E-SIGNED by SOV ITcontracting-ADS on 2020-06-05 19:11 ...

STATE OF VERMONT CONTRACT SUMMARY AND CERTIFICATION - - - - - - - - - - - Form AA-14 (1/8/2019) Note: All sections must be completed. Incomplete forms will be returned to the originating department.

I. CONTRACT INFORMATION: Agency/Department: AHS/ Department of Corrections Contract #: 40006 Amendment #: Vendor Name: VitalCore Health Strategies, LLC VISION Vendor No: 384523 Vendor Address: 719 SW Van Buren Street, Topeka KS 66603 Starting Date: 07/01/20 Ending Date: 6/30/2023 Amendment Date: Summary of agreement or amendment: Comprehensive Correctional Health Care Services

II. FINANCIAL & ACCOUNTING INFORMATION

Maximum Payable: $65,534,608.83 Prior Maximum: $ Prior Contract # (If Renewal):

Current Amendment: $ Cumulative amendments: $ % Cumulative Change:

Business Unit(s): 3520; ; - [notes: ] VISION Account(s): 507500; Estimated Funding Split:

100.00 % GF % TF

% SF % GC % EF

% FF % Other (name)

III. PROCUREMENT & PERFORMANCE INFORMATION

A. Identify applicable procurement process utilized.

Standard Bid/RFP Simplified Sole Source (See B.) Qualification Based Selection Statutory

B. If Sole Source Contract, contract form includes self-certification language? Yes N/A C. Contract includes performance measures/guarantees to ensure the quality and/or results of the service? Yes No IV. TYPE OF AGREEMENT (select all that apply)

Personal Service Non-Personal Service Commodity

Construction Arch/Eng. Marketing Info. Tech. Prof. Service

Retiree/Former SOV EE Financial Trans Zero-Dollar Privatization Other V. SUITABILITY FOR CONTRACT FOR SERVICE

Yes No n/a Does this contract meet the determination of an Independent Contractor? If “NO”, the contractor must be set up and paid on payroll through the VTHR system.

VI. CONTRACTING PLAN APPLICABLE Is any element of this contract subject to a pre-approved Agency/Dept. Contracting Waiver Plan? Yes No

VII. CONFLICT OF INTEREST

By signing below, I (Agency/Dept. Head) certify that no person able to control or influence award of this contract had a pecuniary interest in its award or performance, either personally or through a member of his or her household, family, or business.

Yes No Is there an “appearance” of a conflict of interest so that a reasonable person may conclude that this party was selected for improper reasons: (If yes, explain)

VIII. PRIOR APPROVALS REQUIRED OR REQUESTED

Yes No Agreement must be Certified by the Attorney General under 3 V.S.A. § 342 (sign line #4 below) Yes No Attorney General review As To Form is required ($25,000 and above) or otherwise requested: (AAG initial) Yes No Agreement must be approved by the Secretary of ADS/CIO Yes No Agreement must be approved by the CMO: for Marketing services over $25,000 Yes No Agreement must be approved by Comm. Human Resources: for Privatization, Retirees, Former Employees, & if a

Contract fails the IRS test. Yes No Agreement must be approved by the Secretary of Administration

IX. AGENCY/DEPARTMENT HEAD CERTIFICATION; APPROVAL I have made reasonable inquiry as to the accuracy of the above information (sign in order): 1-Date 1-Agency/Department Head 2-Date 2-Agency Secretary (if required)

3a-Date 3a-CIO 3b-Date 3b-CMO 3c-Date 3c-Commissioner DHR

4-Date 4-Attorney General 5-Date 5-Secretary of Administration

E-SIGNED by Dawn O'Tooleon 2020-06-04 13:14:36 GMT

E-SIGNED by SOV ITcontracting-ADSon 2020-06-05 19:11:00 GMT

E-SIGNED by John Quinnon 2020-06-08 12:03:29 GMT

E-SIGNED by Candace Elmquiston 2020-06-10 14:32:48 GMT

E-SIGNED by Bradley Ferlandon 2020-06-10 14:34:35 GMT

E-SIGNED by James Bakeron 2020-06-03 18:27:44 GMT

E-SIGNED by Bob LaRoseon 2020-06-03 18:34:44 GMT

E-SIGNED by Diane Nealyon 2020-06-04 11:14:46 GMT

State of Vermont Agency of Digital Services 133 State Street, 5th Floor Montpelier, VT 05633-0210 [phone] 802-828-4141

MEMO

Date: 05/29/2020 To: John Quinn - CIO VIA: Jon Provost From: ADS Procurement Advisory Team (PAT) Subject: CIO approval of contract 40006 between the Department of Corrections and VitalCore, Inc. for Health Services for Inmates. The Agency of Digital Services (ADS) PAT team reviewed contract 40006 between the Department of Corrections and VitalCore, Inc. for Health Services for Inmates, at our May 21, 2020 meeting. This is a comprehensive Health Services contract in which VitalCore will provide the Department with Comprehensive Administration of all health-related services withing the State’s Correctional Facilities. The services include Personnel, Staffing and Training, Health Care and Pharmaceutical Services, on Site Health Care Services, Patient Care and Treatment as well as the maintenance of Health care records and claims processing. This contract is being awarded as the result of a competitive RFP issued last year. The contract term is from 07/01/2020 to 06/30/2023 and has a maximum payable value of $65,534,608.00.

The PAT review team now recommends approval of this contract.

E-SIGNED by Jonathan C Provoston 2020-06-05 11:02:49 GMT

Project Name:Agency/Dept.

Reviewer Name Date Received Date Review CompletedOk to Proceed to with project from

Reviewer's perspective?IT Contracting Specialist Jon ProvostChief Financial Officer Kate SlocumEnterprise Architecture John HuntDeputy CISO Scott CarbeeChief Data Officer Kristin McClureIT LeaderChief Technology Officer Mark CombsDeputy Secretary Shawn NailorCIO John Quinn Date e-signed approval:

Reviewer Name Date Received Date Review Completed Ok to Post RFP from Reviewer's perspective?IT Contracting Specialist Jon ProvostChief Financial Officer Kate SlocumEPMO/OPMEnterprise Architecture John HuntDeputy CISO Scott CarbeeChief Data Officer Kristin McClureIT LeaderRisk Management Rebecca WhiteCTO Mark CombsDeputy Secretary Shawn NailorCIO John Quinn Date e-signed approval:

Reviewer Name Date Received Date Review CompletedOk to Sign Contract from Reviewer's

perspective?IT Contracting Specialist Jon Provost 5/18/2020 5/21/2020 YesChief Financial Officer Kate Slocum 5/18/2020EPMO/OPM 5/18/2020Enterprise Architecture John Hunt 5/18/2020 5/21/2020 YesDeputy CISO Scott Carbee 5/18/2020 5/21/2020 YesChief Data Officer Kristin McClure 5/18/2020IT Leader Darin Prail 5/18/2020 5/21/2020 YesRisk Management Rebecca White 5/18/2020 5/21/2020 YesCTO Mark Combs 5/18/2020 5/21/2020 YesDeputy Secretary Shawn Nailor 5/18/2020CIO John Quinn 5/18/2020 Date e-signed approval:

Contract or Amendment

ADS Review Verification Sheet

ADS Reviewer Summary & Sign-offMemo

Reviewer

RFP

VitalCore Health Services Contract 40006ADS_DOC

ANY PROPRIETOR/PARTNER/EXECUTIVEOFFICER/MEMBER EXCLUDED?

INSR ADDL SUBRLTR INSD WVD

PRODUCER CONTACTNAME:

FAXPHONE(A/C, No):(A/C, No, Ext):

E-MAILADDRESS:

INSURER A :

INSURED INSURER B :

INSURER C :

INSURER D :

INSURER E :

INSURER F :

POLICY NUMBER POLICY EFF POLICY EXPTYPE OF INSURANCE LIMITS(MM/DD/YYYY) (MM/DD/YYYY)

AUTOMOBILE LIABILITY

UMBRELLA LIAB

EXCESS LIAB

WORKERS COMPENSATIONAND EMPLOYERS' LIABILITY

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required)

AUTHORIZED REPRESENTATIVE

EACH OCCURRENCE $DAMAGE TO RENTEDCLAIMS-MADE OCCUR $PREMISES (Ea occurrence)

MED EXP (Any one person) $

PERSONAL & ADV INJURY $

GEN'L AGGREGATE LIMIT APPLIES PER: GENERAL AGGREGATE $PRO-POLICY LOC PRODUCTS - COMP/OP AGGJECT

OTHER: $COMBINED SINGLE LIMIT

$(Ea accident)ANY AUTO BODILY INJURY (Per person) $OWNED SCHEDULED

BODILY INJURY (Per accident) $AUTOS ONLY AUTOSHIRED NON-OWNED PROPERTY DAMAGE

$AUTOS ONLY AUTOS ONLY (Per accident)

$

OCCUR EACH OCCURRENCECLAIMS-MADE AGGREGATE $

DED RETENTION $PER OTH-STATUTE ER

E.L. EACH ACCIDENT

E.L. DISEASE - EA EMPLOYEE $If yes, describe under

E.L. DISEASE - POLICY LIMITDESCRIPTION OF OPERATIONS below

INSURER(S) AFFORDING COVERAGE NAIC #

COMMERCIAL GENERAL LIABILITY

Y / NN / A

(Mandatory in NH)

SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORETHE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED INACCORDANCE WITH THE POLICY PROVISIONS.

THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIODINDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THISCERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS,EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THISCERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIESBELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZEDREPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed.If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement onthis certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

COVERAGES CERTIFICATE NUMBER: REVISION NUMBER:

CERTIFICATE HOLDER CANCELLATION

© 1988-2015 ACORD CORPORATION. All rights reserved.ACORD 25 (2016/03)

CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY)

$

$

$

$

$

The ACORD name and logo are registered marks of ACORD

5/22/2020

(480) 730-4920 (480) 730-4929

20508

Vital Core Health Strategies, LLC719 SW Van Buren St. Ste. 100Topeka, KS 66603

2047815686

A 2,000,000

X CNP 6074618478 11/1/2019 11/1/2020 300,000BOP 10,000

2,000,0004,000,0004,000,000

1,000,000ACNP 6074618478 11/1/2019 11/1/2020

5,000,000B6080185479 1/1/2020 11/1/2020 5,000,000

0C

WC 6 76453786 11/1/2019 11/1/2020 1,000,0001,000,0001,000,000

D Medical Malpractice 005KS00028/155 11/1/2019 Limit per claim 1,000,000D Prof Liab Umbrella 005KS00028/155 11/1/2019 11/1/2020 Limit per claim 1,000,000

Medical Malpractice Aggregate Limit - $3,000,000

Certificate holder is included as an additional insured on the general liability if required by written contract per attached endorsement.Coverys Specialty Insurance Company Professional Policy # 005KS000028155 Sexual Misconduct Legal Limit $100,000 per Proceeding/$100,000 AggregateUnderwriters at Lloyd's Policy Certificate #1120431 Ref # B6089PRW191856 Cyber Policy Limit $2,000,000 per occurrence/$2,000,000 Aggregate

Vermont Department of CorrectionsNOB 2 South280 State DriveWaterbury, VT 05671

VITACOR-01 MKAHRS

The Mahoney Group - Mesa1835 South Extension RoadMesa, AZ 85210

Valley Forge Ins. CompanyCNA INSURANCE COMPANIESNatl. Fire Ins. Co of HartfordCoverys Specialty Insurance Company

Over GL not PLX

11/1/2020

XX

X

X

X X

X

X

X

1

Lawson, Kristin

From: White, Rebecca MSent: Friday, May 1, 2020 10:55 AMTo: Titus, Max; Daniels, CharlesCc: Lawson, Kristin; Herring, Lucas; Henkin, JudySubject: RE: Vermont Insurance Update

Good morning Max, Thanks for the update. Charlie and I reviewed this. We are satisfied with the Lloyds cyber coverage and limits. The quotes for increasing the Med Mal to $2M/$4M look good. We need an updated certificate of insurance from VitalCore. Rebecca M. White, J.D. Risk Management Director of Operations Agency of Administration, Financial Services Division Office of Risk Management 6 Baldwin St. Montpelier, VT 05633‐3801 Office Phone: (802) 828‐1010 Cell Phone: (802) 793‐5347 Facsimile: (802) 828‐0410 Email: [email protected] Website: http://aoa.vermont.gov/home This e‐mail, including attachments, is intended for the exclusive use of the addressee and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any dissemination, use, distribution or copying is strictly prohibited. If you have received this email in error, please notify me via return e‐mail and permanently delete the original and destroy all copies.

From: Titus, Max <[email protected]> Sent: Friday, May 01, 2020 9:15 AM To: White, Rebecca M <[email protected]>; Daniels, Charles <[email protected]> Cc: Lawson, Kristin <[email protected]>; Herring, Lucas <[email protected]>; Titus, Max <[email protected]>; Henkin, Judy <[email protected]> Subject: FW: Vermont Insurance Update See attached and below the info I received back from VitalCore. Is this acceptable from the insurance perspective? Thanks, Max Titus, MLS, CHC Pronouns: they/them/theirs Assistant Director of Health Services Vermont Department of Corrections NOB 2 South 280 State Drive Waterbury, VT 05671‐2000 Cell (802) 917‐1009 [email protected]

2

From: Viola Riggin <[email protected]> Sent: Thursday, April 30, 2020 3:40 PM To: Titus, Max <[email protected]> Subject: Fwd: Vermont Insurance Update EXTERNAL SENDER: Do not open attachments or click on links unless you recognize and trust the sender.

Sent from my iPhone Begin forwarded message:

From: Guffy Wright <[email protected]> Date: April 29, 2020 at 7:07:06 PM CDT To: Viola Riggin <[email protected]> Cc: Nikki Gilliland <[email protected]>, Frank Fletcher <[email protected]> Subject: RE: Vermont Insurance Update

Attached is the pro‐rated quote for the excess and cyber policy. Thanks, Guffy Wright, CIC | Commercial Insurance Agent | [email protected] The Mahoney Group | Tel: 480-214-2714 | Mobile: 480-292-4266 | Fax: 480-730-4929 From: Guffy Wright Sent: Wednesday, April 29, 2020 5:05 PM To: 'Viola Riggin' Cc: Nikki Gilliland; 'Frank Fletcher' Subject: Vermont Insurance Update Dr. Riggin, Per our conference call this morning below is a summary of the action items and changes we propose to the current insurance program:

o The current medical Malpractice is a $1,000,000 / $3,000,000 limit and we have secured an $1,000,000 excess option bringing the per occurrence and aggregate limit to $2,000,000 / $4,000,000. The total annual premium for this additional coverage including all taxes and fees is $113,881 for the current term. This could increase come renewal as excess for medical malpractice is ticking up.

o Cyber Liability – I confirmed we currently have a 2 million per occurrence and 2 million aggregate on the Cyber Liability policy. In the call I mistakenly reported 1 million per occurrence.

o Additional Insured Status for the State of Vermont. We can add this to the General Liability policy since it is required via written contract. We can issue certificates accordingly.

o Sexual Abuse Sub Limit on the Coverys policy has a $100,000 sub limit for sexual misconduct. No additional limits required per our conversation with State of Vermont.

STATE OF VERMONT Contract # 40006 Page 1 of 450

STANDARD CONTRACT FOR SERVICES

1. Parties. This is a contract for services between the State of Vermont, Department of Corrections (hereinafter called “State”), and VitalCore Health Strategies with a principal place of business in Topeka, Kansas (hereinafter called “Contractor”). Contractor’s form of business organization is a Limited Liability Company. It is Contractor’s responsibility to contact the Vermont Department of Taxes to determine if, by law, Contractor is required to have a Vermont Department of Taxes Business Account Number.

2. Subject Matter. The subject matter of this contract is services generally on the subject of Comprehensive Correctional Health Care Services. Detailed services to be provided by Contractor are described in Attachment A.

3. Maximum Amount. In consideration of the services to be performed by Contractor, the State agrees to pay Contractor, in accordance with the payment provisions specified in Attachment B, a sum not to exceed $65,534,608.83.

4. Contract Term. The period of Contractor’s performance shall begin on July 1, 2020 and end on June 30, 2023. This contract may be extended for up to two, one-year periods at the State’s discretion.

5. Prior Approvals. This Contract shall not be binding unless and until all requisite prior approvals have been obtained in accordance with current State law, bulletins, and interpretations.

6. Amendment. No changes, modifications, or amendments in the terms and conditions of this contract shall be effective unless reduced to writing, numbered and signed by the duly authorized representative of the State and Contractor.

7. Termination for Convenience. This contract may be terminated by the State at any time by giving written notice at least thirty (90) days in advance. In such event, Contractor shall be paid under the terms of this contract for all services provided to and accepted by the State prior to the effective date of termination.

8. Attachments. This contract consists of 452 pages including the following attachments which are incorporated herein:

Attachment A - Statement of Work Attachment B - Payment Provisions Attachment C – “Standard State Provisions for Contracts and Grants” a preprinted form

(revision date 12/15/2017) Attachment D – Modification of Customary Provisions Attachment D – IT System Implementation Terms and Conditions Attachment E – Business Associate Agreement Attachment F - Agency of Human Services’ Customary Contract/Grant Provisions Appendix 1 – Staffing Matrix Appendix 2 – Mental Health and Co-Occuring Workflow


Appendix 3 – Act 78 Appendix 4 – Mental Health Units Appendix 5 – VT DOC MAT Clinical Guidelines Appendix 6 – MOU with VDH and DOC for HIV Testing Appendix 7 – SFI Designation Interim Memo Appendix 8 – SFI Identification DOC HS Policy G-12 Appendix 9 – Mobility Classification Codes Appendix 10 – Women’s Health Program Part 1 Appendix 11 – Women’s Health Program Part 2 Appendix 12 – Act 26 Appendix 13 – VitalCore Meta Report Appendix 14 – Price Proposal Per Inmate Per Month (PIPM) Calculator Appendix 15 – VT DOC HCV and MAT Expenses FY19 and FY20 Appendix 16 – Summary of Pay for Performance Metrics Appendix 17 – Pay for Performance Invoice Calculator Appendix 18 – Fusion Electronic Health Record Deliverable and Payment Worksheet Exhibit C – State of Vermont Bidders Response Form

9. Order of Precedence. Any ambiguity, conflict or inconsistency between the documents comprising this contract shall be resolved according to the following order of precedence:

(1) Standard Contract (2) Attachment D – Modification to Customary Provisions (3) Attachment D – IT System Implementation Terms and Conditions (4) Attachment C (Standard State Provisions for Contracts and Grants) (5) Attachment A (6) Attachment B (7) Attachment E (8) Attachment F (9) Appendix 1 – Staffing Matrix

(10) Appendix 2 – Mental Health and Co-Occurring Workflow (11) Appendix 3 – Act 78 (12) Appendix 4 – Mental Health Units (13) Appendix 5 – VT DOC Medically Assisted Treatment Clinical Guidelines (14) Appendix 6 – MOU with VDH and DOC for HIV Testing (15) Appendix 7 – SFI Designation Interim Memo (16) Appendix 8 – SFI Identification DOC HS Policy G-12 (17) Appendix 9 – Mobility Classification Codes (18) Appendix 10 – Women’s Health Program Part 1 (19) Appendix 11 – Women’s Health Program Part 2


(20) Appendix 12 – Act 26 (21) Appendix 13 – VitalCore Meta Report (22) Appendix 14 – Price Proposal Per Inmate Per Month (PIPM) Calculator (23) Appendix 15 – VT DOC HCV and MAT Expenses FY19 and FY20 (24) Appendix 16 – Summary Pay for Performance Metrics (25) Appendix 17 – Pay for Performance Invoice Calculator (26) Appendix 18 – Fusion Electronic Health Record Deliverable and Payment

Worksheet (27) Exhibit C – State of Vermont Bidders Response Form

WE THE UNDERSIGNED PARTIES AGREE TO BE BOUND BY THIS CONTRACT

By the State of Vermont: By the Contractor:

Date: Date:

Signature: Signature:

Name: James Baker Name: Viola Rigging

Title: Commissioner, DOC Title: Chief Executive Officer

E-SIGNED by Viola Riggingon 2020-06-17 20:15:03 GMT


ATTACHMENT A – STATEMENT OF WORK .................................................................................... 8

1 General Requirements, Governance and Administration .................................................................... 8

1.1 Definitions ..................................................................................................................................... 8

1.2 General Requirements .................................................................................................................. 8

1.3 Medical and Clinical Autonomy .................................................................................................... 9

1.4 Privacy, Confidentiality ................................................................................................................. 9

1.5 Medical/Mental Health Liaison and Consultation ........................................................................ 9

1.6 Equipment and Space ................................................................................................................. 10

1.7 Continuous Quality Improvement Program................................................................................ 10

1.8 Coordination, Communication, Meetings ................................................................................... 11

1.9 Coordination with the Department of Health ............................................................................ 12

1.10 Reserved...................................................................................................................................... 12

1.11 Transition of Contract ................................................................................................................. 12

2 Personnel, Staffing and Training ......................................................................................................... 13

2.1 In general: ................................................................................................................................... 13

2.2 Criminal History and Abuse Registry Check ................................................................................ 14

2.3 Security Clearances ..................................................................................................................... 14

2.4 Retained Staff .............................................................................................................................. 14

2.5 Licensing and Credentials ........................................................................................................... 15

2.6 Required Contractor Staffing ...................................................................................................... 15

2.7 Facility Staffing, Nursing ............................................................................................................. 16

2.8 Facility Staffing, Mental Health ................................................................................................... 16

2.9 Staff Safety .................................................................................................................................. 16

2.10 Contractor’s Responsibilities for Inmate Workers ...................................................................... 16

2.11 Vaccinations and TB Testing ....................................................................................................... 17

2.12 Staff Orientation ......................................................................................................................... 17

2.13 Staff training and retention program .......................................................................................... 18

2.14 Agency of Human Services (AHS) Training and Mandated Reporting Requirements ................. 19

2.15 Specialized Training for Mental Health Staff .............................................................................. 19

2.16 Training of Correctional Officers ................................................................................................. 19

2.17 Medication Administration Training ........................................................................................... 20

2.18 Nursing Assessment Protocols .................................................................................................... 20

2.19 Clinical Performance Enhancement ............................................................................................ 20

2.20 Professional Development .......................................................................................................... 21

3 Health Care Services ........................................................................................................................... 21


3.1 Pharmaceutical Services ............................................................................................................. 21

3.2 Hospital-Based Services .............................................................................................................. 22

3.3 Specialty Care .............................................................................................................................. 23

3.4 Off-Site Care, Care Coordination and Follow-Up care ................................................................ 23

3.5 Services pursuant to the Americans with Disabilities Act (ADA) ................................................ 24

3.6 Psychiatric Services ..................................................................................................................... 24

3.7 Mental Health Services ............................................................................................................... 25

3.8 Services for Incapacitated Persons ............................................................................................. 27

3.9 Withdrawal and Detoxification Services ..................................................................................... 28

3.10 Medication Assisted Treatment (MAT) ....................................................................................... 28

3.11 Obstetrics and Gynecology Services ........................................................................................... 28

3.12 Services for Pregnant Patients; Pregnancy Counseling .............................................................. 29

3.13 Gender Dysphoria Services ......................................................................................................... 29

3.14 Care for the Terminally Ill ........................................................................................................... 29

3.15 Treatment for Individuals with Hepatitis C ................................................................................. 30

3.16 Enhanced Substance Abuse Treatment for Women ................................................................... 30

3.17 Diagnostic Services ...................................................................................................................... 31

3.18 Radiology Services ....................................................................................................................... 31

3.19 EKG Services ................................................................................................................................ 32

3.20 Laboratory Services ..................................................................................................................... 32

3.21 Physical Therapy and Other Ancillary Services ........................................................................... 33

3.22 Optical Services ........................................................................................................................... 33

3.23 Oral Care; Dental Services ........................................................................................................... 33

3.24 Emergency Services .................................................................................................................... 34

3.25 First Aid Kits ................................................................................................................................ 35

4 Patient Care and Treatment ............................................................................................................... 35

4.1 Informing Patients About Health Care Services .......................................................................... 35

4.2 Patient Consent and Right to Refuse .......................................................................................... 35

4.3 Initial Healthcare Receiving Screening Upon Admission to a Facility ......................................... 35

4.4 Medical, Mental Health/Substance Use Screening and Assessment for Transferred and Readmitted Patients ............................................................................................................................... 37

4.5 Initial Comprehensive Health Assessment .................................................................................. 37

4.6 Mental Health/Substance Use Assessment ................................................................................ 38

4.7 Substance Abuse Screening, Assessment and Treatment .......................................................... 38

4.8 Continuation of Prescription Medication ................................................................................... 39

4.9 Guidelines for Prescribing and Monitoring Pharmaceuticals ..................................................... 39


4.10 Provision and Administration of Medications ............................................................................ 39

4.11 Keep-on-Person (KOP) Medications............................................................................................ 40

4.12 Patient Refusal and Non-Adherence to the Treatment Plan ...................................................... 40

4.13 Individualized Treatment Plans for Mental Health & Substance Use ......................................... 41

4.14 Non-Emergent Care; Request for services .................................................................................. 42

4.15 Patient Escort .............................................................................................................................. 42

4.16 Procedure in the Event of Sexual Assault ................................................................................... 43

4.17 Healthy Lifestyle Education and Promotion ............................................................................... 43

4.18 Medical Diet ................................................................................................................................ 43

4.19 Use of Tobacco ............................................................................................................................ 44

4.20 Mental Health Education and Self-Care ...................................................................................... 44

4.21 Continuity of care ........................................................................................................................ 45

5 Procedures, Notifications and Reporting ............................................................................................ 47

5.1 Patient Placement; Collaboration Between Staff and Facility Management ............................. 47

5.2 Grievance Procedure................................................................................................................... 48

5.3 Procedures to Facilitate Out-of-State Transfers ......................................................................... 48

5.4 Segregated Patients .................................................................................................................... 49

5.5 Restraints .................................................................................................................................... 49

5.6 Patient Safety .............................................................................................................................. 49

5.7 Infection Control Program .......................................................................................................... 49

5.8 Contaminated Waste .................................................................................................................. 49

5.9 Emergency Response Plan .......................................................................................................... 50

5.10 Procedures in the Event of Death ............................................................................................... 50

5.11 Notification Concerning Patient Transfers to Outside Medical Facilities ................................... 50

5.12 Reports ........................................................................................................................................ 51

5.13 Mental health treatment reporting ............................................................................................ 51

6 Records and Information Management .............................................................................................. 52

6.1 Procurement and Implementation of Solution (see Exhibit C - State of Vermont Bidder Response Form) ...................................................................................................................................... 52

6.2 Electronic Health Record System (see Exhibit C – State of Vermont Bidder Response Form) ... 52

6.3 Confidentiality of Medical and Mental Health Records and Information .................................. 53

6.4 Claims Processing ........................................................................................................................ 53

7 Compliance, Enforceability and Damages........................................................................................... 53

7.1 Deficiencies and Contract Compliance ....................................................................................... 54

7.2 Accountability and Quality Oversight ......................................................................................... 54

7.3 Liquidated Damages .................................................................................................................... 54


7.4 Catastrophic Loss ........................................................................................................................ 55


ATTACHMENT A – STATEMENT OF WORK

1 General Requirements, Governance and Administration

1.1 Definitions As used in this contract, 1. “Contract Manager” means the person designated to manage this Contract. 2. “Correctional staff,” “DOC staff,” or “DOC employees” means employees of the Vermont

Department of Corrections (“DOC”). 3. “Health Services Director” means a director of the DOC health services division, as

designated by the DOC Commissioner. If the DOC employs a Medical Director, it shall mean the Medical Director or designee.

4. “Health Services Division” means the team of individuals designated by the DOC Commissioner to work collaboratively to oversee the services provided or other activities as outlined in this Contract.

5. “NCCHC” means the National Commission on Correctional Health Care. 6. “Qualified healthcare professional” (QHCP) means a person licensed or certified or

authorized by law to provide professional health care service in this State to an individual during that individual’s medical care, treatment or confinement.

7. “Qualified mental healthcare professional” (QMHP) means a person with professional training, experience, and demonstrated competence in the treatment of mental illness, who shall be a physician, psychologist, social worker, mental health counselor, nurse or other qualified person as designated by the Commissioner of the Vermont Department of Mental Health (DMH).

8. “Staff” or “employees” means Contractor’s staff and employees, including subcontractors.

1.2 General Requirements 1. The Contractor shall act in good faith and comply with the Contract’s terms, State and

federal laws and professional standards. 2. The Contractor shall comply with:

a) All state and federal law. b) The Prison Rape Elimination Act of 2003 (PREA), 42 U.S.C. §§15601–15609 and

PREA Standards, 28 C.F.R. Part 115. c) The Americans with Disabilities Act (ADA), 42 U.S.C. §§12101–12213. d) All Vermont Department of Corrections’ policies, directives, rules, interim memos,

Memorandums of Understanding (MOUs), guidance documents, local procedures, intergovernmental agreements, and stipulated agreements.

e) NCCHC Standards for Health Services in Prisons. 3. The Contractor shall:

a) Be accountable to, and report to, the State through the Health Services Division (HSD) Health Services Director and designees.

b) Provide health care services to maintain and/or acquire NCCHC accreditation at all Vermont correctional facilities.

c) Employ QHCPs sufficient in type, number, location, and skills to meet all clinical, administrative, and performance-based requirements of this Contract.

d) Maintain a provider network sufficient in size, location, and scope to meet all clinical requirements outlined in this Contract.


e) Participate in applicable state-sponsored quality improvement projects as directed by DOC.

f) Develop and implement, in consultation with the DOC Health Services Division, programs that promote patients access to timely, appropriate, high quality health care services.

g) Implement evidence-based practices with a high degree of fidelity.

1.3 Medical and Clinical Autonomy Clinical decisions regarding a patient’s physical or mental healthcare are the sole responsibility of the Contractor and its QHCPs and shall not be influenced or limited by non-clinical staff, unless the State determines there is a direct threat to the safety and security of a facility or persons therein. The Contractor shall immediately notify the Health Services Director of any instances in which clinical staff believe that their clinical autonomy or clinical recommendations are being unduly or unjustifiably influenced or limited by non-clinical staff, to enable the DOC to review, investigate, and take remedial action, if appropriate.

1.4 Privacy, Confidentiality The Contractor shall:

1. Require that patients’ clinical encounters and discussion of their Protected Health Information (PHI) are conducted, to the maximum extent possible, in private.

2. Ensure the confidentiality and security of PHI in accordance with all applicable State and federal law and applicable regulations, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and 42 C.F.R. Part 2 (Confidentiality of Substance Use Disorder Patient Records).

3. Immediately report any suspected breach of confidentiality concerning PHI to the Health Services Director.

1.5 Medical/Mental Health Liaison and Consultation 1. The Contractor shall have designated and trained medical and mental health liaisons that

coordinate the delivery of health services, including the utilization of off-site specialists and hospitals. Each liaison will be under the general supervision of the Contractor’s Regional Office Manager.

2. The Contractor’s Regional Office shall be the liaison between the DOC’s Central Office and the Contractor’s Corporate Office. The Regional Office shall provide facility personnel with the resources necessary to fulfill the requirements of the Contract. The Regional Office shall meet weekly or as needed with the DOC to discuss health services and contract issues.

3. The Contractor shall provide the DOC with consultation services upon the State’s request. Consultation may include, but is not be limited to: a) Staffing plans. b) Treatment recommendations for patients in DOC custody. c) Communicable disease management. d) Electronic Health Records (EHR). e) Facility planning. f) Legislative proposals. g) Access to Contractor’s corporate clinical guidelines.


1.6 Equipment and Space The State will provide adequate and sufficient office and exam space in the correctional facilities for the Contractor and its employees and agents to use to carry out the requirements of the Contract, including but not limited to, office space for VitalCore staff, exam space for sick calls, and storage space for equipment, supplies, medications, and medical records.

1.7 Continuous Quality Improvement Program

1. The Contractor shall implement a Continuous Quality Improvement (CQI) Program. Under the Program, the Contractor shall: a) Support all auditing and quality assurance activities, including performance

improvements required by the State for contract compliance purposes. b) Participate in quality improvement projects as directed by the State. c) Monitor the Contractor’s procedures for compliance with State and federal law, DOC

policies, directives, rules, interim memos, MOUs, intergovernmental agreements, stipulated agreements, and guidance documents. Any discrepancies found shall be immediately communicated to the DOC and resolved expeditiously in collaboration with the State.

2. The Program will be overseen by a multi-disciplinary CQI Committee, the members of which shall be determined by the Health Services Director in consultation with the Contractor’s Medical Director. The Committee’s primary purpose shall be to identify problems and opportunities for improvement based upon the collection and assessment of relevant data. The Committee shall meet monthly.

3. No later than thirty (30) days prior to commencement of the Contract, the Contractor shall submit for DOC review and approval a CQI Manual that shall at minimum outline standards and measures relating to the following areas: a) Risk management. b) Infection control. c) Utilization of services. d) Sick slip responses. e) Cost containment. f) Health Services grievances. g) Quality monitoring. h) Chronic disease management and continuity of care. i) Review of serious reportable events (SREs)*. j) Appointments attended, missed, and refused. k) Reasons for missed appointments. l) Patient safety. m) Adverse or near-miss clinical events. n) Medication administration records (MAR) and physician prescribing reports. o) Care coordination activities. p) Future CQI projects and planning.

4. The CQI Committee shall review the CQI Manual on a quarterly basis at minimum, and update it as needed. All updates shall be reviewed and approved by DOC prior to their implementation.

* These are also referred to as critical clinical events (CCEs), or adverse events.


5. The Contractor shall create a CQI plan as requested by State if any of its procedures differ from, or are found out of compliance with, governing authority as referenced in this subsection. The CQI plan shall include: a) The specific section of the Contract where there is a deficiency or area of non-

compliance. b) A description of the deficiency or compliance issues. c) An action plan for addressing the issue. d) An agreed-upon timeline for addressing the issue and resolving the issue.

1.8 Coordination, Communication, Meetings

1. The Contractor shall communicate with the DOC Health Services Division to ensure Contract compliance. The Contractor shall: a) Coordinate its activities with the DOC. b) Communicate with management at each correctional facility all relevant information

regarding a patient’s physical and mental health needs that should be considered in determining security.

c) Cooperate with investigations by any State of federal agencies or law enforcement. In addition, the Contractor’s Regional Office staff shall meet with the DOC on a weekly or as needed basis to discuss health services or contract issues.

2. The Contractor shall perform the following with regards to all administrative meetings it is required to facilitate under the Contract: a) Invite and ensure attendance of all required participants, as determined by the State. b) Create an agenda to be submitted for DOC additions or edits no later than five (5) days

prior to the meeting date. c) Compile and distribute all materials for consideration and discussion at the meeting no

later than three (3) days prior to the meeting date. If relevant materials are unavailable or not yet available, they should be distributed as soon as practicable.

d) Compile meeting records and notes and distribute them to all required participants regardless of attendance.

3. The Contractor shall facilitate the following meetings, to be held at least quarterly: a) Pharmacy and Therapeutics (P&T) Committee. b) Utilization Review/Utilization Management. c) Medical Administrative Committee (MAC)/Continuous Quality Improvement (at each

facility). d) Behavioral Health Committee.

4. The Contractor shall attend and participate in the following meetings facilitated by the State at each correctional facility: a) Daily DOC “Morning Meetings,” at which the Contractor shall be prepared to discuss:

i. Any patient with physical or mental health needs. ii. Patients with, requesting, or in need of ADA accommodation.

iii. Any patient with behavioral issues or concerns. iv. Any information pertinent to the health and safety of any person at the facility.

b) Periodic facility meetings, but no less than weekly, to discuss patient health status and patient placement.

5. The Contractor shall attend and participate in other meetings required by the State , including, but not limited to: a) Monthly:


i. Environmental Safety and Sanitation Meeting. ii. CQI (see Section 1.7 – Continuous Quality Improvement Program).

iii. Executive Health Committee/Executive Business Meeting. iv. Medical and Psychiatric Provider Meetings. v. Operations Management Meeting.

vi. CATS Committee b) Audit and contract compliance reviews. c) Critical incident debriefings related to facility-based emergencies.

1.9 Coordination with the Department of Health

The Contractor shall: 1. Provide the Vermont Department of Health (VDH) information required pursuant to

law, rule, MOUs, Intergovernmental Agreements, DOC policy and procedure, or as directed by the Health Services Director or designee.

2. Provide all data required by VDH including, but not limited to, data regarding vaccines, HIV/AIDS and other communicable or infectious diseases. All reports shall be provided in the format and at the intervals requested.

3. Work collaboratively with the VDH in implementing programs or training modules approved by the Health Services Director or designee for delivery within the DOC on a variety of issues including, but not limited to:

a) Infection control. b) Detection, prevention, reporting, and contact tracing of Sexually Transmitted

Infections (STIs) including HIV/AIDS. c) Detection prevention, reporting, and contact tracing of blood-borne or other

pathogens (hepatitis A, B, C, and TB). d) Dissemination of public health information and education to patients and staff. e) Responding to public health threats. f) Responding to disease outbreaks. g) Medication Assisted Treatment. h) Options for more cost-effective laboratory services.

4. Provide continuity of care by collaborating with VDH on discharge plans for patients with chronic diseases. This includes discharge plans for patients with HIV/AIDS, pursuant to the process approved by the Health Services Director or designee.

1.10 Reserved

1.11 Transition of Contract Upon nearing the end of the final term of this Contract, and without respect to either the cause or time of such termination, the Contractor shall:

1. Take all reasonable and prudent measures to facilitate the transition to a successor provider, to the extent required by the State.

2. Submit a transition plan, by the date provided by the State, that contains a description of the resources that the Contractor shall commit and the functions the Contractor shall perform, along with time frames, in transferring the operation to the incoming Contractor, as appropriate.

3. During the six (6) months preceding termination and as sufficient to facilitate the uninterrupted provision of health services, provide information about the health services


provided by the Contractor to the State and/or the successor for purposes of planning the transition.

4. Perform, as the State may require, such knowledge transfer and other services required to allow medical services to continue without interruption or adverse effect and to facilitate orderly migration and transfer of the services to the successor provider.

5. Take such action as may be necessary, or as the State may direct, for the protection and preservation of the property, equipment, and supplies related to this Contract which are in the possession of the Contractor and in which the State has or may acquire an interest and to transfer that property to the State or a successor provider. All property, equipment, and supplies will be in good working order, with allowances made for reasonable wear and tear.

6. Cooperate with any incoming contractor, and provide requested documentation by the defined deadline, participate in meetings, complete assigned tasks in accordance with the incoming contractor’s work plan, and behave in a courteous and professional manner at all times in order to effectuate a seamless transition.

2 Personnel, Staffing and Training

2.1 In general:

The Contractor shall: 1. Employ medical, dental, mental health, substance abuse, and other professional staff

sufficient in number and professional expertise to deliver a comprehensive health services program that provides timely evaluation and treatment, including but not limited to routine, urgent, emergent, chronic, specialty, and follow-up care (see Appendix 1 – Staffing Matrix).

2. Require that all staff work as part of the multi-disciplinary treatment team, in collaboration with the Contractor’s Regional Office and DOC Facility Management.

3. Provide to the Health Services Director or designee for approval, upon the execution of this Contract, the names and employment information of all intended employees.

4. Obtain the pre-approval of the Health Services Director or designee before employing candidates for Contractor positions of Health Service Administrator and the Regional Office positions.

5. Require and verify that all personnel are currently and appropriately licensed, certified, credentialed or registered, as necessary, in conformance with Vermont laws and regulatory requirements. Establish a personnel file for each employee or subcontractor. Each employee's file will contain current licensure, registration and/or certification documentation.

6. Develop and implement an orientation program that each staff member must complete within thirty (30) days of commencing employment.

7. Provide all employees with a copy of the Contractor’s personnel policies and pertinent DOC policies, directives, rules, interim memos, MOUs, intergovernmental agreements, and guidance documents.

8. Develop an employee grievance and resolution process that provides the Contractor’s staff with a confidential means to address work-related issues.

9. Limit the amount of time that Regional Office employees backfill at the facilities. Regional Office employees’ duties focus on the supervision of staff, quality assurance and quality improvement activities, chart review, and providing consultation and


technical assistance at the request of the DOC. 10. Notify the Contract Manager in writing, within 24 hours, of all employees terminated

for cause and explain the reason for termination. 11. To the extent possible, avoid the regular use of Agency, per diem, or traveler staffing to

meet the staffing requirements of the Contract. 12. Utilize all available means to maintain a staffing vacancy rate of less than 11%. 13. Adjust work schedules and staffing patterns as needed, according to staffing workloads,

DOC operational needs, the needs of the inmate population, and settlement agreements. Staffing levels may also be adjusted based on the results of quality assurance activities.

2.2 Criminal History and Abuse Registry Check 1. The Contractor shall ensure that all contracted personnel have undergone and successfully

passed a current criminal history check and abuse registry check prior to entering a Vermont correctional facility. The Contractor shall require these checks of all personnel prior to their employment or promotion and at least every five (5) years thereafter. The checks shall include: a) State abuse registry checks. b) Fingerprint-supported background checks. c) State and national criminal history check.

2. The Contractor shall report any allegation of criminal activity by staff immediately to the DOC.

3. The Contractor shall notify and coordinate scheduling with the State when a criminal history check and abuse registry check need to be performed for a proposed or current staff person. The State shall perform and approve all required checks and shall determine DOC security clearance.

2.3 Security Clearances The Contractor shall:

1. Require that all staff maintain a DOC security clearance. 2. Require that all personnel maintain professional decorum during and after working

hours. Personnel who enter Vermont correctional facilities as an incapacitated person or as a lodged individual will lose their DOC security clearance.

3. Notify staff that their security clearance may be suspended, barring them from the facility, pending the results of any investigation of employee misconduct.

2.4 Retained Staff 1. The Contractor shall interview and consider for hire all staff employed by the current health

services contractor, including those working in the contractor’s Regional Office. Contractor shall give all such employees, if qualified, eligible, and pursuant to the staffing requirements set forth in the Contract, the right of first refusal for positions with the Contractor.

2. Contractor shall not compensate staff retained from the previous contract at a lower hourly wage or salary, and shall not provide lesser benefits than earned prior to the start of this Contract. Contractor shall maintain retained staff’s previous hiring date for the purposes of evaluations, merit increases, and calculations of vacation, sick, annual, or other leave accruals.

3. Contractor shall not subject retained staff to waiting periods for health insurance, employee stock options (if available), or any other benefits. Fringe benefits for retained staff shall be


comparable to those currently being earned in 2019 and shall begin immediately. Any 401(k) plans shall begin immediately unless specific laws or rules outside of the control of the Contractor require otherwise.

2.5 Licensing and Credentials

1. Contractor shall ensure that all health service staff and subcontractors that provide clinical services are licensed, certified, or registered in accordance with state and federal requirements. A restricted license that limits practice to correctional institutions is not in compliance with this section.

2. The Contractor shall: a) Verify that all personnel providing clinical care, including mental health staff, are

currently and appropriately licensed, certified, or registered in accordance with Vermont laws and regulatory requirements.

b) Ensure that the credential verification process includes inquiry regarding sanctions or disciplinary actions of state boards, employers, and the National Practitioner Data Bank (NPDB).

c) Within three (3) months of commencement of the Contract, develop and deliver to the Contract Manager or designee a plan that details how staff will, on an ongoing basis, access educational and training opportunities to maintain their credentials and knowledge of current best practices.

d) Require criminal history checks of all staff prior to employment or promotion, and every five (5) years thereafter. These criminal history checks shall include:

i. State abuse registry checks. ii. Fingerprint-supported background checks.

iii. State and national criminal history check. e) Maintain the results of all criminal history checks on all staff, including subcontractors. f) Provide personnel information, including any disciplinary or termination decisions, to

the Contract Manager, including complaints made to the Vermont Secretary of State, Office of Professional Regulation.

g) Maintain documentation in a readily available location of current licensure and credentials for all health care staff employed under this Contract.

h) Require that all health care staff inform the Contractor immediately of any changes or lapse in their credentials or any allegations of criminal activity.

i) Require that all health care staff perform only those tasks within the scope of their credentials, and not perform tasks beyond those permitted by their credentials.

2.6 Required Contractor Staffing 1. The Contractor shall dedicate to this Contract, and locate within the State, a Statewide

Medical Director. 2. Contractor shall designate the Statewide Medical Director as the Responsible Health

Authority for health care services at each of Vermont’s correctional facilities. The Responsible Health Authority shall ensure the delivery of health care services under this Contract and provides oversight of all health care services provided. The Responsible Health Authority must be an actively licensed Doctor of Medicine (MD) or Doctor of Osteopathic Medicine (DO).


2.7 Facility Staffing, Nursing The Contractor shall:

1. Provide and update as needed a nurse staffing plan. 2. Provide 24/7 on-site nursing coverage at each correctional facility with an infirmary. 3. Staff the infirmary at Southern State Correctional Facility by census number and acuity

level of the population, but no less than one Licensed Nursing Assistant and one Registered Nurse on-site for each shift.

4. Staff all other infirmaries by census number and acuity level of the population, but no less than one Registered Nurse on-site for each shift.

5. For any facility without an infirmary, provide appropriate nursing staff by census number and population acuity, but no less than one Registered Nurse on-call for each shift when one is not on-site.

2.8 Facility Staffing, Mental Health 1. The Contractor shall provide 24/7 coverage of each facility by one or more Qualified Mental

Health Professionals (QMHPs), with coverage of the first and second shifts provided on-site. 2. The Contractor shall provide on-call coverage at all other times. The on-call QMHP shall

either (a) report to the facility in person within one hour, or (b) report immediately via tele-health, as approved by the DOC, when: a) A patient is placed in restraints. b) A patient is placed in a suicide smock. c) A patient with an SMI or SFI is placed in segregation or similar restricted environment. d) At the request of DOC.

2.9 Staff Safety

The Contractor shall: 1. Create and maintain policies and procedures to protect the safety and well-being of all

health service staff working at the facility. 2. Maintain a list of workers’ compensation claims. 3. Provide necessary information to DOC or the Worker’s Compensation and Safety

Division of the Vermont Department of Labor, as requested, to ensure the proper reporting and resolution of claims.

2.10 Contractor’s Responsibilities for Inmate Workers 1. For all patients employed by or seeking employment by the DOC, the Contractor shall:

a) Examine and provide medical clearance for patients seeking employment as Food Service Workers.

b) Complete all laboratory testing that is necessary for a patient to receive a medical clearance for employment.

c) Provide medical clearance for patients referred for work camp placement within ten (10) business days of receiving the request from the DOC.

d) Complete and provide documentation supporting medical clearances, which shall include, at a minimum:

i. A statement that the patient’s health record was reviewed. ii. Information showing that all pertinent medical history (e.g., communicable

diseases, cardiac problems, pulmonary problems, allergies, and back problems) was reviewed.


iii. Indication of any current signs and symptoms of illness. iv. Brief, focused results of physical examination and vital signs. v. For those seeking food service work, verification the patient has no medical

conditions that preclude such work, based on criteria provided by the Vermont Department of Health.

vi. Documentation of assessment and/or screening for hepatitis A and B. The Contractor shall offer testing for immunity to both. Where no immunity is present, the Contractor shall (as clinically appropriate) offer the patient vaccination against both. Patients found with chronic, active hepatitis B shall be referred to the chronic disease clinic.

2. For patients at risk of exposure to bloodborne pathogens as part of their facility employment, Contractor shall provide training by a QHCP in the bloodborne pathogens exposure control plan. The training shall cover standard precautions and safe handling procedures to help protect the patient and others from bloodborne pathogen exposure. The training shall include: a) An introduction to the dangers posed by bloodborne pathogen exposure. b) Proper hand washing practices. c) Proper use of disposable gloves. d) Proper waste handling practices. e) Biohazard awareness. f) Precautions to prevent sharps injuries (e.g., puncture with contaminated or used

hypodermic needle, cuts). g) Procedures for cleaning medical isolation areas. h) Procedures to follow in the event of a sharp injury or possible exposure to a bloodborne

pathogen.

2.11 Vaccinations and TB Testing The Contractor shall be responsible for:

1. Providing, administering, and documenting the hepatitis B vaccine and tuberculosis (TB) testing for staff identified as being at significant risk of infection, consistent with the Occupational Safety and Health Administration (OSHA) Bloodborne Pathogens standard, 29 CFR 1910.1030, and any recommendation of the Vermont Department of Health.

2. Offering and administering the hepatitis A vaccine to all DOC food service employees. 3. Comply with all VDH and Centers for Disease Control and Prevention (CDC)

recommendations regarding vaccinations and emerging epidemics.

2.12 Staff Orientation 1. The Contractor shall develop and implement a program for orientation, exclusive of DOC

training on facility safety and security, for all health services staff and subcontracted staff. The orientation program shall provide on-the-job training, mentoring, and professional support to new staff, including sub-contractors.

2. The Contractor shall: a) Maintain a comprehensive orientation program that commences on or before the first

day of employment and is completed within thirty (30) days. b) Ensure that staff have reviewed and understand policies and procedures governing their

employment at the facility.


c) Provide all employees with a copy of the Contractor’s personnel policies and pertinent DOC policies, directives, rules, interim memos, MOUs, intergovernmental agreements, and guidance documents.

d) Train staff concerning federal and state privacy and security requirements including, but not limited to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and 42 CFR Part 2.

e) Require that staff attend a facility safety and security orientation screening, which includes PREA orientation, prior to unsupervised time with patients.

f) Provide training modules during employee orientation that include an introduction to Vermont’s correctional system, a review of DOC policies, directives, rules, interim memos, MOUs, governmental agreements, and guidance documents.

g) Develop and maintain an employee grievance and resolution process that provides the Contractor’s staff with a confidential means to address work-related issues.

h) Develop and maintain a mechanism for employees who voluntarily terminate to anonymously report information regarding the reason that they terminated employment with the Contractor. Staff shall be informed of this mechanism at the time of their hire.

i) Review and modify the orientation materials as needed.

2.13 Staff training and retention program The Contractor shall:

1. Within three (3) months of execution of the Contract, develop and implement a plan for the ongoing training, recruitment, and retention of staff. The plan shall be provided for comment and approval to the Contract Manager or designee.

2. Provide staff a comprehensive employee training program, customized for each position, within thirty (30) days of employee hire.

3. Provide a 30-day orientation period for each new employee. The orientation period shall provide on-the-job training, mentoring, and professional support to on-boarding employees.

4. Provide training modules during employee orientation that include an introduction to Vermont’s correctional system, a review of DOC procedures, directives, rules, interim memos, MOUs, intergovernmental agreements, and guidance documents.

5. Provide close supervision of each new employee during the orientation period by an experienced employee in the same profession. Specifically, new staff shall not be on a shift unsupervised during the first two weeks of the 30-day orientation period.

6. Review and modify (as needed) all employee orientation materials. 7. Develop and deliver trainings to all employees, including but not limited to, the OSHA

Safety and Health Achievement Recognition Program (SHARPS), 10-33s (emergencies), PREA, and Assertive Community Treatment (ACT).

8. Provide emergency response training which shall include the procedures outlined in DOC Administrative Directive #414.03 Emergency Preparedness, guidance, and local procedures. The Contractor, in coordination with the DOC Academy Director, DOC Director of Nursing, Health Services Director, and DOC Facilities Executive, shall develop and implement such training within three months of contract initiation, and implement it within six (6) months of contract initiation. The Health Services Director or designee and the DOC Facilities Executive shall approve the training prior to implementation.

9. Offer continuing education classes and training. Continuing education and training shall


be on topics that align with the provision of healthcare in corrections. The number of days and hours shall be determined by the Contractor and approved by the DOC.

10. Develop an employee grievance and resolution process that provides the Contractor’s staff with a confidential means to address work-related issues.

2.14 Agency of Human Services (AHS) Training and Mandated Reporting Requirements The Contractor shall:

1. Require that all staff are aware of the mandated reporter requirements under 33 V.S.A. § 4913 (“Reporting child abuse and neglect; remedial action”) and 33 V.S.A. § 6901 et seq. (Reports of Abuse of Vulnerable Adults) prior to working with patients.

2. Require all staff to complete mandated reporter training within thirty (30) days of employment.

2.15 Specialized Training for Mental Health Staff The Contractor shall, at a minimum, provide training requirements for mental health staff that include:

1. In-depth orientation to familiarize the employee with the mental health services delivery system (see Appendix 2 – Mental Health and Co-occurring Workflow).

2. Continuing education to maintain employees’ current licensure, accreditation, and clinical knowledge.

3. Best practices with regard to providing mental health care to patients including, but not limited to, motivational interviewing, cognitive behavioral therapy, risk-need-responsivity (RNR) concepts, a SMART (Specific, Measurable, Attainable, Results-oriented, and Timely) model for the development of Individualized Treatment Plans, and the standards for clinical documentation.

4. A process to become designated as a “Qualified Mental Health Professional” by the Commissioner of DMH.

5. Use of the Foundations of Clinical Supervision Model, utilizing Professional Development Plans (PDPs).

6. Training in any other evidence-based intervention as defined by the Health Services Director or designee.

2.16 Training of Correctional Officers

1. The Contractor shall provide special training to medical and DOC staff in accordance with the requirements set forth in 28 V.S.A. § 907 (mental health service for patients). The training will include in-person orientation and written materials.

2. The Contractor shall conduct in-service education and training sessions for DOC staff at each facility on a quarterly or more frequent basis, as requested by the DOC. The training curricula shall be reviewed and approved by the Health Services Director or designee, and may include, but not be limited to: a) Administration of first aid. b) Bloodborne pathogen training. c) Recognizing the need for emergency treatment. d) Recognizing acute manifestations of chronic illnesses. e) Recognizing chronic medical and disabling conditions. f) Recognizing signs and symptoms of detoxification and withdrawal.


g) Medication administration and side effects. h) Infectious and communicable diseases. i) Recognizing signs and symptoms of changes to mental status. j) Recognizing signs and symptoms of mental illness, psychological trauma, and acute and

chronic serious functional impairments. k) Recognizing suicidal behavior and procedures/protocols for suicide prevention. l) Recognizing signs and symptoms of detoxification and withdrawal. m) Stress management, basic principles. n) Trauma informed vs. trauma centered practice. o) Other topics as the DOC may deem necessary.

3. The Contractor shall develop a quarterly training calendar in coordination with the local facilities. The training calendar will be submitted to management at each facility one month prior to the beginning of each calendar quarter.

2.17 Medication Administration Training The Contractor shall ensure that all personnel who administer prescription medication are appropriately trained, with specific emphasis placed on psychotropic medication administration and the documentation and follow-up requirements related to medication refusals.

2.18 Nursing Assessment Protocols The Contractor shall:

1. Review and verify that nurse assessment protocols and pathways comply with applicable state statutes, scope of practice requirements, and standards of care.

2. Appropriately train and supervise nurses to effectively utilize the protocols and pathways.

3. Maintain written policies and procedures specifying the steps in the assessment and treatment of patients by nursing staff. Nursing protocols and pathways should address a range of contingencies, including but not limited to the use of over-the-counter medications, first aid procedures, chest pain, shortness of breath, withdrawal, detoxification, and intoxication.

4. Maintain clearly defined processes for evaluating and stabilizing patients experiencing physical or mental health pain or distress pending contact with the appropriate supervisor or medical provider for further instructions, or the arrival of emergency medical services or care provider.

5. Avoid the use of standing orders except for the administration of lifesaving medications and treatment practices, in accordance with 18 V.SA. § 4240 (Prevention and treatment of opioid-related overdoses).

2.19 Clinical Performance Enhancement At least annually, the Contractor shall require a peer-review of clinical performance of each of the facility’s health care providers, including nurse practitioners, physician assistants, advanced practice registered nurses, physicians, and licensed mental health professionals. In the event of an unsatisfactory review or termination, the Health Services Director or designee shall be informed and when applicable, shall receive a copy of the employee’s corrective action plan.


2.20 Professional Development 1. Contractor shall ensure that all health care professionals will participate in annual continuing

education appropriate for their positions. 2. For mental health staff, professional development should be guided by Professional

Development Plans (PDPs). PDPs should be developed for each mental health professional at a minimum of once every six (6) months. Contractor shall train supervising mental health staff in the development and use of PDPs and shall utilize the Foundations of Clinical Supervision Model.

3 Health Care Services

3.1 Pharmaceutical Services The Contractor shall:

1. Provide pharmaceutical services sufficient to meet the needs of the inmate population and which operate in accordance with all local, state, and federal laws and regulations regarding the dispensing, procurement, distribution, storage, and disposal of pharmaceuticals.

2. Maintain an electronic pharmaceutical interface that fulfills the requirements specified in Exhibit C “State of Vermont Bidder Response Form.”

3. Establish a Pharmacy and Therapeutics (P&T) Committee that shall: a) Within thirty (30) days after contract initiation, develop and submit to the Health

Services Director or designee for review a formulary that duplicates, or is reasonably consistent with, the Vermont Medicaid formulary.

b) Maintain the list of “essential medications” to guide staff decisions regarding medication ordering, interchange, substitution, and refusals.

c) Be composed of actively practicing physicians and other prescribers, pharmacists, nurses, administrators, quality improvement managers, and other health service staff that participate in the pharmaceutical operations.

d) Evaluate, educate, and advise medical staff and administrators in all matters that relate to the use of medications, including pertinent new medications, FDA changes/black box warnings, and corrections-specific best practices.

e) Review medication administration records (MAR) and physician prescribing reports as part of the CQI process.

f) Approve the use of generic rather than brand medications, unless otherwise specified by the P&T Committee.

g) Develop clinical guidelines for the use of medications. h) Establish a process for the Contractor’s Statewide Medical Director and Statewide

Supervisor of Psychiatric Services to review and approve all non-formulary requests through the EHR.

i) Conduct investigations into adverse drug events (including monitoring and reporting).

j) Develop clinical care guidelines for the development of clinical care plans. k) Within six (6) months of contract initiation, per direction and approval of the

Health Services Director or designee, develop and implement the use of reports and metrics which can be used to verify that medications are provided in a timely, effective, and appropriate manner. The reports and metrics shall include, but not be limited to, a monthly report of all medication errors, as well as identification of


trends and solutions to such errors. 4. Determine eligibility, requirements, costs and feasibility of pursuing and executing an

agreement to provide medications through the 340(b) Drug Pricing Program. 5. Maintain a pharmaceutical stock inventory utilizing its Primary Pharmacy Vendor

(PPV) and par levels at each site to facilitate the initiation and continuation of pharmaceutical therapies as ordered by a medical provider.

6. Retain the services of a licensed pharmacist who shall provide consultation and direct services to the Contractor and the Health Services Director as requested.

7. Contract with one or more community (including hospital) pharmacies near each correctional facility which shall serve as Back up Pharmacies (BUPs). The Contractor shall utilize the BUPs to provide timely access to essential medications for which no substitute is available within the stock supply.

a) Direct staff to access the BUP as an occasional supplement to, not as substitution for, the PPV.

b) Establish a protocol for the delivery of the pharmaceuticals from each BUP in a manner that does not utilize Contractor or State employees, who may be used only in limited, exigent circumstances. The Contractor will inform the Health Services Director or designee prior to requesting Contractor or State employees to pick up and deliver pharmaceutics from the BUP to DOC facilities.

8. Provide a method for identifying medications that a patient may bring with them to the correctional facility due to the nature of the drug (i.e., the medication cannot be immediately provided through stock or through the BUP)

9. Make pharmaceuticals available in the following manner: a) Prescriptions for new medications shall be available as per the prescriber’s order. b) Patients with active medication prescriptions shall have access to all prescribed

medications with no lapses in availability. Ordered pharmaceuticals for the provision of ongoing care shall be considered routine with respect to PPV delivery.

c) All keep-on-person (KOP) schedules and facility administration timelines shall be adhered to.

d) Routine administration shall occur within two hours of the time medication is scheduled to be administered.

e) Stat/urgent medication administration shall occur within one hour of the provider’s order.

10. Prepare, maintain, and store pharmaceuticals under secure conditions. 11. Continuously verify that each site has an adequate and proper supply of antidotes and

emergency medications. 12. Administer addictive, abusable, and/or psychotropic medications in crushed or liquid

form, when indicated. 13. Institute an automatic stop-order system for certain categories of drugs (i.e., antibiotics,

controlled substances, pain medications, all sedative-hypnotics).

3.2 Hospital-Based Services The Contractor shall:

1. Sub-contract or maintain written agreement(s) with one or more local hospitals to provide:

a) Emergency services to patients on a 24-hour basis.


b) Inpatient hospitalization for all patients in DOC custody. 2. Sub-contract with or maintain written agreement(s) with local EMS and ambulance

services for response to facilities and for the transfer of patients. 3. Be responsible for the costs of all emergency transports of patients by EMS, except for

EMS transports for incapacitated persons. 4. Coordinate transports with DOC facility staff. 5. Maintain access to the major medical centers’ EHRs or portals for the purposes of

reviewing the status of patients who are admitted to the hospital. 6. Develop a plan to ensure timely transmittal and receipt of nursing and medical reports,

include any related to a psychiatric diagnosis, with any hospital that may be utilized for a patient’s care.

7. Enter all external medical and psychiatric records of hospitalization or treatment into the EHR.

3.3 Specialty Care The Contractor shall:

1. Identify qualified medical specialists in the individual facilities’ service areas. 2. Provide access to specialty services in a timely manner, utilizing the major medical

centers (University of Vermont Medical Center and Dartmouth Hitchcock Medical Center) for specialty care when appropriate.

3. Submit requests for specialty services to the Contractor’s Utilization Management (UM) Nurse and the Statewide Medical Director for review. The UM Nurse and the Statewide Medical Director will review requests against InterQual and other pertinent criteria. The Statewide Medical Director will determine if the request shall be approved, denied, or if an alternative treatment plan is indicated. The results of the review shall be communicated to facility-based health services and documented in the patient’s EHR.

4. Collaborate with the infectious disease department of UVMMC to coordinate care for patients with Hepatitis C and/or HIV.

5. Arrange for diagnostic testing to occur within the facility whenever possible. 6. Provide timely and relevant information, including behaviors related to psychiatric

diagnosis, to outside specialists for facilitating treatment. 7. Authorize, schedule, and coordinate all specialty services. 8. Coordinate the movement of patients to off-site appointments with DOC Facility

Management and/or their designees.

3.4 Off-Site Care, Care Coordination and Follow-Up care 1. The Contractor shall:

a) Provide all patients receiving off-site specialty care or returning from outside hospital stays with timely follow-up appointments with QHCPs as recommended by a medical professional. The purpose of a follow-up encounter shall be to:

i. Discuss the treatment provided and outcome of the hospitalization or off-site care.

ii. Review with the patient any notes and recommendations from the off-site provider.

iii. Determine if further visits, provider follow-up, or diagnostic testing should be ordered.

b) Document pertinent information regarding the patient’s hospitalization or care received


off-site, and any observations and recommendations, in the EHR. Documentation may also include reasons that the visit may not have occurred (e.g., patient refusal or cancellation of the visit by the Contractor, DOC, or the off-site provider).

2. Under no circumstances shall the Contractor limit or delay a patient’s access to off-site services that are medically required. If the State believes that the Contractor is not providing such required services in a timely fashion, the Health Services Director or designee and the Contractor’s Statewide Medical Director shall immediately review and resolve any dispute.

3.5 Services pursuant to the Americans with Disabilities Act (ADA) 1. The Contractor shall immediately work with the ADA Coordinator at the facility via the

established process when any patient: a) Requests accommodation under the ADA; or b) Whose condition may require accommodation under the ADA.

2. The Contractor shall provide accommodations to patients in compliance with the ADA as required by law, and in consultation with the State.

3. The Contractor shall notify the DOC ADA Director of all ADA requests that are not approved via the established process.

4. In the event that there is disagreement between the Contractor and the DOC regarding ADA accommodations, the Contractor shall comply with the direction of the DOC ADA Director.

3.6 Psychiatric Services 1. The Contractor shall provide a range of evidence-based, trauma-informed, culturally

sensitive, and age- and gender-specific psychiatric services. Under the supervision of the Psychiatric Coordinator, the Contractor shall: a) Participate in emergency medication administration processes. b) Consult with a psychiatrist as required. c) Establish a process to obtain informed consent, review diagnosis, and discuss treatment

options with the patient. d) Coordinate with DOC to create a system of supervision for psychiatric services

providers. e) Provide for the prescription and management of medications in accordance with

evidence-based standards and general best practices for correctional settings. Medication management shall include but not be limited to:

i. Meeting with patients to assess their medication needs. ii. Scheduling patients for follow-up with psychiatric providers at clinically

indicated intervals to monitor progress. iii. Obtaining release of information forms (ROIs) to consult with collateral sources iv. Offering patients education regarding the risks of non-compliance or the

discontinuation of medications. v. The timely completion of all documentation related to psychiatric services in the

patients EHR. f) Review diagnostic assessments using Structured Clinical Interview for DSM-V (SCID-

5) or other tool specified by the Mental Health and Substance Abuse Systems Director or designee to aid in the assessment and diagnosis of mental illness. The SCID-5 shall be configured in the EHR.

g) Establish process of clinical review to ensure the appropriate differential diagnosis and level of care.


2. The Contractor shall: a) Participate in planning and providing for the needs of patients with symptoms of acute

mental health deterioration. b) Participate in the identification and treatment of patients who are designated as having a

serious functional impairment (SFI) or those with serious mental illness. c) Assure that all patients have provided informed consent for their treatment. d) Assure that individualized treatment plans incorporate interventions targeting at specific

needs identified in assessment. e) Assure that interventions are evidenced based and delivered to the modality and

intensity indicated in the assessment. f) Timely complete all documentation related to services (Refer to the Appendix 2 –

Mental Health Workflow). g) Develop staff training for mental health providers and DOC staff as requested. h) Coordinate with DOC to create a system of supervision for mental health providers,

including supervision for certification and licensure. i) Provide individual and group treatment at each facility. j) Collaborate in development of transitional support and/or continuing care plans. k) Provide for the treatment and needs of patients in segregation. l) Collaborate in developing support plans or discharge plans as required for the provision

of services to patients. m) Collaborate with, and require that all psychiatric providers collaborate with, mental

health professionals and DOC staff in the development of all plans for patient care, including safety plans, individualized treatment plans, discharge plans, and facility-based behavior management plans.

3.7 Mental Health Services 1. The Contractor shall provide a variety of services and levels of mental health and co-

occurring services and care to a patient with a mental condition, psychiatric disability or disorder, or SFI, up to but not including hospital level of care, consistent with the patient’s treatment plan.

2. The Contractor shall use a level of care/placement criteria approved by the State, such as the LOCUS, when determining the appropriate level of mental health care. These services shall include, as appropriate, the following: a) Follow-up evaluations. b) 24/7 crisis intervention. c) Crisis beds. d) Residential care within a correctional institution, assisting in determining the size and

location of designated units. e) Clinical services provided within the general population of the correctional facility f) Services provided in designated special units. g) Other services that the DOC, the Vermont Department of Disabilities, Aging, and

Independent Living, the Department of Vermont Health Access (DVHA), and the DMH jointly determine to be appropriate.

3. To the extent possible, Contractor shall develop and review mental health services collaboratively with the patient. The patient must give informed consent to any treatment, and Contractor shall honor a patient’s refusal of treatment. Exceptions to this shall proceed in compliance with prevailing federal, state statute, case law,


and state policy. 4. The Contractor shall provide 24/7 access to urgent and emergent on-call and on-site mental

health services that include, but are not be limited to: a) Face-to-face encounters with patients. b) Assessments to determine if the patient requires a hospital level of care. c) Discussion of patients with urgent or emergent mental health needs as part of the

facility’s morning meeting. d) Those necessary to comply with Vermont’s Act No. 78 (2017), related MOUs, and

deliver care in mental health units which may be developed in DOC in compliance with NCCHC essential standard MH-G-02. See Appendix 3 – Act 78 An Act Relating to Offenders with Mental Illness, Inmate Records, and Inmate Services and Appendix 4 – Mental Health Units.

e) Documentation of referral activity to inpatient psychiatric facilities, including but not limited to: when the patient was initially referred; the outcome of the referral (accepted or denied); if denied, reasons for denial; date of placement; and latency between the initial referral and date of placement.

f) Suicide prevention and intervention utilizing the Columbia Suicide Severity Rating Scale or other tool as indicated by the Mental Health and Substance Abuse Systems Director or designee. All patients shall be assessed by a QMHP using the Columbia Suicide Severity Rating Scale within one hour of any self-harming incident. The QMHP shall utilize all historical DOC or Contractor administered CSSRS responses.

g) Consultation with local facility leadership regarding potential contraindications to the use of force with patients and recommending alternatives to the use of force.

h) Evaluation of patients prior to segregation for potential contraindications to the use of segregation or consideration of less restrictive housing options.

i) Patients who are housed in segregation will have a plan to assist them in transitioning from segregation to the general population as well as a plan to remain in general population. The Contractor is required to contribute, participate, and meet plan expectations as determined by the patient’s needs.

j) Critical incident debriefing for patients, staff DOC staff and/or visitors, as requested or otherwise required.

k) QMHPs shall conduct regular mental health rounds, at least three (3) times per week, on all patients confined in segregation to ensure that the patients receive appropriate mental health services and that symptoms are detected and treated in a timely manner.

l) Provide that any patient determined to be “a person in need of treatment” pursuant to 18 V.S.A. § 7504 is seen by a QMHP twice daily unless clinically contraindicated while waiting for hospitalization.

5. For patients with Serious Mental Illness (SMI) or Serious Functional Impairment (SFI), the Contractor shall: a) Provide that all SFI patients have an Individualized Treatment Plan to address their

functional impairment. b) Utilize mental health staff to perform self-harm watch and mental health evaluations on

patients designated as SFI at least three (3) times per week. c) Utilize QMHPs to conduct periodic re-evaluation as required by law. d) Document all checks and encounters in the patient's EHR, to include, at least:

i. The results and clinical impressions of a brief mental status exam. ii. Any observable elements of mental status.


iii. Other observations (including those provided by DOC security staff) of patients’ recent behavior such as social functioning, personal hygiene, and activities of daily living (ADL).

iv. Administration of the Columbia Suicide Severity Rating Scale or another tool as approved by DOC.

v. Indications that the patient is decompensating and may require a higher level of care (i.e., inpatient psychiatric hospitalization).

vi. The development of an Individual Treatment Plan that is relevant to the patient's condition.

vii. Ensure a QMHP assess all patients with an SFI or SMI for contraindications prior to placement in disciplinary or administrative segregation.

viii. Provide alternatives to segregation when contraindications exist. ix. Have a physician review and approve/deny administrative or disciplinary

segregation placement based on medical judgment any patient with an SMI or SFI. A physician must review all disciplinary segregation placements regarding a patient with SMI or SFI prior to placement. SMI or SFI patients cannot be placed in disciplinary segregation without the approval of a physician.

x. Ensure a QMHP determines if the behavior for which the patient received the disciplinary report proximately results from an SMI or SFI. The QMHP shall inform and recommend options for disposition to the Hearing Officer (DOC staff).

xi. Ensure a Facility Psychiatrist or Advance Practice Nurse is available to the Hearing Officer during due process hearings when involving a patient with SMI or SFI.

xii. Patients with an SMI or SFI that are housed in segregation shall receive daily visits from QHCPs or QMHPs to assess their status and initiate/refer for any needed changes in the treatment regimen. These assessments shall document physical observations, the patient’s affect, any suicidal or self-harming ideation, and health complaints as per CVR 13-130-024. The needs of patients who are experiencing a current, severe psychiatric crisis, including but not limited to acute psychosis and suicidal depression, shall be addressed promptly, consistent with the patient’s willingness to accept treatment. Alternative placements, consistent with their security, health and mental health needs, shall be considered.

3.8 Services for Incapacitated Persons Upon admission of the Incapacitated person (INCAP) to a DOC facility, the Contractor shall: a) Provide an initial medical screening, ongoing observation, and medically necessary

services to the INCAP. b) If the results of the screening or observation indicate the INCAP has urgent needs which

are beyond the capacity of the facility to provide, or is in danger of imminent self-harm, the Contractor shall immediately notify the Shift Supervisor to arrange transportation for emergency medical care.

c) Notify, as necessary, the ER that an INCAP will be arriving. d) Provide emergency medical care as necessary until emergency responders arrive and

commence providing such care.


3.9 Withdrawal and Detoxification Services The Contractor shall:

1. Provide qualified, trained, and competent healthcare professionals to supervise withdrawal and detoxification services.

2. Train staff in the “Clinical Alcohol and Withdrawal Institute – Revised” (CIWA-r) which shall be used to track the severity of withdrawal symptoms. Staff training shall include the use of appropriate medications and other interventions to ease discomfort and ensure patient safety. The training shall include information regarding the seriousness (e.g., risk of death) of alcohol withdrawal.

3. Train staff in the Clinical Opiate Withdrawal Scale (COWS) which shall be used to track the severity of withdrawal symptoms over time. Staff training shall include the use of appropriate medications and other interventions to ease discomfort and ensure patient safety.

4. As clinically indicated, provide treatment, including medications, to improve comfort and address unnecessary suffering for patients who are under the influence of, or undergoing withdrawal from, alcohol, opioids, or other substances.

5. Provide appropriate health education and counseling to patients admitted under the influence of alcohol and other substances once the patient can provide informed consent.

3.10 Medication Assisted Treatment (MAT) The Contractor shall follow the processes identified in Appendix 5 – VT DOC MAT Clinical Guidelines.

3.11 Obstetrics and Gynecology Services Chittenden Regional Correctional Facility (CRCF) currently houses nearly all of the female patients in Vermont. The Contractor shall employ staff that includes OB/GYN-trained health care practitioners who are qualified to meet the needs of all patients requiring those services. The Contractor shall:

1. Provide routine health care services that includes, but is not limited to, Pap smears, breast exams, mammograms, and access to birth control.

2. Maintain agreements with local family planning agencies for the provision of weekly learning sessions and care coordination services related but not limited to:

a. Family planning. b. Referrals and access to health services upon discharge. c. The appropriateness of various birth control methods, including long-acting

reversible contraception. d. Intimate partner violence.

3. Administer care in a manner consistent with national guidelines, the patient’s history, and personal and family risk factors.

4. Provide staff trained in the health care needs of female patients across the life span. 5. Collaborate with external health organizations to provide education on family planning,

intimate partner violence, and birth control methods, including long-acting reversible contraception.

6. Provide discharge planning services to connect patients to appropriate health services upon release.


3.12 Services for Pregnant Patients; Pregnancy Counseling The Contractor shall:

1. Provide pregnant patients with timely and appropriate pre-natal and post-partum care including but not limited to medical examinations, health education on pregnancy, all needed laboratory and diagnostic testing, referrals to off-site specialists as needed, and pregnancy counseling by a provider to include (as appropriate) a discussion of the patient’s options. The Contractor may determine at its discretion that a local family planning agency may be a more appropriate entity to facilitate a discussion of options with the patient. All conversations will non-coercive. If the patient chooses, abortion services will be coordinated and provided off-site, with the costs of the procedure borne by the DOC.

2. Provide appropriate care for patients determined to be at high-risk for pregnancy and delivery complications.

3. Reduce the risk of complications and maintain the safety of the patient and the fetus by providing MAT (including initiation of MAT using methadone or other medication), as clinically indicated.

4. Develop and implement policies, procedures, and training programs which will support the provision of safe, timely, appropriate prenatal/post-partum care and, when appropriate, specialized obstetrical services.

5. Coordinate with Lund Family Center, Kids Apart Program, and Maternal Fetal Medicine (High Risk Obstetrics) regarding pregnancy (i.e. birthing plans, breast pumping and milk storage.)

3.13 Gender Dysphoria Services In providing services to patients with gender dysphoria the Contractor shall:

1. Have mental health professionals assess and provide services, as needed, to patients who may have gender dysphoria.

2. Assist the DOC in providing necessary accommodations, including property, to meet the needs of a patient’s gender identity.

3. Continue and/or initiate treatment, including but not limited to hormone therapy, as medically indicated and in accordance with law and DOC policy.

4. Provide gender-based care in accordance with the prevailing medical standard.

3.14 Care for the Terminally Ill Hospice/Palliative care units are currently located at Southern State Correctional Facility, Northern State Correctional Facility, and CRCF. The Contractor shall:

1. Develop and implement a hospice/palliative care program to direct the provision of care and services.

2. Recruit, train, and supervise patients as hospice workers. 3. Refer, utilize, and adhere to Vermont law related to advance directives for healthcare,

disposition of remains, and surrogate decision making. 4. Provide care for terminally ill patients in a manner that aligns with community

standards, including, but not limited to: a) Comfort care in accordance with palliative care/hospice standards as prescribed

by the provider. This is to include medications, food for comfort, and family visits as allowed by DOC security.

b) Use of appropriate advance directive forms and instructions located on the


Vermont Ethic’s Networks website. The Contractor shall record the completed forms in the offender management system (OMS) and the EHR and send a copy to the DOC Director of Nursing, Health Services Director and the Statewide registry for recording.

3.15 Treatment for Individuals with Hepatitis C The Contractor shall provide HCV treatment in the following manner, unless otherwise advised by a consulting infectious disease (ID) specialist and approved by the Health Services Director or designee:

1. For any patient with a fib-4 score of 1.45 or greater, the Contractor shall request an appointment for a FibroScan (elastography); when the appointment is scheduled will be dependent on the facility that performs the scan.

2. Regardless of F score (different than fib-4 score), the Statewide Medical Director shall seek advice from an infectious disease specialist (currently UVMMC Infectious Disease Department) to determine whether to initiate a patient on Direct Acting Antiviral (DAA) pharmaceutical treatment, and to ensure that the patient’s care is consistent with treatment guidelines. The Statewide Medical Director shall make the final decision regarding the provision of DAA therapy.

3. Unless medical contraindications exist, patients with HCV who will be in custody long enough to receive a full course of DAA treatment and who consent shall be prescribed such treatment. The duration of the course of treatment is dependent upon the type of medications prescribed and the patient’s response.

3.16 Enhanced Substance Abuse Treatment for Women

The Contractor will provide the following services for women who are currently placed at CRCF:

1. Develop and deliver, in collaboration with the State, evidence-based substance abuse and co-occurring treatment services for all incarcerated women regardless of criminal status. These services shall include early intervention/engagement as well as delivery of multiple group/individual/case management sessions each week.

2. Utilize the intake and mental health workflows as described in this Contract and appendices, in collaboration with the State, to conduct a screening and assessment for substance use and co-occurring disorders. Participate in multi-disciplinary treatment teams as designated by the State to assure a holistic, strength based, and gender responsive intervention approach.

3. Utilize the DOC’s risk assessment information as well as the DSM-5 (or its successors), TCU 5, SCID-5, TCU Opioid Supplemental and/or other State identified and approved tools in the development of enhanced programming at CRCF.

