Third Party Medical Reviews Services

The Vendor is required to provide for an external, independent third-party review process for medicaid providers who have received denials of a healthcare service to a managed care member or denials of payment for services rendered to a managed care member from an organization and have exhausted the organization internal appeals process.
- Transmit and receive all data via encryption or secure file transport protocol (FTP) site.
- Maintain a signed statement for each external independent third-party review stating the reviewer has no conflict of interest regarding the review.
- Have a formal process for the identification of appropriate clinicians, including physician reviewers, to review specific medical issues and timeframes associated with the review and submissions of medical determinations or opinions.
- Key personnel positions are identified as:
•    Project Director; and
•    Medical Staff, which shall include a physician Medical Director.
- Define, and document roles and responsibilities related to information security for the service, solution, software, data hosting, or interface;
- Implement user identification and access controls designed to limit access to users in accordance with the principles of least privilege;
- Ensure that all personnel with physical or logical access to the service, solution, software, data hosting, or interface will receive industry standard annual security awareness training;
- Maintain documentation regarding roles and responsibilities related to information security for the service, solution, software, or interface and review and update this document at least once per year.
- Ensure contractor’s data center and/or cloud environment is secure with industry standard encryption techniques that meets all legal requirements for data stored at rest and in transit ensure secure socket layers (SSL) configuration per industry best practices, session, and port management.
- Ensure that the Data Center will utilize industry standard firewalls regulating all data entering the internal data network from any external source which will enforce secure connections between internal and external systems and will permit only authorized data to pass through.
- Ensure that the service, software, solution, data hosting, or interface employs automated mechanisms to centrally review, analyze and correlate audit and log records from multiple components of the service, software, solution, data hosting, or an interface to support organizational processes for investigation, alerting and response to suspicious activities.
- Maintain an incident response program that implements incident handling for information security incidents that includes preparation, detection and analysis, containment, eradication, and recovery processes.
- The incident response program must have the capability to support automated mechanisms for supporting incident handling processes.

- Contract Period/Term: 3 years
- Questions/Inquires Deadline: September 02, 2025