SOLICITATION NOTICE
65 -- Blanket Purchase Agreement on Radiopharmaceutical (FDA Approval)
- Notice Date
- 3/22/2016
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 325412 (Pharmaceutical Preparation Manufacturing)
- Contracting Office
- Department of the Army, U.S. Army Medical Command, Western Regional Contracting Office, ATTN: MCAA W BLDG 9902, 9902 Lincoln Street, Tacoma, Washington, 98431-1110
- ZIP Code
- 98431-1110
- Solicitation Number
- W81K02-16-T-0053
- Point of Contact
- Angela Dexter, Phone: 3604860708
- E-Mail Address
- angela.a.dexter.civ@mail.mil
- Small Business Set-Aside
- N/A
- Description
- BLANKET PURCHASE AGREEMENT ASFI INFORMATION BELOW: This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotes are being requested and a written solicitation will not be issued. This solicitation W81K02-16-T-0053 of Purchase Request BPAMAMC201603 is issued as a Request for Quote (RFQ). This is a request for quotes on Radiopharmaceutical (FDA Approval) such as Meta-Trace (FDB 91-20 MC), Sodium Fluoride (1-12 MCI) and Sodium Fluoride Calibration (1-12 MCI) products to establish Blanket Purchase Agreements. See attached Blanket Purchase Agreement Scope of Works. The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular (FAC) 2005-87. Simplified Acquisition procedures will be followed. The NAICS Code is 325412, Pharmaceutical Preparation Manufacturing, and the FSC Code is 6505 for Various Radiopharmaceutical (FDA Approved) Products. The following documents MUST be provided when submitting the quote: a. Contractors shall provide the Material Safety Data Sheet (MSDS) on each product. b. Contractors shall provide the pharmacy license number. c. Contractors shall provide the radiopharmaceutical Washington state license number. Interested parties must register in the System for Award Management (SAM), online at http://www.sam/gov. All responsible Contractors shall fill out the attached Blanket Purchase Agreement Scope of Work and provide price listing. The full text of a FAR provision or clause may be accessed electronically at www.farsite.hill.af.mil. The following provisions apply to this acquisition: 52.212-1 Instructions to Offerors-Commercial Items. 52.212-3 Offerors Representations and Certifications-Commercial Items. The following clauses apply to this acquisition: 52.204-7 Central Vendor Registration.
52.212-1 Instructions to Offerors-Commercial Item, 52.212-4 Contract Terms and Conditions Commercial Items; 52.212-5 Deviation Contract Terms and Conditions Required to Implement Statutes or Executive Orders Commercial Items, Addendum to 52.212-1 (Local Provision 5004). The following Addendum to FAR 52.212-4(c) (Local Clause 5003) will also be included in the agreement: UNILATERAL CHANGES 1, 52.223-3 Hazardous Material Identification and Material Safety Data, 52.252-2 Clauses Incorporated by Reference, 52.252-6 Authorized Deviations in Clauses. The Contracting Officer may unilaterally reduce and/or de-obligate any quantities not supplied/performed at the end of the contract period. 2. Unilateral Modifications: The Government may make unilateral modifications considered administrative in nature. The following provisions will be included in the established solicitation: 52.212-1 Instructions to Offerors-Commercial Items; Addendum to 52.212-1 Instructions to Vendors (LOCAL PROVISION 5004); 52.212-2 Evaluation-Commercial Items; Addendum to 52.212-2 Evaluation Criteria; 52.212-3 Offerors Representations and Certifications-Commercial Items. Offerors must complete FAR 52.212-3 Offerors Representations and Certifications-Commercial Items or do so on-line at http://orca.bpn.gov. The following FAR clauses apply to this acquisition: 52.204-7 Central Vendor Registration.
