FBO Notice Date 12/14/17
BIDS Reference Number 840
Document Type: Special Notice
Professional, Administrative, And Management Support Services

Department of Veterans Affairs, Hampton VAMC, Department of Veterans Affairs Medical Center, 23667

R -- File Room Storage Service SOL VA24617Q1839Ronald Gamble

The Department of Veterans Affairs Medical Center, NCO 6 Network Contracting Office, on behalf of the Durham, NC VA Medical Center located at 508 Fulton Street, Durham, NC 27705 intends to negotiate a sole source, brand name only contract with SOURCECORP BPS Inc. The applicable North American Industry Classification System (NAICS) code assigned to this procurement is 493110. The FSC Code is R699.THERE IS NO SOLICITATION AT THIS TIME. This request for capability information does not constitute a request for proposals; submission of any information in response to this market survey is purely voluntary; the government assumes no financial responsibility for any costs incurred.The Government intends to award a sole source contract for this requirement under the authority of 6.302-5, Authorized or Required by Statue, Public Law 38 U.S.C. 8127(b).This notice of intent IS NOT a request for competitive quotes; however, interested parties may identify their interest and capability to respond to this requirement no later than 3:00pm EST, 24 August, 2017. A determination by the Government not to compete this proposed contract based on responses to this notice is solely within the discretion of the Government. Information received will be considered solely for the purpose of determining whether to conduct a competitive procurement. Inquiries can be emailed to ronald.gamble@va.gov. No telephone requests will be accepted.If your organization has the potential capacity to perform these services, please provide the following information:1) Organization name, address, email address, Web site address, telephone number, and size and type of ownership for the organization; Point of Contact and Phone Number, DUNS number; and2) Business Size applicable to the NAICS Code: a. HuBZone Small Business Concern; b. Service-Disabled Veteran Owned Small Business Concern (SDVOSBC); c. Veteran Owned Small Business Concern (VOSBC); d. Small Business Concern; e. Large Business Concern.3) Tailored capability statements addressing the particulars of this effort, with appropriate documentation supporting claims of organizational and staff capability. The government will evaluate market information to ascertain potential market capacity to:a) provide services consistent in scope and scale with those described in this notice and otherwise anticipated;b) secure and apply the full range of corporate financial, human capital, and technical resources required to successfully perform similar requirements;c) implement a successful plan that includes: compliance with program schedules; cost containment; meeting and tracking performance; andd) Provide services under a firm-fixed price contract.SAM: Interested parties shall be register in the System for Award Management (SAM) as prescribed in FAR Clause 52.232-33. The SAM can be obtained by accessing the internet at www.sam.gov or by calling 1-866-606-8220.This RFQ is issued solely for information and planning purposes only and does not constitute a solicitation. All information received in response to this RFQ that is marked as proprietary will be handled accordingly. In accordance with FAR15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this RFQ.Failure to submit information in sufficient detail may result in considering a company as not a viable source and may influence competition and set-aside decisions. Regardless of the information obtained from this Sources Sought Notice, the Government reserves the right to consider any arrangement as deemed appropriated for this requirement. Respondents are advised that the Government is under noobligation to acknowledge receipt of the R--Durham VAMC File Room Storage Service VA24617Q1839 - Federal Business Op...Page 2 of 24 information received or provide feedback to respondents with respect to any information submitted. The Government reserves the right to use any information provided by respondents for any purpose deemed necessary and legally appropriate, including using technical information provided by respondents in any resultant solicitation. At this time no solicitation exists; therefore, do Not Request a Copy of the Solicitation. After a review of the responses received, a pre-solicitation notice and solicitation may be published on Federal Business Opportunities (FedBizOpps) website. It isthe potential offeror's responsibility to monitor FedBizOpps for release of anyfuture solicitation that may result from this Sources Sought Notice. However, responses to this Pre-solicitation Notice will not be considered adequate responses to any resultant solicitation.Pursuant to FAR Part 10 (Market Research), the purpose of this notice is to: (1) determine if sources capable of satisfying the agency's requirements exists, (2) determine if commercial items suitable to meet the agency's needs are available or could be modified to meet the agency's requirements, and (3) determine thecommercial practices of companies engaged in providing the needed service or supply. Pursuant to FAR Part 6 and FAR Part 19, competition and set-aside decisions may be based on the results of this market research. This notice in no way obligates the Government to any further action

