Loren Data's SAM Daily™

fbodaily.com
FBO DAILY - FEDBIZOPPS ISSUE OF JULY 29, 2017 FBO #5727
SOLICITATION NOTICE

Q -- Cardiology Services

Notice Date
7/27/2017
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
621498 — All Other Outpatient Care Centers
 
Contracting Office
Department of the Army, U.S. Army Medical Command, REGIONAL HEALTH CONTRACT OFF CENTRAL, ATTN: MCAA GP L31 9V, 2539 GARDEN AVENUE, JBSA FT SAM HOUSTON, Texas, 78234-0000, United States
 
ZIP Code
78234-0000
 
Solicitation Number
W81K00-17-T-0358
 
Archive Date
8/18/2017
 
Point of Contact
Emerita Torres, Phone: 2102215187
 
E-Mail Address
emerita.torres.civ@mail.mil
 
Small Business Set-Aside
N/A
 
Description
This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in FAR Subpart 12.6 and FAR Part 13 Simplified Acquisition Procedures, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotes are being requested and a written solicitation will not be issued. The solicitation number is W81K00-17-T-0358 and is issued as a Request for Quote (RFQ). This solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-68 and Defense Federal Acquisition Regulation Supplement Publication Notice (DPN) 20130710. This solicitation is for Cardiology Testing Services for Dugway Proving Ground, Tooele Army Depot and Evans Army Community Hospital, Fort Carson, Colorado. The period of performance is 1 October 2017 - 30 September 2018, plus four (4) 12 month option periods. The associated North American Industrial Classification System (NAICS) code for this procurement is 621498, with a size standard of $20,500,000.00. This procurement is being conducted as Unrestricted. All eligible businesses may submit an offer, which will be considered. Offers are due by 3 August 2017, at 10:00 PM, Central Standard Time. The point of contact is Ms. Emerita Torres at (210) 221-5187 or emerita.torres.civ@mail.mil. Offers shall be submitted via e-mail. Questions shall be submitted via e-mail not later than 1 August 2017. No questions will be entertained after this date.

ITEM NO / SUPPLIES/SERVICES / QUANTITY / UNIT / UNIT PRICE / AMOUNT

ITEM NO 0001
CARDIOLOGY SERVICES BASE YEAR
FFP
Provide non-personal services: Provide Specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot personnel. Pricing must reflect 15 "Full Bruce Protocol Exercise Treadmill Test" and 5 "Nuclear stress Testing" per year. The contractor shall evaluate test data/imaging and provide a detailed evaluation report. The resulting report will be completed and sent to the referring Army physician. Bidder must submit their quote in accordance with Addendum 52.212-2.

ITEM NO 0002
CONTRACT MANPOWER REPORT

ITEM NO 1001 (OPTION)
QUANTITY: 1   UNIT: Years
CARDIOLOGY SERVICES Option 1
FFP
Provide Specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot personnel. Pricing must reflect 15 Full Bruce Protocol Exercise Treadmill Test and 5 Nuclear stress Testing per year.

ITEM NO 1002 (OPTION)
QUANTITY: 1   UNIT: Years
CONTRACT MANPOWER REPORT
FFP
CONTRACT MANPOWER REPORT

ITEM NO 2001 (OPTION)
QUANTITY: 1   UNIT: Years
CARDIOLOGY SERVICES Option 2
FFP
Provide Specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot personnel. Pricing must reflect 15 Full Bruce Protocol Exercise Treadmill Test and 5 Nuclear stress Testing per year.

ITEM NO 2002 (OPTION)
QUANTITY: 1   UNIT: Years
CONTRACT MANPOWER REPORT
FFP
CONTRACT MANPOWER REPORT

ITEM NO 3001 (OPTION)
QUANTITY: 1   UNIT: Years
CARDIOLOGY SERVICES Option 3
FFP
Provide Specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot personnel. Pricing must reflect 15 Full Bruce Protocol Exercise Treadmill Test and 5 Nuclear stress Testing per year.