52.212-1 Instructions to Offerors-Commercial Item, 52.212-4 Contract Terms and Conditions Commercial Items; 52.212-5 Deviation Contract Terms and Conditions Required to Implement Statutes or Executive Orders Commercial Items, 52.217-9 Option to Extend the Term of the Contract, 52.219-28 Post Award Small Business Program Representation, 52.232-18 Availability of Funds, 52.232-36 Payment by Third Party; 52.232-39 Unenforceability of Unauthorized Obligation; 52.232-40 Providing Accelerated Payments to Small Business Subcontractors; 52.252-2, Addendum to 52.212-1 (Local Provision 5004). The following Addendum to FAR 52.212-4(c) (Local Clause 5003) will also be included in the award: UNILATERAL CHANGES 1. The Contracting Officer may unilaterally reduce and/or de-obligate any quantities not supplied/performed at the end of the contract period. 2. Unilateral Modifications: The Government may make unilateral modifications considered administrative in nature. Clauses Incorporated by Reference. 52.211-6 Brand Name or Equal, 52.219-6 Notice of Total SB Set-Aside, 52.219-28 Post Award SB Program Representation, 52.222-3 Convict Labor, 52.222-19 Child Labor Cooperation With Authorities And Remedies, 52.222-21 Prohibition of Segregated Facilities, 52.222-26 Equal Opportunity, 52.222-35 Equal Opportunity for Special Disabled Veterans, 52.222-36 Affirmative Action for Workers with Disabilities, 52.222-37 Employment Reports on Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans, 52.222-50 Combating Trafficking in Persons, 52.222-54 Employment Eligibility Verification, 52.223-3 Hazardous Material Identification and Material Safety Data, 52.233-3 Protest After Award; 52.233-4 Applicable Laws for Breach of Contract Claim (Oct 2004); 52.225-13 Restriction on Certain Foreign Purchases, 52.228-5 Insurance-Work on Government Installation, 52.236-9 Protection of Existing Vegetation, Structure, Equipment, Utilities, and Improvement.
The following DFARS clauses apply: 252.203-7000 Requirements Relating to Compensation of Former DOD Officials (Sep 2011); 252.203-7002 Requirement to Inform Employees of Whistleblower Rights (Sep 2013); 252.204-7003 Control of Government Personnel Work Products (Apr 1992); 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; 252.212-7001 Deviation, Contract Terms and Conditions Required to Implement Statutes or Executive Orders Applicable to Defense Acquisitions of Commercial Items; 252.225-7001 Buy American Act and Balance of Payments Program; 252.225-7048 Export Controlled Items; 252.232-7003 Electronic Submission of Payment Requests; 252.244-7000 Subcontracts for Commercial Items and Commercial Components (DOD Contracts) (Jun 2012); 252.247-7023 Transportation of Supplies by Sea; 252.247-7023 with Alt III; 252.232-7010 Levies on Contract Payments; 252.211-7003 Item Identification and Valuation. The full text version of FAR provisions and clauses may be accessed electronically at www.arnet.gov/far. Potential contractors must be registered in the System for Award Management (SAM) to be eligible for award. The SAM internet web site is http://www.sam/gov.

Place of Delivery: Madigan Army Medical Center, Bldg 9040, Fitzsimmons Drive, Tacoma, WA 98431-5000

ALL QUESTIONS SHALL BE SUBMITTED VIA EMAIL.

BLANKET PURCHASE AGREEMENT (BPA) SCOPE OF WORK

(1) AUTHORITY This agreement is established in accordance with FAR 13.303, Blanket Purchase Agreements (BPA). It will be reviewed by the Contracting Officer at least once annually prior to the anniversary of the effective date, and revised to conform to all requirements of Statutes, Executive Orders, or the Federal Acquisition Regulation as updates occur. Any revisions will be incorporated by modification to this BPA.

(2) DESCRIPTION OF AGREEMENT a.
