
This is not a solicitation or Request for Proposals.

The State is seeking information to identify the market and potential sources only.
REQUEST FOR INFORMATION
RFI # N20914
PROJECT TITLE: Department of Health (DOH) Medical Marijuana Registry

SCHEDULE of EVENTS: The schedule of events set out herein represents the best estimate of the
schedule that will be followed. However, delays to the procurement process may occur which may
necessitate adjustments to the proposed schedule. If any component of this schedule is delayed, the
rest of the schedule may be shifted as appropriate. Any changes, up to the closing date of the RFI, will
be publicly posted prior to the closing date of this RFI. After the close of the RFI, the State reserves the
right, at its sole discretion to adjust the remainder of the proposed dates on an as needed basis with or
without notice.
RFI Release Date: November 05, 2014
Deadline for Submitting Questions: November 12, 2014
Response to Questions: November 14, 2014
Vendor Submittals Due: November 25, 2014
Notification to Vendors of Demonstration: November 25, 2014
Conduct Demonstrations (optional): December 01, 2014

Upon release of this RFI, all communications in regard to this RFI shall be directed, in writing, to the RFI
Coordinator and Alternate named below or their designee.
RFI Coordinator: Ann Thompson, ann.thompson@doh.wa.gov
Alternate: Melanie Brueske, melanie.brueske@doh.wa.gov

Page 1 of 11

TABLE OF CONTENTS
DEFINITIONS
1 INTRODUCTION
1.1 PURPOSE
1.2 BACKGROUND
1.3 OBJECTIVE
2 FUNCTIONAL RESPONSE
3 PARTICIPATION IN RFI AND INTENTION TO DEMONSTRATE
3.1 LETTER OF INTENT
3.2 DISCLOSURE OF RFI CONTENTS
3.3 OWNERSHIP OF PROPOSALS
3.4 PROPRIETARY AND CONFIDENTIAL INFORMATION
3.5 COSTS OF PROPOSAL PREPARATION
3.6 RESPONSE FORMAT
4 EXHIBITS
4.1 GENERAL QUESTIONS
4.2 CRITERIA
4.3 SECURITY


DEFINITIONS:

For the purposes of this solicitation definitions include and have the meanings indicated below:
Agency: The Department of Health is the agency of the state of Washington issuing this
Solicitation.
Commercial Off-The-Shelf or COTS means a collection of computer source and/or object code
that, with modifications defined by the DOH, shall meet the system requirements and specifications
set forth in the RFP. The DOH shall have the right to use the modified software and all purchased
modules in accordance with the licensing provisions contained in the executed Contract.
Contractor: Individual or company whose proposal has been accepted by the Agency and is
awarded a fully executed, written contract. Contractor has full responsibility for the coordinating and
controlling of all aspects of the project, including support to be provided by any Subcontractor(s).
Contractor will be the sole point of contact with the DOH relative to Contract performance, shall be
the signatory to the final contract, including subsequent amendments, and is responsible for the
overall performance of Deliverables under the Contract.
Business Day: Days of the week excluding weekends and state holidays; namely, New Year's Day,
Martin Luther King Jr. Day, Presidents' Day, Memorial Day, Labor Day, Independence Day, Veterans
Day, Thanksgiving Day, the day after Thanksgiving Day, and Christmas.
Business Hours: Normal State business hours are Monday through Friday from 8:00 a.m. to 5:00
p.m. except legislatively mandated furlough days and State Holidays.
Deliverable: any measurable, tangible, verifiable outcome, result, or item that shall be produced to
complete a project or part of a project and to receive payment. A Deliverable may be composed of
one or more interrelated project Work Products.
Delivery Date: The date by which the Products/Services ordered must be delivered.
Documentation: All operations, technical and user manuals and guides used in conjunction with the
System.
DOH or Department: The Department of Health.
Effective Date: The first date the Contract is in full force and effect. It may be a specific date agreed
to by the parties; or, if not so specified, the date of the last signature of a party to this Contract.
Evaluation Committee: the body appointed by the DOH management to perform the evaluation
and scoring of submitted proposals.
License: The rights granted to the Department to use the Software and all modifications that is the
subject of this RFP/Contract.
Local Time: Time in the Pacific Time Zone as observed by the State of Washington.
Mandatory: The terms "shall", "will", and "is required" identify a Mandatory item or factor (as
opposed to "Desirable"). Failure to meet a Mandatory item or factor will result in the rejection of the
Bidder's proposal.
Milestone: a significant event in a project, usually the completion of a major Deliverable.
Optional: The terms "may", "can", or "prefers" identify a discretionary item or factor.
OCP: Office of Contracts & Procurement.
Price: shall mean charges, costs, rates, and/or fees charged for the Products and Services under
this Contract and shall be paid in United States dollars.


