CRISP RFP: Annual Security Audit

The purpose of this solicitation is to obtain an audit firm to assess whether patient data is processed, transmitted, and stored by the HIE and its vendors in a secure manner and in accordance with the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH), and with State-level requirements defined within the Code of Maryland Regulations (COMAR) 10.25.18, so as to minimize the potential for unauthorized disclosure or breach of protected health information (PHI), and to assess HITRUST CSF compliance.

CSS is formally designated as Maryland and D.C.’s statewide Health Information Exchange (“HIE”) and is incorporated as a non-profit entity charged with the mission to advance the health and wellness of patients throughout Maryland, the District of Columbia, West Virginia, Connecticut, and Alaska by enabling healthcare providers to share clinical data with other hospital systems, providers, and stakeholders across the Region.

CSS is committed to providing secure operations and protection of private health data. As a Health Information Exchange, compliance with HIPAA/HITECH and COMAR is a business requirement. With or without HIPAA compliance, the security and privacy of the data made available by CSS on publicly accessible websites, and through the numerous custom-developed applications running on them, is a high priority.


You are invited to submit a Proposal to explain your solution for a comprehensive annual security audit that will include a System and Organization Controls 2 (SOC 2 Type 2) audit, a HIPAA/HITECH and COMAR (Code of Maryland Regulations) audit, cybersecurity testing, and a validated HITRUST assessment of a health information exchange (HIE). The audit will evaluate adherence to HIPAA/HITECH and COMAR (10.25.18) requirements for security and privacy, as well as the controls required for HITRUST Common Security Framework (CSF) compliance. You will need to describe how your solution will meet CRISP Shared Services’ (CSS) requirements as described herein. All Proposals should be submitted electronically to:


  1. Intent to bid on this proposal must be submitted by November 18, 2022, at 6:00pm ET
  2. Questions from potential vendors are due by November 30, 2022, at 6:00pm ET
  3. Responses to Questions will be provided on or before December 07, 2022
  4. Final Proposals must be received no later than 6:00pm ET on December 15, 2022

Kevin Phillip