The Contractor shall provide Radiopharmaceutical (FDA Approved) such as Meta-Trace (FDB 91-20 MC), Sodium Fluoride (1-12 MCI) and Sodium Fluoride Calibration (1-12 MCI) products for the Department of Radiology Nuclear Medicine Service at various Madigan Healthcare Systems located in the Western Region. These radiopharmaceutical doses are ordered for a specific patient's treatment, at a specific time during the scheduled appointment at the hospital. Due to the very short shelf life of the radiopharmaceutical products, multiple deliveries may be required during the Department of Radiology Nuclear Medicine Services. The following documents MUST be provided when submitting the agreement: b. Contractor shall provide the Material Safety Data Sheet (MSDS) on each product. c. Contractor shall provide the pharmacy license number. d. Contractor shall provide the radiopharmaceutical Washington state license number. Applicable references: 10 CFR 30: NRC license to provide radio-pharmacy services. 10 CFR 71 and 49 CFR 172, 177 and 178: NRC and DOT transportation of radioactive materials. For information: NRC Radio-Pharmacy license guidance document: http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1556/v13/r1/sr1556v13r1.pdf b. The contractors' submitted product catalog and/or pricing (TO INCLUDE ALL APPLICABLE DISCOUNTS) is incorporated into this Agreement, and all BPA Calls will utilize this pricing. Any updates or changes to the product catalogs or pricing must be approved by the Contracting Officer for incorporation into this Agreement. The BPA holder must allow thirty (30) days for a revised catalog to be incorporated into the Agreement. This agreement shall be in effect for a term of five (5) years, starting on date of Award through five years (dates to be determined at time of award). The Agreement terms and conditions may be renegotiated annually prior to the anniversary of the effective date of the agreement.
Either party may terminate this agreement by giving thirty (30) days written notice. c. BPA calls will be issued by the Joint Base Lewis-McChord Health Contracting Cell (JBLM-HCC) located at 673 Woodland Square Loop, Lacey, WA 98503-1066.

(3) EXTENT OF OBLIGATION a. This Blanket Purchase Agreement (BPA) does not obligate any funds. The Government will be obligated only to the extent that authorized BPA calls are actually made under this agreement. The Department of Radiology Nuclear Medicine Service at the Madigan Army Medical Center, Tacoma, WA, that ordered the radiopharmaceutical products, will be responsible for payment of any obligation via Government Credit Card. b. Purchase Limitation: BPA Call Limit - $150,000.00; BPA Master Dollar Limit = $2,000,000.00 (for the life of Agreement)

(4) ORDERING PROCEDURES a. BPA holders will be awarded BPA Calls UP TO $150,000.00. As requirements occur, the Department of Radiology Nuclear Medicine Service will rotate the various BPA holders for these products, and depending on the availability and delivery time of the products, will schedule deliveries accordingly.

(5) Individuals Authorized to Schedule Deliveries under the BPA a. Each BPA Call will identify the names of the individuals authorized to schedule deliveries under this Agreement. Only authorized Government employees who have been specifically named by the Contracting Officer may schedule deliveries under this agreement. STRICT COMPLIANCE WITH THIS STIPULATION IS IMPERATIVE. b. Each order under this agreement will be assigned a Call number by the Western Regional Contracting Office. Invoices shall reflect BPA number and Call number. Deliveries will be scheduled by the Department of Radiology Nuclear Medicine Service, and a call number will be associated with each delivery. d. Orders will be placed telephonically to: _______________________ or _________________________ referencing Account Number: _____________________.

(6) DELIVERY TICKETS/PACKAGING a.
All deliveries shall contain the following information: a. Name of Supplier b. BPA Number c. Date of Surgery/Procedure d. Itemized list of supplies furnished

(7) SHIPPING: a. All shipping shall be in accordance with the 49 CFR (Code of Federal Regulations), Transportation of Hazardous Waste Materials on Federal Highways regulation. United States Pharmacopeia (USP) 823 Regulatory issues for Radiopharmaceuticals for Positron Emission Tomography (PET). b. Under the Washington Administrative Code (WAC) all products shall be labeled as follows: (a) Standard radiation symbol; (b) the words "caution-radioactive material"; (c) the name of the radiopharmaceutical; (d) the amount of radioactive material contained, in millicuries or microcuries; (e) if a liquid, the volume in milliliters; (f) the requested calibration time for the amount of radioactivity contained; (g) expiration data, if applicable; and (h) specific concentration of radioactivity. The Contractor shall ship directly to the following address (or as stated on each individual BPA Call): Madigan Army Medical Center, Department of Radiology Nuclear Medicine Service, Bldg 9040A (Receiving Section), Fitzsimmons, Tacoma, WA 98431. All items are to be priced (inclusive of all fees, freight, etc.). In most cases, deliveries shall occur within 24 hours of the Department of Radiology Nuclear Medicine Services' patient scheduled appointment. All products shall be delivered at least one hour prior to any scheduled patient appointment or otherwise stated from the department.