Product: the software source or object code, system technical documentation, user
documentation, training materials or other items of tangible property developed by or delivered from
the Contractor to the DOH under the terms and conditions of the Contract.
Proposal: A formal offer submitted in response to this solicitation.
Proposal Due Date/Time: Proposals and Letters of Intent are due on the date and at the time
specified in the schedule. Any Proposal or Letter of Intent received at any time after the stated date
and time (e.g. 3:01p.m.) will be considered late and will not be evaluated.
Responsive Bid or Responsive Proposal: An offer or proposal that conforms in all material
respects to the requirements set forth in the request for proposals. Material respects of a request for
proposals include, but are not limited to, price, quality, quantity or delivery requirements.
Responsible Bidder: A Bidder who submits a responsive proposal and who has furnished, when
required, information and data to prove that its financial resources, production or service facilities,
personnel, service reputation, and experience are adequate to make satisfactory delivery of the
services or items of tangible personal property described in the Bidder's proposal.
Software: shall mean the object code version of computer programs related to this solicitation.
Software also means the source code version and related utilities, provided by Vendor. Software
includes all prior, current, and future versions of the Software and all maintenance updates and error
corrections.
State: State means State of Washington.


1 INTRODUCTION
1.1 PURPOSE

The Washington State Department of Health (DOH) is in the process of defining
anticipated future business needs and developing strategic solutions to meet business
needs as it applies to the establishment and management of a medical marijuana
registry system/service.
The DOH is soliciting information on COTS products or vendor hosted solutions that
allow for the following functionality:
• Allows health care professionals to register patients and print DOH issued
  authorization cards
• Provide for law enforcement officers and marijuana retailers to confirm the
  registration of qualifying patients and/or designated providers
• Ability to control which data field can be updated
• Ability to control who can update a data field
• Ability to control who can delete a record
• Ability for DOH to issue and allow health care professionals and DOH to manage
  authorization cards. Authorization cards must contain the following:
    o Patient's Name
    o Effective Date of the Authorization
    o Amount of marijuana authorized, if the amount exceeds the presumptive
      amount allowed by law
    o 2-D Barcode containing the patient's date of birth, address and photo
      identification
• Provide audit records to the DOH administrators that show any system access
  and what individual record was accessed
• Provide audit records to the DOH administrators that indicate type of activity and
  what data elements were modified
• Does not allow duplicate names/matching ID info
• Once patient or designated provider registration is expired or in a non-active
  status, removes patient from active registry
• Maintain all registrations for 5 calendar years from date of entry
• Compatible with multiple web browsers and mobile enabled devices
• Tracks authorization/registration expiration 1 year from date of entry unless
  revoked earlier by health professional or designated provider
• Allow for processing of rules such as, if a designated provider is revoked or
  cancelled they cannot become a designated provider for another patient until XX
  days have passed
Additional Criteria/Requirements are detailed in section 4.2.
The purpose of this Request for Information (RFI) is to gather information on possible
solutions that will meet our business needs. The knowledge of available options will aid
the development of an overall strategic approach. Responses to this RFI will help aid the
DOH on possible approaches.
1.2 BACKGROUND