ITEM NO 3002 (OPTION)
QUANTITY: 1   UNIT: Years
CONTRACT MANPOWER REPORT
FFP
CONTRACT MANPOWER REPORT

ITEM NO 4001 (OPTION)
QUANTITY: 1   UNIT: Years
CARDIOLOGY SERVICES Option 4
FFP
Provide Specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot personnel. Pricing must reflect 15 Full Bruce Protocol Exercise Treadmill Test and 5 Nuclear stress Testing per year.

ITEM NO 4002 (OPTION)
QUANTITY: 1   UNIT: Years
CONTRACT MANPOWER REPORT
FFP
CONTRACT MANPOWER REPORT

WORKLOAD ESTIMATE

TEST                                              ESTIMATED NUMBER TESTS   Pricing Per each Test
Full Bruce Protocol Exercise Treadmill Test (1)   15                       Base year       $______
*Nuclear stress Testing (2)                       5                        Base year       $______
Full Bruce Protocol Exercise Treadmill Test (1)   15                       Option year 1   $______
*Nuclear stress Testing (2)                       5                        Option year 1   $______
Full Bruce Protocol Exercise Treadmill Test (1)   15                       Option year 2   $______
*Nuclear stress Testing (2)                       5                        Option year 2   $______
Full Bruce Protocol Exercise Treadmill Test (1)   15                       Option year 3   $______
*Nuclear stress Testing (2)                       5                        Option year 3   $______
Full Bruce Protocol Exercise Treadmill Test (1)   15                       Option year 4   $______
*Nuclear stress Testing (2)                       5                        Option year 4   $______

*e.g. Lexiscan Cardiolite SPECT stress and REST myocardial perfusion scan with left ventricular ejection fraction and wall motion assessment
CPT Codes: 1 - 93015; 2 - 78451

DELIVERY INFORMATION

CLIN   DELIVERY DATE                    QUANTITY   SHIP TO ADDRESS                                                                              DODAAC
0001   POP 01-OCT-2017 TO 30-SEP-2018   N/A        DUGWAY PROVING GROUNDS DUGWAY PROVING GROUNDS 5116 KISTER DUGWAY UT 84022 FOB: Destination   W51HQT
0002   POP 01-OCT-2017 TO 30-SEP-2018   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
1001   POP 01-OCT-2018 TO 30-SEP-2019   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
1002   POP 01-OCT-2018 TO 30-SEP-2019   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
2001   POP 01-OCT-2019 TO 30-SEP-2020   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
2002   POP 01-OCT-2019 TO 30-SEP-2020   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
3001   POP 01-OCT-2020 TO 30-SEP-2021   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
3002   POP 01-OCT-2020 TO 30-SEP-2021   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
4001   POP 01-OCT-2021 TO 30-SEP-2022   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT
4002   POP 01-OCT-2021 TO 30-SEP-2022   N/A        (SAME AS PREVIOUS LOCATION) FOB: Destination                                                 W51HQT

CLAUSES INCORPORATED BY REFERENCE
52.212-4   Contract Terms and Conditions--Commercial Items   JAN 2017