4. Identify, in collaboration with the State, evidence based, cognitive behavioral skill curriculums to be delivered within the facility (e.g. Seeking Safety, Criminal Conduct and Substance Abuse, Moving On, Thinking for a Change, Integrated Change Therapy)

5. Complete substance abuse assessments (TCU 5, SCID-5, TCU Opioid Supplemental) as per SUD and MAT workflow as approved by the State.

6. Conduct urinalysis and/or other proven reliable forms of drug and alcohol testing for program participants, including both periodic and random testing, while they are incarcerated.

http://www.vtethicsnetwork.org/forms/dnr_colst_instructions%20and%20Form%2009.pdf


7. Prior to release, develop comprehensive discharge plans. The discharge plans will be developed in coordination with community-based treatment resources including transition re-entry services, facility-based caseworkers and field supervision. This care coordination at release is to ensure the appropriate level of treatment and continuing care.

8. Develop staffing and services based upon the scheduling needs of the facility, which may include evenings and weekends.

9. Recruit and retain designated credentialed staff of up to three (3) full-time clinical staff, inclusive of a Substance Abuse Treatment Program Manager who shall, at a minimum, possess a master’s degree in a relevant field and certification in alcohol and drug abuse counseling.

10. Assure that all participants consent to release of information relevant to their program participation and case planning, to include transition and discharge planning.

11. Identify a supervision structure based on best practices which utilizes the existing administrative and clinical infrastructure at CRCF.

3.17 Diagnostic Services The Contractor shall:

1. Provide for on-site diagnostic services that are registered, accredited, and meet all applicable state and federal laws.

2. Maintain an electronic record that fulfills the requirements specified in Exhibit C “State of Vermont Bidder Response Form” for a user to electronically record, store, retrieve, and modify, at a minimum, the following order types:

a) Medications. b) Laboratory. c) Radiology/imaging.

3. Maintain an electronic record, or electronic log, that fulfills the requirements specified in Exhibit C “State of Vermont Bidder Response Form” for a user to maintain and document the type and number of specimens sent and returned.

3.18 Radiology Services

The Contractor shall: 1. Provide radiology services on-site to the extent possible. When provision of on-site

radiology services is not possible, patients will be referred off-site for such services. 2. Maintain in working order all x-ray equipment, currently located at Southern State

Correctional Facility, in accordance with state and federal standards. 3. Require any subcontractor to use a board-certified radiologist to review and report

findings of all diagnostic studies in a timely manner. 4. Promptly notify the appropriate provider when the results of radiology services indicate

positive or abnormal findings. Positive or abnormal findings should be provided verbally within three (3) business days, followed by written notification of the test results, whether normal or abnormal, within seven (7) business days.

5. Require the ordering provider, site physician, or medical designee to review, initial, and date all radiology reports upon receipt.

6. In the event of a positive or abnormal finding, require that the provider notify the patient and develop a plan of care within ten (10) business days of receiving the results.


7. In the event of normal findings, notify patients of the results within fourteen (14) business days. Nursing staff may notify the patient of normal results.

8. Document in the patient’s EHR all radiology information, including but not limited to reports, results, and conversations with patients about the treatment plan.

3.19 EKG Services The Contractor shall provide:

1. On-site EKG services. 2. All necessary elements relative to the provision of testing and maintenance of EKG

equipment. 3. Immediate reading and reporting of EKG results using EKG machines with auto-read

capabilities. 4. The capacity for over-reading of abnormal EKGs by an individual licensed or certified

to do so. 5. The ability to electronically transmit EKG tracing to a medical provider for immediate

review. 6. Adequate training of nursing personnel which is necessary to perform, interpret, and

communicate results of EKGs.

3.20 Laboratory Services The Contractor shall provide laboratory services which meet national (American College of Pathology), State, and federal requirements and standards. The Contractor shall sub-contract with a laboratory to provide full laboratory services, diagnostic testing, and a fully detailed lab manual with instructions in all areas of specimen collection, handling, and processing. This includes but is not limited to:

1. Available routine, stat, and special tests. 2. Turn-around times. 3. Procedures for the safe storage and transport of specimens. 4. Critical values reporting. 5. Special chemistry and toxicology analysis. 6. The location of reference laboratories for tests not conducted by the primary lab sub-

contractor. 7. Timely pickup and delivery of specimens. 8. Accurate reporting within a reasonable timeframe. 9. Maintenance of an electronic log to document the type and number of specimens sent

and returned. 10. Immediate reporting of lost specimens to the DOC Facility Management so that the lab

tests(s) may be repeated. 11. A process for physicians to review, date, and initial laboratory results. 12. A procedure for the timely review of laboratory results if the patient’s primary provider

is absent. 13. Documenting the results in the patient’s EHR. 14. Timely informing patients of their laboratory results. 15. Developing processes whereby providers can re-evaluate the patient and re-order

laboratory tests as appropriate, including instances when the patient has refused prior testing.


3.21 Physical Therapy and Other Ancillary Services The Contractor shall:

1. Establish and maintain a comprehensive range of ancillary support services, including but not limited to physical therapy. Physical therapy shall include but not be limited to specific equipment, home exercise programs, and a mechanism for the patient to receive follow-up care.

2. Coordinate all on-site and off-site ancillary diagnostic and treatment services. 3. Verify that all subcontractors:

a) Meet federal, state, and local licensure, certification or credentialing as required. b) Provide proof of professional liability insurance. c) Operate according to a Business Associate Agreement. d) Are registered to do business in Vermont.

3.22 Optical Services

The Contractor shall: 1. Screen all patients for need for optical services as part of the initial comprehensive

health assessment, utilizing the Snellen Chart or LogMAR Chart to evaluate visual acuity.

2. Provide timely evaluation and treatment of patients who may have visual problems and who may need optical services.

3. When a visual deficiency beyond 20/40 is identified, refer the patient to the Contractor’s optical service provider.

4. Consult with the Vermont Division of the Blind and Visually Impaired for all patients who are identified by the optical service provider as needing supplemental expert services. Any consultation with the Vermont Division of the Blind and Visually Impaired shall trigger an ADA accommodation.

5. Schedule and coordinate appointments for optical services. 6. Pay for the dispensing, evaluation, and fitting services of an optometrist. 7. Provide all monocular patients with a referral to the optometrist for a discussion of

vision preservation without regard for visual acuity testing. 8. Provide one set of eyeglasses to patients as prescribed and deemed necessary by the

optometrist. 9. Provide all eligible patients follow-up eye exams every two years. 10. Require that the patient bare responsibility for the cost of replacement of lost or

damaged prescription eyewear due to the patient’s negligence. DOC recognizes that some cases (e.g., indigence) may require an alternate approach.

3.23 Oral Care; Dental Services The Contractor shall:

1. Provide access to dental services, including preventive and restorative care, in accordance with industry standards and guidelines, including those set forth by the CDC, OSHA, and the DHVA.

2. Provide a manual of dental operations, a written general orientation for all dental staff, and a mandatory orientation and training for all dental staff, specific to their job duties.

3. Employ a sufficient number of licensed dentists, mid-levels, and dental assistants to meet the needs of the population. All employed and subcontracted dental staff must be appropriately trained and currently credentialed to practice in Vermont.


4. Within thirty (30) days of a patient’s admission, conduct an initial dental exam and provide instruction in oral hygiene.

5. In the case of a re-admitted patient who received a dental examination within the past six (6) months, the dentist shall determine the need for additional dental evaluations.

6. Provide a schedule, by facility, with the hours that dentists will be available to see patients. The hours across all facilities must be sufficient to meet the needs of the population.

7. Maintain a process whereby patients may request dental services by submitting a sick slip request. Nurses will triage the requests and submit them to a licensed dentist. Patients will be seen based on the list of dental priorities.

8. Respond to non-urgent/routine care requests within twenty-eight (28) calendar days. 9. Respond to urgent dental care requests within twenty-four (24) hours. 10. Respond to emergent dental needs (e.g., facial fractures, uncontrolled bleeding,

infections not responsive to antibiotics) immediately, which may include emergency transport to a hospital.

11. Maintain a wait list for dental services which shall not exceed 14 days. 12. Refer patients who require treatment that cannot be safely provided on-site or is beyond

the licensure or scope of practice of the Contractor’s licensed dentist, to an off-site dental specialist.

13. Provide dental prostheses, including dentures, as determined to be necessary, in conformance with the provisions of DOC Administrative Directive #351 Healthcare Services.

3.24 Emergency Services 1. The Contractor shall:

a) Maintain 24/7 on-site or on-call coverage by medical and mental health prescribers. b) Provide 24/7 access to emergency medical, mental health, and dental services. c) Adhere to DOC policies and procedures to address emergency response and the

emergency transfer of patients at each facility. d) Provide emergency medical care necessary to stabilize any DOC staff, contractors,

volunteers and visitors for assessment, stabilization, and referral. Any required follow-up care will be the responsibility of the non-inmate.

e) Provide staff with emergency response training in the following, but not limited to: i. Automated External Defibrillator (AED).

ii. Bag valve masks (BVM). iii. Suction devices. iv. Other essential equipment for resuscitation and stabilization of patients pending

the arrival of EMS. 2. Provide patients on work release with urgent and emergent medical care, regardless of

patient’s access to third-party coverage, including but not limited to referrals for necessary follow-up treatment. Care shall be provided at the most appropriate facility (community or DOC) based on the patient’s health condition.

3. For patients injured while on work release whose injuries are covered under workers’ compensation insurance, coordinate follow-up care with the employer’s workers’ compensation insurer until 1) the patient’s treating physician has released the patient to return to work, or 2) until the patient is discharged from the DOC facility, whichever occurs first.


4. Immediately report all serious or life-threatening injuries or deaths.

3.25 First Aid Kits The Contractor shall:

1. Provide and maintain first aid kits for DOC staff and patients. 2. Secure first aid kits with a plastic tear-away lock. Each time the lock is broken,

Contractor shall initiate a supply request to replace it. 3. Check and replenish the contents of each kit monthly or as requested. 4. Document monthly kit checks. 5. Determine the location and contents of the first aid kits for each site in coordination

with the Contractor’s Statewide Medical Director, Contractor’s facility healthcare staff, and facility management.

4 Patient Care and Treatment

4.1 Informing Patients About Health Care Services The Contractor shall provide each patient, at the time of initial intake, information on how to access health care services while in the facility, to include at minimum the following:

1. How to access routine health care services through the healthcare request (Sick Slip) process.

2. How to access health care services while in segregation. 3. How to request an accommodation pursuant to the ADA.

4.2 Patient Consent and Right to Refuse

The Contractor shall: 1. Obtain a patient’s informed consent prior to all examinations, treatments, and

procedures. 2. Obtain informed consent from patients before reporting information about prior sexual

victimization that did not occur in an institutional setting, unless the patient is under the age of eighteen.

3. Respect a patient’s right to refuse healthcare services. 4. Provide patients with education on the potential risks of refusing healthcare

interventions. Provide the information in a format which is free of language, literacy, vision, hearing, or other barriers to comprehension.

5. Document all patient consent to, and refusal of, treatment in the patient’s EHR. 6. Whenever possible or upon request, maintain consent and refusals forms for specific

interventions.

4.3 Initial Healthcare Receiving Screening Upon Admission to a Facility 1. The Contractor shall conduct an Initial Healthcare Receiving Screening (screening) within

four (4) hours of admission, unless extenuating circumstances exist, for each patient admitted to a correctional facility. The screening shall be documented on a standardized Initial Healthcare Receiving Screening Form approved by the Health Services Director. At a minimum, the screening will include: a) Consent (or refusal) for treatment, signed by the patient. b) A release of information (or refusal), signed by the patient. c) An acknowledgement, signed by the patient, that information regarding the ADA has


been provided verbally and in writing. d) Review of any current disabilities the patient has and request or need for

accommodations under the ADA. e) Provision of ADA accommodations to meet the immediate needs of the patient. f) Review of past and current health conditions, including but not limited to, allergies,

infections, mental health conditions, communicable diseases, gynecological problems, special health (including dietary) requirements, and any hospitalizations.

g) Screening and assessment for substance use disorders, including opioid use disorders. h) Opt-out testing for HIV/AIDS in accordance with Appendix 6, “MOU with VDH and

DOC for HIV Testing.” i) Opt-out testing for Hepatitis C. j) A urine pregnancy test, if applicable. k) A process to verify and track insurance enrollment status through discharge, including

enrollment in Medicaid, as appropriate. l) Administration of a Tuberculin skin test and reading of the results within 48-72 hours. m) Verification of currently prescribed medications including buprenorphine, methadone,

or other medication prescribed in the course of medication-assisted treatment. Medications shall be verified by the patient’s pharmacy of record, primary care provider, other licensed care provider, the Vermont Prescription Monitoring System or other prescription monitoring or information system.

n) Continuance of prescribed medication, or specific explanation of reason if prescribed medication is discontinued.

o) Mental health screening to include, but not be limited to, information specified in NCCHC essential standard MH-E-04 and the following:

i. Review of any mental health records from prior incarceration episode(s). ii. Determination if the patient had been previously designated as SFI.

iii. Current diagnosis, as verified by community records. iv. Patient’s report of any current mental health diagnoses. v. Mental Status Exam.

vi. Relevant psychosocial history vii. Screening for traumatic brain injury (TBI) utilizing the “HELPS” Brain Injury

Screening Tool (or another tool approved by the Health Services Director or designee), with referral to provider or services for patients that screen positive.

viii. The Columbia Suicide Severity Rating Scale or another tool as approved by the Mental Health and Substance Abuse Systems Director or designee to assist in determining the most appropriate and least restrictive placement for the patient.

ix. Administration of the “NIDA Quick Screen,” (or other screening tool approved by the Health Services Director or designee).

p) Date and time that the screening was completed. q) Title and signature of the QHCP completing the screening.

2. As needed, the Contractor shall initiate referrals for follow-up and evaluation to the appropriate medical, mental health, substance use, or psychiatric provider, or to the emergency room. If any of a patient’s responses indicate that referral for mental health or substance use treatment is needed, mental health staff shall conduct a mental health assessment within seven (7) days. See Section 4.6; Mental Health/Substance Use Assessment – Part A; and Appendix 2 – Mental Health Workflow.

3. The Contractor shall initiate routine referrals for medical, mental health or substance use


treatment and complete, as appropriate, an Initial Comprehensive Health Assessment or Mental Health/Substance Use Assessment - Part A, within seven (7) days of screening. See Appendix 2 (Mental Health Workflow).

4. Urgent referrals to medical or mental health shall be seen within twenty-four (24) hours of the Initial Healthcare Receiving Screening.

5. Emergent referrals shall be seen immediately.

4.4 Medical, Mental Health/Substance Use Screening and Assessment for Transferred and Readmitted Patients 1. For patients transferred or readmitted to the facility who received an Initial Healthcare

Receiving Screening no more than thirty (30) days immediately prior to their re-entry to the facility, the Contractor shall at a minimum: a) Review the last Initial Healthcare Receiving Screening. b) Review the last initial or comprehensive health assessment. c) Review pertinent laboratory results. d) Inquire whether there have been any significant changes to the patient’s health status

since the last admission. e) As needed, consult with the on-site or on-call provider to determine if a new Initial

Healthcare Receiving Screening or Initial Comprehensive Healthcare Assessment may be necessary.

2. For patients transferred or readmitted to the facility who, within the past ninety (90) days, received a Mental Health/Substance Use Assessment, the QMHP shall at minimum: a) Review the prior assessment. b) Meet with the patient to determine if there have been significant changes or events since

the prior assessment. c) Determine if patient’s current mental health status requires a new Mental

Health/Substance Use Assessment, referrals, or changes in treatment plan. 3. All medical and mental health reviews of transferred and re-admitted patients shall be

documented in the patient’s EHR and Individualized Treatment Plan updated as required.

4.5 Initial Comprehensive Health Assessment The Contractor shall conduct an Initial Comprehensive Health Assessment of each patient within seven (7) days of the patient’s admission to a facility. The assessment shall be documented on a standardized Initial Comprehensive Health Assessment Form approved by the Health Services Director. At a minimum, the assessment shall include:

1. Requests for consent for treatment and releases of information, if not already obtained. 2. Review of the receiving screening results. 3. Collection of additional data, as needed, to complete the medical, dental, and mental

health histories. 4. Physical examination, including vital signs, weight and BMI assessment. 5. Screening for need for optical services. 6. RAST testing for allergies, if appropriate. 7. Ordering of laboratory and/or diagnostic tests, as clinically indicated. 8. Opportunity for HIV testing and brief counseling. 9. Immunization history and administration, when appropriate. 10. HELPS screening to determine if the patient has a traumatic brain injury. 11. For female patients, inquiry about:


a) date of last pap smear. b) date of mammogram. c) past pregnancies. d) any other gynecological problems.

12. A plan of care and referrals for treatment to address each health concern. 13. Date and time of completion. 14. Signature and title of individual completing the assessment.

4.6 Mental Health/Substance Use Assessment

1. The Contractor’s mental health staff shall conduct a Mental Health/Substance Use Assessment and complete a Mental Health/Substance Use Assessment – Part A, see Appendix 2 (Mental Health Workflow) whenever: a) The patient’s responses on any component of the Initial Healthcare Receiving Screening

indicate that referral for mental health or substance use treatment is required. Nursing staff will determine whether an emergent, urgent, or routine referral is indicated.

b) The patient requests to be seen by mental health via the “sick slip” process. c) DOC Security or DOC’s Chief of Mental Health or designee requests it.

2. Mental Health Assessment – Part A shall include but not be limited to: a) Structured Clinical Interview for DSM-V (SCID-5; or its successor or as otherwise

specified by the Mental Health and Substance Abuse Systems Director). Using the results of the SCID-5, the clinician will decide whether the patient meets the clinical criteria for a mental health and/or substance use disorder consistent with the Diagnostic and Statistical Manual of Mental Disorders (DSM-5).

b) Adverse Childhood Experiences (ACE; or as otherwise specified by the Mental Health and Substance Abuse Systems Director or designee).

c) Personality Inventory for DSM-5-Brief Form (PID-5-BF) or as otherwise specified by the Mental Health and Substance Abuse Systems Director or designee).

d) The Corrections Modified Global Assessment of Functioning (CM-GAF), the results of which will be used to determine if the patient should be considered for SFI designation.

e) Review of urine drug screen (UDS) results. f) Administration of the General Ability Measure for Adults (GAMA) (or other tool as

specified by the Mental Health and Substance Abuse Systems Director or designee) for patients suspected of having low cognitive functioning.

g) A pathway for referring patients to a psychiatric provider if the results of the assessment indicate that the patient may benefit from psycho-pharmacological treatment. The psychiatric provider shall evaluate the patient within thirty (30) days of the referral.

3. As a result of the completion of the Mental Health/Substance Use Assessment – Part A, the Contractor shall: a) Include all patients with a clinically verifiable diagnosis, for either a mental health

condition or substance use disorder or both, and all patients prescribed a psychotropic medication on the Mental Health and Co-occurring Caseload.

b) Enter diagnoses into the patient’s problem list using DSM-V codes. c) Complete an Individualized Treatment Plan.

4.7 Substance Abuse Screening, Assessment and Treatment

The Contractor shall screen all patients for substance use disorders upon intake using a tool that is approved by the Mental Health and Substance Abuse Systems Director or designee. If a patient


screens positive, the Contractor shall conduct the Structured Clinical Interview for DSM-5, and shall refer a patient with a verified substance use disorder to receive the following continuum of services:

1. Development of an Individualized Treatment Plan. 2. Substance abuse groups or individual treatment program. 3. Provide access to technology-enabled substance abuse treatment, if available. 4. Refer to Peer Recovery and Support Services, if available. 5. Encourage attendance at AA or NA.

4.8 Continuation of Prescription Medication

1. Upon admission to a facility, the Contractor shall continue any patient who is under the medical care of a licensed physician, licensed physician assistant, or licensed advanced practice registered nurse, on a verified prescription medication, pending review and evaluation of the patient’s health status and health care needs. The review and evaluation shall be conducted by a licensed physician, a licensed physician assistant, or a licensed advanced practice registered nurse.

2. Notwithstanding the above, the Contractor may discontinue a verified prescription medication that is not medically necessary. The decision to discontinue medication shall be based on the clinical judgment of a licensed physician, licensed physician assistant, or licensed advanced practice registered nurse, who shall document the reasons for discontinuation in the patient’s medical record. In addition, the Contractor shall provide written and oral explanation of the decision to discontinue to the patient, and an opportunity for the patient to authorize notification of the community-based prescriber.

4.9 Guidelines for Prescribing and Monitoring Pharmaceuticals The following shall apply as minimal guidelines for pharmaceutical prescribing and monitoring:

1. The prescriber will evaluate each patient prior to renewing prescriptions and if the prescription is not renewed, document in the EHR the rationale for discontinuing the medication.

2. Prescribers will adhere to best practice guidelines that are relevant to their scope of practice for the prescribing of medication, ordering follow-up care, and documenting of patients’ responses to medications.

3. The Contractor shall provide and implement written protocols for prescribing narcotics that include 1) best practice processes for evaluating the patient’s condition, and 2) a step-wise approach to pain control that considers non-narcotic treatments (e.g. physical therapy, acupuncture, NSAIDS). The protocols shall be evidence-based and comply with applicable laws and guidelines.

4. The Contractor shall provide and implement written protocols for prescribing and monitoring opioids and buprenorphine that are evidence-based and comply with applicable laws and guidelines.

4.10 Provision and Administration of Medications 1. The Contractor shall provide timely, safe, and clinically appropriate medication services. A

DOC officer shall be present during medication administration to perform a visual mouth check on each patient receiving medication.

2. The Contractor shall: a) Provide medications, when clinically indicated, in a manner which is predicated on


evidence-based literature and consistent with best practices and national guidelines. b) Monitor provider orders and require providers to review patients’ medication histories. c) Provide on-call provider coverage. Nursing staff may contact the on-call provider for a

verbal order after nursing staff verify a patient’s medication prescription. d) Maintain an electronic record that fulfills the requirements specified in Exhibit C (State

of Vermont Bidder Response Form) for a user to sign all medication orders in a timely fashion, including but not limited to, the electronic signing of verbal orders.

e) Sign all medication orders in a timely fashion, including but not limited to the electronic signing of verbal orders.

f) Maintain a medication administration system which provides the following: i. Internal controls to provide for a re-order prior to the expiration of the initial or

renewal order, when required. ii. A process for timely and appropriate transcription or order entry by nursing or

other personnel (as permissible by Vermont Statute or Board of Pharmacy rules) so that the order may be transmitted to the appropriate pharmacy.

iii. Utilization of stock medication whenever possible to provide the initial doses of the prescribed medication, pending arrival of the patient’s individual order from the PPV or BUP.

iv. Administration of medications by trained nurses. Ideally, med passes should occur at least two times daily in coordination with DOC Facility Management.

v. Adjustment of medication administration times when necessary to meet the needs of patients who participate in work details, classes, or programming.

vi. Notification to DOC security staff and documentation in the EHR when a patient conceals medications without ingesting them.

vii. Administration of OTC medications not accessible through the commissary. g) Provide work release patients with all necessary medications. h) Provide patients with a planned release date with their prescribed medication(s) at

release, or the date, time and contact information for an appointment with a community provider in order to prevent a lapse in medication access.

4.11 Keep-on-Person (KOP) Medications

The KOP program allows patients to possess a supply of certain medications. The Contractor shall:

1. Instruct patients about the KOP program and the appropriate use of the medication they are prescribed.

2. Routinely review and update the lists of acceptable and unacceptable KOP medications included in the DOC’s Administrative Directive #351 (Healthcare Services).

3. Confirm that employees involved in the administration of the KOP program reference the most current lists to avoid the inadvertent release of medications that may be considered unsafe.

4.12 Patient Refusal and Non-Adherence to the Treatment Plan The Contractor shall:

1. Develop a list of “essential medications” which, when missed or refused by a patient, may adversely affect the patient’s medical or psychiatric well-being.

2. Document in the patient’s EHR whenever the patient refuses or is not available to receive a medication. Documentation shall include the name of the medication, whether


it is an essential medication, whether it was refused or missed, and action taken or to be taken, including but not limited notification to the provider.

3. Obtain from the patient a signed, written refusal form for all refused medications which shall be uploaded into the patient’s EHR.

4. Train all nursing staff in obtaining signed refusals. 5. Notify DOC security staff if a patient refuses a medication that may adversely affect the

patient’s behavior or functional capabilities. 6. Provide education to patients on the potential consequences of refusing medical, mental

health, pharmaceutical, or other interventions. 7. Provide education to patients on the benefits of complying with their medication

regimen. All patient education shall be documented in the EHR.

4.13 Individualized Treatment Plans for Mental Health & Substance Use The Contractor shall develop Individual Treatment Plans that comply with NCCHC standard MH-G-03 and the following:

1. For the process of SFI designation, the DOC SFI interim memo (Appendix 7) should be followed. Additionally, ongoing SFI assessment, re-assessment and removal should be done according to Appendix 8 – SFI Identification).

2. For patients who have a mental health condition, substance use disorder, or psychiatric disability or disorder as defined by the DSM-V or its successor, develop and maintain Mental Health - Individualized Treatment Plans which are specific, measurable, attainable, realistic, and time-limited (SMART). The Individualized Treatment Plans will include, but not be limited to:

a) The members of the multi-disciplinary treatment team, including local ADA coordinators and security staff as needed.

b) Current, within the last 30 days, medications. c) Current SCID-5 results. d) Current CM-GAF results. e) Current diagnoses to be addressed. f) Collateral information including information from Community High School of

Vermont, past community treatment providers, etc. g) Strengths relevant to the patient’s successful completion of treatment goals. h) Problem statements relevant to current diagnosis and corresponding treatment

goals. i) The specific goals of treatment. j) The objectives of treatment (what the patient will do to achieve the goals). k) The specific evidenced based interventions that the Behavioral Health Contractor

and/or security staff will provide. l) The type, frequency and duration of all interventions.

m) Duration of the plan, including the date that progress towards the goals will be reviewed.

n) Patients involvement in the treatment planning process. o) ADA accommodations needed.

3. Perform Utilization Review and update treatment plans every ninety (90) days or as clinically indicated, but in no event beyond their expiration. As part of this update, the patient shall be re-assessed for diagnostic impression. Review of Individualized Treatment Plans shall:


i. Include all members of the multi-disciplinary treatment team, whenever possible. ii. Include a re-evaluation of the patient using the SCID-5 (or as otherwise specified

by the Mental Health and Substance Abuse Systems Director) and CM-GAF. Changes from the prior SCID-5 and CM-GAF scores will be documented on the Individualized Treatment Plan.

iii. Result in the re-formulation of the Individualized Treatment Plan as previously described in this section.

4. List patient’s special needs and DSM-V diagnosis on the master problem list in the EHR and in the OMS, as appropriate.

5. Maintain an ongoing list of special needs patients, which shall be communicated to facility administration and custody staff via the OMS.

4.14 Non-Emergent Care; Request for services The Contractor shall:

1. Conduct daily, visual rounds to assess the patients’ needs for health care services. 2. Implement a secure and efficient healthcare request (sick slip) process that enables all

patients, including those in segregation, to report their health concerns and request healthcare services.

3. Triage each patient request for services within twenty-four (24) hours of the request. 4. Document the request, including the date and time received, in the patient’s EHR via a

Sick Slip Order that includes: i. Transcription of the patient’s statement from the Healthcare Request Form.

ii. Nursing staff triage and determination of priority (Priority 1 = Emergent, Priority 2= Urgent, Priority 3 = Routine).

5. Document sick slip responses in the patient’s EHR. 6. Consult with the on-site or on-call provider if the patient’s condition at the time of

nursing triage or assessment requires emergency care beyond the established nursing protocols.

7. Regardless of whether the patient has requested services, under no circumstances defer or unnecessarily delay the care of any patient requiring urgent or emergent care pending discussion with management or supervisory staff.

8. Monitor sick slip responses as part of the CQI process.

4.15 Patient Escort The Contractor shall:

1. Collaborate with the DOC facility Shift Supervisor to facilitate the timely and safe escort/transport of patients for medical, mental health, and dental appointments that occur within and outside the facility.

2. Alert the DOC’s Shift Supervisor regarding accommodations that may be needed for the patient during transport, including but not limited to assistive devices or contraindications to the use of shackles or other restraint devices. The QHCP shall enter all necessary accommodations into the patient’s EHR and the OMS.

3. Take appropriate measures to protect the confidentiality, in accordance with federal and state privacy and security requirements, of all documents that may contain PHI.

4. Enter the appropriate mobility code into OMS and EHR so that patients for whom transfer is contraindicated are not transferred without approval of medical and/or mental health. See Appendix 9 – Mobility (M) Codes.


4.16 Procedure in the Event of Sexual Assault

In the event of a sexual assault, the Contractor shall: 1. Provide prompt and appropriate trauma-informed medical and psychological treatment

services. 2. Refrain from providing services outside of those required to assess the patient for

physical injuries that may potentially require immediate medical attention. At no time shall the Contractor provide what could be considered a “forensic” examination.

3. Assist DOC in coordinating transfer of the patient to a local ER where the patient shall be offered an examination by a Sexual Assault Nurse Examiner (SANE) or other QHCP.

4. When evaluating the extent of injuries or the need for outside medical services, avoid taking any actions, whether intentional or accidental, that may remove, dilute, or destroy evidence.

5. Provide medical care, including medication, follow-up treatment or referral, as directed by the SANE or ER provider.

4.17 Healthy Lifestyle Education and Promotion The Contractor shall provide formalized health education to patients. The Contractor shall document the patient’s attendance and individualized instruction in self-care for their health condition as “health education activity” in the EHR. Activities shall include, but not be limited to:

1. Providing printed educational materials for health maintenance, disease prevention, and treatment of chronic illnesses.

2. Providing individual health education during medical, dental, and nursing encounters. 3. Assigning a lead nursing staff member at each facility to conduct and monitor all health

education and disease prevention activities. 4. Those referenced in Appendix 10 – Women’s Health Program (1)) and Appendix 11 –

Women’s Health Program (2)). The Health Services Director or designee shall approve all curricula.

5. Within three (3) months of contract initiation, providing an annual Patient Health Education Calendar that describes the patient health education activities planned for each month of the contract year. Thereafter, the calendar will be provided as an annual report, within fifteen (15) days of the close of the first contract year. Changes to the calendar will be made at the discretion of the Health Services Director or designee to address specific needs when identified. The calendar will be reviewed and approved by the Health Services Director or designee prior to implementation. Additionally, the calendar should be coordinated with the facility and other DOC divisions to ensure that any competing activities or requirements that may affect scheduling are taken into account.

6. Reporting of patients per facility who have participated in a health education/disease prevention activity each month.

7. Providing individual health education during mental health encounters.

4.18 Medical Diet Medical diets will be provided to address the unique healthcare needs of patients with medical conditions which require modifications to the standard diet. The Contractor shall:

1. Comply and adhere to the DOC Administrative Directive #354 (Food Services


Operations). 2. Have the Statewide Medical Director review and approve all medical diets. 3. Provide allergy testing to any patient requesting a medical diet based on food allergies

to determine limitations. 4. Communicate all information on medical diets in a timely manner to DOC Food

Services. 5. Document the need for medical diets in the OMS and in the patient’s EHR. 6. Utilize providers and nurses to engage patients in health education regarding nutrition

and as part of health promotion and disease prevention programming. 7. Advise patients regarding the consequences of refusing their medical diet or consuming

items that are contraindicated to the medical diet.

4.19 Use of Tobacco The Contractor shall, as applicable:

1. Provide a brief screening on tobacco use during the initial healthcare receiving screening or another health encounter.

2. Provide patients with self-reported use of tobacco products with: a) Information on the health impacts of continued use. b) Group interventions and support programs, written materials, and individual

education. c) As part of release planning, information on community resources that can provide

support with tobacco use cessation.

4.20 Mental Health Education and Self-Care 1. The Contractor shall provide mental health education and self-care education to patients with

mental illness, substance abuse, and co-occurring disorders. Within six (6) months of contract initiation, the Statewide Director of Behavioral Health will create a calendar that describes the patient mental health activities planned for each month of the contract year. Thereafter, the calendar will be provided as an annual report, within fifteen (15) days of the close of the first contract year. Changes to the calendar will be made at the discretion of the Mental Health and Substance Abuse Systems Director or designee to address specific needs when identified. The calendar and proposed curricula will be reviewed and approved by the Mental Health and Substance Abuse Systems Director or designee prior to implementation. Additionally, the calendar should be coordinated with the facility and other DOC divisions to ensure that any competing activities or requirements that may affect scheduling are taken into account.

2. Programming, education, and interventions may include, but will not be limited to: a) Education on relapse prevention. b) Education on the appropriate and effective use of medications. c) Medication side effects. d) Development of coping skills for the self-management of stress, anxiety, anger, sleep

disorders, depression, and thoughts of self-harm/suicidal ideation. e) Individual/group psycho-education. f) Self-directed Cognitive Behavioral Therapy.


4.21 Continuity of care 1. Continuity of care begins at admission and occurs at all transitions of care, including but not

limited to intra-system transfers, transfer to community-based facilities, discharges from custody, and re-admission to the DOC. The Contractor shall provide a Statewide Director of Care Coordination and Care Coordinator(s) to supervise the continuity of care practices upon admission, transfer, and discharge from DOC.

2. To facilitate continuity of care, the Contractor shall: a) Oversee the coordination of comprehensive health services as patients transfer between

settings. b) Monitor care coordination activities at the facilities. c) Collaborate with DOC staff on care coordination activities. d) Verify and continue patients on medications on intake and on release as appropriate, and

as required by law. e) Establish a process for identifying, tracking, notifying and referring individuals with

chronic illnesses to appropriate health care services, while in custody and upon release to the community

f) Establish a process for identifying, tracking, notifying and referring individuals with mental health conditions to appropriate mental health care services, while in custody and upon release to the community.

g) Collect and analyze data on care coordination activities for the purposes of CQI. h) Develop and implement processes (utilizing the EHR to the extent possible) to

standardize and improve care coordination and continuity of care to community-based entities.

i) Standardize processes so patients are initiated on MAT as required by law. j) Coordinate discharge plans for patients as requested by the DOC.

3. For patients with acute and/or chronic health conditions, the Contractor shall: a) Develop a comprehensive, multi-disciplinary treatment plan for the management and

improvement of the patient’s condition(s), in compliance with the security and safety requirements of the facility.

b) Enroll patients in chronic care clinic. c) Obtain and review all relevant community-based treatment plans, especially those for

individuals designated as SFI, and determine if the plan should be continued or modified in some manner during the patient’s incarceration.

d) Obtain a signed release that allows relevant information from any community-based organizations that provided treatment to the patient prior to admission to DOC to be obtained.

e) Notify medical, mental health, psychiatric providers, nurses, and appropriate individuals at the DOC (e.g., Director of Nursing, Chief of Mental Health) when patients are sent to or returned to the facility following an emergency room encounter or inpatient hospital stay.

f) Provide a timely follow-up encounter upon the patient’s return to the facility from receiving off-site services.

g) Transmit follow-up orders to the appropriate provider who shall review and approve or modify the orders, as required.

h) Document that a review of all discharge orders from off-site providers was completed. i) Coordinate intra-system transfers, sharing all relevant information between the sending

and receiving facilities regarding the patient’s acute or chronic health conditions.


j) Enter appropriate alerts or special needs into the OMS and the EHR. k) Schedule the patient to be seen by a psychiatric or other provider within seventy-two

(72) hours or another timeframe as deemed appropriate by the QHCP. l) Document all follow-up encounters in the patient’s EHR with the date, time, and

signature/title of the QHCP. m) Provide the DOC Director of Nursing with weekly reports indicating patients with off-

site appointments, including when and where the appointment is scheduled, the anticipated length of the appointment, and the reason for the appointment.

4. For patients designated as SFI or SMI, the Contractor shall: a) For patients designated as SFI during a previous incarceration, determine within thirty

(30) days if the patient should be re-designated as SFI. For patients previously designated as SFI, there is no predetermination in advance of meeting the criteria whether through administrative review or clinical and functional impairment.

b) Coordinate all intake and discharge planning with appropriate agencies, including but not limited to the DMH, Designated Agencies (DAs), Special Service Agencies (SSAs), and DAIL.

c) Cause that QMHPs perform ongoing assessments of the patient’s mental health and functional status, and when there is a concern that the patient’s condition cannot be treated within the DOC setting, refer the patient for hospital level of care, if appropriate.

d) Process all referrals for hospital-level care through the appropriate channels, including but not limited to the processes for Emergency Evaluation or voluntary admissions. See Appendix 3, Act 78 – An Act Relating to Offenders with Mental Illness, Inmate Records, and Inmate Services.

5. Upon notice of a patient’s pending release from incarceration (to the community, the Contractor shall: a) Collaborate with DOC staff regarding release planning. b) Coordinate with the Facility Corrections Service Specialist on referrals, appointments,

and the exchange of information with community-based organizations of the patient’s choice, including but not limited to FQHCs, hubs/spokes, and DAs, with the intent of immediately connecting patients to appropriate health care services upon discharge. The Contractor shall make appointments and share the details with the Facility Corrections Service Specialist.

c) Inform the patient of all pending appointments in the community, including the date, time, location, phone number, and name of the provider.

d) Refer patients with communicable or other serious medical or mental health conditions to specialized clinics or a patient-centered medical home of the patient’s choosing.

e) Provide the patient with a list of community health professionals. f) Discuss with the patient the importance of appropriate follow-up and aftercare. g) Verify the patient’s enrollment, and if necessary, enroll the patient, onto Medicaid or

other health benefit plan. h) Provide patients with a discharge plan or Continuity of Care Document. i) Depending on the status of interface development, share the Continuity of Care

Document and other specified information, via the EHR, with the Vermont Health Information Exchange.

6. Discharge Planning & Bridge Medications: The DOC wants as many individuals as possible to be enrolled onto Medicaid or other health benefit plan upon discharge from custody to ensure continuity of care. Because there are circumstances that prevent or delay enrollment,


the Contractor shall: a) Provide patients with important and essential bridge medications. b) Determine the amount and category of medication provided at the time of release based

on the patient’s known history or risk profile for abuse, diversion, or accidental or intentional overdose. The Contractor shall provide patients with a sufficient supply of bridge medications as follows:

i. All patients prescribed HIV medications shall be provided with a minimum of a 30-day supply of bridge medications

ii. Patients released to the community without active health insurance and whose next appointment date is unknown shall be provided with a 30-day supply of bridge medications.

iii. All patients prescribed psychotropic medications shall be provided with a 30-day supply of bridge medications. If the patient is prescribed Clozapine, Lithium, or any other drug that requires close monitoring, the Contractor shall counsel the patient regarding their next mandatory lab draw. All patients will be advised of follow-up care needs including lab studies.

iv. Patients enrolled or immediately eligible for Medicaid or other health benefit plan shall be provided with a known appointment date in the community and a sufficient supply of prescription medication(s) to last until the patient’s next appointment.

c) Pay for the costs of all bridge medications unless, within thirty (30) days of contract initiation, the Contractor verifies with DVHA that the costs of the medications can be processed through the patient’s Medicaid or other health benefit plan.

5 Procedures, Notifications and Reporting

5.1 Patient Placement; Collaboration Between Staff and Facility Management

Collaboration between DOC facility staff (e.g., Facility Management, correctional officers, living unit supervisors) and the Contractor’s staff is vital for determining the most appropriate and least restrictive placement for patients and for maintaining a safe and secure correctional environment. The Contractor shall, in compliance with federal and state privacy and security requirements:

1. Coordinate meetings between DOC facility staff and the Contractor’s staff as needed, but no less than weekly. Meeting topics may include, but are not limited to, placement of patients that are: a) “Delayed Placement Persons,” or pending placement at an inpatient psychiatric

hospital. b) Seriously functionally impaired (SFI) See Appendix 12, Act 26 (Seriously

Functionally Impaired). c) Designated as potentially vulnerable to sexual victimization. d) Transgender, intersex, and gender non-conforming. e) Infected with serious communicable diseases. f) Receiving an ADA accommodation. g) risk of self-harm or suicide. h) Adolescents in adult facilities. i) On the mental health and co-occurring caseload. j) Chronically or terminally ill.


k) Seriously mentally ill. l) Frail or elderly. m) In segregation. n) Hospitalized. o) Pregnant. p) Disabled. q) Receiving a special diet.

2. Inform DOC facility staff of any aspect of a patient’s physical or mental health status that may affect housing, work assignments, programming requirements, or pose a risk to the safe and orderly operation of the facility.

3. Immediately notify DOC Facility Management regarding patients that are acutely ill, decompensating, or whose physical or mental health is destabilized.

5.2 Grievance Procedure The Contractor shall:

1. Recognize that patients may file informal grievances at any time. In certain circumstances, an initial formal grievance may be submitted.

2. Respond to grievances in a manner that complies with DOC policies and directives. 3. Upon request, provide patients with assistance in filing a grievance. 4. Work with patients to resolve complaints and issues relating to the provision of health

care. 5. Resolve emergency grievances in consultation with the Medical Contractor's Statewide

Medical Director or designee, and/or Behavioral Health Contractor’s Statewide Director of Behavioral Health or designee (as applicable). An emergency grievance is defined as “[a] grievance processed by expedited methods to resolve an issue which presents: (1) a threat of death or injury; (2) a threat of disruption of facility operations; or (3) a need for prompt disposition because the time is lapsing when meaningful action or decision is possible.”

5.3 Procedures to Facilitate Out-of-State Transfers 1. The State maintains a contract for inmate housing outside the State of Vermont. To facilitate

out-of-state transfers, the Contractor shall conduct an evaluation of a proposed transferee’s health status and enter its findings on a form provided by the DOC, within ten (10) days of the State’s request. The Contractor’s evaluation shall include: a) Review of the proposed transferee’s health records. b) Determination whether the patient has health condition(s) that would preclude out-of-

state transfer, using protocols and criteria provided by DOC. c) Medical clearance for the patient if found to be appropriate.

2. For patients that receive medical clearance or are returning to Vermont from an out-of-state facility, the Contractor shall: a) Develop a care plan that provides for the patient’s uninterrupted access to appropriate

medical treatment upon transfer. b) Transmit all health information to the receiving facility. c) Obtain all health information for patients returning to Vermont.


5.4 Segregated Patients For patients placed in segregation or other restrictive housing environment separate from the general population, the Contractor shall comply with the DOC Directive #410 (Responding to Inmate Behavior that Violates Facility Rules) and APA Rule #370.

5.5 Restraints

The Contactor shall comply with DOC Directive #413.08 (Use of Restraints and Roles of Security and Healthcare Professionals in Facilities).

5.6 Patient Safety

The Contractor shall: 1. Have a program in place to prevent adverse and near-miss clinical events. 2. Address patient safety concerns during facility morning meetings or as otherwise

indicated. 3. Timely report adverse and near-miss clinical events to the Health Services Director or

designee and address the events through the CQI program. 4. At a minimum, include an error reporting system that outlines how health service staff

can identify and report errors, whether errors occurred through omission or commission, and a process for calculating the number and type of adverse clinical events and near-miss events.

5. Address patient safety issues as part of the CQI program.

5.7 Infection Control Program The Contractor shall have an infection control program in place and shall follow the DOC’s Incident Checklists. The program shall include, at a minimum:

1. Procedures for screening for infectious diseases during the initial health assessment 2. An exposure control plan for communicable and infectious diseases, approved by the

Statewide Medical Director. 3. Provisions for reporting infectious diseases in accordance with state and federal

requirements. 4. Standard for universal precautions to minimize the risk of exposure to blood and bodily

fluids. 5. Medical isolation capacity, including negative pressure. 6. Procedures for ectoparasites (lice and scabies).

5.8 Contaminated Waste

The Contractor shall: 1. Properly dispose of all contaminated waste. This may include waste generated outside

the facility while a patient is on authorized absence such as during transport to or from outside medical appointments, hospital or emergency department visits, or during transfer and the duration of court appointments or similar authorized absences.

2. Contract with a company authorized to provide for the disposal of all bio-hazardous and contaminated waste. Bio-hazardous and contaminated waste will be maintained and disposed of in accordance with the standards and guidelines established by the Occupational Safety and Health Administration (OSHA).


5.9 Emergency Response Plan The Contractor shall:

1. Maintain written policies and procedures to address emergency situations and the emergent transfer of patients at each facility, in coordination with DOC Facility Management.

2. Cooperate with investigations by any State or federal government agencies or law enforcement.

3. Provide for any coordinated emergency response with DOC staff including, but not limited to: a) Man-down drills for staff requiring immediate medical intervention. b) A mass disaster drill involving multiple casualties that require triage by medical and

mental health staff. c) Responses to incidents or allegations which are sexual in nature. d) Establishment of an emergency medical triage area inside a correctional facility at

the direction of the incident commander. e) Procurement and maintenance of emergency medical equipment in a secure

location, determined by DOC. f) Ensuring equipment and Emergency Medical Services are onsite to allow for

moving infirmary, non-ambulatory, and critically ill patients during an evacuation or other emergency.

g) Certifying medical staff in ICS-100 within six (6) months of hire. h) Participating in post-drill debriefs that will review the responses of participants,

response times of participants, and include a written summary to the Health Services Director or designee to improve future responses.

5.10 Procedures in the Event of Death

The Contractor shall: 1. In all cases of an unexpected death, immediately call Emergency Medical Services. 2. Immediately notify Facility Management and the DOC Director of Nursing or designee

of any patient death. 3. Provide the DOC Director of Nursing and Facility Management with a copy of any

advance directive. 4. Document in the EHR all relevant circumstances and clinical observations related to the

death. 5. Coordinate with the State in the acquisition and submission of all relevant information

concerning the death of any patient within ten (10) business days of the event. 6. Upon DOC request and as otherwise stipulated, complete all remediation required

through any third-party review or CQI Action Plan process. 7. Complete a Mortality Review within thirty (30) days of the event. Should a law

enforcement investigation be required, the DOC may revise the timeframe for completion of the mortality review and notify the Contractor of the revised mortality review due date.

8. Cooperate with investigations by any state or federal government agencies or law enforcement.

5.11 Notification Concerning Patient Transfers to Outside Medical Facilities

The Contractor shall:


1. Notify the DOC Director of Nursing and Health Services Director when patients are determined to require emergent transfer to an outside medical facility. The notification shall adhere to the specifications of the DOC Director of Nursing and shall include, at a minimum:

a) Name and date of birth. b) Facility where incarcerated. c) Reason(s) for transfer. d) Vital signs (if taken). e) Transfer location.

2. Notify the DOC Director of Nursing and Health Services Director when patients are returned to a correctional facility from an outside medical facility. The notification shall adhere to the specifications of the DOC Director of Nursing and shall include a summary of the patient’s condition on return and required follow-up care.

3. For email notifications, Contractor shall utilize an email platform which will allow the DOC to immediately forward the email to other parties.

4. Regularly communicate between shifts any updated information from the outside medical facility concerning follow-up care and treatment and provide all updates to the DOC Director of Nursing and the Health Services Director or designee(s).

5.12 Reports

1. The Contractor shall configure, produce, and batch all reports utilizing the EHR. All reports shall be provided in the format requested by the State. The DOC may request any reports on data points maintained in the EHR. The Contractor shall supply DOC with any requested reports within 30 days of request. At times, the DOC may request reports to be completed within less than 30 days and the Contractor shall make every effort to comply with the requested timeframe.

2. The Contractor shall provide MONTHLY reports (see Appendix 13 – Contractor Meta Report 2020) within 15 days of the close of the previous month.

3. The Contractor shall QUARTERLY provide a budget-to-actual summary of all expenses reconciled directly to the Price Proposal. The report shall be provided within 15 days of the closing of the previous month.

4. The Contractor shall produce the following ANNUAL reports: a) Financial statements which report the Contractor's performance under its contract with

the DOC and which reconcile directly to the approved budget and payment provisions of the contract.

b) Audited financial statements which reconcile to the Price Proposal. c) For all sites with on-site dental clinics, a completed CDC Appendix A (Infection

Prevention Checklist for Dental Settings: Basic Expectations for Safe Care), found at https://www.cdc.gov/oralhealth/infectioncontrol/pdf/safe-care2.pdf. (Medical Contractor only)

d) Patient Health Education Calendar for the following contract year.

5.13 Mental health treatment reporting 5. Concerning patient mental health treatment, the Contractor shall:

a) Provide a daily written report to the DOC Chief of Mental Health or designee(s) which shall include, at a minimum, the status of patients that are: i. awaiting voluntary or involuntary hospitalization placement.


ii. acutely decompensating. iii. self-injurious. iv. on suicide watch. v. on involuntary medication orders.

vi. going to or returning from inpatient psychiatric hospitalization. vii. inducted on or tapered from MAT.

b) Provide a weekly report which includes, at a minimum, a brief summary of each patient located in segregation or special MH housing units.

c) Maintain a Mental Health and Co-occurring caseload (see Section 4.6). The data recorded via the Mental Health and Co-occurring Caseload should be created so that it is easily reviewed and analyzed and should contribute to a mental health classification system that should be developed according to a national model approved by the DOC.

6 Records and Information Management

6.1 Procurement and Implementation of Solution (see Exhibit C - State of Vermont Bidder

Response Form) The Contractor shall procure, implement, and provide the following, which relates to the DOC’s Electronic Health Record System (EHR):

1. A technology solution, Fusion’s Centricity, that addresses the business needs. 2. Professional services for project management to manage the implementation of the

technology solution. 3. Professional services to perform technical work in support of the implementation. 4. Professional services for maintenance and support of the implemented technology.

6.2 Electronic Health Record System (see Exhibit C – State of Vermont Bidder Response

Form) The Contractor shall:

1. Provide an EHR that conforms to the functional, non-functional, and other requirements in the Exhibit C – State of Vermont Bidder Response Form.

2. Provide all ongoing support, maintenance, and configuration of CorrecTek, the State’s current EHR system until Fusion’s Centricity is fully operational.

3. Provide hosting services for the EHR, including continuation of the current hosting through Kalleo until Fusion’s Centricity is fully operational.

4. Propose a plan to maintain CorrecTek and Kalleo and to migrate to Fusion’s Centricity and corresponding hosting service. That plan must include: a) The specific steps and details of how the Contractor and Subcontractor (Fusion)

will work together to effectively deliver a comprehensive EHR with minimal disruption to the DOC and patient care.

b) An updated project timeline that: i. Ties the deliverables and payments to the phases of the project,

ii. Includes projected User Acceptance Testing (UAT) related activities and documentation of system test results.

5. Maintain contractual agreements for the ongoing and uninterrupted provision of an EHR.

6. Provide the DOC HSD with full access to the EHR.


7. Provide all services related to the EHR in a manner that minimizes disruptions to facility operations.

8. Immediately notify the DOC of all expected or unexpected downtime, including the start and end date/time of the service disruptions.

9. Understand that health care records are, and will remain, the property of the DOC. 10. Conform to all State rules regarding ownership of patient’s health records. 11. In any criminal or civil litigation, provide the State with full and unrestricted access to

copies of appropriate health records.

6.3 Confidentiality of Medical and Mental Health Records and Information The Contractor shall:

1. Maintain the privacy and security of all current and former patients’ PHI in accordance with federal and state privacy and security requirements.

2. Understand and adhere to rules regarding the sharing of information with DOC personnel that includes, but may not be limited to, information that is necessary for inmate classification and security of the patients, staff, and the facility.

3. Retain the health records of discharged patients in accordance with federal and state law, and in accordance with applicable state retention policies.

4. Incorporate external healthcare records into the EHR. 5. As required, make records available to DOC’s legal/defense staff and the Vermont

Attorney General’s Office. 6. Promptly make all records available to a patient’s legal, fiduciary, or other

representative in accordance with a Release of Information. 7. Respond to DOC’s request for medical information within the timeframes specified in

the request. 8. Immediately notify the Health Services Director or designee whenever Vermont

Information Technology Leader’s (VITL’s) “break the glass” feature is used to access patient records.

6.4 Claims Processing 1. The Contractor shall utilize a claims processing system that:

a) Accurately adjudicates all claims. b) Processes pharmacy claims by the Contractor’s pharmacy vendor. c) Processes clean claims within thirty (30) days of receipt. d) Identifies, processes, and adjudicates claims for health services provided within DOC

facilities to pre-trial detainees who have an active health insurance policy purchased through the State exchange.

e) Identifies and adjudicates claims for patients designated as Federal (United States Marshall Service), Immigrations and Customs Enforcement (ICE), or Inter-State Compact (ISC).

f) Verifies that all claims for inpatient hospitalization services are adjudicated through Green Mountain Care (Vermont’s Medicaid program).

2. The Contractor is responsible for the recovery and payment of inappropriately processed or applied claims.

7 Compliance, Enforceability and Damages


7.1 Deficiencies and Contract Compliance 1. Deficiencies and Contract compliance issues shall be addressed through the CQI program.

The CQI plan shall include but not be limited to: a) The specific section of the Contract where there is a deficiency or area of non-

compliance. b) A description of the deficiency or compliance issue. c) An action plan for addressing the issue. d) The resources necessary to address the issue. e) An agreed-upon timeline for addressing the issue. f) Status of resolution.

2. The DOC may be entitled to liquidated damages for failure by the Contractor to verify that deficiencies or Contract compliance issues have been addressed within the governing timeframe.

7.2 Accountability and Quality Oversight 1. The Contract Manager or designee shall monitor and facilitate contract compliance and be

the primary point of contact for the State. 2. The State will conduct scheduled and unannounced chart reviews to verify and validate the

delivery of services provided by the Contractor. 3. The DOC may in its discretion utilize an independent entity or person (Health Service

Monitor) to perform audits and chart reviews. 4. The Contractor shall:

a) Cooperate with the State or Health Service Monitor to facilitate scheduled or unscheduled chart reviews and audits.

b) Comply with all quality improvements and remediations recommended as a result of the review or audit.

c) Timely perform all remediation as requested by the State within the recommended timeframe for compliance.

d) Create a CQI plan to address areas of deficiency or non-compliance.

7.3 Liquidated Damages 1. The DOC may be entitled to liquidated damages, which may be deducted from the

Contractor’s standard monthly invoice, for failure by the Contractor to: a) Verify that deficiencies or contract compliance issues have been addressed within the

governing timeframe. b) Provide timely patient health information, updates, and reporting to the DOC Director of

Nursing, the Health Services Director or the Mental Health Systems Director, or their designees.

2. The liquidated damages shall be based on the labor cost and other expenses incurred by the State as a result of such failure by the Contractor.

3. Any claim to liquidated damages shall be documented by the State and provided to the Contractor. If the Contractor disagrees with the State’s assessment of damages, it may submit additional materials in support of the standard having been met. The materials shall be reviewed by the State who shall have final decision-making authority.

4. The parties agree that the State shall not seek liquidated damages in situations where the Contractor’s failed performance is related to events or actions wholly outside of the control of the Contractor.


7.4 Catastrophic Loss

The State will cover expenses for catastrophic loss cases, defined as off-site health care expenses exceeding $85,000 per contract year, per patient. The Contractor shall be responsible for paying the initial $85,000 for catastrophic loss cases.


ATTACHMENT B – PAYMENT PROVISIONS

The maximum dollar amount payable under this agreement is not intended as any form of a guaranteed amount. The Contractor will be paid for products or services actually delivered or performed, as specified in Attachment A, up to the maximum allowable amount specified on page 1 of this contract. The payment schedule for delivered products, or rates for services performed, and any additional reimbursements, are included in this attachment. The following provisions specifying payments are:

1. Prior to commencement of work and release of any payments, Contractor shall submit to the State:

a. a certificate of insurance consistent with the requirements set forth in Attachment C, Section 8 (Insurance), and with any additional requirements for insurance as may be set forth elsewhere in this contract; and

b. a current IRS Form W-9 (signed within the last six months).

2. Payment terms are Net 30 days from the date the State receives an error-free invoice with all necessary and complete supporting documentation.

3. Contractor shall submit detailed invoices itemizing all work performed during the invoice period, including the dates of service, rates of pay, hours of work performed, and any other information and/or documentation appropriate and sufficient to substantiate the amount invoiced for payment by the State. All invoices must include the Contract # for this contract.

4. Contractor shall submit invoices to the State in accordance with the schedule set forth in this Attachment B. Unless a more particular schedule is provided herein, invoices shall be submitted not more frequently than monthly.

5. The payment schedule for delivered products, or rates for services performed, and any additional reimbursements, are as follows:

Contractor payment will be based on a capitated, pay-for-performance, risk-based model, other than the terms specified in Section 8.4 “Pharmaceuticals”. Some payment provisions of the contract will be based on a fixed fee.

6. Payment Adjustments

All performance incentives, liquidated damages, and holdbacks will be documented by the State and discussed with Contractor. If the Contractor disagrees with the findings they may submit additional material in support of the standard having been met. These materials will be reviewed by the DOC Health Services Director or designee who shall have final decision-making authority.


The parties agree that liquidated damages included in this contract shall not apply in situations where the Contractor’s failed performance is related to events or actions outside of the control of the Contractor.

7. Pricing – Appendix 14 Price Proposal – Per Inmate Per Month Calculator

The Contractor’s three-year price is inclusive of Comprehensive Health Services, Pharmacy, Off-Site Services, Regional Office, and Corporate Overhead and Profit (see Appendix 14) based on the contracted Per Inmate Per Month (PIPM) charge. In years one through three, the PIPM shall be multiplied by 1450 if the average daily population (ADP) is between 1300-1600. Payment will be as follows: Year 1 – PIPM = $1,118.24 Year 2 – PIPM = $1,136.94 Year 3 – PIPM = $1,165.37 However, if the ADP is outside of the 1300-1600 range, the Contractor and the State agree to negotiate in good faith to address any adjustment to compensation or service.

8. Comprehensive Health Services, Pharmaceuticals, Off Site Services, Regional Office, Corporate Overhead and Profit, and Catastrophic Loss Cases

8.1 “Base Compensation”: “Contractor payment for Comprehensive Health Care Services

will be based on a capitated, pay-for-performance, risk-based model. Some payment provisions of the contract will be based on a fixed fee. Comprehensive Health Services and Pharmacy will be paid at the PIPM included in Appendix 14 of this contract (subject to the terms below). Off Site Services, Regional Office and Corporate Overhead and Profit will be paid at flat rates based on Appendix 14 of this contract (subject to the terms below). Contractor’s responsibility for the cost of provision of Catastrophic Loss cases, Pharmaceutical services, and Off-Site services will be subject to an annual limit as described further herein.

8.2 Comprehensive Health Care Services (exclusive of Catastrophic Loss cases, Pharmaceuticals, Off-Site, Regional Office Expenses, and Corporate Overhead and Profit): Contractor will receive a minimum payment based on the contracted PIPM charge multiplied by the average daily population (ADP). The Contractor will receive payment for 1,450 inmates based on an ADP range of 1,300-1,600.

8.3 Catastrophic Loss: The State will cover expenses for Catastrophic Loss cases, defined as when the off-site expenses for any particular individual exceed $85,000 per contract year. The Contractor shall be responsible for paying the initial $85,000 for catastrophic loss cases and should already be included in the total PIPM. The State shall be responsible for all off-site expenses for any particular individual which exceed $85,000 in any contract year. The threshold for Catastrophic Loss cases was derived from historical off-site financial data by the State.


8.4 Pharmaceuticals: Contractor has established a target PIPM for each contract year as set forth on Appendix 14 of this contract (the “Target Pharmacy PIPM”). The Contractor will receive a minimum payment based on the contracted PIPM charge multiplied by the average daily population (ADP).

The Contractor shall “bill back” the following costs, which shall not be included in the PIPM, to the State. DAAs for HCV treatment, as well as buprenorphine and methadone for MAT, are demand-driven and total expenses have fluctuated due to cost of the medications and number of patients being treated at any given time. For this reason, the costs have been estimated based on the expense history (see Appendix 15 – VT DOC HCV and MAT Expenses FY19-FY20). The Contractor’s negotiated corporate overhead and profit shall be included in these “bill back” invoices:

� DAAs for a full course of treatment, as clinically indicated. The invoice for the costs described above shall include:

� Patient name. � Date(s) of service. � Service provided. � Contractors’ incurred costs per service � Invoices or subcontracts from the pharmacy which are consistent with the

Contractor’s reported incurred costs per service. The DOC shall reimburse the Contractor for the costs of DAAs for HCV treatment within thirty (30) days of receiving an accurate bill. The costs related to buprenorphine shall not be included in the PIPM charge. The Contractor shall “bill back” the costs of buprenorphine for MAT on a “per medication, per day” basis. The DOC shall reimburse the Contractor for the costs of buprenorphine for MAT within 30 days of receiving an accurate bill. The invoice for the costs of buprenorphine shall include the following:

� Number of doses of buprenorphine per day � Unit cost of buprenorphine per day � Contractor’s incurred costs of buprenorphine per day � Invoices from the pharmacy which are consistent with the contractor’s reported

incurred costs per day

The costs related to methadone shall not be included in the PIPM charge. The Contractor will pay the HUBS directly for the costs associated with methadone and will bill those costs back to the DOC. The Contractor shall not be responsible for the costs associated with methadone for MAT.


8.5 Off-Site Services: Contractor has established an annual limit for each contract year as set forth on Appendix 14 of this contract (the “Annual Off-Site Limit”).

8.6 Cost Differentials. 8.6.1 In the event that actual expenses for Pharmaceuticals or Off-Site Services, excluding

the costs associated with Section 8.4 “Pharmaceuticals”, exceed each year’s Target Pharmacy PIPM and Annual Off-Site Limit, respectively, the Contractor agrees to accept financial responsibility for 3% of the amount in excess of the budgeted amounts; the State agrees that it shall be responsible for amounts in excess of the 3% payment by the Contractor. It shall be understood with regard to the State’s payment of amounts in excess of the Contractor’s 3% that the Contractor must demonstrate through documentation that it used industry-standard best practices to control these costs. With regard to Off-Site Services, this documentation could include but is not limited to attempts to innovatively (including but not limited to using telemedicine and contracting with off-site providers for reduced rates using Medicaid, Medicare or other reduced-cost rates) managing the utilization of Off-Site services, including new programs, and processes or more effective planning of off-site care. Reports such as claims and other financial information shall be used to demonstrate the Contractor’s efforts.

8.6.2 In the event that in any particular contract year, excluding the costs associated with Section 8.4 “Pharmaceuticals”, the Contractor’s actual expenses in one category of the budget (i.e. Pharmaceuticals) is less than the budgeted amount (actual amount less than budgeted amount) the Contractor has agreed that the State shall apply the difference in the actual and budgeted amounts (Contractor Savings) to reduce expenses that may be in excess of their budgeted amounts in another budget category (including but not limited to Off-Site Services). The Contractor agrees that the application of any such savings shall occur prior to the State’s financial responsibility for costs in excess of 3% of budgeted amounts.

8.7 Reserved 8.8 Corporate Overhead and Profit 8.8.1 For Year 1, the Contractor’s profit and corporate overhead shall be a flat rate based on

the total budgeted amount for the sum of Comprehensive Health Services, Pharmacy, Off-site Services, and Regional Office of the contract. The total budgeted amount for Year 1 of the contract is $19,457,340.21 which includes a negotiated rate of 6% ($1,101,358.88) for profit and corporate overhead. In the event that the Contractor’s overall expenses, after consideration of Section 8.6.2, are less than the overall budgeted amount, the Contractor shall reimburse the State for the variance on an annual basis no later than 30 days after the contract year end (due 30 days after June 30, 2021 for the time period covering July 2020-June 2021). The funds will be retained by the State and allocated at its discretion.

For Year 2, the Contractor’s profit and corporate overhead shall be a flat rate based on the

total budgeted amount for the sum of Comprehensive Health Services, Pharmacy, Off-site Services, and Regional Office of the contract. The total budgeted amount for Year 2 of the


contract is $19,782,786.22 which includes a negotiated rate of 6% ($1,119,780.35) for profit and corporate overhead. In the event that the Contractor’s overall expenses, after consideration of Section 8.6.2, are less than the overall budgeted amount, the Contractor shall reimburse the State for the variance on an annual basis no later than 30 days after the contract year end (due 30 days after June 30, 2020 for the time period covering July 2021-June 2022). The funds will be retained by the State and allocated at its discretion.

For Year 3, the Contractor’s profit and corporate overhead shall be a flat rate based on the total budgeted amount for the sum of Comprehensive Health Services, Pharmacy, Off-site Services, and Regional Office of the contract. The total budgeted amount for Year 3 of the contract is $20,277,355.87 which includes a negotiated rate of 6% ($1,147,774.86) for profit and corporate overhead. In the event that the Contractor’s overall expenses, after consideration of Section 8.6.2, are less than the overall budgeted amount, the Contractor shall reimburse the State for the variance on an annual basis no later than 30 days after the contract year end (due 30 days after June 30, 2021 for the time period covering July 2022-June 2023). The funds will be retained by the State and allocated at its discretion.

9. Holdbacks A 5% holdback of the Contractor’s total monthly invoice may be retained if the Contractor fails to follow the clinical or administrative processes which are necessary for generating timely and accurate monthly, quarterly, and/or annual reports, as specified in Section 5.12 “Reports.” The State shall release the holdback for that month once the Contractor has fulfilled the reporting requirements specified herewith and in Section 5.12. The Contractor shall maintain NCCHC accreditation for healthcare services for every current and future facility in the State. If certification accreditation by the NCCHC is lost at any time, a $500 holdback per day per non-accredited facility will be assessed against the Contractor until the non-accredited facility(ies) receive(s) either provisional or full accreditation. If NCCHC issues provisional accreditations, the $500 per day/per facility(ies) will be waived up to one hundred eighty (180) days. The beginning and ending dates of the holdback will be governed by any written communication from the NCCHC. by the State in the event that the Contractor fails to provide the monthly, quarterly, and/or annual reports due for that month within timelines specified in Attachment A, Section 5.12 “Reports.” The State shall release the holdback for that month with the next payment scheduled to be made to the Contractor, once the Contractor has fulfilled the reporting requirements specified herewith and in Attachment A, Section 5.12.

10. Liquidated Damages Liquidated damages are intended to represent estimated actual damages and are not intended as a penalty and Contractor shall pay them to the State without limiting the State’ s right to terminate this agreement for default as provided elsewhere herein. If there is a determination of actual damage, the calculated amount may be deducted from the Contractor’s total remittance for the month. Refer to Attachment A, Section 7.3 “Liquidated Damages” for additional information.


11. Performance Incentives 11.1 NCCHC Accreditation Contractor is required to maintain NCCHC accreditation for every current and future facility in the State system. Beginning July 1, 2020 through the contract end date, if certification accreditation by the NCCHC is lost, a $500 holdback per day/per non-accredited facility may be assessed against the vendor until the non-accredited facility (ies) receives either a provisional accreditation or is fully accredited. If the NCCHC issues a provisional accreditation, the $500 per day/per facility will be waived up to one hundred and eighty (180) days. The beginning and ending dates of the holdback will be governed by any written communication from the NCCHC.

11.2 Reserved

11.3 Calculating Pay-for-Performance Incentive Payments Throughout this section, refer to Appendix 16 “Summary of Performance Based Metrics” and 17 “Pay-for-Performance (P4P) Incentive Calculator.” “Pay-for-performance” (P4P) shall be defined as: Financial incentives earned by the Contractor based upon a fixed model of performance indicators, the Contractor’s actual performance for a given reporting period, and a minimum score for achievement. The Contractor will have the opportunity to earn P4P incentives based on the proportion of the range that is achieved for a specific metric. The percentage achieved will be calculated based on the overall performance of all sites. Other germane terms are described below:

Performance Indicator – A measure, usually displayed in numerator/denominator format, used to evaluate completion of a particular activity in which the Contractor is responsible. Performance indicators shall be determined by the DOC.

Numerator – From the denominator, the total number of instances that fulfill the numerator definition for the specific metric.

Denominator – The total number of instances that fulfill the denominator definition for the specific metric.

Range – The difference between the “threshold” and 100%. For example, metrics with a threshold of 85% have a range of 15% (100%-85%=15%).

Percent Achievement – The proportion of the range that the Contractor has achieved for the reporting period.

Threshold – The minimum score required to begin earning P4P incentive payments. Performance on a particular metric below the threshold will be addressed in the contractor’s monthly CQI reporting and facility audits until performance improves.

Refer to Appendix 14 “Price Proposal PIPM Calculator.” To encourage the provision of high-quality services that lead to improvements in healthcare outcomes and processes, the Contractor will have the opportunity to earn an additional amount of the total yearly price proposal, excluding the "Corporate Overhead and Profit" indicated on Tab F. The maximum available P4P incentive payment for the contract term will be three percent (3%) of the annual budgeted amount excluding “Corporate Overhead and Profit (see Appendix 14).


Refer to Appendix 16, “Summary of Pay-for-Performance (P4P) Metrics” which will be linked to the financial incentives described above in Tab E of Appendix 14 “Price Proposal PIPM Calculator.” At any time during the contract term, the State may add, eliminate, or modify any metric in Appendix 16 “Summary of Pay-for-Performance (P4P) Metrics” to reflect the priorities of the State and any quality improvement/corrective action planning that has occurred. Changes to the set of metrics in Appendix 16 “Summary of Pay-for-Performance (P4P) Metrics” will not impact the total available amount that the Contractor could earn in additional financial incentive payments. Refer to Appendix 17 “Pay-for-Performance (P4P) Incentive Calculator.” This tool will be used to calculate the Contractor’s monthly P4P incentive payment. The Contractor shall submit a monthly invoice within 15 days of the close of the previous month which includes the ADP from the Contractor’s monthly reports. For each P4P metric, the Contractor will submit the numerator and denominator calculations to the DOC HSD, and the DOC HSD will enter the data into Appendix 17. The DOC HSD will add the calculated incentive payment to the Contractor’s monthly remittance. 11.4 Innovative Reform Initiatives Electronic Health Record: In accordance with the requirements of Section 6 of Attachment A of this contract, “Records and Information Management,” the Contractor shall receive payment for the procurement and maintenance of the EHR in the following manner: The maintenance, hosting, and licensing costs of the current EHR, Correctek, and the future EHR, Fusion’s Centricity, are included in the yearly PIPM rates included in tab A of Appendix 14 “Price Proposal and PIPM Calculator.” Payment for the implementation costs of the new EHR shall be paid according to Appendix 18, “Deliverables and Payment Schedule” as approved by DOC. Enhanced Substance Abuse Treatment for Women: Payment for the Enhanced Substance Abuse Treatment for Women is included in the PIPM as indicated in Appendix 14, “Price Proposal and PIPM Calculator”. At such time as the State and the Contractor agree to implement additional Innovative Reform Initiatives not currently budgeted, payment provisions for the initiative(s) will be negotiated and added to this agreement.

12. Miscellaneous Provisions

a) Change in Scope of Services. The parties agree that should there be any change in or modification of inmate population distribution, standards of care, including but not limited to a change in any material respect to any treatment protocol or modality or if any new medication or therapy is introduced to treat any illness, disease or condition, scope of services, Green Mountain Care laws, regulations or policy or the number of facilities that results in material


costs or savings to the Contractor, the costs or savings related to such changes or modifications are not covered in this Agreement, and shall be negotiated in good faith between the parties. Any such adjustments shall be fully documented and attached to the Agreement in the form of amendments. If the parties are unable to agree upon an appropriate compensation adjustment resulting from a change in scope of services, the parties shall resolve such dispute in accordance with the dispute resolution provisions specified in Section b below.

b) Dispute Resolution. For any and all claims, controversies or disputes (collectively

“dispute”) arising under this Agreement or the breach thereof, the parties shall work together in good faith to resolve the dispute. In the event the parties cannot resolve their dispute, either party shall have the right to request mediation (“Mediation Request”) by a neutral and/or disinterested third-party (the “Mediator”) who shall, at a minimum, be an attorney licensed to practice law in the State of Vermont. The parties agree to share equally the cost of the mediation. After the request by a party is made for mediation, no party may initiate litigation until such time as the dispute

is deemed “irreconcilable” as described below. In the event the parties must mediate any aspect of this contract, they will agree to terms and conditions of such mediation at the appropriate time and in consultation with the mediator.

Within 15 working days of the receipt of any Mediation Request, the parties shall agree upon a Mediator. Upon reaching an agreement upon a Mediator, the parties shall then participate in and complete mediation before the Mediator within 90 days thereafter. If the parties (1) are unable to agree upon a Mediator within this designated timeframe, (2) do not complete mediation within the designated timeframe, or (3) are unable to reach a mutual resolution of the dispute during the course of mediation, then the dispute shall be deemed as “irreconcilable” at that time and legal remedies may be pursued.

c) Reconciliation of Costs.

The parties shall perform reconciliations of the Actual Costs incurred versus the Budgeted Costs quarterly during the term of the Agreement (collectively the “Quarterly Reconciliations”). Such Quarterly Reconciliations will be provided to the State within thirty (30) days after the end of each quarter. Contractor’s documentation will be submitted in a format that provides both a cumulative contract year-to-date report and a quarterly report. In addition to the Quarterly Reconciliations, the Contractor will provide a final reconciliation (the “Final Reconciliation”) of the Actual Costs versus Budgeted Costs within 150 days after the end of each annual contract year. The parties recognize that Contractor will make every reasonable effort to control the timeliness of the submission of claims from third party providers, but there may be instances in which claims are received by Contractor after the 150th day of the final reconciliation period. In such instances, notwithstanding anything in this paragraph to the contrary, State agrees that it will pay such claims to the extent the State is responsible under the provisions of this Attachment B.


d) Annual Limits. Contractor’s responsibility for the cost of provision of Catastrophic Loss cases, Pharmaceutical services, and Off-Site services will be subject to an annual limit as described further herein. The State will cover expenses for Catastrophic Loss cases, defined as when the expenses for any particular individual exceed $85,000 for Off-Site expenditures per contract year. The Contractor shall be responsible for paying the initial $85,000 for catastrophic loss cases and should already be included in the total PIPM. The State shall be responsible for all expenses for any particular individual which exceed $85,000 in Off-Site expenditures in any contract year.

13. Modifications

The parties agree that the nature of the services to be provided by the Contractor may warrant adjustments or modifications to the scope of services to be provided by the Contractor over the term of the contract, and that in the event such adjustments have a material effect on the cost of services, the parties will negotiate such adjustments in good faith. Any such adjustments shall be fully documented and attached to the contract in the form of amendments. Such changes will not require revision of the entire contract. The changes that do not have a material effect on the maximum of the contract will be agreed to in writing and signed by the Health Services Director or designee and the Contractor Regional Manager or designee. The change orders will be considered part of the contract and binding on both parties. Additionally, it is hereby agreed and understood that this contract has no minimum amount. The Contractors’ services will be required on an “as needed” basis.

14. Invoices shall be submitted to the State at the following address:

[email protected] AHS/Dept. of Corrections Health Services Director 280 State Drive, NOB 2 South Waterbury, VT 05671-2000

mailto:[email protected]


ATTACHMENT C – STANDARD STATE PROVISIONS FOR CONTRACTS AND GRANTS

REVISED DECEMBER 15, 2017

1. Definitions: For purposes of this Attachment, “Party” shall mean the Contractor, Grantee or Subrecipient, with whom the State of Vermont is executing this Agreement and consistent with the form of the Agreement. “Agreement” shall mean the specific contract or grant to which this form is attached.

2. Entire Agreement: This Agreement, whether in the form of a contract, State-funded grant, or Federally-funded grant, represents the entire agreement between the parties on the subject matter. All prior agreements, representations, statements, negotiations, and understandings shall have no effect.

3. Governing Law, Jurisdiction and Venue; No Waiver of Jury Trial: This Agreement will be governed by the laws of the State of Vermont. Any action or proceeding brought by either the State or the Party in connection with this Agreement shall be brought and enforced in the Superior Court of the State of Vermont, Civil Division, Washington Unit. The Party irrevocably submits to the jurisdiction of this court for any action or proceeding regarding this Agreement. The Party agrees that it must first exhaust any applicable administrative remedies with respect to any cause of action that it may have against the State with regard to its performance under this Agreement. Party agrees that the State shall not be required to submit to binding arbitration or waive its right to a jury trial.

4. Sovereign Immunity: The State reserves all immunities, defenses, rights or actions arising out of the State’s sovereign status or under the Eleventh Amendment to the United States Constitution. No waiver of the State’s immunities, defenses, rights or actions shall be implied or otherwise deemed to exist by reason of the State’s entry into this Agreement.

5. No Employee Benefits For Party: The Party understands that the State will not provide any individual retirement benefits, group life insurance, group health and dental insurance, vacation or sick leave, workers compensation or other benefits or services available to State employees, nor will the State withhold any state or Federal taxes except as required under applicable tax laws, which shall be determined in advance of execution of the Agreement. The Party understands that all tax returns required by the Internal Revenue Code and the State of Vermont, including but not limited to income, withholding, sales and use, and rooms and meals, must be filed by the Party, and information as to Agreement income will be provided by the State of Vermont to the Internal Revenue Service and the Vermont Department of Taxes.

6. Independence: The Party will act in an independent capacity and not as officers or employees of the State.

7. Defense and Indemnity: The Party shall defend the State and its officers and employees against all third party claims or suits arising in whole or in part from any act or omission of the Party or of any agent of the Party in connection with the performance of this Agreement. The State shall notify the Party in the event of any such claim or suit, and the Party shall immediately retain counsel and otherwise provide a complete defense against the entire claim or suit. The State retains the right to participate at its own expense in the defense of any claim. The State shall have the right to approve all proposed settlements of such claims or suits.


After a final judgment or settlement, the Party may request recoupment of specific defense costs and may file suit in Washington Superior Court requesting recoupment. The Party shall be entitled to recoup costs only upon a showing that such costs were entirely unrelated to the defense of any claim arising from an act or omission of the Party in connection with the performance of this Agreement. The Party shall indemnify the State and its officers and employees if the State, its officers or employees become legally obligated to pay any damages or losses arising from any act or omission of the Party or an agent of the Party in connection with the performance of this Agreement. Notwithstanding any contrary language anywhere, in no event shall the terms of this Agreement or any document furnished by the Party in connection with its performance under this Agreement obligate the State to (1) defend or indemnify the Party or any third party, or (2) otherwise be liable for the expenses or reimbursement, including attorneys’ fees, collection costs or other costs of the Party or any third party. 8. Insurance: Before commencing work on this Agreement the Party must provide certificates of insurance to show that the following minimum coverages are in effect. It is the responsibility of the Party to maintain current certificates of insurance on file with the State through the term of this Agreement. No warranty is made that the coverages and limits listed herein are adequate to cover and protect the interests of the Party for the Party’s operations. These are solely minimums that have been established to protect the interests of the State. Workers Compensation: With respect to all operations performed, the Party shall carry workers’ compensation insurance in accordance with the laws of the State of Vermont. Vermont will accept an out-of-state employer's workers’ compensation coverage while operating in Vermont provided that the insurance carrier is licensed to write insurance in Vermont and an amendatory endorsement is added to the policy adding Vermont for coverage purposes. Otherwise, the party shall secure a Vermont workers’ compensation policy, if necessary to comply with Vermont law. General Liability and Property Damage: With respect to all operations performed under this Agreement, the Party shall carry general liability insurance having all major divisions of coverage including, but not limited to:

Premises - Operations Products and Completed Operations Personal Injury Liability Contractual Liability The policy shall be on an occurrence or claims made with a retroactive date no later than inception date of this contract and three year extended reporting form endorsement form and limits shall not be less than:

$1,000,000 Each Occurrence or per claim $2,000,000 General Aggregate $1,000,000 Products/Completed Operations Aggregate $1,000,000 Personal & Advertising Injury

Automotive Liability: The Party shall carry automotive liability insurance covering all motor vehicles, including hired and non-owned coverage, used in connection with the Agreement. Limits of coverage shall not be less than $1,000,000 combined single limit. If performance of this Agreement involves construction, or the transport of persons or hazardous materials, limits of coverage shall not be less than $1,000,000 combined single limit.