Washington State provides an affirmative defense for the possession, growth and use of
marijuana by qualifying patients with terminal or debilitating medicinal conditions
(chapter 69.51A RCW). Medical marijuana users are held to different requirements than
recreational users. Over the past several years, the legislature has considered
legislation to further regulate medical marijuana. The DOH will likely be responsible for
implementation of all or part of such regulation by managing the medical marijuana
registry and database. DOH is interested in exploring a database or registry for medical
marijuana authorizations. DOH is most interested in a solution that allows for tracking,
reporting and managing the medical marijuana authorizations.
Currently there is not a system in place to verify individuals who hold medical marijuana
authorizations. The DOH is interested in a solution that allows health care providers to
register qualifying patients and law enforcement and marijuana retailers to confirm the
authorization of DOH authorization cards of qualifying patients.
The department anticipates an average of approximately 139,000 patients and
designated providers will be having a new or renewed authorization in each of the next
five years. There will be approximately 500 concurrent users. Due to state regulation the
system is not allowed to interface with other DOH or external systems.
1.3 OBJECTIVE

The objective of the RFI is to determine if there is a COTS system available,
implementation services and solicit information for a solution that will allow for DOH to
manage a medical marijuana database/registry.
Using information gathered from responses to this RFI, DOH may request product
demonstrations. DOH may also issue a Request for Proposal (RFP) for the procurement
of a solution. The release of this RFI, in no way obligates DOH to such course of action
or any other obligation not set forth in this RFI.

2 FUNCTIONAL RESPONSE
This RFI is issued as a means of technical discovery, information gathering and for the
purpose of determining market capability/availability of sources. This RFI is for planning
purposes only and should not be construed as a solicitation as it does not satisfy the
requirement for competitive bidding nor should it be construed as an obligation on the part of
the State to make any purchases. This RFI should not be construed as a means to pre-qualify
vendors. Participation in this RFI is voluntary and the State will not pay for the preparation of
any information submitted by a respondent or for the State's use of information provided.
Responding to this RFI is not a pre-requisite for participation in any future RFP or solicitation
for these services should one be issued; nor does it prevent respondents from bidding on any
subsequent RFP. All submissions will become the property of the DOH and will not be
returned. The DOH may utilize the information provided as a result of this RFI in drafting a
more definitive set of requirements and services that may be required as well as provide
valuable insight as to the best approach for a competitive solicitation.
Please provide any feedback/comments that your company feels would enhance the proposed
project, including but not limited to additional relevant COTS technologies not specifically
referenced.

3 PARTICIPATION IN RFI AND INTENTION TO DEMONSTRATE


3.1 LETTER OF INTENT

You must send or email DOH a Letter of Intent to participate in the RFI product
demonstrations. E-mail your Letter of Intent to the RFI Coordinators no later than
5:00 p.m. on the date stated in the SCHEDULE; you may respond sooner.
The top five vendors will be brought in for demonstrations. Vendor selection for
demonstrations will be based on the number of requirements a vendor can meet and
the solution that is the best fit for DOH. Demonstrations do not need to be in person; they can
be done via State provided GoToMeeting/GoToWebinar. Most state participants will
attend in person but we may have participants from other parts of the state who will
attend via the GoToMeeting broadcast. Demonstrations will be 1-2 hours with 30
minutes prior for setup.
3.2 DISCLOSURE OF RFI CONTENTS
All RFI responses shall be deemed public records as defined in RCW 42.56.
If a public records request is made for any information in the proposal that the Bidder
claims as proprietary/confidential and exempt from disclosure under the provisions of
RCW 42.56 the Agency will notify the Bidder of the request and of the date that the
records will be released to the requester unless the Bidder obtains a court order
preventing disclosure. If the Bidder fails to obtain the court order preventing disclosure,
the Agency will release the requested information on the date specified.
DOH will charge for copying and shipping any copies of materials requested as outlined
in RCW 42.56. DOH will not charge a fee for inspection of RFI files but twenty-four (24)
hours notice to the RFI Coordinator is required. Address requests for copying or
inspecting materials to the RFI Coordinator named in this RFI.
DOH will retain solicitation records in accordance with Washington State and DOH
Records Retention Schedules.
3.3 OWNERSHIP OF PROPOSALS

All proposals and materials submitted in response to this solicitation shall become the
property of the Department and will not be returned. The Department will have the right to
use ideas or adaptations of ideas that are presented in the responses.

