sector having application to the Contractor.

Further Agreements: 18. The Contractor agrees that no person will provide any Services (directly or indirectly)

hereunder either as an employee, contractor, sub-contractor or agent unless such person first agrees, in writing, to be bound by the terms of Sections 12 to 17 as if such person had contracted with the VIHA directly.

Indemnity, Insurance and Liability: 19. The Contractor will indemnify and save harmless the VIHA, its governors, directors, officers,

employees and agents, from and against any and all losses, claims, damages, actions, causes of action, costs and expenses the VIHA may sustain or incur, at any time, either before or after the expiration or termination of this Agreement, which are based upon, arise out of or occur, directly or indirectly, by reason of, any act or omission by the Contractor or of any agents, employees, officers, directors or subcontractors in providing the service except, with respect to the extent any such claim arises solely from the negligence of the VIHA.

20. The aggregate liability of the VIHA to the Contractor for any matters or claims of whatsoever nature and kind under or in connection with this Agreement will be limited to the “Maximum Amount” specified in Schedule B.

21. The Contractor will maintain and pay for insurance on the terms, including form, amounts,

and deductibles, outlined in Schedule E, and on such other terms, as may from time to time be directed by the VIHA.

22. The Contractor will comply with the Workers' Compensation Act of the Province of British

Columbia and in particular will obtain and maintain during the Term the necessary coverage as specified in Schedule G.

Assignment and Sub-contracting:


23. The Contractor may not assign its rights under this Agreement without prior written consent by the VIHA. Any attempt to assign any of the rights, duties or obligations of this Agreement without such written consent is void.

24. The Contractor will perform its obligations under this Agreement either itself or through the

independent contractors listed in Schedule D, if any. The Contractor will not sub-contract any obligation under this Agreement other than to persons listed in Schedule D, if any, without the prior written consent of the VIHA.

25. The Contractor shall be fully responsible to the VIHA for acts and omissions of sub-

contractors and of persons directly and indirectly employed by them. No sub-contract, whether consented to or not, relieves the Contractor from any of its obligations under this Agreement.

Conflict of Interest: 26. The Contractor will not perform a service for or provide advice to any person, firm or

corporation where the performance of the service or the provision of the advice may or does, in the reasonable opinion of the VIHA, give rise to a conflict of interest between the obligations of the Contractor to the VIHA under this Agreement and the obligations of the Contractor to such other person, firm or corporation.

Payment: 27. In consideration of the Contractor providing Services, VIHA will pay the Contractor fees

described in Schedule B. 28. The VIHA will reimburse the Contractor for expenses, if any, described in Schedule B

provided such expenses are supported, where applicable, by proper receipts and, in the opinion of the VIHA, such expenses were reasonably and necessarily incurred by the Contractor in providing the Services.

29. In no circumstances will the aggregate amount required to be paid by VIHA to the Contractor

on account of fees and expenses exceed the "Maximum Amount" specified in Schedule B. The Contractor is not entitled to any other amounts or benefits other than the fees and expenses set out in Schedule B.

30. The VIHA may treat amounts owing by it under this Agreement as fully paid and satisfied by

way of set-off against amounts owing by the Contractor to the VIHA, including in amounts owing by the Contractor under Section 19.

31. The Contractor will invoice the VIHA with respect to the amounts in Sections 27 and 28 of

this Agreement in accordance with Schedule B. If the VIHA agrees with the amount and form of the invoice, the VIHA will pay such invoice within 60 days of receipt.

Termination: 32. The VIHA may terminate this Agreement:


(a) immediately, if the Contractor is in default of any of its obligations under this Agreement and if in the reasonable opinion of the VIHA such breach is material;

(b) upon 10 days' written notice to the Contractor, for any reason; or (c) immediately, if the Contractor is in default of any obligations under this Agreement

(which default, in the reasonable opinion of VIHA is not material) and fails to cure such default within a period of not less than 30 days after notice of such default from VIHA.

33. Notwithstanding the termination of this Agreement (for any reason other than pursuant to

Section 32(a)), the VIHA will remain obligated to pay the Contractor all of the fees for, and disbursements incurred in connection with, the Services rendered prior to such termination. Payment of such invoice will discharge the VIHA from all liability to the Contractor under this Agreement.

34. Upon termination of this Agreement, the Contractor will release to the VIHA all property of

the VIHA which is in the control of the Contractor pursuant to this Agreement. Notice: 35. Any notice contemplated by this Agreement, to be effective, must be in writing and be:

(a) faxed to the addressee's fax number specified in this Agreement, (b) delivered by hand to the addressee's address specified in this Agreement, or (c) mailed by prepaid registered mail to the addressee's address specified in this Agreement.

36. Any notice issued in accordance with Section 35 is deemed to be received 96 hours after

mailing if mailed, on receipt if delivered by hand, or on the next business day if sent by facsimile. Either of the parties may give notice to the other of a substitute address or fax number from time to time.

General: 37. Each provision of this Agreement is several. If any provision of this Agreement is or

becomes illegal, invalid or unenforceable in any jurisdiction, the illegality, invalidity or unenforceability of that provision will not affect: the legality, validity or enforceability of the remaining provisions of this Agreement or the legality, validity or enforceability of that provision in any other jurisdiction.

38. Time is of the essence in this Agreement. 39. The schedules attached to this Agreement, will, for all purposes, form an integral part of the

Agreement. 40. This Agreement enures to the benefit of and binds the Parties and their respective successors,

heirs, executors, administrators, personal and legal representatives and permitted assigns. 41. All disputes arising out of or in connection with this Agreement must, unless the parties

otherwise agree, be submitted to arbitration under the Commercial Arbitration Act (British Columbia). The award of the arbitrator will be final and binding on the parties.


42. No failure to exercise, and no delay in exercising, any right or remedy under this Agreement will be deemed to be a waiver of that right or remedy. No waiver of any breach of any provision of this Agreement will be deemed to be a waiver of any subsequent breach of that provision or of any similar provision.