Additional Insured. The General Liability Auto Liability coverages required for performance of this Agreement shall include the State of Vermont and its agencies, departments, officers and employees as Additional Insureds. If performance of this Agreement involves construction, or the transport of persons or hazardous materials, then the required Automotive Liability coverage shall include the State of Vermont and its agencies, departments, officers and employees as Additional Insureds. Coverage shall be primary and non-contributory with any other insurance and self-insurance. Notice of Cancellation or Change. There shall be no cancellation, change, potential exhaustion of aggregate limits or non-renewal of insurance coverage(s) without thirty (30) days written prior written notice to the State.

9. Reliance by the State on Representations: All payments by the State under this Agreement will be made in reliance upon the accuracy of all representations made by the Party in accordance with this Agreement, including but not limited to bills, invoices, progress reports and other proofs of work.

10. False Claims Act: The Party acknowledges that it is subject to the Vermont False Claims Act as set forth in 32 V.S.A. § 630 et seq. If the Party violates the Vermont False Claims Act it shall be liable to the State for civil penalties, treble damages and the costs of the investigation and prosecution of such violation, including attorney’s fees, except as the same may be reduced by a court of competent jurisdiction. The Party’s liability to the State under the False Claims Act shall not be limited notwithstanding any agreement of the State to otherwise limit Party’s liability.

11. Whistleblower Protections: The Party shall not discriminate or retaliate against one of its employees or agents for disclosing information concerning a violation of law, fraud, waste, abuse of authority or acts threatening health or safety, including but not limited to allegations concerning the False Claims Act. Further, the Party shall not require such employees or agents to forego monetary awards as a result of such disclosures, nor should they be required to report misconduct to the Party or its agents prior to reporting to any governmental entity and/or the public.

12. Location of State Data: No State data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or transferred by any means outside the continental United States, except with the express written permission of the State. 13. Records Available for Audit: The Party shall maintain all records pertaining to performance under this agreement. “Records” means any written or recorded information, regardless of physical form or characteristics, which is produced or acquired by the Party in the performance of this agreement. Records produced or acquired in a machine readable electronic format shall be maintained in that format. The records described shall be made available at reasonable times during the period of the Agreement and for three years thereafter or for any period required by law for inspection by any authorized representatives of the State or Federal Government. If any litigation, claim, or audit is started before the expiration of the three-year period, the records shall be retained until all litigation, claims or audit findings involving the records have been resolved.

14. Fair Employment Practices and Americans with Disabilities Act: Party agrees to comply with the requirement of 21 V.S.A. Chapter 5, Subchapter 6, relating to fair employment practices, to the full extent applicable. Party shall also ensure, to the full extent required by the Americans


with Disabilities Act of 1990, as amended, that qualified individuals with disabilities receive equitable access to the services, programs, and activities provided by the Party under this Agreement.

15. Set Off: The State may set off any sums which the Party owes the State against any sums due the Party under this Agreement; provided, however, that any set off of amounts due the State of Vermont as taxes shall be in accordance with the procedures more specifically provided hereinafter.

16. Taxes Due to the State: A. Party understands and acknowledges responsibility, if applicable, for compliance with

State tax laws, including income tax withholding for employees performing services within the State, payment of use tax on property used within the State, corporate and/or personal income tax on income earned within the State.

B. Party certifies under the pains and penalties of perjury that, as of the date this Agreement is signed, the Party is in good standing with respect to, or in full compliance with, a plan to pay any and all taxes due the State of Vermont.

C. Party understands that final payment under this Agreement may be withheld if the Commissioner of Taxes determines that the Party is not in good standing with respect to or in full compliance with a plan to pay any and all taxes due to the State of Vermont.

D. Party also understands the State may set off taxes (and related penalties, interest and fees) due to the State of Vermont, but only if the Party has failed to make an appeal within the time allowed by law, or an appeal has been taken and finally determined and the Party has no further legal recourse to contest the amounts due.

17. Taxation of Purchases: All State purchases must be invoiced tax free. An exemption certificate will be furnished upon request with respect to otherwise taxable items.

18. Child Support: (Only applicable if the Party is a natural person, not a corporation or partnership.) Party states that, as of the date this Agreement is signed, he/she:

A. is not under any obligation to pay child support; or B. is under such an obligation and is in good standing with respect to that obligation; or C. has agreed to a payment plan with the Vermont Office of Child Support Services and is in

full compliance with that plan. Party makes this statement with regard to support owed to any and all children residing in Vermont. In addition, if the Party is a resident of Vermont, Party makes this statement with regard to support owed to any and all children residing in any other state or territory of the United States.

19. Sub-Agreements: Party shall not assign, subcontract or subgrant the performance of this Agreement or any portion thereof to any other Party without the prior written approval of the State. Party shall be responsible and liable to the State for all acts or omissions of subcontractors and any other person performing work under this Agreement pursuant to an agreement with Party or any subcontractor. In the case this Agreement is a contract with a total cost in excess of $250,000, the Party shall provide to the State a list of all proposed subcontractors and subcontractors’ subcontractors, together with the identity of those subcontractors’ workers compensation insurance providers, and


additional required or requested information, as applicable, in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54). Party shall include the following provisions of this Attachment C in all subcontracts for work performed solely for the State of Vermont and subcontracts for work performed in the State of Vermont: Section 10 (“False Claims Act”); Section 11 (“Whistleblower Protections”); Section 12 (“Location of State Data”); Section 14 (“Fair Employment Practices and Americans with Disabilities Act”); Section 16 (“Taxes Due the State”); Section 18 (“Child Support”); Section 20 (“No Gifts or Gratuities”); Section 22 (“Certification Regarding Debarment”); Section 30 (“State Facilities”); and Section 32.A (“Certification Regarding Use of State Funds”).

20. No Gifts or Gratuities: Party shall not give title or possession of anything of substantial value (including property, currency, travel and/or education programs) to any officer or employee of the State during the term of this Agreement.

21. Copies: Party shall use reasonable best efforts to ensure that all written reports prepared under this Agreement are printed using both sides of the paper.

22. Certification Regarding Debarment: Party certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, neither Party nor Party’s principals (officers, directors, owners, or partners) are presently debarred, suspended, proposed for debarment, declared ineligible or excluded from participation in Federal programs, or programs supported in whole or in part by Federal funds. Party further certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, Party is not presently debarred, suspended, nor named on the State’s debarment list at: http://bgs.vermont.gov/purchasing/debarment

23. Conflict of Interest: Party shall fully disclose, in writing, any conflicts of interest or potential conflicts of interest.

24. Confidentiality: Party acknowledges and agrees that this Agreement and any and all information obtained by the State from the Party in connection with this Agreement are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq.

25. Force Majeure: Neither the State nor the Party shall be liable to the other for any failure or delay of performance of any obligations under this Agreement to the extent such failure or delay shall have been wholly or principally caused by acts or events beyond its reasonable control rendering performance illegal or impossible (excluding strikes or lock-outs) (“Force Majeure”). Where Force Majeure is asserted, the nonperforming party must prove that it made all reasonable efforts to remove, eliminate or minimize such cause of delay or damages, diligently pursued performance of its obligations under this Agreement, substantially fulfilled all non-excused obligations, and timely notified the other party of the likelihood or actual occurrence of an event described in this paragraph.

26. Marketing: Party shall not refer to the State in any publicity materials, information pamphlets, press releases, research reports, advertising, sales promotions, trade shows, or marketing materials or similar communications to third parties except with the prior written consent of the State.


27. Termination: A. Non-Appropriation: If this Agreement extends into more than one fiscal year of the State

(July 1 to June 30), and if appropriations are insufficient to support this Agreement, the State may cancel at the end of the fiscal year, or otherwise upon the expiration of existing appropriation authority. In the case that this Agreement is a Grant that is funded in whole or in part by Federal funds, and in the event Federal funds become unavailable or reduced, the State may suspend or cancel this Grant immediately, and the State shall have no obligation to pay Subrecipient from State revenues.

B. Termination for Cause: Either party may terminate this Agreement if a party materially breaches its obligations under this Agreement, and such breach is not cured within thirty (30) days after delivery of the non-breaching party’s notice or such longer time as the non-breaching party may specify in the notice.

C. Termination Assistance: Upon nearing the end of the final term or termination of this Agreement, without respect to cause, the Party shall take all reasonable and prudent measures to facilitate any transition required by the State. All State property, tangible and intangible, shall be returned to the State upon demand at no additional cost to the State in a format acceptable to the State.

28. Continuity of Performance: In the event of a dispute between the Party and the State, each party will continue to perform its obligations under this Agreement during the resolution of the dispute until this Agreement is terminated in accordance with its terms.

29. No Implied Waiver of Remedies: Either party’s delay or failure to exercise any right, power or remedy under this Agreement shall not impair any such right, power or remedy, or be construed as a waiver of any such right, power or remedy. All waivers must be in writing.

30. State Facilities: If the State makes space available to the Party in any State facility during the term of this Agreement for purposes of the Party’s performance under this Agreement, the Party shall only use the space in accordance with all policies and procedures governing access to and use of State facilities which shall be made available upon request. State facilities will be made available to Party on an “AS IS, WHERE IS” basis, with no warranties whatsoever.

31. Requirements Pertaining Only to Federal Grants and Subrecipient Agreements: If this Agreement is a grant that is funded in whole or in part by Federal funds:

A. Requirement to Have a Single Audit: The Subrecipient will complete the Subrecipient Annual Report annually within 45 days after its fiscal year end, informing the State of Vermont whether or not a Single Audit is required for the prior fiscal year. If a Single Audit is required, the Subrecipient will submit a copy of the audit report to the granting Party within 9 months. If a single audit is not required, only the Subrecipient Annual Report is required. For fiscal years ending before December 25, 2015, a Single Audit is required if the subrecipient expends $500,000 or more in Federal assistance during its fiscal year and must be conducted in accordance with OMB Circular A-133. For fiscal years ending on or after December 25, 2015, a Single Audit is required if the subrecipient expends $750,000 or more in Federal assistance during its fiscal year and must be conducted in accordance with 2 CFR Chapter I, Chapter II, Part 200, Subpart F. The Subrecipient Annual Report is required to be submitted within 45 days, whether or not a Single Audit is required.


B. Internal Controls: In accordance with 2 CFR Part II, §200.303, the Party must establish and maintain effective internal control over the Federal award to provide reasonable assurance that the Party is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

C. Mandatory Disclosures: In accordance with 2 CFR Part II, §200.113, Party must disclose, in a timely manner, in writing to the State, all violations of Federal criminal law involving fraud, bribery, or gratuity violations potentially affecting the Federal award. Failure to make required disclosures may result in the imposition of sanctions which may include disallowance of costs incurred, withholding of payments, termination of the Agreement, suspension/debarment, etc.

32. Requirements Pertaining Only to State-Funded Grants: A. Certification Regarding Use of State Funds: If Party is an employer and this Agreement

is a State-funded grant in excess of $1,001, Party certifies that none of these State funds will be used to interfere with or restrain the exercise of Party’s employee’s rights with respect to unionization.

B. Good Standing Certification (Act 154 of 2016): If this Agreement is a State-funded grant, Party hereby represents: (i) that it has signed and provided to the State the form prescribed by the Secretary of Administration for purposes of certifying that it is in good standing (as provided in Section 13(a)(2) of Act 154) with the Agency of Natural Resources and the Agency of Agriculture, Food and Markets, or otherwise explaining the circumstances surrounding the inability to so certify, and (ii) that it will comply with the requirements stated therein.

(End of Standard Provisions)


ATTACHMENT D – MODIFICATION OF CUSTOMARY PROVISIONS OF

ATTACHMENT C OR ATTACHMENT F

1. The insurance sections contained in Attachment C, Section 8 are hereby modified as follows:

A. By deleting that portion of Section 8 titled Insurance which states:

General Liability and Property Damage: With respect to all operations performed under the Agreement, the Party shall carry general liability insurance having all major divisions of coverage including, but not limited to:

Premises - Operations Products and Completed Operations Personal Injury Liability Contractual Liability

And replacing it with:

General Liability: With respect to all operations performed under the Agreement, the Party shall carry general liability insurance having all major divisions of coverage including, but not limited to:

Premises - Operations Products and Completed Operations Personal Injury and Advertising Liability Contractual Liability Sexual Abuse and Molestation [no sublimit]

B. By deleting that portion of Section 8 titled Insurance which states:

The policy shall be an occurrence form and limits shall not be less than:

$1,000,000 per Occurrence $2,000,000 General Aggregate $2,000,000 Products/Completed Operation Aggregate $ 50,000 Fire/Legal/Liability

And replacing it with:

The policy shall be on a claim made basis and limits shall not be less than:

$2,000,000 per Claim $4,000,000 General Aggregate


C. To add to that portion of Section 8 titled Insurance:

Professional Liability: Before commencing work on this Agreement and throughout the term of this Agreement, the Party shall procure and maintain claims made professional liability insurance for any and all services performed under this Agreement, with minimum coverage of $__2M_____ per claim, and $____4M___ annual aggregate.

Excess Liability:

Before commencing work on this Agreement and throughout the term of this Agreement, the Party shall procure and maintain claims made excess general liability insurance for any and all services performed under this Agreement, with minimum coverage of $__2M_____ per claim, and $____4M___ annual aggregate

Cyber/Network Security and Data Privacy Liability Insurance Before commencing work on this Agreement and throughout the term of this Agreement, the Party shall procure and maintain claims made Cyber/Network Security and Data Privacy Liability Insurance {“Cyber ”} for any and all services performed under this agreement, with minimum coverage of $2M per claim and annual aggregate that covers losses arising from actual or alleged acts, errors or omissions and intentional, fraudulent or criminal acts. Further, the policy will expressly provide, but not be limited to, coverage for losses arising from the following: (a) unauthorized use/access of computer systems (including mobile devices), servers, client’s data or software; (b) defense of any regulatory action involving a breach of privacy; (c) failure to protect the confidential or proprietary information (personal and commercial information) and intellectual property from unauthorized disclosure or unauthorized access; (d) failure to adequately protect physical security of servers and systems including from cyber terrorism; (e) the costs for: notification, whether or not required by statute, credit file or identity monitoring, identity restoration, public relations or legal experts; (f) third party liability; (g) cyber extortion and cyber terrorism; and (h) no exclusion for actual or alleged breaches of professional services agreements associated with the above The General Liability, Excess Liability, Professional Liability, and “Cyber” claims made policies will be endorsed with a retroactive date no later than inception date of this contract and will include a three year extended reporting form endorsement in the event coverage is cancelled or non-renewed. Reasons for Modifications:

The insurance sections contained in Attachment C, Section 8 have been added to allow a different level of liability insurance because of the amount of excess coverage that applies and to change from occurrence coverage to claims made coverage allowing for a claims made basis.


2. Requirements of other Sections in Attachment C are hereby modified to include:

3. By adding as additional paragraphs to Section 7, titled Defense and Indemnity, the following:

If the Office of the Attorney General or other representative of the State tenders, in writing, a claim and/or lawsuit to Contractor for defense and indemnification in accordance with the aforementioned paragraph, the Contractor shall respond, in writing, to the Attorney General or State within ten (10) business days of such tender. In the event a response to the claim or suit is required prior to the expiration of the ten (10) business days period of time, including but not limited to court action, the Contractor will be so notified. The Contractor’s response to the Attorney General’s or State’s tendering of any such claim or lawsuit shall include an acknowledgment of receipt of the claim and/or lawsuit, a response on whether Contractor will accept or decline the tendering of any such claim and/or lawsuit and, if accepted, the identity of counsel retained to defend any such claim and/or lawsuit. in the event the Contractor does not comply with any aspect of this provision, and such non-compliance also constitutes a material violation of this provision, as so determined either judicially or by mutual agreement of the parties, the Contractor shall be responsible for any and all costs and/or fees that were reasonably-incurred by the Attorney General’s Office and/or the State as a direct consequence of such non-compliance.

The Contractor agrees to cooperate with the Office of the Attorney General and the State in the investigation and handling of any claim and/or lawsuits filed by patient(s), and/or other person(s) and/or entity or entities in connection with the Contractor’s performance of services under this contract.

Reason for this change is: “to add Contractor’s responsibilities as to tendering of claims and cooperation with State.

3. Requirements of Sections in Attachment F are hereby modified:

By adding to Paragraph 10, titled Intellectual Property/Work Product Ownership, the following:

“Except for proprietary or commercial software not purchased by the State or developed for the State” to the beginning of the first paragraph.

Reasons for Modifications: Reason for this change is: “Proprietary software not developed for the State or purchased by the State remains the Contractor’s property.”


ATTACHMENT D - IT INFORMATION TECHNOLOGY SYSTEM IMPLEMENTATION

TERMS AND CONDITIONS (rev. 3/08/19)

1. MODIFICATIONS TO CONTRACTOR DOCUMENTS

The parties specifically agree that the Contractor Documents are hereby modified and superseded by Attachment C and this Attachment D. “Contractor Documents” shall mean one or more document, agreement or other instrument required by Contractor in connection with the performance of the products and services being purchased by the State, regardless of format, including the license agreement, end user license agreement or similar document, any hyperlinks to documents contained in the Contractor Documents, agreement or other instrument and any other paper or “shrinkwrap,” “clickwrap,” “browsewrap” or other electronic version thereof.

2. NO SUBSEQUENT, UNILATERAL MODIFICATION OF TERMS BY CONTRACTOR

Notwithstanding any other provision or other unilateral license terms which may be issued by Contractor during the Term of this Contract, and irrespective of whether any such provisions have been proposed prior to or after the issuance of an order for the products and services being purchased by the State, as applicable, the components of which are licensed under the Contractor Documents, or the fact that such other agreement may be affixed to or accompany the products and services being purchased by the State, as applicable, upon delivery, the terms and conditions set forth herein shall supersede and govern licensing and delivery of all products and services hereunder.

3. TERM OF CONTRACTOR’S DOCUMENTS; PAYMENT TERMS

Contractor acknowledges and agrees that, to the extent a Contractor Document provides for alternate term or termination provisions, including automatic renewals, such sections shall be waived and shall have no force and effect. All Contractor Documents shall run concurrently with the term of this Contract; provided, however, to the extent the State has purchased a perpetual license to use the Contractor’s software, hardware or other services, such license shall remain in place unless expressly terminated in accordance with the terms of this Contract. Contractor acknowledges and agrees that, to the extent a Contractor Document provides for payment terms which differ from the payment terms set forth in Attachment B, such sections shall be waived and shall have no force and effect and the terms in Attachment B shall govern.

4. OWNERSHIP AND LICENSE IN DELIVERABLES

4.1 Contractor Intellectual Property. Contractor shall retain all right, title and interest in and to any work, ideas, inventions, discoveries, tools, methodology, computer programs, processes and improvements and any other intellectual property, tangible or intangible, that has been created by Contractor prior to entering into this Contract (“Contractor Intellectual Property”). Should the State require a license for the use of Contractor Intellectual Property in connection with the development or use of the items that Contractor is required to deliver to the State under this Contract, including Work Product (“Deliverables”), the Contractor shall grant the


State a royalty-free license for such development and use. For the avoidance of doubt, Work Product shall not be deemed to include Contractor Intellectual Property, provided the State shall be granted an irrevocable, perpetual, non-exclusive royalty-free license to use any such Contractor Intellectual Property that is incorporated into Work Product.

4.2 State Intellectual Property. The State shall retain all right, title and interest in and to (i) all content and all property, data and information furnished by or on behalf of the State or any agency, commission or board thereof, and to all information that is created under this Contract, including, but not limited to, all data that is generated under this Contract as a result of the use by Contractor, the State or any third party of any technology systems or knowledge bases that are developed for the State and used by Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State trademarks, trade names, logos and other State identifiers, Internet uniform resource locators, State user name or names, Internet addresses and e-mail addresses obtained or developed pursuant to this Contract (collectively, “State Intellectual Property”). Contractor may not use State Intellectual Property for any purpose other than as specified in this Contract. Upon expiration or termination of this Contract, Contractor shall return or destroy all State Intellectual Property and all copies thereof, and Contractor shall have no further right or license to such State Intellectual Property. Contractor acquires no rights or licenses, including, without limitation, intellectual property rights or licenses, to use State Intellectual Property for its own purposes. In no event shall the Contractor claim any security interest in State Intellectual Property.

4.3 Work Product. All Work Product shall belong exclusively to the State, with the State having the sole and exclusive right to apply for, obtain, register, hold and renew, in its own name and/or for its own benefit, all patents and copyrights, and all applications and registrations, renewals and continuations thereof and/or any and all other appropriate protection. To the extent exclusive title and/or complete and exclusive ownership rights in and to any Work Product may not originally vest in the State by operation of law or otherwise as contemplated hereunder, Contractor shall immediately upon request, unconditionally and irrevocably assign, transfer and convey to the State all right, title and interest therein. “Work Product” means any tangible or intangible ideas, inventions, improvements, modifications, discoveries, development, customization, configuration, methodologies or processes, designs, models, drawings, photographs, reports, formulas, algorithms, patterns, devices, compilations, databases, computer programs, work of authorship, specifications, operating instructions, procedures manuals or other documentation, technique, know-how, secret, or intellectual property right whatsoever or any interest therein (whether patentable or not patentable or registerable under copyright or similar statutes or subject to analogous protection), that is specifically made, conceived, discovered or reduced to practice by Contractor, either solely or jointly with others, pursuant to this Contract. Work Product does not include Contractor Intellectual Property or third-party intellectual property. To the extent delivered under this Contract, upon full payment to Contractor in accordance with Attachment B, and subject to the terms and conditions contained herein, Contractor hereby (i) assigns to State all rights in and to all Deliverables, except to the extent they include any Contractor Intellectual Property; and (ii) grants to State a perpetual, non-exclusive, irrevocable, royalty-free license to use for State’s internal business purposes, any Contractor Intellectual Property included in the Deliverables in connection with its use of the Deliverables


and, subject to the State’s obligations with respect to Confidential Information, authorize others to do the same on the State’s behalf. Except for the foregoing license grant, Contractor or its licensors retain all rights in and to all Contractor Intellectual Property. The Contractor shall not sell or copyright a Deliverable without explicit permission from the State. If the Contractor is operating a system or application on behalf of the State of Vermont, then the Contractor shall not make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Contractor Intellectual Property or Contractor Intellectual Property developed outside of this Contract with no assistance from State. 4.1 Contractor Intellectual Property. As between the parties, and subject to the terms and conditions of this Contract, Contractor and its third-party suppliers will retain ownership of all intellectual property rights in the [System], and any and all derivative works made to the [System] or any part thereof, as well as all Work Product provided to the State (“Contractor Proprietary Technology”). The State acquires no rights to Contractor Proprietary Technology except for the licensed interests granted under this Contract. The term “Work Product” means all other materials, reports, manuals, visual aids, documentation, ideas, concepts, techniques, inventions, processes, or works of authorship developed, provided or created by Contractor or its employees or contractors during the course of performing work for the State (excluding any State Data or derivative works thereof and excluding any output from the [System] generated by the State’s use of the [System], including without limitation, reports, graphs, charts and modified State Data, but expressly including any form templates of such reports, graphs or charts by themselves that do not include the State Data). Title, ownership rights, and all Intellectual Property Rights in and to the [System] will remain the sole property of Contractor or its suppliers. The State acknowledges that the source code is not covered by any license hereunder and will not be provided by Contractor. Except as set forth in this Contract, no right or implied license or right of any kind is granted to the State regarding the [System] or any part thereof. Nothing in this Contract confers upon either party any right to use the other party's trade names and trademarks, except for permitted license use in accordance with this Contract. All use of such marks by either party will inure to the benefit of the owner of such marks, use of which will be subject to specifications controlled by the owner. 4.2 State Intellectual Property; User Name The State shall retain all right, title and interest in and to (i) all content and all property, data and information furnished by or on behalf of the State or any agency, commission or board thereof, and to all information that is created under this Contract, including, but not limited to, all data that is generated under this Contract as a result of the use by Contractor, the State or any third party of any technology systems or knowledge bases that are developed for the State and used by Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State trademarks, trade names, logos and other State identifiers, Internet uniform resource locators, State user name or names, Internet addresses and e-mail addresses obtained or developed pursuant to this Contract (collectively, “State Intellectual Property”).


Contractor may not collect, access or use State Intellectual Property for any purpose other than as specified in this Contract. Upon expiration or termination of this Contract, Contractor shall return or destroy all State Intellectual Property and all copies thereof, and Contractor shall have no further right or license to such State Intellectual Property. Contractor acquires no rights or licenses, including, without limitation, intellectual property rights or licenses, to use State Intellectual Property for its own purposes. In no event shall the Contractor claim any security interest in State Intellectual Property.

5. CONFIDENTIALITY AND NON-DISCLOSURE; SECURITY BREACH REPORTING

5.1 For purposes of this Contract, confidential information will not include information or material which (a) enters the public domain (other than as a result of a breach of this Contract); (b) was in the receiving party’s possession prior to its receipt from the disclosing party; (c) is independently developed by the receiving party without the use of confidential information; (d) is obtained by the receiving party from a third party under no obligation of confidentiality to the disclosing party; or (e) is not exempt from disclosure under applicable State law.

5.2 Confidentiality of Contractor Information. The Contractor acknowledges and agrees that this Contract and any and all Contractor information obtained by the State in connection with this Contract are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. The State will not disclose information for which a reasonable claim of exemption can be made pursuant to 1 V.S.A. § 317(c), including, but not limited to, trade secrets, proprietary information or financial information, including any formulae, plan, pattern, process, tool, mechanism, compound, procedure, production data, or compilation of information which is not patented, which is known only to the Contractor, and which gives the Contractor an opportunity to obtain business advantage over competitors who do not know it or use it.

The State shall immediately notify Contractor of any request made under the Access to Public Records Act, or any request or demand by any court, governmental agency or other person asserting a demand or request for Contractor information. Contractor may, in its discretion, seek an appropriate protective order, or otherwise defend any right it may have to maintain the confidentiality of such information under applicable State law within three business days of the State’s receipt of any such request. Contractor agrees that it will not make any claim against the State if the State makes available to the public any information in accordance with the Access to Public Records Act or in response to a binding order from a court or governmental body or agency compelling its production. Contractor shall indemnify the State for any costs or expenses incurred by the State, including, but not limited to, attorneys’ fees awarded in accordance with 1 V.S.A. § 320, in connection with any action brought in connection with Contractor’s attempts to prevent or unreasonably delay public disclosure of Contractor’s information if a final decision of a court of competent jurisdiction determines that the State improperly withheld such information and that the improper withholding was based on Contractor’s attempts to prevent public disclosure of Contractor’s information. The State agrees that (a) it will use the Contractor information only as may be necessary in the course of performing duties, receiving services or exercising rights under this Contract; (b) it will provide at a minimum the same care to avoid disclosure or unauthorized use of Contractor information as it provides to protect its own similar confidential and proprietary information;


(c) except as required by the Access to Records Act, it will not disclose such information orally or in writing to any third party unless that third party is subject to a written confidentiality agreement that contains restrictions and safeguards at least as restrictive as those contained in this Contract; (d) it will take all reasonable precautions to protect the Contractor’s information; and (e) it will not otherwise appropriate such information to its own use or to the use of any other person or entity. Contractor may affix an appropriate legend to Contractor information that is provided under this Contract to reflect the Contractor’s determination that any such information is a trade secret, proprietary information, or financial information at time of delivery or disclosure.

5.3 Confidentiality of State Information. In performance of this Contract, and any exhibit or schedule hereunder, the Contractor acknowledges that certain State Data (as defined below), to which the Contractor may have access may contain individual federal tax information, personal protected health information and other individually identifiable information protected by State or federal law or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“State Data”). In addition to the provisions of this Section, the Contractor shall comply with the requirements set forth in the State’s HIPAA Business Associate Agreement attached to this Contract as Attachment E.

State Data shall not be stored, accessed from, or transferred to any location outside the United States. Unless otherwise instructed by the State, Contractor agrees to keep confidential all State Data. The Contractor agrees that (a) it will use the State Data only as may be necessary in the course of performing duties or exercising rights under this Contract; (b) it will provide at a minimum the same care to avoid disclosure or unauthorized use of State Data as it provides to protect its own similar confidential and proprietary information; (c) it will not publish, reproduce, or otherwise divulge any State Data in whole or in part, in any manner or form orally or in writing to any third party unless it has received written approval from the State and that third party is subject to a written confidentiality agreement that contains restrictions and safeguards at least as restrictive as those contained in this Contract; (d) it will take all reasonable precautions to protect the State’s information; and (e) it will not otherwise appropriate such information to its own use or to the use of any other person or entity. Contractor will take reasonable measures as are necessary to restrict access to State Data in the Contractor’s possession to only those employees on its staff who must have the information on a “need to know” basis. The Contractor shall not retain any State Data except to the extent required to perform the services under this Contract. Contractor shall not access State user accounts or State Data, except in the course of data center operations, response to service or technical issues, as required by the express terms of this Contract, or at State’s written request. Contractor may not share State Data with its parent company or other affiliate without State’s express written consent. The Contractor shall promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for State Data to which the Contractor or any third party hosting service of the Contractor may have access, so that the State may seek an appropriate protective order.


6. SECURITY OF STATE INFORMATION

6.1 Security Standards. To the extent the Contractor or its subcontractors, affiliates or agents handles, collects, stores, disseminates or otherwise deals with State Data, the Contractor represents and warrants that it has implemented and it shall maintain during the term of this Contract the highest industry standard administrative, technical, and physical safeguards and controls consistent with NIST Special Publication 800-53 (version 4 or higher) and Federal Information Processing Standards Publication 200 and designed to (i) ensure the security and confidentiality of State Data; (ii) protect against any anticipated security threats or hazards to the security or integrity of the State Data; and (iii) protect against unauthorized access to or use of State Data. Such measures shall include at a minimum: (1) access controls on information systems, including controls to authenticate and permit access to State Data only to authorized individuals and controls to prevent the Contractor employees from providing State Data to unauthorized individuals who may seek to obtain this information (whether through fraudulent means or otherwise); (2) industry-standard firewall protection; (3) encryption of electronic State Data while in transit from the Contractor networks to external networks; (4) measures to store in a secure fashion all State Data which shall include, but not be limited to, encryption at rest and multiple levels of authentication; (5) dual control procedures, segregation of duties, and pre-employment criminal background checks for employees with responsibilities for or access to State Data; (6) measures to ensure that the State Data shall not be altered or corrupted without the prior written consent of the State; (7) measures to protect against destruction, loss or damage of State Data due to potential environmental hazards, such as fire and water damage; (8) staff training to implement the information security measures; and (9) monitoring of the security of any portions of the Contractor systems that are used in the provision of the services against intrusion on a twenty-four (24) hour a day basis.

6.2 Security Breach Notice and Reporting. The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below, which shall be made available to the State upon request.

In addition to the requirements set forth in any applicable Business Associate Agreement as may be attached to this Contract, in the event of any actual security breach or reasonable belief of an actual security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (a “Security Breach”), the Contractor shall notify the State within 24 hours of its discovery. Contractor shall immediately determine the nature and extent of the Security Breach, contain the incident by stopping the unauthorized practice, recover records, shut down the system that was breached, revoke access and/or correct weaknesses in physical security. Contractor shall report to the State: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. Contractor shall analyze and document the incident and provide all notices required by applicable law.


In accordance with Section 9 V.S.A. §2435(b)(3), the Contractor shall notify the Office of the Attorney General, or, if applicable, Vermont Department of Financial Regulation (“DFR”), within fourteen (14) business days of the Contractor’s discovery of the Security Breach. The notice shall provide a preliminary description of the breach. The foregoing notice requirement shall be included in the subcontracts of any of Contractor’s subcontractors, affiliates or agents which may be “data collectors” hereunder. The Contractor agrees to fully cooperate with the State and assume responsibility at its own expense for the following, to be determined in the sole discretion of the State: (i) notice to affected consumers if the State determines it to be appropriate under the circumstances of any particular Security Breach, in a form recommended by the AGO; and (ii) investigation and remediation associated with a Security Breach, including but not limited to, outside investigation, forensics, counsel, crisis management and credit monitoring, in the sole determination of the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes and all applicable State and federal laws, rules or regulations) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

6.3 Security Policies. To the extent the Contractor or its subcontractors, affiliates or agents handles, collects, stores, disseminates or otherwise deals with State Data, the Contractor will have an information security policy that protects its systems and processes and media that may contain State Data from internal and external security threats and State Data from unauthorized disclosure, and will have provided a copy of such policy to the State. The Contractor shall provide the State with not less than thirty (30) days advance written notice of any material amendment or modification of such policies.

6.4 Operations Security. To the extent the Contractor or its subcontractors, affiliates or agents handles, collects, stores, disseminates or otherwise deals with State Data, the Contractor shall cause an SSAE 18 SOC 2 Type 2 audit report to be conducted annually. The audit results and the Contractor’s plan for addressing or resolution of the audit results shall be shared with the State within sixty (60) days of the Contractor's receipt of the audit results. Further, on an annual basis, within 90 days of the end of the Contractor’s fiscal year, the Contractor shall transmit its annual audited financial statements to the State.

6.5 Redundant Back-Up. The Contractor shall maintain a fully redundant backup data center geographically separated from its main data center that maintains near realtime replication of data from the main data center. The Contractor’s back-up policies shall be made available to the State upon request. The Contractor shall provide the State with not less than thirty (30) days advance written notice of any material amendment or modification of such policies.


6.6 Vulnerability Testing. The Contractor shall run quarterly vulnerability assessments and promptly report results t o the State. Contractor shall remediate all critical issues within 90 days, all medium issues within 120 days and low issues within 180 days. Contractor shall obtain written State approval for any exceptions. Once remediation is complete, Contractor shall re-perform the test.

7. CONTRACTOR’S REPRESENTATIONS AND WARRANTIES

7.1 General Representations and Warranties. The Contractor represents, warrants and covenants that:

(i) The Contractor has all requisite power and authority to execute, deliver and perform its obligations under this Contract and the execution, delivery and performance of this Contract by the Contractor has been duly authorized by the Contractor.

(ii) There is no outstanding litigation, arbitrated matter or other dispute to which the Contractor is a party which, if decided unfavorably to the Contractor, would reasonably be expected to have a material adverse effect on the Contractor’s ability to fulfill its obligations under this Contract.

(iii) The Contractor will comply with all laws applicable to its performance of the services and otherwise to the Contractor in connection with its obligations under this Contract.

(iv) The Contractor (a) owns, or has the right to use under valid and enforceable agreements, all intellectual property rights reasonably necessary for and related to delivery of the services and provision of the Deliverables as set forth in this Contract; (b) shall be responsible for and have full authority to license all proprietary and/or third party software modules, including algorithms and protocols, that Contractor incorporates into its product; and (c) none of the Deliverables or other materials or technology provided by the Contractor to the State will infringe upon or misappropriate the intellectual property rights of any third party.

(v) The Contractor has adequate resources to fulfill its obligations under this Contract.

(vi) Neither Contractor nor Contractor’s subcontractors has past state or federal violations, convictions or suspensions relating to miscoding of employees in NCCI job codes for purposes of differentiating between independent contractors and employees.

7.2 Contractor’s Performance Warranties. Contractor represents and warrants to the State that:

(i) All Deliverables will be free from material errors and shall perform in accordance with the specifications therefor for a period of at least one year.


(ii) Contractor will provide to the State commercially reasonable continuous and uninterrupted access to the Service, and will not interfere with the State’s access to and use of the Service during the term of this Contract;

(iii) The Service is compatible with and will operate successfully with any environment (including web browser and operating system) specified by the Contractor in its documentation;

(iv) Each and all of the services shall be performed in a timely, diligent, professional and skillful manner, in accordance with the highest professional or technical standards applicable to such services, by qualified persons with the technical skills, training and experience to perform such services in the planned environment.

(v) All Deliverables supplied by the Contractor to the State shall be transferred free and clear of any and all restrictions on the conditions of transfer, modification, licensing, sublicensing and free and clear of any and all leins, claims, mortgages, security interests, liabilities and encumbrances or any kind.

(vi) Any time software is delivered to the State, whether delivered via electronic media or the internet, no portion of such software or the media upon which it is stored or delivered will have any type of software routine or other element which is designed to facilitate unauthorized access to or intrusion upon; or unrequested disabling or erasure of; or unauthorized interference with the operation of any hardware, software, data or peripheral equipment of or utilized by the State. Without limiting the generality of the foregoing, if the State believes that harmful code may be present in any software delivered hereunder, Contractor will, upon State’s request, provide a new or clean install of the software. Notwithstanding the foregoing, Contractor assumes no responsibility for the State’s negligence or failure to protect data from viruses, or any unintended modification, destruction or disclosure.

(vii) To the extent Contractor resells commercial hardware or software it purchased from a third party, Contractor will, to the extent it is legally able to do so, pass through any such third party warranties to the State and will reasonably cooperate in enforcing them. Such warranty pass-through will not relieve the Contractor from Contractor’s warranty obligations set forth herein.

7.3 Limitation on Disclaimer. The express warranties set forth in this Contract shall be in lieu of all other warranties, express or implied.

7.4 Effect of Breach of Warranty. If, at any time during the term of this Contract, software or the results of Contractor’s work fail to perform according to any warranty of Contractor under this Contract, the State shall promptly notify Contractor in writing of such alleged nonconformance, and Contractor shall, at its own expense and without limiting any other rights or remedies of the State hereunder, re-perform or replace any services that the State has determined to be unsatisfactory in its reasonable discretion. Alternatively, with State consent,


the Contractor may refund of all amounts paid by State for the nonconforming deliverable or service

8. PROFESSIONAL LIABILITY AND CYBER LIABILITY INSURANCE COVERAGE

In addition to the insurance required in Attachment C to this Contract, before commencing work on this Contract and throughout the term of this Contract, Contractor agrees to procure and maintain (a) Technology Professional Liability insurance for any and all services performed under this Contract, with minimum third party coverage of $2,000,000 per claim, $2,000,000 aggregate; and (b) first party Breach Notification Coverage of not less than $1,000,000. Before commencing work on this contract, the Contractor must provide certificates of insurance to show that the foregoing minimum coverages are in effect. With respect to the first party Breach Notification Coverage, Contractor shall name the State of Vermont and its officers and employees as additional insureds for liability arising out of this Contract.

9. LIMITATION OF LIABILITY.

CONTRACTOR’S LIABILITY FOR DAMAGES TO THE STATE ARISING OUT OF THE SUBJECT MATTER OF THIS CONTRACT SHALL NOT EXCEED THREE TIMES THE MAXIMUM AMOUNT PAYABLE UNDER THIS CONTRACT, OR $3,000,000 PER CLAIM/$3,000,000 AGGREGATE, WHICHEVER IS GREATER. LIMITS OF LIABILITY FOR STATE CLAIMS SHALL NOT APPLY TO STATE CLAIMS ARISING OUT OF: (A) CONTRACTOR’S OBLIGATION TO INDEMNIFY THE STATE; (B) CONTRACTOR’S CONFIDENTIALITY OBLIGATIONS TO THE STATE; (C) PERSONAL INJURY OR DAMAGE TO REAL OR PERSONAL PROPERTY; (D) CONTRACTOR’S GROSS NEGLIGENCE, FRAUD OR INTENTIONAL MISCONDUCT; OR (E) VIOLATIONS OF THE STATE OF VERMONT FRAUDULENT CLAIMS ACT. IN NO EVENT SHALL THIS LIMIT OF LIABILITY BE CONSTRUED TO LIMIT CONTRACTOR’S LIABILITY FOR THIRD PARTY CLAIMS AGAINST THE CONTRACTOR WHICH MAY ARISE OUT OF CONTRACTOR’S ACTS OR OMISSIONS IN THE PERFORMANCE OF THIS CONTRACT. NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL OR SPECIAL DAMAGES, DAMAGES WHICH ARE UNFORESEEABLE TO THE PARTIES AT THE TIME OF CONTRACTING, DAMAGES WHICH ARE NOT PROXIMATELY CAUSED BY A PARTY, SUCH AS LOSS OF ANTICIPATED BUSINESS, OR LOST PROFITS, INCOME, GOODWILL, OR REVENUE IN CONNECTION WITH OR ARISING OUT OF THE SUBJECT MATTER OF THIS CONTRACT. The provisions of this Section shall apply notwithstanding any other provisions of this Contract or any other agreement.

10. TRADE SECRET, PATENT AND COPYRIGHT INFRINGEMENT

The State shall not be deemed to waive any of its rights or remedies at law or in equity in the event of Contractor’s trade secret, patent and/or copyright infringement.

11 REMEDIES FOR DEFAULT; NO WAIVER OF REMEDIES


In the event either party is in default under this Contract, the non-defaulting party may, at its option, pursue any or all of the remedies available to it under this Contract, including termination for cause, and at law or in equity. No delay or failure to exercise any right, power or remedy accruing to either party upon breach or default by the other under this Contract shall impair any such right, power or remedy, or shall be construed as a waiver of any such right, power or remedy, nor shall any waiver of a single breach or default be deemed a waiver of any subsequent breach or default. All waivers must be in writing.

12 NO ASSUMPTION OF COSTS

Any requirement that the State defend or indemnify Contractor or otherwise be liable for the expenses or reimbursement, including attorneys’ fees, collection costs or license verification costs of Contractor, is hereby deleted from the Contractor Documents.

13 TERMINATION

Upon termination of this Contract for any reason whatsoever, Contractor shall immediately deliver to the State all State information, State Intellectual Property or State Data (including without limitation any Deliverables for which State has made payment in whole or in part) (“State Materials”), that are in the possession or under the control of Contractor in whatever stage of development and form of recordation such State property is expressed or embodied at that time. In the event the Contractor ceases conducting business in the normal course, becomes insolvent, makes a general assignment for the benefit of creditors, suffers or permits the appointment of a receiver for its business or assets or avails itself of or becomes subject to any proceeding under the Federal Bankruptcy Act or any statute of any state relating to insolvency or the protection of rights of creditors, the Contractor shall immediately return all State Materials to State control; including, but not limited to, making all necessary access to applicable remote systems available to the State for purposes of downloading all State Materials. Contractor shall reasonably cooperate with other parties in connection with all services to be delivered under this Contract, including without limitation any successor provider to whom State Materials are to be transferred in connection with termination. Contractor shall assist the State in exporting and extracting the State Materials, in a format usable without the use of the Services and as agreed to by State, at no additional cost. Any transition services requested by State involving additional knowledge transfer and support may be subject to a contract amendment for a fixed fee or at rates to be mutually agreed upon by the parties. If the State determines in its sole discretion that a documented transition plan is necessary, then no later than sixty (60) days prior to termination, Contractor and the State shall mutually prepare a Transition Plan identifying transition services to be provided.

14. ACCESS TO STATE DATA:

The State may import or export State Materials in part or in whole at its sole discretion at any time (24 hours a day, seven (7) days a week, 365 days a year), during the term of this Contract or for up to [three (3) months] after the Term (so long as the State Materials remain in the Contractor’s possession) without interference from the Contractor in a format usable without the Service and in an agreed-upon file format and medium at no additional cost to the State.


The Contractor must allow the State access to information such as system logs and latency statistics that affect its State Materials and or processes. The Contractor’s policies regarding the retrieval of data upon the termination of services have been made available to the State upon execution of this Contract under separate cover. The Contractor shall provide the State with not less than thirty (30) days advance written notice of any material amendment or modification of such policies.

15. AUDIT RIGHTS

Contractor will maintain and cause its permitted contractors to maintain a complete audit trail of all transactions and activities, financial and non-financial, in connection with this Contract. Contractor will provide to the State, its internal or external auditors, clients, inspectors, regulators and other designated representatives, at reasonable times (and in the case of State or federal regulators, at any time required by such regulators) access to Contractor personnel and to any and all Contractor facilities or where the required information, data and records are maintained, for the purpose of performing audits and inspections (including unannounced and random audits) of Contractor and/or Contractor personnel and/or any or all of the records, data and information applicable to this Contract. At a minimum, such audits, inspections and access shall be conducted to the extent permitted or required by any laws applicable to the State or Contractor (or such higher or more rigorous standards, if any, as State or Contractor applies to its own similar businesses, operations or activities), to (i) verify the accuracy of charges and invoices; (ii) verify the integrity of State Data and examine the systems that process, store, maintain, support and transmit that data; (iii) examine and verify Contractor’s and/or its permitted contractors’ operations and security procedures and controls; (iv) examine and verify Contractor’s and/or its permitted contractors’ disaster recovery planning and testing, business resumption and continuity planning and testing, contingency arrangements and insurance coverage; and (v) examine Contractor’s and/or its permitted contractors’ performance of the Services including audits of: (1) practices and procedures; (2) systems, communications and information technology; (3) general controls and physical and data/information security practices and procedures; (4) quality initiatives and quality assurance, (5) contingency and continuity planning, disaster recovery and back-up procedures for processes, resources and data; (6) Contractor’s and/or its permitted contractors’ efficiency and costs in performing Services; (7) compliance with the terms of this Contract and applicable laws, and (9) any other matters reasonably requested by the State. Contractor shall provide and cause its permitted contractors to provide full cooperation to such auditors, inspectors, regulators and representatives in connection with audit functions and with regard to examinations by regulatory authorities, including the installation and operation of audit software.

16. DESTRUCTION OF STATE DATA

At any time during the term of this Contract within (i) thirty days of the State’s written request or (ii) [three (3) months] of termination or expiration of this Contract for any reason, and in any event after the State has had an opportunity to export and recover the State Materials, Contractor shall at its own expense securely destroy and erase from all systems it directly or indirectly uses or controls all tangible or intangible forms of the State Materials, in whole or in part, and all copies thereof except such records as are required by law. The destruction of State Data and State Intellectual Property shall be performed according to National Institute of Standards and


Technology (NIST) approved methods. Contractor shall certify in writing to the State that such State Data has been disposed of securely. To the extent that any applicable law prevents Contractor from destroying or erasing State Materials as set forth herein, Contractor shall retain, in its then current state, all such State Materials then within its right of control or possession in accordance with the confidentiality, security and other requirements of this Contract, and perform its obligations under this section as soon as such law no longer prevents it from doing so. Further, upon the relocation of State Data, Contractor shall securely dispose of such copies from the former data location and certify in writing to the State that such State Data has been disposed of securely. Contractor shall comply with all reasonable directions provided by the State with respect to the disposal of State Data.

17 CONTRACTOR BANKRUPTCY.

Contractor acknowledges that if Contractor, as a debtor in possession, or a trustee in bankruptcy in a case under Section 365(n) of Title 11, United States Code (the "Bankruptcy Code"), rejects this Contract, the State may elect to retain its rights under this Contract as provided in Section 365(n) of the Bankruptcy Code. Upon written request of the State to Contractor or the Bankruptcy Trustee, Contractor or such Bankruptcy Trustee shall not interfere with the rights of the State as provided in this Contract, including the right to obtain the State Intellectual Property.

18 SOFTWARE LICENSEE COMPLIANCE REPORT.

In lieu of any requirement that may be in a Contractor Document that the State provide the Contractor with access to its System for the purpose of determining State compliance with the terms of the Contractor Document, upon request and not more frequently than annually, the State will provide Contractor with a certified report concerning the State’s use of any software licensed for State use pursuant this Contract. The parties agree that any non-compliance indicated by the report shall not constitute infringement of the licensor’s intellectual property rights, and that settlement payment mutually agreeable to the parties shall be the exclusive remedy for any such non-compliance.

19 IRS TERMS IF FEDERAL TAX INFO WILL BE PROCESSED OR STORED (Per IRS Publication 1075)

To the extent Contractor’s performance under this Contract involves the processing or storage of Federal tax information, then, pursuant to IRS Publication 1075, the following provisions shall apply in addition to any other security standard or requirements set forth in this Contract:

A. PERFORMANCE

In performance of this Contract, the Contractor agrees to comply with and assume responsibility for compliance by its employees with the following requirements: 1. All work will be done under the supervision of the Contractor or the Contractor's

employees. 2. The Contractor and the Contractor’s employees with access to or who use Federal tax

information must meet the background check requirements defined in IRS Publication 1075.


3. Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Contract. Disclosure to anyone other than an officer or employee of the Contractor will be prohibited.

4. All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.

5. The Contractor certifies that the data processed during the performance of this Contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the Contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures.

6. Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the State or his or her designee. When this is not possible, the Contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the State or its designee with a statement containing the date of destruction, description of material destroyed, and the method used.

7. All computer systems processing, storing, or transmitting Federal tax information must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal tax information.

8. No work involving Federal tax information furnished under this Contract will be subcontracted without prior written approval of the IRS.

9. The Contractor will maintain a list of employees authorized access. Such list will be provided to the State and, upon request, to the IRS reviewing office.

10. The State will have the right to void the Contract if the Contractor fails to provide the safeguards described above.

B. CRIMINAL/CIVIL SANCTIONS:

1. Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.


2. Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Contract. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431, and set forth at 26 CFR 301.6103(n)-1.

3. Additionally, it is incumbent upon the Contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to State records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

4. Prior to Contractor having access to Federal tax information, Contractor shall certify that each Contractor employee or other individual with access to or who use Federal tax information on Contractor’s behalf pursuant to this Contract understands the State’s security policy and procedures for safeguarding Federal tax information. Contractor’s authorization to access Federal tax information hereunder shall be contingent upon annual recertification. The initial certification and recertification must be documented and placed in the State's files for review. As part of the certification, and at least annually afterwards, Contractor will be advised of the provisions of IRCs 7431, 7213, and 7213A (see IRS Publication 1075 Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for Unauthorized Disclosure). The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches (See Publication 1075, Section 10). For both the initial certification and the annual certification, the Contractor must sign a confidentiality statement certifying its understanding of the security requirements.

C. INSPECTION:

The IRS and the State, with 24 hours’ notice, shall have the right to send its officers, employees, and inspectors into the offices and plants of the Contractor for inspection of the


facilities and operations provided for the performance of any work under this Contract for compliance with the requirements defined in IRS Publication 1075. The IRS’s right of inspection shall include the use of manual and/or automated scanning tools to perform compliance and vulnerability assessments of information technology assets that access, store, process or transmit Federal tax information. On the basis of such inspection, corrective actions may be required in cases where the Contractor is found to be noncompliant with Contract safeguards.

20. SOV Cybersecurity Standard 19-01 All products and service provided to or for the use of the State under this Contract shall be in compliance with State of Vermont Cybersecurity Standard 19-01, which Contractor acknowledges has been provided to it, and is available on-line at the following URL: https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives

https://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives


ATTACHMENT E BUSINESS ASSOCIATE AGREEMENT

SOV CONTRACTOR/GRANTEE/BUSINESS ASSOCIATE: VITALCORE HEALTH STRATEGIES, LLC. SOV CONTRACT NO. 40006 CONTRACT EFFECTIVE DATE: 07/01/2020

This Business Associate Agreement (“Agreement”) is entered into by and between the State of Vermont Agency of Human Services, operating by and through its Department of Corrections (“Covered Entity”) and Party identified in this Agreement as Contractor or Grantee above (“Business Associate”). This Agreement supplements and is made a part of the contract or grant (“Contract or Grant”) to which it is attached.

Covered Entity and Business Associate enter into this Agreement to comply with the standards promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 (“Privacy Rule”), and the Security Standards, at 45 CFR Parts 160 and 164 (“Security Rule”), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations.

The parties agree as follows: 1. Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations. Terms defined in this Agreement are italicized. Unless otherwise specified, when used in this Agreement, defined terms used in the singular shall be understood if appropriate in their context to include the plural when applicable.

“Agent” means an Individual acting within the scope of the agency of the Business Associate, in accordance with the Federal common law of agency, as referenced in 45 CFR § 160.402(c) and includes Workforce members and Subcontractors.

“Breach” means the acquisition, Access, Use or Disclosure of Protected Health Information (PHI) which compromises the Security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR § 164.402.

“Business Associate” shall have the meaning given for “Business Associate” in 45 CFR § 160.103 and means Contractor or Grantee and includes its Workforce, Agents and Subcontractors.

“Electronic PHI” shall mean PHI created, received, maintained or transmitted electronically in accordance with 45 CFR § 160.103.

“Individual” includes a Person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).


“Protected Health Information” (“PHI”) shall have the meaning given in 45 CFR § 160.103, limited to the PHI created or received by Business Associate from or on behalf of Covered Entity.

“Required by Law” means a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law and shall have the meaning given in 45 CFR § 164.103.

“Report” means submissions required by this Agreement as provided in section 2.3.

“Security Incident” means the attempted or successful unauthorized Access, Use, Disclosure, modification, or destruction of Information or interference with system operations in an Information System relating to PHI in accordance with 45 CFR § 164.304.

“Services” includes all work performed by the Business Associate for or on behalf of Covered Entity that requires the Use and/or Disclosure of PHI to perform a Business Associate function described in 45 CFR § 160.103.

“Subcontractor” means a Person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.

“Successful Security Incident” shall mean a Security Incident that results in the unauthorized Access, Use, Disclosure, modification, or destruction of information or interference with system operations in an Information System.

“Unsuccessful Security Incident” shall mean a Security Incident such as routine occurrences that do not result in unauthorized Access, Use, Disclosure, modification, or destruction of information or interference with system operations in an Information System, such as: (i) unsuccessful attempts to penetrate computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above with respect to Business Associate’s Information System.

“Targeted Unsuccessful Security Incident” means an Unsuccessful Security Incident that appears to be an attempt to obtain unauthorized Access, Use, Disclosure, modification or destruction of the Covered Entity’s Electronic PHI.

2. Contact Information for Privacy and Security Officers and Reports.

2.1 Business Associate shall provide, within ten (10) days of the execution of this Agreement, written notice to the Contract or Grant manager the names and contact information of both the HIPAA Privacy Officer and HIPAA Security Officer of the Business Associate. This information must be updated by Business Associate any time these contacts change.

2.2 Covered Entity’s HIPAA Privacy Officer and HIPAA Security Officer contact information is posted at: http://humanservices.vermont.gov/policy-legislation/hipaa/hipaa-info-beneficiaries/ahs-hipaa-contacts/

http://humanservices.vermont.gov/policy-legislation/hipaa/hipaa-info-beneficiaries/ahs-hipaa-contacts/

http://humanservices.vermont.gov/policy-legislation/hipaa/hipaa-info-beneficiaries/ahs-hipaa-contacts/


2.3 Business Associate shall submit all Reports required by this Agreement to the following email address: [email protected]

3. Permitted and Required Uses/Disclosures of PHI.

3.1 Subject to the terms in this Agreement, Business Associate may Use or Disclose PHI to perform Services, as specified in the Contract or Grant. Such Uses and Disclosures are limited to the minimum necessary to provide the Services. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the Privacy Rule if Used or Disclosed by Covered Entity in that manner. Business Associate may not Use or Disclose PHI other than as permitted or required by this Agreement or as Required by Law and only in compliance with applicable laws and regulations.

3.2 Business Associate may make PHI available to its Workforce, Agent and Subcontractor who need Access to perform Services as permitted by this Agreement, provided that Business Associate makes them aware of the Use and Disclosure restrictions in this Agreement and binds them to comply with such restrictions.

3.3 Business Associate shall be directly liable under HIPAA for impermissible Uses and Disclosures of PHI.

4. Business Activities. Business Associate may Use PHI if necessary for Business Associate’s proper management and administration or to carry out its legal responsibilities. Business Associate may Disclose PHI for Business Associate’s proper management and administration or to carry out its legal responsibilities if a Disclosure is Required by Law or if Business Associate obtains reasonable written assurances via a written agreement from the Person to whom the information is to be Disclosed that such PHI shall remain confidential and be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the Person, and the Agreement requires the Person to notify Business Associate, within five (5) business days, in writing of any Breach of Unsecured PHI of which it is aware. Such Uses and Disclosures of PHI must be of the minimum amount necessary to accomplish such purposes.

5. Electronic PHI Security Rule Obligations.

5.1 With respect to Electronic PHI, Business Associate shall:

a) Implement and use Administrative, Physical, and Technical Safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312;

b) Identify in writing upon request from Covered Entity all the safeguards that it uses to protect such Electronic PHI;

c) Prior to any Use or Disclosure of Electronic PHI by an Agent or Subcontractor, ensure that any Agent or Subcontractor to whom it provides Electronic PHI agrees in writing to implement and use Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic PHI. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the Use or Disclosure of Electronic PHI, and be provided to Covered Entity upon request;

mailto:


d) Report in writing to Covered Entity any Successful Security Incident or Targeted Security Incident as soon as it becomes aware of such incident and in no event later than five (5) business days after such awareness. Such report shall be timely made notwithstanding the fact that little information may be known at the time of the report and need only include such information then available;

e) Following such report, provide Covered Entity with the information necessary for Covered Entity to investigate any such incident; and

f) Continue to provide to Covered Entity information concerning the incident as it becomes available to it.

5.2 Reporting Unsuccessful Security Incidents. Business Associate shall provide Covered Entity upon written request a Report that: (a) identifies the categories of Unsuccessful Security Incidents; (b) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (c) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.

5.3 Business Associate shall comply with any reasonable policies and procedures Covered Entity implements to obtain compliance under the Security Rule.

6. Reporting and Documenting Breaches.

6.1 Business Associate shall Report to Covered Entity any Breach of Unsecured PHI as soon as it, or any Person to whom PHI is disclosed under this Agreement, becomes aware of any such Breach, and in no event later than five (5) business days after such awareness, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. Such Report shall be timely made notwithstanding the fact that little information may be known at the time of the Report and need only include such information then available.

6.2 Following the Report described in 6.1, Business Associate shall conduct a risk assessment and provide it to Covered Entity with a summary of the event. Business Associate shall provide Covered Entity with the names of any Individual whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected Individual, as set forth in 45 CFR § 164.404(c). Upon request by Covered Entity, Business Associate shall provide information necessary for Covered Entity to investigate the impermissible Use or Disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available.

6.3 When Business Associate determines that an impermissible acquisition, Access, Use or Disclosure of PHI for which it is responsible is not a Breach, and therefore does not necessitate notice to the impacted Individual, it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). Business Associate shall make its risk assessment available to Covered Entity upon request. It shall include 1) the name of the person making the assessment, 2) a brief summary of the facts, and 3) a brief statement of


the reasons supporting the determination of low probability that the PHI had been compromised.

7. Mitigation and Corrective Action. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible Use or Disclosure of PHI, even if the impermissible Use or Disclosure does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to address any incident of impermissible Use or Disclosure of PHI. Business Associate shall make its mitigation and corrective action plans available to Covered Entity upon request.

8. Providing Notice of Breaches.

8.1 If Covered Entity determines that a Breach of PHI for which Business Associate was responsible, and if requested by Covered Entity, Business Associate shall provide notice to the Individual whose PHI has been the subject of the Breach. When so requested, Business Associate shall consult with Covered Entity about the timeliness, content and method of notice, and shall receive Covered Entity’s approval concerning these elements. Business Associate shall be responsible for the cost of notice and related remedies.

8.2 The notice to affected Individuals shall be provided as soon as reasonably possible and in no case later than 60 calendar days after Business Associate reported the Breach to Covered Entity.

8.3 The notice to affected Individuals shall be written in plain language and shall include, to the extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHI that were involved in the Breach, 3) any steps Individuals can take to protect themselves from potential harm resulting from the Breach, 4) a brief description of what the Business Associate is doing to investigate the Breach to mitigate harm to Individuals and to protect against further Breaches, and 5) contact procedures for Individuals to ask questions or obtain additional information, as set forth in 45 CFR § 164.404(c).

8.4 Business Associate shall notify Individuals of Breaches as specified in 45 CFR § 164.404(d) (methods of Individual notice). In addition, when a Breach involves more than 500 residents of Vermont, Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont, following the requirements set forth in 45 CFR § 164.406.

9. Agreements with Subcontractors. Business Associate shall enter into a Business Associate Agreement with any Subcontractor to whom it provides PHI to require compliance with HIPAA and to ensure Business Associate and Subcontractor comply with the terms and conditions of this Agreement. Business Associate must enter into such written agreement before any Use by or Disclosure of PHI to such Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the Use or Disclosure of PHI. Business Associate shall provide a copy of the written agreement it enters into with a Subcontractor to Covered Entity upon request. Business Associate may not make any Disclosure of PHI to any Subcontractor without prior written consent of Covered Entity.


10. Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR § 164.524. Business Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within five (5) business days, Business Associate shall forward to Covered Entity for handling any request for Access to PHI that Business Associate directly receives from an Individual.

11. Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request of Covered Entity or an Individual. Business Associate shall make such amendments in the time and manner reasonably designated by Covered Entity. Within five (5) business days, Business Associate shall forward to Covered Entity for handling any request for amendment to PHI that Business Associate directly receives from an Individual.

12. Accounting of Disclosures. Business Associate shall document Disclosures of PHI and all information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall provide such information to Covered Entity or as directed by Covered Entity to an Individual, to permit Covered Entity to respond to an accounting request. Business Associate shall provide such information in the time and manner reasonably designated by Covered Entity. Within five (5) business days, Business Associate shall forward to Covered Entity for handling any accounting request that Business Associate directly receives from an Individual.

13. Books and Records. Subject to the attorney-client and other applicable legal privileges, Business Associate shall make its internal practices, books, and records (including policies and procedures and PHI) relating to the Use and Disclosure of PHI available to the Secretary of Health and Human Services (HHS) in the time and manner designated by the Secretary. Business Associate shall make the same information available to Covered Entity, upon Covered Entity’s request, in the time and manner reasonably designated by Covered Entity so that Covered Entity may determine whether Business Associate is in compliance with this Agreement.

14. Termination.

14.1 This Agreement commences on the Effective Date and shall remain in effect until terminated by Covered Entity or until all the PHI is destroyed or returned to Covered Entity subject to Section 18.8.

14.2 If Business Associate fails to comply with any material term of this Agreement, Covered Entity may provide an opportunity for Business Associate to cure. If Business Associate does not cure within the time specified by Covered Entity or if Covered Entity believes that cure is not reasonably possible, Covered Entity may immediately terminate the Contract or Grant without incurring liability or penalty for such termination. If neither termination nor cure are feasible, Covered Entity shall report the breach to the Secretary of HHS. Covered Entity has the right to seek to cure such failure by Business Associate. Regardless of whether Covered Entity cures, it retains any right or remedy available at law, in equity, or under the Contract or Grant and Business Associate retains its responsibility for such failure.


15. Return/Destruction of PHI.

15.1 Business Associate in connection with the expiration or termination of the Contract or Grant shall return or destroy, at the discretion of the Covered Entity, PHI that Business Associate still maintains in any form or medium (including electronic) within thirty (30) days after such expiration or termination. Business Associate shall not retain any copies of PHI. Business Associate shall certify in writing and report to Covered Entity (1) when all PHI has been returned or destroyed and (2) that Business Associate does not continue to maintain any PHI. Business Associate is to provide this certification during this thirty (30) day period.

15.2 Business Associate shall report to Covered Entity any conditions that Business Associate believes make the return or destruction of PHI infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI.

16. Penalties. Business Associate understands that: (a) there may be civil or criminal penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law enforcement officials and regulatory, accreditation, and licensure organizations.

17. Training. Business Associate understands its obligation to comply with the law and shall provide appropriate training and education to ensure compliance with this Agreement. If requested by Covered Entity, Business Associate shall participate in Covered Entity’s training regarding the Use, Confidentiality, and Security of PHI; however, participation in such training shall not supplant nor relieve Business Associate of its obligations under this Agreement to independently assure compliance with the law and this Agreement.

18. Miscellaneous.

18.1 In the event of any conflict or inconsistency between the terms of this Agreement and the terms of the Contract or Grant, the terms of this Agreement shall govern with respect to its subject matter. Otherwise, the terms of the Contract or Grant continue in effect.

18.2 Each party shall cooperate with the other party to amend this Agreement from time to time as is necessary for such party to comply with the Privacy Rule, the Security Rule, or any other standards promulgated under HIPAA. This Agreement may not be amended, except by a writing signed by all parties hereto.

18.3 Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the Privacy Rule, Security Rule, or any other standards promulgated under HIPAA.

18.4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g., HIPAA, the Privacy Rule, Security Rule, and HITECH) in construing the meaning and effect of this Agreement.

18.5 Business Associate shall not have or claim any ownership of PHI.


18.6 Business Associate shall abide by the terms and conditions of this Agreement with respect to all PHI even if some of that information relates to specific services for which Business Associate may not be a “Business Associate” of Covered Entity under the Privacy Rule.

18.7 Business Associate is prohibited from directly or indirectly receiving any remuneration in exchange for an Individual’s PHI. Business Associate will refrain from marketing activities that would violate HIPAA, including specifically Section 13406 of the HITECH Act. Reports or data containing PHI may not be sold without Covered Entity’s or the affected Individual’s written consent.

18.8 The provisions of this Agreement that by their terms encompass continuing rights or responsibilities shall survive the expiration or termination of this Agreement. For example: (a) the provisions of this Agreement shall continue to apply if Covered Entity determines that it would be infeasible for Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation of Business Associate to provide an accounting of disclosures as set forth in Section 12 survives the expiration or termination of this Agreement with respect to accounting requests, if any, made after such expiration or termination.

Rev. 05/21/2019


ATTACHMENT F – AGENCY OF HUMAN SERVICES’ CUSTOMARY CONTRACT/GRANT PROVISIONS

1. Definitions: For purposes of this Attachment F, the term “Agreement” shall mean the form of

the contract or grant, with all of its parts, into which this Attachment F is incorporated. The meaning of the term “Party” when used in this Attachment F shall mean any named party to this Agreement other than the State of Vermont, the Agency of Human Services (AHS) and any of the departments, boards, offices and business units named in this Agreement. As such, the term “Party” shall mean, when used in this Attachment F, the Contractor or Grantee with whom the State of Vermont is executing this Agreement. If Party, when permitted to do so under this Agreement, seeks by way of any subcontract, sub-grant or other form of provider agreement to employ any other person or entity to perform any of the obligations of Party under this Agreement, Party shall be obligated to ensure that all terms of this Attachment F are followed. As such, the term “Party” as used herein shall also be construed as applicable to, and describing the obligations of, any subcontractor, sub-recipient or sub-grantee of this Agreement. Any such use or construction of the term “Party” shall not, however, give any subcontractor, sub-recipient or sub-grantee any substantive right in this Agreement without an express written agreement to that effect by the State of Vermont.

2. Agency of Human Services: The Agency of Human Services is responsible for overseeing all contracts and grants entered by any of its departments, boards, offices and business units, however denominated. The Agency of Human Services, through the business office of the Office of the Secretary, and through its Field Services Directors, will share with any named AHS-associated party to this Agreement oversight, monitoring and enforcement responsibilities. Party agrees to cooperate with both the named AHS-associated party to this contract and with the Agency of Human Services itself with respect to the resolution of any issues relating to the performance and interpretation of this Agreement, payment matters and legal compliance.

3. Medicaid Program Parties (applicable to any Party providing services and supports paid for

under Vermont’s Medicaid program and Vermont’s Global Commitment to Health Waiver):

Inspection and Retention of Records: In addition to any other requirement under this Agreement or at law, Party must fulfill all state and federal legal requirements, and will comply with all requests appropriate to enable the Agency of Human Services, the U.S. Department of Health and Human Services (along with its Inspector General and the Centers for Medicare and Medicaid Services), the Comptroller General, the Government Accounting Office, or any of their designees: (i) to evaluate through inspection or other means the quality, appropriateness, and timeliness of services performed under this Agreement; and (ii) to inspect and audit any records, financial data, contracts, computer or other electronic systems of Party relating to the performance of services under Vermont’s Medicaid program and Vermont’s Global Commitment to Health Waiver. Party will retain for ten years all documents required to be retained pursuant to 42 CFR 438.3(u). Subcontracting for Medicaid Services: Notwithstanding any permitted subcontracting of services to be performed under this Agreement, Party shall remain responsible for ensuring that this Agreement is fully performed according to its terms, that subcontractor remains in


compliance with the terms hereof, and that subcontractor complies with all state and federal laws and regulations relating to the Medicaid program in Vermont. Subcontracts, and any service provider agreements entered into by Party in connection with the performance of this Agreement, must clearly specify in writing the responsibilities of the subcontractor or other service provider and Party must retain the authority to revoke its subcontract or service provider agreement or to impose other sanctions if the performance of the subcontractor or service provider is inadequate or if its performance deviates from any requirement of this Agreement. Party shall make available on request all contracts, subcontracts and service provider agreements between the Party, subcontractors and other service providers to the Agency of Human Services and any of its departments as well as to the Center for Medicare and Medicaid Services. Medicaid Notification of Termination Requirements: Party shall follow the Department of Vermont Health Access Managed-Care-Organization enrollee-notification requirements, to include the requirement that Party provide timely notice of any termination of its practice. Encounter Data: Party shall provide encounter data to the Agency of Human Services and/or its departments and ensure further that the data and services provided can be linked to and supported by enrollee eligibility files maintained by the State. Federal Medicaid System Security Requirements Compliance: Party shall provide a security plan, risk assessment, and security controls review document within three months of the start date of this Agreement (and update it annually thereafter) in order to support audit compliance with 45 CFR 95.621 subpart F, ADP System Security Requirements and Review Process.

4. Workplace Violence Prevention and Crisis Response (applicable to any Party and any subcontractors and sub-grantees whose employees or other service providers deliver social or mental health services directly to individual recipients of such services):

Party shall establish a written workplace violence prevention and crisis response policy meeting the requirements of Act 109 (2016), 33 VSA §8201(b), for the benefit of employees delivering direct social or mental health services. Party shall, in preparing its policy, consult with the guidelines promulgated by the U.S. Occupational Safety and Health Administration for Preventing Workplace Violence for Healthcare and Social Services Workers, as those guidelines may from time to time be amended.

Party, through its violence protection and crisis response committee, shall evaluate the efficacy of its policy, and update the policy as appropriate, at least annually. The policy and any written evaluations thereof shall be provided to employees delivering direct social or mental health services. Party will ensure that any subcontractor and sub-grantee who hires employees (or contracts with service providers) who deliver social or mental health services directly to individual recipients of such services, complies with all requirements of this Section.


5. Non-Discrimination:

Party shall not discriminate, and will prohibit its employees, agents, subcontractors, sub-grantees and other service providers from discrimination, on the basis of age under the Age Discrimination Act of 1975, on the basis of handicap under section 504 of the Rehabilitation Act of 1973, on the basis of sex under Title IX of the Education Amendments of 1972, and on the basis of race, color or national origin under Title VI of the Civil Rights Act of 1964. Party shall not refuse, withhold from or deny to any person the benefit of services, facilities, goods, privileges, advantages, or benefits of public accommodation on the basis of disability, race, creed, color, national origin, marital status, sex, sexual orientation or gender identity as provided by Title 9 V.S.A. Chapter 139. No person shall on the grounds of religion or on the grounds of sex (including, on the grounds that a woman is pregnant), be excluded from participation in, be denied the benefits of, or be subjected to discrimination, to include sexual harassment, under any program or activity supported by State of Vermont and/or federal funds.

Party further shall comply with the non-discrimination requirements of Title VI of the Civil Rights Act of 1964, 42 USC Section 2000d, et seq., and with the federal guidelines promulgated pursuant to Executive Order 13166 of 2000, requiring that contractors and subcontractors receiving federal funds assure that persons with limited English proficiency can meaningfully access services. To the extent Party provides assistance to individuals with limited English proficiency through the use of oral or written translation or interpretive services, such individuals cannot be required to pay for such services.

6. Employees and Independent Contractors:

Party agrees that it shall comply with the laws of the State of Vermont with respect to the appropriate classification of its workers and service providers as “employees” and “independent contractors” for all purposes, to include for purposes related to unemployment compensation insurance and workers compensation coverage, and proper payment and reporting of wages. Party agrees to ensure that all of its subcontractors or sub-grantees also remain in legal compliance as to the appropriate classification of “workers” and “independent contractors” relating to unemployment compensation insurance and workers compensation coverage, and proper payment and reporting of wages. Party will on request provide to the Agency of Human Services information pertaining to the classification of its employees to include the basis for the classification. Failure to comply with these obligations may result in termination of this Agreement.

7. Data Protection and Privacy:

Protected Health Information: Party shall maintain the privacy and security of all individually identifiable health information acquired by or provided to it as a part of the performance of this Agreement. Party shall follow federal and state law relating to privacy and security of individually identifiable health information as applicable, including the Health Insurance Portability and Accountability Act (HIPAA) and its federal regulations.


Substance Abuse Treatment Information: Substance abuse treatment information shall be maintained in compliance with 42 C.F.R. Part 2 if the Party or subcontractor(s) are Part 2 covered programs, or if substance abuse treatment information is received from a Part 2 covered program by the Party or subcontractor(s). Protection of Personal Information: Party agrees to comply with all applicable state and federal statutes to assure protection and security of personal information, or of any personally identifiable information (PII), including the Security Breach Notice Act, 9 V.S.A. § 2435, the Social Security Number Protection Act, 9 V.S.A. § 2440, the Document Safe Destruction Act, 9 V.S.A. § 2445 and 45 CFR 155.260. As used here, PII shall include any information, in any medium, including electronic, which can be used to distinguish or trace an individual’s identity, such as his/her name, social security number, biometric records, etc., either alone or when combined with any other personal or identifiable information that is linked or linkable to a specific person, such as date and place or birth, mother’s maiden name, etc. Other Confidential Consumer Information: Party agrees to comply with the requirements of AHS Rule No. 08-048 concerning access to and uses of personal information relating to any beneficiary or recipient of goods, services or other forms of support. Party further agrees to comply with any applicable Vermont State Statute and other regulations respecting the right to individual privacy. Party shall ensure that all of its employees, subcontractors and other service providers performing services under this agreement understand and preserve the sensitive, confidential and non-public nature of information to which they may have access. Data Breaches: Party shall report to AHS, though its Chief Information Officer (CIO), any impermissible use or disclosure that compromises the security, confidentiality or privacy of any form of protected personal information identified above within 24 hours of the discovery of the breach. Party shall in addition comply with any other data breach notification requirements required under federal or state law.

8. Abuse and Neglect of Children and Vulnerable Adults: Abuse Registry. Party agrees not to employ any individual, to use any volunteer or other service provider, or to otherwise provide reimbursement to any individual who in the performance of services connected with this agreement provides care, custody, treatment, transportation, or supervision to children or to vulnerable adults if there has been a substantiation of abuse or neglect or exploitation involving that individual. Party is responsible for confirming as to each individual having such contact with children or vulnerable adults the non-existence of a substantiated allegation of abuse, neglect or exploitation by verifying that fact though (a) as to vulnerable adults, the Adult Abuse Registry maintained by the Department of Disabilities, Aging and Independent Living and (b) as to children, the Central Child Protection Registry (unless the Party holds a valid child care license or registration from the Division of Child Development, Department for Children and Families). See 33 V.S.A. §4919(a)(3) and 33 V.S.A. §6911(c)(3). Reporting of Abuse, Neglect, or Exploitation. Consistent with provisions of 33 V.S.A. §4913(a) and §6903, Party and any of its agents or employees who, in the performance of services connected with this agreement, (a) is a caregiver or has any other contact with clients and (b) has reasonable cause to believe that a child or vulnerable adult has been abused or neglected as defined in Chapter 49 or abused, neglected, or exploited as defined in Chapter 69


of Title 33 V.S.A. shall: as to children, make a report containing the information required by 33 V.S.A. §4914 to the Commissioner of the Department for Children and Families within 24 hours; or, as to a vulnerable adult, make a report containing the information required by 33 V.S.A. §6904 to the Division of Licensing and Protection at the Department of Disabilities, Aging, and Independent Living within 48 hours. Party will ensure that its agents or employees receive training on the reporting of abuse or neglect to children and abuse, neglect or exploitation of vulnerable adults.

9. Information Technology Systems:

Computing and Communication: Party shall select, in consultation with the Agency of Human Services’ Information Technology unit, one of the approved methods for secure access to the State’s systems and data, if required. Approved methods are based on the type of work performed by the Party as part of this agreement. Options include, but are not limited to:

1. Party’s provision of certified computing equipment, peripherals and mobile devices, on a separate Party’s network with separate internet access. The Agency of Human Services’ accounts may or may not be provided.

2. State supplied and managed equipment and accounts to access state applications and data, including State issued active directory accounts and application specific accounts, which follow the National Institutes of Standards and Technology (NIST) security and the Health Insurance Portability & Accountability Act (HIPAA) standards.

Intellectual Property/Work Product Ownership: All data, technical information, materials first gathered, originated, developed, prepared, or obtained as a condition of this agreement and used in the performance of this agreement -- including, but not limited to all reports, surveys, plans, charts, literature, brochures, mailings, recordings (video or audio), pictures, drawings, analyses, graphic representations, software computer programs and accompanying documentation and printouts, notes and memoranda, written procedures and documents, which are prepared for or obtained specifically for this agreement, or are a result of the services required under this grant -- shall be considered "work for hire" and remain the property of the State of Vermont, regardless of the state of completion unless otherwise specified in this agreement. Such items shall be delivered to the State of Vermont upon 30-days notice by the State. With respect to software computer programs and / or source codes first developed for the State, all the work shall be considered "work for hire,” i.e., the State, not the Party (or subcontractor or sub-grantee), shall have full and complete ownership of all software computer programs, documentation and/or source codes developed.

Party shall not sell or copyright a work product or item produced under this agreement without

explicit permission from the State of Vermont. If Party is operating a system or application on behalf of the State of Vermont, Party shall not

make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Party’s materials.


Party acknowledges and agrees that should this agreement be in support of the State's implementation of the Patient Protection and Affordable Care Act of 2010, Party is subject to the certain property rights provisions of the Code of Federal Regulations and a Grant from the Department of Health and Human Services, Centers for Medicare & Medicaid Services. Such agreement will be subject to, and incorporates here by reference, 45 CFR 74.36, 45 CFR 92.34 and 45 CFR 95.617 governing rights to intangible property.