Durham VA Health Care System Statement of WorkA. GENERAL INFORMATIONFile Room Closure and Image on DemandScope of Work:The contractor shall provide all resources necessary to accomplish the deliverables described in this statement of work (SOW), except as may otherwise be specified. The intent of this contract is to procure NARA approved storage space for Medical, Dental, Community Living Center, Dialysis, Radiology, Ophthalmology, Agent Orange, Flow Sheet, Administrative and Community Based Outpatient Center (CBOC) records, delivery of medical records/federal records, refiling of medical records/federal records, Image on Demand (IOD) services, inventory services, record destruction services, Indexing into CPRS/VISTA and scanning services from a selected contractor for the Durham VA Health Care System located at 508 Fulton Street, Durham, NC, 27705.Background:Durham VA Health Care System has had an electronic medical record Computerized Patient Records System (CPRS) since 2000. The scanning of health information documents was initiated in 2007. Durham VA Health Care System has a de-centralized scanning process. Closure of the Health Information Management Section s (HIMS) file room will allow for additional space for clinical services and personnel tobetter serve our Veterans. Maintaining current scanning will help ensure continuous compliance with VHA guidelines. The utilization of IOD will allow for a more complete and uniform patient medical record.Certification Requirements:The contractor shall be required to meet:1. National Archives and Records Administration Records Standards (NARA) including 36 CFR 1224 subpart B and C;2. VHA scanning equipment must meet VHA clinical capture devices for VistA image criteria; and3. VA approved Federal Information Process Standard (FIPS) 140-2 transmission protocol for IOD services.4. Review of paper versus images utilizing a statistically valid sampling modeladhering to the ANI/ASQC (American National Standards Institute/American Society for Quality Control) standard Z1.4 at 1.0 AQL (acceptable quality level) whichassures 99% accuracy.5. The contractor shall comply with all Federal, State and Local privacy guidelines to include entering a Business Associate Agreement with Durham VA Health Care System.

Performance Period:The contractor will be required to maintain approximately 4,623 cubic feet of individual medical records. As required the contractor will complete all cataloging, and entry of records received into an electronic tracking data base for easyretrieval, location tracking and record inventory. The electronic tracking database shall be searchable by the patient s full social security number (seven digits) and accessible to Durham VA Health Care System s staff identified by the Contractor Official Representative (COR). Additional records may be added to the inventory at any time during this contract and will be included in the established rate as specified by the contract period. The records to be stored are Medical, Dental, Community Living Center, Dialysis, Radiology, Ophthalmology, Agent Orange, Flow Sheet, Administrative and Community Based Outpatient Center (CBOC) records/files, loose documents and other federal records identified by COR.The contractor shall provide the following within 7 calendar days from date of initiation of the service(s) unless otherwise directed by the COR and or Contracting Office: Training on the electronic tracking data base including written instruction The electronic data base shall be available to Durham VA Health Care System sstaff Patient file entry of new and returning records into the electronic tracking data base within 24 hours of receipt. Original Jacket/Patient Record and Contents Recall or Return Document Scanning/Conversion Output List of contact names and numbers for staff managing this contract Written quality assurance plan and process Written plan for indexing into CPRS/VISTA Image on Demand servicesIf the contractor proposes an earlier completion date, and the Government accepts the contractor s proposal, the contractor s proposed completion date shall prevail. All other work shall begin within 30 calendar days of award, unless otherwise specified.Contract Award Meeting:The contractor shall not commence performance on the tasks in this SOW until the Contracting Officer has conducted a kick off meeting or has advised the contractor that a kick off meeting is waived.