ADDENDUM TO 52.212-4
(w) The non-FAR Part 12 discretionary FAR, DFARS, AFARS, and LOCAL clauses included herein are incorporated into this contract either by reference or in full text. If incorporated by reference, see clause 52.252-2 herein for locations where full text can be found.
(End of Clause)
CLAUSES INCORPORATED BY REFERENCE
52.204-10   Reporting Executive Compensation and First-Tier Subcontract Awards   OCT 2016
52.209-6   Protecting the Government's Interest When Subcontracting With Contractors Debarred, Suspended, or Proposed for Debarment   OCT 2015
52.222-3   Convict Labor   JUN 2003
52.222-19   Child Labor -- Cooperation with Authorities and Remedies   OCT 2016
52.222-21   Prohibition Of Segregated Facilities   APR 2015
52.222-26   Equal Opportunity   SEP 2016
52.222-36   Equal Opportunity for Workers with Disabilities   JUL 2014
52.222-50   Combating Trafficking in Persons   MAR 2015
52.223-18   Encouraging Contractor Policies To Ban Text Messaging While Driving   AUG 2011
52.225-13   Restrictions on Certain Foreign Purchases   JUN 2008
52.232-33   Payment by Electronic Funds Transfer--System for Award Management   JUL 2013
52.232-39   Unenforceability of Unauthorized Obligations   JUN 2013
52.233-3   Protest After Award   AUG 1996
52.233-4   Applicable Law for Breach of Contract Claim   OCT 2004
252.203-7000   Requirements Relating to Compensation of Former DoD Officials   SEP 2011
252.203-7002   Requirement to Inform Employees of Whistleblower Rights   SEP 2013
252.204-7003   Control Of Government Personnel Work Product   APR 1992
252.225-7048   Export-Controlled Items   JUN 2013
252.232-7003   Electronic Submission of Payment Requests and Receiving Reports   JUN 2012
252.232-7010   Levies on Contract Payments   DEC 2006
CLAUSES INCORPORATED BY FULL TEXT
52.209-10 Prohibition on Contracting With Inverted Domestic Corporations. (NOV 2015)
(a) Definitions. As used in this clause--
Inverted domestic corporation means a foreign incorporated entity that meets the definition of an inverted domestic corporation under 6 U.S.C. 395(b), applied in accordance with the rules and definitions of 6 U.S.C. 395(c).
Subsidiary means an entity in which more than 50 percent of the entity is owned--
(1) Directly by a parent corporation; or
(2) Through another subsidiary of a parent corporation.
(b) If the contractor reorganizes as an inverted domestic corporation or becomes a subsidiary of an inverted domestic corporation at any time during the period of performance of this contract, the Government may be prohibited from paying for Contractor activities performed after the date when it becomes an inverted domestic corporation or subsidiary. The Government may seek any available remedies in the event the Contractor fails to perform in accordance with the terms and conditions of the contract as a result of Government action under this clause.
(c) Exceptions to this prohibition are located at 9.108-2.
(d) In the event the Contractor becomes either an inverted domestic corporation, or a subsidiary of an inverted domestic corporation during contract performance, the Contractor shall give written notice to the Contracting Officer within five business days from the date of the inversion event.
(End of clause)
CLAUSES INCORPORATED BY FULL TEXT
52.217-8 OPTION TO EXTEND SERVICES (NOV 1999)
The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 30 Days.
(End of clause)
CLAUSES INCORPORATED BY FULL TEXT
52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within 30; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 60 months.
(End of clause)
CLAUSES INCORPORATED BY FULL TEXT
52.219-28 POST-AWARD SMALL BUSINESS PROGRAM REREPRESENTATION (JULY 2013)
(a) Definitions. As used in this clause--
Long-term contract means a contract of more than five years in duration, including options. However, the term does not include contracts that exceed five years in duration because the period of performance has been extended for a cumulative period not to exceed six months under the clause at 52.217-8, Option to Extend Services, or other appropriate authority.
Small business concern means a concern, including its affiliates, that is independently owned and operated, not dominant in the field of operation in which it is bidding on Government contracts, and qualified as a small business under the criteria in 13 CFR part 121 and the size standard in paragraph (c) of this clause. Such a concern is "not dominant in its field of operation" when it does not exercise a controlling or major influence on a national basis in a kind of business activity in which a number of business concerns are primarily engaged. In determining whether dominance exists, consideration shall be given to all appropriate factors, including volume of business, number of employees, financial resources, competitive status or position, ownership or control of materials, processes, patents, license agreements, facilities, sales territory, and nature of business activity.
(b) If the Contractor represented that it was a small business concern prior to award of this contract, the Contractor shall rerepresent its size status according to paragraph (e) of this clause or, if applicable, paragraph (g) of this clause, upon the occurrence of any of the following:
(1) Within 30 days after execution of a novation agreement or within 30 days after modification of the contract to include this clause, if the novation agreement was executed prior to inclusion of this clause in the contract.
(2) Within 30 days after a merger or acquisition that does not require a novation or within 30 days after modification of the contract to include this clause, if the merger or acquisition occurred prior to inclusion of this clause in the contract.