Security and Data Transfers: Party shall comply with all applicable State and Agency of Human Services' policies and standards, especially those related to privacy and security. The State will advise the Party of any new policies, procedures, or protocols developed during the term of this agreement as they are issued and will work with the Party to implement any required. Party will ensure the physical and data security associated with computer equipment, including desktops, notebooks, and other portable devices, used in connection with this Agreement. Party will also assure that any media or mechanism used to store or transfer data to or from the State includes industry standard security mechanisms such as continually up-to-date malware protection and encryption. Party will make every reasonable effort to ensure media or data files transferred to the State are virus and spyware free. At the conclusion of this agreement and after successful delivery of the data to the State, Party shall securely delete data (including archival backups) from Party’s equipment that contains individually identifiable records, in accordance with standards adopted by the Agency of Human Services. Party, in the event of a data breach, shall comply with the terms of Section 7 above.

10. Other Provisions:

Environmental Tobacco Smoke. Public Law 103-227 (also known as the Pro-Children Act of 1994) and Vermont’s Act 135 (2014) (An act relating to smoking in lodging establishments, hospitals, and child care facilities, and on State lands) restrict the use of tobacco products in certain settings. Party shall ensure that no person is permitted: (i) to use tobacco products or tobacco substitutes as defined in 7 V.S.A. § 1001 on the premises, both indoor and outdoor, of any licensed child care center or afterschool program at any time; (ii) to use tobacco products or tobacco substitutes on the premises, both indoor and in any outdoor area designated for child care, health or day care services, kindergarten, pre-kindergarten, elementary, or secondary education or library services; and (iii) to use tobacco products or tobacco substitutes on the premises of a licensed or registered family child care home while children are present and in care. Party will refrain from promoting the use of tobacco products for all clients and from making tobacco products available to minors.

Failure to comply with the provisions of the federal law may result in the imposition of a civil monetary penalty of up to $1,000 for each violation and/or the imposition of an administrative compliance order on the responsible entity. The federal Pro-Children Act of 1994, however, does not apply to portions of facilities used for inpatient drug or alcohol treatment; service providers whose sole source of applicable federal funds is Medicare or Medicaid; or facilities where Women, Infants, & Children (WIC) coupons are redeemed.


2-1-1 Database: If Party provides health or human services within Vermont, or if Party provides such services near the Vermont border readily accessible to residents of Vermont, Party shall adhere to the "Inclusion/Exclusion" policy of Vermont's United Way/Vermont 211 (Vermont 211), and will provide to Vermont 211 relevant descriptive information regarding its agency, programs and/or contact information as well as accurate and up to date information to its database as requested. The “Inclusion/Exclusion” policy can be found at www.vermont211.org. Voter Registration: When designated by the Secretary of State, Party agrees to become a voter registration agency as defined by 17 V.S.A. §2103 (41), and to comply with the requirements of state and federal law pertaining to such agencies.

Drug Free Workplace Act: Party will assure a drug-free workplace in accordance with 45 CFR Part 76.

Lobbying: No federal funds under this agreement may be used to influence or attempt to influence an officer or employee of any agency, a member of Congress, an officer or employee of Congress, or an employee of a member of Congress in connection with the awarding of any federal contract, continuation, renewal, amendments other than federal appropriated funds.

AHS ATT. F 5/16/2018

http://www.vermont211.org/


APPENDIX 2 MENTAL HEALTH WORKFLOW


APPENDIX 3 – ACT 78 – 2017


APPENDIX 4 – DOC HS Policy I-02

MENTAL HEALTH UNITS


APPENDIX 5 VERMONT DOC MEDICATION-ASSISTED TREATMENT (MAT) PROGRAM

CLINICAL GUIDELINES

Written and revised by Sharif Nankoe, MD, MPA, FASAM

Treatment guidelines to not apply to all patients. Please use your clinical judgment, and always document the clinical rationale for your treatment decisions.


APPENDIX 6 MEMORANDUM OF UNDERSTANDING

VERMONT DEPARTMENT OF HEALTH (VDH) AND VERMONT DEPARTMENT OF CORRECTIONS (DOC)

Memorandum of understanding

Between

Vermont department of corrections

And

Vermont department of health


APPENDIX 7 SERIOUS FUNCTIONAL IMPARMENT (SFI) DESIGNATION

INTERIM MEMO


APPENDIX 8 DOC HS POLICY G-12

SERIOUS FUNCTIONAL IMPAIRMENT (SFI) DEISGNATION


APPENDIX 9 MOBILITY CLASSIFICATION CODES


APPENDIX 9

WOMENS HEALTH PROGRAM PART 1


APPENDIX 11

WOMENS HEALTH PROGRAM PART 2


APPENDIX 12 ACT 26

OFFENDERS WITH MENTAL ILLNESS OR OTHER FUNCTIONAL IMPAIRMENT


APPENDIX 13 VITALCORE META-REPORT


APPENDIX 14 PER INMATE PER MONTH CALCULATOR

COMPREHENSIVE HEALTH CARE INCLUDING HER


APPENDIX 15 DOC HCV AND MAT EXPENSES FY 19 – FY 20


APPENDIX 16 PAY FOR PERFORMANCE (P4P) METRICS


APPENDIX 17

PAY FOR PERFORMANCE INCENTIVE PAYMENT CALCULATOR


APPENDIX 18

FUSION EHR DELIVERABLE AND PAYMENT WORKSHEET

Exhibit C

State of Vermont Bidder Response Form

Request for Proposal Name: COMPREHENSIVE CORRECTIONAL HEALTHCARE SERVICES

STATE OF VERMONT CONTRACT #40006 Page 217 of 450

Vendor Instructions:

Provide the information requested in this form and submit it to the State of Vermont as part of your Request for Proposal (RFP) response. All answers must be provided within the form unless otherwise specified.

Important: This form must be completed and submitted in response to this RFP for your proposal to be considered valid. The submission must also include the eight (8) additional artifacts requested within this form (denoted by underlined green font).

See the RFP for full instructions for submitting a bid. Bids must be received by the due date and at the location specified on the cover page of the RFP.

Direct any questions you have concerning this form or the RFP to:

Stephen Fazekas, Technology Procurement Administrator State of Vermont

Office of Purchasing & Contracting 109 State Street

Montpelier VT 05609-3001 E-mail Address: [email protected]



Part 1: VENDOR PROFILE

1. Complete the table below.

Item Detail

Company Name: Fusion Capital Management, LLC d.b.a. Fusion

Physical Address: 10 Woodbridge Center Drive, Suite 1010 Woodbridge, NJ

Postal Address: N/A

Business Website: www.FusionMGT.com

Type of Entity (Legal Status): Limited Liability Company

Primary Contact: Michael Jakovcic

Title: EVP of Business Development

Email Address: [email protected]

Phone Number: 732-218-5705

Fax Number: 732-218-5769

2. Provide a brief overview of your company including number of years in business, number of employees, nature of business, anddescription of clients. Identify any parent corporation and/or subsidiaries.

Fusion was founded in 2006 as a Health Information Technology (HIT) consulting firm specializing in the procurement, implementation and project management of Electronic Health Records (EHRs) within the Department of Corrections. Our ability to seamlessly identify solutions for our client and actually provide those solutions earned us the reputation of being able to provide a full-service solution within the time frame needed and within budget. As more and more Correctional Health facilities began adopting Electronic Health Records (EHRs), Fusion became the consulting firm of choice in assisting numerous County, City, and State Correctional Health Agencies in the selection and implementation of these EHR’s.

After being hands-on with nearly every EHR system over the past decade, Fusion took their expertise and knowledge of the Correctional Health industry and



coupled it with the most flexible, robust, and configurable EHR system for Correctional Health – Centricity Electronic Health Record System. Realizing the potential and hoping to make a lasting impact, Fusion partnered to become an authorized value-added reseller (VAR) of Centricity EHR software and the company began to take shape. And today, the legacy continues with each new client who joins Fusion’s consortium. In Layman’s terms, we take our consulting background and use our know-how in every implementation of Centricity.

We hire the best-of-the-best to keep doing what we do best – Centricity EHR consulting, implementations, configurations, training, and support. Our colleagues are among the most experienced, most knowledgeable and most innovative in the industry. We are out-of-the-box thinkers. We have worked our way up through the ranks to the most senior levels of the Correctional Healthcare industry. This unique perspective translates into an intimate understanding of how the Correctional Healthcare works – and doesn’t. We understand the challenges and constraints our customers face. We stay ahead of healthcare rules, trends and changes, new initiatives, and business opportunities to keep our customers informed. We have the relationships which give us national reach.

Centricity is utilized by seven (7) State Department of Corrections agencies and manages over 250,000 offenders in over 200 correctional and juvenile justice institutions throughout the country, making Fusion the largest EHR vendor for State DOC agencies in the United States. Centricity allows our clients to receive the value of more efficient operations, improved service, and an enhanced work environment. Our focus is on providing clinicians with products that deliver higher quality of care at lower costs. Our service offerings help to strengthen our client’s healthcare delivery, which in turn helps them build and maintain leading positions within their own markets, particularly in corrections and juvenile justice. Unlike other vendors, Fusion is positioned to offer significant advantages in meeting your requirements for EHR software, services and support. With our vast experience implementing, training and supporting Centricity within the correctional health industry throughout the US, we are prepared to offer VTDOC a complete level of knowledge, commitment and expertise that will exceed your expectations. For nearly 15 years, Fusion has been delivering EHR solutions nationwide to agencies like VTDOC that meet NCCHC & ACA accreditation requirements.

Fusion will dedicate a team of about twenty-five (25) employees consisting of Centricity EHR implementation, training, and support specialists and as well as multiple employees who specialize in correctional health consulting. Additionally, we have a network of consultants nationwide who subcontract through Fusion on larger scale and/or super-specialty projects as well as access to Centricity EHR specialist staff for overflow work. For this project, Fusion intends to provide all services and support in-house.

Fusion approaches every project with a partnership mentality, working in conjunction with the client to ensure that the EHR is implemented on time, on budget and complete. Unlike any other vendor, Fusion intimately understands what it takes to get an EHR system live at correctional health facilities. Fusion leverages its extensive knowledge of the EHR and Correctional Health space and will collaborate with VTDOC to ensure that the system truly meets their workflow both now and for the future. Our SMEs come with years of experience to be much more than ‘yes-folks’ when it comes to clinical content development and overall implementation and go-live of Centricity. Fusion will leverage its knowledge and experience of how things are done throughout the country to provide VTDOC with proven options and alternatives throughout the implementation.

Fusion is dedicated to seeing the successful implementation of Centricity at Vermont Department of Corrections. Our team is highly experienced and knowledgeable in all functional aspects of correctional health-specific clinical delivery and electronic clinical documentation and workflow processes, which a company only like Fusion can provide. We have developed a systematic process to ensure that Fusion provides VTDOC with the right number of people


with the right skills to fulfill the EHR implementation. We use a Responsibility Assignment Matrix for all of our projects, which details the nature of responsibility assignments for project staff as they relate to key activities and deliverables.

3. Is your organization currently or has it previously provided solutions and/or services to any agency or entity of the Vermont State government? If so, name the State entity, the solution and/or services provided, and the dates.

Centricity has over 6,000 total client installations across the country. These clients include numerous County, City and State Department of Corrections, Department of Juvenile Justice, and Public Health Departments, Community Health Centers, Federally Qualified Health Centers, among others. In the State of Vermont, Centricity EHR is being utilized by multiple Community Health Centers and Federally Qualified Health Center’s including:

- Southwestern Vermont Health Care & Medical Center - Northern Counties Health Care - The Health Center

Outside of Vermont, Centricity is utilized by seven (7) State Department of Corrections agencies and manages over 250,000 offenders in over 200 correctional facilities throughout the country. Not only are we the largest EHR vendor for State DOCs and DJJs, we are also the industry leader in the replacement of legacy EHR systems for State DOCs and DJJ’s across the country. Over the past three years alone, we have a 100% RFP win rate and have contracted and implemented three State DOCs. Also, Centricity is currently being utilized by two State DOC’s (CTDOC & RIDOC) that are Unified Prison and Jail system’s similarly to VTDOC.

4. Provide a Financial Statement* for your company and label it Attachment #1. A confidentiality statement may be included if this financial information is considered non-public information. This requirement can be filled by:

� A current Dun and Bradstreet Report that includes a financial analysis of the firm; � An Annual Report if it contains (at a minimum) a Compiled Income Statement and Balance Sheet verified by a

Certified Public Accounting firm; or � Tax returns and financial statements including income statements and balance sheets for the most recent 3 years, and any

available credit reports.

*Some types of procurements may require bidders to provide additional or specific financial information. Any such additional requirements will be clearly identified and explained within the RFP, and may include supplemental forms in addition to this Bidder Response Form.

Please refer to Exhibit C - Attachment #1 for Fusion’s Financial Statement.


5. Disclose any judgments, pending or expected litigation, or other real potential financial reversals, which might materially affect the viability or stability of your company or indicate below that no such condition is known to exist.

No previous judgments or litigation, or real potential financial reversals are pending, expected, or, to the knowledge of offeror, threatened against or affecting offeror in connection with any of the transactions contemplated by this request for proposal (RFP) or any other agreement to which offeror is or is to become a party or that would, to offeror's knowledge, have a material adverse effect on offeror's business considered as a whole. 6. Provide a list of three references similar in size and industry (preferably another governmental entity). References shall be clients

who have implemented your Solution within the past 48 months.

Reference 1 Detail

Reference Company Name: Rhode Island Department of Corrections

Company Address: 18 Wilma Schesler Lane, Cranston, Rhode Island 02920

Type of Industry: Government / Department of Corrections

Contact Name: Pauline Marcussen, Associate Director – Healthcare Services

Contact Phone Number: 401.462.3880

Contact Email Address: [email protected]

Description of system(s) implemented:

Implemented Centricity EHR inclusive of eMAR, Dental, Group Notes, Orders Manager, Infirmary/BedBoard, eSigntature, and Document Scanning Software. Project details include: Business requirements gathering, replaced NextGen EHR, Developed OMS, Lab and Pharmacy interfaces, created custom forms and reports, provided comprehensive training and go-live services and support over a 3-week period.

Date of Implementation: 11/2017


Reference 2 Detail

Reference Company Name: Connecticut Department of Corrections

Company Address: 24 Wolcott Hill Road, Wethersfield, Connecticut 06109

Type of Industry: [industry type: e.g., government, telecommunications, etc.]

Contact Name: Government / Department of Corrections

Contact Phone Number: Kirsten Shea, Project Manager



Implemented Centricity EHR inclusive of eMAR, Dental, Group Notes, Orders Manager, Infirmary/BedBoard, eSigntature, and Document Scanning Software. Project details include: Business requirements gathering, developed OMS, Lab and Pharmacy interfaces, integration with the States HIE platform, created custom forms and reports, provided comprehensive training and go-live services and support over a 4-week period.


Reference 3 Detail

Reference Company Name: Bergen County Corrections

Company Address: 160 S. River Street, Hackensack, NJ 07601

Type of Industry: Government / Department of Corrections

Contact Name: Patrick Hughes, Mental Health Director

Contact Phone Number: 201.336.3577



Implemented Centricity EHR inclusive of eMAR, Dental, Group Notes, Orders Manager, Infirmary/BedBoard, eSigntature, and Document Scanning Software. Project details include: Business requirements gathering, developed OMS, Lab and Pharmacy interfaces, created custom forms and reports, provided comprehensive training and go-live services and support over a 2-week period.



PART 2: VENDOR PROPOSAL/SOLUTION

1. Provide a description of the technology solution you are proposing.

Centricity is a fully integrated, all-in-one EHR system inclusive of medical, behavioral health, dental, electronic medication administration capabilities and numerous other clinical documentation tools. The system supports a variety of services including but not limited to medical Services, ambulatory care units, dental Services, mental health Services, as well as telemedicine functionality. Centricity has been at the forefront of Electronic Health Records for nearly two decades in the correctional health setting. Centricity offers the DOC a cost-effective, flexible Commercial-Off-The-Shelf (“COTS”) solution in compliance with Centers for Medicare and Medicaid Services (“CMS”) regulations, the Health Information Portability and Accountability Act (“HIPAA”), ICD-10 and is a Certified Electronic Health Record Technology (CEHRT) as defined by the Office of the National Coordinator for Health Information Technology (ONC) compatible to meet and exceed Vermont Department of Corrections’ goals and the functional requirements detailed in this RFP. Through the implementation of Centricity, DOC will enhance the quality of Medical, Dental, Mental Health, Nursing, Dietary, Rehabilitation, Orthopedic, Urology, Gastroenterology, General Surgery Clinic, Ophthalmology, Pain Management, Emergency Medical Services, Primary Care Services, Pharmaceutical, Laboratory, Radiology, Administrative Services, and more. Centricity is the EHR system the DOC needs to make day-to-day operations easier and efficient. The design of Centricity will dramatically increase your organization’s efficiencies for your inpatient and outpatient services, including but not limited to annual exams/initial intake screenings, clinic visits, chronic disease monitoring, telemedicine, vaccine records, sick call triage, medication administration, mental health and discharge planning for inmates. It also possesses a robust reporting environment that provides real time data to enable effective decision making through the integration with third party systems. There is no other corrections-centric EHR system which can support the quality of care to inmates like Centricity. Being an all-in-one solution for Vermont DOC, Centricity provides you with an EHR that will help your organization:

• Improve quality of care • Improve the coordination of care by enhancing interoperability among internal business units and external partners in care • Increase health care staff productivity • Decrease administrative expenses • Provide effective discharge planning • Assist enrolling discharging patients into benefit programs • Permit emergency management tracking of patients • Streamline and standardize workflow between sites and specialties • Maximize the integration of primary and behavioral health care • Improve patient safety and operations efficiency • Implement a quality assurance and continuous improvement program


• Reduce errors, redundant or unnecessary tests and medications • Improve management of chronic care conditions and communications within health care units • Comply with Local, State and Federal health care regulations • Ensure timely access to healthcare services • Establish an Inmate Medical Program addressing the full continuum of health care services • Be completely paperless/electronic organization

2. Provide a description of the capabilities of the technology solution you are proposing.

Centricity is a fully integrated, all-in-one EHR system inclusive of medical, behavioral health, dental, electronic medication administration capabilities and numerous other clinical documentation tools. The system supports a variety of services including but not limited to medical Services, ambulatory care units, dental Services, mental health Services, as well as telemedicine functionality. Centricity has been at the forefront of Electronic Health Records for nearly two decades in the correctional health setting. The design of Centricity supports VTDOC goals and enables the organization to achieve its objectives. Centricity will dramatically increase your organization’s efficiencies for your inpatient and outpatient services, including but not limited to annual exams/initial intake screenings, clinic visits, chronic disease monitoring, telemedicine, vaccine records, sick call triage, medication administration, mental health and discharge planning for inmates. It also possesses a robust reporting environment that provides real time data to enable effective decision making through the integration with third party systems. There is no other corrections-centric EHR system which can support the quality of care to inmates like Centricity. Being an all-in-one solution for VTDOC, Centricity will help meet and exceed your organization’s goals and requirements by providing you with an EHR that will help your organization achieve the following goals:

• Replace the existing electronic-based health record system; • Implement a comprehensive-corrections specific EHR system that will address the full continuum of prison health care services to include practice

management and electronic medication administration delivery; • Improve quality of care; • Increase patient safety; • Increase health care staff productivity; • Decrease administrative expenses; • Provide effective discharge planning; • Integrate with providers in the community to share information; • Assist enrolling discharging inmates into benefit programs; and • Permit emergency management tracking of patients.


Centricity is a fully integrated, one-for-all EHR system inclusive of medical, behavioral health, dental, pharmacy and numerous other clinical documentation tools. Centricity meets VTDOC’s requirements in that Centricity encompasses primary, specialty and clinic scheduling capabilities with a core set of functions that allow for:

• System integration with current Offender Management System and other third-party vendors • User friendly record search, retrieval, and display • Compliance with National Commission on Correctional Health Care Standards and best practice delivery • Electronic Clinical documentation • Electronic medication management and administration system • Scheduling system • Standard and ad hoc reports • Queries • Scanning and storing files • Interface functionality with current vendors • Medical encounters that are pharmacological and non-pharmacological • Support testing in a fully duplicated environment • Support and provide training for identified personnel

As VTDOC will notice throughout our response, Fusion is best-suited for this project and will work with VTDOC’s project management personnel to get all goals and objectives completed on time and within budget. Fusion has the appropriate technical, functional and project management staff available to manage implementation of this project. There is no other corrections-centric EHR system which can support the quality of care to inmates like Centricity.


3. If a proprietary software is being proposed, provide a description of the: A. Standard features and functions of the software: B. The software licensing requirements for the solution: C. The standard performance levels:

� Hours of system availability: � System response time: � Maximum number of concurrent users: � Other relevant performance level information:

Centricity is a fully integrated, one-for-all EHR system inclusive of medical, behavioral health, dental, optometry, electronic medication administration capabilities and numerous other clinical documentation tools that offers you a cost-effective, flexible Commercial-Off-The-Shelf (“COTS”) solution in compliance with Centers for Medicare and Medicaid Services (“CMS”) regulations, the Health Information Portability and Accountability Act (“HIPAA”), ICD-10 and is compatible to meet and exceed VTDOC’s goals and the functional requirements detailed in this RFP. Centricity is also a Certified Electronic Health Record Technology (CEHRT) 2015 as defined by the Office of the National Coordinator for Health Information Technology (ONC). Centricity is the EHR system VTDOC needs to make day-to-day operations easier and more efficient. There is no other corrections-centric EHR system which can support the quality of care to offenders like Centricity.

4. Give a brief description of the evolution of the system/software solution you are proposing. Include the date of the first installed site

and major developments which have occurred (e.g. new versions, new modules, specific features).

2002Centricity EHR installed at first

State Department of Corrections Agency

(New Jersey)

2006Version

9.0 released

2010Version

10 released

2012Version

11 released

2014Version

12 Released

2014eMAR and

Dental Developed

2015 Orders

Manager, Trreatment Planner and eSignature Developed

2016 EPCS,

GroupNotes and BedBoard

Developed

Fusion becomes

largest EHR vendor for

State DOCs

2017 HospitalConnect

Developed

Fusion recieves INC 5000 Award.

2018 Compliance

Manager Developed.

Fusion recieves INC 5000 Award.


5. List the total number of installations in the last 3 years by the year of installation.

Within the past three years alone we have implemented Centricity in over 70 facilities throughout the country. In addition, we have had a 100% RFP win rate and have contracted and implemented three State DOCs, two of which included migrating from their legacy EHR solution.

6. Provide the total number of current users for the proposed system and indicate what version they are using. Centricity has over 6,000 total client installations across the country. These clients include numerous County and State Department of Corrections, Juvenile Justice Agencies, and Department of Health agencies, among other large institutions with multiple clinics. In the corrections industry, Centricity manages over 250,000 offenders in over 200 correctional facilities throughout the US. Not only are we the largest EHR vendor for State DOCs and DJJs, we are also the industry leader in the replacement of legacy EHR systems for State DOCs and DJJ’s across the country. All Centricity users in the corrections industry are on the latest version of Centricity.

7. Have you implemented the proposed solution for other government entities? If so, tell us who, when, and how that implementation went? Centricity is utilized by seven (7) State Department of Corrections agencies and manages over 250,000 offenders in over 200 correctional and juvenile justice institutions throughout the country, making Fusion the largest EHR vendor for State DOC agencies in the United States. Centricity allows our clients to receive the value of more efficient operations, improved service, and an enhanced work environment. Our focus is on providing clinicians with products that deliver higher quality of care at lower costs. Our service offerings help to strengthen our client’s healthcare delivery, which in turn helps them build and maintain leading positions within their own markets, particularly in corrections and juvenile justice. Unlike other vendors, Fusion is positioned to offer significant advantages in meeting your requirements for EHR software, services and support. With our vast experience implementing, training and supporting Centricity within the correctional health industry throughout the US, we are prepared to offer VTDOC a complete level of knowledge, commitment and expertise that will exceed your expectations. For nearly 15 years, Fusion has been delivering EHR solutions nationwide to agencies like VTDOC that meet NCCHC & ACA accreditation requirements. Below is a sample list of Fusions current State client list as well as a case study from the Connecticut Department of Corrections a Unified Prison and Jail system.

DOC Agency Approximate ADP Ohio Department of Rehabilitation and Corrections 50,000

Mississippi Department of Corrections 30,000 New Jersey Department of Corrections 23,000

Connecticut Department of Corrections (Unified County/State DOC) 17,000 Louisiana Department of Corrections 16,000

Rhode Island Department of Corrections (Unified County/State DOC) 4,000 Washington DC Department of Corrections 3,000

Colorado Department of Juvenile Justice 600 Connecticut Department of Juvenile Justice 500


Washington DC Department of Youth and Rehabilitation Services 400

Connecticut DOC Overview The Connecticut Department of Correction (DOC) chose Fusion to provide Centricity, a Health Information Exchange (HIE) and provider portal to serve the state’s correctional facilities. Centricity was chosen to convert the current system of handwritten documentation on hard copy (paper) records to an integrated EHR to be used by internal and external DOC customers. With Centricity, the DOC will improve the quality, timeliness and effectiveness of offender care by providing real time access to comprehensive clinical information wherever and whenever needed.

UCHC/CMHC Overview The University of Connecticut Health Center (UCHC) provides comprehensive health care services to offenders under the jurisdiction of the DOC. Correctional Managed Health Care (CMHC) is a division of UCHC, and oversees the implementation and management of health services for the DOC. Health services include medical, mental health, dental, nursing, substance abuse intervention and pharmaceutical services. As of July, 2013, services were provided by 748 full-time equivalent staff to a population of 16,986 incarcerated inmates and approximately 1,000 inmates residing in halfway houses. CMHC is the largest state staff model health maintenance organization in New England. The majority of care is provided at the correctional facilities. University of Connecticut’s John Dempsey Hospital (John Dempsey) provides additional inpatient and outpatient services as required. John Dempsey has a 10 bed inpatient unit for those in DOC custody; however, emergency care or specialty services are provided when needed at other hospitals and facilities across the state. The DOC works closely with CMHC to develop and administer programs that improve inmate health and develop skills to maintain health upon release. Examples include smoking cessation, methadone maintenance and substance abuse. In addition, DOC monitors and oversees the care provided by CMHC. Organizational Structure Health care includes global medical, mental health, pharmacy, and dental services. Services are provided at 17 DOC facilities statewide. Healthcare is also currently provided for approximately 1000 inmates residing at 42 DOC-contracted halfway houses and at John Dempsey, one facility for women prisoners (York), and one for youth offenders (Manson).

Connecticut is one of six states with an integrated jail and prison system. Jails have a high inmate admission and discharge rate, and present distinct management and clinical challenges. The Hartford jail averages over 35 intakes every night. Statewide, each of the 24,936 annual admissions requires a medical and mental health intake health screening. Generally, one out of five requires prompt medical or mental health intervention. The only population with a constitutional right to healthcare (general medical and mental health) is incarcerated offenders, whether sentenced or unsentenced. These rights include access to professional medical care equivalent to the community standard. In Connecticut, there are court orders, consent decrees and settlement agreements that focus on HIV/AIDS, mental health, and timely general medical care.

The facilities are divided into 10 functional units. Each functional unit has a Health Services Administrator responsible for the operations at one or more facilities. Each facility is staffed with nursing, medical, mental health, and dental employees which may be assigned anywhere within a functional unit as


needed. Clinical direction is provided by a Statewide Director of Medical Services, Director of Nursing and Patient Care Services and Director of Mental Health Services and Psychiatric Care. Pharmacy Services are provided by a dedicated Correctional Managed Health Care pharmacy unit. Scope of Services The DOC chose Fusion to provide Centricity EHR and a HIE solution designed to support medical, dental, behavioral health and addiction services for 17,000 inmates. Centricity is certified by the ONC-Authorized Certification Body under the 2014 edition standards and this is extremely important since Connecticut DOC intends to participate in the Medicaid EHR Incentive Program for Eligible Providers. The project is being completed in two phases: Phase 1 includes the implementation of the EHR across all DOC facilities, including:

• Registration and appointment scheduling • Electronic support for care provided within the facilities, including medical, dental, mental health, addiction services, women’s health and

adolescent medicine. • Case management and discharge planning (re-entry services) • Real-time integration with all CMHC and UCHC systems that are used to care for offenders including but not limited to pharmacy, lab,

radiology and ambulatory EHR • Integration with DOC information systems, including but not limited to the Offender Management Information System (OMIS). • Ability to financially value the services provided to the inmate population. • Clinical and administrative reporting that meets the needs of CMHC and DOC; extract of data to meet additional reporting needs • Backload of electronic data from existing systems • Scanning of paper records into the electronic system. • HIPAA-compliant Electronic data interchange with our ASO (Administrative Services Organization) for utilization review and management as

well as other external Contractors Phase 2 of the project involves the implementation of the health information exchange including:

• Integration of patient-related state systems including but not limited to those used at DSS and DMHAS • Real-time interoperability/electronic exchange of clinical information with care partners in the community including but not limited to FQHCs

(Federally Qualified Health Centers) and hospitals, customized to meet the specialized needs of the Correction environment. • Web-based portal that provides community partners with access to information in the DOC EHR. • Cross-population disease management • Integration in to the Connecticut Health Information Exchange and other information exchanges.

8. Provide a Road Map that outlines the company’s short term and long-term goals for the proposed solution/software and label it Attachment #2.

Please refer to Exhibit C - Attachment #2 for Fusion’s Road Map that outlines the company’s short term and long term goals.

9. Provide a PowerPoint (minimum of 1 slide and maximum of 10 slides) that provides an Executive level summary of your proposal to the


State. Label it Attachment #3.

Please refer to Exhibit C - Attachment #3 for Fusion’s PowerPoint that provides an Executive Level Summary of the Proposal.

10. Does your proposed solution include any warranties? If so, describe them and provide the warranty periods.

This document provides an overview of the ‘scope of services’ provided under the annual maintenance and support services provided by Fusion to its EHR system. This is not a definitive list, any and all maintenance and support requests will be received, interpreted, and resolved on a case by case basis by Fusion. Any item not specifically addressed herein should be brought to Fusion’s attention so that it can be reconciled with client accordingly. What is Covered?

1. System Configuration & Management. a. Monthly installation of ICD and KnowledgeBase Updates. b. Installation of Centricity Service Packs (as made available) c. Resolution of ICD, Knowledgebase and Version Upgrade Failures. d. Management of the Server Environment e. Management of the Database Environment. f. Restart JBOSS Service on Failure g. Restart eMAR Service on Failure.

2. System Usage. a. Provide Tier 2 and Tier 3 level support. b. Access to Centricity Healthcare Learning System (HLS)/Computer Based Training (CBT) Portal for ALL Users.

3. Interfaces. a. Interfaces not importing after restarting DTS and after contacting direct vendor sending source data does not resolve issue b. Mitigation and correction of wide-spread interface issue, to the extent it is directly resulting from Fusion.

4. Computers and Peripherals. a. None. Client is responsible for its own equipment utilized to access EHR.

5. Clinical Content. a. Material defects and errors in clinical forms. Ex: Functionality breakage & misspelling. b. Access, when requested, to Fusion’s stock correctional Clinical Content. (Does not include training or additional

customization/implementation of selected forms). c. Updates to stock correctional clinical content as they are made available by Fusion across its client base from time to time.

6. Reports & Inquiries. a. Modify reports where approved logic is broken; must be vetted first that reporting ‘error’ in production report is not originating from system

user error.


Representation and Warranties Fusion’s standard representation and warranties is as follows: 1. Each Party represents, warrants, and covenants to the other Party that:

(a) it is duly organized, validly existing and in good standing as a corporation or other entity under the Laws of the jurisdiction of its incorporation or other organization; (b) it has the full right, power and authority to enter into and perform its obligations and grant the rights, licenses and authorizations it grants and is required to grant under this Agreement; (c) the execution of this Agreement by its representative whose signature is set forth at the end of this Agreement has been duly authorized by all necessary corporate or organizational action of such Party; and (d) when executed and delivered by both Parties, this Agreement will constitute the legal, valid and binding obligation of such Party, enforceable against such Party in accordance with its terms.

2. Limited Warranty. Subject to the limitations and conditions set forth in this Agreement, Licensor warrants to Licensee that for a period of twelve (12) months from Go-Live date of installation of the Licensed Software (the "Warranty Period"):

(a) the Licensed Software will conform in all material respects to the specifications set forth in the Documentation, when installed, operated and used as recommended in the Documentation and in accordance with this Agreement; (b) the Documentation will include the specifications necessary to install, operate and use the Licensed Software as intended; and (c) any media on which Licensor supplies the Licensed Software to Licensee will be free of material damage and defects in materials and workmanship under normal use.

11. Describe any infrastructure, equipment, network or hardware required to implement and/or run the solution.

Please review the table below for the Minimum and Recommended Hardware for Centricity EHR:

Resource Minimum Recommended Form Factor Preference

In Order: Desktop, Laptop, Tablet In Order: Desktop, Laptop, Tablet

CPU Single dual core 3 Ghz or faster (Pentium 4th Generation Intel i-3 or

better)

Single dual core 3 Ghz or faster (Pentium 6th Generation Intel i-5 or

better) RAM 4GB 8GB OS Windows 7, Windows 8, Windows 10

32 or 64 Bit Operating System Windows 7, Windows 8, Windows 10

32 or 64 Bit Operating System Network 100Mbps 1Gbps


Browser Internet Explorer 11 Internet Explorer 11 Storage SATA with 5GB available space SSD Hard drive with 50GB available

space Monitor 19” Color SVGA with 1600 x 900 or

better resolution 23” Color LED with 1920 x 1080 or better

resolution

12. What is your recommended way to host this solution?

Fusion offers the flexibility of remotely hosting Centricity in our data centers. Hosting allows you to enjoy the benefits of Centricity without having to install, configure, and maintain an internal server. Our hosting option also gives you the ability to move the system in-house at a future point based on your business needs. Our Tier III Data Center, located in Philadelphia, PA is our primary ASP hosting site. We also use our backup Data Centers strategically located in low-threat areas throughout the continental United States. The data centers all are SSAE-18 audited and are ISO22301, SOC-2, PCI DSS and HIPAA compliant, among others. For nearly a decade, Fusion has been offering Centricity as a hosted solution to its clients. With Fusion’s Hosting Services, Fusion takes responsibility for resource-intensive IT management tasks, so you can focus on your clinical mission – not your technology.

Comparison: Fusion Hosting Services and the Traditional IT Model Task Who Manages It

Fusion Hosting Services Traditional IT Model Ownership of Centricity licenses Client Client Ownership of clinical data Client Client Ownership and management of workstations and peripherals Client Client

Customization of clinical content Client Client Client VPN for connectivity to Centricity Client Client (optional) Provisioning of server infrastructure, backups and recovery Fusion Client

Staffing to manage server infrastructure, backups and recovery Fusion Client

Secured data center Fusion Client Implementation of upgrades/patches Fusion Client Fusion implementation services Fusion Fusion


Fusion’s Hosting Services comply with all of the requirements in this section. Our hosting services enable Correctional Agencies to leverage the full capabilities of Centricity, without the additional up-front capital costs and management associated with a traditional IT system. Fusion’s Hosting Services for Centricity offer an economical way to access integrated applications, customizable workflows, and a fully-managed infrastructure serviced by Fusion. Fusion offers the flexibility of remotely hosting Centricity in our data centers. Hosting allows you to enjoy the benefits of Centricity without having to install, configure, and maintain an internal server. Our hosting option also gives you the ability to move the system in-house at a future point based on your business needs. Our Tier III Data Center, located in Philadelphia, PA is our primary ASP hosting site. We also use our Level 1 Data Centers in Chicago, IL and Milwaukee, WI. The data centers are SSAE-16 audited. Centricity leverages industry-standard license(s) of Microsoft SQL Server Enterprise for the flexibility of the vast array of SQL Server disaster recovery performance tuning tools available in the IT industry. As a result, the industry best practice data loss prevention and recovery solutions will apply to Centricity’s product line. Daily full, incremental, differential and transaction log backups are available along with clustered databases hot and warm failover server solutions for full high-availability capabilities.


Extensive internal monitoring systems are in place to ensure the critical uptimes and system health imperative of an offender care environment. Centricity also has network monitoring with Orion & HP Network Node Manager (NNMi).

During a service impacting event (decreased functionality or outage), the Fusion command center will manage the internal communication. A change or problem manager will be brought in to document the issue, pull in any necessary resources from the extended teams, and authorize any emergency change control approvals. The escalation path for the Hosting team is as follows:

• Engineer will contact Hosting Support Manager. • Hosting Support Manager will contact Hosting Leader. • Communication will be sent to internal teams and client with status updates detailing the current status, next steps, and timeline. • Once the root cause is identified and service is returned to fully functional, the Incident Manager will schedule any necessary calls to close the incident

and identify/document corrective action.

Fusion has implemented transactional and server monitoring via the HP Business Service Management application. The application is monitored 24x7x365 by the command center team. Output of the Fusion monitoring allows Fusion to plan capacity management. We’ve implemented a Capacity Management Plan which is reviewed on a monthly basis with the appropriate support teams.


13. Describe how your solution can be integrated to other applications and if you offer a standard-based interface to enable integrations.

Integration and coexistence with other computer systems is an integral part of every Centricity installation. As such, we are committed to the delivery of the products and services required for the effective deployment of fully functional interfaces. This is accomplished through a combination of:

1. Excellence in product functionality and continued development 2. Adherence to interface standards 3. Provision of the services and tools required to implement interfaces 4. Partnerships with other information system vendors

Results are processed and automatically matched back to the offender using the OffenderID. As part of the interface development, Fusion will identify both inbound and outbound data elements to be extracted. Centricity’s LinkLogic interface engine can exchange any set of data required and have successfully done so for each and every one of our clients regardless if a COTS OMS system was used or if it was developed as a home-grown solution internally. Fusion will develop specific interfaces to external systems as part of this project. Several interfaces for this project have already been developed, and for those that haven’t, Fusion will configure, code, and test all application, application extensions, data conversion, and data acquisition/interfaces once agreed upon between both Fusion and VT DOC. Fusion understands that VT DOC would like for the following interfaces to be developed, as stated in the RFP:

• JailTracker/Harris (Offender Management System)- accepting new bookings, moves, and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc.

• Boswell (Pharmacy) – orders of new medications entered into the EHR will go directly to the pharmacy vendor. • BioReference (Lab) – orders to and results from the laboratory vendor populate directly to/from the offender’s chart. • MobilexUSA (Radiology) - orders for external imaging and links to new images will populate directly to/from the offender’s chart. • Vermont Health Information Exchange (HIE) - outbound diagnostic lab/image orders & inbound results; outbound consultation orders and inbound

clinical encounter notes/orders; inbound inpatient encounter notes and discharge orders; inbound ER clinical encounter notes and discharge orders.

In addition to automatically uploading files directly into the offender’s chart via electronic interfaces with various 3rd party systems, Centricity robust interface capabilities, paper documents can also be scanned and indexed to the offender’s chart as well.


14. Respond to the following questions about the solution being proposed:

Vendor Response/Explanation

Question Yes or No A. Does the solution use Service Oriented Architecture for

integration? Yes Centricity uses standard protocols and conventional interfaces that are typically provided as Web services.

B. Does the solution use a Rules Engine for business rules? Yes Centricity is a fully-integrated EHR inclusive of a Rules Engine.

C. Does the solution use any Master Data Management? Yes Centricity is a fully-integrated EHR solution that provides Master Data Management capabilities.

D. Does the solution use any Enterprise Content Management software? Yes Centricity is a fully-integrated EHR solution that provides Enterprise Content

Management capabilities. E. Does the solution use any Case Management software? Yes

Centricity is a fully-integrated EHR solution that provides Case Management capabilities.

F. Does the solution use any Business Intelligence software? Yes Centricity is a fully-integrated EHR solution that provides Business Intelligence

capabilities. G. Does the solution use any Database software?

Yes Centricity leverages industry-standard license(s) of Microsoft SQL Server Enterprise.

H. Does the solution use any Business Process Management software? Yes Centricity is a fully-integrated EHR solution developed for correctional health. No

third-party applications are necessary to meet these requirements. I. Is this a browser based solution and if so what

browsers do you support? Yes Centricity is a web-based solution utilizing Internet Explorer 9+.

J. Does the solution include an API for integration? Yes Centricity was one of the first adopters of the new HL7 FHIR API. Centricity has always had the latest standards when it comes to data interfacing.


PART 3: FUNCTIONAL REQUIREMENTS The table below lists the State’s Functional Requirements. Indicate the “Availability” for each requirement for your proposed solution. Use the “Vendor Comments” column to provide any additional information or explanations.

A - Feature is available in the core (“out-of-the-box”) solution. D - Feature is currently under development (indicate anticipated date of availability in the “Vendor Comments” column). C - Feature is not available in the core solution, but can provided with customization. N - Feature is not available.


ID #

Functional Requirement Description Availability Vendor Comments

Technical Functionality

1 The Solution shall allow users to record program admission, transfer, and discharge information for each inmate. A Centricity allows users to record, store, and track each inmate record from

admission to a facility, to a facility transfer, and to the inmate’s discharge.

2 The Solution shall support tracking referral sources and the related workflow for managing admissions to the DOC.

A

A wide variety of orders are included in Centricity, including screens to order recurring tasks for nursing, like vital signs monitoring, treatments, detox monitoring, and wound care. There is also the ability to order labs and referrals to other disciplines (mental health, dental, ob/gyn) within the facility, and also orders relating to the correctional setting directly, including housing placement orders for medical or mental health housing, restrictions work duty due to medical reasons, etc. Recurring orders can also be placed, and custom orders can also be created and saved for ease of use to the end user. Centricity allows for administrative users to audit what users placed orders or referrals.

3

The Solution shall support Scanning, Document Management, and Records Release Capabilities. This shall include scanning and managing documents that are created by other parties so that they can be included in a medical record.

A

Centricity’s document management tool allows prisons to easily scan paper documents and correctly index them directly into the offender 's chart, of which they become a permanent part. Any documents created outside of the EHR can easily be scanned and attached to an offender record in the EHR, allowing for one cohesive record and reducing the need for physical storage space. In addition, users can retrieve indexed documents such past medical charts, HIPAA release, or physician transcription – among others - with a single click. This tool, called DocuTrak, provides built-in support for importing observations terms, routing documents, and leveraging Centricity security permissions. Our ImageLink interface enables successful desktop integration with DocuTrak or third-party image management and display systems.

4

The Solution may have the capability to identify and record the staff member who submitted the OCR/OMR form into the inmate's electronic medical record - the individual who scanned the document as well as the individual who documented inmate care.

A

To facilitate compliance with your healthcare organization’s security and privacy policies, Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, scanned documents and other information such as report or document names, names of clinical values changed, and the value changes. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging. Auditing of viewing, previewing, printing, and faxing non-confidential patient information can be turned off, to reduce the scope of activity information logged and stored in the database. However, activity involving confidential documents and sensitive charts is always audited.


Audit trail reports that come with Centricity include patient audit reports and user audit reports.

5

The Solution shall allow users to indicate required components of medical records, files, outcome measures, satisfaction surveying, and/or required actions, and also have a companion reporting and editing Solution for identifying incomplete files or pending requirements. Ideally, the “tickler” Solution shall be linked to the staff alert and messaging Solution.

A

Centricity’s Orders Manager provides VT DOC with a task management functionality to help manage offender care within a correctional environment. Track upcoming and overdue services such as follow up care, sick call, labs, blood glucose tests, specialty services, etc. by order date, priority, or any other key filters. Fusion Order Manager is easily customizable to meet your clinical needs. In addition, call out sheets can be electronically generated and printed to hand to the CO’s. For HIPAA compliance, a toggle on the tool allows users to hide PHI prior to printing the call out sheet. In addition, Centricity provides staff with efficient ways of managing work queues, no matter what job role the staff member has. The chart desktop is an area within Centricity where providers can manage their tasks, making sure that they complete and sign off on certain documentation, review and sign off on pending items such as lab results, and anything else that has to do with their day-to-day work activities. In the chart desktop view providers can easily see if they have any messages needing a response, along with unique task items. The task list can be filtered by service/document types, by name, by status, or anything else they want to prioritize and concentrate on so that they only see the work needed for completion on that particular service (i.e. diagnostic results review).

6

The Solution shall have the functionality to limit access to all or part of an inmate medical record using role-based permissions. Role-based permissions must be easily configurable through an Administrative interface to allow staff to change and add roles as needed.

A

Centricity enforces the most restrictive set of rights/privileges or accesses needed by users/groups, such as System Administration, Clerical, Nurse, Doctor, and so on, or processes acting on behalf of users, for the performance of specified tasks. Centricity provides the ability for authorized administrators to assign restrictions or privileges to users/groups. Centricity enables to associate permissions with a user using one or more of the following access controls: • User-based (access rights assigned to each user) • Role-based (users are grouped and access rights assigned to these groups) • Context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time-of-day, workstation-location, emergency-mode, and so on.)


7

The Solution shall have the ability to generate a “Continuity of Care” or “Discharge Summary” document with Demographics, Insurance, Summary of Assessment and Care, and other customizable components.

A

Centricity can also exchange offender health information with external systems in CCD (Continuity of Care Document) or CCR (Continuity of Care Record) format. Users can generate export, import, and display CCD documents for offenders with charts in the Centricity database. CCD documents can be given to the officer or offender on an encrypted jump drive or other storage device or sent by secure clinical messaging to another provider, so they can import it into their system. The XML-Formatted documents can also be opened in a Web browser window and printed. Transfer templates for both sending and receiving of offender’s capture content necessary to provide for continuity of care. Release planning and discharge planning templates will assist in transitioning offenders back to the community, an activity becoming ever more important for correctional facilities.

8 The Solution shall allow users to record all assigned care providers (see definitions) and be date-of-service sensitive.

A

Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, scanned documents and other information such as report or document names, names of clinical values changed, and the value changes. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging.

9

The Solution shall support the ability to import and document inmate and responsible party signatures from signature pad devices (for consents for treatment, etc.) A

Centricity includes the ability to integrate an electronic signature pad for offenders and/or healthcare staff to sign paperwork and consent forms as well as the ability to generate an electronic signature for users. We recommend Topaz’s Siglite t-l460 digital signature pad.

10 The Solution shall support the national standards for signing electronic medical records.

A

Yes, Centricity meets and exceeds the national standards for signing electronic medical records. Centricity includes the ability to integrate an electronic signature pad for offenders and/or healthcare staff to sign paperwork and consent forms as well as the ability to generate an electronic signature for users. We recommend Topaz’s Siglite t-l460 digital signature pad. Centricity also includes an electronic signature stamp when signing off on a document. The ‘Sign Document’ button allows the provider to sign off and finalize the document/encounter. Once that button is pressed, an electronic signature is captured and stamped on the document itself, showing the person who signed off on the note, the date, and the time. All of this information is captured and is auditable.

11

The Solution must be highly configurable so that established processes and data elements can be modified as new demands for tracking data are made on the State. A

Centricity is an extremely configurable and responsive system, designed to function in a manner that does not demand the user to work ‘for the system’, but rather ‘with the system.’ Fusion will work with VT DOC’s project team to collaborate and ensure the software is being configured and installed to meet all recommendations and requirements.


12

The Solution must include an Administration module that allows non-technical staff to establish new user permissions and to change existing permissions

A

Centricity enforces the most restrictive set of rights/privileges or accesses needed by users/groups, such as System Administration, Clerical, Nurse, Doctor, and so on, or processes acting on behalf of users, for the performance of specified tasks. Centricity provides the ability for authorized administrators to assign restrictions or privileges to users/groups. Centricity enables to associate permissions with a user using one or more of the following access controls:

• User-based (access rights assigned to each user) • Role-based (users are grouped and access rights assigned to these groups) • Context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time-of-day, workstation-location, emergency-mode, and so on.)

13

The Solution shall include Stedman's Medical Dictionary for spellchecking transcriptions such as radiology and pathology. Local spell-checking software, like TinySpell, can be utilized in documentation template text fields.

A

Being a Gold-Certified Microsoft partner, in addition to being built on the Windows platform, Centricity provides the use of spell check in the text views of the documents. In addition, users can utilize Quick Text, which is a shortcut tool that lets you insert common phrases, Form Components, Text Components, and data symbols into a document by typing a few characters. Quick Text can be designed at a very simple level (i.e., text only), or it can be designed at a very complex level. Users have the ability to establish their own Quick Text for personal use. Administrators of Centricity have the ability to establish Quick Text on the Global List for all users to utilize.

14

The Solution shall use check-boxes or numerically coded references in the template for the "Inmate Activity Record/Timeline", as a user-friendly method of inputting routine data.

A

Centricity incorporates familiar charting methodologies to speed offender encounters, such as default charting, charting by exception, picklists and checkboxes. For example, a provider can click one button to indicate all of an offender’s systems are normal. In addition, protocols can be set up to automate workflows. For example, if a score of X is calculated during a PREA encounter, a referral will be generated to the individual/group for follow up. Visual Form Editor can easily be used to customize protocols and alerts to meet your unique needs

15

The Solution shall have the ability to view and access other Solution functionality, such as assessments and documents while the user is on the Inmate Activity Record/Timeline.

A Centricity allows users to view multiple documents while in the inmate’s activity records. Centricity also allows users to view an inmate’s records while performing certain activities.

16

The Solution shall support notifying medical, mental health, care coordination, administration, and other staff of key events when they occur for inmates in care (e.g. admissions and discharges, critical incidents, referrals, etc.) A

Alerts and flags allow users to securely communicate with any other authorized health staff member. Internal communications can easily be accommodated via the integrated tasking, alerts, and email functionalities, which are linked to role-based permission sets that are configured by your System Administrator. Automatic triggers and alerts can also be set up during the development of any forms. Problem notification reporting can be applied both within the application as


well as externally. From an external, system perspective, triggers can be built and configured to send alerts to designated individual(s) on a specified interval. Fusion also has a proprietary interface monitoring tool to notify designated user(s) if an interface has not sent or transmitted files in a given interval timeframe. Alerts/Flags Flags are electronic “sticky notes” that can stand alone on a recipient’s desktop or be attached to an offender’s appointments, registration or EHR chart. Flags can be routed to one or multiple recipients, a predefined group, or even to yourself. Flags can also be sent immediately or scheduled to be sent on a future date. All Flags are “public” meaning that a Flag can be seen by other EHR users even if they are not the sender or receiver. They do not become a permanent part of a offender’s EHR record unless they are changed into a note using the Convert button. Flags remain visible until they are removed, or the set expiration date is reached. A removed or expired flag can be accessed with the “View removed flags” function for 30 days and then becomes completely inaccessible Care Alerts are special kinds of Flags that are connected to an offender chart. They allow you to remind yourself or notify other users of care-related information for a specific offender. A Care Alert is visible in the offender’s chart as long as it is active and can have start and expiration dates. Critical Care Alerts can also be set to “Popup” whenever the offender’s chart is opened. Centricity features robust application security features. Permissions help manage access to job functions as well as offender information. Users with privileges pertaining to the creation of alerts/flags will be identified and set up via the administration function of Centricity to be granted such permissions.

17

The Solution shall support reminding, monitoring, and documenting periodic checks on inmates in care (such as checking vital signs or other medical metrics for inmates with special needs, in detoxification, on suicide watch, encounters for those that are SFI, etc.) A

Centricity has comprehensive medical and behavioral health offerings that can cover anything from the smallest psychiatric evaluation, group therapy sessions, partial hospital extensive group therapy sessions, and inpatient admissions and monitoring. Centricity has the ability to process intake, assessment of needs, plan of care, monitoring, follow-up, and reassessment for medical and behavioral health. In addition, Centricity enables configurable templates, offender notes and other offender-related data that may require diverse configurations and support creation of custom fields.


Centricity has a library of forms that can be leveraged for documenting behavioral health visits. Centricity contains a specific system to track and document the status of offender’s in segregation across multiple housing units. Offenders can be filtered by housing location so staff with assignments to different housing units can easily identify who they need to see. They can document on each offender on one screen without having to look-up offenders individually, document relevant findings, and then document on the next offender without going to another screen. Each offender’s individual record is maintained in their own chart and a record of the rounds can be generated in seg log document form at any interval chosen by the staff member. In addition, offenders who are on suicide precautions can be tracked and receive visits from behavioral health staff at any interval dictated by facility policy and procedure. Progress notes are captured of these visits and next visits are scheduled through tasking to the appropriate group of staff members from the same template. Innovative segregation rounds templates allow behavioral health clinicians to document initial segregation screenings and clearances, and ongoing observations and care for as long as offenders remain in segregation. Medical and mental health templates are available for easy documentation.

18

The Solution shall remind staff to complete the entry of required information, by providing an on-screen indicator. The Solution shall not prevent the access to other sections of a medical record due to incomplete fields.

A

Centricity can be configured with hard and soft stop functionality. Hard stops can be configured to VT DOC’s business rules to prohibit users from proceeding with the desired action until action is taken, whereas soft stops will alert the user of such action missing but does not mandate them to complete the task in order to continue on with their work.

19 The Solution shall include the ability to send a reminder to staff for completions of required information.

A

Centricity EHR is equipped with Care Alerts which are special kinds of Flags that are connected to an offender’s chart. They allow users to remind themselves or notify other users of care-related information for a specific offender. A Care Alert is visible in the offender’s chart as long as it is active and can have start and expiration dates. Critical Care Alerts can also be set to “Popup” whenever the offender’s chart is opened.

20 The Solution shall assign a unique identifier to every individual admitted to the DOC.

A

Centricity ensures that all pertinent offender identifiers are stored and made useful in the EHR. The EHR banner has the ability to depict the offender’s demographics information with identification such as the SBI, Booking #, Commitment # and any other unique identifiers the State may currently utilize. While inside the offender’s Chart, the Banner containing demographic information about the offender, along with the offender’s


picture will be seen. The offender banner is customizable through set-up and can contain the demographic information you feel is pertinent. The banner also shows the picture of the offender and will remain at the top of the screen while in any portion of the offender’s chart.

21 The Solution shall assign a unique identifier to all clinical and administrative staff.

A

Centricity features robust application security features. Permissions help manage access to offender information. In the application, users can be granted or denied permission to perform tasks. For example, you can deny a user permission to update a visit but allow that user to read visit information. Any task, like reading reports, adding a user, or deleting an offender, can be granted or denied for each user logon. During the implementation phase, system administrators will assign unique identifiers to determine each user permission levels. If a staff member does not have permission to complete a task, the application displays a message explaining why. In some cases, another user with the required permissions can unblock access to the feature or module.

22 The Solution shall have the ability to upload and store documents from DOC and non-DOC facilities.

A

Centricity’s document management tool allows prisons to easily scan paper documents and correctly index them directly into the offender 's chart, of which they become a permanent part. Any documents created outside of the EHR can easily be scanned and attached to an offender record in the EHR, allowing for one cohesive record and reducing the need for physical storage space. In addition, users can retrieve indexed documents such past medical charts, HIPAA release, or physician transcription – among others - with a single click. This tool, called DocuTrak, provides built-in support for importing observations terms, routing documents, and leveraging Centricity security permissions. Our ImageLink interface enables successful desktop integration with DocuTrak or third-party image management and display systems.

23

The Solution shall easily integrate with voice recognition applications. The Solution shall facilitate the capture of transcription via a local third-party voice recognition application in any text field including transcriptions and clinical documentation templates. Voice recognition shall also be used for template navigation. The Solution shall provide signature capabilities and version tracking for both transcription documents and template documents.

A

Centricity provides users with rapid data entry functionality with an advanced interface with a variety of data-entry methods, including voice, templates, and quick text. When dictation solutions are utilized, users can insert Dictation Placeholders in their documents to note exactly where dictation should be merged. There are a variety of dictation solutions available for Centricity, but we recommend either Nuance’s Dragon or Clinically Speaking’s CSpeak voice recognition software, although our preferred solution is CSpeak. CSpeak is a secure, cloud-based speech recognition solution that allows clinicians to document using voice recognition while allowing


healthcare organizations to easily deploy medical speech recognition across the enterprise while saving IT expense. Built on the Nuance Speech Anywhere Services technology, CSpeak is highly scalable and ready-to-use. CSpeak provides cloud-based clinical speech recognition across your existing infrastructure of Windows-based devices, including virtualized and remote-access PCs. Additional features include specialty-specific medical language models, automated user accent detection, gain control, custom vocabularies and templates, and voice-based correction. CSpeak has all of the capabilities of traditional Dragon while streamlining your IT requirements.

Documentation Functionality & Medical Record Functionality


The Solution shall have the ability for the DOC to develop customizable templates.

A

VT DOC will have complete access to the 2,000 corrections-specific clinical forms and templates that come standard with Centricity and will also have the ability to create and modify customized forms and templates with Centricity’s Visual Form Editor (VFE). VFE is a WYSIWYG (What You See Is What You Get) editor. Training can be provided for an additional cost which can be discussed during contracting. Some key features of VFE are:

• Visual Design (WYSIWYG) editor speeds the development of encounter forms, eliminating the need to preview or load forms to view visual display. Overlapping visibility regions can also be viewed.

• Drag and Drop allows for the rapid development and modification of encounter forms. Moving single components or groups of components becomes the easy task of dragging and dropping them in position. VFE will recalculate the exact positions where the objects will be placed when displayed in Centricity.

• Resizing of form fields is accomplished visually. • Document Variable Naming supports the creation of user friendly

variable naming. • Copy and Paste functionality simplifies the reusing of components

within a form or between forms. • Multiple Document Interface facilitates design of several forms

simultaneously. This feature also simplifies the sharing of components between forms.

• Split View permits form design and MEL code development in the same window.

• Container / Server Functionality enables the user to design forms to share the same Subjective, Objective, Assessment and Plan regions.

• Control Improvements have been developed which allow for greater control of form display and translation. These include:

o Suppression of entire block (including text and data display)

o Suppression of visibility region translation o Optional display of headings for group boxes

2 The Solution shall assist users by supporting a medical and medication spell-check functionality.

A

Being a Gold-Certified Microsoft partner, in addition to being built on the Windows platform, Centricity provides the use of spell check in the text views of the documents. In addition, users can utilize Quick Text, which is a shortcut tool that lets you insert common phrases, Form Components, Text Components, and data symbols into a document by typing a few characters.


Quick Text can be designed at a very simple level (i.e., text only), or it can be designed at a very complex level. Users have the ability to establish their own Quick Text for personal use. Administrators of Centricity have the ability to establish Quick Text on the Global List for all users to utilize.

3 The Solution shall include the ability to pull existing inmate data into all Solution screens, reports, templates, and forms.

A

Centricity provides users with rapid data entry functionality with an advanced interface with a variety of data-entry methods, including voice, templates, and quick text. Centricity pulls in offender data from across the system and pre-populates the electronic medical record with recent history, vital signs, and other information collected prior to the physician’s exam.

4

The Solution shall have appropriate mechanisms for archiving and retrieving historical records as well as purging records when needed. A

Centricity has the ability to store all pertinent inmate records for both active and inactive patients. During the implementation phase, Fusion will work with the States project team to decide what records will be purged based on the State’s rules and regulations.

5

The Solution shall include on-screen reminders of required information to users and include the ability for "dead stops" according to the needs of the DOC. A

As stated earlier in the RFP, Centricity can be configured with hard (dead stops) and soft stop functionality. Hard stops (dead stops) can be configured to VT DOC’s business rules to prohibit users from proceeding with the desired action until action is taken, whereas soft stops will alert the user of such action missing but does not mandate them to complete the task in order to continue on with their work.

6 Through an interface to OMS, the Solution shall have the ability to document inmate status.

A

As part of Centricity’s interface with the OMS, Centricity will be able to have real time, bi-directional communication related to information such as accepting new bookings, moves, status’ and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc.

7

The Solution shall include the ability to add customized categories for clinical notes to best meet the needs of individual programs and are time stamped with the name, title and date/time of the individual submitting the note.

A

VTDOC will be able to easily create custom forms for Clinical Notes using Visual Form Editor. VFE is a tool for rapid design of encounter forms, for use with Centricity, enabling you to concentrate on creating quality forms rather than overcoming design considerations. Automatic triggers and alerts can also be set up during the development of any forms. Centricity records all accesses to offender clinical or registration data, by user and by date/time stamp. This provides traceability of which charts have been accessed by certain individuals, or who has accessed a particular offender’s data. A report on attempted and successful accesses to charts marked as Sensitive is also available. In this way, an organization can be confident that as long as user ID/password integrity is maintained, inappropriate accesses cannot be disguised

8 The Solution shall include the ability for progress notes to be done simultaneously and become part of individual records. A

Centricity’s multi-user capability allows for simultaneous access to a patient’s chart by clinical staff. Multiple staff members can chart on a patient simultaneously however, Centricity has built-in mechanisms to


ensure clinical safety by only allowing one person to document a new medication, allergy or problem at a single point-in-time. This is done intentionally to ensure that there are no contraindications or adverse reactions being entered into the system at the exact same time.

9

The Solution shall support the DOC’s need to track the completion of a variety of individual treatment, group treatment, educational activities, referral activity, care coordination activities, workflow activities, demographic data, such as the number of participants in a particular group, the program type, and location where the service was provided.

A

GroupNotes allows users the ability to book groups of offenders, check offender in, mark No Shows, and create group documentation.

• Schedule group appointments from one appointment block on the Centricity schedule.

• Mark offender’s arrival status. • Documentation can also be created, reviewed, and signed. • Upon session close, a visit gets created in Centricity. • Upon signature, a document is created and clinical lists are

updated in the offender’s EHR chart.

Centricity comes with DSM-5 psychiatric diagnoses included. The diagnosis codes are available utilizing the same functionality as the problems/diagnosis search. This seamless and unified diagnosis search has been proven and is currently utilized in numerous correctional agencies throughout the country who utilize Centricity. Centricity provides group activity templates that enable clinicians to document in one area and have that information put into all the health records for those who attended. In addition, this same screen facilitates easy retrieval of group attendees for simplifying the addition of the unique individual notes. As an example, group therapy notes take advantage of advanced technology allowing information to be added to all group members’ charts at once, while still enabling individualizing of information that is offender-specific. This saves therapists a lot of time in documenting group therapy. The DOC will have the ability to track the completion of the different services provided to the group or at an individual level.

10

The Solution shall have the ability to produce a printable Summary of Assessment and Care document for every inmate, populated with existing data, and able to be accessed and viewed by a customizable range of time.

A

Centricity has the capability to print or copy any documents for any offender. This includes Assessment and Care Documents which can be provided for the offender or other health care providers that can include all pertinent offender data i.e. Active Medications, Problems, Mental Health History, etc.

11 The Solution shall allow for the ability to document progress notes, customizable by role and function. A

Centricity provides content (forms, templates, etc) and structured data for multiple clinical functionalities. This content includes treatment plans and progress notes that can be customized based on the clinical functionality.


12

The Solution shall support routing medical record documents to supervisors or others for signature or approval as required. The routing shall be configurable to meet the DOC's needs.

A

When a user has completed all necessary medical record documentation for the particular encounter the user has the ability to route the information to a user or a user group. When routing documents, the user has the ability to require specific actions and the priority of the action required. The user routing the document can Require Action, require a Signature, or require Review by another user.

13 The Solution shall include the ability to lock a medical record so that only specific individual staff members can access it.

A

Centricity supports multiple separate user privileges in registration, charts, flags, inquiry/reports, appointments, setup, and LinkLogic categories. Additional privileges support multiple confidential document types as indicated by a user, such as mental health, STD, alcohol/drug abuse, and HIV/AIDS document types. These privileges can also be administered at two levels: per user or per role. That is, a standard set of roles, with associated privileges, can be defined and then those roles used to quickly and easily assign and maintain individual user rights. Role-based security applies down to the field level.

14

The Solution shall produce a small pop-up window when a locked file is accessed that explains why the case is locked, a timestamp of when it was locked and who locked it.

A

Centricity features robust application security features. Permissions help manage access to job functions as well as offender information. Users with privileges pertaining to the creation of alerts/flags will be identified and set up via the administration function of Centricity to be granted such permissions. In additional to general alerts/flags, triggers can be implemented with VTDOC business rules behind all triggers and alerts that are client configurable as well, providing you the ability to be as self-sufficient as needed.

15

The Solution shall include the ability for an administrator to override the current level of permissions for any one inmate at any one time.

A




16 The Solution shall maintain and support the tracking of all versions of medical record forms. A Fusion stamps all medical record forms with a Version Number for users to

easily identify each form.

17 The Solution shall have some mechanism for tracking and verifying that progress notes have been completed for all services entered. The Solution shall allow reminders of notes to complete.

A

Centricity’s Orders Manager provides VTDOC with a task management functionality to help manage offender care within a correctional environment. Track upcoming and overdue services such as follow up care, sick call, labs, blood glucose tests, specialty services, etc. by order date, priority, or any other key filters. Fusion Order Manager is easily customizable to meet your clinical needs. In addition, call out sheets can be electronically generated and printed to hand to the CO’s. For HIPAA compliance, a toggle on the tool allows users to hide PHI prior to printing the call out sheet. In addition, Centricity provides staff with efficient ways of managing work queues, no matter what job role the staff member has. The chart desktop is an area within Centricity where providers can manage their tasks, making sure that they complete and sign off on certain documentation, review and sign off on pending items such as lab results, and anything else that has to do with their day-to-day work activities. In the chart desktop view providers can easily see if they have any messages needing a response, along with unique task items. The task list can be filtered by service/document types, by name, by status, or anything else they want to prioritize and concentrate on so that they only see the work needed for completion on that particular service (i.e. diagnostic results review).

18 The Solution shall enable the easy release of all or part of an electronic medical record, both electronically and via printing.

A

Centricity has the capability to print or copy any documents for any offender. This includes the Discharge Summary which can be provided for the offender or other health care providers that can include all pertinent offender data i.e. Active Medications, Problems, Mental Health History, etc. Centricity is capable of sending this information electronically through appropriate interfaces such as a bi-directional interface with the VT HIE.

19 The Solution shall allow multiple staff members to write and sign a medical record note.

A

Centricity’s multi-user capability allows for simultaneous access to a patient’s chart by clinical staff. Multiple staff members can chart on a patient simultaneously however, Centricity has built-in mechanisms to ensure clinical safety by only allowing one person to document a new medication, allergy or problem at a single point-in-time. This is done intentionally to ensure that there are no contraindications or adverse reactions being entered into the system at the exact same time.


Log-In Functionality

1 The Solution shall be accessed through an icon on the Desktop or via the MS Windows Start Menu. A User’s will access Centricity through either an icon on the Desktop or via

the MS Windows Start Menu.

2

The Solution shall time out and lock after a period of inactivity and allow the user to log back in and continue the function they were in the process of completing. The time out period shall be configurable to the needs of the DOC. A

The system upon detection of inactivity of an interactive session prevents further viewing and access to the system by that session by terminating the session, or by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures. The inactivity timeout is configurable.

3 The Solution shall present a Log-In screen after being initiated, requesting User ID and Password credentials.

A

At the application level, Centricity heavily supports user login security, where a user’s login name and password must be entered before any application features are available for use. The system administrator may elect to invoke password encryption to further enhance security. Note: There is a single sign-on for Centricity. The system administrator can also establish password characteristics such as minimum length, requirement for alphanumeric format, and password expiration time. In addition, a quick logout/screen-locking facility is always available, as is an idle-user logout.

Scheduling Requirements

1 The Solution shall have a scheduling function for the correctional facilities.

A

Centricity includes an extremely powerful and flexible scheduling system. Centricity provides staff with the ability to effectively manage and schedule offender care within a correctional environment. All onsite scheduling is done in similar fashion, no matter what the service being provided is. Track upcoming and overdue services such as follow up care, sick call, labs, blood glucose tests, specialty services, etc. by order date, priority, or any other filter provided.

2

The Solution shall provide tracking of all offender activities including, but not limited to, healthcare appointments and attendance at treatment programs, and provide an alert if there is a scheduling conflict.

A

Centricity transforms scheduling into a quick and simple process. Designed for high offender and clinic satisfaction, Centricity’s scheduling provides a flexible, customizable interface as well as clear, easy-to-follow guidelines. Centricity’s Scheduling system allows users to search for first available appointments, track recalls, manage authorizations and referrals, and much more. The real-time view of daily schedules enables effective time management and a seamless experience, keeping the organization more informed. Centricity accommodates both on-site and off-site scheduling, so hospital visits or consultant appointments can be tracked as well. While schedules can be color-coded and organized into custom groups to be viewed by different users (multi-view), the system also allows a variety of views by a single resource, so providers can track their own daily lists.

3 The Solution shall be able to allow users to view schedules for the entire facility or specific inmates by day, month, or year. A Centricity’s scheduling system was developed specifically for the way

correctional health schedules offenders for medical services. In addition to


utilizing this tool as the central scheduling station, Centricity’s scheduling functionality provides resource-based scheduling that supports centralized scheduling at the facility level, as well as the enterprise level, with customizable color-coded scheduling templates with adjustable time increments, sequential “event-chain” scheduling, real-time wait listing, recurring appointments, appointment listing reports and full audit trails.

4 The Solution shall maintain detailed records of all internal and external scheduled and unscheduled movements of offenders.

A

Centricity’s scheduling functionality provides resource-based scheduling that supports centralized scheduling at the facility level, as well as the enterprise level, with customizable color-coded scheduling templates with adjustable time increments, sequential “event-chain” scheduling, real-time wait listing, recurring appointments, appointment listing reports and full audit trails.

Intake Functionality

1 The Solution shall support tracking the intake-related workflow for managing admissions to correctional facilities.

A

Centricity’s automated workflows and rapid documentation streamline repetitive tasks and instantly updates offender charts. Centricity features automated workflows, pre-built templates and commands that work the way you do to help improve clinical effectiveness and efficiency and enable more informed clinical decision-making. Centricity provides VT DOC with hundreds of templates that can be used for any services’ of the intake screening process. In addition, it can also be customized to the clinical operations of the facility. Our experience also ensures that the intake process adheres to NCCHC, ACA and PBNDS standards. Typically, the intake screening process is initiated by the nursing staff upon intake with a full H&P conducted by a physician within a specified duration through the Practitioner Intake. The correctional forms have been designed in such a way to allow for a minimal amount of clicks, with additional logic built in to allow for automatic routing (I.E. high score on mental health questionnaire) as well as a dynamic workflow which shows specific fields based on the values of other fields.

2 The Solution shall support tracking previous names and aliases for the inmate throughout the Solution.

A

Centricity has an extremely fluid user interface, always ensuring that key navigational components are within one click to access. Fusion has enhanced on Centricity’s base search functionality to allow offenders to be searched by name, birthday, SSN, Permanent ID, Commitment/Booking #, Alien #, etc. Centricity has the ability to include any known alias’ on the patient’s banner which can be configured during the implementation phase.

3

Through an interface to OMS, the Solution shall support the import and viewing of inmate photos at admission with the option to import and view three subsequent photos per admission, for identification purposes.

A

Fusion will develop specific interfaces to external systems as part of this project. Including but not limited to VTDOC’s OMS system JailTracker / Harris. Fusion will configure, code, and test all application, application extensions, data conversion, and data acquisition/interfaces once agreed


upon between both Fusion and VTDOC. Through Fusion’s interface with JailTracker, the systems will share data including accepting new bookings, moves, and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc.

Centricity ensures that all pertinent offender identifiers are stored and made useful in the EHR. While inside the offender’s Chart, the Banner containing demographic information about the offender, along with the offender’s picture will be seen. During the implementation phase Fusion will work with the DOC to import and store multiple inmate photo’s in Centricity.

4 The Solution shall include an intake form that is customizable to meet the DOC's needs.

A

Centricity provides VT DOC with hundreds of templates that can be used for any services’ intake screening process. In addition, it can also be customized to the clinical operations of the facility. Our experience also ensures that the intake process adheres to NCCHC, ACA and PBNDS standards. Typically, the intake screening process is initiated by the nursing staff upon intake with a full H&P conducted by a physician within a specified duration through the Practitioner Intake. The correctional forms have been designed in such a way to allow for a minimal amount of clicks, with additional logic built in to allow for automatic routing (I.E. high score on mental health questionnaire) as well as a dynamic workflow which shows specific fields based on the values of other fields. One of the most important components in the implementation and design of an EHR is the assurance that the clinical workflow is comprehensive and intuitive. Centricity’s intuitive design coupled with our team’s knowledge of the correctional clinical workflow will ensure that the form components are intuitive, organized and sequential. Questions will be asked in a logical manner, for example, ensuring that in the intake screening if a translator is requested is one of, if not the first question. Our understanding of corrections will ensure that the workflow is for the correctional clinical workflow; not a clinical workflow that is manipulated to work in a correctional setting as seen in other EHRs. Many of Fusion’s forms and automatic protocols are used by many of our clients where Centricity has assisted their compliance towards NCCHC, ACA and/or PBNDS accreditation.


5

The Solution shall include the ability to record inmate monthly and annual income as well as Federal Welfare Benefits, State of Vermont Economic Services Benefits, and insurance benefits (including but not limited to Medicaid, Medicare, and private insurance).

A

The user interface for Centricity EHR was developed based on extensive input from physicians, designed to be intuitive and reduce the number of clicks all the way from patient registration through clinical evaluation. The resulting solution is one that physicians will want to adopt, and one with which your agency can integrate with minimal disruption to your workflow. In addition, Centricity’s patient engagement tools streamline patient/clinic communications and give patients round-the- clock access to portal services allowing the City to free up staff with patient self-registration, allowing patients to register online and new patients to enroll online. Centricity allows users to record valuable data needed for financial and compliance reporting, to determine a family’s federal poverty level for use in calculating a sliding fee, and to successfully file claims electronically to Medicare, Medicaid, and other private and public insurance entities.

6

The Solution shall support tickler functionality for inmate-specific pre-admission task completion, such as completing clinical reviews and approvals, obtaining required medical equipment before admission, etc. A

The Orders Manager provides additional task management functionality to manage offender care within a correctional environment. It allows users to track upcoming and overdue services such as follow up care, sick call, labs, blood glucose tests, specialty services, clinical reviews, obtaining proper equipment, etc. by order date, priority, or any other filter provided. The Orders Manager Tool is easily customizable to meet your clinical needs.

Assessment and Treatment Planning Functionality

1

The Solution shall have tools to aid care providers in assessment and treatment planning processes. This includes tools to assist in diagnosing conditions, selecting treatment goals, developing treatment plans, documenting progress towards goals, preventing medication errors, etc. This also includes standard assessment tools used by clinical staff as well as direct access to up-to-date ICD-10 and DSM criteria for diagnosing.

A

Centricity offers the Treatment Plan Manager that allows users to plan and create long term offender goals, devise a plan to achieve those goals, and track the progress towards attaining those goals. The Treatment Plan Manager captures offender progress on treatment plans over time through the completion of Centricity Encounters. On the landing page of the Treatment Plan Manager, the treatment plans for the offender are filtered by plans that are in progress, completed, or a concatenation of both statuses. The statuses of these treatment plans can be updated as they are selected and worked on distinctly through Encounters. When a treatment plan is selected to be worked on, the goals are filtered by ones that are in progress, completed, or both. Any goals or objectives that are in progress are highlighted a light blue color in the table. As they are completed, the row color will change to white and an end date replaces the In Progress text in the table underneath the End Date column. As Encounters are completed, Documents are added to the offender’s Chart to record what was done during the session. Centricity follows all Healthcare IT standards. The system’s inherent functionality supports standards such as ICD-10, DSM-V, SNOMED-CT,


etc.

2

The Solution shall allow users to record an unlimited number of DSM diagnoses (using the most up-to-date version of the DSM) and translates the diagnosis to ICD codes (using the most up-to- date version of the ICD). This should include support for all ICD diagnoses for medical conditions. The diagnosis data should be date-sensitive.

A

Centricity is designed to allow for the user to create, maintain, edit, inactivate or update an offender’s problem list with one click from anywhere in the system. The intuitive user interface also presents the problem list when loading an offender’s chart. The problems list is pre-loaded with the entire ICD-9, ICD-10 and psychiatric diagnostic codes (DSM-V) and is updated periodically to ensure it is always up to date. Problems can be searched out with partial word searches to return a list of viable problems to select from. The EHR can also be configured to allow users to enter un-coded problems, which are designated in the EHR by an asterisk. Once selecting a problem to assign, the user can add additional comments, set an approximate or exact onset and end data and/or enter the duration which will automatically calculate the date. Centricity comes with DSM-5 psychiatric diagnoses included. The diagnosis codes are available utilizing the same functionality as the problems/diagnosis search. This seamless and unified diagnosis search has been proven and is currently utilized in numerous correctional agencies throughout the country who utilize Centricity.

3

The Solution shall support the ability to create custom assessment tools with the ability to store, print, and export assessment scores as well as supporting standardized assessment tools.

A

The Treatment Plan Manager captures offender progress on treatment plans over time through the completion of Centricity Encounters. The out of the box version of the Treatment Plan Manager comes with multiple templates that outline common goals, and measurable objectives associated with each treatment plan template. However, staff members can create custom treatment plan templates that are unique per offender within the Treatment Plan Manager.

4

The Solution shall allow users to record all individual treatment plans in SMART (Specific, Measurable, Achievable, Realistic, Timely) format, including identified problems, goals for treatment, objectives, and interventions to be provided. A

Fusion, along with the Centricity EHR solution, is the largest EHR provider to State Department of Corrections in the United States. Centricity provides VTDOC with over 2,000 corrections-specific encounter templates many of which adhere to NCCHC, ACA, and/or PBNDS Standards. In addition to having out of the box content, VTDOC can also modify existing forms or develop new ones to meet any special requirements on documentation.

5

The Solution shall have a dedicated section and specialized template, accessible and modifiable by select users, called "Individualized Treatment Plan". The "Individualized Treatment Plan" clinical note shall be generated during the admission process.

A

As stated in the response above, Fusion, along with the Centricity EHR solution, is the largest EHR provider to State Department of Corrections in the United States. Centricity provides VTDOC with over 2,000 corrections-specific encounter templates many of which adhere to NCCHC, ACA, and/or PBNDS Standards. In addition to having out of the box content, VTDOC can also modify existing forms or develop new ones to meet any special requirements on documentation. Fusion has the ability to incorporate a set of Forms that will be inclusive of


the Admission Process. During the implementation phase Fusion and the DOC will review pre-made form templates and discuss any modifications that may be needed.

6

Using role-based permissions, the Solution shall pend "Individual Treatment Plan" notes and remain as Read/Write accessible, until finalized, by the respective staff member (e.g., nurses, Psychiatrists, Psychologists, Social Workers, Psychiatric Nurses, Mental Health Professionals, etc.).

A



7

The Solution shall divide the “Individualized Treatment Plan” section into customizable subsections, based on the needs of the DOC.