General Requirements:1. For every task, the contractor shall identify in writing all necessary subtasks (if any), associated costs by task, and together with associated sub milestone dates. The contractor's subtask structure shall be reflected in the technicalproposal and detailed work plan.2. All written deliverables shall be phrased in layperson language. Statisticaland other technical terminology shall not be used without providing a glossary of terms.Specific Mandatory Tasks and Associated Deliverables:Patient File EntryThe contractor shall enter all patient information into electronic tracking data base for new and returning patient folders and refile returning charts in original location and add new folders to the open shelving. The term jacket, folder,file, medical record can be used interchangeably but does not include loose documents. The contract shall provide this service within 24 hours of receipt unless otherwise directed by the COR and or Contracting Office.Original Jacket/Patient Record and Contents Recall or ReturnThe contractor will retrieve original jackets or patient folders and its contents for pick up. When records are returned to the contractor, the contractor willenter the record back into its electronic tracking data base and return the record to its original locations. See the section titled Turnaround Requirements for time frame requirements.Record DestructionThe contractor may destroy records with written approval from Durham VA Health Care System s Chief of Health Information Management Section. The contractor will be required to provide a list of each individual file folder prior to destruction of files belonging to Durham VA Health Care System. The list shall contain medical record number, patient s name, record type, and volume number(s).The contractor may destroy loose records with written approval from Durham VA Health Care System s Chief of Health Information Management Section. The contractor will be required to provide a list of the number of boxes containing the loose documents prior to destroying the boxes.The contractor must provide a certified letter detailing what and when and the method used to destroy the records. Record destruction must be follow VHA guidelines.Document Scanning/Image on DemandThe contractor will meet all VHA guidelines when indexing scanned images into CPRS/VISTA. The contractor shall utilize the patients full social security number, date of care for outpatients, admission and discharge date for inpatients, and date of birth (DOB) to accurately attach documents to the correct patient and patient encounter.The contractor shall provide Image on Demand (IOD)and Document Scanning services as specified in the section titled Document Scanning and Image on Demand Requirements this contract. The contractor must meet VHA clinical capture devices for VistA imaging criteria and VA approved Federal Information Processing Standard (FIPS) 140-2 transmission protocol for Document Scanning and IOD services. Seethe section titled Turnaround Requirements time frame requirements.Record StorageThere are approximately 4, 623 cubic feet of individual medical records to be maintained and stored. The contractor shall store all Durham VA Health Care System medical records/folders, loose document and all other Federal records in a facility that meets National Archives and Records Administration Record Standards (NARA) including 36 CFR 1224 subpart B and C. The contractor shall maintain NARA certification, provide a copy of NARA certificate and notify the COR of any problems that may impact the contractor losing their certification.There are approximately 4, 623 cubic feet of individual medical records to be maintained and stored.The terms of the contract will be one base year plus three option years. The dates will be established at the time the contract is awarded.Document Scanning and Image on Demand RequirementsPatient Folder and Loose Document Preparation Requirements: Level or type of file preparation Staple removal, repair of torn pages, unfolding pages. Identify photos and move to the back of the file. For Patient Folders only create Patient Authenticity Sheets ( Following Pages... placed as Lead Page and Previous Page. placed as last page) for each volume with: Patient s last and first name, full social security number or last 4 and Date of Birth (example: of date of birth 00/00/0000). o All pages within file to be kept in same order for scanning (with exception of photos). Patient identifiers must be added to all pages contained in the folders or any loose documents. The patient identifiers shall be placed preferably in the upper right corner of the page or where it does not cover up parts of the written information that is relevant to the patient s care. The patient identifiers are: o Patient s last and first name (example Record, Kathy or Kathy Record)o Full social security number or last 4 (example: seven or last four numerical only)o Date of Birth (example: of date of birth 00/00/0000). For Patient Folders only the medical section of the folder located on the left side of the folder shall be scanned first in order before pages on the right side of the folder which is the administrative section. o The medical and administrative section shall be scanned in the order placed in the folder.o All other folders that do not have a medical are admirative section shall be scanned in as filed in the folders.Post Scanning Reassembly: Documents shall be placed back in file folders in order they were scanned without re-stapling Return file folder or loose document to its original box