(8) INVOICES/PAYMENT: (Government-Wide Purchase Card (GPC)). GPC is a Government-wide commercial purchase card provided by VISA for the purchase/payment of certain supplies and service. a. The Contractor shall submit a separate invoice for each call. The invoice shall include the following information below: a. Name of Supplier b. BPA Number/Call number c. Date of Purchase d. Itemized list of supplies furnished e.
Quantity, unit price, and extension of each item less applicable discounts, if applicable f. Date of delivery or shipment. Note: The contractor shall be responsible for any and all transaction service charges incurred for the acceptance of GPC payment. The contractor shall submit invoice for calls to the attention of the respective ordering individual who will verify material receipt and provide government purchase card (GPC) information for payment purposes. Monthly Report: The Department of Radiology Nuclear Medicine Service shall submit monthly call report to Joint Base Lewis-McChord Health Contracting Cell (JBLM-HCC) no later than the 5th business day following the end of each. b. Contractor shall provide the account number for the treatment facilities (MTF): Madigan Army Medical Center, Department of Radiology Nuclear Medicine Service, Bldg 9040A (Receiving Section), Fitzsimmons, Tacoma, WA 98431

(9) CUSTOMER SERVICE The contractor authorized Sales Representatives for the Medical Treatment Facilities (MTF) are listed below: Madigan Healthcare System Departments (MAMC), _________________________ ________________________ _________________________ Name Phone Email _________________________ ________________________ _________________________ Name Phone Email The Contractor Government Representative is: _________________________ ________________________ _________________________ Name Phone Email The Contractor radiopharmaceuticals products license number: ___________________________________ Contractor license number to manufacture, produce, and/or transfer for distribution of radiopharmaceuticals products ___________________________________ The Contractor Billing/Accounting Representative is: _________________________ ________________________ _________________________ Name Phone Email The Contractor shall ensure that all customer service numbers are updated periodically to the outlying MTF facility and the Contracting Office.
(10) WARRANTY PROVISIONS/RETURNS Return Policy: Due to the nature of the Madigan Army Medical Center Products being procured under this agreement, the contractor shall ensure that all deliverables are in compliance with Madigan and FDA Regulations. The contractor/Sales Representative shall provide a replacement immediately if a deliverable is determined unsatisfactory in accordance with Madigan Standards. Products purchased in a kit or set cannot be returned as individual components. A return evaluation number must be obtained prior to returning any product and should be used on the shipping label and on any correspondence in the package. All returned products shall be credited to the applicable call number and Government Purchase Card ordering account.

(11) PROMOTION The contractor shall not advertise the use of this BPA in such a manner as to state or imply that the medical treatment facilities endorse a product, project, or commercial product line. NOTE: HIPAA-PHI clause is only applicable if representatives of the Contractor are involved in the actual surgeries being performed.

(12) HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (7 July 2014); HCAA Local Clause 5001 - Non-Defense Health Agency (Non-DHA) Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA) In accordance with 45 CFR 164.502(e)(2) and 164.504(e) and paragraph C.3.4.1.3 of DoD 6025.18-R, "DoD Health Information Privacy Regulation," January 24, 2003, this document serves as a BAA between the signatory parties for purposes of the HIPAA and the "HITECH Act" amendments thereof, as implemented by the HIPAA Rules and DoD HIPAA Issuances (both defined below). The parties are a DoD Military Health System (MHS) component, acting as a HIPAA covered entity, and a DoD contractor, acting as a HIPAA business associate. The HIPAA Rules require BAAs between covered entities and business associates.