43. Any party may deliver an executed copy of this Agreement by fax but that party will

immediately dispatch by delivery in person to the other parties an originally executed copy of this Agreement. This Agreement and all documents contemplated by or delivered under or in connection with this Agreement may be executed and delivered in any number of counterparts with the same effect as if all parties had signed and delivered the same document and all counterparts will be construed together to be an original and will constitute one and the same agreement.

44. No amendment, supplement, restatement or termination of any provision of this Agreement is

binding unless it is in writing and signed by each person that is a party to this Agreement at the time of the amendment, supplement, restatement or termination.

45. This Agreement and all documents contemplated by or delivered under or in connection with

this Agreement, constitute the entire agreement between the parties with respect to the subject matter of this Agreement and supercede all prior agreements, negotiations, discussions, undertakings, representations, warranties and understandings, whether written or oral, express or implied, statutory or otherwise.

46. All provisions of this Agreement which are expressly or by implication to come into or

continue in force and effect after the expiration or termination of this Agreement will remain in effect and be enforceable following expiration or termination, including without limiting the generality of the foregoing, Sections 12 to 17 inclusive, 19 and 20.

47. This Agreement is governed by and is to be construed in accordance with the laws of British

Columbia and the federal laws of Canada applicable therein. 48. If there is a conflict between a Schedule to this Agreement and any other provision of this

Agreement, the Agreement shall govern to the extent of the conflict. 49. The Contractor will execute such further assurances and other documents and instruments

and do such further and other things as may be necessary to implement and carry out the intent of this Agreement.


THE PARTIES have duly executed this Agreement the ____ day of ______________, 20___. SIGNED AND DELIVERED on behalf of the Vancouver Island Health Authority by an authorized representative of the VIHA:

SIGNED AND DELIVERED by or on behalf of the Contractor (or by an authorized signatory of the Contractor if a corporation):

Authorized Representative: (signature) Authorized Representative: (print name) Authorized Representative: (print title) Department:__________________________

Contractor or Authorized Signatory: (signature) Contractor or Authorized Signatory: (print name) Contractor or Authorized Signatory: (print title)

Contractor: Term:

Contract No.:


SCHEDULE A

SERVICES

To be negotiated

Contractor: Term:

Contract No.:


SCHEDULE B

FEES AND EXPENSES

To be negotiated

Contractor: Term:

Contract No.:


SCHEDULE C

REPORTING ACCOUNTABILITIES

The Contractor will keep full and detailed records dealing with all aspects of the Services performed by it hereunder, including without limitation, time records, invoices, receipts, and vouchers of all expenses incurred and shall provide the VIHA with access thereto at all reasonable times and maintain the same in a form and content satisfactory to the VIHA, in accordance with good records management practices and, to the extent applicable, in accordance with Schedule F – Privacy (in accordance with the Freedom of Information and Protection of Privacy Act). Upon the request of the VIHA, the Contractor will provide the VIHA with a report of all work done by the Contractor or a sub-contractor in connection with the Services. In addition to the VIHA’s rights under Section 12 to 17 of this Agreement, during the Term, the Contractor will permit the VIHA at all reasonable times to inspect and copy all material that has been produced or received by the Contractor or any sub-contractor as a result of or in connection with this Agreement or the performance of the Services, including, without limitation, all findings, software, data, specifications, drawings, case files, reports, and documents, whether complete or not (collectively, the "Material"). Performance Management: To be negotiated

Contractor: Term:

Contract No.:


SCHEDULE D

APPROVED SUB-CONTRACTOR(S)

The approved sub-contractor(s) to whom the Contractor may sub-contract under this Agreement include:

Name of Sub-contractor Type of Service

Contractor: Term:

Contract No.:


SCHEDULE E

INSURANCE (S)

1. The Contractor shall, without limiting its obligations or liabilities herein and at its own

expense, provide and maintain the following insurances with insurers licensed in British Columbia and in forms and amounts acceptable to the VIHA:

1.1 Automobile Liability on all vehicles owned, operated or licensed in the name of the

Contractor, in an amount not less than $2,000,000.

1.2 Comprehensive General Liability in an amount not less than $5,000,000 (for a different amount of General Liability Limit contact the Manager, Contract Policy & Development) inclusive per occurrence, insuring against bodily injury, personal injury and property damage. The VIHA is to be added as an additional insured under this policy. Such insurance shall include, but not be limited to:

1. Products and Completed Operations Liability; 2. Owner's and Contractor's Protective Liability; 3. Blanket Written Contractual Liability; 4. Contingent Employer's Liability; 5. Personal Injury Liability; 6. Non-Owned Automobile Liability; 7. Cross Liability; 8. Employees as Additional Insureds; 9. Broad Form Property Damage; and 10. if applicable, Tenant's Legal Liability in an amount adequate to cover a loss to

premises of the VIHA occupied by the Contractor.

1.3 Professional Liability in an amount not less than $5,000,000 insuring the Contractor's liability for errors and omissions in the performance of professional services under this Agreement. (If lower professional liability coverage is being considered, contact the Manager, Contract Policy & Development).

2. The Contractor shall have their insurance agent or broker complete the Certificate of

Insurance form verifying the Contractor’s insurance coverage. The Certificate of Insurance form is found on the following page of this Schedule. This form shall be completed on an annual basis, during the term of this contract, and provided to the VIHA.


CERTIFICATE OF INSURANCE

Freedom of Information and Protection of Privacy Act The personal information requested on this form is collected under the authority of and used for the purposes of contract review.

To be completed by Agent or Broker CERTIFICATE IS ISSUED TO: CONTRACTOR NAME

CONTRACTOR ADDRESS

And certifies that policies of insurance as herein described have been issued to the insured(s) named below and are in full force and effect as of the effective date of the agreement.

NAME

INSURED

ADDRESS PROVIDE DETAILS

OPERATIONS

INSURED

TYPE OF INSURANCE COMPANY NAME AND POLICY NO.