A

The Treatment Plan Manager captures offender progress on treatment plans over time through the completion of Centricity Encounters. The out of the box version of the Treatment Plan Manager comes with multiple templates that outline common goals, and measurable objectives associated with each treatment plan template. However, staff members can create custom treatment plan templates that are unique per offender within the Treatment Plan Manager. During the implementation phase, Fusion will work with DOC Staff to meet the needs of the DOC.

8

The Solution shall cease populating Problems, Goals, Objectives, and Interventions from the Problem list once they have been marked “Inactive”. A

While in the inmate’s chart, Centricity Problem List includes all Active Problems. Centricity also offers users the ability to toggle between Active Only and All Items when viewing the inmates Problems List which will allow users to view both Active and Inactive Problems.

9

The Solution shall have the capability to reflect multiple signatures from all the treatment disciplines involved in inmate care, including the inmate’s signature.

A

Centricity’s multi-user capability allows for simultaneous access to a patient’s chart by clinical staff. Multiple staff members can chart on a patient simultaneously however, Centricity has built-in mechanisms to ensure clinical safety by only allowing one person to document a new medication, allergy or problem at a single point-in-time. This is done intentionally to ensure that there are no contraindications or adverse reactions being entered into the system at the exact same time. Centricity also includes the ability to integrate an electronic signature pad for offenders and/or healthcare staff to sign paperwork and consent forms as well as the ability to generate an electronic signature for users. We


recommend Topaz’s Siglite t-l460 digital signature pad.

10

The Solution shall have the ability to categorize the status of the Individualized Treatment Plan clinical note. The status shall be configurable according to the needs of the DOC.

A

Treatment Plan Manager allows users to plan and create long term offender goals, devise a plan to achieve those goals, and track the progress towards attaining those goals. The Treatment Plan Manager captures offender progress on treatment plans over time through the completion of Centricity Encounters. On the landing page of the Treatment Plan Manager, the treatment plans for the offender are filtered by plans that are in progress, completed, or a concatenation of both statuses. The statuses of these treatment plans can be updated as they are selected and worked on distinctly through Encounters. When a treatment plan is selected to be worked on, the goals are filtered by ones that are in progress, completed, or both. Any goals or objectives that are in progress are highlighted a light blue color in the table. As they are completed, the row color will change to white and an end date replaces the In Progress text in the table underneath the End Date column. As Encounters are completed, Documents are added to the offender’s Chart to record what was done during the session.

11 The Solution shall include the capability to mark a treatment plan as deleted based on permission roles. A

Changes within the system can typically be made with the appropriate security permission sets, which are determined by your System Administrator. Full audit trails are maintained during system use.

Individual Inmate Functionality

1 The Solution shall have the ability to access individual inmate records by "drilling down" using a double-click on the inmate's name or cell number.

A

Centricity has an extremely fluid user interface, always ensuring that key navigational components are within one click to access. Fusion has enhanced on Centricity’s base search functionality to allow offenders to be searched by name, birthday, SSN, Permanent ID, Commitment/Booking #, Alien #, etc. Users can also search out partial information for example, when searching for Smith, Daryl the user can simply put Sm, D and the offender is easily able to be selected. This is especially useful for complicated names which saves considerable time. In addition, users can search in specific locations/buildings/units (where they have the appropriate permission). Should one user prefer a specific default for searching, they can set this value as well.

2

The Solution shall populate data from all permission roles into the inmate's individual record. There shall be no duplication of data entry. A

Centricity pulls in offender data from across the system and pre-populates the EHR with recent history, vital signs, and other information collected prior to the physician’s exam that are relevant for the encounter which minimizes duplicate data entry.


3 The Solution shall include the capability to customize chart layout screens. A

Centricity’s is an exceptionally customizable product, tailored to boost your organization’s efficiency. Centricity is based on physician input and has the built-in ability to customize forms and functions to meet the organization’s needs.

4 The Solution shall include the capability to view a summary of clinical and medication information for individual inmates. A

Centricity’s Chart Summary provides a quick snapshot of clinical data contained within the offender’s chart. Five of the main clinical information areas can quickly be seen: Problems, Medications, Allergies, Directives, and Alerts/Flags.

5

The Solution shall allow authorized users to assign labels/alerts to offenders for easy recognition of special case needs, including but not limited to Serious Functional Impairments (SFI), Delayed Placement Persons, and Prison Rape Elimination Act (PREA) Standards.

A

Care Alerts are special kinds of Flags that are connected to a offender chart. They allow you to remind yourself or notify other users of care-related information for a specific offender. A Care Alert is visible in the offender’s chart as long as it is active and can have start and expiration dates. Critical Care Alerts can also be set to “Popup” whenever the offender’s chart is opened.

Medication Administration

1 The Solution shall allow users to record and monitor medications for inmates in care, including drug name, dosage, date range, and prescriber.

A Centricity allows users to record and monitor inmates’ medications. Specifically, the user can record and monitor the drug name, dosage, start and stop date, prescriber, instructions, and more.

2

The system shall maintain an active medication list and allow a user to electronically record, modify, and retrieve an inmate's active medication list as well as medication history for longitudinal care. A

While in the inmate’s chart, Centricity Medication List includes all Active Medications. Centricity also offers users the ability to toggle between Active Only and All Items when viewing the inmates Medication List which will allow users to view both Active and Inactive Medications.

3 The system shall maintain active medication allergy list and allow a user to electronically record, modify, and retrieve an inmate's active medication allergy list as well as medication allergy history for longitudinal care.

A

Centricity is capable of checking interactions between medications, medication allergies, and non-drug agents and visually notify the user of such interactions. When completing an update, if medications, allergies or problems are entered into the update, the system will check the update and notify the user if any interactions were identified and prompt the user for action. Interactions are marked with an exclamation where appropriate with severity distinguished by color. In addition, the system can be configured to display a popup warning of such interactions when accessing the offender’s chart. Centricity EHR permits the organization to set an enterprise-wide level of severity for an interaction that requires the user to manually acknowledge and override the interaction to produce a prescription for a medication. This feature complies with the requirements for meeting this measure.

4

The Solution shall allow for web-based access to information about drug interactions, contraindications, and inmate drug information. (e.g. up-to-date.com). A

Centricity has a full allergy and medication interaction system which will alert the provider if they are creating orders which may have adverse reactions to the offender. Drug – Drug, Drug – Food, Drug – Allergy, Drug – Diagnosis, Dose Range Checking, Weight Based Dosing, Dosing Calculator and more alerts are inherent Centricity. The system can also be


configured to allow the alert to be overwritten where documentation is created as to the cause of such. In addition, reports can be developed to review causes for why providers overrode the alert. Centricity also has the ability to add Navigational Links for users. The links can include websites such as up-to-date.com for easy access to the end users.

5

The subcontracted pharmacy vendor will send refill requests electronically to the Solution and shall remind prescribers when inmate prescriptions need to be refilled.

A

As part of Centricity’s interface with the Pharmacy Vendor, Centricity will be able to have real time, bi-directional communication related to information such as sending refill requests to the Pharmacy. Centricity’s foundation is extremely robust, capable of reporting on an expansive list of system audited events, such as chart access, clinical documentation and viewing of patient charts. Reports can be run both ad-hoc for simple querying of statistical information as well as having the capability to develop a complicated, analytical report for advanced forecasting. All data stored on the SQL database can be searched, sorted and reported on and a number of reporting options can be supported, including integrated ad-hoc report writing, Crystal Reports and 3rd party options via the SQL database. This enables our clients to generate statistical reporting and reports to participate in quality assurance programs. During the implementation Phase, reports can be configured to send daily reports of all inmate’s medications ending in a set period of time.

6

The Solution shall include the capability to track formularies so that prescribers can select medications based upon tiered formularies, if required. A

Fusion’s Formulary Manager which seamlessly integrates your preferred or customized drug list within Centricity. If end users prescribe a medication that is off the formulary they are notified and can be provided preferred or alternative medications. The Formulary Manager platform allows you to easily manage your preferred formulary with updates taking a matter of moments.

7

The Solution shall support DEA requirements for instances such as controlled medication refills and the faxing/printing of controlled medications. A

To meet the DEA Requirements, Centricity allows care providers to prescribe controlled substances electronically – a process that has been historically paper-based. EPCS limits the occurrence of forged or stolen prescriptions by authenticating prescribers and increasing security. Various biometric devices can be utilized for EPCS, such as barcode, fingerprint, etc.

8 The Solution shall support printing inmate information for prescribed medications.

A

Patient education can be accessed from an offender 's chart at any time by simply clicking the ‘Handouts’ button on the left side of the navigation screen. You can access Handouts when actively creating a document to update the offender’s chart or when you simply need to print a Handout. In addition to the Handouts Custom List that is maintained by


administration, you have the ability to create your own list of Favorites by accessing the binoculars icon. After selecting your Favorite Handouts, they will now be viewable from the main Handouts window (as seen). Within the medications module numerous forms of educational materials are provided for both the prescriber and the offender, including monographs and much more. The Handouts folder provides you with the ability to design and organize your Handouts that will be used for offender care. Although you cannot access or edit the set of standard Handouts that come with Centricity, you do have the ability to create/edit your own.

9

The Solution shall have appropriate alerts as needed when ordering medications (e.g., medication allergies, medication interactions, dosage warnings, etc.). The Solution should also warn about drug interactions or contraindications when acknowledged by nursing staff. A

Centricity has a full allergy and medication interaction system which will alert the provider if they are creating orders which may have adverse reactions to the offender. Drug – Drug, Drug – Food, Drug – Allergy, Drug – Diagnosis, Dose Range Checking, Weight Based Dosing, Dosing Calculator and more alerts are inherent Centricity. The system can also be configured to allow the alert to be overwritten where documentation is created as to the cause of such. In addition, reports can be developed to review causes for why providers overrode the alert.

10

The Solution shall include the capability to manage the DOC pharmacy; including inventory management of pharmacy supplies and non-controlled medications, controlled substances management, that interfaces with the electronic medication ordering, and dispensing (Medication Administration Record).

A

The Pharmacy Vendor is the primary party who will handle the inventory management of pharmacy supplies. Although, as part of Centricity’s interface with the Pharmacy Vendor, Centricity will be able to have real time, bi-directional communication related to information such ordering and dispensing medications. Additionally, our eMAR can add inventory management functionality as well.

11 The system shall allow authorized users to adjust notifications provided for drug-drug and drug-allergy interaction checks.

A


12

The systems shall meet the 2014 criteria for computerized provider order entry (CPOE) available to staff for the purposes of electronically recording, changing, and accessing pharmacy and pharmaceutical data.

A

Centricity offers a fully integrated clinical order entry (CPOE) and electronic medication administration record (eMAR) solution that contains components that work together. Centricity is a Certified Electronic Health Record Technology (CEHRT) for the 2015 Edition (CHPL ID: 15.04.04.2902.Cent.12.00.1.171016) in accordance with the definition provided 45 CFR Part 170.102 as defined by the Office of the National Coordinator for Health Information Technology (ONC). Having the 2015 certification at a time where very few EHRs have the 2014 certification showcases and attests both Centricity EHR and Fusion’s commitment to


healthcare IT excellence.

Medication Administration Record (MAR)

1 The system shall maintain an electronic inventory process (e-MAR) to ensure the availability of daily, stock medication, and other necessary and commonly prescribed medications.

A

Centricity is a fully integrated, one-for-all EHR system inclusive of a Correction specific eMAR, designed to increase productivity for medication administration within a prison system. Our eMAR is robust, yet simple and has a fluid UX for faster user adoption and ease of use. From basic system interfaces between Centricity and the DOC’s Pharmacy Vendor to complex systems such as automated packaging and dispensing systems, Fusion has worked with countless vendors to successfully integrate any of these pharmacy solutions with Centricity.

A comprehensive clinical workflow which includes an eMAR, in best practices, will allow for a unified system whereby the EHR serves as the official clinical file, supported by an eMAR for effective and accountable medication administration. Through this eMAR, the ability to order medications directly to the pharmacy ensures one completely unified system.

The eMAR allows for bi-directional communication between the systems, and minimizes the number of staff who will have to be trained on two systems. This integration allows for Centricity to send the eMAR the following:

• All Demographics • Intake, Booking and Release documentation • Medications entered from Centricity’s Computerized Physician

Order Entry (CPOE) Additionally, our eMAR can add inventory management functionality as well.

2

The Solution shall include a medication administration record (MAR) to verify that all medications are administered correctly to the right inmate.

A

Fusions eMAR includes many features that allow for rapid and efficient medication administration with minimum clicks, text entry field and or screens including but not limited to:

• The ability to scan the barcode on the medication and offender’s wristband/ badge to provide an electronic recording of the actual medication administration date, time, and nurse’s initials.


• For specialty units such as a psychiatric unit housing offender without wristbands/badges, the system allows for manual entry of an offender’s number.

• Injection location can be charted. • Capability of printing a paper med pass list in an easy-to-use grid

format, sorted by offender and unit, and providing all medications and administration times. (Note: This is an especially efficient way to inform staff of offenders who need to report to the med line for stock medications.)

• A list of offenders missed during regularly scheduled med pass, making it easy to identify which offenders need to be called down to receive their medications.

• The ability for your staff to indicate reasons a medication was not administered (e.g., offender refused or dropped, offender no shows, out to court).

• Throughout the med pass process, the system informing you the percentage completion of the med pass, by entire population and by individual cellblock.

• For remote med pass or in areas without Wi-Fi, working off-line with a laptop and synchronizing later when Internet access is restored.

• The ability to archive 24 hours of previous med pass information, in cases of power outage and Internet down times.

3 The MAR should also have a comment section (up to 500 characters) for specialty instructions. A

When ordering medications, Centricity allows providers to add Instructions as well as Comments in regards to each specific medication. The eMAR also has the ability to add additional information whether the inmate is administered or not administered their medication.

4

The MAR shall record the time/date of medication administration, to whom the medication was administered, and who administered the medication. A

The eMAR records all pertinent information during the medication administration. Including a date/time stamp of the administration, the inmate that the medication was administered to, the user who administered the medication, as well as the location. All of this information is reportable.

5 The Solution shall include the ability to record an electronic inmate signature on the MAR to verify receipt of the medication A

Centricity includes the ability to integrate an electronic signature pad for offenders and/or healthcare staff to sign paperwork and consent forms as well as the ability to generate an electronic signature for users.

Off-Site Documentation

1 The Solution shall track inmate transports to off-site facilities such as court and medical appointments.

A

As part of Centricity’s interface with VT DOC’s Offender Management System, JailTracker, Centricity will be able to have real time, bi-directional communication related to information such as accepting new bookings, moves, status’ and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc. Fusion’s interface with JailTracker


will allow users to track and review any transports to off-site facilities.

2 The Solution shall track inmate leave status, including the type of leave and the times inmates came and left the building.

A

As stated in the response above, As part of Centricity’s interface with VT DOC’s Offender Management System, JailTracker, Centricity will be able to have real time, bi-directional communication related to information such as accepting new bookings, moves, status’ and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc. Fusion’s interface with JailTracker will allow users to track and review any transports to off-site facilities.

3

The Solution shall note physical attributes of the inmate when the inmate travels outside of the facility but remains in the care and custody of the DOC.

A Fusion has Form Templates available for users to note physical attributes of inmates prior to any offsite referrals as well as on their return to the facility.

Laboratory Requirements

1

The Solution shall support managing routine laboratory functions, including receipt and managing of doctor’s orders for laboratory work, support for tracking in-house laboratory testing and results, and tracking routing select orders to outside laboratories and importing results from them.

A


• Excellence in product functionality and continued development • Adherence to interface standards • Provision of the services and tools required to implement

interfaces • Partnerships with other information system vendors

When it comes to interfaces with 3rd party systems such as lab and radiology, results are identified by an InmateID to create a seamless and fluid data push bringing significant value to the client in terms of increased quality of care delivered, reduced time to perform critical tasks and reduced risk of litigation. Labs are ordered from the ordering template, either as its own encounter or more typically during some sort of checkup. Once the lab is ordered, the group and/or individual responsible for scheduling and collecting is notified. Once the offender’s lab draw is completed, a label is printed out for the specimen container. Specimens are then sent to the contract lab vendor, in this case BioReference who we have worked with on numerous occasions. Lab results are then sent back into Centricity via the interface, results are processed and automatically matched back to the inmate using the InmateID. Once results are imported into the EHR, such as lab results, flags can be


automatically generated to notify individuals that the results are available for further review and/or sign off.

2 The systems shall display the laboratory tests and values/results received in human readable format

A

As stated in the response above, Labs are ordered from the ordering template, either as its own encounter or more typically during some sort of checkup. Once the lab is ordered, the group and/or individual responsible for scheduling and collecting is notified. Once the offender’s lab draw is completed, a label is printed out for the specimen container. Specimens are then sent to the contract lab vendor, in this case BioReference who we have worked with on numerous occasions. Lab results are then sent back into Centricity via the interface, results are processed and automatically matched back to the inmate using the InmateID. Once results are imported into the EHR, such as lab results, flags can be automatically generated to notify individuals that the results are available for further review and/or sign off.

3 The systems shall attribute, associate, or link a laboratory test and value/result with a laboratory order and inmate record.

A

As stated in the response above, Labs are ordered from the ordering template, either as its own encounter or more typically during some sort of checkup. Once the lab is ordered, the group and/or individual responsible for scheduling and collecting is notified. Once the offender’s lab draw is completed, a label is printed out for the specimen container. Specimens are then sent to the contract lab vendor, in this case BioReference who we have worked with on numerous occasions. Lab results are then sent back into Centricity via the interface, results are processed and automatically matched back to the inmate using the InmateID. Once results are imported into the EHR, such as lab results, flags can be automatically generated to notify individuals that the results are available for further review and/or sign off.

4 The systems shall store laboratory tests and values/results.

A

Once the lab results are sent back into Centricity via the interface, results are processed and automatically matched back to the inmate using the InmateID. These results then become a permanent part of the Inmate’s medical record.

5 The Solution shall support alerting clinical staff when lab results or other medical metrics are outside normal criteria. A

Once results are imported into the EHR, such as lab results, flags can be automatically generated to notify individuals that the results are available for further review and/or sign off.

6 The Solution shall support creation of sets of commonly grouped laboratory orders. A

Generating orders is one of the single most productive, and important, workflows within Centricity. Centricity provides VTDOC with all of the necessary components to streamline clinical charting and delivery within a


correctional healthcare environment. Preconfigured order sets can be used to streamline the order entry process. In addition, recurring orders can also be placed. Customized order sets can be set up by the provider as well. If the order sets are standardized across the entire organization, these will be documented in the business process analysis and will collaborate with VTDOC on setup.

7

The Solution shall support sending data to and from laboratories for laboratory testing as well as the ability to track laboratory results over time for individual inmates.

A

Labs are ordered from the ordering template, either as its own encounter or more typically during some sort of checkup. Once the lab is ordered, the group and/or individual responsible for scheduling and collecting is notified. Once the offender’s lab draw is completed, a label is printed out for the specimen container. Specimens are then sent to the contract lab vendor, in this case BioReference who we have worked with on numerous occasions. Lab results are then sent back into Centricity via the interface, results are processed and automatically matched back to the inmate using the InmateID. Once results are imported into the EHR, such as lab results, flags can be automatically generated to notify individuals that the results are available for further review and/or sign off.

8

The systems shall electronically receive and incorporate clinical laboratory tests and values/results in accordance with the standard specified in § 170.205(j) and, at a minimum, the version of the standard specified in §170.207(c)(2).

A

Centricity’s laboratory interface will send orders to and results from BioReference and will populate directly to/from the offender’s chart.

9

The systems shall display all the information for a test report that complies with CMS regulations found at 42 CFR 493.1291(c)(1) through (7).

A Centricity displays all the information for a test report that complies with CMS regulations found at 42 CFR 493.1291(c)(1) through (7).

Emergency Documentation

1

The Solution shall include the ability to document Emergency Involuntary Procedures such as segregation, restraints, or emergency medication. This shall include the ability to document de-escalation procedures used before the EIP was ordered and document the enactment of a plan to protect the inmate, other inmates and other staff.

A

Fusion delivers built-in corrections-specific functionality and pre- existing content to plan for discharges. Centricity offer both external and internal transfer/discharge templates depending on the type of transfer. It allows clinicians to denote whether the transfer was voluntary/involuntary and/or what treatment had been completed. In addition, varying documentation can be added to the medical record such as a discharge summary and discharge risk assessments. With regards to transfers, Centricity stores multiple levels of housing granularity, so a transfer may be from one bunk to another, one floor to another, one pod to another, one building to another, etc. The client decides how to use the granularity to describe their specific group of facilities and the internal layout of each. Transfers enable the sending facility to move all open activities, including tasks associated with an offender from the


sending location to the receiving location to help ensure continuity of care.

2

The Solution shall have the ability to emergently generate a Facesheet, Summary of Assessment and Care, and Code Documentation as part of the transfer of care to EMS personnel.

A

Centricity can also exchange offender health information with external systems in CCD (Continuity of Care Document) or CCR (Continuity of Care Record) format. Users can generate export, import, and display CCD documents for offenders with charts in the Centricity database. CCD documents can be given to the officer or offender on an encrypted jump drive or other storage device or sent by secure clinical messaging to another provider so they can import it into their system. The XML-Formatted documents can also be opened in a Web browser window and printed.

Consultation Functionality

1 The Solution shall include the ability to record a consultant assessment, findings, and recommendations.

A

Any user with access to Centricity has the ability to record an assessment, findings, and recommendations into an inmate’s chart. If the Consultant does not have access, the user can document their findings and all the information can be scanned into centricity to become aan official document in the inmate’s medical record. Centricity’s document management tool allows prisons to easily scan paper documents and correctly index them directly into the offender 's chart, of which they become a permanent part. Any documents created outside of the EHR can easily be scanned and attached to an offender record in the EHR, allowing for one cohesive record and reducing the need for physical storage space. In addition, users can retrieve indexed documents such past medical charts, HIPAA release, or physician transcription – among others - with a single click. This tool, called DocuTrak, provides built-in support for importing observations terms, routing documents, and leveraging Centricity security permissions.

2

The Solution shall have a template for consultant staff (optometrists, psychologists, internists, neurologist and other specialists).

A

Centricity provides VTDOC with over 2,000 corrections-specific encounter templates many of which adhere to NCCHC, ACA, and/or PBNDS Standards. Centricity also has over 500 additional encounter templates of various specialty and subspecialty clinical workflows. Working with seven other State DOC’s allows VTDOC to have ‘out-of-the-box’ options for all healthcare services. Forms will be identified during the implementation phase. Centricity’s encounter templates support administrative, nursing, pharmacy and licensed provider job functions, including discipline specific templates that incorporate clinical practice guidelines, including:

- OB/GYN - Internal Medicine - Adolescent Medicine


- Respiratory Therapy - Psychiatry/Mental Health - Dental - Substance Abuse/Addiction Services - Orthopedic Consultation and Follow-up - General Surgery Consultation and Follow-up - Podiatry - Optometry - Physical Therapy - Infectious Disease - Endocrinology

Various specialty encounters exist, including but not limited to:

- Cardiology - Surgical Oncology - Dermatology - Dialysis - Urology - Rheumatology - Neurology - Gastroenterology - Nephrology - Hematology/Oncology - Otolaryngology - Pulmonary - Speech Pathology - Neurosurgery - Vascular Surgery - Neurophysiology

In addition, each of the providers that work within the application have their own unique preference custom list for offender charts which include a medication list, problem list, orders list and allergies.

3

The Solution shall have a template to electronically document their specialty assessment findings (e.g. neurological exam for neurologists, affective or cognitive assessment inventories for psychologists, etc.). A

As stated in the above response, Centricity provides VTDOC with over 2,000 corrections-specific encounter templates many of which adhere to NCCHC, ACA, and/or PBNDS Standards. Centricity also has over 500 additional encounter templates of various specialty and subspecialty clinical workflows. Working with seven other State DOC’s allows VTDOC to have ‘out-of-the-box’ options for all healthcare services. Forms will be identified during the implementation phase. These forms include templates for specialty encounters for use by neurologists and psychologists.


Inmate Discharge Functionality

1 The Solution shall include the capability to record discharge information. The discharge checklist and summary shall be configurable.

A

Fusion delivers built-in corrections-specific functionality and pre- existing content to plan for discharges. Centricity offer both external and internal transfer/discharge templates depending on the type of transfer. It allows clinicians to denote whether the transfer was voluntary/involuntary and/or what treatment had been completed. In addition, varying documentation can be added to the medical record such as a discharge summary and discharge risk assessments.

2 The Solution shall support the creating and faxing of letters to referral sources. A

Centricity has the ability to preview, print or fax confidential documents to referral sources with the appropriate permissions. All of which is recorded and auditable by administrators.

3 The Solution shall support sending electronic prescriptions or faxes to the external pharmacies.

A

Centricity has the ability to discharge medications to external pharmacies. As part of a typical discharge process, discharge medications are prepared for the offender to either be released with medications or to go to a community pharmacy to have a prescription filled.

4 The Solution shall support printing prescriptions that comply with CMS’ requirements regarding tamper-resistant prescription pads. A

Centricity has the capability for users to print on tamper-resistant prescription pads. During the implementation phase Fusion would need to configure the sizing and metrics to fit accordingly.

5

The Solution shall interface with the pharmacy when an inmate is scheduled to be discharged from the facility so that appropriate medications can be released.

A

Fusion will develop specific interfaces to external systems as part of this project. Several interfaces for this project have already been developed, and for those that haven’t, Fusion will configure, code, and test all application, application extensions, data conversion, and data acquisition/interfaces once agreed upon between both Fusion and VTDOC. Fusion will have an interface with the Pharmacy Management System, Boswell, the systems will be able to have real time, communication related to medication information. Fusion delivers built-in corrections-specific functionality and pre- existing content to plan for discharges. Centricity offer both external and internal transfer/discharge templates depending on the type of transfer. Centricity has the capability to print or copy any documents for any offender. This includes the Discharge Summary which can be provided for the offender or other health care providers that can include all pertinent offender data i.e. Active Medications, Problems, Mental Health History, etc.

6

The Solution shall generate a customizable discharge report, known as the “Discharge Summary” or “Continuity of Care Document” that is customizable. C

Fusion delivers built-in corrections-specific functionality and pre- existing content to plan for discharges. Centricity offer both external and internal transfer/discharge templates depending on the type of transfer. It allows clinicians to denote whether the transfer was voluntary/involuntary and/or what treatment had been completed. In addition, varying documentation can


be added to the medical record such as a discharge summary and discharge risk assessments. Centricity has the capability to print or copy any documents for any offender. This includes the Discharge Summary which can be provided for the offender or other health care providers that can include all pertinent offender data i.e. Active Medications, Problems, Mental Health History, etc. Centricity can also exchange offender health information with external systems in CCD (Continuity of Care Document) or CCR (Continuity of Care Record) format. Users can generate export, import, and display CCD documents for offenders with charts in the Centricity database. CCD documents can be given to the officer or offender on an encrypted jump drive or other storage device or sent by secure clinical messaging to another provider so they can import it into their system. The XML-Formatted documents can also be opened in a Web browser window and printed. Fusion will provide VTDOC with our Out of The Box templates and during the implementation phase the templates can be configured to meet the DOC’s needs.

7

The Solution shall record the location in which the inmate was discharged to (0.5/0.75 house, shelter, other non-DOC facility, home, etc.).

A

As part of Centricity’s interface with VT DOC’s Offender Management System, JailTracker, Centricity will be able to have real time, bi-directional communication related to information such as accepting new bookings, moves, status’ and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc. Fusion’s interface with JailTracker will allow users to track and review inmates’ locations.

8

Through an interface to the Offender Management System, the Solution shall include the ability to record customizable inmate release statuses. A

As part of Centricity’s interface with the OMS, Centricity will be able to have real time, bi-directional communication related to information such as accepting new bookings, moves, status’ and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc.

9 The Solution shall support detailed discharge planning, including community providers referred to and their areas of expertise.

A

Centricity is extremely efficient in handling the discharge planning process for offenders in addition to generating referrals, alerts and reports to those who need to complete components to the discharge planning process. By leveraging the protocols module, Centricity has the capacity to identify a discharge protocol where once an offender is identified to be discharged, they will be assigned to the specific protocol where individuals associated to the discharge planning process will be notified. Fusion will provide VTDOC with our Out of The Box templates and during the implementation phase the templates can be configured to meet


the DOC’s needs.

CPOE Requirements

1 The Solution shall include the ability to utilize CPOE to order blood, urine and other laboratory tests, specialty consults, nursing orders, imaging requests and medication orders.

A

Centricity has a powerful yet easy to use Ordering Component. Lab, radiology, specialty consults, nursing orders, etc are organized into Custom Order Lists that are easily created and tailored. Orders can be entered manually or be a part of Automated Protocol Driven Care – making ordering extremely fast and efficient. Once orders are entered, they are seamlessly routed to the appropriate department, person or provider for completion. Every step of the ordering process is monitored for safety and compliance.

2

The Solution shall include the ability to utilize Computerized Order Review to alert staff to new orders, review and acknowledge orders, and mark new orders as completed.

A

As stated in the above response, Centricity has a powerful yet easy to use Ordering Component. Lab, radiology, specialty consults, nursing orders, etc are organized into Custom Order Lists that are easily created and tailored. Orders can be entered manually or be a part of Automated Protocol Driven Care – making ordering extremely fast and efficient. Once orders are entered, they are seamlessly routed to the appropriate department, person or provider for completion. Every step of the ordering process is monitored for safety and compliance. Centricity’s Orders Manager provides VTDOC with a task management functionality to help manage offender care within a correctional environment. Track upcoming and overdue services such as follow up care, sick call, labs, blood glucose tests, specialty services, etc. by order date, priority, or any other key filters. Fusion Order Manager is easily customizable to meet your clinical needs. The Orders Completion Assistant allows for an automated workflow in the completing of an Order once the end documentation has been received. Documents with a status of Unsigned appear on the clinician’s Desktop needing review and signature. For example, a Lab Report comes in from the interface with the lab vendor. When the clinician attempts to Sign the document, a window appears illustrating all the incomplete Orders that have matched the data represented on the unsigned document. The window allows the user to complete the necessary Orders as the signing workflow occurs.

3 The Solution shall use CPOE to order medications to be administered to inmates.

A

Centricity offers a fully integrated clinical order entry (CPOE) and electronic medication administration record (eMAR) solution that contains components that work together. Centricity comes with CPOE - Medication ordering component, a powerful medication ordering component that gives the provider every tool to order medication safely and


efficiently. Med ordering is one step away from most clinical screens. Centricity has a full allergy and medication interaction system which will alert the provider if they are creating orders which may have adverse reactions to the offender. Drug – Drug, Drug – Food, Drug – Allergy, Drug – Diagnosis, Dose Range Checking, Weight Based Dosing, Dosing Calculator and more alerts are inherent Centricity. The system can also be configured to allow the alert to be overwritten where documentation is created as to the cause of such. In addition, reports can be developed to review causes for why providers overrode the alert. Centricity’s CPOE offers Eligibility Checking, Formulary Checking with suggested alternatives, Diagnosis Association, flexible selection of Custom Med Order list, easy real-time updating of Custom Med List, adding new Problem from Med Ordering component and more.

4

The Solution shall generate medication orders, synthesizing a recommended medication based on available medication formularies.

A

Centricity’s CPOE offers Eligibility Checking, Formulary Checking with suggested alternatives, Diagnosis Association, flexible selection of Custom Med Order list, easy real-time updating of Custom Med List, adding new Problem from Med Ordering component and more. Centricity also comes with, Formulary Manager, which seamlessly integrates the State’s preferred or customized drug list within Centricity. If end users prescribe a medication that is off the formulary they are notified and can be provided preferred or alternative medications. The Formulary Manager platform allows you to easily manage your preferred formulary with updates taking a matter of moments.

5 The Solution shall populate applicable data from the inmate chart into the medication order. A Centricity inherently pulls data from the inmate’s chart into the medication

order. Including but not limited the inmate’s allergies, problems, etc.

6 The Solution shall record, track, and route various types of orders generated by the physician or other prescribers.

A

Centricity has a powerful yet easy to use Ordering Component. Lab, radiology, consults are organized into Custom Order Lists that are easily created and tailored. Orders can be entered manually or be a part of Automated Protocol Driven Care – making ordering extremely fast and efficient. Once orders are entered, they are seamlessly routed to the appropriate department, person or provider for completion. Every step of the ordering process is monitored for safety and compliance.

7 The Solution shall notify providers of new or unreviewed laboratory and imaging results as well as consultant's notes.

A

When it comes to interfaces with 3rd party systems such as lab and radiology, results are identified by an OffenderID to create a seamless and fluid data push bringing significant value to the client in terms of increased quality of care delivered, reduced time to perform critical tasks and reduced risk of litigation.


Labs are typically ordered during the encounter’s workflow with lab draws and Ask On Collection (AOCs) being managed through Fusion’s Lab Requisition system. Once the lab is ordered, the group and/or individual responsible for scheduling and collecting is notified. Once the offender’s lab draw is completed, a label is printed out for the specimen container. Specimens are then sent to the contract lab vendor, in this case BioReference, who we have worked with on numerous occasions. Lab results are then sent back into Centricity via the interface, results are processed and automatically matched back to the offender using the Offender’s Permanent ID number. Once results are imported into the EHR, such as lab results, flags can be automatically generated to notify individuals that the results are available for further review and/or sign off.

8

The Solution shall include decision support mechanisms that interact with other subsections of the chart to determine and prevent administration of medications known to produce sensitivities, allergies, and interaction errors. A


9

The Solution shall generate non-medication orders, such as 1:1 observation, close observation, infirmary admission and discharge, q15m observation, q60m observation and general observation, activity privileges (such as "yard usage").

A

A wide variety of orders are included in Centricity, including screens to order recurring tasks for nursing, like vital signs monitoring, treatments, detox monitoring, and wound care. There is also the ability to order labs and referrals to other disciplines (mental health, dental, ob/gyn) within the facility, and also orders relating to the correctional setting directly, including housing placement orders for medical or mental health housing, restrictions work duty due to medical reasons, etc. Recurring orders can also be placed, and custom orders can also be created and saved for ease of use to the end user. Regarding the offender’s Orders, we can see all the details concerning the following 3 Order Types: Service, Tests, and Referrals can be viewed.

10 The system shall meet the NCCHC standards P-D-04 and MH-D-04 for CPOE.

A

Fusion, along with the Centricity EHR solution, is the largest EHR provider to State Department of Corrections in the United States. Centricity provides VTDOC with over 2,000 corrections-specific encounter templates many of which adhere to NCCHC, ACA, and/or PBNDS Standards. In addition to having out of the box content, VTDOC can also modify existing forms or develop new ones to meet any special requirements on documentation. Centricity is a Certified Electronic Health Record (CEHR) system provides


every functionality that meets and exceeds all requirements in this RFP.

Forms to be Electronically Signed

1 The Solution shall record inmate signature collectively accepting or refusing a list of notices. The list shall be configurable to meet the DOC's needs. A

Centricity includes the ability to integrate an electronic signature pad for offenders to sign paperwork and consent forms as well as the ability to generate an electronic signature for users. It also has the ability to customize the forms for the electronic signature. Centricity’s out of the box forms include refusals, consents, etc.

2

The Solution shall support generation of required forms for responsible party review and signature (e.g., financial status updates, consumer rights information, authorizations for treatment, etc.) as well as remind staff of due dates for completion. A

When a user has completed all necessary medical record documentation for the particular encounter the user has the ability to sign the document, route the document to a user or a user group. When routing documents, the user has the ability to require specific actions and the priority of the action required. The user routing the document can Require Action, require a Signature, or require Review by another user.

Data Exchanges

1 The Solution shall support Interface and Data Exchange Capabilities within DOC and to external organizations.

A


5. Excellence in product functionality and continued development 6. Adherence to interface standards 7. Provision of the services and tools required to implement

interfaces 8. Partnerships with other information system vendors

Results are processed and automatically matched back to the offender using the OffenderID. As part of the interface development, Fusion will identify both inbound and outbound data elements to be extracted. Centricity’s LinkLogic interface engine can exchange any set of data required and have successfully done so for each and every one of our clients regardless if a COTS OMS system was used or if it was developed as a home-grown solution internally.

Fusion will develop specific interfaces to external systems as part of this project. Several interfaces for this project have already been developed, and for those that haven’t, Fusion will configure, code, and test all application, application extensions, data conversion, and data acquisition/interfaces once agreed upon between both Fusion and VT DOC. Fusion understands that VT DOC would like for the following interfaces to be developed, as stated in the RFP:



• Boswell (Pharmacy) – orders of new medications entered into the EHR will go directly to the pharmacy vendor.

• BioReference (Lab) – orders to and results from multiple laboratory vendors must populate directly to/from the offender’s chart.

• MobilexUSA (Radiology) - orders for external imaging and links to new images must populate directly to/from the offender’s chart.

• Vermont Health Information Exchange (HIE) - outbound diagnostic lab/image orders & inbound results; outbound consultation orders and inbound clinical encounter notes/orders; inbound inpatient encounter notes and discharge orders; inbound ER clinical encounter notes and discharge orders.

In addition to automatically uploading files directly into the offender’s chart via electronic interfaces with various 3rd party systems, Centricity robust interface capabilities, paper documents can also be scanned and indexed to the offender’s chart as well.

2

The Solution shall provide the interfaces and data exchanges requested by the DOC in “Enhanced Data Sharing for DOC,” found in Appendix 5.24, Tab H of the RFP for comprehensive healthcare services.

A

As stated in the response above, Fusion will develop specific interfaces to external systems as part of this project. Several interfaces for this project have already been developed, and for those that haven’t, Fusion will configure, code, and test all application, application extensions, data conversion, and data acquisition/interfaces once agreed upon between both Fusion and VT DOC. Fusion understands that VT DOC would like for the following interfaces to be developed, as stated in the RFP:


• Boswell (Pharmacy) – orders of new medications entered into the EHR will go directly to the pharmacy vendor.

• BioReference (Lab) – orders to and results from multiple laboratory vendors must populate directly to/from the offender’s chart.


• MobilexUSA (Radiology) - orders for external imaging and links to new images must populate directly to/from the offender’s chart.

• Vermont Health Information Exchange (HIE) - outbound diagnostic lab/image orders & inbound results; outbound consultation orders and inbound clinical encounter notes/orders; inbound inpatient encounter notes and discharge orders; inbound ER clinical encounter notes and discharge orders.

In addition to automatically uploading files directly into the offender’s chart via electronic interfaces with various 3rd party systems, Centricity robust interface capabilities, paper documents can also be scanned and indexed to the offender’s chart as well. Please refer to the Innovative Reform Initiatives – Enhanced Data Sharing for DOC for a detailed description.

3 The system shall be able to process and import data including, but not limited to, a comma separated file format. A Centricity provides capability of viewing reports online within the EHR or

importing/exporting data to PDF, word, excel or CSV format.

4

The system shall be configurable for 15-minute increment, daily, weekly, or monthly scheduled imports from external data sources or timeframes currently contained in the Electronic Health Record System.

A

Centricity offers powerful interoperability and imports and exports data using interfaces. HL7-compliant inbound and outbound data exchange interfaces are built-in to Centricity. Centricity is capable and is currently utilized in numerous correctional settings to exchange data in real time through direct database connection through secure VPN tunnels, through FTP/SFTP as well as numerous other delivery methods. This scalable, robust system will be able to meet all current and future organizational needs. Fusion is capable of building interfaces with 3rd party vendors to exchange data in real time. If the State prefers scheduled imports based on time intervals, Fusion can configure scheduled data dumps based off the States requirements.

Management and Reporting Functionality


1 The Solution shall include an ad-hoc report-writer interface that is comprehensive and easy to use.

A

Centricity is a completely ‘out-of-the-box’ EHR system for correctional health. Centricity’s foundation is extremely robust, capable of reporting on any and all data entered into the system. Reports can be run both ad-hoc for simple querying of statistical information as well as having the capability to develop a complicated, analytical report for advanced forecasting. Ad-hoc reports, or ‘inqueries’ allow for instant access to clinical data that is available in the Chart module. Unlike Reports, the average user can customize an Inquiry to meet a specialized need in the moment. For example, you’d like a list of all offenders on a specific medication. Or, you’d like a list of clinical providers who have more than 15 documents that are not signed on their Desktop. Ad-hoc reports are extremely easy to use and anyone at the end user level will be able to create and/or modify these kinds of reports.

2 The Solution shall include a report-writer interface that supports all regulatory reporting requirements.

A

Centricity is compatible with any ODBC-compliant report writer to create custom reports, Crystal Reports is recommended. Crystal Reports is the basis of all of the standard Centricity reports. Using Crystal Reports together with Centricity provided data schema information, custom reports can be designed and imported into Centricity for direct use within Centricity. Such imported reports appear to the user alongside the Centricity-provided reports. Writing custom reports requires a staff member of moderate technical ability who has some comfort with SQL queries and macro-level programming. Fusion offers classes in Crystal Reports specific to the Centricity data schema.

3 The Solution shall include a report-writer interface that allows users to save reports to a library of commonly used reports.

A

Centricity is compatible with any ODBC-compliant report writer to create custom reports, Crystal Reports is recommended. Crystal Reports is the basis of all of the standard Centricity reports. Using Crystal Reports together with Centricity provided data schema information, custom reports can be designed and imported into Centricity for direct use within Centricity. Such imported reports appear to the user alongside the Centricity-provided reports. Writing custom reports requires a staff member of moderate technical ability who has some comfort with SQL queries and macro-level programming. Fusion offers classes in Crystal Reports specific to the Centricity data schema.

4 The Solution shall include a report-writer interface with the ability to run reports in batches at scheduled times.

A

Crystal Reports is the basis of all of the standard Centricity reports. Using Crystal Reports together with Centricity provided data schema information, custom reports can be designed and imported into Centricity for direct use within Centricity. Such imported reports appear to the user alongside the Fusion-provided reports. Writing custom reports requires a staff member of moderate technical ability who has some comfort with SQL queries and macro-level programming. Fusion offers classes in Crystal Reports specific to the Centricity data schema. These reports can be


scheduled to be run periodically (Daily, weekly, monthly, temporarily for a range of dates).

5 The system shall be able to export datasets in formats including but not limited to Excel, comma delimited, and fixed width. A Centricity provides capability of viewing reports online within the EHR or

saving/exporting the reports to PDF, word, excel or CSV format.

6 The Solution shall have the ability for reports to export to Microsoft Excel, Word, and Adobe PDF. A

As stated in the response above, Centricity provides capability of viewing reports online within the EHR or saving/exporting data to PDF, word, excel or CSV format.

7 The Solution shall include the capability to support all state and other externally mandated reporting requirements for providers in all states in which the organization operates.

A

Centricity is a completely ‘out-of-the-box’ EHR system for correctional health. Centricity’s foundation is extremely robust, capable of reporting on any and all data entered into the system. Reports can be run both ad-hoc for simple querying of statistical information as well as having the capability to develop a complicated, analytical report for advanced forecasting. From simple inquiries which can be developed and managed by staff (with appropriate permissions) to complete access to the database for comprehensive analysis and reporting by your database team, Fusion provides our clients with the tools needed to obtain meaningful information out of Centricity. During the Implementation Phase, Fusion will work with the DOC to confirm that all mandated reporting requirements are met.

8 The Solution shall have a management reporting dashboard to help monitor key strategic and operational metrics.

A

Centricity provides summary information in graphical view. It displays crucial clinical, financial, and operational data in a format that is easily interpreted using charts and graphs. The dashboard application pulls data from the database in real time and updates each of its associated charts.

9 The Solution shall support management efforts to manage clinical

staff productivity by recording requirement productivity standards and supporting reporting and dashboard capabilities for managing actual productivity in comparison to requirements.

A

Centricity prioritizes risk groups, aligns resources to population needs, and measures performance to drive early interventions within priority offender populations. Assess Population Risk


Data Enhancement. offender data from the EHR is constantly refreshed and augmented with third party sources, creating a complete and accurate offender profile. Risk Stratification. Calculate population risk using multiple data types (HCC, HRA, hospital and pharmacy), and create cohorts that align population health with resources, program objectives, and financial outcomes. Population Registries. Segment populations based on risk factors and treatment opportunities, using the latest evidence-based clinical guidelines, integrated into the software. Identify Cohorts Pre-Built & Configurable Filters. Rapidly segment the offender population based on condition, current risk, projected risks, demographics, and other parameters, eliminating manual segmentation, and reducing the need for data analysts or IT support. Automatic Cohort Assignment to Central Worklist. Automatically assign offenders to the appropriate clinical or administrative program in Centricity, supporting best practice workflows and reducing variations in care. Targeted Communications at Scale. Issue batch communications for services due or share a patient-friendly version of the care plan based on selected parameters in the population registry, improving offender understanding and reducing gaps in care. Measure Performance Payer Contract Reporting (If Applicable). Reporting dashboards surface information on performance in risk-based contracts, including specific attributes with the greatest potential impact on financial success. Provider Performance Benchmarking. Dashboards give visibility to create success benchmarks and goals based on individual, group, or organizational outcomes.

10 The Solution shall support required reporting of, or the ability to extract data for, the core and quality measures to the DOC’s regulatory, contract compliance, and accreditation agencies.

A

Centricity is a completely ‘out-of-the-box’ EHR system for correctional health. Centricity’s foundation is extremely robust, capable of reporting on any and all data entered into the system. Reports can be run both ad-hoc for simple querying of statistical information as well as having the capability to develop a complicated, analytical report for advanced forecasting. From simple inquiries which can be developed and managed by staff (with appropriate permissions) to complete access to the database for comprehensive analysis and reporting by your database team, Fusion provides our clients with the tools needed to obtain meaningful information out of Centricity.


CQI reporting can also be defined and implemented and will require input from the State as to the reportables. Centricity has had immense success as a complete correctional EHR. Clinical Quality Reporting (CQR), an optional add-on, offers a fully integrated MU reporting solution for Centricity EHR. CQR is a cloud-hosted platform that allows quick and easy access to view provider performance against Meaningful Use clinical quality measures, as specified by Office of the National Coordinator of Health IT (ONC) within CMS. Data is sent to a sophisticated database that normalizes and processes the raw data. Performance is tracked for individual offenders, providers, and multiple organizational hierarchies to focus clinical quality improvement efforts. Protected health information (PHI) is incorporated into this platform; security of your offender data is a core element of CQR and the environment enables you to comply with privacy regulations. With Centricity, VTDOC can visualize its progress toward achieving CQI measures at the provider and patient level. Advanced visual dashboarding calls attention to measures requiring improvement first with the ability to link back into individual EHR records to focus improvement efforts. These reports, combined with your review and verification of the data accuracy and completeness, help move towards achievements in CQI. Centricity's quality improvement and reporting tools provide timely clinical information about problems like diabetes, myocardial infarction, strokes, hypertension, congestive heart failure, and other costly, chronic conditions that are targeted in many pay-for- performance initiatives. By feeding quality metrics data back into care team workflow, you have easy access to more clinical information to manage specific conditions and populations—and enhance the quality of care. Centricity’s reporting capabilities include, but are not limited to the following: • Provides flexible query tools capable of building complex queries

with multiple conditions • Capable of running queries and reports on demand (ad hoc),

scheduling to be run at another time, or scheduling to be run periodically (Daily, weekly, monthly, temporarily for a range of dates)

• Capable of automatically sending scheduled reports via secure email or SFTP

• Provides capability of viewing reports online within the EHR or saving to PDF, word, excel or CSV format


• Running any query, canned or standard report does not degrade system performance

• Provides a standard patient summary report that prints out key clinical data such as problems, medications, allergies, current orders, labs and vitals

• System reports are written in a standard reporting tool (i.e. Microsoft SQL Reporting Services or Crystal Reports)

• Provides detailed and summary security audit reports that may be used to track activity by provider, by offender, and by activity type

• Provides data warehouse functionality (cross- patient reporting, statistical analysis, data mining, etc.)

• All data in the system including metadata is available for reporting • A comprehensive audit report that includes all chart access activities

including print, fax and export actions on chart documents that would be performed by staff as part of normal “healthcare operations” in HIPAA terminology

11

In addition to the standard system reports, the system shall allow users to create automated reports as agreed upon by the State and the Contractor.

A

Centricity is a completely ‘out-of-the-box’ EHR system for correctional health. Centricity’s foundation is extremely robust, capable of reporting on any and all data entered into the system. Reports can be run both ad-hoc for simple querying of statistical information as well as having the capability to develop a complicated, analytical report for advanced forecasting. From simple inquiries which can be developed and managed by staff (with appropriate permissions) to complete access to the database for comprehensive analysis and reporting by your database team, Fusion provides our clients with the tools needed to obtain meaningful information out of Centricity. CQI reporting can also be defined and implemented and will require input from the State as to the reportables. Centricity has had immense success as a complete correctional EHR. Crystal Reports is the basis of all of the standard Centricity reports. Using Crystal Reports together with Centricity provided data schema information, custom reports can be designed and imported into Centricity for direct use within Centricity. Such imported reports appear to the user alongside the Fusion-provided reports. Writing custom reports requires a staff member of moderate technical ability who has some comfort with SQL queries and macro-level programming. Fusion offers classes in Crystal Reports specific to the Centricity data schema. These reports can be scheduled to be run periodically (Daily, weekly, monthly, temporarily for a


range of dates).

Quality Assurance Functionality 1 The System shall provide fields, as defined by the State, required

for the continuous quality improvement (CQI) program based on the National Commission on Correctional Health (NCCHC) essential and important standards for same, as well as selected measures from National Commission on Quality Assurance-Health Evaluation Data Information Set (NCQA-HEDIS), the Centers for Medicaid and Medicare Services (CMS).

A

Centricity is a completely ‘out-of-the-box’ EHR system for correctional health. Centricity’s foundation is extremely robust, capable of reporting on any and all data entered into the system. Reports can be run both ad-hoc for simple querying of statistical information as well as having the capability to develop a complicated, analytical report for advanced forecasting. From simple inquiries which can be developed and managed by staff (with appropriate permissions) to complete access to the database for comprehensive analysis and reporting by your database team, Fusion provides our clients with the tools needed to obtain meaningful information out of Centricity. CQI reporting can also be defined and implemented and will require input from the State as to the reportables. Centricity has had immense success as a complete correctional EHR. Clinical Quality Reporting (CQR), an optional add-on, offers a fully integrated MU reporting solution for Centricity EHR. CQR is a cloud-hosted platform that allows quick and easy access to view provider performance against Meaningful Use clinical quality measures, as specified by Office of the National Coordinator of Health IT (ONC) within CMS. Data is sent to a sophisticated database that normalizes and processes the raw data. Performance is tracked for individual offenders, providers, and multiple organizational hierarchies to focus clinical quality improvement efforts. Protected health information (PHI) is incorporated into this platform; security of your offender data is a core element of CQR and the environment enables you to comply with privacy regulations. With Centricity, VTDOC can visualize its progress toward achieving CQI measures at the provider and patient level. Advanced visual dashboarding calls attention to measures requiring improvement first with the ability to link back into individual EHR records to focus improvement efforts. These reports, combined with your review and verification of the data accuracy and completeness, help move towards achievements in CQI. Centricity's quality improvement and reporting tools provide timely clinical information about problems like diabetes, myocardial infarction, strokes, hypertension, congestive heart failure, and other costly, chronic conditions that are targeted in many pay-for- performance initiatives. By feeding


quality metrics data back into care team workflow, you have easy access to more clinical information to manage specific conditions and populations—and enhance the quality of care. Centricity’s reporting capabilities include, but are not limited to the following: • Provides flexible query tools capable of building complex queries

with multiple conditions • Capable of running queries and reports on demand (ad hoc),

scheduling to be run at another time, or scheduling to be run periodically (Daily, weekly, monthly, temporarily for a range of dates)

• Capable of automatically sending scheduled reports via secure email or SFTP

• Provides capability of viewing reports online within the EHR or saving to PDF, word, excel or CSV format

• Running any query, canned or standard report does not degrade system performance

• Provides a standard patient summary report that prints out key clinical data such as problems, medications, allergies, current orders, labs and vitals

• System reports are written in a standard reporting tool (i.e. Microsoft SQL Reporting Services or Crystal Reports)

• Provides detailed and summary security audit reports that may be used to track activity by provider, by offender, and by activity type

• Provides data warehouse functionality (cross- patient reporting, statistical analysis, data mining, etc.)

• All data in the system including metadata is available for reporting • A comprehensive audit report that includes all chart access activities

including print, fax and export actions on chart documents that would be performed by staff as part of normal “healthcare operations” in HIPAA terminology

2

The Solution shall support an Internal Staff Alert and Messaging Solution to the organization's clinical and administrative staff either directly or via an interface with Microsoft Outlook. A

Alerts and flags allow users to securely communicate with any other authorized health staff member. Internal communications can easily be accommodated via the integrated tasking, alerts, and email functionalities, which are linked to role-based permission sets that are configured by your System Administrator.


3 The system shall have data fields to input and store CQI, operational efficiency, and Pay for Performance (P4P) program data.

A

Centricity's quality improvement and reporting tools provide timely clinical information about problems like diabetes, myocardial infarction, strokes, hypertension, congestive heart failure, and other costly, chronic conditions that are targeted in many pay-for- performance initiatives. By feeding quality metrics data back into care team workflow, you have easy access to more clinical information to manage specific conditions and populations—and enhance the quality of care.

4 The System shall be compliant with all current (2008 and 2014) and future NCCHC standards for jails and prisons. A Yes, Centricity shall be compliant with all current and future NCCHC

standards for jails and prisons. 5 The Solution shall support customization of values in data elements

(e.g. labelling code 11 v. code 12 admissions). A

Centricity is an exceptionally customizable product, tailored to boost your organization’s efficiency. Centricity is based on physician input and has the built-in ability to customize forms and functions to meet the organization’s needs.

Other Health Services Requirements

1

The system shall meet the criteria for 2014 Meaningful Use (MU) Ambulatory Criteria. Criteria can be found at http://www.cms.gov/Regulations-and- Guidance/Legislation/EHRIncentivePrograms/Stage_2.html and http://www.gpo.gov/fdsys/pkg/FR-2012-09-04/pdf/2012-20982.pdf

A

Centricity is a Certified Electronic Health Record Technology (CEHRT) for the 2015 Edition (CHPL ID: 15.04.04.2902.Cent.12.00.1.171016) in accordance with the definition provided 45 CFR Part 170.102 as defined by the Office of the National Coordinator for Health Information Technology (ONC). Having the 2015 certification at a time where very few EHRs have the 2014 certification showcases and attests both Centricity EHR and Fusion’s commitment to healthcare IT excellence.

2

The System shall meet the 2014 Edition EHR Certification General Criterion. These criterion can be found at http://healthcare.nist.gov/use_testing/finalized_requirements.html

A

As stated in the response above, Centricity is a Certified Electronic Health Record Technology (CEHRT) for the 2015 Edition (CHPL ID: 15.04.04.2902.Cent.12.00.1.171016) in accordance with the definition provided 45 CFR Part 170.102 as defined by the Office of the National Coordinator for Health Information Technology (ONC). Having the 2015 certification at a time where very few EHRs have the 2014 certification showcases and attests both Centricity EHR and Fusion’s commitment to healthcare IT excellence.

3

The system shall integrate physical, behavioral, mental, pharmacy, dietary, lab functions, and care coordination in a single system. These features and functions shall be present in the initial system.

A

Centricity is a fully integrated, one-for-all EHR system inclusive of medical, behavioral health, dental, optometry, electronic medication administration capabilities and numerous other clinical documentation tools that offers you a cost-effective, flexible Commercial-Off-The-Shelf (“COTS”) solution in compliance with Centers for Medicare and Medicaid Services (“CMS”) regulations, the Health Information Portability and Accountability Act (“HIPAA”), ICD-10 and is compatible to meet and exceed VTDOC’s goals and the functional requirements detailed in this RFP. Centricity is also a Certified Electronic Health Record Technology (CEHRT) 2015 as defined by the Office of the National Coordinator for Health Information Technology (ONC). Centricity is the EHR system VTDOC needs to make day-to-day operations easier and more efficient.


http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Stage_2.html

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Stage_2.html

http://www.gpo.gov/fdsys/pkg/FR-2012-09-04/pdf/2012-20982.pdf

http://healthcare.nist.gov/use_testing/finalized_requirements.html

There is no other corrections-centric EHR system which can support the quality of care to offenders like Centricity. Centricity provides VTDOC with over 2,000 corrections-specific encounter templates many of which adhere to NCCHC, ACA, and/or PBNDS Standards. Centricity also has over 500 additional encounter templates of various specialty and subspecialty clinical workflows. Centricity meets VTDOC’s requirements in that Centricity encompasses primary, specialty and clinic scheduling capabilities and will provide VTDOC with:

• Improved clinical effectiveness and improved healthcare for offenders

• Improved communication among providers • Decreased records supply and storage requirements • Increased process efficiency • Enhanced clinical/financial/management reporting

4 The system shall integrate utilization management, using InterQual and other relevant criteria, in a single system.

A

Centricity supports numerous approval work flows such as non-formulary medications, non-formulary labs, off-site referrals, peer reviews, treatment plan approvals, lab result review/approvals, etc. Centricity provides a tasking and approval queue to support activities that require review and approval before completion. We have numerous out of the box workflows; however clients have the ability to create and add entirely new workflows into approval queues using Visual Form Editor. Centricity’s comprehensive alerts and triggers functionality combine to allow clients enforce their business rule, such as document sign off or order approvals. For example, Utilzation Review can easily be conducted by the appropriate individuals to conduct case management services for key encounters as outlined by VTDOC. If the DOC prefers to utilize InterQual, an interface can be developed to share information with Centricity.

5

The Solution shall have data fields populated from the OMS interface to view individual inmate exact daily housing designation (cell and restriction level specific).

A

Fusion will develop specific interfaces to external systems as part of this project. Including but not limited to VTDOC’s OMS system JailTracker / Harris. Fusion will configure, code, and test all application, application extensions, data conversion, and data acquisition/interfaces once agreed upon between both Fusion and VTDOC. Through Fusion’s interface with JailTracker, the systems will share data including accepting new bookings, moves, and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc.


Centricity ensures that all pertinent offender identifiers are stored and made useful in the EHR. While inside the offender’s Chart, the Banner containing demographic information about the offender, along with the offender’s picture will be seen. During the implementation phase Fusion will work with the DOC to define what information will be displayed on the Inmate’s banner from the OMS interface.

6

The system shall have data fields populated from the OMS interface to notify users of items including, but not limited to, Special Needs, Alerts, Holds, Medical or Mental Health Conditions or Accommodations, in accordance with P-E-03 and MH-E-03.

A

Through Fusion’s interface with JailTracker, the systems will share data including accepting new bookings, moves, and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc.

Centricity ensures that all pertinent offender identifiers are stored and made useful in the EHR. While inside the offender’s Chart, the Banner containing demographic information about the offender, along with the offender’s picture will be seen. During the implementation phase Fusion will work with the DOC to define what information will be displayed on the Inmate’s banner from the OMS interface. In addition to the information that will be displayed in the inmate’s banner, Care alerts can allow users to be notified of any special needs, medical/mental conditions, etc. Care Alerts are special kinds of Flags that are connected to a offender chart. They allow you to remind yourself or notify other users of care-related information for a specific offender. A Care Alert is visible in the offender’s chart as long as it is active and can have start and expiration dates. Critical Care Alerts can also be set to “Popup” whenever the offender’s chart is opened.

7

The system shall have data fields to input, store, and, if applicable, import data for documentation of health benefit plan information including, but not limited to, the name of the insurer, coverage type, group/policy number, expiration date, and other information necessary for filing a claim if applicable, or determining health coverage upon release as defined by the State. Any additional requirements identified by the State that are not contained in the system will require a Change Order. A

The user interface for Centricity EHR was developed based on extensive input from physicians, designed to be intuitive and reduce the number of clicks all the way from patient registration through clinical evaluation. The resulting solution is one that physicians will want to adopt, and one with which your agency can integrate with minimal disruption to your workflow. In addition, Centricity’s patient engagement tools streamline patient/clinic communications and give patients round-the- clock access to portal services allowing the City to free up staff with patient self-registration, allowing patients to register online and new patients to enroll online. Centricity allows users to record valuable data needed for financial and compliance reporting, to determine a family’s federal poverty level for use in calculating a sliding fee, and to successfully file claims electronically to


Medicare, Medicaid, and other private and public insurance entities.

8

The systems shall store, display, and permit changes in the appropriate movement code (M-Code) to ensure that inmates for whom transfer would interfere with treatment planning or whose medical or mental health condition would be negatively affected are not transferred without approval of medical or mental health in accordance with NCCHC standards P-E-10 and MH-E-08. A

As part of Centricity’s interface with VT DOC’s Offender Management System, JailTracker, Centricity will be able to have real time, bi-directional communication related to information such as accepting new bookings, moves, status’ and releases along with other demographic information including pictures as well as sending log information of treatment, procedure, appointment, med pass, etc. Fusion’s interface with JailTracker will allow users to track and review any transports to off-site facilities. Fusion will develop a Bi-Directional interface with VTDOC’s OMS system which will allow certain information sent from the EHR to the OMS.

9

The Solution shall permit the ordering of “Medical Diets.” The list of available “Medical Diets” will be customizable for the DOC. The Solution application shall provide the ability to document meals.

A

Centricity provides robust dietary management to assure that the correct nutrition care plan, referrals, and diet orders are always associated to an offender’s chart when applicable. Through the use of Centricity’s protocols feature, users can be alerted of any specific dietary needs or constraints for additional clinical decision support. In addition, Centricity has a full allergy and medication interaction system which will alert the provider if they are creating orders which may have adverse reactions to the offender. The system can also be configured to allow the alert to be overwritten where documentation is created as to the cause of such. In addition, reports can be developed to review causes for why providers overrode the alert. Centricity has multiple forms specific for establishing, regulating, and tracking special diets. The Diet Order Log is very comprehensive and allows the user to add allergies and place dietary orders for the offender directly through the form. The form will show any prior allergies the offender has, the length of time you want the offender to be on the diet, as well as any special instructions. Medical Diets can be configured to meet the States goals.

10 The system shall utilize a standardized workflow to increase inmate care and decrease errors.

A

The design of Centricity supports VT DOC’s goals and enables the State to achieve its objectives. Centricity will dramatically increase your organization’s efficiencies for your inpatient and outpatient services, including but not limited to annual exams/initial intake screenings, clinic visits, chronic disease monitoring, telemedicine, vaccine records, sick call triage, medication administration, mental health and discharge planning for offenders. Centricity incorporates familiar charting methodologies to speed offender encounters, such as default charting, charting by exception, picklists and checkboxes. For example, a provider can click one button to indicate all of an offender’s systems are normal. In addition, protocols can be set up to


automate workflows. For example, if a score of X is calculated during a PREA encounter, a referral will be generated to the individual/group for follow up. Visual Form Editor can easily be used to customize protocols and alerts to meet your unique needs.


PART 4: NON- FUNCTIONAL REQUIREMENTS The tables below list the State’s Non-Functional Requirements. Indicate if your proposed solution complies in the “Comply” column.

Yes = the solution complies with the stated requirement. No = the solution does not comply with the stated requirement. N/A = Not applicable to this offering.

Describe how the requirement is met in the “Vendor Description of Compliance” column.

4.1 Hosting

ID # Non-Functional Requirement Description Comply Vendor’s Description of Compliance

H1 Any technical solution must be hosted in a data center.

YES

Fusion offers the flexibility of remotely hosting Centricity in our data centers. Hosting allows you to enjoy the benefits of Centricity without having to install, configure, and maintain an internal server. Our hosting option also gives you the ability to move the system in-house at a future point based on your business needs. Our Tier III Data Center, located in Philadelphia, PA is our primary ASP hosting site. We also use our backup Data Centers strategically located in low-threat areas throughout the continental United States. The data centers all are SSAE-18 audited and are ISO22301, SOC-2, PCI DSS and HIPAA compliant, among others.

H2 Any hosting provider must provide for back-up and disaster recovery models and plans as needed for the solution.

YES

Fusion is a partner of TierPoint, who provides information technology and data center services. The company offers TierPoint Cloud, an Infrastructure-as-a-Service (IaaS) that includes public, private, multi-tenant, and hybrid deployments for production, disaster recovery, and backup services. Its services include colocation, cloud computing, backup and business continuity, managed security, and professional services. TierPoint infrastructure is built on best-in-class technology and backed by a dedicated team of cloud experts. TierPoint hosted and public cloud solutions helps our clients improve performance, manage costs, maintain compliance and enable disaster recovery.

H3 Any hosting provider will abide by ITIL best practices for change requests, incident management, problem management and service desk.

YES

The ITIL framework implemented by Fusion and our hosting provider follows a set of best practices that describes how IT resources will be organized to deliver business value, process documentation, and ITSM. Fusion’s ITIL cover the following areas, including:

• Incident management • Change management • Problem management • Service-level management • Continuity management • Configuration management


• Release management • Capacity management • Financial management • Availability management • Security management • Help desk management • Knowledge management


4.2 Application Solution

ID # Non-Functional Requirement Description Comply Vendor’s Description of Compliance

A1 Any solutions vendor must provide for the backup/recovery, data retention, and disaster recovery of a contracted/hosted application solution.

YES

Backup Procedures Centricity offers full and incremental backup solution on a daily basis within the data center environment with adjustable frequency to the tolerance level of DOC’s desire and performance configuration of the server array. Time to restore will be a function of the volume of data being restored and the performance of the storage area environment. Offsite backups, log shipping and server clustering are available to the extent of the clients’ needs and scope of project. Hot backups are conducted daily with snapshots of the database taken as well. The database backup is then archived for up to 90 days to allow for full restoration. In addition, transaction logs are also created consistently which allow for rapid recovery should the event arise. There are also 4 Hour Incremental Hot Backups with zero (0) downtime. Recovery procedures are tested to ensure restoration procedures are operational. In addition, testing will be conducted with DOC’s archived data to the testing environment to ensure that both the backups work as designed as well as to ensure recent test data is available. Should system modifications be performed between the scheduled recovery tests, one will be conducted immediately before the planned update/upgrade as well as following the commitment of the updates to the system. Should data need to be restored, the length of time to restore will vary on the size of the restoration; from minutes for a partial restore to up to 2-3 hours for a full system restore. Disaster Recovery As part of your Centricity implementation, a disaster recovery plan will be created whereby the location of the backup data as well as the method which the backups are created will be decided. Our co-location sites will be used as our offsite disaster recovery location. Natural disasters and emergencies will failover to Fusion’s Disaster Recovery facility. Centricity provides industry best-practice for HIPAA compliant high-availability clinical data at rest and network security solutions. Our data centers are SSAE-18 audited and pass all HIPAA and PHI security measures. Centricity is certified with MS Server, SQL and VMWare to allow industry standard High Availability, DR strategies, tools, process and procedures that secure industrial internet solutions. Centricity has dual/redundant infrastructure


for network, switches, routers, servers, etc. in order to maximize uptime capabilities. Centricity’s scalable and highly redundant infrastructure provides a multi-site load balanced architecture to ensure high availability, business continuity and disaster recovery. The system includes built-in redundancy so that in case of a power failure or hardware issue at the primary data center, a duplicate backup is activated and the network’s function is not interrupted. Centricity’s average uptime has been 99.99% in the last twelve months and that is what we strive to achieve.

A2 Any solutions vendor must provide for application management and design standard of all technology platforms and environments for the application solution (Development, Staging, Productions, DR, etc.)

YES

Fusion typically sets up three separate environments when the system is initially installed; development, training and production. The intended use of each is given in its name. A best practice communicated to the client is to build all new or updated content in the Development environment. Once it has been completed it is moved into the Test environment for testing and certification by some combination of staff that typically includes a few end users. Once it has been certified, it is scheduled and moved into the Production environment where it immediately becomes available to all users. This will ensure that any bugs/issues are addressed prior to commitment of the update to ensure minimal disruption to the client. This model is the same whether the system is self-hosted or vendor-hosted.

A3 Any solutions vendor must engage the State of Vermont using Service Level Agreements for system and application performance, incident reporting and maintenance.

YES

To help us manage your support issues, Fusion’s Support Services uses a three-tiered priority system to log your application support service requests. To help manage technical support issues, clients are asked to identify the priority of the issue according to the following guidelines. Fusion encourages you to report Emergency and High issues by telephone because of the escalated response time. Fusion’s average percentage of first call resolutions is at 95%. Below are Fusion’s standard support tiers and response times: Incident Level 3 – Immediate Initial Response Contact Methods: Fusion Support Line & Fusion Help Desk Portal (24x7) Incident Level 2 – Immediate to 8-hour initial response Contact Method: Fusion Help Desk Portal (24x7) Incident Level 1– Immediate to 24 business hour response. Contact Method: Fusion Help Desk Portal (24x7)

A4 The State owns any data they or their Contractor enter, migrate, or transmit into the solution and the vendor shall allow the State to pull or copy this data at any time free of charge.

YES

The State will own any and all data entered, migrated, or transmitted into Centricity. There is no charge for the State pull or copy this data at any time considering they will own the system.


A5 As a contract deliverable, the vendor shall supply an up-to- date data dictionary that represents all data respective of the solution it will provide. The data dictionary must contain the following attributes:

1. The technology (RDBMS platform) that hosts the data

source, i.e. Oracle, SQL Server, MySQL, DB2, etc. 2. The location where the data source is hosted 3. Thorough descriptions of each table in the data source 4. Thorough descriptions of each column within each

table in the data source. In addition to business definitions, column descriptions must include the following detail: schema names; file group names (if applicable); data types; lengths; primary and foreign key constrains; applied formatting; applied calculations; applied aggregations; NULL-ability; default values.

YES

Fusion provides a full data dictionary and documentation of the entire database schema within Centricity.


4.3 Security As a solution vendor, you must have documented and implemented security practices for the following and have a process to audit/monitor for adherence. Indicate “Yes” or “No” in the “Comply” column or “N/A” if the requirement is not applicable to this offering. Use the “Vendor Description of Applicable Security Processes” column to describe how you meet the requirement and the “Audit/Monitor” column to indicate how you monitor for compliance.

ID # Non-Functional Requirement

Description Comply Vendor’s Description

of Applicable Security Processes Audit/Monitor Process

S1 Input validation

YES

Fusion validates and tests against injections as part of its content development standards. In addition, fields can handle a variety of input validations that include or limit special characters and validate and prompt the user for inputs that are outside of normal ranges

Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software products, software process, and services offered allow us to assess compliance with specifications, standards, contractual agreements, and other criteria.

S2 Output encoding

YES

All outputted data is designated with security that follows best practices including security group management and encryption.


S3 Authentication and password management

YES

The first line of security is user authentication to first log in to the system. Centricity uses Active Directory. The Active Directory user name and password are the credentials used to log into the network/workstation. User passwords are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash algorithm. The logon ID and password are stored and maintained in the Microsoft Windows Active Directory, often on a separate server, as well as in the Centricity EHR database. You must maintain logon IDs and passwords using Active Directory maintenance tools. Your IT staff can manage your application users and groups and their credentials for you in Active Directory. All Microsoft User IDs and Passwords will be the exact same information used to sign into Centricity. Centricity provides the capability of using Active Directory via LDAP to create and disable

Centricity is able to detect security-relevant events that it mediates and generate audit records for them. The events include the following, among others: start/stop, user login/logout, session timeout, account lockout, patient record created/viewed/updated/deleted, scheduling, query, order, node-authentication failure, signature created/validated, PHI export such as print, PHI import, and security administration events. The system is responsible for auditing security events that it mediates. A mediated event is an event that the system has some active role in allowing or causing to happen or has opportunity to detect.


new users in the system, as well as for user authentication, warning of password expiration and password change. State staff can use their active logins and passwords, saving them the hassle of having to maintain different User IDs and passwords. Centricity users log on to the application by logging into Active Directory (“to the network”) using a password. This way, users are not required to have both a network password and an application database password. With Active Directory, as needed, users can sign in and out with multiple user identities, without having to log in and out of the current user workstation logon. For organizations without Active Directory, Centricity also allows for the creation and management of users and their respective permissions, just as if it were tied into active directory. User authentication is an application process that verifies a logon ID and password entered by a user against the ID and password stored for that user. If a match is found, it helps assure that the person attempting to log into Centricity is who he or she claims. If a match is not found, the application blocks access to the application. User passwords are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash algorithm.

S4 Session management

YES

The system upon detection of inactivity of an interactive session prevents further viewing and access to the system by that session by terminating the session, or by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures. The inactivity timeout is configurable. Centricity enforces a limit of (configurable) consecutive invalid access attempts by a user. The system protects against further, possibly malicious, user authentication attempts using an appropriate mechanism, such as locking the account/node until released by an administrator, locking the account/node for a configurable time period, or delaying the next login

Centricity is able to detect security-relevant events that it mediates and generate audit records for them. The events include the following, among others: start/stop, user login/logout, session timeout, account lockout, patient record created/viewed/updated/deleted, scheduling, query, order, node-authentication failure, signature created/validated, PHI export such as print, PHI import, and security administration events. The system is responsible for auditing security events that it mediates. A mediated event is an event that the system has some active role in allowing or causing to happen or has


prompt according to a configurable delay algorithm

opportunity to detect.

S5 Access control

YES

Centricity EHR system is a comprehensive system that ensures compliance with applicable provisions of the Health Insurance Portability and Accountability Act (HIPAA). Additionally, as a CCHIT Certified® for Certification Commission for Healthcare Information Technology (CCHIT®) EHR, role-based securities apply down to the field level. Centricity enforces the most restrictive set of rights/privileges or accesses needed by users/groups, such as System Administration, Clerical, Nurse, Doctor, and so on, or processes acting on behalf of users, for the performance of specified tasks. Centricity provides the ability for authorized administrators to assign restrictions or privileges to users/groups. Centricity enables to associate permissions with a user using one or more of the following access controls: • User-based (access rights assigned to each user) • Role-based (users are grouped and access rights assigned to these groups) • Context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time-of-day, workstation-location, emergency-mode, and so on.)


S6 Cryptographic practices

YES

Fusion follows industry best practices for encrypting all aspects of the application in compliance with NIST.


S7 Error handling and logging

YES

Filed in Error is utilized only on Signed Documents when a portion, or the entire document is incorrect, and the entire document needs to be eliminated from the inmate’s chart. Filed in Error works with the whole document, not portions of the document. There is no functionality to File in Error a portion of the document and leave the rest intact.

To facilitate compliance with your healthcare organization’s security and privacy policies, Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, and other information such as report or document names, names of clinical values changed, and the value


changes. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging. Auditing of viewing, previewing, printing, and faxing non-confidential inmate information can be turned off, to reduce the scope of activity information logged and stored in the database. However, activity involving confidential documents and sensitive charts is always audited. Audit trail reports that come with Centricity include offender audit reports and user audit reports.

S8 Data protection from unauthorized use, modification, disclosure or destruction (accidental or intentional). YES

To facilitate compliance with your healthcare organization’s security and privacy policies, Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, and other information such as report or document names, names of clinical values changed, and the value changes.

All user activity is audited. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging. Audit trail reports that come with Centricity include inmate audit reports and user audit reports.

S9 Communication security

YES

A connected Department of Corrections is an efficient Department of Corrections. Integration and coexistence between staff and with other computer systems is an integral part of every Centricity installation. Communication across the enterprise and with other third-party vendors and agencies with which you work is often time sensitive and involves inmate safety. Centricity leverages standards-based interoperability and communication methods for compatibility with eachother and with other vendor solutions and devices. All data are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash Algorithm. SQL Server has built-in encryption capabilities for PHI data. It can encrypt both at rest and data in motion.

To facilitate compliance with your healthcare organization’s security and privacy policies, Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, and other information such as report or document names, names of clinical values changed, and the value changes. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging. Auditing of viewing, previewing, printing, and faxing non-confidential inmate information can be turned off, to reduce the scope of activity information logged and stored in the database. However, activity involving confidential documents and sensitive charts is always audited. Audit trail reports that come with Centricity include offender audit reports and user audit reports.


S10 System configuration

YES

Within Centricity, all data are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash Algorithm. SQL Server has built-in encryption capabilities for PHI data. It can encrypt both at rest and data in motion. AES encryption can be used for data at rest. SSL can be used for data in motion that is transferred between client workstations and the database server. Centricity provides encrypted passwords and encryption at the VPN level, Internet, Intranets, and wireless networks and devices. At the application level, Centricity heavily supports user login security, where a user’s login name and password must be entered before any application features are available for use. The system administrator may elect to invoke password encryption to further enhance security. Note: There is a single sign-on for Centricity. The system administrator can also establish password characteristics such as minimum length, requirement for alphanumeric format, and password expiration time. In addition, a quick logout/screen-locking facility is always available, as is an idle-user logout.

To facilitate compliance with your healthcare organization’s security and privacy policies, Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, and other information such as report or document names, names of clinical values changed, and the value changes. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging. Auditing of viewing, previewing, printing, and faxing non-confidential inmate information can be turned off, to reduce the scope of activity information logged and stored in the database. However, activity involving confidential documents and sensitive charts is always audited. Audit trail reports that come with Centricity include offender audit reports and user audit reports.

S11 Database security

YES

Database-level security is assured by Centricity’s use of SQL Server, an industry-leading relational database management system, for storing all offender information. This ensures all information is stored on the database server, which can be fully protected by the IT organization, with no offender data being stored on the desktop. Even if a PC is stolen, no offender data is exposed. The SQL Server database can be installed on a fully protected subsystem of a server, preventing malicious access by those attempting to “snoop” on the database. The database management system provides secure logon ID protection, allowing, for example:

• Read/write access only by the Centricity application and the Centricity merge/delete application



• Read-only access to data from third-party applications (such as report writers, statistical analysis packages, etc. for enterprise-wide reporting) under a single user ID/password, which can have very carefully controlled distribution within an organization

• Though the sniffing and interpretation of Centricity’s network packets is extremely difficult and time consuming, their physical security can be assured by using the SQL*Net driver, which can encrypt data prior to transfer across the network.

S12 File management

YES

Fusion uses SolarWinds monitoring to screen all servers and their disk size. The tool notifies us of any servers that need attention, or are growing at a rapid pace.


S13 Memory management

YES

Fusion uses SolarWinds to monitor all RAM usage on all systems and alerts the support staff of any critical issues.


S14 Fraud detection YES

Centricity provides the ability to provide a secure environment that can detect and block common security vulnerabilities through antivirus.

Vulnerability assessments are completed by Fusion on a regular basis.

S15 General coding practices

YES

Fusion develops its application following industry best practices in accordance to AGILE development.



S16 POA&M management

YES

Fusion utilizes A Plan of Action and Milestones in accordance with FISMA to outline our corrective action plan for tracking and planning the resolution of information security weaknesses.