Implementing this BAA requirement, the applicable DoD HIPAA Issuance (DoD 6025.18-R, paragraph C3.4.1.3) provides that requirements applicable to business associates must be incorporated (or incorporated by reference) into the contract or agreement between the parties. (a) Catchall Definition. Except as provided otherwise in this BAA, the following terms used in this BAA shall have the same meaning as those terms in the DoD HIPAA Rules: Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices (NoPP), Protected Health Information (PHI), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. -Breach means actual or possible loss of control, unauthorized disclosure of or unauthorized access to PHI or other PII (which may include, but is not limited to PHI), where persons other than authorized users gain access or potential access to such information for any purpose other than authorized purposes, where one or more individuals will be adversely affected. The foregoing definition is based on the definition of breach in DoD Privacy Act Issuances as defined herein. -Business Associate shall generally have the same meaning as the term "business associate" in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of Business Associate signatory to this BAA]. -Agreement means this BAA together with the documents and/or other arrangements under which the Business Associate signatory performs services involving access to PHI on behalf of the MHS component signatory to this BAA. -Covered Entity shall generally have the same meaning as the term "covered entity" in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of MHS component signatory to this BAA]. -DHA Privacy Office means the DHA Privacy and Civil Liberties Office. 
The DHA Privacy Office Director is the HIPAA Privacy and Security Officer for DHA, including the National Capital Region Medical Directorate (NCRMD). -DoD HIPAA Issuances means the DoD issuances implementing the HIPAA Rules in the DoD Military Health System (MHS). These issuances are DoD 6025.18-R (2003), DoDI 6025.18 (2009), and DoD 8580.02-R (2007). -DoD Privacy Act Issuances means the DoD issuances implementing the Privacy Act, which are DoDD 5400.11 (2007) and DoD 5400.11-R (2007). -HHS Breach means a breach that satisfies the HIPAA Breach Rule definition of breach in 45 CFR 164.402. -HIPAA Rules means, collectively, the HIPAA Privacy, Security, Breach and Enforcement Rules, issued by the U.S. Department of Health and Human Services (HHS) and codified at 45 CFR Part 160 and Part 164, Subpart E (Privacy), Subpart C (Security), Subpart D (Breach) and Part 160, Subparts C-D (Enforcement), as amended by the 2013 modifications to those Rules, implementing the "HITECH Act" provisions of Pub. L. 111-5. See 78 FR 5566-5702 (Jan. 25, 2013) (with corrections at 78 FR 32464 (June 7, 2013)). Additional HIPAA rules regarding electronic transactions and code sets (45 CFR Part 162) are not addressed in this BAA and are not included in the term HIPAA Rules. -Service-Level Privacy Office means one or more offices within the military services (Army, Navy, or Air Force) with oversight authority over Privacy Act and HIPAA privacy compliance. I. Obligations and Activities of Business Associate (a) The Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement or as required by law. (b) The Business Associate shall use appropriate safeguards, and comply with the DoD HIPAA Rules with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement. 
(c) The Business Associate shall report to Covered Entity any Breach of which it becomes aware, and shall proceed with breach response steps as required by Part V of this BAA. With respect to electronic PHI, the Business Associate shall also respond to any security incident of which it becomes aware in accordance with any Information Assurance provisions of the Agreement. If at any point the Business Associate becomes aware that a security incident involves a Breach, the Business Associate shall immediately initiate breach response as required by Part V of this BAA. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), respectively, as applicable, the Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI. (e) The Business Associate shall make available PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual, as necessary to satisfy the Covered Entity's obligations under 45 CFR 164.524. (f) The Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526. (g) The Business Associate shall maintain and make available the information required to provide an accounting of disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity's obligations under 45 CFR 164.528.