EXPIRY DATE

Y M D

LIMIT OF LIABILITY/AMOUNT

COMPRHENSIVE/ COMMERCIAL GENERAL

LIABILITY

INCLUSIVE LIMITS $ ___________________________

AUTOMOBILE LIABILITY (OWNED OR LEASED

VEHICLES)

PRIMARY $ _____________________

EXCESS $ _____________________

UMBRELLA LIABILITY LIMITS $ ____________________

EXCESS OF $ ____________________

PROFESSIONAL LIABILITY

LIMITS $ _______________________

PROPERTY

DETAILS $_______________________

$_______________________

OTHER

DETAILS $ ______________________

$ _______________________

These policies comply with the insurance requirements of the governing contract, permit or license with the Health Region / Health Council / Community Health Services Society or other stand alone entity. It is understood and agreed that where required by the governing contract/permit or license, the Health Region / Health Council / Community Health Services Society or other stand alone entity has been added as an additional insured and that thirty (30) days' notice of any material change or cancellation of any of the policies listed herein, either in part or in whole will be given by the insurers to the holder of this certificate.

DATE SIGNED SIGNED BY THE CONTRACTOR/PERMITTEE/LICENSEE Y

M D

DATE SIGNED SIGNED ON BEHALF OF THE CONTRACTOR'S/PERMITTEE'S/LICENSEE'S INSURERS Y

M

D

TO BE REPLACED WITH ORIGINAL ‘CERTIFICATE OF INSURANCE

Contractor: Term:

Contract No.:


SCHEDULE F (H)

PRIVACY

Custody and Control of Data 1. Purpose

The purpose of this Schedule is to: (a) enable the Customer to comply with its statutory obligations under the Act with respect to personal information; and (b) ensure that the Service Provider is aware of and complies with its statutory obligations under the Act with respect to personal information.

2. Definitions

“Act” means the Freedom of Information and Protection of Privacy Act (British Columbia), as amended from time to time.

“Associate” has the meaning specified in the Act. “Authorized Site” means Service Provider’s head office in British Columbia or at such other location in Canada as may be approved in writing by the Customer. “Agreement” means the Agreement to which the Schedule is appended.

“Commissioner” means the BC Information and Privacy Commissioner appointed under the Act.

“Conflicting Foreign Order” means any order, subpoena, directive, ruling, judgement, injunction, award or decree, decision, request or other requirement issued from a foreign court, agency of a foreign state or other authority outside Canada or any foreign legislation the compliance with which would likely render the Customer or its employees in non-compliance with the Act. “Contact Information” means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.

“Customer” means Vancouver Island Health Authority. “Foreign Access Conditions” means:

(i) the Service Provider must ensure that such access is limited to temporary access and storage for the minimum time necessary for the Permitted Purpose; and

(ii) if such access is for the Permitted Purpose of data recovery, the Service Provider must ensure such access is limited to access and storage only after the system failure has occurred.

“Permitted Purpose” means access to Records containing Personal Information that is necessary for:


(i) installing, implementing, maintaining, repairing, trouble-shooting or upgrading an electronic system used by the Customer or by the Service Provider to provide services to the Customer pursuant to the Agreement, or any equipment that includes an electronic system used by the Customer or by the Service Provider to provide services to the Customer or by the Service Provider to provide services to the Customer pursuant to the Agreement; or

(ii) recovery of data (including Personal Information) undertaken following the failure of an electronic system used by the Customer or by the Service Provider to provide services to the Customer.

“Personal Information” means recorded information about an identifiable individual, other than contact information, collected or created by the Service Provider or otherwise held on behalf of the Service Provider as a result of the Agreement or any previous agreement between the Customer and the Service Provider dealing with the same subject matter as the Agreement but excluding any such information that, if this Schedule did not apply to it, would not be under the “control of a public body” within the meaning of the Act. “Personnel” means any employees, agents, representatives or Associates of the Service Provider who provide the Services or to whom access is made available to Personal Information for the purposes of fulfilling the Service Provider’s obligations under the Agreement. “Access Agreement” means an agreement between Personnel and the Service Provider requiring the security of Personal Information. “Record” includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information, including Personal Information, is recorded or stored by graphic, electronic, mechanical or other means, but does not include a computer program or any other mechanism that produces records. “Service Provider” has the meaning set out on page one of this Agreement.

“Schedule” means this Privacy Schedule, as may be amended from time to time. 3. Interpretation

In this Schedule, references to sections by number are to sections of this Schedule unless otherwise specified in this Schedule.

4. Service Provider Subject to the Act

(a) The Service Provider must in relation to Personal Information comply with: (a) the requirements of the Act applicable to the Service Provider, including any applicable order of the Commissioner under the Act; and (b) any direction given by the Customer under this Schedule. If the Customer learns of a Commissioner order applicable to the Service Provider’s services, it will notify the Service Provider.

(b) The Service Provider acknowledges that it is familiar with the requirements of the Act governing Personal Information that are applicable to it as a service provider.

5. Collection of Personal Information


(a) Unless the Agreement otherwise specifies or the Customer otherwise directs in writing, the Service Provider may only collect, create or hold, on behalf of the Customer, Personal Information that is necessary for the performance of the Service Provider’s obligations, or the exercise of the Service Provider’s rights, under the Agreement.

(b) The Service Provider may only collect Personal Information if expressly authorized by the Agreement. Where authorized to do so, and unless the Agreement otherwise specifies or the Customer otherwise directs in writing, the Service Provider shall: (i) collect Personal Information directly from the individual the information is about; and (ii) tell an individual from whom the Service Provider collects Personal Information the purpose for collecting it; the legal authority for collecting it; and the title, business address and business telephone number of the person designated by the Customer to answer questions about the Service Provider’s collection of Personal Information.

6. Accuracy of Personal Information

Where applicable to the Services provided by the Service Provider pursuant to the Agreement, the Service Provider shall make every reasonable effort to ensure the accuracy and completeness of any Personal Information that comes into their custody pursuant to this Agreement and which may be used by the Service Provider or the Customer to make a decision that directly affects the individual the information is about.

7. Receiving Requests for Access or Correction to Personal Information

If a request is received under the Act for access to, or correction of, Records that are in the custody of the Service Provider but under the control of the Customer, the Service Provider must promptly advise the person to make the request to the Customer and if the Customer has advised the Service Provider of the name or title and contact information of an official of the Customer to whom such requests are to be made, the Service Provider must also promptly provide that official’s name or title and contact information to the person making the request. The Service Provider must provide the Records to the Customer for management by the Customer’s Information and Privacy Officer. This shall occur within a reasonable time frame to enable the Customer to comply with the Act. If a request is permitted by the Act, the Service Provider shall be responsible for providing the Records at the Service provider’s expense to the Customer. If the Service Provider is expressly authorized by the Agreement to manage the request for correction of records, the Service Provider shall do so in accordance with Section 8 of this schedule.