(3) For long-term contracts--
(i) Within 60 to 120 days prior to the end of the fifth year of the contract; and
(ii) Within 60 to 120 days prior to the date specified in the contract for exercising any option thereafter.
(c) The Contractor shall rerepresent its size status in accordance with the size standard in effect at the time of this rerepresentation that corresponds to the North American Industry Classification System (NAICS) code assigned to this contract. The small business size standard corresponding to this NAICS code can be found at http://www.sba.gov/content/table-small-business-size-standards.
(d) The small business size standard for a Contractor providing a product which it does not manufacture itself, for a contract other than a construction or service contract, is 500 employees.
(e) Except as provided in paragraph (g) of this clause, the Contractor shall make the representation required by paragraph (b) of this clause by validating or updating all its representations in the Representations and Certifications section of the System for Award Management (SAM) and its other data in SAM, as necessary, to ensure that they reflect the Contractor's current status.
The Contractor shall notify the contracting office in writing within the timeframes specified in paragraph (b) of this clause that the data have been validated or updated, and provide the date of the validation or update.
(f) If the Contractor represented that it was other than a small business concern prior to award of this contract, the Contractor may, but is not required to, take the actions required by paragraphs (e) or (g) of this clause.
(g) If the Contractor does not have representations and certifications in SAM, or does not have a representation in SAM for the NAICS code applicable to this contract, the Contractor is required to complete the following rerepresentation and submit it to the contracting office, along with the contract number and the date on which the rerepresentation was completed:
The Contractor represents that it ( ) is, ( X ) is not a small business concern under NAICS Code 621498- assigned to contract number.
(End of clause)
52.237-7 INDEMNIFICATION AND MEDICAL LIABILITY INSURANCE (JAN 1997)
(a) It is expressly agreed and understood that this is a nonpersonal services contract, as defined in Federal Acquisition Regulation (FAR) 37.101, under which the professional services rendered by the Contractor are rendered in its capacity as an independent contractor. The Government may evaluate the quality of professional and administrative services provided, but retains no control over professional aspects of the services rendered, including by example, the Contractor's professional medical judgment, diagnosis, or specific medical treatments. The Contractor shall be solely liable for and expressly agrees to indemnify the Government with respect to any liability producing acts or omissions by it or by its employees or agents.
The Contractor shall maintain during the term of this contract liability insurance issued by a responsible insurance carrier of not less than the following amount(s) per specialty per occurrence: $1 million / $3 million
(b) An apparently successful offeror, upon request by the Contracting Officer, shall furnish prior to contract award evidence of its insurability concerning the medical liability insurance required by paragraph (a) of this clause.
(c) Liability insurance may be on either an occurrences basis or on a claims-made basis. If the policy is on a claims-made basis, an extended reporting endorsement (tail) for a period of not less than 3 years after the end of the contract term must also be provided.
(d) Evidence of insurance documenting the required coverage for each health care provider who will perform under this contract shall be provided to the Contracting Officer prior to the commencement of services under this contract. If the insurance is on a claims-made basis and evidence of an extended reporting endorsement is not provided prior to the commencement of services, evidence of such endorsement shall be provided to the Contracting Officer prior to the expiration of this contract. Final payment under this contract shall be withheld until evidence of the extended reporting endorsement is provided to the Contracting Officer.
(e) The policies evidencing required insurance shall also contain an endorsement to the effect that any cancellation or material change adversely affecting the Government's interest shall not be effective until 30 days after the insurer or the Contractor gives written notice to the Contracting Officer.
If, during the performance period of the contract the Contractor changes insurance providers, the Contractor must provide evidence that the Government will be indemnified to the limits specified in paragraph (a) of this clause, for the entire period of the contract, either under the new policy, or a combination of old and new policies.
(f) The Contractor shall insert the substance of this clause, including this paragraph (f), in all subcontracts under this contract for health care services and shall require such subcontractors to provide evidence of and maintain insurance in accordance with paragraph (a) of this clause. At least 5 days before the commencement of work by any subcontractor, the Contractor shall furnish to the Contracting Officer evidence of such insurance.
$1 million and an excess capacity of up to $50 million
Contracting Officer insert the dollar value(s) of standard coverage(s) prevailing within the local community as to the specific medical specialty, or specialties, concerned, or such higher amount as the Contracting Officer deems necessary to protect the Government's interests.