S17 Risk Assessment Practices including but not limited to vulnerability assessment and pen testing

YES

Fusion’s approach to managing security risks are:

• security risk management is the business of each staff member

• risk management, including security risk management, is part of day-to-day business

• the process for managing security risk is logical and systematic, and should form part of the standard management process of the agency

• changes in the threat environment are continuously monitored and necessary adjustments made to maintain an acceptable level of risk and a balance between operational needs and security

Fusion’s ongoing security risk management process continuously monitors and identifies these security risks and allows use to quickly devise plans to address them. Fusion determines risk by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets. Fusion’s adoption of a comprehensive risk management approach covers all areas of protective security activity across our organization and our clients’, where we:

• establish the scope of any security risk assessment and identify the people, information and assets to be safeguarded

• determine the threats to people, information and assets, and assess the likelihood and impact of a threat occurring

Vulnerability assessments are completed by Fusion on a regular basis.


• assess the risk based on the adequacy of existing safeguards and vulnerabilities

• implement any supplementary protective security measures that will reduce the risk to an acceptable level.

S18 Incident response planning and testing

YES

We understand the corrections business because we only work in the corrections business. Fusion offers all clients with 24x7x365 US based support. Designated personnel can open a support ticket at any time via the provided and dedicated toll-free number or through our dedicated helpdesk portal. Our client support staff utilize a Customer Relationship Management (CRM) incident tracking software to collect initial incident information and track progress and status of reported incidents. Incident reporting should be assigned to a consistently available staff member, who is familiar with the incident reporting process and is familiar with the operation of the Centricity application in general, typically the initial Project Manager. Our team’s familiarity with your organization and the agreed upon SLA expedites the incident resolution time for all issues surrounding your agency.

To help us manage your support issues, Fusion’s Support Services uses a three-tiered priority system to log your application support service requests. To help manage technical support issues, clients are asked to identify the priority of the issue according to the following guidelines. Fusion encourages you to report Emergency and High issues by telephone because of the escalated response time. Fusion’s average percentage of first call resolutions is at 95%. Below are Fusion’s standard support tiers and response times: Incident Level 3 – Immediate Initial Response Contact Methods: Fusion Support Line & Fusion Help Desk Portal (24x7)

1. Centricity client will not launch for all users.

Fusion monitors and audits incident response times and resolution. Centricity provides proactive system monitoring and ITIL processes for change control and incident management. Incident resolution will be provided by support staff. Fusion’s customer support staff document all problem determination and resolution procedures in the CRM. Incident resolution will be validated by the client contact that made the initial report prior to Fusion’s support staff “closing” the incident. Please not that we will support only those applications represented on your software maintenance agreement. Issues related to hardware, operating systems, network, backup software, and other software should be addressed by your organization or the appropriate third-party vendor.


2. Fusion web applications (i.e. eMAR, Orders Manager…etc.) will not load for all users and the user has the appropriate security permissions to access the applications. 3. An incident where patient safety may be affected that was triaged by your facility superusers and/or IT.

* For fastest resolution, it is recommended that the client open a helpdesk ticket with the appropriate issue type as well as a call to our support line.

Incident Level 2 – Immediate to 8-hour initial response Contact Method: Fusion Help Desk Portal (24x7)

1. Interface related issues such as demographics not importing, lab results not importing or pharmacy message errors. 2. Defects relating to clinical content

(Centricity encounters/forms). 3. Component of the system not functioning as

designed.

Incident Level 1– Immediate to 24 business hour response. Contact Method: Fusion Help Desk Portal (24x7)

1. Functionality questions. 2. Clinical content or report enhancements. 3. Component of the system not functioning as

expected.

S19 System Security Plan delivery

YES

Fusion will deliver a System Security Plan (SSP). The purpose of our SSP is:

• To document the security requirements of the system and describe the controls in place or planned to meet all applicable State requirements and ultimately reduces the risk introduced by the system/application.

• To delineate responsibilities and expected behavior of all individuals who access the system.

• To establish and document the security controls, and form the basis for the

Fusion will coordinate with DOC for SSP review and sign off. Once the plan has been signed off on, Fusion will execute the agreed upon SSP.


authorization of individuals to perform security related activities in the system, supplemented by the Risk Assessment Report (RAR), Classification of Assets based on Risk Evaluation (CARE) and the Plan Of Actions and Milestones (POAM).

The objectives of our SSP are:

• To improve protection of information system resources.

• To document the protection of the system security.

• To respond to Internal and External system security Audits.

• To demonstrate documented compliance to state and federal mandates.


4.4 Other Non-Functional Requirements For each requirement listed, indicate if and how you comply or type “N/A” if it is not applicable to your offering.

ID # General Non-Functional Requirement

Description Comply Vendor’s Description

of Applicable Security Processes Audit/Monitor Process

General Requirements

G1.1 The Solution will provide a user interface that will be simple and consistent throughout all areas and functions of the Solution

YES

Built on the ease-of-use and familiarity of Microsoft Windows, Centricity EHR features an intuitive graphical user interface to streamline clinical documentation.

The design philosophy is heavily based on Microsoft’s Ribbon UI with a XAML grid based layout. Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software products, software process, and services offered allow us to assess compliance with specifications, standards, contractual agreements, and other criteria.

G1.2

The Solution will minimize the number of mouse clicks / user interaction to complete any action.

YES

Centricity is extremely efficient in getting users where they need to be in the minimal amount of clicks in order to ensure maximum efficiency. Users can easily jump between frequently accessed charts, as well as easily continue held documents all within one click. In addition, the quick text functionality allows for even greater efficiency. Users document within the visual form and can review the text form following completion of the update if they so wish. Centricity is also loaded with numerous keyboard shortcuts which can be customized to support greater navigation efficiency.


G1.3

The Solution will use a Graphical User Interface (GUI) to help the user navigate to the next logical step in the workflow (or freely navigate to other parts of the Solution functionality) and then allow the user to return to complete the in-process task.

YES

Built on the ease-of-use and familiarity of Microsoft Windows, Centricity EHR features an intuitive graphical user interface to streamline clinical documentation.

The design philosophy is heavily based on Microsoft’s Ribbon UI with a XAML grid based layout. Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software


products, software process, and services offered allow us to assess compliance with specifications, standards, contractual agreements, and other criteria.

G1.4

The Solution will speak the user’s language, with words, phrases, and concepts familiar to the user, rather than Solution-oriented terms.

YES

Centricity features automated workflows, pre-built templates and commands that work the way you do to help improve clinical effectiveness and efficiency and enable more informed clinical decision-making. The clinical content available in Centricity can easily be customized for use yet is also exceptional in providing a consistent clinical vocabulary across your agency.


G1.5

The Solution will allow the users to easily navigate to a variety of functions available to them without having to move sequentially through excessive menus and screens.

YES

Centricity is extremely efficient in getting users where they need to be in the minimal amount of clicks in order to ensure maximum efficiency. The overall navigation of the system is very intuitive, with primary navigation buttons always being in view regardless of where the user is in the system. Screens are organized by meaningful relationships. Centricity provides users with a familiar, problem-oriented format with a one-screen summary and detailed inmate information with a single click. In addition to pre-existing templates and system logic, customizations can easily be accommodated via Visual Form Editor, according to your needs.


G1.6

The Solution will include (at minimum) the following features and capabilities: a) Drill down and look up functionality to minimize re-entry of information across multiple screens b) Multi-tasking and multiple window capability, including split screens (logging in twice or once with 2 windows?) c) Search capabilities to allow retrieval by Provider, inmate, procedure code, or others as defined by the State.

YES

Centricity provides users with the following features and capabilities, among many others:

• Drill down and look up functionality to minimize re-entry of information across multiple screens

• Multi-tasking and multiple window capability, including split screens (logging in twice or once with 2 windows?)

• Search capabilities to allow retrieval by Provider, inmate, procedure code, or others as defined by the State.



G1.7

The Solution will support undo and redo (or provide onscreen confirmation/acceptance to the user to confirm a change that is permanent and cannot be "undone"). YES

Prompts appear throughout the system notifying users of permanent clinical list changes. Once a document is signed, the only way to change it is to ‘append’ the document.


G1.8

The Solution will follow standardized conventions and limit the use of words, situations, or actions that have multiple meanings. YES

Centricity provides standardized conventions and limits the use of words, situations, or actions that have multiple meanings.


G1.9

The Solution will eliminate error-prone conditions or check for them and present users with a confirmation option before they commit to the action. YES

Clinical decision support is provided in a number of ways throughout Centricity. Chronic care protocols, nurse protocols, alerts and triggers are among the chief mechanisms used by the system to provide this type of support. All of these mechanisms are fully editable by the client, so they can be tailored to the specific client needs and desired outcomes.


G1.10

The Solution will minimize the user’s memory load by making objects, actions, and options visible.

YES

Clinical decision support is provided in a number of ways throughout Centricity. Chronic care protocols, nurse protocols, alerts and triggers are among the chief mechanisms used by the system to provide this type of support. All of these mechanisms are fully editable by the client, so they can be tailored to the specific client needs and desired outcomes.


G1.11

The Solution will provide all user instructions in a visible or easily retrievable location, when appropriate.

YES

Centricity provides all user instructions in a visible or easily retrievable location, when appropriate.



G1.12

The Solution will allow the user to navigate to any functional component from a client landing page.

YES

Depending on user permissions, Centricity allows the user to navigate to any functional component from a client landing page.


G1.13 The Solution will alert the user with information relevant to required next steps.

YES

Centricity alerts the user with information relevant to required next steps. general alerts/flags, triggers can be implemented with DOC business rules behind all triggers and alerts that are client configurable as well, providing you the ability to be as self-sufficient as needed.


G1.14

The Solution will accommodate point and click selection and check box entry for all relevant data entries to ensure that the user does not have to enter textual data that may already be available to the Solution.

YES

Centricity accommodates point and click selection and check box entry for all relevant data entries to ensure that the user does not have to enter textual data.


G1.15 The Solution will provide field level on-screen edits with limited user override capabilities.

YES

Centricity provides field level on-screen edits with limited user override capabilities so long as the note has note been signed. Only users with the appropriate permissions can append a signed document.


G1.16

The Solution will not show fields not accessible to a given user based on access rights.

YES

Centricity supports multiple separate user privileges in registration, charts, flags, inquiry/reports, appointments, setup, etc. Additional privileges support multiple confidential document types as indicated by a user, such as mental health, STD, alcohol/drug abuse, and HIV/AIDS document types. These privileges can also be administered at two levels: per user or per role. That is, a standard set of roles, with associated privileges, can be defined

Centricity records all accesses to inmate clinical or registration data, by user and by date/time stamp. This provides traceability of which charts have been accessed by certain individuals, or who has accessed a particular offender’s data. A report on attempted and successful accesses to charts marked as Sensitive is also available. In this way, an organization can be confident that as long as user ID/password integrity is maintained,


and then those roles used to quickly and easily assign and maintain individual user rights. Role-based security applies down to the field level.

inappropriate accesses cannot be disguised.


G1.17

The Solution cursor will automatically advance to the next logical input field when the maximum allowed numbers of characters have been entered for the keyed field or when the user presses the "Enter" key.

YES

Users can press the ‘Tab Key’ to move onto the next field.


G1.18

The Solution will provide the option of having a selection from the drop-down boxes automatically take the user to the next field.

YES

Centricity’s clinical content guides the users through documentation by opening up new data fields which are dependent on answers previously documented within the encounter.


G1.19 The Solution will identify invalid entries to the user as immediately as possible.

YES

General alerts/flags, triggers can be implemented with DOC business rules behind all triggers and alerts that are client configurable as well, providing you the ability to be as self-sufficient as needed.


G1.20

The Solution will be designed to include only the necessary information and functionality on screens and will be based on the user’s access level and the user’s configuration.

YES

Centricity is designed to include only the necessary information and functionality on screens and will be based on the user’s access level and


G1.21

The Solution will be designed to include logical transitions between screens and level of detail during navigation.

YES

Centricity is designed to include logical transitions between screens and level of detail during navigation.



G1.22

The Solution will provide templates for data entry with identified mandatory and optional data fields.

YES

Centricity provides hard and soft stop functionality. Hard stops can be configured to DOC’s business rules to prohibit users from proceeding with the desired action until action is taken, whereas soft stops will alert the user of such action missing but does not mandate them to complete the task in order to continue on with their work.


G1.23

The Solution will allow incomplete data sets to be saved for completion of the workflow at a later time.

YES

Centricity allows for incomplete data sets to be saved for completion of the workflow at a later time.


G1.24 The Solution will highlight and flag required and incomplete data fields.

YES

Required data fields left incomplete will appear in red font.


G1.25

The Solution will include a graduated Solution of alert levels to allow users to determine urgency and relevancy.

YES

Centricity provides alert levels to allow users to determine urgency and relevancy


G1.26

The Solution will allow configuration of alerts by a user, for a user by a supervisor, and for a user by a Solution administrator.

YES

Users with appropriate privileges can create alerts and send such alerts to fellow staff members. Alerts can be setup as pop up alerts or care alerts and can either be attached to a user’s account or an inmate’s chart. Care Alerts are special kinds of Flags that are connected to an inmate chart. They allow you to remind yourself or notify other users of care-related information for a specific inmate. A Care Alert is visible in the inmate’s chart as long as it is active and can have start and expiration



dates. Care Alerts felt to be so important they should not be dismissed can also be set to “Popup” whenever the inmate’s chart is opened.

G1.27 The Solution will enable central workflow alerts and transactional status. The Solution will centralize pending work items for the user as in a "work queue."

YES

Centricity’s Orders Manager tool is a service queue that provides staff with the ability to effectively manage and schedule inmate care within a correctional environment. Track and manage upcoming and overdue services such as follow up care, sick call, labs, blood glucose tests, specialty services, etc. by order date, priority, or any other filter provided. Orders Management is easily customizable to meet your clinical needs.


G1.28

The Solution will have the capability to push messages to the intended workers without requiring them to specifically inquire for the data (inside the Solution). YES

Centricity provides a clinical messenger application to send a direct message to a specific user or group.


Audit and Compliance Requirements

G2.1

The Solution will maintain a record (e.g. audit trail) of all additions, changes, and deletions made to data in the Solution. This should be readily searchable by user ID or inmate ID. This must include, but is not limited to: - The user ID of the person who made the change - The date and time of the change - The information that was changed - The outcome of the event - The data before and after it was changed, and which screens were accessed and used.

YES

To facilitate compliance with your healthcare organization’s security and privacy policies, Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, and other information such as report or document names, names of clinical values changed, and the value changes. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging.

All user activity can be audited and reported on.


G2.2

The Solution will be able to detect security- relevant events that it mediates and generate audit records for them. At a minimum the events will include those listed here: -start/stop -user login/logout -session timeout -account lockout client record created/viewed/updated/deleted -scheduling -query -order -node-authentication failure -signature created/validated -Personally Identifiable Information (PII) Export -PII import -security administration events -backup and restore IRS 1075 and NIST 800- 53 moderate baseline rev 54

YES

Centricity is able to detect security- relevant events that it mediates and generate audit records for them. At a minimum the events will include those listed here: -start/stop -user login/logout -session timeout -account lockout client record created/viewed/updated/deleted -scheduling -query -order -node-authentication failure -signature created/validated -Personally Identifiable Information (PII) Export -PII import -security administration events -backup and restore IRS 1075 and NIST 800-

53 moderate baseline rev 54

Centricity provides industry best-practice for HIPAA compliant high-availability clinical data at rest and network security solutions. Information logged includes user and workstation IDs, user actions, date and time, and other information, such as clinical report or document names, names of clinical values changed, and the value changes. All user activity can be audited and reported on.

G2.3

The Solution will provide authorized administrators with the capability to read all audit information from the audit records in the following two ways: 1) The Solution will provide the audit records in a manner suitable for the user to interpret the information. The Solution will provide the capability to generate reports based on ranges of Solution date and time that audit records were collected. 2) The Solution will be able to export logs into text format in such a manner as to allow correlation based on time (e.g. Coordinated Universal Time [UTC].

YES

With the appropriate permissions, authorized administrators can have the capability to read all audit information from the audit records in the following two ways:

• Centricity will provide the audit records in a manner suitable for the user to interpret the information. Centricity will provide the capability to generate reports based on ranges of Solution date and time that audit records were collected.

• Centricity will be able to export logs into text format in such a manner as to allow correlation based on time (e.g. Coordinated Universal Time [UTC].


G2.4

The Solution will be able to perform time synchronization using NTP/SNTP, and use this synchronized time in all security records of time.

YES

Centricity can perform time synchronization using NTP/SNTP, and use this synchronized time in all security records of time.

Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software products, software process, and services offered


allow us to assess compliance with specifications, standards, contractual agreements, and other criteria.

G2.5

The Solution will have the ability to format for export recorded time stamps using UTC based on ISO 8601.

YES

Centricity provides the ability to format for export recorded time stamps using UTC based on ISO 8601.


G2.6

The Solution will prohibit all users read access to the audit records, except those users that have been granted explicit read access (only security administrators).

YES

Centricity features robust application security features. Permissions help manage access to offender information. In the application, users can be granted or denied permission to perform tasks. For example, you can deny a user permission to update a visit but allow that user to read visit information. Any task, like reading reports, adding a user, or deleting an offender, can be granted or denied for each user logon. Permissions may also be granted or denied on a group basis by assigning a user to a group. This grants to the user the permissions assigned to the group. For example, you can create an Office group and give it permission to read reports, or a Nurse group with permission to read charts. A user assigned to the Office group can read reports (unless denied on the user level, as explained later). A user assigned to the Nurse group can read charts (unless denied on the user level).


G2.7

The Solution will protect the stored audit records from unauthorized deletion. The Solution will prevent modifications to the audit records. YES

Centricity protects the stored audit records from unauthorized deletion. Centricity also prevents modifications to the audit records.



G2.8 The Solution will prevent modifications to the audit records.

YES

To facilitate compliance with your healthcare organization’s security and privacy policies, Centricity does not allow for modifications to audit records for security purposes.

Centricity monitors and logs many user activities, including user and workstation IDs, user actions, date and time, scanned documents and other information such as report or document names, names of clinical values changed, and the value changes. Changes to chart documents such as adding or changing clinical values or text are tracked via Document Contribution Logging. All user information and documentation is captured and audited.

G2.9 The Solution will provide logging, reporting, and accessing errors and exceptions.

YES

Centricity provides logging, reporting, and accessing errors and exceptions.


G2.10

The Solution will provide capability for integrating consent audit trails and data access audit trails in a consolidated searchable Solution for search/report to support consent rule enforcement or investigation including audit trails based on deprecated rules or policies.

YES

Centricity provides the capability for integrating consent audit trails and data access audit trails in a consolidated searchable Solution for search/report to support consent rule enforcement or investigation including audit trails based on deprecated rules or policies.


G2.11

The Solution will generate and protect consent audit events at the same or better levels as other data access audit records.

YES

Centricity can generate and protect consent audit events at the same or better levels as other data access audit records.


SLRs and Performance Requirements.


G3.1

The Solution response time (defined as the time elapsed after depressing an ENTER key (or clicking on a button that submits the screen for processing) until a response is received back on the same screen) during operations will be sub second average response time for 95 percent of the Real Time, search, and lookup queries (does not include ad hoc queries and analytics). Maximum response time will not exceed 15 seconds except for agreed-to exclusions.

YES

Centricity’s robust architecture allows for timely response times in all aspects of the system.


G3.2

The Solution will achieve performance for interactive transactions other than the reporting-related transactions above, conforming to the minimum acceptable performance standard of a 2 second average response time, for 95% of interactions.

YES

Centricity has dual/redundant infrastructure for network, switches, routers, servers, etc. in order to maximize uptime capabilities. Centricity’s scalable and highly redundant infrastructure provides a multi-site load balanced architecture to ensure high availability, business continuity and disaster recovery. The system includes built-in redundancy so that in case of a power failure or hardware issue at the primary data center, a duplicate backup is activated and the network’s function is not interrupted. Centricity’s average uptime has been 99.95% in the last twelve months and that is what we strive to achieve.


G3.3

The components of the Solution under Contractor control as delivered into production shall be available at a level agreed in the contract (the contracted target level of availability). This will be chosen from one of the three availability levels 99.9%, 99.95% or 99.99%. YES

Centricity has dual/redundant infrastructure for network, switches, routers, servers, etc. in order to maximize uptime capabilities. Centricity’s scalable and highly redundant infrastructure provides a multi-site load balanced architecture to ensure high availability, business continuity and disaster recovery. The system includes built-in redundancy so that in case of a power failure or hardware issue at the primary data center, a duplicate backup is activated and the network’s function is not interrupted. Centricity’s average uptime has been 99.95% in the last twelve months and that is what we strive to achieve.


G3.4

The Solution will be architected with no single point of failure, supporting a high-availability enterprise. YES

Centricity has dual/redundant infrastructure for network, switches, routers, servers, etc. in order to maximize uptime capabilities. Centricity’s scalable and highly redundant infrastructure provides a

Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software


multi-site load balanced architecture to ensure high availability, business continuity and disaster recovery.


G3.5

The Solutions hours of operations will be 24 hours per day, 7 days per week, and 365 days a year. YES

Fusion has implemented transactional and server monitoring. The application is monitored 24x7x365 by the command center team. Output of the Fusion monitoring allows Fusion to plan capacity management.

We’ve implemented a Capacity Management Plan which is reviewed on a monthly basis with the appropriate support teams.

G3.6

The Solution will be designed to support the planned Vermont Solutions and any anticipated expansion in scope of connectivity.

YES

Centricity is scalable up to 10,000 concurrent users. Centricity can be configured based on need to utilize multiple database and frontend servers for load balancing. Centricity provides migration tools to move components of the system, as well as the whole system itself to the latest architectures and technologies as they progress for both an on-premise or cloud hosted solution. This scalable, robust system will be able to meet all current and future State needs.


G3.7

The Solution Administration staffing requirements and workload should be minimally impacted with expanded Solution usage. YES

Centricity’s Administration staffing requirements and workload are minimally impacted with expanded software usage.


G3.8

The Solution must be built so that there is a near-linear relationship between each additional server added, and the additional load that can be accommodated (load vs. capacity added), up to specified limits. YES

The underlying system architecture uses a SOAP based client server model. This allows the server to remain lightweight and focus solely on retrieving, securing, and sending data to the client, while the Client can use its local processing power to render the UI. This model was chosen due to the efficient delegation of tasks. It allows the server to focus on processing of data, while the client queries it based on what the user wants.


G3.9

The Solutions Recovery Time Objective (RTO) will be within 1 hour. In case of a disaster that effects the DOC’s operations, the entire service will be restored within 1

YES

The Solutions Recovery Time Objective (RTO) will be within 1 hour. In case of a disaster that effects the DOC’s operations, the entire service will be restored within 1 hour.



hour. products, software process, and services offered allow us to assess compliance with specifications, standards, contractual agreements, and other criteria.

G3.10

The Solutions Recovery Point Objective (RPO) will be no more than 0.5 hour of data loss. In case of a disaster that effects the Care Management operations, 0.5 hour of data inputs to the Solution (but no more) may be lost and need to be re-entered.

YES

The Solutions Recovery Point Objective (RPO) will be no more than 0.5 hour of data loss. In case of a disaster that effects the Care Management operations, 0.5 hour of data inputs to the Solution (but no more) may be lost and need to be re-entered.


G3.11

The Solution will use fully redundant network and hardware. Hardware components (such as processor and memory) should have built- in redundancy to allow a second component to take over in the event of a failure in the primary component. Similarly, redundant paths should also exist for networks.

YES

Centricity has dual/redundant infrastructure for network, switches, routers, servers, etc. in order to maximize uptime capabilities. Centricity’s scalable and highly redundant infrastructure provides a multi-site load balanced architecture to ensure high availability, business continuity and disaster recovery.


G3.12

The Solution will leverage virtualization to expedite disaster recovery. Virtualization enables Solution owners to quickly reconfigure Solution platforms without having to acquire additional hardware.

YES

Centricity leverages virtualization to expedite disaster recovery. Centricity’s scalable and highly redundant infrastructure provides a multi-site load balanced architecture to ensure high availability, business continuity and disaster recovery.



G3.13

The Solution will have the ability to support either a Production and hot (real time replication) disaster recovery design or a multi-host site Production design that would allow one site to seamlessly be offline and the other site would maintain service without interruption.

YES

Centricity leverages industry-standard license(s) of Microsoft SQL Server Enterprise for the flexibility of the vast array of SQL Server disaster recovery performance tuning tools available in the IT industry. As a result, the industry best practice data loss prevention and recovery solutions will apply to Centricity’s product line. Daily full, incremental, differential and transaction log backups are available along with clustered databases hot and warm failover server solutions for full high-availability capabilities.


G3.14

The Solution will include a disaster recovery plan and provide contingency plans for client lookup capabilities and online collaboration in the event of a disaster.

YES

Disaster recovery plans are client/site specific. Fusion works with each client to develop a plan to meet the needs of the organization. If Fusion is to host Centricity, Fusion completes backups, as well as incorporates and maintains the disaster recovery plan for DOC. As part of your Centricity implementation, a disaster recovery plan will be created whereby the location of the backup data as well as the method which the backups are created will be decided. Our co-location is in Philadelphia which is used as our offsite disaster recovery location. Natural disasters and emergencies will failover to Fusion’s Disaster Recovery facility.


G3.15

The Solution will provide the ability to recover from data loss due to end user error and end application error.

YES

Recovery procedures are tested to ensure restoration procedures are operational. In addition, testing will be conducted with DOC’s archived data to the testing environment to ensure that both the backups work as designed as well as to ensure recent test data is available. Should system modifications be performed between the scheduled recovery tests, one will be conducted immediately before the planned update/upgrade as well as following the commitment of the updates to the system. Should data need to be restored, the length of time to restore will vary on the size of the restoration; from minutes for a partial restore to up to 2-3 hours for a full system restore.



G3.16

The Solution will provide the ability to perform archival/incremental backups and the ability to perform open/closed database backups. YES

Hot backups are conducted daily with snapshots of the database taken as well. The database backup is then archived for up to 90 days to allow for full restoration. In addition, transaction logs are also created consistently which allow for rapid recovery should the event arise. There are also 4 Hour Incremental Hot Backups with zero (0) downtime.


G3.17

The Solution will provide tools for managing an environment that supports both high availability and disaster recovery.

YES

Centricity is certified with MS Server, SQL and VMWare to allow industry standard High Availability, DR strategies, tools, process and procedures that secure industrial internet solutions.


G3.18

The Solution will have the capability of maintaining all data according to State- defined records retention guidelines (i.e. record schedule). General schedules can be found at: http://vermont- archives.org/records/schedules/general/. Specific retention disposition orders can be found at: http://vermont- archives.org/records/schedules/orders/. In general, document retentions range from 3 to 10 years. In addition to the above, note that health record data must be retained for a minimum of 7 years after Case closure.

YES

Centricity has the capability of maintaining all data according to State- defined records retention guidelines (i.e. record schedule).



http://vermont-archives.org/records/schedules/general/


http://vermont-archives.org/records/schedules/orders/


G3.19

The Solution will include the capability to maintain all images and electronic documents according to state defined document retention guidelines (i.e. record schedule). General schedules can be found at: http://vermont- archives.org/records/schedules/general/. Specific retention disposition orders can be found at: http://vermont- archives.org/records/schedules/orders/. In general, document retentions range from 3 to 10 years.

YES

Centricity includes the capability to maintain all images and electronic documents according to state defined document retention guidelines (i.e. record schedule).


G3.20

The Solution will provide on-line access of all active cases and up to 24 months for closed cases.

YES

Centricity can provide on-line access of all active cases and up to 24 months for closed cases.


G3.21

All software developed and delivered by the Contractor must be free of viruses, malware, backdoors

YES

The quality assurance team has developed a comprehensive test plan that includes sophisticated, automated regression, and coverage testing processes. Our QA lab executes the test plan on every software release to ensure that a highly reliable application is delivered for support and maintenance in all supported platform environments. The implementation for VTDOC will maintain a test environment to maintain test and implementation standards appropriate to their environments.


G3.22

The service providers Help Desk Mean Time to Restore Severity Level 1 will take no longer than 4 clock hours from notification.

YES

To help us manage your support issues, Fusion’s Support Services uses a three-tiered priority system to log your application support service requests. To help manage technical support issues, clients are asked to identify the priority of the issue according to the following guidelines. Fusion encourages you to report Emergency and High issues by telephone because of the escalated response time. Fusion’s average percentage of first call resolutions is at 95%.







Below is Fusion’s standard Severity Level 1 support response times: Incident Level 3 – Immediate Initial Response Contact Methods: Fusion Support Line & Fusion Help Desk Portal (24x7)

G3.23

The service providers Help Desk Mean Time to Restore Severity Level 2 will take no longer than 8 clock hours from notification.

YES

To help us manage your support issues, Fusion’s Support Services uses a three-tiered priority system to log your application support service requests. To help manage technical support issues, clients are asked to identify the priority of the issue according to the following guidelines. Fusion encourages you to report Emergency and High issues by telephone because of the escalated response time. Fusion’s average percentage of first call resolutions is at 95%. Below is Fusion’s standard Severity Level 2 support response times: Incident Level 2 – Immediate to 8-hour initial response Contact Method: Fusion Help Desk Portal (24x7)


G3.24

The service providers Help Desk Mean Time to Restore Severity Level 3 will take no longer than 24 hours (calendar day) from notification.

YES

To help us manage your support issues, Fusion’s Support Services uses a three-tiered priority system to log your application support service requests. To help manage technical support issues, clients are asked to identify the priority of the issue according to the following guidelines. Fusion encourages you to report Emergency and High issues by telephone because of the escalated response time. Fusion’s average percentage of first call resolutions is at 95%. Below is Fusion’s standard Severity Level 3 support response times:




G3.25

All priority 3 or higher defects (testing defects) resulting from software development activities shall be resolved by the Contractor prior to the software being delivered for User Acceptance Testing and prior to deployment to production.

YES

Fusion will resolve all priority 3 or higher defects (testing defects) resulting from software development activities prior to the software being delivered for User Acceptance Testing and prior to deployment to production.


G3.26 The Contractor must respond to priority 1 test defects within 1 hour of notification.

YES

Fusion will respond to priority 1 test defects within 1 hour of notification.


G3.27 The Contractor must resolve priority 2 test defects within 4 clock hours of notification.

YES

Fusion will resolve priority 2 test defects within 4 clock hours of notification.


G3.28 The Contractor must respond to priority 3 test defects within 8 hours of notification.

YES

Fusion will respond to priority 3 test defects within 8 hours of notification.


G3.29 The Contractor must respond to priority 4 test defects within 5 days of notification.

YES

Fusion will respond to priority 4 test defects within 5 days of notification.




G3.30 The Contractor must report on all priority 5 test defects with each reporting phase.

YES

Fusion will report on all priority 5 test defects with each reporting phase.


Interface List

G4.1

The Solution has the capacity to interface with the statewide HIE Solution supported by VITL to obtain details of interactions with and services provided to inmates by the provider in real-time.

YES

Centricity’s ability to connect to VT’s HIE can facilitate the sharing of clinical data across the continuum of care to help clinicians make more informed decisions. There are numerous Centricity clients who are benefiting from the system’s interoperability which demonstrates success of linking EHRs to share clinical data, ensuring Continuity of Care using ARRA standards. This capability is made possible through Centricity’s adherence to Integrating the Healthcare Enterprise (IHE) framework and Healthcare Information Technology Standards Panel (HITSP) Capability Specifications recommended for ARRA adoption.


G4.2

The Solution will maintain the interfaces to the statewide HIE which currently exist:

� Lab results � Radiology results � Transcription

YES

Integration and coexistence with other computer systems is an integral part of every Centricity installation. HL7-compliant inbound and outbound data exchange interfaces are built-in to Centricity. Centricity is capable and is currently utilized in numerous correctional settings to exchange data in real time through direct database connection through secure VPN tunnels, through FTP/SFTP as well as numerous other delivery methods. Fusion will maintain the interfaces to the statewide HIE which currently exist: • Lab results • Radiology results • Transcription



As such, we are committed to the delivery of the products and services required for the effective deployment of fully functional interfaces. This is accomplished through a combination of:

• Excellence in product functionality and continued development

• Adherence to interface standards • Provision of the services and tools

required to implement interfaces • Partnerships with other information

system vendors Interoperability / Interfaces Requirements

T1.1

The Solutions interfaces shall secure and protect the data and the associated infrastructure from a confidentiality, integrity, and availability perspective.

YES

A connected Department of Corrections is an efficient Department of Corrections. Integration and coexistence between staff and with other computer systems is an integral part of every Centricity installation. Communication across the enterprise and with other third-party vendors and agencies with which you work is often time sensitive and involves inmate safety. Centricity leverages standards-based interoperability and communication methods for compatibility with eachother and with other vendor solutions and devices. All data are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash Algorithm. SQL Server has built-in encryption capabilities for PHI data. It can encrypt both at rest and data in motion.


T1.2

The Solution’s interface infrastructure shall continue to operate despite failure or unavailability of individual technology components such as a server platform or network connection. YES

Currently, the eMAR can facilitate online/offline capabilities. The eMAR includes the capacity to create documents offline as well. This functionality is continually being developed and included in our upcoming releases. It is our intention to have a standalone component for basic offline documentation available in the next twelve months or so.



T1.3

The Solutions interfaces shall be scalable to accommodate changes in scale including changes in inmate population, transaction volume, through-put and geographical distribution. The Solution shall easily make any changes to the interface data elements/layouts and to test those changes to confirm functionality.

YES

Centricity is scalable up to 10,000 concurrent users. Centricity can be configured based on need to utilize multiple database and frontend servers for load balancing. Centricity provides migration tools to move components of the system, as well as the whole system itself to the latest architectures and technologies as they progress for both an on-premise or cloud hosted solution. The design philosophy is heavily based on Microsoft’s Ribbon UI with a XAML grid based layout. Windows can be shrunk into a dashboard for an overview of the content, or maximized to get into more detail (without a redraw of the entire screen). The common core of the application is used throughout the entire chart experience. The data layer is based on a SOAP web service that feeds all of the application. These same SOAP endpoints are used for both populating the UI with data and exporting data for various interfaces (CCD based HIEs, ADT Feeds, Document Export/Import, etc). The underlying system architecture uses a SOAP based client server model. This allows the server to remain lightweight and focus solely on retrieving, securing, and sending data to the client, while the Client can use its local processing power to render the UI. This model was chosen due to the efficient delegation of tasks. It allows the server to focus on processing of data, while the client queries it based on what the user wants.


T1.4

The Solution shall implement, at a minimum, interfaces (both real-time or batch) with the applications and data sources listed in the section "G4 Interface List". These interfaces shall be implemented using HL7 or other applicable standard as determined by the DOC.

YES

Integration and coexistence with other computer systems is an integral part of every Centricity installation. HL7-compliant inbound and outbound data exchange interfaces are built-in to Centricity. Centricity is capable and is currently utilized in numerous correctional settings to exchange data in real time through direct database connection through secure VPN tunnels, through FTP/SFTP as



well as numerous other delivery methods.

T1.5

The Solution shall provide the capability to perform source-to-destination file integrity checks for exchange of data and alert appropriate parties with issues. YES

Centricity can provide the capability to perform source-to-destination file integrity checks for exchange of data and alert appropriate parties with issues.


T1.6

The Solution shall integrate with Vermont Health Information Exchange using VITLs Service Oriented Architecture (Medicity), using an Enterprise Service Bus, responsible to monitor and control routing of message exchange between services, resolve contention between communicating service components, control deployment and versioning of services and marshal use of redundant services.

YES

Centricity will integrate with Vermont Health Information Exchange.


T1.7

The Solution’s interface interoperability shall follow the National Institute of Standards (NIST)- adopted encryption standards.

YES

Fusion follows industry best practices for encrypting all aspects of the application in compliance with NIST.


T1.8

The Solution shall provide the capabilities for a Real-Time (or near real-time) bi-directional Integrated Enterprise communication using standard PIX/PDQ XCPD/XCA, XDS.b Query or SSO formats.

YES

Centricity provides the capabilities for a Real-Time (or near real-time) bi-directional Integrated Enterprise communication using standard PIX/PDQ XCPD/XCA, XDS.b Query or SSO formats.

Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software products, software process, and services offered allow us to assess compliance with specifications, standards, contractual


agreements, and other criteria.

T1.9

All Solution services shall be reviewed, classified, and cataloged prior to use. The Documentation Artifacts shall be modeled per ISO/IEC/IEEE 42010 Architecture Description Template as part of the Vermont Enterprise Architecture Program Requirements.

YES

All services shall be reviewed, classified, and cataloged prior to use.


T1.10

All Solution services shall have key stakeholder/owners identified following the ADM Architecture Model. Role Matrix should include s/w developers, integrationists, technologists, Enterprise Architects, Business Leads, Testing teams, UAT Teams.

YES

All Solution services will have key stakeholder/owners identified following the ADM Architecture Model.


T1.11

The Solution shall provide the functionality that provides reliability for applications, services, or message flows: Load balancing, High availability, Fault tolerance, Failover, In- order delivery, Transaction support, Execution prioritization, Message prioritization. Tests for High Availability and Failover shall be completed prior to the release to UAT.

YES

Centricity provides the functionality that provides reliability for applications, services, or message flows: Load balancing, High availability, Fault tolerance, Failover, In- order delivery, Transaction support, Execution prioritization, Message prioritization. Tests for High Availability and Failover will be completed prior to the release to UAT.


T1.12

The Solution shall have the ability to use standards-based communication protocols, such as TCP/IP, HTTP, HTTP/S and SMTP. Protocol bridging: The ability to convert between the protocol native to the messaging platform and other protocols, such as Remote Method Invocation (RMI), IIOP and .NET remote-ing.

YES

Centricity uses standards-based communication protocols, such as TCP/IP, HTTP, HTTP/S and SMTP.



T1.13

The Solution shall have the capability to integrate with VITL’s MDM technology for Enterprise Master Person Index (EMPI) implemented (using Medicity) as part of the VHIE Platform in a centralized or registry style implementation.

YES

Centricity has the capability to integrate with VITL’s MDM technology for Enterprise Master Person Index (EMPI) implemented (using Medicity) as part of the VHIE Platform in a centralized or registry style implementation.


Scalability and Extensibility Requirements

T2.1

The Solution will be designed for ease of maintenance and readily allow future functional enhancements. This will be accomplished through use of modern design principles for Service Oriented Architecture, applying principles of modularity, interface abstraction, and loose coupling.

YES

Centricity is designed for ease of maintenance and readily allow future functional enhancements.


T2.2

The Solution will be adequately flexible to keep up with ever changing technology and regulatory changes. This will be accomplished by separating workflow and business rules into their own separate tiers.

YES

Centricity is very flexible, allowing for customization and adjustment of existing screens in the system, as well as creation of new ones, as required. Centricity is continuously adopting the newest and latest technologies to meet all regulatory changes. Built on the ease-of-use and familiarity of Microsoft Windows, Centricity offers DOC a cost-effective, flexible Commercial-Off-The-Shelf (“COTS”) solution in compliance with Centers for Medicare and Medicaid Services (“CMS”) regulations, the Health Information Portability and Accountability Act (“HIPAA”), ICD-10 and is compatible to meet and exceed DOC’s goals and the functional requirements detailed in this RFP.


T2.3

The Solution will be scalable and adaptable to meet future growth and expansion/contraction needs such that the Solution can be expanded on demand and be able to retain its performance levels when adding additional users, functions, and data.

YES

Centricity is scalable up to 10,000 concurrent users. Centricity can be configured based on need to utilize multiple database and frontend servers for load balancing. Centricity provides migration tools to move components of the system, as well as the whole system itself to the latest architectures and technologies as they progress for both an on-premise or cloud hosted solution.



The design philosophy is heavily based on Microsoft’s Ribbon UI with a XAML grid based layout. Windows can be shrunk into a dashboard for an overview of the content, or maximized to get into more detail (without a redraw of the entire screen). The common core of the application is used throughout the entire chart experience. The data layer is based on a SOAP web service that feeds all of the application. These same SOAP endpoints are used for both populating the UI with data and exporting data for various interfaces (CCD based HIEs, ADT Feeds, Document Export/Import, etc). The underlying system architecture uses a SOAP based client server model. This allows the server to remain lightweight and focus solely on retrieving, securing, and sending data to the client, while the Client can use its local processing power to render the UI. This model was chosen due to the efficient delegation of tasks. It allows the server to focus on processing of data, while the client queries it based on what the user wants.

T2.4

The Solution will provide screens that are highly re-configurable based on the needs of the Vermont DOC specifically, providing the ability to reposition and rename field labels / data fields, remove or “turn-off” unused fields, maintain data, and allow addition of custom-defined fields. YES

Centricity enables configurable templates, inmate notes and other inmate-related data that may require diverse configurations and support creation of custom fields. Some adjustments can be accomplished through configuration of the system, and do not require customization at all. For example, the navigation can be easily adjusted as desired, picklists and database picklists appearing in fields can be adjusted, order sets can be configured, and so on. Some of these configuration settings can be set at the facility level, and others can vary by specialty (medical vs. mental health) or by provider.



T2.5

The Solution will enable the State to modify the labels and arrangement of information in the data model documentation templates and can create custom data fields.

YES

In addition to pre-existing content and plans of care, customizations can be easily created via Visual Form Editor. VFE is a tool for rapid design of encounter forms, for use with Centricity, enabling you to concentrate on creating quality forms rather than overcoming design considerations. Automatic triggers and alerts can also be set up during the development of any forms. This reduces the time and costs associated with designing and modifying forms.


T2.6

The Solution will provide the ability to create and/or modify edits and business rules which determine the correctness/integrity of data.

YES

Protocols can be set up to automate workflows. For example, if a score of X is calculated during a PREA encounter, a referral will be generated to the individual/group for follow up. Visual Form Editor can easily be used to customize protocols and alerts to meet your unique needs. Triggers can be easily implemented with DOC business rules behind all triggers and alerts that are client configurable as well, providing you the ability to be as self-sufficient as needed.


Regulatory & Security Requirements


T3.1

The Solution will, at a minimum, provide a mechanism to comply with security requirements and safeguard requirements of the following Federal agencies / entities: - Health & Human Services (HHS) Center for Medicare & Medicaid Services (CMS) - Administration for Children & Families (ACF) - NIST 800-53r4, MARS-E and DOD 8500.2 - Federal Information Security Management Act (FISMA) of 2002 - Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 - Privacy Act of 1974 - e-Government Act of 2002 - Patient Protection and Affordable Care Act of 2010, Section 1561 Recommendations - Vermont Statute 9 V.S.A. § 2440. Social security number protection (http://www.leg.state.vt.us/statutes/fullsecti on.cfm?Title=09&Chapter=062&Section=024 40) - Vermont Statute 9 V.S.A. § 2435. Notice of security breaches (http://www.leg.state.vt.us/statutes/fullsecti on.cfm?Title=09&Chapter=062&Section=024 35)

YES

Centriciry provides a mechanism to comply with security requirements and safeguard requirements of the following Federal agencies / entities: - Health & Human Services (HHS) Center for Medicare & Medicaid Services (CMS) - Administration for Children & Families (ACF) - NIST 800-53r4, MARS-E and DOD 8500.2 - Federal Information Security Management Act (FISMA) of 2002 - Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 - Privacy Act of 1974 - e-Government Act of 2002 - Patient Protection and Affordable Care Act of 2010, Section 1561 Recommendations - Vermont Statute 9 V.S.A. § 2440. Social security number protection (http://www.leg.state.vt.us/statutes/fullsecti on.cfm?Title=09&Chapter=062&Section=024 40) - Vermont Statute 9 V.S.A. § 2435. Notice of security breaches (http://www.leg.state.vt.us/statutes/fullsecti

on.cfm?Title=09&Chapter=062&Section=024 35)


T3.2

The Contractor will provide all their corresponding NIST 800-53 procedures and policies to the State security officer.

YES

Fusion will provide all their corresponding NIST 800-53 procedures and policies to the State security officer upon request.



http://www.leg.state.vt.us/statutes/fullsection.cfm?Title=09&Chapter=062&Section=02440

















T3.3

The Solution will comply with all applicable State and Federal laws and regulations, including 42 CFR Part 2 and Health Insurance Privacy and Accountability Act (HIPAA) including privacy and client consent for release requirements.

YES

Centricity complies with all applicable State and Federal laws and regulations, including 42 CFR Part 2 and Health Insurance Privacy and Accountability Act (HIPAA) including privacy and client consent for release requirements.


T3.4

The Solution will follow HIPAA 278 standard for the electronic exchange of prior authorization information between Providers and AHS. YES

Centricity follows HIPAA 278 standard for the electronic exchange of prior authorization information between Providers and AHS.


T3.5

The Solution will conform with the sub-parts of Section 508 of the Americans with Disabilities Act (ADA), and any other appropriate State or Federal disability legislation.

YES

Centricity conforms with the sub-parts of Section 508 of the Americans with Disabilities Act (ADA), and any other appropriate State or Federal disability legislation.


T3.6

The Solution will comply with all applicable State security policies and adhere to all legal, statutory, and regulatory requirements, as determined by Vermont leadership. YES

Centricity complies with all applicable State security policies and will adhere to all legal, statutory, and regulatory requirements, as determined by Vermont leadership.


T3.7

The Solution will implement security controls in accordance with all Federal and State security policy and regulations. YES

Centricity’s security controls have been developed in accordance with all Federal and State security policy and regulations. Centricity goes through vigorous testing to meet such federal and state requirements.

Centricity is a Certified Electronic Health Record Technology (CEHRT) 2015 as defined by the Office of the National Coordinator for Health Information Technology (ONC).

T3.8 The Solution will comply with Vermont branding standards as defined by the state. YES

Centricity complies with Vermont branding standards as defined by the state.




T3.9

The Contractor will adhere to the principle of “Fail Safe” to ensure that a Solution in a failed state does not reveal any sensitive information or leave any access controls open for attacks. YES

Fusion implements “Fail Safe” measures to ensure that if in a failed state Centricity does not reveal any sensitive information or leave any access controls open for attacks.


T3.10

The Solution will allow for controlled access to participant records. Users will be able to view participant data within the Solution at the State-defined levels of access based on user security privileges.

YES

Centricity supports multiple separate user privileges in registration, charts, flags, inquiry/reports, appointments, setup, etc. Additional privileges support multiple confidential document types as indicated by a user, such as mental health, STD, alcohol/drug abuse, and HIV/AIDS document types. These privileges can also be administered at two levels: per user or per role. That is, a standard set of roles, with associated privileges, can be defined and then those roles used to quickly and easily assign and maintain individual user rights. Role-based security applies down to the field level.


T3.11

The Solution will maintain a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of information.

YES

Centricity maintains a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of information.


T3.12

Information security will be built into the Solution from its inception rather than “bolted on” after the Solution has been implemented. YES

Centricity is a fully integrated solution where information security is built into the system.



T3.13 The Solution will support security at the object level (e.g. Table, View, Index).

YES

Centricity supports security at the object level (e.g. Table, View, Index).


T3.14 The Solution will support security at the row and column level

YES

Centricity supports security at the row and column level.


T3.15 The Solution will support auditing at the object level (i.e. Table, Column).

YES

Centricity provides industry best-practice for HIPAA compliant high-availability clinical data at rest and network security solutions. Information logged includes user and workstation IDs, user actions, date and time, and other information, such as clinical report or document names, names of clinical values changed, and the value changes. All user activity can be audited and reported on.


T3.16

The Solution will provide the ability for concurrent users to simultaneously view the same record, documentation, and/or template. YES

If multiple users access a chart at the same time, the users can document on the chart at the same time. The only limitation is that the first person in a given chart who starts adding a medication, problem or allergy will block the other user from adding a medication, problem or allergy until the first person completed the document.

This is done purposefully to prevent one user from adding a medication while one adds another that can potentially have negative interactions.

T3.17

The Solution will provide protection to maintain the integrity of data during concurrent access.

YES

Centricity provides protection to maintain the integrity of data during concurrent access.



T3.18

The software used to install and update the Solution, independent of the mode or method of conveyance, will be certified free of malevolent software (“malware”). Contractor may self-certify compliance with this standard through procedures that make use of commercial malware scanning software.

YES

Fusion will certify the system is free of malevolent software (“malware”).


T3.19

The Solution will be configurable to prevent corruption or loss of data already accepted into the Solution in the event of a Solution failure (e.g. integrating with a UPS, etc.). YES

Centricity will be configurable to prevent corruption or loss of data already accepted into the Solution in the unlikely event of a system failure.


T3.20

The Solution will support protection of confidentiality of all Protected Health Information (PHI) delivered over the Internet or other known open networks via encryption using Advanced Encryption Standard (AES) and an open protocol such as Transport Layer Security (TLS), Secure Sockets Layer (SSL), Internet Protocol Security (IPsec), XML encryptions, or Secure/Multipurpose Internet Mail Extensions(S/MIME) or their successors. This Solution will be subject to external Audit checks.

YES

Centricity supports protection of integrity of all Protected Health Information (PHI) delivered over the Internet or other known open networks via SHA hashing and an open protocol such as TLS, SSL, IPSec, XML digital signature, or S/MIME or their successors.


T3.21

The Solution, when storing PHI on any device intended to be portable/removable (e.g. smartphones, portable computers, portable storage devices), will support use of a standards-based encrypted format using AES or their successors. YES

Within Centricity, all data are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash Algorithm. SQL Server has built-in encryption capabilities for PHI data. It can encrypt both at rest and data in motion. SSL can be used for data in motion that is transferred between client workstations and the database server. Centricity provides encrypted passwords and encryption at the VPN level, Internet, Intranets, and wireless networks and devices.



T3.22

The Solution, prior to access to any PHI, will display a configurable warning or login banner approved by the State (e.g. "The Solution should only be accessed by authorized users"). If a Solution does not support pre-login capabilities, the Solution will display the banner immediately following authorization.

YES

Popups can be configured to notify users of important information. Permissions are set based on user access/roles so that only certain individuals can have access to certain information. This is set up per State requirements.


T3.23

The Contractor will review and analyze the key risks to the important assets and functions provided by the Solution to certify that the CWE/SANS Top 25 Most Dangerous Software Errors (http://cwe.mitre.org/top25) have been mitigated and document the mitigation.

YES

Fusion will review and analyze the key risks to the important assets and functions.


T3.24

The Contractor will review the Solution and certify that the code and any new development meets or exceeds the OWASP Application Development Security Standards outlined on the www.OWASP.org site (currently https://www.owasp.org/images/4/4e/OWAS P_ASVS_2009_Web_App_Std_Release.pdf) and document in writing that they have been met.

YES

Fusion will review Centricity and certify that the code and any new development meets or exceeds the OWASP Application Development Security Standards


Identity and Access Management

T4.1 The Solution will support a form of user authentication.

YES

Centricity uses Microsoft Active Directory authentication to access the application. Database-level security is assured by Centricity’s use of SQL Server, an industry-leading relational database management system, for storing all offender information. This ensures all information is stored on the database server, which can be fully protected by the IT organization, with no offender data being stored on the desktop. Even if a PC is stolen, no offender data is exposed. The SQL Server database can be installed on a fully protected subsystem of a server, preventing



http://cwe.mitre.org/top25

http://www.owasp.org/

https://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf

https://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf

malicious access by those attempting to “snoop” on the database. The database management system provides secure logon ID protection, allowing, for example:

• Read/write access only by the Centricity application and the Centricity merge/delete application

• Read-only access to data from third-party applications (such as report writers, statistical analysis packages, etc. for enterprise-wide reporting) under a single user ID/password, which can have very carefully controlled distribution within an organization

• Though the sniffing and interpretation of Centricity’s network packets is extremely difficult and time consuming, their physical security can be assured by using the SQL*Net driver, which can encrypt data prior to transfer across the network.

T4.2 The Solution, upon detection of inactivity of an interactive session, will prevent further viewing and access to the Solution by that session by terminating the session (or by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures). The inactivity timeout will be configurable.

YES

The system upon detection of inactivity of an interactive session prevents further viewing and access to the system by that session by terminating the session, or by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures. The inactivity timeout is configurable.



T4.3 The Solution will enforce a limit of (configurable) consecutive invalid access attempts by a user. The Solution will protect against further, possibly malicious, user authentication attempts using an appropriate mechanism (e.g. locks the account/node until released by an administrator, locks the account/node for a configurable time period, or delays the next login prompt according to a configurable delay algorithm).

YES

Centricity enforces a limit of (configurable) consecutive invalid access attempts by a user. The system protects against further, possibly malicious, user authentication attempts using an appropriate mechanism, such as locking the account/node until released by an administrator, locking the account/node for a configurable time period, or delaying the next login prompt according to a configurable delay algorithm.


T4.4 The Solution will have the capability of preventing database administrators from seeing the data in databases they maintain.

YES

Centricity has the capability of preventing database administrators from seeing the data in databases they maintain.


T4.5 The Solution will support grouping users by Roles, functional departments, or other organization to simplify security maintenance. YES

Privileges can also be administered at two levels: per user or per role. That is, a standard set of roles, with associated privileges, can be defined and then those roles used to quickly and easily assign and maintain individual user rights. Role-based security applies down to the field level.


T4.6 The Solution will provide the ability to maintain a directory of all personnel who currently use or access the Solution/IVR/SQL database. YES

Centricity provides the ability to maintain a directory of all personnel who currently use or access the Solution/IVR/SQL database.


T4.7 The Solution will provide the ability to create and maintain a directory of external providers to facilitate communication and information exchange. YES

Centricity provides the ability to create and maintain a directory of external providers to facilitate communication and information exchange.




T4.8 The Solution will restrict access to summarized information according to organizational policy, scope of practice, and jurisdictional law. YES

Centricity provides the ability to restrict access to summarized information according to organizational policy, scope of practice, and jurisdictional law.


T4.9 The Solution must be able to associate permissions with a user using one or more of the following access controls: 1) Role-Based Access Controls (RBAC; users are grouped by role and access rights assigned to these groups) 2) Context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time- of-day, workstation-location, emergency- mode, etc.). YES

Centricity enforces the most restrictive set of rights/privileges or accesses needed by users/groups, such as System Administration, Clerical, Nurse, Doctor, and so on, or processes acting on behalf of users, for the performance of specified tasks. Centricity provides the ability for authorized administrators to assign restrictions or privileges to users/groups. Centricity enables to associate permissions with a user using one or more of the following access controls: • User-based (access rights assigned to each user) • Role-based (users are grouped and access rights assigned to these groups) • Context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time-of-day, workstation-location, emergency-mode, and so on.)


T4.10 The Solution will provide the ability to prevent specified user(s) or groups from accessing confidential information such as a SSN, medication information and other confidential data.

YES

Centricity supports multiple separate user privileges in registration, charts, flags, inquiry/reports, appointments, setup, etc. Additional privileges support multiple confidential document types as indicated by a user, such as mental health, STD, alcohol/drug abuse, and HIV/AIDS document types.




T4.11 The Solution will provide the ability to limit access to certain confidential information such as an inmate’s SSN and other confidential data to providers directly involved in service of the inmate, or providers involved in review of the service.

YES

Centricity provides the ability to limit access to certain confidential information such as an inmate’s SSN and other confidential data to providers directly involved in service of the inmate, or providers involved in review of the service.


T4.12 The Solution will enforce the most restrictive set of rights/privileges or accesses needed by users/groups or processes acting on behalf of users, for the performance of specified tasks. YES

Centricity enforces the most restrictive set of rights/privileges or accesses needed by users/groups, such as System Administration, Clerical, Nurse, Doctor, and so on, or processes acting on behalf of users, for the performance of specified tasks.


T4.13 The Solution will provide the ability for authorized administrators to assign restrictions or privileges to users or groups.

YES

Centricity provides the ability for authorized administrators to assign restrictions or privileges to users/groups.


T4.14 The Solution will support removal of a user's privileges without deleting the user from the Solution to ensure that the history of user’s identity and actions are maintained. YES

Centricity supports the removal of a user's privileges without deleting the user from the system to ensure that the history of user’s identity and actions are maintained.


T4.15 The Solution will be able to support RBAC in compliance with the HL7 Permissions Catalog.

YES

Centricity supports RBAC in compliance with the HL7 Permissions Catalog.




T4.16 The Solution will be capable of operating within an RBAC infrastructure conforming to ANSI INCITS 359-2004, American National Standard for Information Technology – Role Based Access Control. YES

Centricity is capable of operating within an RBAC infrastructure conforming to ANSI INCITS 359-2004, American National Standard for Information Technology – Role Based Access Control.


T4.17 The Solution will provide more advanced session management abilities such as prevention of duplicate logins, remote logout, and location-specific session timeouts. YES

Centricity provides advanced session management abilities such as prevention of duplicate logins, remote logout, and location-specific session timeouts.


T4.18 The Solution will provide the ability to perform Solution administration functions such as reference table maintenance and adding / removing users from the Solution. YES

Centricity provides the ability to perform administration functions such as reference table maintenance and adding / removing users from the system.


T4.19 The Solution will allow users access based on their roles irrespective of their geographical location.

YES

Access permissions can be setup and based on the user’s roles, irrespective of their geographical location.


T4.20 The Solution will provide the capability to integrate with existing authentication and authorization mechanisms. YES

Sites using Active Directory authentication can choose whether to maintain user for their groups within the application, or within Active Directory. An option in Administration allows you to automatically synchronize Active Directory



security groups with security groups created in the application database. This provides a single source for managing your site’s group membership. If the option is not enabled, you’ll manage security groups completely within the application, using Active Directory only for authenticating users.


T4.21 The Solution will provide the capability to create temporary and emergency accounts and terminate those accounts automatically after a user-defined period of time. YES


T4.22 The Solution will provide the capability to monitor events on the information Solution, detect attacks, and provide identification of unauthorized use of the Solution. YES

Centricity provides the capability to monitor events in Centricity, detect attacks, and provide identification of unauthorized use of Centricity.


T4.23 The Solution will provide the capability to identify and report on inappropriate access to information in the Solution, based on user defined criteria. YES

Centricity provides the capability to identify and report on inappropriate access to information in the system, based on user defined criteria.


T4.24 The Solution will enforce minimum password requirements compliant with State-provided security policies.

YES

Centricity uses the following access controls available through Microsoft Windows Security and Active Directory:

• case-sensitive and alphanumeric passwords

• case-insensitive user names • password history (how many passwords

are remembered) • maximum and minimum password age

settings • minimum password length



• password strength (complexity) options • maximum failed login attempts • limited feedback of ID or password

failures at login • automatic logoff after idle user timeout

T4.25 The Solution will allow User to change his or her password at any time.

YES

Centricity uses Active Directory. The Active Directory user name and password are the credentials used to log into the network/workstation. User passwords are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash algorithm. The logon ID and password are stored and maintained in the Microsoft Windows Active Directory, often on a separate server, as well as in the Centricity EHR database. You must maintain logon IDs and passwords using Active Directory maintenance tools. Through a web portal, users will be allowed to make edits to the Active Directory Account, including changing the Users passcode at any given time.


T4.26 The Solution will have mandatory security questions for the User to answer for username and password validation in case of any user requested changes.

YES

Centricity uses Active Directory. The Active Directory user name and password are the credentials used to log into the network/workstation. User passwords are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash algorithm. The logon ID and password are stored and maintained in the Microsoft Windows Active Directory, often on a separate server, as well as in the Centricity EHR database. You must maintain logon IDs and passwords using Active Directory maintenance tools. Through a web portal, users will be allowed to make edits to the Active Directory Account, including requiring mandatory security questions for the User to answer for username and password validation.


T4.27 The Solution will allow for online automated password reset.

YES

Centricity uses Active Directory. The Active Directory user name and password are the credentials used to log into the network/workstation. User passwords are encrypted with Advanced Encryption Standard



(AES) encryption with a SHA2/SHA-256 hash algorithm. The logon ID and password are stored and maintained in the Microsoft Windows Active Directory, often on a separate server, as well as in the Centricity EHR database. You must maintain logon IDs and passwords using Active Directory maintenance tools. Through a web portal, users will be allowed to make edits to the Active Directory Account, including allowing for an online automated password reset.


T4.28 The Contractor will monitor, alert, and protect against web application attacks of internet-facing applications. Solution/hosting provider will install, configure, and manage a web application firewall on Vermont's internet-facing Solution/hosting provider ePHI Environments. Alerts and/or reports will be provided to Security officers at specified intervals.

YES

Our hosting services provide a dedicated firewall and VPN to block unauthorized access. They also require all users to authenticate before they may access any system. We typically deploy remote access via a WebSSL VPN and all data is encrypted behind each firewall. WebSSL connections are provided for remote-access, and only authorized users will have the ability to connect remotely.

We use aggressive antivirus and intrusion protection software and follows all industry best practices for information security and must do so in order to maintain their SSAE18 certification. We recommend Symantec Norton Anti-Virus.

T4.29 The Contractor will conduct and provide a risk assessment based upon NIST 800 - 30 guidance and methodology.

YES

Fusion will conduct risk assessments based upon NIST 800-30 methodology. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.


T4.30 The Contractor will conduct quarterly scans of Vermont's externally-accessible web services in the Production Environment and provide reports on the scans to VT Information Security officer/representative, including the severity of the vulnerabilities and remediation recommendations.

YES

Fusion will conduct quarterly scans of Vermont's externally-accessible web services in the Production Environment and provide reports on the scans to VT Information Security officer/representative, including the severity of the vulnerabilities and remediation recommendations.


T4.31 The Contractor will provide third-party conducted penetration tests on production releases of the externally accessible web application as requested by the change control board entity. The reports shall be provided to the security officer upon request.

YES

Fusion will provide third-party conducted penetration tests on production releases of the externally accessible web application as requested by the change control board entity.

Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software products, software process, and services offered allow us to assess compliance with


specifications, standards, contractual agreements, and other criteria.

T4.32 The Contractor will not transmit or store any Personally Identifiable Information (PII) using publicly available storage over the Internet or any wireless communication device, unless: 1) the PII is “de-identified” in accordance with 45 C.F.R § 164.514(b) (2); or 2) encrypted in accordance with applicable law, including the American Recovery and Reinvestment Act of 2009 and as required by policies and procedures established by VT Information Security Officer.

YES

Fusion will not transmit or store any Personally Identifiable Information (PII) using publicly available storage over the Internet or any wireless communication device.


T4.33 The Contractor will perform Security Impact Assessments prior to releasing solutions into production.

YES

Fusion will perform Security Impact Assessments prior to releasing solutions into production.


T4.34 The Solution will include the same security provisions for the development, Solution test, acceptance test, and training environment as those used in the production environment. YES

Centricity will include the same security provisions for the development, Solution test, acceptance test, and training environment as those used in the production environment.


T4.35 The Contractor will complete and supply to VT Information Security Officer all CMS Security required documentation to include but not limited to Solution Security Plan (SSP), Risk Assessment (RA), Contingency Plan (CP).

YES

Fusion will complete and supply to VT Information Security Officer all CMS Security required documentation to include but not limited to Solution Security Plan (SSP), Risk Assessment (RA), Contingency Plan (CP).




T4.36 The Contractor must pass the Privacy/security and FTI data handling training provided by the State. FTI training is required regardless of the presence or absence of FTI data. YES

Fusion will complete all necessary steps to pass the Privacy/security and FTI data handling training provided by the State.


T4.37 All servers shall have hardened operating Solutions by eliminating any unnecessary Solution services, accounts, network services, and limited user access rights throughout all environments.

YES

The servers have hardened operating Solutions by eliminating any unnecessary Solution services, accounts, network services, and limited user access rights throughout all environments.


T4.38 The Contractor will review and monitor logs for forensic purposes and security Incidents, and any anomalous activities are incorporated into the Incident management process. In the event of a security incident, the Contractor shall collect and retain evidence related to the incident. A detailed report must be provided to the State Security Officer.

YES

Fusion will review and monitor logs for forensic purposes and security Incidents, and any anomalous activities are incorporated into the Incident management process. In the event of a security incident, Fusion will collect and retain evidence related to the incident.


T4.39 The Contractor will ensure that high severity patches will be applied within seven (7) calendar days; Medium severity patches will be applied within fifteen (15) calendar days; and all others within thirty (30) calendar days. The Contractor will further ensure that required IT security notices and advisories are distributed to appropriate personnel.

YES

Fusion will ensure that high severity patches will be applied within seven (7) calendar days; Medium severity patches will be applied within fifteen (15) calendar days; and all others within thirty (30) calendar days.


Project Management Requirements


I1.1

For Solutions which are not the incumbent EHR, once an installation date is scheduled, a Contractor installation management team will travel to the DOC to discuss the implementation process and conduct a site evaluation meeting to assess the DOC's installation needs. A customized Implementation and Training plan including specific dates, deadlines, and milestones will be produced and provided to the DOC as a result of this meeting.

YES

Fusion will travel to the DOC to discuss the implementation process and conduct a site evaluation meeting to assess the DOC's installation needs. A customized Implementation and Training plan including specific dates, deadlines, and milestones will be produced and provided to the DOC as a result of this meeting.


I1.2

The Contractor will describe the project management approach and methodology to be used for all Solution project life cycles.

YES

Please refer to Fusion’s completed Appendix 5.27 for a comprehensive overview of our project management approach, methodologies, and implementation plan.


I1.3

The Contractor’s installation management team will cover all of these topics during discussions addressing the unique needs of the State in a personalized manner: -Project Integration Management -Project Scope Management -Project Time Management -Project Cost Management -Project Quality Management -Project Human Resource Management -Project Communication Management -Project Risk Management -Project Procurement Management

YES



I1.4 The Contractor will develop a Project Charter.

YES

This document will outline project scope, project deliverables, project timeline, key roles and responsibilities, and approaches that will be used in obtaining the successful implementation of Centricity. This document will be accepted and signed off on by the State.


I1.5

The Contractor’s installation management team will clearly define roles, accountability, timelines, and all necessary performance criteria for a successful implementation.

YES




I1.6

The Contractor will provide best practices throughout the implementation of the Solution.

YES

As a standard for all of our projects, Fusion’s project managers use PMI’s PMBOK as a basis for all project management efforts. PMBOK is widely recognized as the standard for project management in many industries as well as by many state and local government departments of Information Technology (IT).


I1.7

Where available and agreed between the Contractor and the State, the Contractor will use State templates for project management deliverables. State templates listed in EPMO templates from the link: http://dii.vermont.gov/pm/pmtemplates

YES

Where available and agreed between the Fusion and the State, Fusion will use State templates for project management deliverables.


I1.8

The Contractor will develop a PMI-compliant Communications Management Plan as part of Appendix 5.27 “EHR Project Management Documentation and Implementation Project Schedule.” The Communications Management Plan must describe participant's roles and responsibilities, internal communications, external communications, other communications, and information management including communications protocols.

YES

The Communications Management portion of the Implementation Project Plan will describe the approach Fusion will use to provide a detailed communication plan that includes discussion of key implementation metrics that will be used to track progress; types of communication methods (i.e., memo, email, one-on-one meetings, Project team meetings, stakeholder group meetings, online web progress reporting tools, etc.) that Fusion will use; frequency of these communications; and key Fusion points-of-contact with overall responsibility for ensuring these communications are provided as scheduled. Fusion will make key personnel and staff available for certain meetings either on-site or via teleconference or web- conference that may be required should major issues arise during the implementation that significantly impact the schedule, or budget of Centricity.



http://dii.vermont.gov/pm/pmtemplates

I1.9

The Contractor will leverage ADS’ EPMO Project Log template as applicable to establish an “Action Items Process and Tracking Document” as part of Appendix 5.27 “EHR Project Management Documentation and Implementation Project Schedule.” The document shall be used to track and verify that unanticipated issues, action items, and tasks are assigned to a specific person for action and tracked through resolution.

ADS EPMO Project Log Template can be found in http://dii.vermont.gov/sites/dii/files/pdfs/EP MO-Project-Log-Template.pdf

The “Action Items Process and Tracking Document” issue and action item tracking document must include the following: - Date of occurrence - Description of the issue - Priority level - Impact level - Date of occurrence - Remediation strategy - Current status - The individual responsible - Target resolution date - Actual resolution date

YES




http://dii.vermont.gov/sites/dii/files/pdfs/EPMO-Project-Log-Template.pdf

http://dii.vermont.gov/sites/dii/files/pdfs/EPMO-Project-Log-Template.pdf

I1.10

The Contractor must electronically provide project management documents (e.g., Project Management Plan, Project Schedule, Work Breakdown Structure, etc.) using Microsoft software products and/or PDF. The software version must be no less than a version still available on the common market and that is still supported by the manufacturer. The State will work with the Contractor in approving specific versions to assure that the application is synchronized with the State's plans.

YES

Fusion will work in conjunction with DOC to collaborate on deliverables which have been identified in this proposal. Throughout the project, all deliverables which will reside on our Microsoft SharePoint server and on the Microsoft Project page(s) and will identify and deliverables and who will work in conjunction with our team to limit any risk delays and more importantly, increase transparency of all outstanding deliverables.

Microsoft SharePoint is a browser-based collaboration and document management platform from Microsoft. This system allows Fusion to set up a centralized, password protected space for document sharing with DOC. DOC will have continuous access to SharePoint after go-live and will be the owner of all the documents available in the PIL.


I1.11

The Contractor will advise the State and Contractor management of progress in meeting goals and schedules contained in the work plans as well as any risks and issues during weekly progress meetings attended by the Contractor and the State. These may include walkthroughs of selected deliverables as requested by State staff.

YES

Fusion will prepare weekly Status and Monthly Risk and Issues Reports and highlight when a variance from the baseline plan has occurred or is likely to occur. We will work with DOC to initiate appropriate actions to address the variance and track the identification and resolution of project issues. The Status and Monthly Risk and Issues Reports will provide a summary of activities completed during the status period, activities that are in progress, any open issues with assignments for their resolution, and reasons for delays encountered. We will identify project risks with related mitigation activities as part of our weekly and monthly reporting commitments. An updated project schedule will be included with the status report, as necessary. We will provide these project status meetings to discuss the following criteria:

• Summary of Accomplishments and Activities for the Period



• Review SLA against Supplement 5 specifications

• Planned Activities of the Next Period • Status Milestones and Deliverables • Status of Concerns, Problems and

Recommendations • Status of Risks, Issues and Change

Requests • Status of Project Work Plan and Schedule • Other Discussion Topics, as required


I1.12

The Contractor will develop weekly progress reports (see Appendix 5.27). Weekly written progress reports will be provided by the Contractor to the State one working day before each weekly meeting, and containing items to be discussed at the meeting, including: - Progress of each task/activity. - Action items and decisions from the previous meeting. - Problems encountered, proposed resolutions, and projected completion dates for problem resolution. - Planned activities for the next two reporting periods. - Status of contractually defined deliverables, milestones, and walkthroughs scheduled in the project schedule. - Updating of information on a weekly basis in the State project and portfolio management tool. - Other information as needed (per Contractor or the State). - Risks and mitigations. - Total budget and cost variance reporting - Lessons learned - Percentage complete - Resources and time required to completion Frequency of periodic reports" can be adjusted during the course of project as agreed by the State and Contractor.

YES



I1.13

If the Contractor must substitute key staff during the project, the Contractor will submit to the State, in writing, the reason for the change and provide a completed staff experience reference form and resume for the substitute personnel. The DOC Health Services Administrator or designee will either approve or reject the substitution.

YES

If Fusion must substitute key staff during the project, Fusion will submit to the State, in writing, the reason for the change and provide a completed staff experience reference form and resume for the substitute personnel.



I1.14

The Contractor will provide contract close-out plans and manage project close-out activities in accordance with the plan.

YES



I1.15

As part of the proposal, the Contractor will describe the staffing approach and methodology used for the project, which will include: - Estimated number of Contractor's resources needed per each phase of the project. - The number of staff resources within the following categories: Management, Business, and Technical. - The number of staff resource onsite vs. remote per the phase of the project - A description of the methodology used for releasing and adding staff to the project and managing staff PTOs - Outsourcing staff, if applicable - Types and number of resources that State needs to provide per the phase of the project and expected hours from those resources - Providing a project organization chart. YES

Fusion will dedicate a team of about twenty-five (25) employees consisting of Centricity EHR implementation, training, and support specialists and as well as multiple employees who specialize in correctional health consulting. Additionally, we have a network of consultants nationwide who subcontract through Fusion on larger scale and/or super-specialty projects as well as access to Centricity EHR specialist staff for overflow work. For this project, Fusion intends to provide all services and support in-house.

Fusion approaches every project with a partnership mentality, working in conjunction with the client to ensure that the EHR is implemented on time, on budget and complete. Unlike any other vendor, Fusion intimately understands what it takes to get an EHR system live at correctional health facilities. Fusion leverages its extensive knowledge of the EHR and Correctional Health space and will collaborate with VTDOC to ensure that the system truly meets their workflow both now and for the future. Our SMEs come with years of experience to be much more than ‘yes-folks’ when it comes to clinical content development and overall implementation and go-live of Centricity. Fusion will leverage its knowledge and experience of how things are done throughout the country to provide VTDOC with proven options and alternatives throughout the implementation.

Fusion is dedicated to seeing the successful implementation of Centricity at Vermont Department of Corrections. Our team is highly experienced and knowledgeable in all functional aspects of correctional health-specific clinical delivery and electronic clinical documentation and workflow processes, which a company only like



Fusion can provide. We have developed a systematic process to ensure that Fusion provides VTDOC with the right number of people with the right skills to fulfill the EHR implementation. We use a Responsibility Assignment Matrix for all of our projects, which details the nature of responsibility assignments for project staff as they relate to key activities and deliverables.

I1.16

The Contractor will describe issue escalation processes to settle disputes related to roles, responsibilities, or unmatchable level of service (i.e. what is their escalation chain), and this will be aligned with the States escalation plan.

YES

Fusion will provide its standard escalation plan as part of its SLA and, upon agreement, will work with the State to align such plans accordingly.


I1.17

The Contractor will describe their approach to remediate and realign the project and project plan if the Contractor or the State decides that any aspect necessitates immediate attention and/or State/Contractor management intervention.

YES



I1.18

The Contractor will provide a project manager with AT LEAST 6 years of experience overseeing successful EHR implementations. YES

Fusion has proposed a Project Manager with at least 6 years of experience overseeing EHR implementations. Please refer to Attachment 5to review the proposed Project Manager’s Resume.


I1.19

The Contractor will use the documentation repository that is in the "best interests of the State".

YES

Although Fusion utilizes MS SharePoint as its central documentation repository, Fusion is open to utilizing another the documentation repository that is in the "best interests of the State".


Environment Installation and Configuration Requirements


I2.1

The Contractor will submit to the State as part of their proposal, specifications for all necessary hardware, software, and tools for the six (6) environments listed here. The Contractor can propose to combine certain environments, where appropriate. The six (6) environments include: 1. Production 2. QA/Staging 3. Development 4. Test 5. Training 6. Disaster Recovery Contractor will submit as a component of proposal specifications for all software, hardware, and tools that would be inclusive of a full SDLC, including environment to support the following needs: Prod, QA, Staging, Development, Test, Training, Disaster Recovery.

YES

Fusion typically sets up three separate environments when the system is initially installed; development, training and production. The intended use of each is given in its name. A best practice communicated to the client is to build all new or updated content in the Development environment. Once it has been completed it is moved into the Test environment for testing and certification by some combination of staff that typically includes a few end users. Once it has been certified, it is scheduled and moved into the Production environment where it immediately becomes available to all users. This will ensure that any bugs/issues are addressed prior to commitment of the update to ensure minimal disruption to the client. This model is the same whether the system is self-hosted or vendor-hosted.


I2.2

The Contractor will develop a technical infrastructure document which describes all hardware, Solution software, and tools necessary for each of the environments proposed. YES

Fusion will develop a technical infrastructure document which describes all hardware, software, and tools necessary for each of the environments proposed.


I2.3

The Contractor is responsible for procuring and maintaining all hardware, software, and tools purchased under the contract until Solution acceptance for all proposed environments.

YES

Fusion will maintain all EHR software purchased as part of this agreement. Fusion does not provide/sell hardware, but will recommend any necessary hardware/tools the State may want to consider.


I2.4 The Contractor will source code held in escrow by an escrow agent. YES

Fusion will source code held in escrow by an escrow agent.

Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients.


Our independent examination of our software products, software process, and services offered allow us to assess compliance with specifications, standards, contractual agreements, and other criteria.

I2.5

The Contractor will provide a data dictionary, data models, data flow models, process models, and other related planning and design documents to the State based on state standards (when available).

YES

Fusion provides a full data dictionary and documentation of the entire database schema within Centricity.


Knowledge Transfer & Training Requirements

I3.1

Refer to Appendix 5.27. The Contractor will develop (in cooperation with the State) and execute a “Knowledge Transfer and Training Plan” that describes roles and responsibilities of the State and Contractor and the approach for bringing managers, end users, and technical personnel to an appropriate level of understanding with the Solution.

YES

As part of the Project Scope, Fusion will develop, provide, and manage a detailed plan for training. The plan will include, at a minimum:

• The role and responsibility of Fusion and DOC in the design and implementation of the training plan (e.g., development of customized training materials, delivering training to DOC end users)

• The role and responsibility of DOC staff in the design and implementation of the training plan.

• Overview of proposed training plan/strategy, including options for on-site or off-site training services, for the core project team, end users, and technology personnel.

• Proposed training schedule for DOC personnel of various user and interaction levels.

• Descriptions of classes/courses proposed in the training plan.

• The knowledge transfer strategy proposed as to prepare DOC staff to maintain the system after it is placed into production.



• Detailed description of system documentation and resources that will be included as part of the implementation by Fusion including, but not limited to, detailed system user manuals, “Quick Reference” guides, online support, help desk support, user group community resources, and others as available.


I3.2

The Knowledge Transfer and Training Plan will address and describe, at a minimum: - Training goals/standards and the specific plan for training technical personnel and end users. - Size of population and types of roles that need training - Strategy for providing training early in the project to allow the training goals to be implemented throughout the project life Phase. - Tasks, deliverables, and resources necessary to complete the training effort and identify tools and documentation that will be necessary to support the proposed effort. - Types of training, the specific courses and course materials, the training approach for both technical personnel and end users, and how training effectiveness will be measured. - Deliverables to support initial and ongoing training including user manuals, Solution manuals, and on-line help and training materials for technical/non-technical personnel. - Knowledge Transfer to enable the State personnel to operate, maintain, configure and modify the Solution including operation of the testing tools, supporting infrastructure, report generation, role-based permissions, and security as agreed between the State and Contractor. - Metrics for tracking progress in achieving training and knowledge transfer objectives. - Reporting progress of training and knowledge transfer activities. - Additional training for technical staff on development, reporting and maintenance including processes and tools as needed.

YES




I3.3

The Contractor will provide train-the-trainer and end user training documentation (including user manuals, online content, reference cards, etc.).