8. Correction of Personal Information

The Service Provider may only correct Personal Information f expressly authorized by the Agreement. Where authorized to do so, and unless the Agreement otherwise specifies or the Customer otherwise directs in writing:

(a) Within 5 business days of receiving a written direction from the Customer to correct or annotate any Personal Information, the Service Provider must annotate or correct the information in accordance with the direction.


(b) When issuing a written direction under paragraph (a), the Customer must advise the Service Provider of the date the correction request to which the direction relates was received by the Customer in order that the Service Provider may comply.

(c) Within 5 business days of correcting or annotating any Personal Information, the Service Provider must provide the corrected or annotated information to any party to whom, within one year prior to the date the correction request was made to the Customer, the Service Provider disclosed the information being corrected or annotated.

9. Control or and Rights in the Record

All right, title and interest in, and control and custody of, all Records shall remain with the Customer. No interest or any right respecting the Record, other than as expressly set out herein, is granted to the Service Provider under this Schedule, by implication or otherwise. If Personal Information is collected by the Service Provider and transmitted to the Customer, such Personal Information is deemed to be under the control of the Customer.

10. Access to and Use of Personal Information

(a) The Service Provider is hereby granted temporary access to Personal Information pursuant to the terms and conditions of this Schedule, for the sole and express purpose of fulfilling its obligations under the Agreement and for no other use or purpose except as required to comply with any Canadian statutory or other legal requirement, including an Order of a Canadian Court, although any disclosure of Personal Information remains subject to Section 12 of this Schedule. The Service Provider shall not copy or reproduce any written materials containing Personal Information without the Customer’s prior written consent as defined in the Terms and Conditions. Notwithstanding the foregoing, the Service Provider may access Records containing Personal Information for a Permitted Purpose. However, if Records containing Personal Information are disclosed outside of Canada or accessed from outside of Canada, the Service Provider must comply with the Foreign Access Conditions.

(b) The Service Provider shall not take any action to obtain access of any kind to any Personal Information from any location outside of Canada except for a Permitted Purpose or as permitted by the Act and then only subject to the Foreign Access Conditions and such other processes and access controls as may be imposed by the Customer.

(c) Except as otherwise permitted under this Schedule, the Service Provider shall not remove, physically, electronically or in other manner whatsoever from the authorized premises of the Customer, any Personal Information, without the Customer’s prior written consent. Except as otherwise permitted under this Schedule, the Service Provider shall not store any Personal Information or permitted back-up copies of the Personal Information off-site unless expressly authorized by Customer. Where authorized, Service Provider must store back-up records off-site in Canada under conditions that are the same as or better than on-site storage conditions for original Records.

(d) The Service Provider will ensure that only Personnel who have entered into an Access Agreement may access the Personal Information. Unless approved by the Customer, the


Service Provider may not enter into any form of a Personal Information sharing relationship with any other party.

11. Return or Destruction of the Record Upon Request

(a) Unless the Agreement otherwise specifies, the Service provider must retain Personal Information until directed by the Customer in writing to dispose of it or deliver it as specified in the direction. Upon the request of the Customer for any reason whatsoever, and unless required to do otherwise in order to comply with any Canadian statutory or other legal requirement, including an Order of a Canadian Court, although any disclosure of Personal Information remains subject to Section 12 of this Schedule, the Service Provider shall deliver to the Customer or destroy promptly, according to the Customer’s instructions, all documents or other Records in any form or format whatsoever in the Service Provider’s possession constituting or based upon Personal Information and shall confirm that delivery or destruction to the Customer in writing. If, for any reason, the Service Provider fails to return or destroy any Record in accordance with this Section 11, the Service Provider’s obligations pursuant to this Schedule will continue in full force and effect.

(b) In the event of destruction of electronic Personal Information by the Service Provider, the following instructions shall be adhered to: (i) Personal Information erasure may be accomplished by software erasure (where

feasible) or by physical destruction of the media; (ii) Software erasure must be at a minimum to US DoD standard 5220.22-M (this

standard is achievable through a number of products such as Norton WipeInfo); (iii) Physical destruction of paper media can be done by burning, by crosscut shredding,

or by pulping; (iv) Physical destruction of disc media can be done by use of tools such as hammers, band

saws, or drills in order to render the device no longer useable; and (v) Some media such as diskettes can be run through a degausser in order to render them

no longer readable. 12. Disclosure to Third Parties

Except as specifically permitted by the Customer in writing, the Service Provider shall not disclose and shall not allow any Personnel to disclose in any manner whatsoever any Personal Information to any person, firm or corporation without the prior written consent of the Customer. The Service Provider agrees that such consent shall only be provided if such disclosure is permitted under the Act and the third party agrees, in writing, to be bound by the Act. If the Service Provider or anyone to whom the Service Provider transmits Personal Information pursuant to a Permitted Purpose, becomes legally compelled or otherwise receives a demand to disclose Personal Information other than as permitted by the Act, including without limitation pursuant to any Conflicting Foreign Order, the Service Provider will not do so unless: (a) the Customer has been notified; (b) the parties have appeared


before a Canadian Court; and (c) the Court has ordered the disclosure. Unauthorized disclosure is subject to penalties under the Act.

13. Privacy Representative

If required by the Customer, immediately upon execution of the Agreement the Service Provider shall appoint a representative to be responsible for the Service Provider’s compliance with this Schedule and the Act (the “Privacy Representative”). The Service Provider shall grant its Privacy Representative sufficient authority to communicate and execute documents on behalf of the Service Provider as may be required from time to time for this purpose. The Service Provider shall promptly provide the Customer with the name of its Privacy Representative and shall promptly notify the Customer of any change of its Privacy Representative.