(End of clause)
52.252-2 CLAUSES INCORPORATED BY REFERENCE (FEB 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): http://farsite.hill.af.mil
(End of clause)
52.252-6 AUTHORIZED DEVIATIONS IN CLAUSES (APR 1984)
(a) The use in this solicitation or contract of any Federal Acquisition Regulation (48 CFR Chapter 1) clause with an authorized deviation is indicated by the addition of "(DEVIATION)" after the date of the clause.
(b) The use in this solicitation or contract of any DOD FAR SUPPLEMENT (48 CFR CHAPTER 2) clause with an authorized deviation is indicated by the addition of "(DEVIATION)" after the name of the regulation.
(End of clause)
252.204-7012 SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (OCT 2016)
(a) Definitions. As used in this clause--
Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
Contractor attributional/proprietary information means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
Covered contractor information system means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
Covered defense information means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is--
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Forensic analysis means the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Malicious software means computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware.
Media means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.
Operationally critical support means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
Rapidly report means within 72 hours of discovery of any cyber incident.
Technical information means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data--Noncommercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
(1) For covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract.
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.
(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
(B) The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.
(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(3) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
(c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall--
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts.
This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil.
(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx.
(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis.
Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.
(h) DoD safeguarding and use of contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the contractor (or derived from information obtained from the contractor) under this clause that includes contractor attributional/proprietary information, including such information submitted in accordance with paragraph (c). To the maximum extent practicable, the Contractor shall identify and mark attributional/proprietary information. In making an authorized release of such information, the Government will implement appropriate procedures to minimize the contractor attributional/proprietary information that is included in such authorized release, seeking to include only that information that is necessary for the authorized purpose(s) for which the information is being released.
(i) Use and release of contractor attributional/proprietary information not created by or for DoD.
Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is not created by or for DoD is authorized to be released outside of DoD-- (1) To entities with missions that may be affected by such information; (2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents; (3) To Government entities that conduct counterintelligence or law enforcement investigations; (4) For national security purposes, including cyber situational awareness and defense purposes (including with Defense Industrial Base (DIB) participants in the program at 32 CFR part 236); or (5) To a support services contractor (``recipient'') that is directly supporting Government activities under a contract that includes the clause at 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information. (j) Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is created by or for DoD (including the information submitted pursuant to paragraph (c) of this clause) is authorized to be used and released outside of DoD for purposes and activities authorized by paragraph (i) of this clause, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government's use and release of such information. (k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data. (l) Other safeguarding or reporting requirements. 
The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor's responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements. (m) Subcontracts. The Contractor shall-- (1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and (2) Require subcontractors to-- (i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(B) of this clause; and (ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause. (End of clause) 252.204-7015 NOTICE OF AUTHORIZED DISCLOSURE OF INFORMATION FOR LITIGATION SUPPORT (MAY 2016) (a) Definitions. As used in this clause-- Computer software means computer programs, source code, source code listings, object code listings, design details, algorithms, processes, flow charts, formulae, and related material that would enable the software to be reproduced, recreated, or recompiled. Computer software does not include computer data bases or computer software documentation. 