with record inventory list Mark completed on medical folder scanned or the loose document scanned or on completed box scannedScanning Requirements: 300 dpi, B/W except photos that will be scanned as color images Entire volume to be scanned as one, multi-page document All pages will be scanned in the same order as in the file Scanned images will be oriented for correct viewing (auto-rotation) All images shall be in black in white unless image to be scanned is in color All color images shall be scanned in color Duplex scanning requires for two sided forms Documents such as scripts shall be attached to a page and scanned All pages shall have the patient identifiers/ inclusive of two-sided forms asspecified above.Image Output Requirements: Multi-page, standard PDF image format Full-text PDF search capability Patient Authenticity Sheets Image (PTF) naming convention: o Record Type: Medical, Dental, Community Living Center, Dialysis, Radiology, Ophthalmology, Agent Orange, Flow Sheets, Administrative and Community Based Outpatient Center (CBOC)o Social security number (full 7 numerical digits)o ROI Request or Non-ROI Request Patient Identifiers shall be on all pages:Turnaround Requirements: Whenever records or boxes are requested the contractor shall deliver it to Durham VA Medical Center s Health Information Management Section. The contractor shall have all Durham VAMC records available 7:00 am to 5:00 p.m. Monday through Friday. Contractor shall provide IOD request within 48 hours for routine request but shall also provide urgent IOD within 3 hours of the request during normal business hours and 4 hours of the request on weekends and holidays. Contractor shall provide documents/record(s)/boxes request(s) within 72 hourson routine requests but shall also provide urgent delivery of record(s)/documents/boxes within 24 hours of the request during normal business hours and 48 hours of the request on weekends and holidays.Complete Image on Demand Destination: Contractor will be required to meet VA approved Federal Information Processing Standards (FIPS) 140-2 transmission protocol for IOD services. Contractor is required to ensure all scanned images released via their FIPS compliant SFTP are secure and encrypted.B. Contractor Requirements:1. The contractor s employees shall provide proof of yearly completion of VAMC s Privacy and Cyber security training.2. Qualifications, licenses and inspection of contractor: The VAMC contracting officer reserves the right to thoroughly inspect and investigate the contractor s facilities and employees qualifications. The Contractor s facilities shall have all the licenses, permits, and certification as required by federal, state, and local authorities. Current copies of these must be provided to the VAMC Contracting Officer upon request.3. Quality Assurance (QA) Program: The contractor must have an effective quality assurance program that monitors the accuracy and timeliness of cataloging records while on VAMC site Center (CBOC) records to their off-site storage facility. The contractor must have an effective quality assurance program that monitorsthe security, accuracy and timeliness of retrieval and delivery of the medical,administrative and CBOC records to their off-site storage facility. The contractor must have an effective quality assurance program that monitorsthe accuracy and turnaround time for scanning medical, administrative and CBOC records. The QA program must also include an assessment of the security of protected health information. Contractor must have a 95% accuracy and timeliness of delivery for record(s),cataloging of records and IOD images to the VAMC. A monthly error rate in excess of 5% shall result in a reduction in payment by that percentage in excess of the 5%. The contractor shall be required to provide the COR with monthly QA report for accuracy and timeliness of delivery for record(s) and IOD images to the VAMC4. The VAMC Contracting Officer (CO) will notify the contractor in writing on an as needed basis of any negative issues concerning the accuracy and timeliness of delivery. The COR will provide CO with written detailed information of any negative issues concerning the accuracy and timeliness of delivery of services outlined in this SOW to all for the contractor to correct discrepancies.5. The contractor shall provide a secure web (Internet) based interface for Durham Medical Center to facilitate requests to retrieve, deliver, file or scan individual document(s), records, boxes or requests for filing. Contractor will allow for requests to retrieve, deliver, file or scan individual document(s), records, boxes or requests for filing to be made either through the web-based system, fax, or telephone.6. Whenever records or boxes are requested the contractor shall deliver it to Durham VA Medical Center s Health Information Management Section.7. Medical and administrative and CBOC records must be available 7:00 am to 5:00 p.m. Monday through Friday. Contractor shall provide IOD request within 24 hours for routine request but shall also provide urgent IOD within 3 hours of therequest during normal business hours and 4 hours of the request on weekends andholidays. Contractor shall provide documents/record(s)/boxes request(s) within 72 hourson routine requests but shall also provide urgent delivery of record(s)/documents/boxes within 24 hours of the request during normal business hours and 48 hours of the request on weekends and holidays.8. Invoices and validating invoices: The contractor shall bill VAMC monthly. The last day of the month shall be the cut off for