YES

Fusion’s training utilizes a consultative approach. This approach has many benefits and a “train-the-trainer” strategy allows you to fully understand the setup of their system the independence to adjust, change, or recreate workflows in the future. Our implementation focuses on your business objectives. Upfront scoping of business needs defines common project expectations, establishes mutual goals and objectives, and solidifies agreement on the project plan. Fusion’s Project Manager and Implementation Consultant (s), along with the client’s Project Manager, will follow an implementation plan based on best practices from many successful implementations. Super-Users serve as your in-house EHR software experts. Super-Users will be designated by you and should have an advanced understanding of computers, as well as be able to provide effective training if required. Super-Users will complete all the training modules to ensure they are able to effectively navigate the program in its entirety. As part of Fusion’s training services, DOC staff will be provided unlimited access to the Health Learning System (HLS). HLS is a web-based video tutorial that outlines the general navigation and functionality of Centricity. Enrollment and completion of HLS is strongly recommended as a pre-requisite for all staff to ensure the best outcome following more detailed training. Access to HLS will be available to all current and future staff of DOC and is an excellent tool for onboarding new staff as well as refresher training.


I3.4

The Contractor will provide the State a training course outline for review and acceptance at least thirty (30) calendar days prior to the beginning of scheduled training. YES

Fusion will provide the State a training course outline for review and acceptance at least thirty (30) calendar days prior to the beginning of scheduled training.



I3.5

The Contractor will submit all training packages to the State for review and acceptance at least twenty-one (21) calendar days prior to the beginning of scheduled training.

YES

Fusion will submit all training packages to the State for review and acceptance at least twenty-one (21) calendar days prior to the beginning of scheduled training.


I3.6

The Contractor will provide training materials for each enhancement release and will publish the updated manuals online in the User Areas. The manuals are provided in Adobe PDF format. YES

Fusion will provide training materials for each enhancement release and will publish the updated manuals online in the User Areas. The manuals are provided in Adobe PDF format.


I3.7

The Contractor will provide all training materials developed for the Solution to the State. Those materials will become the property of the State and may be modified and duplicated by the State.

YES

Our clients are always given full ownership of their data. Fusion will provide all training material both in hard copy and online via training portal. We will also provide the data dictionary, data model, and system integration kit training material as well. Technical staff will be trained in the areas of system configuration, database management, troubleshooting, and system maintenance and support, among others. These documents, combined with our commitment to excellence in training and support, empowers our clients to be 100% self-sufficient.

Fusion recognizes training as one of the most important investments you can make with regards to the success of your new EHR. Because the EHR’s ultimate success will rely heavily on the users who input the data, Fusion is extremely serious about training and system setup. Our company has developed a dynamic, hands-on training program which we will precisely tailor to meet your needs. Our training is designed to provide detailed role specific instruction to all users through the use of training modules.

I3.8

The Contractor will provide electronic copies of all training materials (end-user, technical, trainee, and instructor) in a format (Word, Excel, PDF) that can be easily accessed, updated, and printed by State staff using software for which the State owns licenses, prior to deployment onto the staging platform.

YES

Fusion offers online training videos and a workflow training manual both in print and in digital format.



I3.9

The Contractor will provide updated training documentation for all departments and agencies using the platform, as necessary, to incorporate new processes or functionality due to Solution releases, upgrades, or changes throughout the contract term.

YES

Fusion will provide updated training documentation for all departments and agencies using the platform, as necessary, to incorporate new processes or functionality due to system releases, upgrades, or changes throughout the contract term.


I3.10

The Contractor will schedule all training during regular work hours as approved by the State, unless the Contractor receives advance approval from the State for specific training at other times. YES

Fusion will work with the State to schedule all training during regular work hours unless the Fusion receives advance approval from the State for specific training at other times.


I3.11

The Contractor will provide all training within the State of Vermont at locations convenient to the attendees of the training.

YES

Onsite training will be provided within the State of Vermont at locations convenient to the attendees of the training.


I3.12

The Contractor will schedule staff training in a manner that is least disruptive to normal business operations.

YES

Fusion will work with the State to schedule staff training in a manner that is least disruptive to normal business operations.


I3.13

The Contractor will provide instructions to the State on Contractor tools and procedures used to support the training.

YES

Fusion will provide instructions to the State on Fusion’s tools and procedures used to support the training. For example, as part of Fusion’s online training services/offerings DOC staff will be provided unlimited access to the Health Learning System (HLS). HLS is a web-based video tutorial that outlines the general navigation and functionality of Centricity. Enrollment and completion of HLS is strongly recommended as a pre-requisite for all staff to ensure the best



outcome following more detailed training. Access to HLS will be available to all current and future staff of DOC and is an excellent tool for onboarding new staff as well as refresher training

I3.14

The Contractor will ensure that Contractor staff members are not assigned to train State staff while concurrently working on critical path development tasks. YES

Fusion will ensure that Fusion staff members are not assigned to train State staff while concurrently working on critical path development tasks.


I3.15 The Contractor will develop end-user training on the Solution’s business functionality.

YES

Fusion will provide end-user training on the Solution’s business functionality.


I3.16

The Contractor will provide both end-user classroom training/train-the-trainer sessions, and on-line, interactive training as agreed with the State for all end-users. YES

As part of Fusion’s training services, we will provide you with onsite and remote job‐specific, interactive training to staff who will be using Centricity. An introductory video and online pre‐coursework material will be offered to your staff to ensure full comprehension of Centricity, followed by onsite training prior to go-live.


I3.17

The Contractor will develop and perform train-the-trainer training sessions, as appropriate.

YES

Fusion’s training utilizes a consultative approach. This approach has many benefits and a “train-the-trainer” strategy allows you to fully understand the setup of their system the independence to adjust, change, or recreate workflows in the future.


I3.18

The Contractor will identify the number of staff necessary for maintenance and operations of the Solution as well as the skill sets necessary, with the States agreement.

YES

Fusion will identify the number of staff necessary for maintenance and operations of Centricity as well as the skill sets necessary, with the States agreement.




I3.19

The Contractor will develop and provide training for the technical support staff including State staff and contractors.

YES

Technical employees will be trained in the use of the system and assessed upon the completion of each unit. Technical employees will work directly with the EHR software during the training course to ensure competency. Each technical employee will be walked through their business workflow within the system. Technical employees will also be given educational documentation which they keep. We will work with client staff who are responsible for technical training and installation of Centricity. We will provide the staff with all of the necessary technical training materials. The training will consist of, but not be limited to:

• All pre-implementation, post-implementation and maintenance of all operational software

• Testing and quality assurance of patches and upgrades in test environment

• System troubleshooting • Communication updates • Post-implementation technical support


I3.20

For the duration of the contract, the Contractor will provide training to the technical staff if Solution upgrades have been installed and if there is a change in Solution components functionality YES

As part of ongoing QA and Support by Fusion, meetings will be conducted post-implementation which will address EHR related projects. Included in these meetings will be a review of upcoming or current upgrades/updates. A change-list will be reviewed as well as discussion on how to conduct additional training.



I3.21

The Contractor will create a training approach and needs analysis early in each project Phase which will determine the training requirements. The State of Vermont has invested in the Oracle User Productivity Kit (UPK) and has a strong preference to use this investment to provide training to end users.

YES

Fusion will create a training approach and needs analysis early in each project Phase which will determine the training requirements.


Solution Design, Development & Customization Requirements

I4.1

The State utilizes a structured Software Development Life Phase (SDLC) that is consistent with industry-standard best practices as well as State requirements for Information Technology projects. The Contractor must use a structured SDLC process, including an iterative software development methodology and incremental deployment of functionality to the production environment. This includes software and database design, Solution configuration management plan and procedures, and user interface standards.

YES

Fusion uses a structured SDLC process, including an iterative software development methodology and incremental deployment of functionality to the production environment. This includes software and database design, system configuration management plan and procedures, and user interface standards.


I4.2 The Contractor will develop a Solution Software Development Life Cycle Plan.

YES

Fusion will develop a Solution Software Development Life Cycle Plan.


I4.3

The Contractor must submit a narrative describing the design and development approach and methodology with their proposal.

YES

Please refer to the previous answer as well as Fusion’s completed Appendix 5.27 for a comprehensive overview of our project management approach, methodologies, and implementation plan.


I4.4

All Contractor "change request" cost estimates must be fully explained, documented, approved, and available in Excel.

YES

Fusion’s Change Management process establishes an orderly and effective procedure for tracking the submission, coordination, review, evaluation, categorization, and approval for release of all changes to the project’s baselines.

Change requests are evaluated and assigned one or more of the following change types: Scope, Time, Duration, Cost, Resources, Deliverables, Product, Process, and Quality.


I4.5

The Contractor will incorporate the design and development approach into a comprehensive Design and Development Plan. YES

Fusion’s Design and Development Plan will describe the process that DOC and Fusion will engage in for accepting the design and development of the system.


I4.6

The Contractor will apply consistent development standards for all development works as described in offeror's SDLC such as coding convention, database, and field naming convention

YES

Fusion will apply consistent development standards for all development works as described in offeror's SDLC such as coding convention, database, and field naming convention


I4.7 The Contractor will provide the State access to all data on the test and production server.

YES

Fusion will provide the State access to all data on the test and production server.


I4.8

The Contractor will acquire authorization from the State for the use of production Solution resources (legacy data or source files), or data derived from the States production resources.

YES

Fusion will acquire authorization from the State for the use of production resources (legacy data or source files), or data derived from the State’s production resources.


I4.9

The Contractor will describe the overall testing approach and methodology used for the Solution deployment. The Contractor will work with the States Business Units in fine tuning the testing approach and get the States approval before starting the testing phase.

YES

There is no such thing as over testing and too much QA. We believe that having a full proof solution prior to deployment is what separates us from the competition. We will coordinate with DOC to devise a System Test Plan and include outcomes of the testing in a System Test Results Document. Testing begins with initial resource planning during the initiate phase, is designed in the Plan phase, and then is conducted during the Execute



and Control phases. Initially, we advise regarding the testing effort, with leadership and ownership gradually transferring to DOC. Once UAT is completed, Fusion will provide a UAT Results Document certifying that all required activities are completed to the satisfaction of the DOC. Unit/component testing Unit Stress testing is conducted using software best practices for HIPAA-compliant health record application design using the Microsoft Test Manager suite of products in the Microsoft Visual Studio development product line. The software test strategy focuses on access control, data sanitization, audit trails, accurate timestamping of data, data security and performance metrics.

Integration testing Centricity leverages Microsoft Team Foundation services to coordinate and regressively test all Centricity modules and components for integration and performance modeling.

Regression testing Centricity employs Telerik and Microsoft Test Manager products for bug mapping and regression testing of its Centricity EHR user interface.

Parallel testing The Visual Studio Microsoft Test Manager test platform suit used to develop Centricity simulates hundreds of combination of operating systems and browser versions for consistency of user experience and interface testing.

Stress/load/performance testing Stress/Load capacity testing is virtualized through the Microsoft Test Manager software suite simulating hundreds of concurrent user sessions in the Centricity web application for both single instance and multi-instance deployments.

Client acceptance testing Designated client project testers will be provided


during Dev and UAT, who will be testing credentials for proofing and user acceptance testing of all clinical forms, user interface modifications, security group mappings and data integration. All feedback with be integrated into final revisions for production rollout.

I4.10

Refer to Appendix 5.27, “EHR Project Management Documentation,” and complete the “Test Plans” section. All Integrated Solution Testing will be performed on the Enterprise Testing platform while the UAT will be performed on the Staging platform. No testing may be conducted on the production platform and all testing must be completed prior to deployment.

YES



I4.11

Testing and Development will have their own environments, separate from Production. Neither testing nor development will be performed in the production environment.

YES

Fusion sets up separate environments when the system is initially installed; test, development, and production. The intended use of each is given in its name. A best practice communicated to the client is to build all new or updated content in the Development environment. Once it has been completed it is moved into the Test environment for testing and certification by some combination of staff that typically includes a few end users. Once it has been certified, it is scheduled and moved into the Production environment where it immediately becomes available to all users. This will ensure that any bugs/issues are addressed prior to commitment of the update to ensure minimal disruption to the client. This model is the same whether the system is self-hosted or vendor-hosted.


I4.12

The Contractor will repeat the test life cycle when a failure occurs at any stage (e.g., a failure in Acceptance Testing that necessitates a code change will require the component to go back through Unit Testing, Integration Testing, and so forth).

YES

Fusion will repeat the test life cycle when a failure occurs at any stage (e.g., a failure in Acceptance Testing that necessitates a code change will require the component to go back through Unit Testing, Integration Testing, and so forth).



I4.13

The Contractor will build test plans, execute test plans, and create reports. The State will evaluate the Contractor’s test plans and Contractor test results. The State may validate the testing done by augmenting it with State testing.

YES

Fusion will build test plans, execute test plans, and create reports.


I4.14

The Contractor will document the testing tools, test configurations, and related documentation. The Contractor will provide all necessary performance testing scripts with input from the States Business Units. The State will have the final say on what is an acceptable performance.

YES

Fusion will document the testing tools, test configurations, and related documentation.

Fusion will provide all necessary performance testing scripts with input from the States Business Units.

I4.15 The Contractor will provide the State with the test scripts, test results, and quality reports.

YES

Fusion will provide the State with the test scripts, test results, and quality reports.


I4.16

The Contractor will provide staff to the State to answer questions and address any problems that may arise during testing conducted by the State. YES

Staff will be provided to answer questions and address any problems that may arise during testing conducted by the State.


I4.17

The Contractor will refine the test documents, procedures, and scripts throughout development and through full Solution acceptance to reflect the as-built design and current requirements. YES

Fusion will refine the test documents, procedures, and scripts throughout development and through full system acceptance to reflect the as-built design and current requirements.



I4.18

The Contractor will allow the State to run validation and testing software against externally facing Internet applications to help identify potential security issues and shall repair any deficiencies found during this testing.

YES

Fusion will allow the State to run validation and testing software against externally facing Internet applications to help identify potential security issues and shall repair any deficiencies found during this testing.


I4.19

As Solution events contain date and time- sensitive elements, the testing infrastructure must provide a method of altering and synchronizing the Solution date throughout each test phase. This requires the ability to change the Solution date and time in some scenarios.

YES

The testing infrastructure will provide a method of altering and synchronizing Centricity’s date throughout each test phase.


I4.20

All components of the Solution will accommodate leap year processing and daylight savings time start/end dates.

YES

All components of Centricity will accommodate leap year processing and daylight savings time start/end dates.


Implementation Plan

I5.1

Refer to and complete Appendix 5.27. The Contractor will describe the implementation approach and methodology to be used for the Solution.

YES

Please refer to Fusion’s completed Appendix 5.27 for a comprehensive overview of our implementation plan.



I5.2

Refer to and complete Appendix 5.27. The Contractor will incorporate the implementation approach into a comprehensive “Implementation Project Schedule” which will be added to other PM plans as part of the PMO. The State requires incremental deliveries of functionality to the production environment. The State anticipates considerable collaboration with the Contractor in the plan's construction, with attention to high complexity components of the existing the State Solutions as well as the proposed Solution.

YES



I5.3

Disaster recovery requirements relative to the physical Solution components and planning for recovery from operational failures are the responsibility of the Contractor. The Contractor will develop an Operational Recovery Plan – refer to Appendix 5.27.

YES



I5.4

Refer to Appendix 5.27. As part of its “Implementation Plan,” the Contractor will incorporate the interface management approach for all interface mechanisms used for the Solution (e.g. batch, ESB/web services).

YES



I5.5

The Contractor will validate that each interface is working correctly. The Contractor will repair all interface-related problems caused by Contractor-developed interfaces. YES

Fusion will validate that each interface is working correctly. Fusion will repair all interface-related problems caused by Fusion-developed interfaces.


I5.6

The Contractor will assist the State in identifying root causes for all Solution interface related problems.

YES

Fusion will assist the State in identifying root causes for all Solution interface related problems.




I5.7

The Contractor will provide a software configuration management Solution to store, control, and track instances (baselines during the construction life cycle) of all software configuration items that will be developed for the Solution.

YES

Fusion will provide configuration management solution to store, control and track instances through our project management software (Jira) and our document store (SharePoint).


I5.8

The Contractor must use a widely used "industry standard" software configuration management tool.

YES

Fusion will provide configuration management solution through our project management software (Jira) and our document store (SharePoint).


I5.9

The Contractor will describe the requirements management approach and methodology used for the Solution Project.

YES

Fusion will describe the requirements management approach and methodology used for the EHR Project.



I5.10

When functionality is ready to be delivered to the State for User Acceptance Testing (UAT), it will be delivered in the form of a pre- production release (defined as ready for production in every respect but just not yet in production). Since the State will approve all releases into production, a pre-production release is equivalent to a production release and requires the rigor associated with a production release. Upon successful completion of UAT, the State will schedule a release to be moved to the production environment. Each pre-production release will include the following: - Release-specific hardware and software Solution components. - Release description including architecture or design updates, new functionality introduced, defects fixed, modifications to interfaces with other Solutions, other changes to existing code, and any software and hardware configuration changes. - Release contents including a description of the release structure and contents and instructions for assembling and/or configuring the components of the release. - Test Plan and test execution results. - Detailed hardware and software configuration information including any software and hardware dependencies and instructions at a level of detail that will enable administration staff to rebuild and configure the hardware environment without outside assistance. - Database documentation conforming to industry standards. - Detailed configuration information for any 3rd party hardware and software. The Contractor will provide updated documentation when Solution upgrades to software or equipment occurs through the

YES

When functionality is ready to be delivered to the State for User Acceptance Testing (UAT), it will be delivered in the form of a pre- production release (defined as ready for production in every respect but just not yet in production).



life of the contract.


I5.11

Deployment will be iterative from both a business process and applied technology perspective and will be accepted by the State through application of the acceptance criteria in testing plans

YES

Deployment will be iterative from both a business process and applied technology perspective and will be accepted by the State through application of the acceptance criteria in testing plans


I5.12

The Contractor will assist the State with testing and release preparation in the pre- production environment

YES

Fusion will assist the State with testing and release preparation in the pre- production environment


I5.13

The Contractor must provide support staffing information such as the proposed number, ratios, duration, and roles/responsibilities for on-going support (as identified in previously submitted implementation approach and plan).

YES

Fusion will provide support staffing information such as the proposed number, ratios, duration, and roles/responsibilities for on-going support (as identified in previously submitted implementation approach and plan).



I5.14

Upon successful completion of the pre- production testing, the Contractor will, in coordination with the State, create a Production Release Plan that will consist of an updated Pre-Production Release notification to assist the State in successfully releasing and maintaining the Solution in the Production environment. It must include, but not be limited to, the following components: - Updated Configuration Information required satisfying the Solution production configuration management requirements. - Updated Solution Architecture. - Updated Detailed Design, including detailed Solution, technical, and user documentation. - Deployment schedule - Blackout plan (complete/incremental)

YES

Upon successful completion of the pre- production testing, Fusion will, in coordination with the State, create a Production Release Plan that will consist of an updated Pre-Production Release notification to assist the State in successfully releasing and maintaining the Solution in the Production environment. It must include, but not be limited to, the following components: - Updated Configuration Information required satisfying the Solution production configuration management requirements. - Updated Solution Architecture. - Updated Detailed Design, including detailed Solution, technical, and user documentation. - Deployment schedule

Blackout plan (complete/incremental)


I5.15

For proposals that would migrate the State from its existing EHR, the Contractor will provide data conversion from the legacy Solutions to the new Solution.

YES

Our team has extensive experience in roll-over implementations, keeping legacy systems alive and running, while scripts port over information from the legacy system(s) into Centricity. Our team is more than capable of migrating the data from CorrecTek to Centricity within the time required. As part of our project plan, we will discuss other data elements DOC would like to capture, discuss various methods of data conversion, and then come up with the proper plan for the project. Following final acceptance of Centricity by DOC and appropriate user training, we can simply ‘switch’ the facilities from CorrecTek to Centricity.


Quality Management Requirements

I6.1

The Contractor will describe the quality management approach and methodology used for the Solution with input from the Business Units. YES

The purpose of Fusion’s Quality Management Plan is to develop a reasonable and appropriate method to arrange for reviews of Deliverables, particularly as they relate to the configuration and build of the system, to ensure delivery meets the standards of the agency. Our plan includes the process for finalizing the configuration build, as well as all interfaces and data migrations needed for a

Step 1: Component, content, quality, and other criteria that will comprise the Deliverables will be discussed and agreed upon between the respective Project Managers (Fusion & DOC). Step 2: Draft Deliverables will be delivered to the DOC Project Manager according to the approved Project Schedule. Step 3: DOC Project Manager will arrange for


successful go live. Prior to deployment, all phases of the configuration build will be signed off on.

team and interested project team members to review of Deliverables within three to five day period as defined the Project Schedule. Step 4: Reviews shall provide written feedback on the Deliverables to include comments on accuracy of information captured, insufficiency of description, and completeness to described scope, ensuring that the product and project deliverables meet industry standards and are fit for use in executing and/or controlling objectives. Step 5: Deliverable owner will take note of and address comments and feedback from Reviewer and make needed improvements and clarifications to Deliverable and resubmit to the DOC Project Manager for Final Review and Approval. Step 6: Project Manager will send Deliverable to DOC Project Manager for approval.

Production Support and Transition Requirements

O1.1

If the Contractor is proposing to migrate from the current EHR Solution to a new Solution, the Contractor will describe the production support and transition approach and methodology for the Solution, as agreed between the Contractor and the State.

YES

The data conversion process is a highly detailed aspect of most installations. Understanding the desired-end state of your Centricity implementation is a key consideration when deciding the type of conversions to do. Fusion has performed virtually every type of conversion that can be done, from large to small, brand-named systems to homegrown. We recognize the critical nature of converting your existing data from your current CorrecTek EHR system and factor conversion planning and specification design into our project plans. We will conduct a review of the project management plans, methodologies and approach to monitoring the critical elements of the EHR implementation work plan and schedule. In addition, we will develop agreed-upon quality control criteria and review their deliverables against those criteria.

Fusion will draft a data migration audit plan which includes the following audit objectives:

• Ensure that the source data is being properly extracted prior to conversion as well as preserved and protected post conversion.

• Ensure that controls are in place to verify that data transferred accurately and completely between systems.

• Ensure that appropriate testing, including regression analysis, is being done with converted data on impacted applications and management reporting.


O1.2 The Contractor will describe their “Production Support and Transition Plan” in the “Implementation Project Schedule” section of Appendix 5.27.

YES



O1.3

The Contractor will identify the root cause of corrupted data, identify Solution for fix, and repair corrupted data that is associated with a problem in the Solution. YES

Fusion will identify the root cause of corrupted data, identify the fix, and repair corrupted data that is associated with a problem in Centricity.


O1.4

With concurrence from the State, the routine planned maintenance activities will be scheduled without disrupting the negotiated operational hours. Contractor will provide the State with a copy of the schedule at least 30 days in advance of the scheduled maintenance date for approval.

YES

Routine planned maintenance activities will be scheduled without disrupting the negotiated operational hours. Fusion will provide the State with a copy of the schedule at least 30 days in advance of the scheduled maintenance date for approval.


O1.5

The testing tools and test configurations will be provided to the State and responsible entities and appropriate training to the State personnel will be provided as the Solution are transitioned into support YES

Testing tools and test configurations will be provided to the State and responsible entities and appropriate training to the State personnel will be provided.


O1.6

The Contractor will provide instructions and training for responsible entity support staff that may need to access and support the Solution remotely (e.g. through PDAs, tablet PCs through a VPN).

YES

Fusion will provide instructions and training for responsible entity support staff that may need to access and support Centricity remotely (e.g. through PDAs, tablet PCs through a VPN).


O1.7

The Contractor will develop an automated process for purging production Solution files as determined by the State data governance team.

YES

Fusion will develop an automated process for purging production Solution files as determined by the State data governance team.




O1.8

Upon completion of any maintenance call, the Contractor will furnish a maintenance activity report to the State within 24 hours and provide any clarification to the questions as needed, which will include, at minimum, the following: - Date and time notified. - Date and time of arrival. - If hardware, type and serial number(s) of machine(s). - If software, the module or component name of the affected software code. - Time spent for repair. - List of parts replaced and/or actions taken. - Description of malfunction or defect. - Description of root cause of malfunction or defects. - Description of fixes.

YES

Upon completion of any maintenance call, Fusion will furnish a maintenance activity report to the State within 24 hours and provide any clarification to the questions as needed, which will include, at minimum, the following: - Date and time notified. - Date and time of arrival. - If hardware, type and serial number(s) of machine(s). - If software, the module or component name of the affected software code. - Time spent for repair. - List of parts replaced and/or actions taken. - Description of malfunction or defect. - Description of root cause of malfunction or defects.

Description of fixes.


O1.9

The Contractor will produce a Solution Training Manual, which will serve as an operator's instruction manual. It will include Solution administration procedures and describe the scheduled operations of the production Solution. It will include but not be limited to specific instructions on things an operator needs to do to manage the Solution on a daily basis, descriptions of administrative tasks, instructions on how to run the job, and what to do in abnormal situations.

YES

Fusion will produce a Training Manual, which will serve as an operator's instruction manual. It will include administration procedures and describe the scheduled operations of Centricity. It will include but not be limited to specific instructions on things an operator needs to do to manage Centricity on a daily basis, descriptions of administrative tasks, instructions on how to run the job, and what to do in abnormal situations.



O1.10

The Solution component documentation will include at a minimum: - A Data Dictionary - Data Model(s) - Interface design specifications - Passwords & activation codes - A Developer's Manual outlining and detailing operating, maintenance, development, processes, standards, procedures, plus any other technical information required to fully support the application. - Operations Phases and procedures including batch or background process schedule, dependencies, sequencing, and timing. - Administrative Tasks including users administration, Solution security administration, reference data maintenance, creation of report templates and maintenance of service provider data and contracts. - Other reference materials and presentations required to supplement the training and support activities.

YES

Documentation will include at a minimum: - A Data Dictionary - Data Model(s) - Interface design specifications - Passwords & activation codes - A Developer's Manual outlining and detailing operating, maintenance, development, processes, standards, procedures, plus any other technical information required to fully support the application. - Operations Phases and procedures including batch or background process schedule, dependencies, sequencing, and timing. - Administrative Tasks including users administration, Solution security administration, reference data maintenance, creation of report templates and maintenance of service provider data and contracts. - Other reference materials and presentations required to supplement the training and

support activities.


O1.11

The Contractor will provide documentation that describes the procedures for Solution administrators to add, update, or remove user IDs and passwords. YES

Fusion will provide documentation that describes the procedures for Solution administrators to add, update, or remove user IDs and passwords.


O1.12

The Contractor will provide the responsible entity with help and service desk scripts and decision trees for tier 1 help desk and tier 2+ service desk support. YES

Fusion will provide Service Level Agreement (SLA) monitoring and reporting capabilities. Service Level definitions will be drafted into a single document provided as an attachment to the contract.



O1.13

The Contractor will provide instructions and training for responsible support staff that may need to access and support the Solution remotely. YES

Fusion will provide instructions and training for responsible support staff that may need to access and support the Centricity remotely.


O1.14

The Contractor will agree to continue normal operational activities pending completion of the Transition-Out Plan activities and readiness assessment, as approved by the DOC Health Services Administrator or designee.

YES

Fusion agrees to continue normal operational activities pending completion of the Transition-Out Plan activities and readiness assessment, as approved by the DOC Health Services Administrator or designee.


Defect Resolution and Solution Acceptance Requirements

O2.1

During the maintenance period, the maximum time to restore the functionality of the Solution and resolve incidents will be within the timeframes listed below: -Severity Level One incidents will not exceed four (1) clock hours between the opening of an incident and final closure, unless a time extension is approved by the State. -Severity Level Two incidents will not exceed four (4) business hours between the opening of an incident and final closure, unless a time extension is approved by the State. -Severity Level Three incidents will not exceed twenty-four (24) business hours between the opening of an incident and final closure, unless a time extension is approved by the State.

YES

Fusion will abide to the State’s defect resolution and solution acceptance requirements, which are as follows: -Severity Level One incidents will not exceed four (1) clock hours between the opening of an incident and final closure, unless a time extension is approved by the State. -Severity Level Two incidents will not exceed four (4) business hours between the opening of an incident and final closure, unless a time extension is approved by the State. -Severity Level Three incidents will not exceed twenty-four (24) business hours between the opening of an incident and final closure, unless a time extension is approved by the State.

Agreed upon defect resolution and solution acceptance criteria will be implemented to measure the performance of specific Services or Service Elements. It will contain descriptions that provide the State’s framework and requirements relating to defect resolution commitments.

Solution Administration Requirements

O3.1 The Solution will provide data archiving capabilities based on State defined criteria

YES

Centricity can provide data archiving capabilities based on State defined criteria.




O3.2

The Solution will provide the capability to move all historical, expired and/or unnecessary data to offline storage according to a set of business rules and schedules to be defined by the State.

YES

Centricity provides the capability to move all historical, expired and/or unnecessary data to offline storage according to a set of business rules and schedules to be defined by the State.


O3.3

The Solution will maintain an archival process so that accumulated historical records and log files do not consume large amounts of disk space. YES

Centricity maintains an archival process so that accumulated historical records and log files do not consume large amounts of disk space.


O3.4

The Solution will provide an auto archive/purge of the log files to prevent uncontrolled growth of the log and historical records storage using administrator-set parameters.

YES

Centricity provides an auto archive/purge of the log files to prevent uncontrolled growth of the log and historical records storage using administrator-set parameters.


O3.5

The Solution will provide version control capabilities to ensure the integrity of all software releases.

YES

Centricity provides version control capabilities to ensure the integrity of all software releases.


O3.6 The Solution will provide logging and reporting for accessing errors and exceptions.

YES

Centricity provides logging and reporting for accessing errors and exceptions




O3.7 The Solution will monitor and provide reports on any unauthorized access.

YES

Centricity monitors and provides reports on any unauthorized access.


O3.8

The Solution will provide user privilege reports on demand. The format shall minimally provide role, last login, date of account creation, account type. YES

Administrators can run user privilege reports. Fusion has implemented a comprehensive internal audit and monitoring process on all software and services it provides to its clients. Our independent examination of our software products, software process, and services offered allow us to assess compliance with specifications, standards, contractual agreements, and other criteria.

O3.9 All Solution communications will be protected by at least 128-bit encryption.

YES

Within Centricity, all data are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash Algorithm and 256-bit SSL document transmission. SQL Server has built-in encryption capabilities for PHI data. It can encrypt both at rest and data in motion. AES encryption can be used for data at rest. SSL can be used for data in motion that is transferred between client workstations and the database server. Centricity provides encrypted passwords and encryption at the VPN level, Internet, Intranets, and wireless networks and devices.


O3.10

The Solution will be supported by public key/private key encryption Secure Socket Layer (SSL) certificates.

YES

Since Centricity provides access to PHI through a web browser interface, such as HTML over HTTP, the system includes the capability to encrypt the data communicated over the network via SSL (HTML over HTTPS). Centricity supports protection of integrity of all Protected Health Information (PHI) delivered over the Internet or other known open networks via SHA hashing and an open protocol such as TLS,

Within Centricity, all data are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash Algorithm and 256-bit SSL document transmission. SSL can be used for data in motion that is transferred between client workstations and the database server. Centricity provides encrypted passwords and encryption at the VPN level, Internet, Intranets, and wireless networks and devices.


SSL, IPSec, XML digital signature, or S/MIME or their successors.

O3.11

The Solution will use firewalls and Demilitarized Zones (DMZs) for external access and remote access.

YES

Our hosting services provide a dedicated firewall and VPN to block unauthorized access. They also require all users to authenticate before they may access any system. We typically deploy remote access via a WebSSL VPN and all data is encrypted behind each firewall. WebSSL connections are provided for remote-access, and only authorized users will have the ability to connect remotely.


O3.12 The Solution will prevent creation of duplicate accounts.

YES

Centricity can prevent creation of duplicate accounts.


O3.13

The Solution will have the option to indicate the type of user to be set up (e.g. Solution Administrator, Case Manager).

YES

The system administrator will have the option of setting up permissions for each kind of user (i.e. solution admin, case manager, etc.)


O3.14 The Solution will create a user profile for the new user.

YES

Administrators can create a user profile for the new user.


O3.15

The Solution will assign a user the proper access roles and create a user name and temporary password. YES

At the application level, Centricity heavily supports user login security, where a user’s login name and password must be entered before any application features are available for use. The system administrator may elect to invoke password encryption to further enhance security.



Note: There is a single sign-on for Centricity. The system administrator can also establish password characteristics such as minimum length, requirement for alphanumeric format, and password expiration time. In addition, a quick logout/screen-locking facility is always available, as is an idle-user logout.


O3.16

The Solution will have the capability to automatically deactivate a user account if there has been no log-in for a specified time (e.g., 90 days). The deactivation policy, related rules and final review requirements to be configurable by the State.

YES

Centricity can automatically deactivate a user account if there has been no log-in for a specified time (e.g., 90 days).

The deactivation policy, related rules and final review requirements to be configurable by the State.

O3.17 The Solution will lock out a user after a specified number of failed log-in attempts.

YES

Centricity enforces a limit of (configurable) consecutive invalid access attempts by a user. The system protects against further, possibly malicious, user authentication attempts using an appropriate mechanism, such as locking the account/node until released by an administrator, locking the account/node for a configurable time period, or delaying the next login prompt according to a configurable delay algorithm.


O3.18 The Solution will provide an online mechanism to unlock Users.

YES

Centricity uses Active Directory. The Active Directory user name and password are the credentials used to log into the network/workstation. User passwords are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash algorithm. The logon ID and password are stored and maintained in the Microsoft Windows Active Directory, often on a separate server, as well as in the Centricity EHR database. You must maintain logon IDs and passwords using Active Directory maintenance tools. Through a web portal, users will be allowed to make edits to the Active Directory Account, including unlocking users through an online mechanism.



O3.19

The Solution will display all current user- specified preferences (if existing) or default preferences (if none exist).

YES

In the administration portion of the EHR user preferences can be found and changed as needed. Only users with the appropriate permissions can view/edit permissions and preferences of other users.


O3.20

The Solution will allow users to set up or modify user preferences with possible override by (a) designated supervisor(s) within each department. Preferences may include but are not limited to:

a) Preferred method of communication (e.g., email, SMS, phone).

b) Subscription to alerts and notifications (e.g., changes to client record, new messages, referral changes).

c) Notification types desired.

YES

Centricity allows users to set up or modify user preferences with possible override by (a) designated supervisor(s) within each department. Preferences may include but are not limited to:

• Preferred method of communication (e.g., email, SMS, phone).

• Subscription to alerts and notifications (e.g., changes to client record, new messages, referral changes).

• Notification types desired.


O3.21

The Solution will display the selected preferences and allow the user to confirm or modify preferences.

YES

Administrators with proper permissions can have access to preferences and allow the user to confirm or modify preferences.


O3.22

The Solution will send a notification to the user that the personal preferences have been updated.

N/A

The System Administrator(s) will have the ability to send out a message to any user whose permissions have been changed.



O3.23

The Solution will have the ability to provide Users role-based access (as assigned/decided by VT, roles to be determined) to case management data. Users can be defined as any of the following: a) Nurses b) Charge Nurses c) Directors of Nursing d) Mental Health Professionals e) Care Coordinators f) Mid-Level Providers g) Medical Doctors h) Psychiatrists i) Recreational Therapists j) Physical Therapists k) Psychologists l) Health Services Administrators m) Regional Office Staff n) DOC Health Services Division staff o) Other entities as defined by VT

YES

Centricity enforces the most restrictive set of rights/privileges or accesses needed by users/groups, such as System Administration, Clerical, Nurse, Doctor, and so on, or processes acting on behalf of users, for the performance of specified tasks. Role-based security applies down to the field level.


O3.24

The Solution will allow Solution administrators to create user groups to manage workflow.

YES

Centricity provides the ability for authorized administrators to assign restrictions or privileges to users/groups. Centricity enables to associate permissions with a user using one or more of the following access controls: • User-based (access rights assigned to each user) • Role-based (users are grouped and access rights assigned to these groups) • Context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time-of-day, workstation-location, emergency-mode, and so on.)


O3.25

The Solution will allow Solution administrators to assign users to specific facilities.

YES

Centricity provides the ability for authorized administrators to assign restrictions or privileges to users/groups.



Centricity enables to associate permissions with a user using one or more of the following access controls: • User-based (access rights assigned to each user) • Role-based (users are grouped and access rights assigned to these groups) • Context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time-of-day, workstation-location, emergency-mode, and so on.)


O3.26

The Contractor will establish an automated maintenance routine that will at a minimum: - Backup the user IDs and password data - Identify expired IDs and related data YES

Fusion will establish an automated maintenance routine that will at a minimum:

- Backup the user IDs and password data Identify expired IDs and related data


O3.27

The Contractor will use offsite storage. Data backup should be stored off-site in the event of a physical disaster.

YES

As part of your Centricity implementation, a disaster recovery plan will be created whereby the location of the backup data as well as the method which the backups are created will be decided. Our co-location is in Philadelphia, PA which is used as our offsite disaster recovery location. Natural disasters and emergencies will failover to Fusion’s Disaster Recovery facility.


O3.28

The Contractor will provide disk (or equivalent) backups to protect Vermont data, with procedures in place for regular backup protection with a defined timeline and scheduling. Backups of Vermont data will take place using dedicated backup servers. The Contractor will provide documentation of processes for archiving and retrieving material from the off-site storage Contractor.

YES

As part of your Centricity implementation, a disaster recovery plan will be created whereby the location of the backup data as well as the method which the backups are created will be decided. Our co-location is in Philadelphia, PA which is used as our offsite disaster recovery location. Natural disasters and emergencies will failover to Fusion’s Disaster Recovery facility.


Solution Management Requirements


O4.1

The Solution will have the ability to generate administrative alerts and warnings when statistics indicate an impact or potential limits on Solution component performance and availability. The specific alerts will be defined by the hosting services provider. The State has a preference for the Oracle Performance Management toolsets such as Oracle Enterprise Manager, Grid Control, etc.

YES

Centricity provides the ability to generate administrative alerts and warnings when statistics indicate an impact or potential limits on Solution component performance and availability.


O4.2

The Solution will allow for all changes/updates to the distributed components to be administered and completed centrally and available immediately to all source Solutions and sites. YES

As part of the ongoing QA and Support by Fusion, meetings will be conducted post-implementation which will address reviews of upcoming or current upgrades/updates. A change-list will be reviewed as well as discussion on how to conduct additional training.

Even though Fusion has a comprehensive test plan for releases and updates, DOC will have access to a testing environment which will allow for key stakeholders to validate the update prior to committing it to the production environment. Upon sign off, all changes/updates to the distributed components will be administered and completed centrally and available immediately to all source Solutions and sites.

O4.3

The Solution will provide Service Level Agreement (SLA) monitoring and reporting capabilities. Service Level definitions will be drafted into a single document provided as an attachment.

YES

Fusion will provide Service Level Agreement (SLA) monitoring and reporting capabilities. Service Level definitions will be drafted into a single document provided as an attachment to the contract. Below are Fusion’s standard support tiers and response times: Incident Level 3 – Immediate Initial Response Contact Methods: Fusion Support Line & Fusion Help Desk Portal (24x7) Incident Level 2 – Immediate to 8-hour initial response Contact Method: Fusion Help Desk Portal (24x7) Incident Level 1– Immediate to 24 business hour response. Contact Method: Fusion Help Desk Portal (24x7)

Agreed upon specific Service Levels will be implemented to measure the performance of specific Services or Service Elements. It will contain descriptions that provide the State’s framework and requirements relating to service level commitments.


O4.4

The Solution will securely support the State’s and/or the Contractor’s existing remote control (i.e. support personnel ability to take over the user device for troubleshooting and support) capabilities deployed for any type of client workstation.

YES

Centricity will securely support the State’s and/or Fusion’s existing remote control (i.e. support personnel ability to take over the user device for troubleshooting and support) capabilities deployed for any type of client workstation.


O4.5

The Solution will provide event management and monitoring functionality according to Information Technology Infrastructure Library version 3 (ITIL v3) or equivalent best practices.

YES

Centricity is constantly monitored and possesses the necessary infrastructure and support, providing you with:

• Scalable infrastructure and storage for hosting applications

• Operating System management for industry standard vendors

• Management of vendor relationships for critical issues and on-site support

• On-site hardware support and remote problem diagnosis

• Proactive system monitoring and ITIL processes for change control and incident management

• 24/7 monitoring of infrastructure to ensure continuous service


O4.6

The Solution will provide Application Performance Monitoring and Management capabilities (i.e. transaction monitoring, synthetic transactions, component root cause analysis (e.g. Application Server Management)).

YES

Extensive internal monitoring systems are in place to ensure the critical uptimes and system health imperative of an inmate care environment.


O4.7

The Solution will provide transaction tracking and log consolidation capabilities across all tiers of the application.

YES

Transaction logs are constantly created which allow for rapid recovery of data should any issues arise.



4.5 Data Compliance Vendors and their solutions must adhere to applicable State and Federal standards, policies, and laws based on the type of data that will be stored, accessed, transmitted and/or controlled by the solution. If the “Type of Data” column is checked below, respond “Yes” or “No” in the “Comply” column and provide an explanation on how you comply in the “Vendor’s Description of Compliance” column.

Type of Data Applicable State &

Federal Standards, Policies, and Laws

Comply Vendor’s Description of Compliance

☒ Publicly available information

� NIST 800-171 YES

Centricity complies with 800-171. Centricity manages and protects the storing, processing, and transmitting of Controlled Unclassified Information (CUI).

☒ Confidential Personally Identifiable Information (PII)

� State law on Notification of Security Breaches � State Law on Social Security Number Protection � State law on the Protection of Personal

Information � National Institute of Standards & Technology:

NIST SP 800-53 Revision 4 “Moderate” risk controls

� Privacy Act of 1974, 5 U.S.C. 552a.

YES

Centricity data encryption capabilities coupled with Microsoft SQL Server RDMS for the industry best practice in securing Personally Identifiable Information (PII). Centricity's web technology further utilize HTTPS/SSL sessions and Microsoft Active Directory authentication to secure client server communication of inmate data.

☐ Payment Card Information � Payment Card Industry Data Security Standard (PCI DSS) v 3.2 -

☐ State Financial Data • Annual SSAE 18 SOC 2 Type 2 audit -

☐ Federal Tax Information � Internal Revenue Service Tax Information Security Guidelines for Federal, State and Local Agencies: IRS Pub 1075

-

☒ Personal Health Information (PHI)

� Health Insurance Portability and Accountability Act of 1996: HIPAA

� The Health Information Technology for Economic and Clinical Health Act HITECH

� Code of Federal Regulations 45 CFR 95.621

YES

Centricity provides industry best-practice for HIPAA compliant high-availability clinical data and network security solutions. Centricity is a fully functioning EHR that offers you a cost-effective, flexible Commercial-Off-The-Shelf (“COTS”) solution in compliance with Centers for Medicare and Medicaid Services (“CMS”) regulations, the Health Information Portability and Accountability Act (“HIPAA”), ICD-10 and is compatible to meet and exceed DOC’s goals and the functional requirements detailed in this RFP. Centricity is a Certified Electronic Health Record Technology (CEHRT) for the 2015 Edition (CHPL ID: 15.04.04.2902.Cent.12.00.1.171016) in accordance with the definition provided 45 CFR Part 170.102 as defined by the Office of the National Coordinator for Health Information Technology (ONC).


http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

http://legislature.vermont.gov/statutes/section/09/062/02435


http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

https://www.justice.gov/opcl/privacy-act-1974

https://www.pcisecuritystandards.org/document_library



http://www.irs.gov/pub/irs-pdf/p1075.pdf

http://www.hhs.gov/hipaa/index.html

http://www.hipaasurvivalguide.com/hitech-act-text.php

Type of Data Applicable State & Federal Standards, Policies, and Laws

Comply Vendor’s Description of Compliance

☒ Affordable Care Act Personally Identifiable Information (PII)

� Internal Revenue Service Tax Information Security Guidelines for Federal, State and Local Agencies: IRS Pub 1075

� Minimum Acceptable Risk Standards for Exchanges MARS-E 2.0

YES

Centricity data encryption capabilities coupled with Microsoft SQL Server RDMS for the industry best practice in securing Personally Identifiable Information (PII). Centricity's web technology further utilize HTTPS/SSL sessions and Microsoft Active Directory authentication to secure client server communication of inmate data.

☒ Medicaid Information � Medicaid Information Technology Architecture MITA3.0

� Code of Federal Regulations 45 CFR 95.621 YES

Centricity is a Certified Electronic Health Record Technology (CEHRT) for the 2015 Edition (CHPL ID: 15.04.04.2902.Cent.12.00.1.171016) in accordance with the definition provided 45 CFR Part 170.102 as defined by the Office of the National Coordinator for Health Information Technology (ONC).

☒ Prescription Information � State law on the Confidentiality of Prescription Information

YES

Within Centricity, all data are encrypted with Advanced Encryption Standard (AES) encryption with a SHA2/SHA-256 hash Algorithm. SQL Server has built-in encryption capabilities for PHI data. It can encrypt both at rest and data in motion. Centricity’s inherent infrastructure securely connects the solutions used by health care professionals, prescribers, pharmacies, health care facilities and pharmacy benefit managers, health insurers, third-party administrators, and agents and contractors of those persons in order to facilitate the secure transmission of an individual's prescription drug order, refill, authorization request, claim, payment, or other prescription drug information.

☐ Student Education Data � Family Educational Rights and Privacy Act: FERPA -

☐ Personal Information from Motor Vehicle Records

� Driver’s Privacy Protection Act (“DPPA”) 18 U.S.C. Chapter 123, §§ 2721 – 2725 -

☒ Criminal Records � Criminal Justice Information Security Policy: CJIS

YES

The data centers are SSAE-18 audited and are CJIS compliant. We are also ISO 27001 certified using AES-256 standard data centers with 256-bit SSL document transmission. Fusion’s data centers are audited annually and are consistently meeting and exceeding data center security standards for healthcare.




https://www.medicaid.gov/medicaid-chip-program-information/by-topics/data-and-systems/mita/medicaid-information-technology-architecture-mita-30.html




http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

https://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

PART 5: IMPLEMENTATION/PROJECT MANAGEMENT APPROACH

1. Describe the approach you would recommend for project managing this engagement.

Fusion leverages industry best practices and approaches every project with a partnership mentality, working in conjunction with the client to ensure that the EHR is implemented on time, on budget and complete. Unlike any other vendor, Fusion intimately understands what it takes to get an EHR system live at correctional health facilities. Fusion leverages its extensive knowledge of the EHR and Correctional Health space and will collaborate with VTDOC to ensure that the system truly meets their workflow both now and for the future. Our Subject Matter Experts (SMEs) come with years of experience to be much more than ‘yes-folks’ when it comes to clinical content development and overall implementation and go-live of Centricity. Fusion will leverage its knowledge and experience of how things are done throughout the country to provide VTDOC with proven options and alternatives throughout the implementation. Centricity has been at the forefront of Electronic Health Records for nearly two decades in the correctional health setting. Centricity has over 6,000 total client installations across the country. These clients include numerous County, City and State Department of Corrections, Department of Juvenile Justice, and Public Health Departments, among others. Centricity manages over 250,000 offenders in over 200 correctional facilities throughout the country. Not only are we the largest EHR vendor for State DOCs and DJJs, we are also the industry leader in the replacement of legacy EHR systems for State DOCs and DJJ’s across the country. Over the past three years alone, we have a 100% RFP win rate and have contracted and implemented three State DOCs. Our team has extensive experience in roll-over implementations, keeping legacy systems alive and running, while scripts port over information from the legacy system(s) into Centricity. Our team is more than capable of migrating the data from CorreccTek to Centricity within the time required. As part of our project plan, we will discuss the data elements VTDOC would like to capture, discuss various methods of data conversion, and then come up with the proper plan for the project. Following final acceptance of Centricity by VTDOC and appropriate user training, we can simply ‘switch’ the facilities from CorrecTek to Centricity. Most recently we partnered with Rhode Island Department of Corrections to implement Centricity and replace Nextgen EHR, which was all successfully completed within 30 days. A system installed for one Correctional Agency can be a resounding success. Another organization may use the same system inefficiently and get marginal results. The difference is often in the way it is installed, whether it is thoughtfully tailored, whether the users are well-trained and engaged in their jobs, and whether top-level management supports it. The Centricity EHR methodology ensures that implementations are on time, on budget, and, most importantly, that they meet VTDOC’s business objectives. The Centricity mission is simple: All clients should be best performers. Fusion’s approach to a successful implementation is based on a winning combination of:

• People – a partnership between your committed team and our expert Centricity Services consultants • Process – proven Six Sigma, change management, and data tools to set targets and maintain improvements


• Plan – the right implementation methodology, project milestones and a variety of learning options to meet the specific training needs of your organization. Our Blended learning approach includes onsite training, WebEx sessions and Computer Based Training delivered at the appropriate time to the appropriate audience.

Engagement Preparation (Initiate) Fusion will organize and deliver detailed requirements specific to the EHR project. We will hold a Kick-Off Meeting to provide a high level Project Schedule/Work Plan with key tasks, dates, milestones, deliverable descriptions and VTDOC staffing requirements that are necessary to ensure a successful go-live. Initial Assessments and Planning Fusion’s methodology provides the framework and approach needed to identify, collect, analyze and validate the operational, functional, and technical performance requirements for the new EHR. Our methodical approach allows us to dig deep in identifying the true workflow and includes some of the following metrics:

• Review & Analysis of the current business process and practices • Analyzing existing technologies and associated system documentation • Interviewing representatives of impacted functional areas and work groups • Other healthcare affiliates and partners for gathering data regarding their business and technical needs.

Our approach for an EHR project starts with consultation with the representatives of VTDOC and the awarded Health Service Vendor who will be involved in the project as well as those whose operations are in line with the EHR. This will allow us to establish a baseline of understanding and to further confirm particulates of the overall project plan. Project Initiation and Planning Our project team will initially meet with the Healthcare and IT Leadership Team to plan the activities to complete the scope of work for this phase of the EHR project, including confirming the objectives, defining our approach and timeframes, identifying key user groups and gaining agreement on the Phase One (1) deliverables. We will document the resulting information in our project management system which will serve as the key data repository for the entire process. Risks and issues identified during the process will be captured in the Risk and Issues logs and included in the final Project Management Plan (PMP). The project team will meet with VTDOC’s project team to review our initial draft for the Communications Plan. We will work with the team to identify members of the work groups representing the affected functional areas, stakeholders and other key personnel within the organization. We will prepare the initial draft of the Communications Plan for review and comment and finalize the Plan for acceptance by the leadership team and project sponsors. Next we will refine the high level work plan and specify at a detailed level all of the tasks, sub tasks and milestones necessary to complete this phase of the EHR project. The revised Project Charter, Detailed Project Plan and Schedule, Communication Plan PMP and Risk and Issue logs will be included in the final PMP for the EHR Requirements Definition phase of the EHR project.


Solution Planning (Analyze) Fusion will deliver Centricity to meet its primary requirements and deliver the functionality identified for this project. Conceptual Design Task Developing a conceptual design will allow for the identification of existing key components of the EHR and supplemental information systems while allowing the development of enhanced workflows. Centricity will enhance the operations of VTDOC, including:

• Availability and maintenance of healthcare data; • Access to EHR data and sharing of data on an enterprise-wide basis; • Management information based on real time data that is reliable, accurate and provides transparency and accountability, enhanced reporting

capabilities, ease of use, and portability; • Scalable as demands increase and support integration with other agency systems; • Quickly adapt to approved an/or pending local, state and federal legislation and regulations; and • Leverage industry best practices and adaptable to emerging technologies and future trends in health information technology.

We will then create the future “conceptual” EHR model including a high-level technology environment, security constructs, high level data schema, and business process descriptions that are enabled by Centricity. We believe that the benefits of this approach is that it presents the stakeholders with a potential vision to focus the discussion on tangible solutions and avoids “blue sky” scenarios which result in process decisions to fall short on account of technological or operations limitations. We will create a secured documentation library to deposit pertinent project documents, interview notes, weekly and monthly reports, and other project documents that is accessible by the project team members for each phase of the EHR project. This will be accessible by key stakeholders in the EHR implementation. Requirements Analysis The project team will leverage the Requirements Traceability Matrix (RTM) to finalize the EHR’s operational requirements. We will update the RTM that documents the business, functional, technical and performance requirements for the EHR. The RTM will list requirements within functional areas and provide for the classification of requirements by requirement ID, name and source. The RTM provides our project team and VTDOC with the opportunity to ensure completeness and that requirements are not omitted as work proceeds. EHR Fit/Gap Analysis Our approach provides VTDOC with a Fit/Gap Assessment Report of the EHR’s capabilities as compared with the organization’s RTM. We will document how the EHR proposes to meet each of the organization’s business, functional, technical and performance requirements and provide solutions to meet any identified gaps. We will document our findings and observations in the EHR Fit/Gap Analysis Report.


Solution Implementation (Design, Build, Test, Deploy) Our implementation approach streamlines the process of system design and allows VTDOC to take rapid advantage of the benefits of Centricity by shortening the duration of the implementation and improving the outcome. We back our model with the processes and people that facilitate communication and decision-making and effectively identify and overcome roadblocks to success. There are numerous benefits of the Centricity implementation approach, including but not limited to:

• Implementation of the system focuses on VTDOC’s business objectives. • VTDOC realizes the business benefits of their system sooner. • The scope of the project is detailed up front and is defined largely by the Sales Order. The benefits include:

o Common project expectations o Documented goals and objectives o A clear, mutually agreed upon project plan

• The design and build of the system are driven by the results of the initiate phase, which is tied to the VTDOC’s business context. Business context consists of your project objectives, business drivers, and critical success factors.

• We take on the role of "consultant," providing you with direction on setting up the system. • We facilitate a timely implementation. • Knowledge is transferred at the appropriate time using various training methods.

Up-Front Planning Implementation starts with a cross-functional, process-based analysis of VTDOC’s business objective, mapping our system functionality to meet organizational goals. Project phases and timetables are prioritized according to your business needs. The result is a detailed plan that yields the highest value in the shortest time. Up-front planning creates a better understanding of required resources and interdependencies, identifies risk factors and trade-offs earlier, and maximizes project control and predictability. Consultative Approach We assign Implementation Consultants with the healthcare experience and product knowledge necessary to advise VTDOC on best practice workflows and design decisions. These decisions will help you achieve optimal use of the software. Our consultants are assigned for the duration of the implementation project and become the VTDOC’s primary contact for application tasks. Tools We incorporate a number of standardized tools that build on our extensive experience to speed the implementation process. One of these tools, in particular, is our Computer Based Training suite (CBTs) which is available online anywhere an employee has Internet access. Our CBTs provide value in two distinct ways during an implementation. First, they offer the project team and Super-Users the ability to acquire base-line product knowledge in a self-paced and independent manner. When our implementation consultants engage to discuss workflows or provide product training, your team will be prepared to fully leverage their services. Secondly, by having end users take our CBTs, VTDOC will reduce the time it takes to train and ensure consistency in employee product knowledge.


We also leverage Cisco WebEx®, an online collaboration tool for real-time meetings, training, knowledge transfers, and product support sessions. This software allows all parties to view the same screen, whether that is a presentation or our application. Different parties can take control of the screen for hands on experience. This tool allows our remote training to be very effective and interactive, while allowing VTDOC participants, as well as Fusion, to be in different locations. Fusion will work in conjunction with VTDOC to collaborate on deliverables which have been identified in this proposal. Throughout the project, all deliverables which will reside on our Microsoft SharePoint server and on the Microsoft Project page(s) and will identify and deliverables and who will work in conjunction with our team to limit any risk delays and more importantly, increase transparency of all outstanding deliverables. Microsoft SharePoint is a browser-based collaboration and document management platform from Microsoft. This system allows Fusion to set up a centralized, password protected space for document sharing with VTDOC. VTDOC will have continuous access to SharePoint after go-live and will be the owner of all the documents available in the PIL. Key Features of the Centricity EHR Approach Several key features differentiate our implementation approach. The following sections provide additional detail. To ensure that communication during the implementation is effective, it is necessary for VTDOC and Fusion to follow standard communication methods. Along with the communication methods discussed, you and Fusion can maintain open lines of communication through more informal techniques. By working together at all times, we can solve implementation issues as they arise and not allow them to impede progress. The following communication methods are used throughout the implementation:

• Communication plan • Scope management process • Decision-making process • Status meetings/conference calls • General and Milestone status reports • Implementation survey

The following sections explain these communication methods. Communication Plan The specific communication plan is developed for each project. Successful projects require a clearly defined communication infrastructure. This communication plan details the stakeholders, the specific types of communication that will be delivered, timeline, and ownership. Scope Management Process As with all projects, the possibility of scope change exists throughout the implementation. Scope changes are a single item or group of items that create an alteration in the project plan requiring a modification in the project timeline, budget, or resource requirements. Scope changes are documented and evaluated on a case-by- case basis against the project and business objectives established by the client at the onset of the implementation. These changes are


reviewed with the steering committee for approval. If the change request is approved, the committee approves the required budget, resources, or system functionality change. The project plan is then adjusted as appropriate. Decision-Making Process The project team needs a well-developed, documented, and distributed decision- making process that everyone understands. This will remove barriers and contribute to meeting all project milestones. The assumption is that decision makers are present and involved in the implementation process. A clearly defined decision-making process has four key components:

• Identify project decision makers in the organization • Empower decision making at the lowest level of the project • Establish an effective escalation process from the project manager up • Document and communicate the decision making and escalation process

Status Meetings and Conference Calls Regular status meetings and conference calls between VTDOC and the designated project manager help maintain lines of communication throughout the implementation. General and Milestone Status Reports Status reports are documents that reflect the overall state of the project and of individual project plan tasks at each milestone. We provide status reports to ensure that the members of your implementation team know about the progress of and the impediments to implementation tasks. Implementation Survey Once your implementation is complete, your organization will receive the Centricity implementation survey. The implementation survey is a questionnaire designed to review the quality of your implementation. The survey poses questions about the overall implementation process and specific questions about events in each phase of the implementation. We will provide VTDOC’s project manager with the implementation survey at the transition meeting. The survey should be returned to the implementation manager. Responses to the implementation survey are used by us to evaluate the implementation process and to make continual improvements. Project Management As a standard for all of our projects, Fusion’s project managers use PMI’s PMBOK as a basis for all project management efforts. PMBOK is widely recognized as the standard for project management in many industries as well as by many state and local government departments of Information Technology (IT). The following provides a high level overview of the components of project management. Project management occurs throughout the entire implementation cycle. The implementation project manager has a hands-on role to manage and drive the


implementation to a successful conclusion. The emphasis is on joint ownership of the project between Fusion and VTDOC. The project manager provides leadership for both our internal team and the client team. We will provide a dedicated project manager that acts as VTDOC’s focal point of contact throughout the entire implementation and will guide and direct VTDOC staff through the steps of the implementation process. As part of the project plan, our project manager and the project lead trainer will perform facility assessments in which information will be shared and gathered by our project manager with VTDOC’s project team. We will then provide VTDOC with a project plan with milestones and guidelines that we will collectively and interactively discuss and complete on a weekly basis. Fusion’s project manager will actively participate in and contribute to the following project activities and phases. The PM team will then develop specific sections in the PMP for the EHR Implementation phase specifying the scope, schedule, resources and acceptance criteria for each of the required deliverables. We will conduct a review of the project management plans, methodologies and approach to monitoring the critical elements of the EHR implementation work plan and schedule. In addition, we will develop agreed-upon quality control criteria and review their deliverables against those criteria. During the implementation of Centricity, Fusion’s project team will discuss and mentor VTDOC’s project team on qualities of sound project management practices, project monitoring and quality assurance techniques that can be leveraged to minimize project related risks. The PM team will track progress against the work plans for each task and will meet with the organization on a regular basis to discuss progress, review any risk that have been identified or issues that have occurred and what we anticipate accomplishing in the upcoming weeks. Our approach to providing project management services has been proven on multiple projects to provide the guidance and oversight necessary to identify and mitigate risk, improve project results, and contribute to the overall success of the project. Systems Integration and Data Conversion The Systems integration and conversion portion of your implementation must be carefully incorporated into your project timeline. These services include demographics and clinical data migration from VTDOC’s current EHR system - CorrecTek, integration with other State HIE, interfaces to third-party applications like the OMS, pharmacy management system, and many more. Testing Testing begins with initial resource planning during the initiate phase, is designed in the Plan phase, and then is conducted during the Execute and Control phases. Initially, we advise regarding the testing effort, with leadership and ownership gradually transferring to VTDOC. Training Plan Fusion recognizes training as one of the most important investments you can make with regards to the success of your new EHR. Because the EHR’s ultimate success will rely heavily on the users who input the data, Fusion is extremely serious about training and system setup. Our company has developed a dynamic, hands-on training program which we will precisely tailor to meet your needs. Our training is designed to provide detailed role specific instruction to all users through the use of training modules. Our Education Services are designed for individuals or groups to acquire, refresh and increase proficiency in using Centricity. With flexible delivery options and a wide range of technical and functional courses, Fusion has developed a comprehensive set of modules and courses that are tailored for Correctional Health Services as well as many other modules and courses that can be tailored to fit any of your specific needs.


As part of Fusion’s implementation services, we will provide you with job‐specific, interactive training to staff who will be using Centricity. An introductory video and online pre‐coursework material will be offered to your staff to ensure full comprehension of Centricity prior to go-live. Our trainers are job-role specific and will train each one of VTDOC’s staff members accordingly. We train specific to job roles, allowing our detailed training activities to be presented to those who will use it most, allowing users to become Centricity experts in their respective areas. Beyond on-site training, we will provide access to additional online training videos and a workflow training manual both in print and also digitally. The training sessions will be comprehensive and modular. Our remote training options include: ¾ Unlimited Online Training - Unlimited access to e-learning courses available 24/7 ¾ Instructor-Led Training - Sign up for remote classes and dive deeper into a functional or technical class of your choosing ¾ Seminars - Virtually attend sessions on key EHR topics.

This section has been designed to coordinate training while setting the proper expectations for the training sessions. Fusion’s recommended approach will be provided for VTDOC as well as offering additional online training videos and a workflow training manual both in print and in digital format. Custom training material will be made available for staff and client personnel. The training sessions will be comprehensive and modular. Engagement Closure This is the fourth and final phase of the implementation. We understand that this is a critical step in the success of this project, and we are dedicated in seeing the successful use of Centricity at all of VTDOC’s facilities. Our project closure phase consists of system rollout and go-live events which include the following at a minimum:

• Alpha preview of EHR system • Any necessary additional system modifications • Beta preview of EHR system • All necessary training for all users; train the trainer and individual users through module training • Site Roll-out and go-live • Live support by consultants at each site for go-live

Fusion will support end to end system testing and final training for the final “go live”. This will entail the final cutover from all the functionality in the State legacy system, CorrecTek, to Centricity including all specified interfaces. Our technical team and analysts will review data being entered into the system to ensure accuracy and consistency. Should variations or errors be identified, trainers will discuss and spot-train staff accordingly. Our technical team will also make sure that the system is running smoothly and that all interfaces are running properly in real-time. The project manager will coordinate with VTDOC IT to ensure that all peripherals and technologies are configured and ready. The project manager will also provide a port go-live report to document the overall outcome of go-live. Also, in an unlikely event go-live is unsuccessful, the PM will have a contingency plan in place to resolve the current issue. Any and all issues are presented to the project manager for resolution.


Fusion is committed to continuously improving our processes and deliverables and a project de-brief is conducted to gather feedback and identify lessons learned.

2. Provide a list of the standard project management deliverables that you would normally produce for this type of engagement.

Project Timeline In this section you will find a comprehensive project and implementation GANNT chart showing the steps and projected length of time to complete each implementation step based on the information provided by VTDOC. The Project plan will meet the requirement of converting to Centricity from CorrecTek by 1/31/20. Fusion recently worked with Rhode Island Department of Corrections (RIDOC) to replace their legacy EHR system with Centricity all within a 30 day period. We understand VTDOC would like a quick turnaround time to replace CorrecTek, and if chosen as VTDOC’s partner for this project, we will absolutely be able to accomplish this feat.

Vermont DOC 1,260.3 hrs

174.25 days

Sat 6/1/19

Fri 1/31/20

TRACK 1 - CONTRACTING & LICENSING 34 hrs 7.25 days Sat 6/1/19 Wed 6/12/19 Begin Contract Negotiations 0 hrs 0 days Sat 6/1/19 Sat 6/1/19 Contract Review and Negotiations 20 hrs 5 days Mon 6/3/19 Fri 6/7/19 Contract Signature 1 hr 0.13 days Mon 6/10/19 Mon 6/10/19 Fiscal Organization 8 hrs 1 day Mon 6/10/19 Tue 6/11/19 PO Issued 1 hr 0.13 days Tue 6/11/19 Tue 6/11/19 Enterprise Licensing Activated 4 hrs 1 day Tue 6/11/19 Wed 6/12/19 TRACK 2 - PROJECT INITATION & PLANNING 61.55 hrs 14.25 days Mon 6/3/19 Fri 6/21/19 Project Initation & Planning 59.55 hrs 13.25 days Mon 6/3/19 Thu 6/20/19 Identification of Project Sponsor 0.3 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Selection of Steering Committee (If Necessary) 2 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Identification of Fusion Project Team 1 hr 1 wk Mon 6/3/19 Fri 6/7/19 Identification of Client Project Team 2 hrs 1 wk Mon 6/3/19 Fri 6/7/19

Initial Risks and Issues Log 1 hr 1 wk Mon 6/3/19 Fri 6/7/19


Business Category & Membership Identification 8 hrs 1 wk Mon 6/3/19 Fri 6/7/19

Registry of Stakeholders 2 hrs 1 wk Mon 6/3/19 Fri 6/7/19

Draft Communications Plan 2 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Draft Project Management Plan 2 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Draft Quality Management Plan 2 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Draft Training Plan 2 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Obtain Client IT Helpdesk Information (if available) 1 hr 1 wk Mon 6/3/19 Fri 6/7/19 Obtain identification badges for Fusion Staff (if necessary) 1 hr 1 wk Mon 6/3/19 Fri 6/7/19 Client Submission of Clinical Content Uploaded to Sharepoint 24 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Stage Template Weekly Template Document 0.5 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Stage Template Weekly Project Status Document 0.5 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Prepare Business Kickoff Deck 3 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Prepare Technical Kickoff Deck 3 hrs 1 wk Mon 6/3/19 Fri 6/7/19 Site Survey 2.25 hrs 6 days Wed 6/12/19 Thu 6/20/19

Site Survey Provided 0.25 hrs 1 day Wed 6/12/19 Thu 6/13/19

Site Survey Completed 2 hrs 1 wk Thu 6/13/19 Thu 6/20/19 Project Kickoff Meeting 2 hrs 1 day Thu 6/20/19 Fri 6/21/19 Business Kickoff Meeting 1 hr 1 day Thu 6/20/19 Fri 6/21/19 Technical Kickoff Meeting 1 hr 1 day Thu 6/20/19 Fri 6/21/19 TRACK 3 - FACILITY TOURS (As Needed) 21 hrs 2 days Fri 7/5/19 Tue 7/9/19 Facility #1 3.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Staffing Structure 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Encounter Statistics 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Med Passes 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Ancillary Systems 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Workflow Analysis 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Locations of Care 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Accessibility/Movement for Go-Live Effort 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Facility #2 3.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19


Staffing Structure 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Encounter Statistics 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Med Passes 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Ancillary Systems 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Workflow Analysis 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Locations of Care 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Accessibility/Movement for Go-Live Effort 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Facility #3 3.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Staffing Structure 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Encounter Statistics 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Med Passes 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Ancillary Systems 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Workflow Analysis 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Locations of Care 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Accessibility/Movement for Go-Live Effort 0.5 hrs 0.5 days Fri 7/5/19 Fri 7/5/19 Facility #4 3.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Staffing Structure 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Encounter Statistics 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Med Passes 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Ancillary Systems 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Workflow Analysis 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Locations of Care 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Accessibility/Movement for Go-Live Effort 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Facility #5 3.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Staffing Structure 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Encounter Statistics 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Med Passes 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Ancillary Systems 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Workflow Analysis 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Locations of Care 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Accessibility/Movement for Go-Live Effort 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19


Facility #6 3.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Staffing Structure 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Encounter Statistics 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Med Passes 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Ancillary Systems 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Workflow Analysis 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Locations of Care 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 Accessibility/Movement for Go-Live Effort 0.5 hrs 0.5 days Mon 7/8/19 Tue 7/9/19 TRACK 4 - CLINICAL CONTENT DEVELOPMENT 285 hrs 91 days Fri 6/21/19 Mon 10/28/19 Clinical Content Identification 4 hrs 8 days Fri 6/21/19 Wed 7/3/19 Fusion Review of Clinical Content 2 hrs 1 wk Fri 6/21/19 Fri 6/28/19 Catalog of Forms to be Developed 2 hrs 3 days Fri 6/28/19 Wed 7/3/19 Business Category (BC) Workshops 281 hrs 83 days Wed 7/3/19 Mon 10/28/19 Nursing / Medical Assistant Services 72 hrs 60 days Wed 7/3/19 Wed 9/25/19

BC/Fusion Form Review and Workflow Discovery 10 hrs 1 day Wed 7/3/19 Thu 7/4/19

Intake & Transfers 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Sick Call 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Med Pass 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Infirmary 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Detox 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Urgent Emergent 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Lab/Radiology/Orders 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Referral Process 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Point of Care / Clinic Services 1 hr 1 day Wed 7/3/19 Thu 7/4/19 Other 1 hr 1 day Wed 7/3/19 Thu 7/4/19

Upload BC Specific Forms to SharePoint 4 hrs 1 wk Thu 7/4/19 Thu 7/11/19

Clinical Content Development Drafting 0 hrs 14 days Thu 7/11/19 Wed 7/31/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/11/19 Thu 7/11/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/11/19 Fri 7/12/19


<FORM NAME HERE> 0 hrs 0.5 days Fri 7/12/19 Fri 7/12/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 7/12/19 Mon 7/15/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 7/15/19 Mon 7/15/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 7/15/19 Tue 7/16/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/16/19 Tue 7/16/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/16/19 Wed 7/17/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 7/17/19 Wed 7/17/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 7/17/19 Thu 7/18/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/18/19 Thu 7/18/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/18/19 Fri 7/19/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 7/19/19 Fri 7/19/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 7/19/19 Mon 7/22/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 7/22/19 Mon 7/22/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 7/22/19 Tue 7/23/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/23/19 Tue 7/23/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/23/19 Wed 7/24/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 7/24/19 Wed 7/24/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 7/24/19 Thu 7/25/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/25/19 Thu 7/25/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/25/19 Fri 7/26/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 7/26/19 Fri 7/26/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 7/26/19 Mon 7/29/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 7/29/19 Mon 7/29/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 7/29/19 Tue 7/30/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/30/19 Tue 7/30/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/30/19 Wed 7/31/19 Form Review Sessions 12 hrs 50.5 days Wed 7/3/19 Wed 9/11/19 BC/Fusion Form Review Session #1 3 hrs 0.5 days Wed 7/31/19 Wed 7/31/19 BC/Fusion Form Review Session #2 3 hrs 0.5 days Wed 7/3/19 Wed 7/3/19 BC/Fusion Form Review Session #3 3 hrs 0.5 days Wed 7/3/19 Wed 7/3/19 Final BC/Fusion Form Review Session #4 3 hrs 0.5 days Wed 9/11/19 Wed 9/11/19


Clinical Content Development Refinment 25 hrs 30 days Wed 7/31/19 Wed 9/11/19 Training/Functionality Scripts 4 hrs 10 days Wed 9/11/19 Wed 9/25/19 Creation of Training/Functionality Scripts for Forms 2 hrs 7 days Wed 9/11/19 Fri 9/20/19 Sign-Off by Fusion Management 2 hrs 3 days Fri 9/20/19 Wed 9/25/19 BC Member Training 17 hrs 35 days Thu 7/4/19 Thu 8/22/19 BC Computer Based Training (HLS) 3 hrs 3 wks Thu 7/4/19 Thu 7/25/19 BC/Fusion System Access, Form & Workflow Training 0 hrs 1 day Wed 7/31/19 Thu 8/1/19 BC Self Guided Form & Workflow Review 6 hrs 3 wks Thu 8/1/19 Thu 8/22/19

BC Development of BC specific 'How-To' documentation 8 hrs 3 wks Thu 8/1/19 Thu 8/22/19

Advance Level Provider Services 72 hrs 57 days Wed 7/17/19 Fri 10/4/19


Intake & Transfers 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Sick Call 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Infirmary 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Chronic Care 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Annual Assessments 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Referral Process 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Urgent Emergent 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Dental 1 hr 1 day Wed 7/17/19 Thu 7/18/19 Other 1 hr 1 day Wed 7/17/19 Thu 7/18/19 On-Site Specialty Services (Ortho, OB/GYN, etc.) 1 hr 1 day Wed 7/17/19 Thu 7/18/19

Upload Missing BC Specific Forms to SharePoint 4 hrs 1 wk Thu 7/18/19 Thu 7/25/19

Clinical Content Development Drafting 0 hrs 11 days Thu 7/25/19 Fri 8/9/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/25/19 Thu 7/25/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 7/25/19 Fri 7/26/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 7/26/19 Fri 7/26/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 7/26/19 Mon 7/29/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 7/29/19 Mon 7/29/19


<FORM NAME HERE> 0 hrs 0.5 days Mon 7/29/19 Tue 7/30/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/30/19 Tue 7/30/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 7/30/19 Wed 7/31/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 7/31/19 Wed 7/31/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 7/31/19 Thu 8/1/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/1/19 Thu 8/1/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/1/19 Fri 8/2/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/2/19 Fri 8/2/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/2/19 Mon 8/5/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 8/5/19 Mon 8/5/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 8/5/19 Tue 8/6/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/6/19 Tue 8/6/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/6/19 Wed 8/7/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/7/19 Wed 8/7/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/7/19 Thu 8/8/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/8/19 Thu 8/8/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/8/19 Fri 8/9/19 Form Review Sessions 12 hrs 47.5 days Wed 7/17/19 Fri 9/20/19 BC/Fusion Form Review Session #1 3 hrs 0.5 days Fri 8/9/19 Fri 8/9/19 BC/Fusion Form Review Session #2 3 hrs 0.5 days Wed 7/17/19 Wed 7/17/19 BC/Fusion Form Review Session #3 3 hrs 0.5 days Wed 7/17/19 Wed 7/17/19 Final BC/Fusion Form Review Session #4 3 hrs 0.5 days Fri 9/20/19 Fri 9/20/19 Clinical Content Development Refinment 25 hrs 30 days Fri 8/9/19 Fri 9/20/19 Training/Functionality Scripts 4 hrs 10 days Fri 9/20/19 Fri 10/4/19 Creation of Training/Functionality Scripts for Forms 2 hrs 7 days Fri 9/20/19 Tue 10/1/19 Sign-Off by Fusion Management 2 hrs 3 days Tue 10/1/19 Fri 10/4/19 BC Member Training 17 hrs 32 days Thu 7/18/19 Mon 9/2/19 BC Computer Based Training (HLS) 3 hrs 3 wks Thu 7/18/19 Thu 8/8/19 BC/Fusion System Access, Form & Workflow Training 0 hrs 1 day Fri 8/9/19 Mon 8/12/19 BC Self Guided Form & Workflow Review 6 hrs 3 wks Mon 8/12/19 Mon 9/2/19


BC Development of BC specific 'How-To' documentation 8 hrs 3 wks Mon 8/12/19 Mon 9/2/19

Mental Health 71 hrs 56 days Wed 7/31/19 Thu 10/17/19


Initial Screening 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Case Loads & Follow Up Assessments 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Chronic Care 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Suicide Protocols 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Treatment Plans 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Group Counseling 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Referral Process 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Substance Use / Addiction Services 1 hr 1 day Wed 7/31/19 Thu 8/1/19 Other 1 hr 1 day Wed 7/31/19 Thu 8/1/19


Clinical Content Development Drafting 0 hrs 10 days Thu 8/8/19 Thu 8/22/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/8/19 Thu 8/8/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/8/19 Fri 8/9/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/9/19 Fri 8/9/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/9/19 Mon 8/12/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 8/12/19 Mon 8/12/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 8/12/19 Tue 8/13/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/13/19 Tue 8/13/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/13/19 Wed 8/14/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/14/19 Wed 8/14/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/14/19 Thu 8/15/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/15/19 Thu 8/15/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/15/19 Fri 8/16/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/16/19 Fri 8/16/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/16/19 Mon 8/19/19


<FORM NAME HERE> 0 hrs 0.5 days Mon 8/19/19 Mon 8/19/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 8/19/19 Tue 8/20/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/20/19 Tue 8/20/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/20/19 Wed 8/21/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/21/19 Wed 8/21/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/21/19 Thu 8/22/19 Form Review Sessions 12 hrs 46.5 days Wed 7/31/19 Thu 10/3/19 BC/Fusion Form Review Session #1 3 hrs 0.5 days Thu 8/22/19 Thu 8/22/19 BC/Fusion Form Review Session #2 3 hrs 0.5 days Wed 7/31/19 Wed 7/31/19 BC/Fusion Form Review Session #3 3 hrs 0.5 days Wed 7/31/19 Wed 7/31/19 Final BC/Fusion Form Review Session #4 3 hrs 0.5 days Thu 10/3/19 Thu 10/3/19 Clinical Content Development Refinment 25 hrs 30 days Thu 8/22/19 Thu 10/3/19 Training/Functionality Scripts 4 hrs 10 days Thu 10/3/19 Thu 10/17/19 Creation of Training/Functionality Scripts for Forms 2 hrs 7 days Thu 10/3/19 Mon 10/14/19 Sign-Off by Fusion Management 2 hrs 3 days Mon 10/14/19 Thu 10/17/19 BC Member Training 17 hrs 31 days Thu 8/1/19 Fri 9/13/19 BC Computer Based Training (HLS) 3 hrs 3 wks Thu 8/1/19 Thu 8/22/19 BC/Fusion System Access, Form & Workflow Training 0 hrs 1 day Thu 8/22/19 Fri 8/23/19 BC Self Guided Form & Workflow Review 6 hrs 3 wks Fri 8/23/19 Fri 9/13/19

BC Development of BC specific 'How-To' documentation 8 hrs 3 wks Fri 8/23/19 Fri 9/13/19

Support Staff Services 66 hrs 53 days Wed 8/14/19 Mon 10/28/19


Scheduling (On-site/Off-site) 1 hr 1 day Wed 8/14/19 Thu 8/15/19 Medical Records 1 hr 1 day Wed 8/14/19 Thu 8/15/19 Referral Process 1 hr 1 day Wed 8/14/19 Thu 8/15/19 Discharge Planning 1 hr 1 day Wed 8/14/19 Thu 8/15/19