(h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Privacy Rule, the Business Associate shall comply with the requirements of HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and (i) The Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. II. Permitted Uses and Disclosures by Business Associate (a) The Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Agreement or as required by law. The Business Associate is not permitted to de-identify PHI under DoD HIPAA issuances or the corresponding 45 CFR 164.514(a)-(c), nor is it permitted to use or disclose de-identified PHI, except as provided by the Agreement or directed by the Covered Entity. (b) The Business Associate agrees to use, disclose and request PHI only in accordance with the HIPAA Privacy Rule "minimum necessary" standard and corresponding DHA policies and procedures as stated in the DoD HIPAA Issuances. (c) The Business Associate shall not use or disclose PHI in a manner that would violate the DoD HIPAA Issuances or HIPAA Privacy Rules if done by the Covered Entity, except uses and disclosures for the Business Associate's own management and administration and legal responsibilities or for data aggregation services as set forth in the following three paragraphs. (d) Except as otherwise limited in the Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. The foregoing authority to use PHI does not apply to disclosure of PHI, which is covered in the next paragraph. 
(e) Except as otherwise limited in the Agreement, the Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (f) Except as otherwise limited in the Agreement, the Business Associate may use PHI to provide Data Aggregation services relating to the Covered Entity's health care operations. III. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions (a) The Covered Entity shall provide the Business Associate with the notice of privacy practices that the Covered Entity produces in accordance with 45 CFR 164.520 and the corresponding provision of the DoD HIPAA Issuances. (b) The Covered Entity shall notify the Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes affect the Business Associate's use or disclosure of PHI. (c) The Covered Entity shall notify the Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such changes may affect the Business Associate's use or disclosure of PHI. IV. 
Permissible Requests by Covered Entity The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule or any applicable Government regulations (including without limitation, DoD HIPAA Issuances) if done by the Covered Entity, except for providing Data Aggregation services to the Covered Entity and for management and administrative activities of the Business Associate as otherwise permitted by this BAA. V. Breach Response (a) In general. In the event of a breach of PII/PHI held by the Business Associate, the Business Associate shall follow the breach response requirements set forth in this Part V, which is designed to satisfy both the Privacy Act and HIPAA as applicable. If a breach involves PII without PHI, then the Business Associate shall comply with DoD Privacy Act Issuance breach response requirements only; if a breach involves PHI (a subset of PII), then the Business Associate shall comply with both Privacy Act and HIPAA breach response requirements. A breach involving PHI may or may not constitute an HHS Breach. If a breach is not an HHS Breach, then the Business Associate has no HIPAA breach response obligations. In such cases, the Business Associate must still comply with breach response requirements under the DoD Privacy Act Issuances. If the DHA Privacy Office determines that a breach is an HHS Breach, then the Business Associate shall comply with both the HIPAA Breach Rule and DoD Privacy Act Issuances, as directed by the DHA Privacy Office, regardless of whether the breach occurs at DHA or at one of the Service components. If the DHA Privacy Office determines that the breach does not constitute an HHS Breach, then the Business Associate shall comply with DoD Privacy Act Issuances, as directed by the applicable Service-Level Privacy Office. The Business Associate shall contact the Covered Entity for guidance when the incident is not an HHS Breach. 
This Part V is designed to satisfy the DoD Privacy Act Issuances and the HIPAA Breach Rule as implemented by the DoD HIPAA Issuances. In general, for breach response, the Business Associate shall report the breach to the Covered Entity, assess the breach incident, notify affected individuals, and take mitigation actions as applicable. Because DoD defines "breach" to include possible (suspected) as well as actual (confirmed) breaches, the Business Associate shall implement these breach response requirements immediately upon the Business Associate's discovery of a possible breach. (b) Government Reporting Provisions The Business Associate shall report the breach within one hour of discovery to the Covered Entity and to the US Computer Emergency Readiness Team (US CERT) -the other parties as deemed appropriate by the Covered Entity. The Business Associate is deemed to have discovered a breach as of the time a breach (suspected or confirmed) is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing it) who is an employee, officer or other agent of the Business Associate. The Business Associate shall submit the US-CERT report using the online form at https://forms.us-cert.gov/report/. Before submission to US-CERT, the Business Associate shall save a copy of the on-line report. After submission, the Business Associate shall record the US-CERT Reporting Number. Although only limited information about the breach may be available as of the one hour deadline for submission, the Business Associate shall submit the US-CERT report by the deadline. The Business Associate shall e-mail updated information as it is obtained, following the instructions at http://www.us-cert.gov/pgp/email.html. The Business Associate shall provide a copy of the initial or updated US-CERT report to the -Covered Entity and the applicable Service-Level Privacy Office, if requested by either. 
