Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF MARCH 11, 2016 FBO #5222
DOCUMENT

V -- Air Ambulance Service contract for FY17 VA Sierra Nevada Health Care System - Attachment

Notice Date
3/9/2016
 
Notice Type
Attachment
 
NAICS
621910 — Ambulance Services
 
Contracting Office
Department of Veterans Affairs;VA Sierra Pacific Network (VISN 21);VA Northern California HealthCare System;5342 Dudley Blvd, Bldg 209;McClellan CA 95652-2609
 
ZIP Code
95652-2609
 
Solicitation Number
VA26116Q0447
 
Response Due
3/31/2016
 
Archive Date
4/30/2016
 
Point of Contact
Jet Flores
 
E-Mail Address
jet.flores@va.gov
 
Small Business Set-Aside
N/A
 
Description
SOURCES SOUGHT SYNOPSIS

The Veterans Administration, SAOW Network Contracting Office (NCO) 21 is issuing this sources sought synopsis as a means of conducting market research to identify parties having an interest in and the resources to support this requirement for providing Air Ambulance (emergent fixed wing) transportation services for the VA Sierra Nevada Health Care System. The result of this market research will contribute to determining the method of procurement. The applicable North American Industry Classification System (NAICS) code assigned to this procurement is 621910.

THERE IS NO SOLICITATION AT THIS TIME. This request for capability information does not constitute a request for proposals; submission of any information in response to this market survey is purely voluntary; the government assumes no financial responsibility for any costs incurred.

If your organization has the potential capacity to perform these contract services, please provide the following information:
1) Organization name, address, email address, Web site address, telephone number, and size and type of ownership for the organization; and
2) Tailored capability statements addressing the particulars of this effort, with appropriate documentation supporting claims of organizational and staff capability. If significant subcontracting or teaming is anticipated in order to deliver technical capability, organizations should address the administrative and management structure of such arrangements.
The government will evaluate market information to ascertain potential market capacity to 1) provide services consistent in scope and scale with those described in this notice and otherwise anticipated; 2) secure and apply the full range of corporate financial, human capital, and technical resources required to successfully perform similar requirements; 3) implement a successful project management plan that includes: compliance with tight program schedules; cost containment; meeting and tracking performance; hiring and retention of key personnel and risk mitigation; and 4) provide services under a performance based service acquisition contract.

BASED ON THE RESPONSES TO THIS SOURCES SOUGHT NOTICE/MARKET RESEARCH, THIS REQUIREMENT MAY BE SET-ASIDE FOR SMALL BUSINESSES OR PROCURED THROUGH FULL AND OPEN COMPETITION, and multiple awards MAY be made. Telephone inquiries will not be accepted or acknowledged, and no feedback or evaluations will be provided to companies regarding their submissions.

Submission Instructions: Interested parties who consider themselves qualified to perform the above-listed services are invited to submit a response to this Sources Sought Notice by March 31, 2016, 3:30PM (PST). All responses under this Sources Sought Notice must be emailed to jet.flores@va.gov. If you have any questions concerning this opportunity please contact: Jet Flores via email at jet.flores@va.gov.

APPENDIX 1: DRAFT Performance Work Statement

CONTRACT PURPOSE: This Performance Work Statement (PWS) defines services to provide Air Ambulance (emergent fixed wing) transportation services under a fixed price Indefinite Delivery Indefinite Quantity (IDIQ) contract for the VA Sierra Nevada Health Care System (VASNHCS). Transportation originates at a medical facility in the local area, and ends at a medical facility outside the local area. The price should include all legs of transportation including ground ambulance to and from respective airports.

DEFINITIONS:
AIR AMBULANCE: Fixed wing aircraft with a compartment that is designed and constructed to afford relative safety and comfort and to avoid aggravation of the patient's condition. The aircraft, compartment, and personnel must meet all applicable federal and state standards for medical air transport.
ALS: Advanced Life Support.
GROUND AMBULANCE: Vehicles for emergency medical care which provide a driver compartment and a patient compartment that will accommodate emergency personnel and patient, equipment and supplies for emergency care at the scene as well as during transport, and two-way radio communication and equipment for light rescue procedures. The ambulance must be designed and constructed to afford relative safety and comfort and to avoid aggravation of the patient's condition.
AOD: Administrative Officer of the Day. This government employee is the administrative officer in charge during other than normal business hours.
BLS: Basic Life Support.
CCT: Critical Care Transport.
CO/Contracting Officer: The person executing this contract on behalf of the Government and the only person authorized to make changes to the contract.
COR/Contracting Officer Representative: Person or persons authorized to act for the Contracting Officer within the limits of his/her authority.
CHIEF, Business Office: Person or persons authorized to act for the Contracting Officer within the limits of his/her authority in the absence of a COR.
FEDERAL HOLIDAYS: New Year's Day, Martin Luther King Jr. Birthday, Presidents Day, Memorial Day, Independence Day, Labor Day, Columbus Day, Veterans Day, Thanksgiving Day, Christmas Day, also any day determined by the President of the United States to be a Federal Holiday.
NORMAL BUSINESS HOURS: Normal business hours are defined as Monday thru Friday, 8:00 a.m. to 4:30 p.m. local time.
TRIP: A trip is defined as the distance, "ONE WAY ONLY," over which a beneficiary will be transported.
For all one-way trips ordered under this contract, the Contractor shall receive the base rate.
POC: Point of contact.