Litigation support means administrative, technical, or professional services provided in support of the Government during or in anticipation of litigation. Litigation support contractor means a contractor (including its experts, technical consultants, subcontractors, and suppliers) providing litigation support under a contract that contains the clause at 252.204-7014, Limitations on the Use or Disclosure of Information by Litigation Support Contractors. Sensitive information means controlled unclassified information of a commercial, financial, proprietary, or privileged nature. The term includes technical data and computer software, but does not include information that is lawfully, publicly available without restriction. Technical data means recorded information, regardless of the form or method of the recording, of a scientific or technical nature (including computer software documentation). The term does not include computer software or data incidental to contract administration, such as financial and/or management information. (b) Notice of authorized disclosures. Notwithstanding any other provision of this solicitation or contract, the Government may disclose to a litigation support contractor, for the sole purpose of litigation support activities, any information, including sensitive information, received- (1) Within or in connection with a quotation or offer; or (2) In the performance of or in connection with a contract. (c) Flowdown. Include the substance of this clause, including this paragraph (c), in all subcontracts, including subcontracts for commercial items. (End of clause) 252.244-7000 SUBCONTRACTS FOR COMMERCIAL ITEMS (JUN 2013) (a) The Contractor is not required to flow down the terms of any Defense Federal Acquisition Regulation Supplement (DFARS) clause in subcontracts for commercial items at any tier under this contract, unless so specified in the particular clause. 
(b) While not required, the Contractor may flow down to subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligation. (c) The Contractor shall include the terms of this clause, including this paragraph (c), in subcontracts awarded under this contract, including subcontracts for the acquisition of commercial items. (End of clause) 52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS-COMMERCIAL ITEMS (DEVIATION 2013-O0019) (JAN 2017) (a) Comptroller General Examination of Record. The Contractor shall comply with the provisions of this paragraph (a) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, and does not contain the clause at 52.215-2, Audit and Records -- Negotiation. (1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract. (2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved. 
(3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law. (b) (1) Notwithstanding the requirements of any other clause in this contract, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (b)(1) in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause- (i) 52.203-13, Contractor Code of Business Ethics and Conduct (Oct 2015) (41 U.S.C. 3509). (ii) 52.219-8, Utilization of Small Business Concerns (Oct 2014) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds $650,000 ($1.5 million for construction of any public facility), the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities. (iii) 52.222-17, Nondisplacement of Qualified Workers (May 2014) (E.O. 13495). Flow down required in accordance with paragraph (1) of FAR clause 52.222-17. (iv) 52.222-21, Prohibition of Segregated Facilities (Apr 2015). (v) 52.222-26, Equal Opportunity (Sep 2016) (E.O. 11246). (vi) 52.222-35, Equal Opportunity for Veterans (Oct 2015) (38 U.S.C. 4212). (vii) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) (29 U.S.C. 793). (viii) 52.222-62 Paid Sick Leave Under Executive Order 13706 (JAN 2017) (E.O. 13706). (ix) 52.222-37, Employment Reports on Veterans (Feb 2016) (38 U.S.C. 4212). (x) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40. 
(xi) 52.222-41, Service Contract Labor Standards (May 2014), (41 U.S.C. chapter 67). (xii) (A) 52.222-50, Combating Trafficking in Persons (Mar 2015) (22 U.S.C. chapter 78 and E.O. 13627). (B) Alternate I (Mar 2015) of 52.222-50 (22 U.S.C. chapter 78 E.O. 13627). (xiii) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment--Requirements (May 2014) (41 U.S.C. chapter 67.) (xiv) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services--Requirements (May 2014) (41 U.S.C. chapter 67) (xv) 52.222-54, Employment Eligibility Verification (Oct 2015). (xvi) 52.222-55, Minimum Wages Under Executive Order 13658 (Dec 2015) (E.O. 13658). (xvii) 52.222-59, Compliance with Labor Laws (Executive Order 13673) (Oct 2016) (Applies at $50 million for solicitations and resultant contracts issued from October 25, 2016 through April 24, 2017; applies at $500,000 for solicitations and resultant contracts issued after April 24, 2017). Note to paragraph (b)(1)(xvi): By a court order issued on October 24, 2016, 52.222-59 is enjoined indefinitely as of the date of the order. The enjoined paragraph will become effective immediately if the court terminates the injunction. At that time, DoD, GSA, and NASA will publish a document in the Federal Register advising the public of the termination of the injunction. (xviii) 52.222-60, Paycheck Transparency (Executive Order 13673) (Oct 2016). (xix) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Jul 2013) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note). (xx) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations. (May 2014) (42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6. (xxi) 52.247-64, Preference for Privately-Owned U.S.
Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx 1241(b) and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64. (2) While not required, the contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations. (End of Clause)