3.4 PROPRIETARY AND CONFIDENTIAL INFORMATION

Clearly mark every page of any portion(s) of your written response that contains
proprietary/confidential information with the words "PROPRIETARY/CONFIDENTIAL
INFORMATION" (in all caps), affixed to the lower right-hand corner of each page. In
addition, you must provide a detailed listing (including page numbers) of any and all
materials so marked and the particular exemption from disclosure upon which the Bidder is
making the claim must be cited.
Any response containing language which copyrights the proposal, declares the entire
proposal to be confidential or proprietary, declares that the document is the exclusive
property of the Bidder, or is in any way contrary to state public disclosure laws or this RFI
may be declared non-responsive and removed from consideration.
Your responses to this RFI including any estimated product and maintenance costs are
not considered by DOH to be confidential or proprietary.
3.5 COSTS OF PROPOSAL PREPARATION

The State will not be liable for any costs incurred by the Respondent in the preparation
and presentation of information submitted in response to this RFI including, but not
limited to, costs incurred in connection with the Respondent's participation in
demonstrations and the informational conference.
3.6 RESPONSE FORMAT

Respondents should provide a written response no later than 5:00 pm Pacific Time on
the date specified in the SCHEDULE. The response should be short, clear, concise, and
complete. Responses are to be emailed to the RFP Coordinator and the alternate
identified. Bidders are cautioned to keep email sizes to less than 15 Mb. Zipped files
cannot be received and will not be accepted by DOH and must not be used in
Responses. All files in the Bidder's Response must be formatted in Microsoft Word,
Microsoft Excel or PDF.

4 EXHIBITS
4.1 GENERAL QUESTIONS

The following questions have been developed by our project team and express the
range of information we are seeking. We encourage you to tell us about functionality
your system may have in addition to the areas identified below. If a question cannot be
answered, provide a brief explanation as to why the question cannot be answered (e.g.
N/A, function is outside the scope of offering).
These are general questions about your product. Other questions about your product will
give us a more complete understanding of the product's functionality. Pre-printed
marketing material should not be included in your response.
As noted in section 3.2 your written answers are subject to public disclosure. You may
omit answering any questions you wish.
Answers to these questions and any additional materials must be provided by
5:00 pm on the date in the SCHEDULE.
4.2 CRITERIA

General: Describe how your solution addresses the following requirements.
1.0 Allows health care professionals to register patients
2.0 Ability to issue and manage authorization cards.
3.0 Provides audit records to the DOH administrators that show any system access
    and what individual record was accessed.
4.0 Provides audit records to the DOH administrators that indicate type of activity
    and what data elements were modified.
5.0 Does not allow duplicate names/matching ID info.
6.0 Provides ability for law enforcement officers and marijuana retailers to confirm
    the registration of qualifying patients and/or designated providers.
7.0 Once patient or designated provider registration is expired or in a non-active
    status, remove patient or designated provider from active registry.
8.0 Maintains all registrations for 5 calendar years from date of entry.
9.0 Provides compatibility with multiple web browsers and mobile enabled devices.
10.0 Tracks authorization/registration expiration 1 year from date of entry unless
    revoked earlier by Health Professional or Patient/Guardian (Designated Provider)
11.0 Allows for processing of rules such as, if a designated provider is revoked or
    cancelled they cannot become a designated provider for another patient until
    XX days have passed
12.0 Provides availability 24/7 with geographically dispersed Disaster
    Recovery/Failover Sites

Permissions
1.0 Describe how the solution allows for the ability to create multiple levels of
    permissions.
2.0 Does the solution allow for role based permissions? Please describe.
3.0 Ability to control which data field can be updated
4.0 Ability to control who can update a data field
5.0 Ability to control who can delete a record

Cost
Please describe costs associated with one time purchase, subscription costs,
maintenance, and implementation services.