Business Associate questions about US-CERT reporting shall be directed to the Covered Entity or Service-Level Privacy Office, not the US-CERT office. The additional US Army and the US Army Medical Command (MEDCOM) reporting requirements are addressed in the PII Breach Reporting and Notification Policy. The latest version of this policy can be obtained from the Covered Entity or the MEDCOM Privacy Act/Freedom of Information Act (FOIA) Office at: usarmy.jbsa.medcom.list.medcom-foia-users@mail.mil. If multiple beneficiaries are affected by a single event or related set of events, then a single reportable breach may be deemed to have occurred, depending on the circumstances. The Business Associate shall inform the Covered Entity as soon as possible if it believes that "single event" breach response is appropriate; the Covered Entity will determine how the Business Associate shall proceed and, if appropriate, consolidate separately reported breaches for purposes of Business Associate report updates, beneficiary notification, and mitigation. When a Breach Report initially submitted is incomplete or incorrect due to unavailable information, or when significant developments require an update, the Business Associate shall submit a revised form or forms, stating the updated status and previous report date(s) and showing any revisions or additions in red text. Examples of updated information the Business Associate shall report include, but are not limited to: confirmation on the exact data elements involved, the root cause of the incident, and any mitigation actions to include, sanctions, training, incident containment, follow-up, etc. The Business Associate shall submit these report updates promptly after the new information becomes available. Prompt reporting of updates is required to allow the Covered Entity to make timely final determinations on any subsequent notifications or reports. 
The Business Associate shall provide updates to the same parties as required for the initial Breach Report. The Business Associate is responsible for reporting all information needed by the Covered Entity to make timely and accurate determinations on reports to HHS as required by the HHS Breach Rule and reports to the Defense Privacy and Civil Liberties Office as required by DoD Privacy Act Issuances. In the event the Business Associate is uncertain on how to apply the above requirements, the Business Associate shall consult with the Covered Entity (or the Service-Level Privacy Office, which will consult with the DHA Privacy Office as appropriate) when determinations on applying the above requirements are needed.
(c) Individual Notification Provisions
If the DHA Privacy Office determines that individual notification is required, the Business Associate shall provide written notification to individuals affected by the breach as soon as possible, but no later than 10 working days after the breach is discovered and the identities of the individuals are ascertained. The 10 day period begins when the Business Associate is able to determine the identities (including addresses) of the individuals whose records were impacted. The Business Associate's proposed notification to be issued to the affected individuals shall be submitted to the parties to which reports are submitted under paragraph V (a) for their review, and for approval by the DHA Privacy Office. Upon request, the Business Associate shall provide the DHA Privacy Office with the final text of the notification letter sent to the affected individuals. If different groups of affected individuals receive different notification letters, then the Business Associate shall provide the text of the letter for each group. (PII shall not be included with the text of the letter(s) provided.) Copies of further correspondence with affected individuals need not be provided unless requested by the Privacy Office.
The Business Associate's notification to the individuals, at a minimum, shall include the following:
- The individual(s) must be advised of what specific data was involved. It is insufficient to simply state that PII has been lost. Where names, Social Security Numbers (SSNs) or truncated SSNs, and Dates of Birth (DOBs) are involved, it is critical to advise the individual that these data elements potentially have been breached.
- The individual(s) must be informed of the facts and circumstances surrounding the breach. The description should be sufficiently detailed so that the individual clearly understands how the breach occurred.
