A. The Contractor shall perform the following requirements in order to provide the MBC with on-site digitized scanning and photocopying services:

i. The Contractor shall provide digitized scanning and photocopying of confidential medical records, diagnostic images, charts, depositions, and court documents for the MBC’s Central Complaint Unit, Complaint Investigation Office, and three (3) Probation Offices (Exhibit A, Attachment I – Medical Board of California Office Sites) located throughout California. An email or fax request for service shall originate from one (1) of these offices.

ii. All jobs are to be scanned unless paper copies are specifically requested by the MBC staff. MBC cannot accept compact discs (CDs), digital video disks (DVDs), or thumb drives/USB drives, as these items are not in compliance with MBC’s information security policies.

iii. The Contractor must be able to provide optical character recognition (OCR). This software provides MBC staff and consultants the ability to search key words, dates, names, etc. when scanning records.

iv. The Contractor shall provide documents electronically within thirty (30) days upon receipt of the request in Adobe Portable Document Format (PDF) through a secure website. The website shall be secured with Transport Layer Security (TLS), minimum 1.2, using a secure certificate issued by a trusted certificate authority. The website must be secured and only accessible using HyperText Transfer Protocol Secure (HTTPS). MBC users will be issued unique logins with passwords conforming to MBC standards or federated sign-in using Microsoft Identity platform integration. Multifactor authentication capabilities shall be available if not using federated sign-in. The Contractor will also protect each individual set of patient records with a unique password. Upon completion of a request when the documents are available for download, the Contractor will send the unique password to the MBC requestor via encrypted email, CC’ing the requestor’s manager.

B. All records pertaining to the specific patient must be included in one (1) file or as few files as space permits. The file must be indexed to indicate the facility/physician/clinic or location from which the documents were obtained. Contractor must maintain documents electronically for ninety (90) days from when they are completed and available for access.

C. MBC shall notify Contractor of changes to security protocols. Contractor will review updates, and if agreed to, shall comply with updated security protocols upon mutually agreed-upon timeframes.

D. Contractor shall ensure that the following requirements are met for all individuals that access the Recovery Program System:

i. Uniquely identify each individual user to enforce individual accountability for those accessing the system.

ii. Maintain authentication data that includes information for verifying the claimed identity of individual users (e.g. passwords).

iii. Upon MBC request, Contractor shall provide access to security logs for all DCA users and activities for audit purposes.

iv. Contractor shall notify MBC within 24 hours of any identified breaches to the Recovery Program System.