July 8, 2025

RFP: SOFTWARE DEVELOPMENT PARTNER FOR A SECURE, MODULAR PATIENT REGISTRY PLATFORM

Issued by: EvidaHealth Foundation
Issue Date: June 30, 2025
Submission Deadline: July 11, 2025

1. Background & Purpose

The EvidaHealth Foundation is launching Canada’s first modular, disease-agnostic patient registry infrastructure. This platform aims to support patient-owned data collection across multiple therapeutic areas while upholding the highest standards of privacy and data stewardship. This RFP outlines our vision for a third-party platform partner to bring this registry infrastructure to life.

2. Overview

The EvidaHealth Foundation is a Canadian not-for-profit organization focused on advancing patient-centered real-world evidence (RWE) through digital infrastructure that empowers patients, providers, researchers, and health system decision-makers. Our mission is to build privacy-first, patient-owned digital infrastructure that supports data-driven care, policy, and innovation.
We are issuing this RFP to identify an experienced software development partner to design and build the Registry Platform – a secure, modular, and scalable platform for hosting and scaling multiple disease- and condition-specific patient registries.
The platform must meet the highest standards in data privacy, security, and interoperability, with intuitive user interfaces for both patients and healthcare providers, and customizable dashboards for real-time insight.

3. Project Objectives

  • Develop a web-based platform capable of hosting multiple patient registries.
  • Enable user-friendly interfaces for data collection and data visualization for:
    • Patients
    • Healthcare providers
    • Researchers
    • Other authorized decision-makers (e.g., policymakers, funders)
  • Support evolving evidence needs, with the ability to adapt data collection fields over time and scale across multiple diseases and jurisdictions.

4. Scope of Work

4.1. Platform Features

  • Modular registry design: Ability to create and manage multiple disease-specific registries.
  • Custom data fields: Dynamic configuration of data collection forms tailored to disease area.
  • Multi-user interfaces:
    • Patient-friendly input forms with accessible design.
    • Provider-facing forms with clinical terminology.
  • Dashboards:
    • Patient- and provider-level dashboards showing individual-level data.
    • Stakeholder-level aggregate dashboards with filtering capabilities.
  • Accessible and inclusive design: Support for multilingual interfaces and WCAG 2.1 accessibility compliance.
  • Administrative flexibility: Registry forms and workflows must be configurable by non-technical users (e.g., researchers or registry admins) to accommodate protocol changes without requiring software development support.
  • Secure user authentication: Multi-factor authentication (MFA), role-based access.
  • Tokenization of identifiable data: Personally identifiable information (PII) must be stored separately and securely using tokenization or equivalent privacy-enhancing technologies.
  • No data persistence: The platform must not retain identifiable information or health data; all data must be routed securely to EvidaHealth’s backend infrastructure.
  • Data linkage readiness: Infrastructure for future integration with external data sources (e.g., EMRs, primary care systems, administrative datasets).
  • Export/reporting tools: Downloadable data (de-identified and aggregate) with audit trails.
  • Audit logs: Detailed logging of user access and activity.
  • Scalability: Platform must be scalable to support multiple diseases and thousands of users.

4.2. Compliance & Security

  • Adherence to Canadian privacy regulations (e.g., PIPEDA, Health Information Act – Alberta) and international standards (e.g., GDPR if applicable).
  • Consent auditability: Platform should enable audit trails linked to consent events and allow user-level control over data sharing and retention preferences.
  • Demonstrated compliance with cybersecurity frameworks, such as:
    • ISO/IEC 27001
    • SOC 2 Type II
    • NIST Cybersecurity Framework
  • Policies and practices for:
    • Secure hosting (e.g., Canadian data residency)
    • Data encryption at rest and in transit
    • Secure backup and disaster recovery
    • Consent management and user privacy.

4.3. Implementation & Support

  • Vendors must describe their approach to API development, integration with EvidaHealth’s secure intake and backend infrastructure, and sandbox/test environments for validation.
  • Collaborative planning with EvidaHealth leadership and partners.
  • Project management framework (Agile or hybrid preferred).
  • Phased implementation with milestones, timelines, and quality assurance protocols.
  • Training and documentation for administrators and end users.
  • Ongoing support and maintenance plans post-launch.

5. Vendor Requirements

Proposals must include:

  • Company overview including relevant experience with healthcare, registry, or public health platforms.
  • Relevant Experience:
    • Demonstrated experience handling personal health information (PHI) and data privacy compliance.
    • Experience developing secure APIs or system integrations, especially in health environments with PHI or PII.
    • Descriptions of 2–3 relevant projects with client references.
    • Screenshots, demo links, or case study visuals of prior implementations (especially relevant to patient registry or health data systems).
  • Team bios for key personnel assigned to this project.
  • Technical approach to the platform architecture, hosting, privacy, and security.
  • Details on tokenization strategy and future interoperability architecture.
  • Budget proposal with cost breakdown by phase or milestone.
  • Timeline for platform development and implementation.
  • Security Certifications: Vendors must provide evidence of current certifications or attestations (e.g., ISO 27001, SOC 2 Type II).
  • Insurance coverage (e.g., cyber liability insurance).
  • Bonus consideration may be given to vendors with a demonstrated commitment to patient empowerment, ethical data stewardship, or not-for-profit partnerships.

6. Evaluation Criteria

Proposals will be evaluated based on:

Criteria                                        Weight
Technical approach & solution design            25%
Experience with PHI & healthcare platforms      20%
Privacy, compliance, and data governance        20%
Cybersecurity and certifications                15%
Cost effectiveness                              10%
Implementation plan & timeline                  10%

Shortlisted vendors may be invited for a virtual presentation or Q&A.

EvidaHealth may also consider organizational alignment with our mission and track record in collaborative development.

7. Submission Instructions

Vendors are strongly encouraged to confirm their intent to submit by July 5, 2025, and may request a Q&A meeting to clarify any components of this RFP. Please indicate in your confirmation email if you would like to book a 20-minute Q&A call before July 7.

Please submit your proposal in PDF format to: info@evidahealth.com with subject line: “RFP Submission – Registry Platform”
Deadline for submission: July 11, 2025
Questions may be directed to: Tara Cowling, tara@evidahealth.com by 6pm EST July 7, 2025

8. Disclaimer

The EvidaHealth Foundation reserves the right to reject any or all proposals, to negotiate with any bidder, or to cancel this RFP process at any time. Submission of a proposal does not guarantee selection or contract award.
All submitted materials will be treated as confidential and used solely for the purpose of evaluating proposals.