14. Notice of Breach

(a) If for any reason the Service Provider does not comply, or anticipates that it will be unable to comply, with a provision in this Schedule in any respect, the Service Provider must promptly notify the Customer of the particulars of the non-compliance or anticipated non-compliance and what steps it proposes to take to address, or prevent recurrence of the non-compliance or anticipated non-compliance.

(b) The Service Provider shall notify the Customer immediately of the disclosure of Personal Information to any person or entity not authorized by the Agreement to have such Personal Information, including full details of such disclosure. The Service Provider shall co-operate with the Customer in preventing the recurrence of such disclosure and to the extent feasible, in recovering the disclosed Personal Information, including any copies thereof.

15. Personnel Bound by the Act

(a) The Service Provider and the Customer hereby further acknowledge and agree that in order to fulfill its obligations under the Agreement or in connection with a Permitted Purpose it may be necessary for the Service Provider to grant to Personnel access to Personal Information. The Service Provider hereby agrees that:

(i) it shall only make Personal Information available to Personnel to the extent it is necessary for the purpose of fulfilling the Service Provider’s obligations under the Agreement and for a Permitted Purpose;

(ii) it shall not make Personal Information available to any Personnel while any such persons are physically located outside of Canada, except for a Permitted Purpose under the Foreign Access Conditions or as permitted by the Act;

(iii) if and whenever requested by the Customer, the Service Provider shall cause each of the Personnel providing services on behalf of the Service Provider under the Agreement to enter into an Access Agreement, in a form and substance acceptable to the Customer wherein the Personnel agree, among other things, to comply with the requirements of all applicable laws including in particular the requirements of the Act as if that person were originally bound by the Act; and


(iv) the customer is granted the right to demand that the Personnel who breached the obligation be removed from the provision of services pursuant to the Agreement.

The Service Provider shall be required to renew and refresh any or all such agreements from time to time at the reasonable request of the Customer.

(b) The Service Provider shall properly advise each of the Personnel providing services under the Agreement of the requirements of the Service Provider under this Schedule and the Act. If requested by the Customer, the Service Provider shall provide and conduct specific ongoing training for all such individuals in form and substance reasonably satisfactory to the Customer. The Service Provider acknowledges its obligations and, to the extent legally permissible, will address any non-compliance with this Agreement, by their staff, at their discretion.

(c) Notwithstanding the foregoing, the Service Provider specifically assumes all responsibility for the Personnel and for the breach by any of them of any provision of the Act or this Schedule. The Service Provider hereby agrees to defend, indemnify and hold harmless the Customer, and its directors and officers from and against any and all loss, cost, liability or expense suffered or incurred by the Customer, and its directors, officers, employees or representatives or any of them with respect to any breach or alleged breach by the Service Provider of any of its covenants or obligations under this Schedule, or its non-compliance with the provisions of the Act.

(d) The Service Provider shall, upon request by Customer, provide a copy of the access agreement, the process for executing the agreements and the list of staff associated with the client’s project or initiative who have signed the agreement within the last 12 months.

16. Subcontractors

Any reference to the Service Provider in this Schedule includes any subcontractor or agent retained by the Service Provider to perform obligations under the Agreement and the Service Provider must ensure that any such subcontractors and agents comply with this Schedule.

17. Audit and Inspection

In addition to any other rights of inspection the Customer may have under the Agreement or under statute, the Service Provider shall permit the Customer and/or its representatives and agents to conduct periodic audits of Records related to performance by the Service Provider and the Personnel and permitted subcontractors, if any, of the Service Provider’s obligations under this Schedule. The Customer may, at any reasonable time and on reasonable notice to the Service Provider, enter on the Service Provider’s premises to inspect any Personal Information in the possession of the Service Provider or any of the Service Provider’s information management policies or practices relevant to its management of Personal Information or its compliance with this Schedule and the Service Provider must permit, and provide reasonable assistance to, any such inspection.

18. Default


(a) In addition to any other rights of termination which the Customer may have under the Agreement or otherwise at law, the Customer may, subject to any provisions in the Agreement establishing mandatory cure periods for defaults by the Service Provider, terminate the Agreement by giving written notice of such termination to the Service Provider, upon any failure of the Service Provider to comply with this Schedule in a material respect.

(b) Without limiting the generality of the foregoing, the Service Provider agrees that in addition to any other rights or remedies the Customer may have for material breach of this Schedule, the Customer has the right to an injunction or other equitable relief in any court of competent jurisdiction enjoining a threatened or actual material breach of this Schedule by the Service Provider.

19. Termination

(a) Upon the expiration or earlier termination of the Agreement, the Service Provider shall promptly return to the Customer or destroy promptly, according to the Customer’s instructions, all Records in the Service Provider’s possession pursuant to the Agreement, whether created by the Service Provider or by others, constituting or based upon Personal Information and shall confirm that delivery or destruction to the Customer in writing.

(b) In the event of a change to the Act or any other applicable privacy legislation or the issuance of a directive or policy by the government of the Province of British Columbia or a finding or report by the Commissioner, such that the Customer reasonably considers that the terms and conditions of the Agreement for the protection of Personal Information are deficient, the Customer and the Service Provider will enter into good faith negotiations in an effort to cure any deficiency and agree to new or amended terms of the Agreement such that it is no longer deficient. Should such negotiations fail, the Customer may terminate all or any portion of the Agreement in accordance with the termination requirements in the Agreement, upon provision of written notice to the Service Provider or upon such other future date as the Customer may specify in writing in such notice.

20. No Withholding

The Service Provider shall not be entitled to, and hereby waives any and all right to, withhold any Personal Information from the Customer to enforce any alleged payment obligation or in connection with any dispute relating to the terms of the Agreement or any other matter between the Customer and the Service Provider.

21. Investigation

The Service Provider shall co-operate with any Customer investigation of a complaint that the Customer’s Personal Information has been used contrary to the Act or this Schedule.

22. Storage and Access to Personal Information


The Service Provider shall maintain Personal Information only at an Authorized Site. Except in relation to a Permitted Purpose under Foreign Access Conditions, no services that require access to Personal Information shall be provided or performed by the Service Provider in any location outside Canada and no Personal Information may be stored, transmitted or otherwise made available in any manner or accessed from outside Canada and no person outside Canada shall have access in any manner to Personal Information except as expressly approved by the Customer in writing. The Service Provider will notify the Customer prior to changing the Authorized Site.