4.3 SECURITY

The medical marijuana registry must meet the following Security Specific requirements:
A. Any personally identifiable information included in the registry must be nonreversible,
pursuant to definitions and standards set forth by the national institute of standards and
technology;
    1.0 Please describe the ability of the registry solution to encrypt personally
        identifiable information using a non-reversible hash algorithm validated by the
        National Institute of Standards and Technology (NIST).
B. Any personally identifiable information included in the registry must not be susceptible to
linkage by use of data external to the registry;
    1.0 Please describe the ability of the solution to prevent the linking of registry data to
        any other information.
    2.0 Please describe the processes used to identify and address the registry solution
        systems and application vulnerabilities throughout the system lifecycle.
    3.0 Please describe practices for conducting penetration testing. When was the last
        test conducted?
    4.0 Are development practices consistent with NIST SP800-64?
    5.0 Please describe the ability to show the registry solution does not contain any of
        the OWASP top 10 vulnerabilities.
    6.0 For SaaS solutions please address the ability to support single tenancy.
C. The registry must incorporate current best differential privacy practices, allowing for
maximum accuracy of registry queries while minimizing the chances of identifying the
personally identifiable information included therein; and
    1.0 Please describe how the solution will provide maximum accuracy query results
        without including personally identifiable information.
D. The registry must be upgradable and updated in a timely fashion to keep current with
state of the art privacy and security standards and practices.
    1.0 Please describe the processes and timelines that assure the registry solution is
        updated regularly, including security patches, service packs, and new releases
        for browsers, operating systems, databases, and all other supporting software.
    2.0 Please describe your ability to assure the data center facility and the registry
        solution remain current with Washington state, and federal privacy and security
        statutes, standards, and guidelines (e.g., chapter 42.56 RCW, chapter 70.02
        RCW, FIPS, FISMA, and NIST).
    2.1 Please describe the security controls and practices that ensure the registry
        information is secured against unauthorized access, use, modification or
        disclosure consistent with federal and industry standards and guidelines for
        medium to high impact systems (e.g., FIPS, FISMA, NIST, ISO 27001/27002 and
        OWASP). The response should include data center facility, operational, and
        administrative controls as well as the system lifecycle development practices.
    2.2 Please describe the ability to show compliance with federal and industry
        standards (e.g., FIPS, FISMA, NIST, ISO 27001/27002, and OWASP), and to
        complete SOC2 audits. The response should address controls for both Cloud
        Provider and the registry solution.

E. Personally identifiable information of qualifying patients and designated providers
included in the medical marijuana registry is confidential and exempt from public
disclosure, inspection, or copying under chapter 42.56 RCW.
    1.0 Please describe your experience integrating the registry solution's authentication
        mechanisms with state supported authentication gateways and supporting single
        sign on.
    1.0 Please describe the ability of your solution to support multifactor authentication
        that provides a high level of confidence in the identity of individuals.
    1.1 Does the authentication method meet or exceed the requirements for assurance
        level 3 or higher as described in the most recent version of NIST SP 800-63?
    2.0 Please describe your ability to provide cyber liability insurance for the registry
        solution. Include limits per claim and annual aggregates.
F. Information contained in the medical marijuana registry may be released in aggregate
form, with all personally identifying information redacted, for the purpose of statistical
analysis and oversight of agency performance and actions.
    1.0 Please describe the practices that ensure
        • prior written authorization is received from the Department of Health
          before the registry information is released in any form;
        • only the data specifically authorized by the Department of Health are
          released; and
        • the data are released only to individuals or entities specifically authorized by
          the Department.