invoices. Invoices are to be sent to FSC, P.O. Box 149972, Austin, Texas 78714-8971. A daily workload report must be sent to the VAMC COTR which describes the following:a) The daily cost of image on demand (number of images imported into the repository daily.)b) The number of boxes and records retrieved and delivered to VAMC.c) The daily cost of transportation to VAMC.d) The number of records scanned dailye) Daily log of the records scanned on a daily basis including:i. Veteran s nameii. Medical record number9. The contractor shall submit a list of proposed personnel who will be workingon this contract. In addition to providing the credential and resume of identified project manager(s).10. The contractor shall not subcontract to any other contractor.11. The contractor should ensure that records are readily accessible and retrievable immediately upon delivery to the offsite storage facility.12. The contractor will comply with all Federal, State, and Local privacy guidelines to include entering into a Business Associate Agreement with VAMC.13. The contractor may handle all of the responsibilities of destroying the medical, administrative and CBOC boxes in accordance with Record Control Schedule (RCS) 10-1 in a secure manner. COR signature and approval must be obtained prior to the destruction occurring. Destruction method must be delineated and approvedprior to award of the contract. Documentation of the destruction must be sent to the COR for evidence.C. Special RequirementsThe contractor shall provide the following, upon request, as well as provide copies during the term of the contract to the Contracting Officer and COR upon request:1. A mutually agreeable time for pickup and delivery.2. Telephone numbers and contact persons to be utilized by the using services at the Durham VAMC to inquire about and request files/records and loose documents.

3. A narrative description of the contractor s quality assurance program.4. The Contractor shall maintain acceptable services, reporting systems and quality controls as specified herein. Failure to comply with the specified terms and conditions and/or failure to perform satisfactorily may be grounds for termination of the contract.5. A monthly error rate in excess of 5% shall result in a reduction in payment by that percentage in excess of the 5%.6. Contractor will be required to have an NARA certified record storage facility. a. Contractor shall meet National Archives and Records Administration Record Standards (NARA) 36 CFR 1234 storage standards.7. Contractor will be required to have an existing Federal Information Processing Standard (FIPS) 140-2 transmission protocol in place for IOD services and be able to provide evidence of such. a. Contractor will be required to meet VA approved Federal Information Processing Standard (FIPS) 140-2 transmission protocol for IOD services.D. QA Requirements:Review of paper versus images utilizing a statistically valid sampling model adhering to the ANSI/ASQC (American National Standards Institute/American Society for Quality Control) standard Z1.4 at a 1.0 AQL (acceptable quality level) whichassures 99% accuracy.E. Completed Image Destination:Ultimate destination is for import into VA s imaging system VISTA imaging within VA s CPRS system.Upon completion of quality control processes, images are released, encrypted and delivered to contractor s custom developed FIPS compliant Secure File TransferProtocol (SFTP) site electronically and securely for download by the VA and subsequent import into VISTA.Hours of Operation:For information, normal working (peak) hours at the VA Medical Center are from 8:00 AM through 4:30PM, Monday through Friday, excluding Federal Holidays. Thereare ten (10) holidays observed by the Federal Government, which are: New Year sDay, Dr. Martin Luther King Jr. Birthday, President s Day, Memorial Day, Independence Day, Labor Day, Columbus Day, Veterans Day, Thanksgiving, Christmas and any other day specifically declared by the President of the United States to be aFederal Holiday. Non- peak hours at the VA Medical Center are from 4:30PM through 8:00AM, Monday through Friday and all day Saturday & Sunday.VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE FOR INCLUSION INTO CONTRACTS, AS APPROPRIATE1. GENERALContractors, contractor personnel, subcontractors, and subcontractor personnel shall besubject to the same Federal laws, regulations, standards, and VA Directives andHandbooks as VA and VA personnel regarding information and information system security.2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMSa. A contractor/subcontractor shall request logical (technical) or physical access to VAinformation and VA information systems for their employees, subcontractors, andaffiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.b. All contractors, subcontractors, and third-party servicers and associates working withVA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710,Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.c. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.d. Custom software development and outsourced operations must be located in theU.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail asecurity plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.e. The contractor or subcontractor must notify the Contracting Officer immediately whenan employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.3. VA INFORMATION CUSTODIAL LANGUAGEa. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).b. VA information should not be co-mingled, if possible, with any other data onthecontractors/subcontractor s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA s information is returned to the VA or destroyed in accordance with VA s sanitization requirements. VA reserves the right to conduct on site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.c. Prior to termination or completion of this contract, contractor/subcontractor must notdestroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA.Any data destruction done on behalf of VA by a contractor/subcontractor must bedone in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and itsHandbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.d. The contractor/subcontractor must receive, gather, store, back up, maintain,use,disclose and dispose of VA information only in compliance with the terms of thecontract and applicable Federal and VA information confidentiality and securitylaws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.e. The contractor/subcontractor shall not make copies of VA information except asauthorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.f. If VA determines that the contractor has violated any of the information confidentiality,privacy, and security provisions of the contract, it shall be sufficient grounds for VA to with hold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation(FAR) part 12.g. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01,Business Associate Agreements. Absent an agreement to use or disclose protectedhealth information, there is no business associate relationship.h. The contractor/subcontractor must store, transport, or transmit VA sensitiveinformation in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.i. The contractor/subcontractor s firewall and Web services security controls, if applicable, shall meet or exceed VA s minimum requirements. VA Configuration Guidelines are available upon request.j. Except for uses and disclosures of VA information authorized by this contract forperformance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medicalquality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.l. For service that involves the storage, generating, transmitting, or exchanging of VAsensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR.4. INFORMATION SYSTEM DESIGN AND DEVELOPMENTa. Information systems that are designed or developed for or on behalf of VA atnon-VAfacilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VAInformation Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COTR, and approved by the VAPrivacy Service in accordance with Directive 6507, VA Privacy Impact Assessment.

b. The contractor/subcontractor shall certify to the COTR that applications arefullyfunctional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC), and the common security configuration guidelines provided by NIST or the VA. This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista) and future versions, as required.c. The standard installation, operation, maintenance, updating, and patching ofsoftwareshall not alter the configuration settings from the VA approved and FDCC configuration.Information technology staff must also use the Windows Installer Service for installation to the default program files directory and silently install and uninstall.d. Applications designed for normal end users shall run in the standard user contextwithout elevated system administration privileges.e. The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, VA Handbook 6500, Information Security Program and VA Handbook 6500.5, Incorporating Security and Privacyin System Development Lifecycle.f. The contractor/subcontractor is required to design, develop, or operate a System of Records Notice (SOR) on individuals to accomplish an agency function subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.g. The contractor/subcontractor agrees to:(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulationsissued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies:(a) The Systems of Records (SOR); and(b) The design, development, or operation work that the contractor/subcontractor is toperform;(2) Include the Privacy Act notification contained in this contract in every solicitation andresulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a SOR on individuals that is subject to the Privacy Act;and (3) Include this Privacy Act clause, including this subparagraph (3), in all subcontractsawarded under this contract which requires the design, development, or operation of such a SOR.h. In the event of violations of the Act, a civil action may be brought againstthe agencyinvolved when the violation concerns the design, development, or operation of aSOR on individuals to accomplish an agency function, and criminal penalties maybe imposed upon the officers or employees of the agency when the violation concerns the operation of a SOR on individuals to accomplish an agency function. Forpurposes of the Act, when the contract is for the operation of a SOR on individuals to accomplish an agency function, the contractor/subcontractor is considered to be an employee of the agency.(1) Operation of a System of Records means performance of any of the activitiesassociated with maintaining the SOR, including the collection, use, maintenance, anddissemination of records.(2) Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and contains the person s name, or identifying number, symbol, or any other identifying information assigned to the individual, such as a fingerprint or voiceprint, or a photograph.