23. Segregation of Data

The Service Provider shall take reasonable steps to ensure that all Personal Information is securely segregated from any information owned by the Service Provider or third parties, including access barriers, physical segregation, password authorization and public key encryption systems. The Service Provider must store Personal Information on agreed-upon media using techniques enabling access only by authorized persons, including encryption and compression of Personal Information.

24. Protection of Personal Information

The Service Provider must protect Personal Information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal, including any expressly set out in the Agreement.

25. Paramountcy

(a) The Service Provider must comply with the provisions of this Schedule despite any conflicting provision of this Agreement or, subject to section 25 (b), the law of any jurisdiction outside Canada or any conflicting Foreign Order.

(b) Nothing in this Schedule requires the Service Provider to contravene the law of any jurisdiction outside Canada unless such contravention is required to comply with the Act.

(c) The Service Provider acknowledges that the Customer is subject to the Act. (d) The Service Provider shall immediately inform the Customer if the Service Provider or

any of the Personnel receive any Conflicting Foreign Order. 26. Survival

The obligations of the Service Provider in this Schedule will survive the termination of the agreement.

27. Amendment

Upon enactment of any British Columbia law or regulation or amendment to such law or regulation affecting the use or disclosure of Personal Information, or the publication of any


decision of a British Columbia court relating to such law or regulation, or the publication of any interpretive policy or opinion of any government agency charged with the enforcement of any such law or regulation, the Customer, by written notice to the Service Provider, may specify the amendment of this Schedule in such manner as the Customer reasonably determines necessary to comply with such law or regulation to the extent such law or regulation is directly applicable and enforceable against the Service Provider. This provision is additional to any rights of the Customer to terminate pursuant to Section 19(b) of this Schedule.

28. Inconsistency

If a provision of the Agreement (including any direction given by the Customer under this Schedule) conflicts with a requirement of the Act or an applicable order of the Commissioner under the Act, the conflicting provision of the Agreement (or direction) will be inoperative to the extent of the conflict. Where in the Customer’s reasonable opinion, there is ambiguity regarding whether a provision conflicts, the conflicting provision will be inoperative to the extent determined by the Customer. The Service Provider must comply with the provisions of this Schedule despite any conflicting provision of this Agreement or the law of any jurisdiction outside Canada.

29. Specific Covenants – Personal Information Handling

The Service Provider shall: (a) take a physical inventory, at least annually, of all Personal Information, to identify any

losses; (b) ensure that access systems require individual user identification to be unique and re-

authenticated each time access is made to the Personal Information ; (c) implement appropriate controls for the issue, change, cancellation, and audit-process of

user identifications and authentication mechanisms; (d) ensure authentication codes and passwords are confidential, are pseudo-random in nature

or vetted through a verification technique designed to counter triviality and repetition, are no fewer than 6 characters in length, are one-way encrypted, are excluded from automatic log-in procedures and are changed irregularly and at least semi-annually;

(e) maintain and implement formal procedures for terminated employees, agents, representatives and Associates who have had access to Personal Information; and

(f) design and implement an automated, always-on auditing system which can be accessed by the Customer to monitor access to and use of Personal Information, which system creates an audit trail that automatically records the identity of anyone who accesses Personal Information, recording the date and time of access, and which flags access or access attempts that fall outside set criteria (e.g. access outside regular business hours).

30. Excluded Records

This Schedule does not apply to any information, documents or records that:


(a) do not contain Personal Information; (b) relate solely to the Service Provider’s internal administration, finances or

management, unless they contain Personal Information about an individual other than the Service Provider’s own employees, officers, directors, agents, service providers, suppliers or contractors;

(c) relate solely to the Service Provider’s internal labour and employment matters, unless they contain Personal Information about an individual other than the Service Provider’s own employees, officers, directors, agents, service providers, suppliers or contractors; or

d) the Customer and the Service Provider have expressly agreed in writing fall outside the scope of this Schedule.


SCHEDULE G

WCB INSURANCE (M)

The Contractor will comply with the Workers' Compensation Act of the Province of British Columbia and in particular will obtain and maintain during the Term the necessary coverage for the Contractor and the Contractor's employees, and will, provide particulars of such coverage. The following information is required for this contractor: The Contractor’s WorksafeBC registration number is _____________________.


Appendix C: VIHA’s Current Standard Supported IM/IT Environment

INTENT OF THIS DOCUMENT This document describes the standard technologies supported by VIHA IM/IT. The text may be used for reference in Requests for Proposal (RFPs). The document should be maintained as a whole if inserted into another document. This is a living document, refreshed biannually. The most recently published version will be found at https://intranet.viha.ca/departments/imit/Pages/standards_guidelines.aspx. This document should only be presented along with the VIHA policies numbered under 16.4.2. Validity: The statements in this document are valid as of January 1, 2011. Expiry: This document should be considered obsolete after December 31, 2011.

AUTHENTICATION, ACCESS AND PRIVACY

1.1.1 AUTHENTICATION & ACCESS • Microsoft Active Directory (Core Domain) Win 2003 Native Mode • Microsoft ADAM, or LDAP (as required by application); Secure LDAP required for

authentication • Microsoft Identity Integration Server (MIIS) (limited support) • Microsoft Internet Security & Acceleration Server (ISA) 2006 • Single Sign-On using Citrix Password Manager • RDP and Citrix Client through Web Interface for remote access • SSL-VPN client (VIHA-owned laptops & tablets only) • Remote access to desktops or laptops not permitted/supported • Preference for SPMLv2 – compliant applications

1.1.2 CERTIFICATE SERVICES • PKI through MS Certificate Authority (Windows Server 2003 R2) using custom v2

certificate templates

1.1.3 PRIVACY AND SECURITY STANDARDS • See the policy documents under section 16.4.2 appended to this document

CLIENT DEVICES

1.1.4 DESKTOPS • Standardized, organization wide HP desktops & Laptops • Images custom designed for individual HP hardware configurations


o Configurations are reviewed and updated on a regular basis o Screen standard of 1024 x 768 o Preferences for all local devices is USB – serial not always natively available