DEMAND: The estimated demand for the Air Ambulance is:
a. Base Year: 125 Trips
b. Option Year One: 130 Trips
c. Option Year Two: 135 Trips
d. Option Year Three: 140 Trips
e. Option Year Four: 145 Trips
Mileage range up to 700 miles per ONE WAY trip.

COMPLIANCE: All work related to this contract must be performed by the Contractor in accordance with all applicable Federal Aviation Administration (FAA), U.S. Department of Transportation, or Occupational Safety and Health Administration (OSHA) regulations, as well as applicable State health and safety regulations, health care accreditation standards (Joint Commission or equivalent accreditation organization) and standard industry practices as defined by the Association of Air Medical Services for air ambulance transportation.

PERSONNEL: The Contractor shall provide the necessary licenses/certificates, competencies, privilege and credentialing in accordance with applicable State(s) and Federal regulation for each employee that will perform services under this contract.

RATE: For all one-way trips ordered under this contract, the Contractor shall receive the base rate as stated in the price/cost schedule. The "BASE RATE" shall constitute full compensation for ONE-WAY trips.

ORDER PLACEMENT: Task orders will be issued by the Network Contracting Office to bulk fund this requirement. Scheduling will be done on an as needed basis. Unit quantities are currently unknown. Each individual task/delivery order will state the estimated unit quantities of supplies and/or services required at time of issuance for the period stated in the task/delivery order. Orders will be placed orally, by facsimile, or by email.
a) All orders placed under this IDIQ must contain the following information:
1. Date of order
2. Contract number and purchase order number
3. Contract line item number and description, quantity, and unit price
4. Delivery or performance schedule
5. Place of delivery or performance
6. Accounting and appropriation data.

SCHEDULING:
1. Authorized VASNHCS personnel will place telephone requests for contract services only with the Contractor's dispatch office. The request for services shall specify the originating point and final destination. Only such travel is authorized and any costs incurred for unauthorized travel, stops, waiting time, etc. shall be the responsibility of the Contractor. Authorized VASNHCS personnel are:
o Benefit Travel Personnel
o Transfer Coordinators
o Administrative Officer of the Day (AOD)
2. For prescheduled pickups, the Contractor shall be required to furnish the ground ambulance within twenty (20) minutes of the prearranged time.
3. For unscheduled pickups, the Contractor agrees to have patient(s) transported to the departing airport, prepared, and airborne within 4 hours after the receipt of order or as agreed between the contractor and the authorized VASNHCS requestor. If the Contractor identifies they cannot furnish the services within the time required, they shall notify the government at the time of scheduling, or as soon as possible.
4. In the event of a contractor "NO-SHOW", the Government reserves the right to obtain the necessary services from another source.
5. The Contractor shall respond to phone calls or messages from the government within 30 minutes.

INSPECTION, QUALITY, AND PERFORMANCE STANDARDS:
1. The Government has the right to inspect the contractor premises, maintenance records of medical equipment and aircraft(s), flight logs, and dispatch records being used for the contracted services. Furthermore, annually the contractor must provide proof of insurance (see paragraph J.4 and Clauses 852.228-71, 852.237-7, and 852.237-70 for further details on insurance requirements) and copies of any licenses for all staff providing services under this contract upon request of the POC (see also paragraph D).
2. The last month of each contract year the Contracting Officer will review contract compliance reports submitted by the POC. The review will employ various monitoring methods, but will specifically include complaints and timeliness.
3. Maintain full compliance with Quality Assurance Surveillance Plan (QASP).