(3) System of Records means a group of any records under the control of any agencyfrom which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying information assigned to the individual.i. The vendor shall ensure the security of all procured or developed systems andtechnologies, including their subcomponents (hereinafter referred to as Systems ), throughout the life of this contract and any extension, warranty, or maintenance periods. This includes, but is not limited to workarounds, patches, hotfixes, upgrades, and any physical components (hereafter referred to as Security Fixes) which may be necessary to fix all security vulnerabilities published or known to the vendor anywhere in the Systems, including Operating Systems and firmware. The vendor shall ensure that Security Fixes shall not negatively impact the Systems.j. The vendor shall notify VA within 24 hours of the discovery or disclosure ofsuccessfulexploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, but in no event longer than 30 days unless otherwise specified by the COR or contracting officer.k. When the Security Fixes involve installing third party patches (such as Microsoft OSpatches or Adobe Acrobat), the vendor will provide written notice to the VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems,they shall apply the Security Fixes within 30 days unless otherwise specified by the COR or contracting officer.l. All other vulnerabilities shall be remediated as specified in this paragraphin a timelymanner based on risk, but within 60 days of discovery or disclosure. Exceptionsto thisparagraph (e.g. for the convenience of VA) shall only be granted with approval of thecontracting officer and the VA Assistant Secretary for Office of Information and Technology.5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USEa. For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors/subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor s security control procedures must be equivalent, to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COTR and approved by VA Privacy Service prior to operational approval. All external Internet connections to VA s network involving VA information must be reviewed and approved by VA prior to implementation.b. Adequate security controls for collecting, processing, transmitting, and storing of Personally Identifiable Information (PII), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls are to be assessed and stated within the PIA and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.c. Outsourcing (contractor facility, contractor equipment or contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (authorization) (C&A) of the contractor s systems in accordance with VA Handbook 6500.3, Certification and Accreditation and/or the VA OCS Certification Program Office. Government-owned (government facility or government equipment) contractor-operated systems, third party or business partner networks require memorandums of understanding and interconnection agreements (MOU-ISA) which detail what data types are shared, who has access, and the appropriate level of security controls for all systems connected to VA networks.d. The contractor/subcontractor s system must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and reviewand update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the ISO for entry into VA s POA&M management process. The contractor/subcontractor must use VA s POA&M process to documentplanned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the government. Contractor/subcontractor procedures are subject to periodic, unannounced assessments by VA officials, including the VA Office of Inspector General. The physical security aspects associated with contractor/subcontractor activities must also be subject to such assessments. If major changes to the system occur that may affect the privacy or security of the data or the system, the C&A of the system may need to bereviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing and updating all of the documentation (PIA, System Security Plan, Contingency Plan). The Certification Program Office can provide guidance on whether anew C&A would be necessary.e. The contractor/subcontractor must conduct an annual self assessment on all systemsand outsourced services as required. Both hard copy and electronic copies of the assessment must be provided to the COTR. The government reserves the right to conduct such an assessment using government personnel or another contractor/subcontractor. The contractor/subcontractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any weaknesses discovered during such testing, generally at no additional cost.f. VA prohibits the installation and use of personally-owned or contractor/subcontract or owned equipment or software on VA s network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW or contract. All of the security controls required forgovernment furnished equipment (GFE) must be utilized in approved otherequipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV) software and apersonal (host-based or enclave based) firewall that is configured with a VA approved configuration. Software must be kept current, including all critical updates and patches. Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE.g. All electronic storage media used on non-VA leased or non-VA owned IT equipmentthat is used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the contract or (ii) disposal or return of the IT equipmentby the contractor/subcontractor or any person acting on behalf of the contractor/subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the contractors/subcontractors that contain VA information must be returned to the VA for sanitization or destruction or the contractor/subcontractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract.h. Bio-Medical devices and other equipment or systems containing media (hard drives,optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:(1) Vendor must accept the system without the drive;(2) VA s initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or(3) VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.