1.1.5 STANDARDIZED WORKSTATION SOFTWARE ENVIRONMENT (DESKTOP & LAPTOP/TABLET) • Windows XP SP3 • Microsoft Office 2007 • IE 7 • Citrix Client 11 • RDP Client 6.0 • Cisco VPN client (tablets only) • Adobe Reader 9.1.2 • Pathworks VT320 • Macromedia Flash Player 10.1 • Macromedia Shockwave 10 • Windows short-date format: DD-MMM-YYYY • PointSec Hardware Encryption on laptops and tablets • McAfee VirusScan Enterprise Version: 8.7.0i • Group-policy managed desktop settings

1.1.6 MOBILE DEVICES • Mobile devices must adhere to policy 16.4.2.5 • Blackberry OS 4.1 and higher • All new devices must be pre-approved prior to being added to the Enterprise servers

1.1.7 DEPLOYMENT & SUPPORT TOOLS

1.1.7.1 Microsoft Systems Center Configuration Manager: • Microsoft Updates deployment and management • Core Software updates and large scale software package distributions • Support Desk remote support • Device Inventory

1.1.7.2 Altiris Deployment Solution: • Standardized Operating system image and post configuration deployment for

workstations, Notebooks and servers. • Software deployment at initial workstation and server deployment.


SERVERS AND STORAGE

1.1.8 SERVERS: • Preference for Virtualized Servers running on VMware ESX 4.1 • Where physical server is required, standardized HP Servers;

• Standard O/S software and utilities; o Windows 2008 R2 Standard or Enterprise Server (x64 preferred) o Windows 2008 Standard or Enterprise Server (x64 preferred) o Windows 2003 R2 Standard or Enterprise Server (x64 preferred) only to support

legacy applications o NetBackup 7.0 o McAfee 4.5 EPO o McAfee Antivirus Agent 8.7 o Diskeeper v2010

o VMware ESX Virtualization (VI 4.1) o MS SCOM 2007 R2

o Console support via ILO, Terminal Services and Citrix

• All servers must be supportable in a lights-out facility

1.1.9 ENTERPRISE SYSTEMS • VIHA back end systems consist of HP servers of a variety of models and operating systems.

For example, we currently have in production:

o Legacy Cluster with two AlphaServer ES47’s running OpenVMS 7.3-2 with the following add-on products:

Diskeeper for automated disk defragmentation Hitman for automated system monitoring (ie low disk alerts) ECP for performance monitoring ABS for system backups Multinet for TCP/IP networking


o Integrated Clinicals (ICS) consisting of HP Service Guard Clusters running HP-UX on HP Integrity servers. In production there will be two HP AlphaServer rx8640’s running HP-UX 11.31 with the following add-on products:

• Serviceguard clustering • MirrorDisk/UX • HP GlancePlus/UX • Netbackup

• All systems are fibre connected via HP Director class SAN switches to HP and EMC SAN

storage:

• Tier 2 Storage (standard for clusters) on EVA 5000 @ 2Gbps or EVA 6000 @ 2 Gbps providing FC storage

• Tier 2 Storage (standard for clusters) on NS480 @ 4Gbps providing both FC and NAS storage

• Tier 1 Storage (mission critical, high I/O) on XP24000 @ 4Gbps

1.1.9.1 Enterprise Server Models • HP Integrity rx8640 Server * 4 • AlphaServer GS1280 * 2 (retired) • AlphaServer GS160 * 2 (retired) • AlphaServer ES47 * 2 • AlphaServer ES40 * 2 • AlphaServer DS20E * 2

1.1.9.2 Enterprise Storage • HP StorageWorks XP24000 Disk Array * 2 • HP StorageWorks EVA6000 Disk Array * 2 • HP StorageWorks EVA5000 Disk Array * 3 • HP StorageWorks 4/256 SAN Director Switch * 4 • HP MSL6062 4 Drive LTO-4 Ultrium 1840 Tape Library * 4 • HP MSL6000 2 Drive SDLT2 Tape Library * 1 • HP MLS5052 2 Drive SDLT Tape Library * 2

IM/IT SERVICES

1.1.10 COLLABORATION AND WEB SERVICES • WS28R2 64-bit OS only • IIS 7.5 running 32-bit application pools standard, 64-bit pools supported; Integrated Mode

pools only (no Classic) • .NET 2.0, 3.0, 3.5, 4.0 and ASP are supported • Application delivery is through a combination of Cisco ACE load balancing, Microsoft

Application Request Routing, and load-balanced web farm. • No vendor access to web servers


• Web apps are hosted under apps.viha.ca URL but don’t necessarily have to reside on the same farm

• SSL is required; Port 80 connections are not supported • NTLM authentication is standard; forms-based authentication under special circumstances; • Basic and Digest authentication not supported • Native support of MS SQL

1.1.11 PRINTERS • Business (and some clinical) application printing for Windows is available to a variety of

HP laser printers via server-based print queues hosted on a Windows 2008 R2 Active-Passive print cluster.

• Cerner-based clinical application printing for Windows is available to a variety of HP laser printers via server-based print queues hosted on a Windows 2003 R2 Active-Passive print cluster.

• HPUX printing to certain devices is available through managed HPUX server print queues used for printing clinical data direct from HPUX applications.

• The list of currently supported HP print and MFP devices is as follows:

o HP LaserJet P3015x o HP LaserJet P4015x o HP LaserJet 9050dn o HP Color LaserJet CP3525x o HP Color LaserJet CP4525dn o HP Color LaserJet CP6015x o HP LaserJet M3035xs mfp o HP LaserJet M5035xs mfp o HP LaserJet M4345x mfp o HP LaserJet M4345xs mfp o HP LaserJet M9050mfp o HP Color LaserJet CM3530fs mfp o HP Color LaserJet CM4730fsk mfp o HP Color LaserJet CM6040f mfp

• HPUX printing available through managed HPUX server print queues pointing to certain

printers (not all printers have been set up with queues in HPUX ) used for printing clinical data direct from HPUX applications.