REPORTING RESPONSIBILITIES:
1. The Contractor shall furnish an in-flight medical attendant report of the patient's status to the receiving facility. The report should include:
o Patient's full name and social security number (whenever possible) - if not possible, explain the reasons.
o Time picked up.
o Originating and terminating points.
o Who called (initiator).
o Presenting problem.
o Immediate First Aid Measures (bandages, oxygen, restraints, etc.)
o State of consciousness.
o Blood pressure.
o Pulse.
o Respiration.
o Any other noted symptoms or pertinent information, including vital signs not already described, level of consciousness, drugs administered, and details of therapeutic intervention.
o Any unusual circumstances encountered during the flight, including but not limited to inordinate altitudes flown, turbulence, and times associated with these conditions.

INVOICE PROCEDURES:
1. Invoices shall be submitted (monthly in arrears) no later than fifteen (15) calendar days following the end of the month in which services are rendered. Invoices are to include obligation number, all contract services furnished for the preceding month. Invoices shall specify the patient name, 4 digit patient identifier, date of service, time of pick-up, whether the trip was "pre-scheduled" or "unscheduled", pick-up and delivery point, trip number and separate charges (i.e. toll fee, medications, etc.) per trip for which payment is requested. Separate charges must be itemized. All invoices must include a Health Insurance Claim Form OMB-form-1500 (HCFA).
2. All invoices shall include a fixed base-rate line item & a mileage rate line item. Each line item shall include rate, quantity, description, and line total.
3. Invoices will be reviewed and reconciled with trip tickets and travel logs. Unauthorized charges will be suspended pending investigation. Unauthorized charges are those that are being disputed or have not been pre-approved by authorized VA personnel. A final determination will be made within 30 days after notifying the Contractor of charges being suspended.
4. All invoices rendered by the Contractor to VASNHCS for contract services furnished in accordance with this contract shall be in full. Neither the beneficiary nor any other party shall be required to bear the burden of additional payments, surcharges, tip or other gratuity.
5. Authorized invoices shall be submitted through Tungsten Network (formerly OB10) for payments. Invoicing information can be found at http://www.tungsten-network.com/us/en/veterans-affairs-us/.

LICENSES, CERTIFICATIONS AND INSURANCE:
1. Air Ambulance Pilot - Shall have a valid operator's license in accordance with Federal, State and local government requirements for their place of operation and for the services they perform.
2. EMTs - Shall be certified, licensed or otherwise officially recognized by the local, state or regional government or public entity where the emergency ambulance service is operated or by which it is governed.
3. Ambulance Driver - Shall have a valid operator's or chauffeur's license in accordance with Federal, State and local government requirements for their place of operation, for the services they perform.
4. Contractor - Shall maintain personal liability, automobile liability, and property damage insurance, as prescribed by the laws of the state in which they operate, and in accordance with VAAR 852.228-71, VAAR 852.237-7, and VAAR 852.237-70.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA), PRIVACY RULE, AND SECURITY RULE:
Whereas the Contractor will have access to Business Associate Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) that is subject to protection under regulations issued by the Department of Health and Human Services, as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR Parts 160 and 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule"), and 45 CFR Parts 160 and 164, Subparts A and C, the Security Standard ("Security Rule"); and whereas, Department of Veterans Affairs Veterans Health Administration is a "Covered Entity" as that term is defined in the HIPAA implementing regulations, 45 CFR 160.103, the Contractor shall be required to complete the blanks, sign, date and provide a completed Business Associate Agreement with their quotation (as provided as an attachment to this solicitation). Contractor staff shall sign and follow confidentiality statements as required. The C&A requirements do not apply, and a Security Accreditation Package is not required.

The Contractor shall comply with the Privacy Act, 38 USC 5701 and 38 USC 7332. Any information the Contractor may obtain on personnel and/or patient data as a result of performance of this contract will not at any time be disclosed to third parties or used for the Contractor's own purpose except to the extent allowed by the Privacy Act.

Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA.
This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.
Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

PATIENT PRIVACY AND CONFIDENTIALITY: All "patient papers" transported with the patient are confidential in accordance with HIPAA. Contractor's personnel may review these records for assessment and treatment purposes only. Appropriate administrative and medical information will be provided to the Contractor for patient transport. If the medical record is transported with the patient, it may be used as a source of information if the situation warrants (i.e. emergent care while en route). In all other instances, all documents will remain intact and sealed.

GOVERNMENT'S MINIMUM QUANTITY: The VA attempts to be as accurate as possible when providing estimated quantities; however, actual dollar value quantities may vary from the dollar value quantities as listed in the price schedule. The Government's guaranteed minimum amount to be ordered from this contract is $3,000.00 for the base year and during each option year, if exercised.