- The individual(s) must be informed of what protective actions the Business Associate is taking or the individual can take to mitigate against potential future harm. The notice must refer the individual to the current Federal Trade Commission (FTC) web site pages on identity theft and the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261.
- The individual(s) must also be informed of any mitigation support services (e.g., one year of free credit monitoring, identification of fraud expense coverage for affected individuals, provision of credit freezes, etc.) that the Business Associate may offer affected individuals, the process to follow to obtain those services and the period of time the services will be made available, and contact information (including a phone number, either direct or toll-free, e-mail address and postal address) for obtaining more information.
Business Associates shall ensure any envelope containing written notifications to affected individuals is clearly labeled to alert the recipient to the importance of its contents, e.g., "Data Breach Information Enclosed," and that the envelope is marked with the identity of the Business Associate and/or subcontractor organization that suffered the breach.
The letter must also include contact information for a designated POC, to include phone number, email address, and postal address. If the Business Associate determines that it cannot readily identify, or will be unable to reach, some affected individuals within the 10 day period after discovering the breach, the Business Associate shall so indicate in the initial or updated Breach Report. Within the 10 day period, the Business Associate shall provide the approved notification to those individuals who can be reached. Other individuals must be notified within 10 days after their identities and addresses are ascertained. The Business Associate shall consult with the DHA Privacy Office, which will determine which media notice is most likely to reach the population not otherwise identified or reached. The Business Associate shall issue a generalized media notice(s) to that population in accordance with Privacy Office approval. The Business Associate shall, at no cost to the government, bear any costs associated with a breach of PII/PHI that the Business Associate has caused or is otherwise responsible for addressing. Breaches are not to be confused with security incidents (often referred to as cyber security incidents when electronic information is involved), which may or may not involve a breach of PII/PHI. In the event of a security incident not involving a PII/PHI breach, the Business Associate shall follow applicable DoD Information Assurance requirements under its Agreement. If at any point the Business Associate finds that a cyber security incident involves a PII/PHI breach (suspected or confirmed), the Business Associate shall immediately initiate the breach response procedures set forth here. The Business Associate shall also continue to follow any required cyber security incident response procedures to the extent needed to address security issues, as determined by DoD/DHA.
VI. Termination
(a) Termination.
Noncompliance by the Business Associate (or any of its staff, agents, or subcontractors) with any requirement in this BAA may subject the Business Associate to termination under any applicable default or other termination provision of the Agreement.
(b) Effect of Termination.
(1) If the Agreement has records management requirements, the Business Associate shall handle such records in accordance with the records management requirements. If the Agreement does not have records management requirements, the records should be handled in accordance with paragraphs (2) and (3) below. If the Agreement has provisions for transfer of records and PII/PHI to a successor Business Associate, or if DHA gives directions for such transfer, the Business Associate shall handle such records and information in accordance with such Agreement provisions or DHA direction.
(2) If the Agreement does not have records management requirements, except as provided in the following paragraph (3), upon termination of the Agreement, for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity that the Business Associate still maintains in any form. This provision shall apply to PHI that is in the possession of subcontractors or agents of the Business Associate. The Business Associate shall retain no copies of the PHI.
(3) If the Agreement does not have records management provisions and the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible.
Upon mutual agreement of the Covered Entity and the Business Associate that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of the Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.
VII. Miscellaneous
(a) Survival. The obligations of Business Associate under the "Effect of Termination" provision of this BAA shall survive the termination of the Agreement.
(b) Interpretation. Any ambiguity in the Agreement shall be resolved in favor of a meaning that permits the Covered Entity and the Business Associate to comply with the HIPAA Rules and the DoD HIPAA Rules.
(End of Clause)
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/USA/MEDCOM/DADA13/W81K02-16-T-0053/listing.html)
- Place of Performance
- Address: Place of Delivery: Madigan Army Medical Center, Bldg 9040 Fitzsimmons Drive, Tacoma, Washington, 98431, United States
- Zip Code: 98431
- Record
- SN04058434-W 20160324/160323000633-ed321baaebc73816ef2fd799ce3e45cf (fbodaily.com)