1.1.12 NETWORK • There are approximately 175 sites connected to the VIHA network. • The medium to larger sites are typically connected via Telus Metro WAN services at

bandwidths of either 1.5, 10, 100 or 1000 Mbps. • The smaller sites are typically connected via hardware VPN services using broadband ISP

services. • The LAN infrastructure is typically configured with either 1 or 10 Gbps backbones and

10/100 Mbps access ports.


• A wireless LAN infrastructure has been deployed at some of the largest acute care sites, supporting the 802.11a/b/g protocols.

• Approximately 15,000 devices are connected to the VIHA network. Connected devices include desktops, laptops, printers, MFPs, auto-analyzers, CTs, MRIs, videoconferencing systems, VoIP phones and related infrastructure, voicemail systems, card access systems, building management systems, various alarms systems and a variety of others.

• The network infrastructure is constructed using a variety of Cisco products, including Cisco switches, routers, firewalls, VPN concentrators, VoIP Call Managers, WLAN controllers, wireless access points, network authentication servers, etc.

• The network infrastructure is QoS (Quality of Service) aware, with marking and queuing based on pre-defined types of application traffic.

• The network is configured with multiple VLANs, with assignment of specific devices or applications to certain VLANs based on either QoS or security considerations.

• The network infrastructure supports only one device (MAC address) per access port • The network infrastructure provides for routed TCP/IP communications between devices. • The VIHA network has connectivity to the other BC Health Authority networks via an eNG

(eHealth Network Gateway) service.

1.1.13 WIRELESS LAN • The VIHA wireless LAN infrastructure has been deployed at a number of acute care

facilities and some smaller sites. • Wireless deployment is intended for in-building coverage only. • Not all areas within the buildings of sites having wireless are covered (such as mechanical

or electrical spaces, elevators and stairwells). • The WLAN infrastructure uses Cisco WLCs (Wireless LAN Controllers), LWAPs

(Lightweight Access Points) and WCS (Wireless Control System). • The WLAN supports all of the 802.11 a/b/g protocols. • The infrastructure is configured with multiple WLANS used to support a variety of

computing and communications devices.

1.1.14 COLLABORATION AND WEB SERVICES • WS28R2 64-bit OS only • IIS 7.5 running 32-bit application pools standard, 64-bit pools supported; Integrated Mode

pools only (no Classic) • .NET 2.0, 3.0, 3.5, 4.0 and ASP are supported • Application delivery is through a combination of Cisco ACE load balancing, Microsoft

Application Request Routing, and load-balanced web farm. • No vendor access to web servers • Web apps are hosted under apps.viha.ca URL but don’t necessarily have to reside on the

same farm • SSL is required; Port 80 connections are not supported • NTLM authentication is standard; forms-based authentication under special circumstances; • Basic and Digest authentication not supported • Native support of MS SQL


APPLICATION MANAGEMENT SERVICE SUPPORTED CONFIGURATIONS

1.1.15 INTEGRATION AND INTERFACES • Interface Engines Supported:

o Cloverleaf Interface o Sybase eBiz o Mirth o Cerner OpenPort

• Messaging Standards Supported: o HL7 v. 2.2 to 2.5

ADT Orders Results

• Transport Protocols Supported: o FTP internally, secure FTP externally o TCP/IP o HTTPS

• Integration Standards Supported: o CCOW (note: VIHA does not have a CCOW server) o SALM

1.1.16 DATABASE ENVIRONMENTS • Oracle Version 10g • Microsoft SQL Server 2005 SP1, 2008, 2008 R2

1.1.17 REPORTING TOOLS • Microsoft Reporting Services (SQL) 2005, 2008, 2008 R2 • Crystal Reports Version XI • Cognos Version 8.

1.1.18 MAIN APPLICATION ENVIRONMENTS • Clinical – Cerner Millenium (Cerner Corporation) and PARIS Community Care System

(In4Tek Corp) • Business – MediTech (Medical Information Technology, Inc.), ESP (Kronos Corporation)

1.1.19 DEVELOPMENT LANGUAGES SUPPORTED: • Microsoft .Net • Perl • Java

1.1.20 SERVICE LEVELS • Platinum Service – 100% business hours uptime 7X24 support including service request

facilitation


o Fully redundant production environment with no single points of failure in the architecture and/or downtime/failover capabilities allowing for continued automation of workflows with minimal manual intervention required to recover the system and system data.

o Platinum service not available where solution architecture/technology prevents achievement of 100% uptime target.

o Separate production, test and development environments • Gold Service – 99.94% business hours uptime target, 7X24 break/fix support, client

business hour service request facilitation o Architecture appropriate to uptime target (4 hours of planned downtime per month

for 7X24 systems) o Separate test environment that duplicates core production architecture o Separate development environment if VIHA responsible for development

• Silver Service – 99.94% client business hours uptime target, client business hours break/fix support, IMIT business hours service request facilitation (6am to 6pm M-F)

o Architecture appropriate to uptime target • Bronze Service – 99.94% regular business hours uptime target (M-F 8am-5pm), regular

business hour break/fix and service request support General Standards in Scope for all Solutions: • Application Services – runnable under OS system account • Monitoring – all production components hardware/software monitored and alerted on.

Response appropriate to Service level. • Security – systems must have the capability to capture/audit end user interaction with the

system. • Systems need to have multi-factor authentication consisting of a minimum a username and

strong password as per the VIHA strong password guidelines. • Privacy – access to system information needs to be configurable/lockable such that end user

access/views of the information comply with VIHA privacy regulations. • Security and Privacy – Foreign systems receiving/processing information originating from

the VIHA enterprise systems must support the same level of information security and privacy as applied to the information in the source system.

• Web, 3 tier, service oriented architectures are desirable for ease of deployment and management. Ability to run under Citrix is preferred.

• Documentation – architecture is fully documented


Appendix D Relevant IM-IT Security Policies under policy # 6.2 16.4.2.1P Security of Electronic Information 16.4.2.2P Security of Health Records N/A 16.4.2.3P Acceptable Use of Assets and Resources 16.4.2.4P Remote Access 16.4.2.5P Mobile Computing 16.4.2.6 Remote Assistance and Session Sharing for Support Purposes Policies attached as separate documents to this RFP.

confidential reporting service request for proposal

Documents