(4) Due to the highly specialized and sometimes proprietary hardware and softwareassociated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then;(a) The equipment vendor must have an existing BAA if the device being traded in hassensitive information stored on it and hard drive(s) from the system are being returnedphysically intact; and(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approvedand validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.(c) A statement needs to be signed by the Director (System Owner) that states that thedrive could not be removed and that (a) and (b) controls above are in place andcompleted. The ISO needs to maintain the documentation.6. SECURITY INCIDENT INVESTIGATIONa. The term security incident means an event that has, or could have, resulted inunauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.b. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.c. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.d. In instances of theft or break-in or other criminal activity, the contractor/subcontractormust concurrently report the incident to the appropriate law enforcement entity(or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employeesshall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in anycivil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.7. LIQUIDATED DAMAGES FOR DATA BREACHa. Consistent with the requirements of 38 U.S.C. ยง5725, a contract may requireaccess to sensitive personal information. If so, the contractor is liable to VAfor liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.b. The contractor/subcontractor shall provide notice to VA of a security incident as setforth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level ofrisk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise ofthe confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemeda material breach and grounds for contract termination.c. Each risk analysis shall address all relevant information concerning the data breach,including the following:(1) Nature of the event (loss, theft, unauthorized access);(2) Description of the event, including:(a) date of occurrence;(b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;(3) Number of individuals affected or potentially affected;(4) Names of individuals or groups affected or potentially affected;(5) Ease of logical data access to the lost, stolen or improperly accessed datain light of the degree of protection for the data, e.g., unencrypted, plain text;(6) Amount of time the data has been out of VA control;(7) The likelihood that the sensitive personal information will or has been compromised(made accessible to and usable by unauthorized persons);(8) Known misuses of data containing sensitive personal information, if any;(9) Assessment of the potential harm to the affected individuals;(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and(11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.d. Based on the determinations of the independent risk analysis, the contractorshall beresponsible for paying to the VA liquidated damages in the amount of $100 per affected individual, unless otherwise specified by contracting officer, to cover the cost of providing credit protection services to affected individuals consisting of the following:(1) Notification;(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;(3) Data breach analysis;(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts andcredit freezes, to assist affected individuals to bring matters to resolution;(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.8. SECURITY CONTROLS COMPLIANCE TESTINGOn a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-day s notice, at the request of the government, the contractor mustfully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conducta security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.9. TRAININGa. All contractor employees and subcontractor employees requiring access to VAinformation and VA information systems shall complete the following before being granted access to VA information and its systems:(1) Sign and acknowledge (either manually or electronically) understanding of andresponsibilities for compliance with the Contractor Rules of Behavior, AppendixE relating to access to VA information and information systems;(2) Successfully complete the VA Cyber Security Awareness and Rules of Behaviortraining and annually complete required security training;(3) Successfully complete the appropriate VA privacy training and annually completerequired privacy training; and(4) Successfully complete any additional cyber security or privacy training, asrequired for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]b. The contractor shall provide to the contracting officer and/or the COTR a copy of thetraining certificates and certification of signing the Contractor Rules of Behavior for eachapplicable employee within 1 week of the initiation of the contract and annually thereafter, as required.c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until the training and documents are complete.

CITE: https://www.fbo.gov/spg/VA/HaVAMC/VAMCCO80220/VA24617Q1839/listing.html