Clinical Content Development Drafting 0 hrs 7 days Thu 8/22/19 Mon 9/2/19


<FORM NAME HERE> 0 hrs 0.5 days Thu 8/22/19 Thu 8/22/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/22/19 Fri 8/23/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/23/19 Fri 8/23/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/23/19 Mon 8/26/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 8/26/19 Mon 8/26/19 <FORM NAME HERE> 0 hrs 0.5 days Mon 8/26/19 Tue 8/27/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/27/19 Tue 8/27/19 <FORM NAME HERE> 0 hrs 0.5 days Tue 8/27/19 Wed 8/28/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/28/19 Wed 8/28/19 <FORM NAME HERE> 0 hrs 0.5 days Wed 8/28/19 Thu 8/29/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/29/19 Thu 8/29/19 <FORM NAME HERE> 0 hrs 0.5 days Thu 8/29/19 Fri 8/30/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/30/19 Fri 8/30/19 <FORM NAME HERE> 0 hrs 0.5 days Fri 8/30/19 Mon 9/2/19 Form Review Sessions 12 hrs 43.5 days Wed 8/14/19 Mon 10/14/19 BC/Fusion Form Review Session #1 3 hrs 0.5 days Mon 9/2/19 Mon 9/2/19 BC/Fusion Form Review Session #2 3 hrs 0.5 days Wed 8/14/19 Wed 8/14/19 BC/Fusion Form Review Session #3 3 hrs 0.5 days Wed 8/14/19 Wed 8/14/19 Final BC/Fusion Form Review Session #4 3 hrs 0.5 days Mon 10/14/19 Mon 10/14/19 Clinical Content Development Refinment 25 hrs 30 days Mon 9/2/19 Mon 10/14/19 Training/Functionality Scripts 4 hrs 10 days Mon 10/14/19 Mon 10/28/19 Creation of Training/Functionality Scripts for Forms 2 hrs 7 days Mon 10/14/19 Wed 10/23/19 Sign-Off by Fusion Management 2 hrs 3 days Wed 10/23/19 Mon 10/28/19 BC Member Training 17 hrs 31 days Thu 8/15/19 Fri 9/27/19 BC Computer Based Training (HLS) 3 hrs 3 wks Thu 8/15/19 Thu 9/5/19 BC/Fusion System Access, Form & Workflow Training 0 hrs 1 day Thu 9/5/19 Fri 9/6/19 BC Self Guided Form & Workflow Review 6 hrs 3 wks Fri 9/6/19 Fri 9/27/19

BC Development of BC specific 'How-To' documentation 8 hrs 3 wks Fri 9/6/19 Fri 9/27/19

TRACK 5 - SERVER STAGING 170.75 hrs 81 days Fri 6/21/19 Mon 10/14/19 Physical Environment Established 32 hrs 20 days Fri 6/21/19 Fri 7/19/19


Dev Server Setup 34 hrs 12 days Fri 7/19/19 Tue 8/6/19 UAT Server Setup 34 hrs 12 days Tue 8/6/19 Thu 8/22/19 Production Server Setup 54.75 hrs 37 days Thu 8/22/19 Mon 10/14/19 Centricity Installed on Client at each facility 16 hrs 4 wks Fri 6/21/19 Fri 7/19/19 TRACK 6 - INTERFACE DEVELOPMENT 326.75 hrs 75 days Mon 9/9/19 Mon 12/23/19 Demographic Interface (JailTracker/Harris) 60.75 hrs 63 days Mon 9/9/19 Thu 12/5/19 Pharmacy Interface (Boswell) 91 hrs 75 days Mon 9/9/19 Mon 12/23/19 Laboratory Interface (BioReference) 63 hrs 55 days Mon 9/9/19 Mon 11/25/19 Radiology Interface (MobilexUSA) 56 hrs 50 days Mon 9/9/19 Mon 11/18/19 Health Information Exchange (HIE) Interface (Vermont Information Exchange) 56 hrs 50 days Mon 9/9/19 Mon 11/18/19 TRACK 7 - DATA MIGRATION 19 hrs 93 days Tue 8/6/19 Fri 12/13/19 CorrecTek Migration 19 hrs 93 days Tue 8/6/19 Fri 12/13/19 Planning 19 hrs 30 days Tue 8/6/19 Tue 9/17/19 Obtain Database 8 hrs 5 days Tue 8/6/19 Tue 8/13/19 Database Analysis 8 hrs 5 wks Tue 8/13/19 Tue 9/17/19 Data Migration Discovery Kickoff 1 hr 1 day Tue 8/6/19 Wed 8/7/19 CorrecTek Demo Review 2 hrs 1 day Tue 8/6/19 Wed 8/7/19 Development 0 hrs 80 days Tue 8/6/19 Tue 11/26/19 Data Mapping 0 hrs 4 wks Wed 8/7/19 Wed 9/4/19 Script Development and Data Porting 0 hrs 54 days Wed 9/4/19 Tue 11/19/19 Patients 0 hrs 6 days Wed 9/4/19 Thu 9/12/19 Medications 0 hrs 6 days Thu 9/12/19 Fri 9/20/19 Allergies 0 hrs 6 days Fri 9/20/19 Mon 9/30/19 Problems 0 hrs 6 days Mon 9/30/19 Tue 10/8/19 Documents 0 hrs 6 days Tue 10/8/19 Wed 10/16/19 Lab Results 0 hrs 6 days Wed 10/16/19 Thu 10/24/19 Vitals 0 hrs 6 days Thu 10/24/19 Fri 11/1/19 Tasks/Orders 0 hrs 6 days Fri 11/1/19 Mon 11/11/19 Scanned Documents 0 hrs 6 days Mon 11/11/19 Tue 11/19/19 Establish replica CorrecTek database for incremental updates 0 hrs 6 wks Tue 8/6/19 Tue 9/17/19 Initial Client Review in Dev 0 hrs 1 wk Tue 11/19/19 Tue 11/26/19


QA 0 hrs 10 days Tue 11/26/19 Tue 12/10/19 Migration Cleanup 0 hrs 1 wk Tue 11/26/19 Tue 12/3/19 Final Client Review 0 hrs 1 wk Tue 12/3/19 Tue 12/10/19 Migration Script Implementation 0 hrs 3 days Tue 12/10/19 Fri 12/13/19 TRACK 8 - TRAINING & GO-LIVE PREPARATION 50.25 hrs 142.25 days Mon 6/3/19 Wed 12/18/19 Training & Go-Live Booked 1 hr 1 day Mon 6/3/19 Mon 6/3/19 Training Plan 39.75 hrs 42 days Mon 10/21/19 Wed 12/18/19 Enrollment of Client in HLS 0.5 hrs 5 days Mon 10/21/19 Mon 10/28/19 Submission of How-To for HLS Completion Status 0.25 hrs 1 day Mon 11/25/19 Tue 11/26/19 Submission of Template/Draft Training Plan 4 hrs 10 days Mon 10/28/19 Mon 11/11/19 Staff Enrollment and Participation in HLS 3 hrs 2 wks Tue 12/3/19 Tue 12/17/19 Completion of Staff HLS 0 hrs 1 day Tue 12/17/19 Wed 12/18/19 Identifcation of forms to be trained on in each session 4 hrs 2 wks Mon 11/11/19 Mon 11/25/19 Identification of Staffing Plan relating to Training 4 hrs 2 wks Mon 11/11/19 Mon 11/25/19 Preparation of Training Syllabus 4 hrs 2 wks Mon 11/11/19 Mon 11/25/19 Identification of Training Rooms & Equipment 4 hrs 2 wks Mon 11/11/19 Mon 11/25/19 Scheduling of Client IT Staff to be Available During Training 4 hrs 2 wks Mon 11/11/19 Mon 11/25/19 Submission of Staff Attendance for Training Sessions 4 hrs 2 wks Mon 11/11/19 Mon 11/25/19 Submission of Training Plan 8 hrs 2 days Mon 11/25/19 Wed 11/27/19 Go-Live Plan 9.5 hrs 12 days Mon 10/28/19 Wed 11/13/19 ReviewTemplate/Draft Go-Live Plan 2 hrs 5 days Mon 10/28/19 Mon 11/4/19 Submission of Client Medical/MH Staff Schedule for Week of Go-Live 1 hr 5 days Mon 11/4/19 Mon 11/11/19 Scheduling of Client IT Staff to be ON SITE during Go-Live 1 hr 5 days Mon 11/4/19 Mon 11/11/19 Discussion and Determination of Backloading Information 1 hr 5 days Mon 11/4/19 Mon 11/11/19 Discussion on MAR to eMAR Transition 1 hr 5 days Mon 11/4/19 Mon 11/11/19 Discussion and Determination of Go-Live Support 1 hr 5 days Mon 11/4/19 Mon 11/11/19 Set up One-Note for Go-Live Documentation 1 hr 5 days Mon 11/4/19 Mon 11/11/19 Schedule Daily De-Briefings 0.5 hrs 5 days Mon 11/4/19 Mon 11/11/19 Submission of Final Go-Live Plan 1 hr 2 days Mon 11/11/19 Wed 11/13/19 TRACK 9 - TRAINING, GO-LIVE & GO-LIVE SUPPORT 292 hrs 22 days Wed 1/1/20 Fri 1/31/20 Super User Training 4 hrs 1 day Wed 1/1/20 Thu 1/2/20


Training Items 4 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - General Navigation and System Features 0.5 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Enterprise, Group & User Preferences 0.25 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Setting up New Users 0.5 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Setting Up Security Groups 0.25 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Managing Medication Custom Lists 0.25 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Managing Problem Custom Lists 0.25 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Managing Custom Orders Lists 0.25 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Orders Manager 0.25 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - Document Management Administration 0.25 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - LinkLogic Training 0.5 hrs 1 day Wed 1/1/20 Thu 1/2/20 S/U Training - How To Documentation Overview 0.75 hrs 1 day Wed 1/1/20 Thu 1/2/20 Group 1 Go-Live 144 hrs 6 days Wed 1/15/20 Thu 1/23/20 Facility 1 48 hrs 6 days Wed 1/15/20 Thu 1/23/20 Training 16 hrs 2 days Wed 1/15/20 Fri 1/17/20 Medical Assistants/LPN/RN 4 hrs 0.5 days Wed 1/15/20 Wed 1/15/20 Providers/NP 4 hrs 0.5 days Wed 1/15/20 Thu 1/16/20 Mental Health 4 hrs 0.5 days Thu 1/16/20 Thu 1/16/20 Support Staff 4 hrs 0.5 days Thu 1/16/20 Fri 1/17/20 Go-live 0 hrs 0 days Fri 1/17/20 Fri 1/17/20 On-site Go-live support 32 hrs 4 days Fri 1/17/20 Thu 1/23/20 Facility 2 48 hrs 6 days Wed 1/15/20 Thu 1/23/20 Training 16 hrs 2 days Wed 1/15/20 Fri 1/17/20 Medical Assistants/LPN/RN 4 hrs 0.5 days Wed 1/15/20 Wed 1/15/20 Providers/NP 4 hrs 0.5 days Wed 1/15/20 Thu 1/16/20 Mental Health 4 hrs 0.5 days Thu 1/16/20 Thu 1/16/20 Support Staff 4 hrs 0.5 days Thu 1/16/20 Fri 1/17/20 Go-live 0 hrs 0 days Fri 1/17/20 Fri 1/17/20 On-site Go-live support 32 hrs 4 days Fri 1/17/20 Thu 1/23/20 Facility 3 48 hrs 6 days Wed 1/15/20 Thu 1/23/20 Training 16 hrs 2 days Wed 1/15/20 Fri 1/17/20


Medical Assistants/LPN/RN 4 hrs 0.5 days Wed 1/15/20 Wed 1/15/20 Providers/NP 4 hrs 0.5 days Wed 1/15/20 Thu 1/16/20 Mental Health 4 hrs 0.5 days Thu 1/16/20 Thu 1/16/20 Support Staff 4 hrs 0.5 days Thu 1/16/20 Fri 1/17/20 Go-live 0 hrs 0 days Fri 1/17/20 Fri 1/17/20 On-site Go-live support 32 hrs 4 days Fri 1/17/20 Thu 1/23/20 Group 2 Go-Live 144 hrs 6 days Thu 1/23/20 Fri 1/31/20 Facility 4 48 hrs 6 days Thu 1/23/20 Fri 1/31/20 Training 16 hrs 2 days Thu 1/23/20 Mon 1/27/20 Medical Assistants/LPN/RN 4 hrs 0.5 days Thu 1/23/20 Thu 1/23/20 Providers/NP 4 hrs 0.5 days Thu 1/23/20 Fri 1/24/20 Mental Health 4 hrs 0.5 days Fri 1/24/20 Fri 1/24/20 Support Staff 4 hrs 0.5 days Fri 1/24/20 Mon 1/27/20 Go-live 0 hrs 0 days Mon 1/27/20 Mon 1/27/20 On-site Go-live support 32 hrs 4 days Mon 1/27/20 Fri 1/31/20 Facility 5 48 hrs 6 days Thu 1/23/20 Fri 1/31/20 Training 16 hrs 2 days Thu 1/23/20 Mon 1/27/20 Medical Assistants/LPN/RN 4 hrs 0.5 days Thu 1/23/20 Thu 1/23/20 Providers/NP 4 hrs 0.5 days Thu 1/23/20 Fri 1/24/20 Mental Health 4 hrs 0.5 days Fri 1/24/20 Fri 1/24/20 Support Staff 4 hrs 0.5 days Fri 1/24/20 Mon 1/27/20 Go-live 0 hrs 0 days Mon 1/27/20 Mon 1/27/20 On-site Go-live support 32 hrs 4 days Mon 1/27/20 Fri 1/31/20 Facility 6 48 hrs 6 days Thu 1/23/20 Fri 1/31/20 Training 16 hrs 2 days Thu 1/23/20 Mon 1/27/20 Medical Assistants/LPN/RN 4 hrs 0.5 days Thu 1/23/20 Thu 1/23/20 Providers/NP 4 hrs 0.5 days Thu 1/23/20 Fri 1/24/20 Mental Health 4 hrs 0.5 days Fri 1/24/20 Fri 1/24/20 Support Staff 4 hrs 0.5 days Fri 1/24/20 Mon 1/27/20 Go-live 0 hrs 0 days Mon 1/27/20 Mon 1/27/20 On-site Go-live support 32 hrs 4 days Mon 1/27/20 Fri 1/31/20


3. Complete Appendix 5.27, and label this as Attachment #4.

Please refer to Exhibit C - Attachment #4 for Fusion’s completed Appendix 5.27.

4. What types of difficulties have other clients experienced with implementation of the proposed solution?

When adopting any new software, users regularly run into issues that stem from the transition of one software to the next. Through the implementation and the training plan that Fusion has developed for VTDOC we are confident that we will mitigate all of the issues that come along with an agency adopting a new software.

5. Describe the experience and qualifications of the Project Manager you would offer as the resource for this engagement. Provide a copy

of their resume and label it Attachment #5.

Fusion will dedicate a team of about twenty-five (25) employees consisting of Centricity EHR implementation, training, and support specialists and as well as multiple employees who specialize in correctional health consulting. Additionally, we have a network of consultants nationwide who subcontract through Fusion on larger scale and/or super-specialty projects as well as access to Centricity EHR specialist staff for overflow work. For this project, Fusion intends to provide all services and support in-house. Fusion approaches every project with a partnership mentality, working in conjunction with the client to ensure that the EHR is implemented on time, on budget and complete. Unlike any other vendor, Fusion intimately understands what it takes to get an EHR system live at correctional health facilities. Fusion leverages its extensive knowledge of the EHR and Correctional Health space and will collaborate with VTDOC to ensure that the system truly meets their workflow both now and for the future. Our SMEs come with years of experience to be much more than ‘yes-folks’ when it comes to clinical content development and overall implementation and go-live of Centricity. Fusion will leverage its knowledge and experience of how things are done throughout the country to provide VTDOC with proven options and alternatives throughout the implementation. Fusion is dedicated to seeing the successful implementation of Centricity at Vermont Department of Corrections. Our team is highly experienced and knowledgeable in all functional aspects of correctional health-specific clinical delivery and electronic clinical documentation and workflow processes, which a company only like Fusion can provide. We have developed a systematic process to ensure that Fusion provides VTDOC with the right number of people with the right skills to fulfill the EHR implementation. We use a Responsibility Assignment Matrix for all of our projects, which details the nature of responsibility assignments for project staff as they relate to key activities and deliverables.


From our experience in working with correctional health agencies similar to VTDOC, we will allocate nine (9) key resources for this project who are dedicated in providing the management and services needed for this engagement. In total, approximately twenty-five (25) staff members will be involved in this project, including trainers, business analysts, etc. All project team members have extensive correctional health and IT experience. Their roles and responsibilities for this project are as follows:

Please refer to Exhibit C - Attachment #5 for Fusion’s Project Manager’s Resume.

Roles/Responsibilities Team Member Project Manager Kansas Jackson

IT Manager Dan Brunell Clinical Manager Oscar Anzaldua

Systems Analyst/EHR Consultant Crystal Price Testing/QA Specialist Amanda Adegboyega

Migration/Interface Engineer Patrick Chan Security & Privacy Manager John Casey

Training Specialist Olivia Bell Lead Installation Engineer Dan Anderson


PART 6: TECHNICAL SERVICES

1. Describe the technical services included in your proposal (e.g., business analysis, configuration, testing, implementation, etc.).

We are pleased to have the opportunity to earn the business of Vermont Department of Corrections. As further explained throughout our proposal, we are excited to partner with VTDOC to improve their correctional healthcare delivery with the Centricity EHR system. Our comprehensive, corrections-specific EHR system coupled with our team of highly experienced and knowledgeable personnel in all aspects of correctional clinical delivery, electronic clinical documentation and workflow processes allows VTDOC to retain the most capable, experienced, and thorough team to provide EHR services. Centricity is utilized by seven (7) State Department of Corrections agencies and manages over 250,000 offenders in over 200 correctional and juvenile justice institutions throughout the country, making Fusion the largest EHR vendor for State DOC agencies in the United States. Centricity allows our clients to receive the value of more efficient operations, improved service, and an enhanced work environment. Our focus is on providing clinicians with products that deliver higher quality of care at lower costs. Our service offerings help to strengthen our client’s healthcare delivery, which in turn helps them build and maintain leading positions within their own markets, particularly in corrections and juvenile justice. Unlike other vendors, Fusion is positioned to offer significant advantages in meeting your requirements for EHR software, services and support. With our vast experience implementing, training and supporting Centricity within the correctional health industry throughout the US, we are prepared to offer VTDOC a complete level of knowledge, commitment and expertise that will exceed your expectations. For nearly 15 years, Fusion has been delivering EHR solutions nationwide to agencies like VTDOC that meet NCCHC & ACA accreditation requirements.

Centricity is a fully integrated, all-in-one EHR system inclusive of medical, behavioral health, dental, electronic medication administration capabilities and numerous other clinical documentation tools. The system supports a variety of services including but not limited to medical Services, ambulatory care units, dental Services, mental health Services, as well as telemedicine functionality. Centricity has been at the forefront of Electronic Health Records for nearly two decades in the correctional health setting. Centricity offers the DOC a cost-effective, flexible Commercial-Off-The-Shelf (“COTS”) solution in compliance with Centers for Medicare and Medicaid Services (“CMS”) regulations, the Health Information Portability and Accountability Act (“HIPAA”), ICD-10 and is a Certified Electronic Health Record Technology (CEHRT) as defined by the Office of the National Coordinator for Health Information Technology (ONC) compatible to meet and exceed Vermont Department of Corrections’ goals and the functional requirements detailed in this RFP. Through the implementation of Centricity, DOC will enhance the quality of Medical, Dental, Mental Health, Nursing, Dietary, Rehabilitation, Orthopedic, Urology, Gastroenterology, General Surgery Clinic, Ophthalmology, Pain Management, Emergency Medical Services, Primary Care Services, Pharmaceutical, Laboratory, Radiology, Administrative Services, and more. Centricity is the EHR system the DOC needs to make day-to-day operations easier and efficient. The design of Centricity will dramatically increase your organization’s efficiencies for your inpatient and outpatient services, including but not limited to annual exams/initial intake screenings, clinic visits, chronic disease monitoring, telemedicine, vaccine records, sick call triage, medication administration, mental health and discharge planning for inmates. It also possesses a robust reporting environment that provides real time data to enable effective


decision making through the integration with third party systems. There is no other corrections-centric EHR system which can support the quality of care to inmates like Centricity. Being an all-in-one solution for Vermont DOC, Centricity provides you with an EHR that will help your organization:

• Improve quality of care • Improve the coordination of care by enhancing interoperability among internal business units and external partners in care • Increase health care staff productivity • Decrease administrative expenses • Provide effective discharge planning • Assist enrolling discharging patients into benefit programs • Permit emergency management tracking of patients • Streamline and standardize workflow between sites and specialties • Maximize the integration of primary and behavioral health care • Improve patient safety and operations efficiency • Implement a quality assurance and continuous improvement program • Reduce errors, redundant or unnecessary tests and medications • Improve management of chronic care conditions and communications within health care units • Comply with Local, State and Federal health care regulations • Ensure timely access to healthcare services • Establish an Inmate Medical Program addressing the full continuum of health care services • Be completely paperless/electronic organization

Fusion’s ability and experience in working effectively alongside key administrators, stakeholders and facility departments has allowed us to become a multifaceted correctional health IT services firm. Fusion’s thorough understanding and extensive experience in providing correctional facilities with business process analysis, EHR implementation, data migration, integration services and project management services allows VTDOC to retain the most capable, experienced and thorough team to provide implementation, training, customization, data migration and integration, support and hosting services of the Centricity EHR system in establishing industry best practices and VTDOC’s overall agenda.

We are unwavering in our commitment to bring creative, yet practical solutions to our clients. We provide our best information, best analysis, best counsel and best possible results every time. Simply put, no one knows Correctional Healthcare and Correctional EHR’s like we do.

2. Provide a list of the standard deliverables for the technical services described above.

Please refer to Exhibit C – Part 5: Implementation/Project Management Approach for Fusion’s standard Technical and Project Management Deliverables.


3. Provide a description of the roles/services/tasks that you will need the State to perform as part of this engagement. Describe any additional roles/services/tasks that are optional but would be beneficial for the State to provide.

Client’s Anticipated Project Team & Roles The staffing resources provided by the client are vital to the project’s success. Each individual staff member themselves are organic and will ebb and flow as the project does. The following client personnel roles are recommended for a timely implementation, in addition to any of the specified resources that have been allocated to this project as identified in the RFP:

EHR Team Members

Role Responsibilities Steering Team Serves as leaders and sponsors of the Centricity EHR implementation project. The

members will ensure that the organization as a whole understands and recognizes the importance and priority of the project.

Project Manager Takes responsibility for managing the project as a whole, leads the Core Project Team, and coordinates project planning, timeline, and task management as well as day-to-day implementation activities.

Core Project Team Is responsible for the development and management of the Centricity EHR implementation project plan. This includes the completion of all tasks and activities related to the project, as well as the appointment of members to guide and support the efforts of the Design and Clinic/Practice Teams.

EHR Analyst(s)/Trainer(s)

Participates in and shadows Fusion staff in the Enterprise Planning sessions, EHR Functionality, EHR Setup, clinical content selection, workflow re-engineering, and delivery of EHR end-user customized workflow training. Also leads additional EHR clinic rollout planning and training sessions. The EHR Analyst/Trainer provides initial EHR support to clinic users after Go-Live. These training functions can include definition of end-user training requirements, coordination of scheduled training sessions and the provision of ongoing training sessions for upgrades and new clinic staff.

Information Systems (IT) Representative

Represents the IT department throughout the planning, installation and implementation phases of the project. It is imperative that this person be authorized to represent the IT equipment and network standards and policies for the Customer.

Interface Specialist Coordinates the planning, configuration, testing and implementation of interfaces between Centricity EHR and the enterprise’s third party clinical and business systems.


System Manager Serves as the key contact to and from the Centricity Technical Support department after Go-Live. The System Manager will be responsible for the day-to-day operation of Centricity EHR system(s) (user management, content management, quality assurance, periodic system checks, generating system reports, product updates, hot fixes, new releases, etc.).

Physician Champion(s) Drives the project from the Enterprise level. He/She communicates regularly with other Physicians in the Enterprise to build consensus and acceptance on issues and decisions related to the implementation of Centricity EHR. A major responsibility of the Physician Champion is advising the EHR Design Teams in areas of decision-making related to clinical content and enterprise standardization.

*In some agencies, individuals may have more than one role. In these circumstances, it is imperative that those individuals understand and manage all the responsibilities required. During the Centricity EHR planning, Go-Live, and immediate post Go-Live periods, the Physician Champion, Clinic EHR Manager, Interface Manager and selected clinical personnel on the team will need to dedicate between 20%-50% of their time to the Centricity EHR Implementation Project depending on project role. They must be able to attend all training sessions, project team meetings and consulting sessions. Client’s Project Manager Fusion assumes that the client’s project manager roles and responsibilities shall include:

• Oversee activities required under the contract; • Perform overall monitoring and management of the project for timely process and satisfactory completion of tasks and activities; • Review and approve the proposed template for the format, content and distribution of deliverables prior to Fusion preparing deliverable drafts; • Review Fusion’s deliverables and/or milestones and submit written comments to Fusion indicating DOC approval, conditional approval, or rejection

(including modifications necessary to gain DOC approval); • Assist Fusion with questions or requests for information to promote a smooth transition/implementation; • Serve as liaison to facilitate Fusion’s interaction with other client staff and other external agencies; • Review all reports and work plan/task schedule updates; • Provide lists of client staff who will be involved in the specific project, including contact information, functional responsibilities, and relationship to the

project; • Review and approve training material for acceptability prior to use; • Monitor and evaluate Fusion’s progress throughout the duration of this contract; • Test the software for acceptability; • Identify and assign DOC staff charged with working with the Project Manager on file building and system testing; and • Meet with Fusion to discuss and confirm expectations and all requirements for content and format of task deliverables.


4. Describe your typical conversion plan to convert data from existing systems to your proposed solution (if you are proposing to migrate

from the incumbent system).

The data conversion process is a highly detailed aspect of most installations. Understanding the desired-end state of your Centricity implementation is a key consideration when deciding the type of conversions to do. Fusion has performed virtually every type of conversion that can be done, from large to small, brand-named systems to homegrown. We recognize the critical nature of converting your existing data from your current CorrecTek EHR system and factor conversion planning and specification design into our project plans. We will conduct a review of the project management plans, methodologies and approach to monitoring the critical elements of the EHR implementation work plan and schedule. In addition, we will develop agreed-upon quality control criteria and review their deliverables against those criteria. Our team has extensive experience in roll-over implementations, keeping legacy systems alive and running, while scripts port over information from the legacy system(s) into Centricity. Our team is more than capable of migrating the data from CorrecTek to Centricity within the time required. As part of our project plan, we will discuss other data elements VTDOC would like to capture, discuss various methods of data conversion, and then come up with the proper plan for the project. Following final acceptance of Centricity by VTDOC and appropriate user training, we can simply ‘switch’ the facilities from CorrecTek to Centricity. Most recently we partnered with Rhode Island Department of Corrections to implement Centricity and replace Nextgen EHR, which was all successfully completed within 30 days. Every successful project starts with a good plan. At Fusion, we follow four basic steps:

• We will help define your parameters • We will help you choose your data wisely, if requested • We will help develop new workflows, and train your staff • We will test the system to make sure it is 100% before go-live, you can never have enough testing


We will work diligently and with much effort to transfer all CorrecTek data VTDOC wishes into Centricity. Centricity’s database includes embedded relationship requirements. When conducting any migration/ETL process, data must be loaded in a sequential manner in order for the data to build the appropriate relationships. We have provided numerous legacy EHR -to-Centricity data migration projects. Sample Data Conversion Audit Work Plan Audit Objectives

� Ensure that the source data is being properly extracted prior to conversion as well as preserved and protected post conversion. � Ensure that controls are in place to verify that data transferred accurately and completely between systems. � Ensure that appropriate testing, including regression analysis, is being done with converted data on impacted applications and management

reporting.

Project Work Step I. Data Extraction- Evaluate the effectiveness of processes by which source data is being extracted prior to conversion as well as preserved and protected post conversion. A. Audit Steps


1. Test the existence of well-defined business requirements, rollback plans and stakeholder signoff. a) Conduct interviews with key personnel to gain understanding of the extractions process b) Review documentation of business requirements and rollback plans c) Test that all signoffs were collected before extraction and were given by stakeholders

2. Test the preservation and security of source data after extraction. a) Review documentation related to preservation and protection procedures b) Test evidence of data preservation after extraction (e.g., time stamps, log file, etc) c) Test evidence of security measures taken after preservation (e.g., archive/cut-off date, data access

limitation, etc.) B. Record of Work Done (Insert customized version of work performed here) C. Conclusion (Insert customized version of conclusion reached here) II. Data Transfer- Evaluate the controls in place to verify that data is transferred accurately and loaded completely between source and destination. A. Audit Steps 1. Test the design of controls in place that help to ensure the accurate and complete transferring and loading of data

a) Conduct interviews with key personnel to gain an understanding of the process by which data is transferred and loaded between source and destination.

b) Test controls in place which help to ensure data integrity during the transfer and loading process (e.g., total counts, check sums, data and time stamps)

c) Test the existence of completed mapping of data between source and destination d) Test the controls in place that identify, communicate, and resolve fallout e) Test the controls in place that ensure business stakeholder signoff

2. Test the integrity of data between the source and destination data stores. a) Extract a population of data from the source and destination systems b) Import the data into a data analysis tool and test the data integrity between the two data sets c) Document any discrepancies found and discuss with key process owners to determine the validity of

the results B. Record of Work Done (Insert customized version of work performed here) C. Conclusion (Insert customized version of conclusion reached here)


III. Data Accuracy- Evaluate the effectiveness of processes by which design, testing, and approvals are performed on converted data and underlying processes.

A. Audit Steps 1. Test change management procedures associated to the automated Extract, Transform, and Load (ETL) process and evaluate the effectiveness of the control design

a) Conduct interviews with key personnel in order to gain an understanding of the change management process.

b) Test the operating effectiveness of the change management process and controls, as it relates to the automated ETL process including, but limited to: � Request � Review & Approval � Planning & Scheduling � Implementation � Review

c) Discuss any discrepancies with the process owners to confirm the issues and identify root causes. 2. Test change management procedures associated to the end to end ETL process and evaluate the effectiveness of the control design

a) Conduct interviews with key personnel in order to gain an understanding of the change management process as related to the data conversion.

b) Test the operating effectiveness of the change management process and controls, as it relates to the end to end ETL process including, but limited to: � Request � Review & Approval � Planning & Scheduling � Implementation � Review

c) Discuss any discrepancies with the process owners to confirm the issues and identify root causes. B. Record of Work Done (Insert customized version of work performed here) C. Conclusion (Insert customized version of conclusion reached here)


Configuration Build The system configuration and build process throughout the implementation coincides with our Quality Management Plan. The purpose of the Quality Management Plan is to develop a reasonable and appropriate method to arrange for reviews of Deliverables, particularly as they relate to the configuration and build of the system, to ensure delivery meets the standards of the agency. We applaud the agency in wanting to take on an increasing role in the implementation activities over the duration of the project. As you can see throughout our response, our implementation plan in its totality is very in depth and precise. Our implementation plan includes the process for finalizing the configuration build, as well as all interfaces and data migrations needed for a successful go live. Prior to deployment, all phases of the configuration build will be signed off on.

Step 1: Component, content, quality, and other criteria that will comprise the Deliverables will be discussed and agreed upon between the respective Project Managers (Fusion & VTDOC). Step 2: Draft Deliverables will be delivered to the VTDOC Project Manager according to the approved Project Schedule. Step 3: VTDOC Project Manager will arrange for team and interested project team members to review of Deliverables within three to five day period as defined the Project Schedule. Step 4: Reviews shall provide written feedback on the Deliverables to include comments on accuracy of information captured, insufficiency of description, and completeness to described scope, ensuring that the product and project deliverables meet industry standards and are fit for use in executing and/or controlling objectives. Step 5: Deliverable owner will take note of and address comments and feedback from Reviewer and make needed improvements and clarifications to Deliverable and resubmit to the VTDOC Project Manager for Final Review and Approval. Step 6: Project Manager will send Deliverable to VTDOC Project Manager for approval.

Testing and Quality Assurance There is no such thing as over testing and too much QA. We believe that having a full proof solution prior to deployment is what separates us from the competition. We will coordinate with VTDOC to devise a System Test Plan and include outcomes of the testing in a System Test Results Document. Testing begins with initial resource planning during the initiate phase, is designed in the Plan phase, and then is conducted during the Execute and Control phases. Initially, we advise regarding the testing effort, with leadership and ownership gradually transferring to VTDOC. Once UAT is completed, Fusion will provide a UAT Results Document certifying that all required activities are completed to the satisfaction of the VTDOC. Unit/component testing Unit Stress testing is conducted using software best practices for HIPAA-compliant health record application design using the Microsoft Test Manager suite of products in the Microsoft Visual Studio development product line. The software test strategy focuses on access control, data sanitization, audit trails, accurate timestamping of data, data security and performance metrics.

Integration testing Centricity leverages Microsoft Team Foundation services to coordinate and regressively test all Centricity modules and components for integration and performance modeling.

Regression testing Centricity employs Telerik and Microsoft Test Manager products for bug mapping and regression testing of its Centricity EHR user interface.


Parallel testing The Visual Studio Microsoft Test Manager test platform suit used to develop Centricity simulates hundreds of combination of operating systems and browser versions for consistency of user experience and interface testing.

Stress/load/performance testing Stress/Load capacity testing is virtualized through the Microsoft Test Manager software suite simulating hundreds of concurrent user sessions in the Centricity web application for both single instance and multi-instance deployments.

Client acceptance testing Designated client project testers will be provided during Dev and UAT, who will be testing credentials for proofing and user acceptance testing of all clinical forms, user interface modifications, security group mappings and data integration. All feedback with be integrated into final revisions for production rollout. Below is a typical system acceptance test plan we use:

Test Components Accepted Unit & Functional Testing

Each major function performs as specified in user manual. Design changes/customizations are present & work as requested. Document all changes for reference. Screens appear as expected (content and placement of fields, codes, drop down menus, and messages). No spelling errors or color changes. Readable icons. Appropriate representation of content can be printed if necessary for legal purposes. Entries that have been corrected and their corrections are both displayed accurately. Fields edits (e.g., valid values, options, defaults) function as expected. Alerts and clinical decision support provides appropriate reminders and prompts. Use scripts to test various scenarios.

System Testing Workflows send and/or receive data properly between systems (e.g., between EHR and pharmacy). Use scripts to test various scenarios.

Interfaces between applications move data correctly and completely. Test both sending and receiving when interfaces are bi-directional.

Connectivity with external organizations is accurate and complete as authorized (e.g., portal access to/from hospital/clinic, continuity of care record to referrals, personal health records for offenders, disease management to/from health plan).

System access is appropriate per assigned privileges. Test attempts to gain access when not authorized. Data are processed accurately, in graphs, tables, claims, client summaries, reports, etc. Data correctly populate registries, reporting warehouses, etc.

Integrated Testing Ensure all system components that share data or depend on other components work together properly. Ensure that workflows reflect actual new processes and workflows.


Test Components Accepted (simulates live environment)

Ensure that usage is defined in and follows policies and procedures. Reinforce training as applicable. Ensure that help desk, support personnel, and other aids function properly. Ensure that EHR works with all forms of human-computer interface devices and modalities being used (e.g., tablets, PDAs, voice recognition, and speech commands as applicable).

Attempt to break the system by testing mission critical and high risk functions, such as situations requiring exception logic (e.g., overrides to clinical decision support), handoffs from one process to another, and when you may have a series of events over a period of time (e.g., assessments performed at designated intervals).

Performance & Stress Testing

Measure response times for key transactions or interactions with the system, and assure they are within acceptable limits, which may be defined in the contract.

Simulate an extremely high volume of activity on the system such as would exceed anticipated peak loads of system usage.

Measure the time it takes to generate reports and data dumps, and the impact on system performance.

5. Describe the experience and qualifications of the technical resources proposed for this engagement. Provide their resume(s) and label

them Attachment #7.

Fusion will dedicate a team of about twenty-five (25) employees consisting of Centricity EHR implementation, training, and support specialists and as well as multiple employees who specialize in correctional health consulting. Additionally, we have a network of consultants nationwide who subcontract through Fusion on larger scale and/or super-specialty projects as well as access to Centricity EHR specialist staff for overflow work. For this project, Fusion intends to provide all services and support in-house. Fusion approaches every project with a partnership mentality, working in conjunction with the client to ensure that the EHR is implemented on time, on budget and complete. Unlike any other vendor, Fusion intimately understands what it takes to get an EHR system live at correctional health facilities. Fusion leverages its extensive knowledge of the EHR and Correctional Health space and will collaborate with VTDOC to ensure that the system truly meets their workflow both now and for the future. Our SMEs come with years of experience to be much more than ‘yes-folks’ when it comes to clinical content development and overall implementation and go-live of Centricity. Fusion will leverage its knowledge and experience of how things are done throughout the country to provide VTDOC with proven options and alternatives throughout the implementation. Fusion is dedicated to seeing the successful implementation of Centricity at Vermont Department of Corrections. Our team is highly experienced and knowledgeable in all functional aspects of correctional health-specific clinical delivery and electronic clinical documentation and workflow processes, which a company only like Fusion can provide. We have developed a systematic process to ensure that Fusion provides VTDOC with the right number of people with the right skills to fulfill the EHR implementation. We use a Responsibility Assignment Matrix for all of our projects, which details the nature of responsibility assignments for project staff as they relate to key activities and deliverables.


From our experience in working with correctional health agencies similar to VTDOC, we will allocate nine (9) key resources for this project who are dedicated in providing the management and services needed for this engagement. In total, approximately twenty-five (25) staff members will be involved in this project, including trainers, business analysts, etc. All project team members have extensive correctional health and IT experience. Their roles and responsibilities for this project are as follows:

Please refer to Exhibit C - Attachment #7 for Fusion’s Proposed Technical Resources Resumes.

6. Describe the training that is included in your proposal.

Fusion’s training utilizes a consultative approach. This approach has many benefits and a “train-the-trainer” strategy allows you to fully understand the setup of their system the independence to adjust, change, or recreate workflows in the future. Our implementation focuses on your business objectives. Upfront scoping of business needs defines common project expectations, establishes mutual goals and objectives, and solidifies agreement on the project plan. Fusion’s Project Manager and Implementation Consultant (s), along with the client’s Project Manager, will follow an implementation plan based on best practices from many successful implementations. Super-Users serve as your in-house EHR software experts. Super-Users will be designated by you and should have an advanced understanding of computers, as well as be able to provide effective training if required. Super-Users will complete all the training modules to ensure they are able to effectively navigate the program in its entirety. Identifying and training super users and clinical leaders will create a core of knowledgeable staff members familiar with the clinic’s processes and with the requirements (and advantages) of the electronic health record. Some super users should have clinical experience; all of them should be trained fully on EHR functions to understand the impact on the entire data flow. Training super users early is crucial to being able to champion the process of change throughout the organization, providing both clinical and technical

Roles/Responsibilities Team Member Project Manager Kansas Jackson

IT Manager Dan Brunell Clinical Manager Oscar Anzaldua

Systems Analyst/EHR Consultant Crystal Price Testing/QA Specialist Amanda Adegboyega

Migration/Interface Engineer Patrick Chan Security & Privacy Manager John Casey

Training Specialist Olivia Bell Lead Installation Engineer Dan Anderson


perspectives. They can shepherd the analysis of existing workflows and the configuration of Centricity to achieve the best fit with the client’s needs and client base. Early training also provides insight into the kinds of training that will be most effective for end-users, making it both more specific to their job function and more efficient. Super users can act as easily accessible mentors, providing front-line, ongoing support and training. Fusion’s blended training approach addresses specific learning needs of our clients including classroom-based instruction, online instructor-led instruction, and self-paced web-based training. Materials used include extensive online help, hardcopy training guides, online tutorials, training road shows, and computer-based training materials used include extensive online help, online tutorials (CBTs), online Companion Guides, and onsite and web-based training. Consulting Sessions Below is a sample list of training and consulting sessions you can expect to participate in during your Centricity Implementation. Attendees will be determined by the client Project team. The on-site consulting topics will be tailored to the client’s particular needs, once a thorough assessment is conducted. Centricity EHR Consulting

• Complete CBTs • Introductory Call • Check Point #1 • Check Point #2 • On-Site Consulting Topics (topics covered and number of visits will be tailored to meet your needs)

o Key Decisions o Workflow Workshop/Functionality Review o Workflow Assignments o Initiate Disposition of Chart o Introduce Pre-load o System Set-up Review o Pre-load Training o Third Party Software Set-up Review (if applicable) o Confirm Workflows o Confirm Testing Completed o Confirm Devices are Functioning As Intended o End User or Super User Training o Charge Import training o Go-Live Support o Post Implementation EHR Optimization Analysis o Custom Advanced Consulting Services


Onsite Training Fusion offers several classes/sessions onsite. While there are more WebEx classes than onsite classes, the amount of time spent in onsite training is about two-third of the entire time spent in training. It’s possible that more or less onsite training is done for your installation, as each installation is unique. Role-Based and Super-User Training In this portion of, the core team (Project Team & Super-Users) will receive hands-on application training for all the product components. The workflows established during the Workflow Session will be discussed and modified as needed, and policies and procedures around the use of the application will be solidified. Following this training, Super-Users will implement the end user training plan, which typically consists of a combination of CBT training and hands-on training in focused areas. Go Live Training and Support This visit is to support your organization as you go-live with Centricity and occurs the week after end-user training. Online Training Fusion offers several classes/sessions via WebEx. While there are more WebEx classes than onsite classes, the amount of time spent in WebEx training is about one-third of the entire time spent in training. It’s possible that more or less WebEx training is done for your installation, as each installation is unique. Centricity EHR Overview (Clinic Staff and Core Clinic Team) This three-hour Web-Ex session is intended for staff who want to see the content and flow of the entire system before beginning planning and training. Administration Table Checkpoint This training is designed for no more than 15 Super Users/System Administrators. The Super Users will work on the Production (Live) Database to begin customizing your new software tables. Each of the tables is listed on the "Administrative Check Point Checklist" you will receive from your Implementation Consultant. To expedite the gathering of this information and to assist with preliminary build of some of the larger tables, we will provide you a Configurator Tool Spreadsheet. You will use this spreadsheet to organize the information that will be pre-loaded into your production database and delivered to you prior to the Admin Table Checkpoint Completion of the Spreadsheet will allow us to confirm your Admin Table Checkpoint. CBT Checkpoint This session is intended for the Project Team and Super Users. During this session, your Implementation Consultant will validate your CBT learning to date by having you demonstrate your understanding of product functionality. We will also work with you to begin developing a strategy for end-user training, including development of role-based CBT assignments for end-users.

7. Describe the system, administrator, and/or user documentation that is included in your proposal.

Fusion will prepare weekly Status and Monthly Risk and Issues Reports and highlight when a variance from the baseline plan has occurred or is likely to


occur. We will work with VTDOC to initiate appropriate actions to address the variance and track the identification and resolution of project issues.

The Status and Monthly Risk and Issues Reports will provide a summary of activities completed during the status period, activities that are in progress, any open issues with assignments for their resolution, and reasons for delays encountered. We will identify project risks with related mitigation activities as part of our weekly and monthly reporting commitments. An updated project schedule will be included with the status report, as necessary.

We will provide these project status meetings to discuss the following criteria:

o Summary of Accomplishments and Activities for the Period o Review SLA against Supplement 5 specifications o Planned Activities of the Next Period o Status Milestones and Deliverables o Status of Concerns, Problems and Recommendations o Status of Risks, Issues and Change Requests o Status of Project Work Plan and Schedule o Other Discussion Topics, as required

In addition, as part of the Project Scope, Fusion will develop and provide the VTDOC with a detailed Implementation Project Plan that, at a minimum, will include the components listed below. 1. Project Objectives: Fusion will develop and include overall Project objectives in our project plan. 2. Project Deliverables and Milestones: Fusion will include a list of deliverables and milestones of the Project, and with each deliverable or milestone, this

section will describe exactly how and what will be provided to meet the needs of VTDOC.

3. Project Schedule (Project Management Software): Fusion will identify the dates associated with deliverables and milestones described in the Project Plan. In addition, this section reflects Project predecessors, successors and dependencies.

Fusion will work in conjunction with VTDOC to collaborate on deliverables which have been identified in this proposal. Throughout the project, all deliverables which will reside on our SharePoint server and on the Microsoft Project page will identify and deliverables and who will work in conjunction with our team to limit any risk delays and more importantly, increase transparency of all outstanding deliverables. Microsoft SharePoint is a browser-based collaboration and document management platform from Microsoft. This system allows Fusion to set up a centralized, password protected space for document sharing with VTDOC. VTDOC will have continuous access to SharePoint after go-live and will be the owner of all the documents available in the PIL.


4. Project Management Processes:

� Resource Management: This section of the Implementation Project Plan will describe VTDOC resources, Fusion’s resources, and the overall Project team structure, including an organizational chart. Roles identified for Fusion and VTDOC will also include a detailed description of the responsibilities related to the identified role as well as the communication process for each party.

� Scope Management: This section of the Implementation Project Plan will describe the approach Fusion will use in order to manage Project Scope and the process used to request changes to Project Scope.

� Schedule Management: This section of the Implementation Project Plan will describe the approach Fusion will use in order to manage the Project schedule and the process used to submit requested changes to the schedule. Fusion will ensure that the Project schedule is kept current and timely report any missed milestones to VTDOC.

� Risk Management: This section of the Implementation Project Plan will describe the approach Fusion will use to document existing Project risks, provide recommendations for mitigating the risk, and how this will be communicated to VTDOC Implementation Team.

� Quality Management: This section of the Implementation Project Plan will describe the approach Fusion will use to assure that all written deliverables have received appropriate reviews for quality before being submitted to VTDOC.


� Communication Management: This section of the Implementation Project Plan will describe the approach Fusion will use to provide a detailed communication plan that includes discussion of key implementation metrics that will be used to track progress; types of communication methods (i.e., memo, email, one-on-one meetings, Project team meetings, stakeholder group meetings, online web progress reporting tools, etc.) that Fusion will use; frequency of these communications; and key Fusion points-of-contact with overall responsibility for ensuring these communications are provided as scheduled. Fusion will make key personnel and staff available for certain meetings either on-site or via teleconference or web- conference that may be required should major issues arise during the implementation that significantly impact the schedule, or budget of Centricity.

� Business Process Change Management: This section of the Implementation Project Plan will describe the approach Fusion will use to provide a plan which will include a list of the business processes Fusion recommends changing and a detailed description and flowchart outlining the changes, the anticipated benefits to VTDOC of these changes, and how Fusion proposes to manage this change process.

� Organizational Change Management: This section of the Implementation Project Plan will describe the process, tools and techniques Fusion will use to manage the people- side of change.

5. Data Conversion Approach: As part of the Implementation Project Plan, Fusion will develop and provide a detailed Data Conversion Plan that describes

how files will be converted from Greenway’s Success EHS to the Centricity system. A conversion schedule will be proposed to identify planned conversion steps, estimated hours, and what resources will be required (by VTDOC and/or Fusion) for all pertinent legacy data. Fusion will assist VTDOC in the conversion of both electronic and manual data to Centricity. The converted data ready will be available for the User Acceptance Testing phase of the Project.

6. Training Plan: As part of the Project Scope, Fusion will develop, provide, and manage a detailed plan for training. This Training Plan will include the

information described below, at a minimum: � The role and responsibility of Fusion and VTDOC in the design and implementation of the training plan (e.g., development of customized training

materials, delivering training to VTDOC end users) � The role and responsibility of VTDOC staff in the design and implementation of the training plan. � Overview of proposed training plan/strategy, including options for on-site or off-site training services, for the core project team, end users, and

technology personnel. � Proposed training schedule for VTDOC personnel of various user and interaction levels. � Descriptions of classes/courses proposed in the training plan. � The knowledge transfer strategy proposed as to prepare VTDOC staff to maintain the system after it is placed into production. � Detailed description of system documentation and resources that will be included as part of the implementation by Fusion including, but not

limited to, detailed system user manuals, “Quick Reference” guides, online support, help desk support, user group community resources, and others as available.


7. Bi-Weekly Status Reports: This section of the Implementation Project Plan will describe Fusion’s to provide bi-weekly status reports throughout the course of the Project. Regular status meetings and conference calls between VTDOC and Fusion’s project manager help maintain lines of communication throughout the implementation.

8. System Interface Plan: Fusion will develop and provide a detailed System Interface Plan that contains the proposed strategy for interfacing to all

applications described by the DOC. 9. Software Customization Plan: Fusion will develop and provide a detailed Software Customization Plan that includes anticipated customizations and their

impact to the overall Project schedule, budget, and final success. This Software Customization Plan will describe the process that VTDOC and Fusion will engage in for accepting the software modifications. While we understand that it is VTDOC’s intent to utilize Centricity’s existing capabilities and embedded best-practice business processes, VTDOC recognizes that there may be some critical work processes that require software customization.

10. Testing and Quality Assurance Plan: Fusion will develop and provide a Testing and Quality Assurance Plan that describes all phases of testing: unit,

system, interface, integration, regression, parallel, and user acceptance testing. We understand that it is VTDOC’s expectation that the Testing and Quality Assurance Plan govern all phases of the project and that Fusion will also provide assistance during each testing phase involving VTDOC users. Fusion will develop the initial User Acceptance Testing (UAT) plan, provide templates and guidance for developing test scripts, and will provide onsite support during UAT. Fusion will also provide a plan for stress testing of the system that will occur during or after UAT.

11. Pre-and-Post Implementation Level Support: Fusion will develop and provide a Pre- and Post-implementation Support Plan that describes the approach to

software support during the implementation and after the implementation. Fusion will describe what level of support is available under the proposed fee structure.

12. System Documentation: Fusion will develop and provide documentation that describes the features and functions of the proposed Centricity application

software. The documentation will be provided for both users and the technical personnel who will administer and maintain the system. Fusion will provide documentation in web-based and PDF forms for each application module.

13. Risk Register: Fusion will develop and maintain a documented Risk Register. This Risk Register will be maintained in Microsoft Project and/or

Sharepoint and will be regularly updated. For each risk identified, Fusion be responsible to develop an impact summary and a mitigation strategy in a timely fashion. Fusion uses Microsoft Sharepoint, as seen below:


PART 7: MAINTENANCE AND SUPPORT SERVICES

1. Provide answers to the questions below regarding your company’s Maintenance and Support Services:

Questions Vendor Response Service: Customer Phone &/or Email Support What is the method for contacting technical support?

Fusion offers all clients with 24x7x365 US based support. Designated personnel can open a support ticket at any time via the provided and dedicated toll-free number or through our dedicated helpdesk portal.

What are the hours of operation for support?

Just like Vermont DOC doesn’t close, neither do we. We understand the corrections business because we only work in the corrections business. Fusion offers all clients with 24x7x365 US based support. Designated personnel can open a support ticket at any time via the provided and dedicated toll-free number or through our dedicated helpdesk portal.

What is the turnaround time for responses?

To help us manage your support issues, Fusion’s Support Services uses a three-tiered priority system to log your application support service requests. To help manage technical support issues, clients are asked to identify the priority of the issue according to the following guidelines. Fusion encourages you to report Emergency and High issues by telephone because of the escalated response time. Fusion’s average percentage of first call resolutions is at 95%. Below are Fusion’s standard support tiers and response times: Incident Level 3 – Immediate Initial Response Contact Methods: Fusion Support Line & Fusion Help Desk Portal (24x7)

1. Centricity client will not launch for all users. 2. Fusion web applications (i.e. eMAR, Orders Manager…etc.) will not load for all users and the user has the appropriate security permissions to access the applications. 3. An incident where patient safety may be affected that was triaged by your facility superusers and/or IT.

* For fastest resolution, it is recommended that the client open a helpdesk ticket with the appropriate issue type as well as a call to our support line.

Incident Level 2 – Immediate to 8-hour initial response Contact Method: Fusion Help Desk Portal (24x7)

1. Interface related issues such as demographics not importing, lab results not importing or pharmacy message errors. 2. Defects relating to clinical content (Centricity encounters/forms). 3. Component of the system not functioning as designed.


1. Functionality questions. 2. Clinical content or report enhancements. 3. Component of the system not functioning as expected.


What is the escalation process for support issues?

Our account manager serves as the single point-of-contact for escalations after project management closure. Your account manager will also provide proactive product utilization advice based on his/her knowledge of your organization. This resource delivers expeditious resolution with cross-functional issues and will coordinate all correspondence between the proper support personnel and the client. Lastly, the account manager understands and communicates release/upgrade/product roadmaps and schedules to enable your IT strategy and can be contacted for a support case if unsatisfied with the response from our support team. The typical path for incident resolution is as follows: Incident Resolution Support staff will support only those applications represented on your software maintenance agreement. Issues related to hardware, operating systems, network, backup software, and other software should be addressed by your organization or the appropriate third-party vendor if you are not a Fusion hardware customer.

1. Review the following references: • Product reference materials • Online help • Escalation point assigned within the clinic

2. If you’ve consulted your escalation point, reviewed the references and you still need to call Support, be sure to

have the following information ready: • Your name and your organization’s name. • Any Incident Number previously assigned to, or associated with this issue. Your phone number. • Your fax number (if applicable). • The product and version number(s) being used. • Any error message and the error message numbers. A detailed description of the problem. • A description of the business impact of the problem. The support representative will help you determine the

severity level should you need assistance. • If the problem is reproducible, have ready the steps required to reproduce it. Sample information, screen shots, or

other diagnostic information. • The Support Technical Services Engineer may also ask:

o Whether or not your production database is down o Whether you are under deadline pressure. o Whether remote access is available and ready for use

• If you will be away from your office or on service during the day: o An alternate contact that is knowledgeable about this problem o Alternate phone numbers where you can be reached


Incident Tracking Upon completion of the Incident reporting, the caller will receive an Incident Tracking Number (Issue Number) which assures the caller that the incident has been appropriately registered in the Fusion CRM Tracking System. This number will be used for future reference, including calls to ascertain status, resolution, etc. Before You Hang Up To be sure the follow-up to your incident meets your expectations; please review this checklist with the Technical Support Engineer before you hang up:

• Review the priority level • Review action items for you and Fusion support • Confirm who is responsible for the call back and when • Confirm the issue number

Incident Resolution Fusion’s customer support staff document all problem determination and resolution procedures in the CRM. Incident resolution will be validated by the customer contact that made the initial report prior to Fusion’s support staff “closing” the incident.

Who comprises the support team and what are their qualifications?

Just like VTDOC doesn’t close, neither do we. We understand the corrections business because we only work in the corrections business. Fusion offers all clients with 24x7x365 US based support. Designated personnel can open a support ticket at any time via the provided and dedicated toll-free number or through our dedicated helpdesk portal. Our team consists of a wide range of qualified Technical Services Engineers and Clinical Consultants, who are operating system software certified and have expertise in our products, databases, network (server and client) and other related application software products to the criminal justice industry. We will answer your call and obtain information from you to properly log and prioritize your case before making it available for the next support specialist. By providing us detailed information, we will be able to properly prioritize your case. Fusion’s Help Desk staff is exclusively trained on supporting Centricity EHR for the Correctional Industry. Our Help Desk staff has experience being the Point of Contact with Correctional Clients and perform troubleshooting many of the client’s issues. We designate specific personnel to each Client in order for the Help Desk staff to have an intricate understanding of the customers work-flows and content. All staff members on the project have daily touchpoint meetings to review any new updates. Fusion also performs internal quarterly meetings with all pertinent staff members for the project including but not limited to Help Desk staff, Project Managers, IT Managers, etc. These daily touchpoints and quarterly meetings ensure that all necessary Help Desk staff are up to date on the project. We ensure that any Help Desk staff designated to VTDOC is up to date on all content and workflows


in order to efficiently and effectively maintain communication between VTDOC and Fusion as well as troubleshooting any issues within the system. Our client support staff utilize a Customer Relationship Management (CRM) incident tracking software to collect initial incident information and track progress and status of reported incidents. Incident reporting should be assigned to a consistently available staff member, who is familiar with the incident reporting process and is familiar with the operation of the Centricity application in general, typically the initial Project Manager. In addition to accessing our Technical Services Teams, users will also have online access to the user knowledgebase which provides answers to common questions and technical issues. In addition, there will be access to general training manuals. Fusion’s IT Education helps to provide a deeper understanding of information technology and its impact on the healthcare delivery process. We are dedicated to providing you with the knowledge and confidence required for your organization to remain competitive and continue to provide quality offender care in today's rapidly changing environment. We provide our clients/partners with a robust self-help portal that includes a comprehensive repository of training materials which are available 24/7/365. Our client’s success is our success. We take support very seriously. Our support surveys are a questionnaire designed to review the quality of your support. The survey poses questions about the overall support process and specific questions about support events over a designated period of time. Responses to support survey are used by us to evaluate the quality of support and our support process in order to make continual improvements.

Define your response resolution metrics and how you capture and report them.

Our client support staff utilize a Customer Relationship Management (CRM) incident tracking software to collect initial incident information and track progress and status of reported incidents. Incident reporting should be assigned to a consistently available staff member, who is familiar with the incident reporting process and is familiar with the operation of the Centricity application in general, typically the initial Project Manager. In addition to accessing our Technical Services Teams, users will also have online access to the user knowledgebase which provides answers to common questions and technical issues. The CRM will be able to Track and Record all support issues which can be reported on.

Service: Incident/Security Breach Notification and Process Describe your identification and notification process for security breaches.

Our team continuously monitors all network traffic looking for any unusual activity and intrusion. To date, we have never had any breaches. Internally, we have specific policies on breach notification, response, and reporting protocols which are reviewed annually and refreshed as needed. Our response team will look at the audit and communicate any necessary next steps with the client. The incident report will be submitted and resolved accordingly.

Service: Data Management Describe how data is stored, retained and backed-up (including frequency).

Centricity offers full and incremental backup solution on a daily basis within the data center environment with adjustable frequency to the tolerance level of VTDOC’s desire and performance configuration of the server array. Time to restore will be a function of the volume of data being restored and the performance of the storage area environment. Offsite backups, log shipping and server clustering are available to the extent of the clients’ needs and scope of project. Hot backups are conducted daily with snapshots of the database taken as well. The database backup is then archived for up to


90 days to allow for full restoration. In addition, transaction logs are also created consistently which allow for rapid recovery should the event arise. There are also 4 Hour Incremental Hot Backups with zero (0) downtime. Recovery procedures are tested to ensure restoration procedures are operational. In addition, testing will be conducted with VTDOC’s archived data to the testing environment to ensure that both the backups work as designed as well as to ensure recent test data is available. Should system modifications be performed between the scheduled recovery tests, one will be conducted immediately before the planned update/upgrade as well as following the commitment of the updates to the system. Should data need to be restored, the length of time to restore will vary on the size of the restoration; from minutes for a partial restore to up to 2-3 hours for a full system restore.

Service: Hosting Describe the hosting service and associated service levels.

Fusion is a partner of TierPoint, who provides information technology and data center services. The company offers TierPoint Cloud, an Infrastructure-as-a-Service (IaaS) that includes public, private, multi-tenant, and hybrid deployments for production, disaster recovery, and backup services. Its services include colocation, cloud computing, backup and business continuity, managed security, and professional services. TierPoint infrastructure is built on best-in-class technology and backed by a dedicated team of cloud experts. TierPoint hosted and public cloud solutions helps our clients improve performance, manage costs, maintain compliance and enable disaster recovery. The data centers are SSAE-16 audited and are CJIS compliant. We are also ISO 27001 certified using AES-256 standard data centers with 256-bit SSL document transmission. Fusion’s data centers are audited annually and are consistently meeting and exceeding data center security standards for healthcare. Please reference the answer to number 22 in this section. When hosting with Fusion, our customer has access to state-of-the-art data centers providing the following benefits and services:

Service

Benefits

Hosting Facilities

� Redundant power supply with UPS systems providing instantaneous failover

� Redundant on-site diesel generators

� Redundant HVAC temperature-controlled environment

� Raised floor plenum to facilitate cable management and uniform cooling distribution

� Full monitoring and alerting on all electrical and mechanical system components


Network

� Redundant Gigabit geographically diverse internet connections ensure sustainable connectivity by

utilizing multiple service providers � WAN access also allows options for customer systems to be hosted from multiple GE supported

data centers

Privacy and Security

� Security officers on duty 24/7

� Monitored video surveillance throughout the facility

� Required photo ID security card

� Biometric scanners

� Dedicated firewall and VPN services to block unauthorized access � Data protection with encrypted backup solutions

� Established policies and procedures that meet industry standards to support customer’s

data protection requirements

Infrastructure and Support

� Scalable infrastructure and storage for hosting applications � Operating System management for industry standard vendors

� Management of vendor relationships for critical issues and on-site support

� On-site hardware support and remote problem diagnosis

� Proactive system monitoring and ITIL processes for change control and incident management

� 24/7 monitoring of infrastructure to ensure continuous service


Questions Vendor Response

Service: Scheduled Maintenance/Downtime What is the frequency of scheduled maintenance and downtime?

There are no regularly scheduled or weekly updates to the system which would cause downtime. When patches/upgrades are mutually determined to be applied, we will coordinate that with the State. The amount of time needed to perform patches can take a few minutes, with an upgrade varying between less than an hour to two hours. With respect to upgrades, the largest time factor is deploying an upgrade .msi to the workstations which is largely based on the State’s internal infrastructure.

What is the notification process for scheduled maintenance and downtime?

During the Implementation Phase, The State and Fusion will appoint roles to specific personnel. When maintenance and downtime needs to be scheduled, Fusion and the State’s appointed personnel will coordinate to determine the best date and time for the system maintenance.

Describe how “maintenance” updates are tested with customers prior to installing them in their live environments.

Upgrades and patches are typically supplied to users approximately every 6 months, while new versions are available every 12 – 18 months. Clients are not mandated to conduct software upgrades and to date, legacy versions nearly ten years old are still supported. All new releases go through extensive testing in-house before they are released for beta testing to a select few clients. At that time, the new beta version of the software will be installed by a Fusion representative and carefully monitored for a predetermined amount of time. Once Fusion is confident that the new version has been adequately tested, it is then available as a general release. The quality assurance team has developed a comprehensive test plan that includes sophisticated, automated regression, and coverage testing processes. Our QA lab executes the test plan on every software release to ensure that a highly reliable application is delivered for support and maintenance in all supported platform environments. The implementation for VTDOC will maintain a test environment to maintain test and implementation standards appropriate to their environments.

Service: System Upgrades Are software upgrades provided as part of the software support contract?

Upgrades and patches are typically supplied to users approximately every 6 months, while new versions are available every 12 – 18 months. Clients are not mandated to conduct software upgrades and to date, legacy versions nearly ten years old are still supported. Major releases deliver significant new features requiring new product documentation and training. Major releases are fully tested on all supported platforms and delivered on DVD and/or downloaded from our secure Client Support web site. Major releases are targeted for approximately every 12 months. Knowledgebase releases deliver knowledgebase updates. Every 3-6 months, system lists are updated to ensure compliance and accuracy; for example the medication interactions check database. Knowledge base releases are fully tested on all supported platforms and delivered monthly via download from our secure Client Support web site. Service pack releases deliver critical performance and bug patches. They receive targeted testing and are delivered as needed from our secure Client Support web site.


All of these types of releases are included as part of the annual support and maintenance fees.

Describe your software upgrade process.

Upgrades and patches are typically supplied to users approximately every 6 months, while new versions are available every 12 – 18 months. Clients are not mandated to conduct software upgrades and to date, legacy versions nearly ten years old are still supported. All new releases go through extensive testing in-house before they are released for beta testing to a select few clients. At that time, the new beta version of the software will be installed by a Fusion representative and carefully monitored for a predetermined amount of time. Once Fusion is confident that the new version has been adequately tested, it is then available as a general release. The quality assurance team has developed a comprehensive test plan that includes sophisticated, automated regression, and coverage testing processes. Our QA lab executes the test plan on every software release to ensure that a highly reliable application is delivered for support and maintenance in all supported platform environments. The implementation for VTDOC will maintain a test environment to maintain test and implementation standards appropriate to their environments.

How often are new versions released?

As stated in the above response, Upgrades and patches are typically supplied to users approximately every 6 months, while new versions are available every 12 – 18 months. Clients are not mandated to conduct software upgrades and to date, legacy versions nearly ten years old are still supported. All new releases go through extensive testing in-house before they are released for beta testing to a select few clients. At that time, the new beta version of the software will be installed by a Fusion representative and carefully monitored for a predetermined amount of time. Once Fusion is confident that the new version has been adequately tested, it is then available as a general release. The quality assurance team has developed a comprehensive test plan that includes sophisticated, automated regression, and coverage testing processes. Our QA lab executes the test plan on every software release to ensure that a highly reliable application is delivered for support and maintenance in all supported platform environments. The implementation for VTDOC will maintain a test environment to maintain test and implementation standards appropriate to their environments.

Is documentation and training provided for system upgrades?

Fusion will provide documentation for any system upgrades that may cause changes to the client’s workflows. Training will be discussed between Fusion and the Client based off the extent of the changes involved in the system upgrade.

Are there additional costs for upgrades and/or new releases?

Upgrades and patches are typically supplied to users approximately every 6 months, while new versions are available every 12 – 18 months. Clients are not mandated to conduct software upgrades and to date, legacy versions nearly ten years old are still supported. Major releases deliver significant new features requiring new product documentation and training. Major releases are fully tested on all supported platforms and delivered on DVD and/or downloaded from our secure Client Support web site. Major releases are targeted for approximately every 12 months. Knowledgebase releases deliver knowledgebase updates. Every 3-6 months, system lists are updated to ensure compliance and accuracy; for example the medication interactions check database. Knowledge base releases are fully tested on all supported platforms and delivered monthly via download from our secure Client Support web site.


Service pack releases deliver critical performance and bug patches. They receive targeted testing and are delivered as needed from our secure Client Support web site.

All of these types of releases are included as part of the annual support and maintenance fees. Describe how and when the State will have an opportunity to test system upgrades/releases prior to live installation.

All new releases go through extensive testing in-house before they are released for beta testing to a select few clients. At that time, the new beta version of the software will be installed by a Fusion representative and carefully monitored for a predetermined amount of time. Once Fusion is confident that the new version has been adequately tested, it is then available as a general release. The quality assurance team has developed a comprehensive test plan that includes sophisticated, automated regression, and coverage testing processes. Our QA lab executes the test plan on every software release to ensure that a highly reliable application is delivered for support and maintenance in all supported platform environments. The implementation for VTDOC will maintain a test environment to maintain test and implementation standards appropriate to their environments.

Describe how the State will validate post installation and how changes will be backed out in the event that a problem is encountered.

Even though Fusion has a comprehensive test plan for releases and updates, VTDOC will have access to a testing environment which will allow for key stakeholders to validate the update prior to committing it to the production environment. Fusion sets up four separate environments when the system is initially installed; test, development, training and production. The intended use of each is given in its name. A best practice communicated to the client is to build all new or updated content in the Development environment. Once it has been completed it is moved into the Test environment for testing and certification by some combination of staff that typically includes a few end users. Once it has been certified, it is scheduled and moved into the Production environment where it immediately becomes available to all users. This will ensure that any bugs/issues are addressed prior to commitment of the update to ensure minimal disruption to the client. This model is the same whether the system is self-hosted or vendor-hosted.


Questions Vendor Response Service: Bug Fixes and Minor Enhancements Describe the frequency and process for providing, testing, and installing bug fixes and minor enhancements.

Upgrades and patches are typically supplied to users approximately every 6 months, while new versions are available every 12 – 18 months. Clients are not mandated to conduct software upgrades and to date, legacy versions nearly ten years old are still supported. All new releases go through extensive testing in-house before they are released for beta testing to a select few clients. At that time, the new beta version of the software will be installed by a Fusion representative and carefully monitored for a predetermined amount of time. Once Fusion is confident that the new version has been adequately tested, it is then available as a general release. Software updates include major updates and minor updates that are made generally available as part of the applicable software. Major updates include product feature and/or functionality enhancements and minor updates include bug fixes and modifications to improve product reliability. Fusion recommends that the client implement the most current software updates to take advantage of added features, enhancements, bug fixes, and a higher level of support. The quality assurance team has developed a comprehensive test plan that includes sophisticated, automated regression, and coverage testing processes. Our QA lab executes the test plan on every software release to ensure that a highly reliable application is delivered for support and maintenance in all supported platform environments. The implementation for VTDOC will maintain a test environment to maintain test and implementation standards appropriate to their environments.

Service: Disaster Recovery What is your standard RPO and RTO?

As part of your Centricity implementation, a disaster recovery plan will be created whereby the location of the backup data as well as the method which the backups are created will be decided. Our co-location sites will be used as our offsite disaster recovery location. Natural disasters and emergencies will failover to Fusion’s Disaster Recovery facility. Centricity provides industry best-practice for HIPAA compliant high-availability clinical data at rest and network security solutions. Our data centers are SSAE-18 audited and pass all HIPAA and PHI security measures. To date, we have never had any breaches. Internally, we have specific policies on breach notification, response, and reporting protocols which are reviewed annually and refreshed as needed. Centricity is certified with MS Server, SQL and VMWare to allow industry standard High Availability, DR strategies, tools, process and procedures that secure industrial internet solutions. Centricity has dual/redundant infrastructure for network, switches, routers, servers, etc. in order to maximize uptime capabilities. Centricity’s scalable and highly redundant infrastructure provides a multi-site load balanced architecture to ensure high availability, business continuity and disaster recovery. The system includes built-in redundancy so that in case of a power failure or hardware issue at the primary data center, a duplicate backup is activated and the network’s function is not interrupted. Centricity’s average uptime has been 99.99% in the last twelve months and that is what we strive to achieve. When hosting with Fusion, our clients have access to state-of-the-art data centers providing the following benefits and services found on the following page.


2. Describe any other services not mentioned in the above list that are included in your standard Service Level Agreement (SLA). Include a copy of your SLA with your response to this RFP. Label the SLA Attachment #8. Please refer to Exhibit C - Attachment #8 for Fusion’s Service Level Agreement

3. Describe how adherence to your service levels is measured and what remedies you would provide the State when performance doesn’t meet the standard?

The Contractor will implement and utilize measurement and monitoring tools and metrics as well as standard reporting procedures to measure, monitor and report the Contractor's performance of the Services against the applicable Service Level Specific Performance plus the Overall Performance Score and provide any other reports required under this Scope of Work. The Contractor will provide the State with access to the Contractor’s asset management reports used in performing the Services, and to on-line databases containing up-to-date information regarding the status of service problems, service requests and user inquiries. The Contractor also will provide the State with information and access to the measurement and monitoring reports and procedures utilized by the Contractor for purposes of audit verification. The State will not be required to pay for such measurement and monitoring tools or the resource utilization associated with their use. Prior to the Commencement Date, the Contractor will provide to the State proposed report formats, for State approval. In addition, from time to time, the State may identify a number of additional reports to be generated by the Contractor and delivered to the State on an ad hoc or periodic basis. Generally, the Contractor tools provide a number of standard reports and the capability to provide real-time ad hoc queries by the State. A number of additional or other periodic reports (i.e., those other than the standard ones included in the tools) mean a number that can be provided incidentally without major commitment of resources or disruption of the efficient performance of the services. Such additional reports will be electronically generated by the Contractor, provided as part of the Services and at no additional charge to the State. To the extent possible, all reports will be provided to the State on-line in web-enabled format and the information contained therein will be capable of being displayed graphically. At a minimum, the reports to be provided by the Contractor must include:

• Monthly Service Level report(s) documenting the Contractor's performance with respect to Service Level Agreements; and • A number of other periodic reports requested by the State which the State reasonably determines are necessary and related to its use and understanding

of the Services.


PART 8: PRICING

1. Submit four-year pricing for your proposed solution in the table below. Fill in only the lines that are applicable to your proposal. Insert lines for additional costs, but do not delete or rename any lines in the Table. Total each column and provide a total of all columns in the “Total Implementation, plus 5 Year Costs” box on the next page.

We are pleased to have the opportunity to earn the business of Vermont Department of Corrections. As further explained throughout our proposal, we are excited to partner with DOC to improve correctional healthcare delivery with the Centricity EHR system. Our comprehensive, corrections-specific EHR system coupled with our team of highly experienced and knowledgeable personnel in all aspects of correctional clinical delivery, electronic clinical documentation and workflow processes allows DOC to retain the most capable, experienced, and thorough team to provide EHR services. For every Centricity implementation, our clients receive exceptional software, services and support. With the implementation of Centricity our clients reap the benefits of having the following system clinical documentation functionality including, but not limited to EHR, Behavioral Health, Dental, ePrescribe/CPOE, Infirmary Management, Sick Call Request, eSignature, Scheduling, Orders Manager, and much more.

Centricity provides DOC with the most comprehensive EHR solution for the correctional health industry, period. Unlike other EHR vendors that have minimal, if any, correctional health implementations, Centricity manages over 250,000 inmates in over 200 correctional facilities throughout the US. Centricity has been developed to meet the needs of numerous correctional facilities nationwide while adhering to and surpassing NCCHC, ACA, and PBNDS requirements for workflow, documentation and reporting.

As part of this project, Fusion will replace CorrecTek with a more robust and comprehensive system that is easy to use, flexible and configurable, easily integrates within the State’s network environment, meets industry standards, provides decision and administrative support, meets the State’s technical and functional requirements, can interface with various 3rd party systems, is reliable, is affordable, and is sustainable. We are proud to say that Centricity meets, exceeds and complies with all DOC’s business and technical requirements.

We are committed not only to DOC, but the Centricity product in general. That said, we are focused to ensure DOC is fully satisfied with the products and overall services which will allow Centricity to continue to spread to other correctional health organizations across the nation. Our team is committed to seeing the successful implementation of Centricity in all of our clients’ sites, as we strive to use each client as a reference site. That said, we have provided the required pricing information on the following page(s):


Cost Type One Time Year 1 Year 2 Year 3 Year 4 Year 5 Software

Enterprise Application: License Fees $487,400.00 $0.00 $0.00 $0.00 $0.00 $0.00

Maintenance &/or License Fee Add-Ons $0.00 $0.00 $0.00 $0.00 $0.00 $0.00

Subscription cost $0.00 $0.00 $0.00 $0.00 $0.00 $0.00

Storage Limitations and/or Additional Fees $0.00 $0.00 $0.00 $0.00 $0.00 $0.00

Database Software: License Fees $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Middleware Tools: License Fees $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Operating System Software: License Fees $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Upgrade Costs for Later Years $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Post-Go-Live Configuration $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Support and Maintenance Fees $0.00 $115,455.00 $115,455.00 $115,455.00 $115,455.00 $115,455.00 Implementation Services

Project Management $150,000.00 $0.00 $0.00 $0.00 $0.00 $0.00 Requirements $20,000.00 $0.00 $0.00 $0.00 $0.00 $0.00 Design (Architect Solution) $58,400.00 $0.00 $0.00 $0.00 $0.00 $0.00

Development (Build, Configure or Aggregate)/Testing $248,210.00 $0.00 $0.00 $0.00 $0.00 $0.00

System Testing $27,500.00 $0.00 $0.00 $0.00 $0.00 $0.00 Defect Removal $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Implement/Deploy or Integrate $264,750.00 $0.00 $0.00 $0.00 $0.00 $0.00 Quality Management $32,500.00 $0.00 $0.00 $0.00 $0.00 $0.00


Cost Type One Time Year 1 Year 2 Year 3 Year 4 Year 5

Implementation Services Continued

Training $175,800.00 $0.00 $0.00 $0.00 $0.00 $0.00 Telecom Bandwidth $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Hardware Computing Hardware $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Storage and Backup Hardware $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Network Hardware $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Facilities/Data Center $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 Hosting Hosting Fees $10,000.00 $55,545.00 $55,545.00 $55,545.00 $55,545.00 $55,545.00 Total Base Costs $1,474,560.00 $171,000.00 $171,000.00 $171,000.00 $171,000.00 $171,000.00

Total Implementation plus 5 Year Costs $ 2,329,560.00

2. Provide a confirmatory statement that the Offeror’s Appendix 5.24 “Price Proposal PIPM Calculator” has been updated to include (as

indicated above) One-Time (as part of Year 1) and Year 2-5 costs. Fusion’s Appendix 5.4 “Price Proposal PIPM Calculator” has been updated to include (as indicated above) One-Time (as part of Year 1) and Year 2-5 costs.

3. Describe any assumptions you have made in relation to the above cost and pricing information.

The following assumptions have been made in relation to the above cost and pricing information: • Pricing is based on 1,500 ADP. • Fusion will develop the following interfaces: JMS, Pharmacy, Lab, Radiology, and HIE. • Training and go-live approach will be at the discretion of Fusion’s PM. • One-time software fee is due upon contract execution unless otherwise agreed on. • Implementation fees are due upon deliverable/milestone accomplishments unless otherwise agreed on.


4. Provide pricing information for any volume discounts that are available based on the number of software licenses purchased or support years purchased. All applicable discounts have been reflected in the proposed price sheet.

5. Provide pricing for any Functional Requirements marked as “C” (feature is not available in the core solution, but can be

provided with customization). The following item, which has been marked as ‘C’ in Part 3: Functional Requirements, will incur an additional cost of $1,000.00, per custom report:

• The Solution shall generate a customizable discharge report, known as the “Discharge Summary” or “Continuity of Care Document” that is customizable.


PART 9: TERMS AND CONDITIONS

In deciding which Respondent/s to shortlist the State will take into consideration each Respondent’s willingness to meet the State’s terms and conditions. Indicate any objections or concerns to our stated terms and conditions in the RFP or any of the exhibits, addendums or attachments including Attachment C. Add lines to the table below as needed.

Important: Bidder will be bound to all terms and conditions stated in the State’s RFP, exhibits, attachments, and/or addendums except and then only to the extent specifically set forth in the table below, and only if and to the extent expressly agreed and incorporated in writing in a resulting contract. Note that exceptions to contract terms may cause rejection of the proposal. Fusion has read and understands the terms and conditions set forth by the State in the Sealed Bid for Comprehensive Correctional Healthcare Services and Information Technology Request for Proposals.

Clause Location Concern Proposed Verbiage

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A


PART 10: AUTHORIZED COMPANY SIGNATURE I am authorized to submit a proposal to the State of Vermont in response to this RFP on behalf of my organization. The information provided as part of my organization’s response is a true and accurate representation of my organization’s ability to meet the State of Vermont’s business needs as expressed in this RFP.

Michael Jakovcic

EVP of Business Development

Fusion Capital Management, LLC d.b.a. Fusion

2/15/2019

Signature:

Full name:

Title:

Company:

Date:


E-SIGNED by SOV ITcontracting-ADS on 2020-06-05 19:11 ...

Documents

Transcript of E-SIGNED by SOV ITcontracting-ADS on 2020-06-05 19:11 ...