SECURITY REQUIREMENTS:
A. Service contractor is expected to perform functions that will require access to VA sensitive information.
In the course of providing services, it will be necessary for the service contractor to view and receive protected health information (PHI) and personally identifiable information (PII).
B. Contracts in which VA sensitive information is accessed by a VA contractor/subcontractor require the following per 38 U.S.C. § 5723 and 5725:
1) A prohibition on unauthorized disclosure: "Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA." See VA Handbook 6500.6, Appendix C, paragraph 3.a.
2) A requirement for data breach notification: Upon discovery of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access, the contractor/subcontractor shall immediately and simultaneously notify the COTR, the designated ISO, and Privacy Officer for the contract. The term 'security incident' means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. See VA Handbook 6500.6, Appendix C, paragraph 6.a.
3) A requirement to pay liquidated damages in the event of a data breach: "In the event of a data breach or privacy incident involving any SPI the contractor processes or maintains under this contract, the contractor shall be liable to VA for liquidated damages for a specified amount per affected individual to cover the cost of providing credit protection services to those individuals." See VA Handbook 6500.6, Appendix C, paragraph 7.a., 7.d.
4) A requirement for annual security/privacy awareness training: "Before being granted access to VA information, all contractor employees and subcontractor employees requiring such access shall complete on an annual basis either (i) the VA security/privacy awareness training (contains VA's security/privacy requirements) within 1 week of the initiation of the contract, or (ii) security awareness training provided or arranged by the contractor that conforms to VA's security/privacy requirements as delineated in the hard copy of the VA security awareness training provided to the contractor. If the contractor provides their own training that conforms to VA's requirements, they will provide the COTR or CC, a yearly report (due annually on the date of the contract initiation) stating that all applicable employees involved in VA's contract have received their annual security/privacy training that meets VA's requirements and the total number of employees trained." See VA Handbook 6500.6, Appendix C, paragraph 9.
5) A requirement to sign VA's Rules of Behavior: "Before being granted access to VA information, all contractor employees and subcontractor employees requiring such access shall sign on an annual basis an acknowledgment that they have read, understand, and agree to abide by VA's Contractor Rules of Behavior which is attached to this contract." See VA Handbook 6500.6, Appendix C, paragraph 9, Appendix D. Note: If the vendor anticipates that the services under the contract will be performed by 10 or more individuals, the Contractor Rules of Behavior may be signed by the vendor's designated representative. The contract must reflect by signing the Rules of Behavior on behalf of the vendor that the designated representative agrees to ensure that all such individuals review and understand the Contractor Rules of Behavior when accessing VA's information.

VA INFORMATION CUSTODIAL LANGUAGE
A. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).
B. VA information should not be co-mingled, if possible, with any other data on the contractor/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
C. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization.
Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
D. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
E. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
F. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.
G. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements.
Absent an agreement to use or disclose protected health information, there is no business associate relationship.
H. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.
I. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.

SECURITY INCIDENT INVESTIGATION
A. The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.
B. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
C. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.
D. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

LIQUIDATED DAMAGES FOR DATA BREACH
A. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.
B. The contractor/subcontractor shall provide notice to VA of a "security incident" as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.
C. Each risk analysis shall address all relevant information concerning the data breach, including the following:
(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including: (a) date of occurrence; (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
(3) Number of individuals affected or potentially affected;
(4) Names of individuals or groups affected or potentially affected;
(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
(6) Amount of time the data has been out of VA control;
(7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
(8) Known misuses of data containing sensitive personal information, if any;
(9) Assessment of the potential harm to the affected individuals;
(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
(11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
D. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

SECURITY CONTROLS COMPLIANCE TESTING
On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-days' notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General.
The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time. TRAINING a. All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: (1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems; (2) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and (3) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document - e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.] b. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. ADDITIONAL SECURITY REQUIREMENTS: The contractor employees shall have access to VA sensitive information and will require routine access to VA Facilities. 
The contractor employees shall intermittent access only and will be escorted by VA employees while at VA Facilities.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/VA/VANCHCS/VANCHCS/VA26116Q0447/listing.html)
 
Document(s)
Attachment
 
File Name: VA261-16-Q-0447 VA261-16-Q-0447.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=2606996&FileName=VA261-16-Q-0447-000.docx)

 
Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
 
Place of Performance
Address: Sierra Nevada Health Care System;975 Kirman Avenue;Reno, NV
Zip Code: 89502
 
Record
SN04044476-W 20160311/160309235420-6b64966455f0a8d825a5d49e042219e9 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
