The Vendor is required to provide patient privacy monitoring software with the following required features:
- Data Sources
• Must have the ability to support importing raw records from Epic.
• Must have the ability to support receipt of data via secure channels (e.g., SFTP, API and web service).
• Must maintain data integrity from collection at the source (customer sites) to the destination.
• The office must have access to data as close to real time as possible, and no later than 24-48 hours after the user access date, to ensure timely investigations.
- Data analytics and use cases
1. Shall provide historical data to include but not limited to the following:
• Total number of alerts generated.
• Total number of alerts reviewed.
• Total number not reviewed.
• Total number of investigations opened, etc.
• Must provide details on any cost impact if fully analyzed data is retained beyond the default period and kept available online.
• Shall use automated algorithms to access rules that can be customized based on the organization's policies and workflows.
• Shall detect users modifying their own records, or records of their family/household members.
• Shall identify employees who access records of patients whose address is within a one-quarter-mile radius of the employee's address.
• This feature shall be customizable (e.g., neighbors, neighborhoods, etc.).
• Shall identify any trends in user activity and detect access outside a user's normal behavior on a specific date or at a specific time, which may indicate that a specific access is suspicious.
• Shall have the ability to identify multiple repeat privacy incidents reflecting a long-term pattern of suspicious activity.
• Shall detect access by terminated workforce members.
• Shall identify staff members who are snooping on co-workers without a valid reason to do so.
• Shall identify staff members who are snooping on VIP patients without a valid reason to do so.
• Shall identify staff members snooping on deceased patients without a valid reason.
• Shall identify stolen, compromised, or misused user credentials.
• Shall have the ability to pull user activity reports from Epic, link them with limited data from an HR feed that will be supplied by the agency (this report excludes SSN and DOB), and generate audit reports identifying potential unauthorized access incidents.
• Shall have role-based access available for various application users (e.g., administrator, reviewer, etc.).
• Shall have the capability to allow the user to bookmark employees and patients of interest for targeted monitoring.
• Shall send real-time alerts/notifications for critical events, along with a daily email to the user summarizing the activities detected.
• Shall interface with NAVEX to reduce the manual labor of transferring information from the privacy manual tool.
• Shall have the ability to manage investigations that the system identifies and those that it identifies as ad hoc.
• Shall have the ability to easily create customizable filtering for data-specific investigations and reporting categories.
• Shall be capable of uploading external documents to support an investigation (e.g., Word, Excel, PDF, JPEG, etc.).
- Contract Period/Term: 3 years
- Pre-Proposal Meeting Date: June 17, 2025
- Questions/Inquiries Deadline: June 24, 2025