PERFORMANCE WORK STATEMENT

1. GENERAL CARDIOLOGY TESTING SERVICES 1.1. DESCRIPTION OF WORK. The contractor shall provide specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot. 1.1.1. This contract is a non-personal services contract as defined in Federal Acquisition Regulation (FAR) 37.101, under which the professional services rendered by the Contractor are rendered in its capacity as an independent contractor. The Government may evaluate the quality of professional and administrative services provided, but retains no control over professional aspects of the services rendered including for example, the Contractor's professional medical judgment, diagnosis, or specific medical treatments. Contract personnel rendering the services are not subject, either by the contract's terms or by the manner of its administration, to the supervision and control usually prevailing in relationships between the Government and its employees. 1.1.2. Performance Measurements Requirement Summary. The following performance objectives and measures will be used to evaluate Contractor performance and compliance under the contract. This information will be used to prepare annual past performance evaluations. See attachment 1, Quality Assurance Surveillance Plan (QASP), for additional details.

PERFORMANCE MEASUREMENT OBJECTIVE | STANDARD | ACCEPTABLE QUALITY LEVEL | METHOD OF ASSESSMENT
Meet requirements. Para 1.2. | Maintain qualifications and requirements | Comply initially and annually 100% of the time | Annual review of COR files
Patient and customer satisfaction. Para 1.5.2. | Maintain a high level of patient and customer satisfaction. | No more than two (2) substantiated patient complaints for the life of the contract. | COR review assessment of customer complaints through patient and Government Provider feedback.
Comply with reporting requirements. Para 4. | Fax results to the Clinic within three (3) days after completion of test | 100% of the time. All required documentation processed. No significant omissions. | Tracked throughout the contract period of performance (POP) by the COR.
Contractor Manpower Reporting (CMR). Para 7. | Complete Contractor Manpower Report by 31 October of each year. Notify COR by the 5th working day of November whether the report is complete. | Completed report. | Contract Specialist and COR review CMR records to ensure compliance.

1.1.3. The inspection and acceptance point for all services rendered under this contract will be by the department where the services are being provided. The performance by the contract personnel, the quality of services rendered, and any documentation or written material in support of same, shall be subject to continuous inspection, surveillance and review for acceptance by the Contracting Officer's Representative (COR) or designated representative. Any services rendered by the contract personnel to patients or interaction with civilian personnel deemed unprofessional/threatening/dangerous by the Department Chief will be considered grounds for immediate removal of CP and termination under clause 52.212-4 (m) Termination for Cause. 1.2. REQUIREMENTS 1.2.1. The Contractor shall perform Cardiac Stress Testing Services, both exercise and nuclear in accordance with (IAW) the American College of Cardiology guidelines.
For example, Full Bruce Protocol Exercise Treadmill stress tests (CPT code 93015), and Lexiscan Cardiolite SPECT stress and REST myocardial perfusion scan with left ventricular ejection fraction and wall motion assessment (CPT code 78451). 1.2.2. The attending Cardiologist providing services under this Performance Work Statement shall be licensed in the state of Utah and be either Board Eligible or Board Certified in Cardiology. Contractor shall provide certifications and licenses upon request by the Government. 1.2.3. Contractor testing facilities shall be located within 100 miles of Dugway Proving Ground and Tooele Army Depot, Utah. 1.3. ADMINISTRATIVE. 1.3.1. Contracting Officer's Representative (COR). The COR will be appointed in writing by the Contracting Officer (KO) after the contract is awarded. The KO will provide a copy of this designation and COR contact information to the Contractor. 1.3.2. Billing. The Government will only pay for tests actually provided. The Contractor shall only submit payment request for tests with evaluation and interpretive reports that are actually provided. Submitting a payment request for more than the amount due based on the number of tests actually provided may constitute fraud or a false claim and may result in administrative or criminal action or both. 1.3.2.1. Payment will be made by the Defense Finance and Accounting Service (DFAS), Indianapolis, IN. Contractor submits their 2-n-1 invoice online in the Invoicing, Receipt, Acceptance, and Property Transfer (iRAPT) program of the Wide Area Workflow (WAWF) e-Business Suite. The Contracting Officer's Representative (COR) shall verify invoice accuracy for acceptance and submittal to DFAS Indianapolis. 1.4. HOURS OF PERFORMANCE 1.4.1. Testing shall be available Monday through Friday, 52 weeks per year except for Federal holidays. 1.4.2. Holidays. 1.4.2.1. The following is a list of legal federal holidays as referred to elsewhere in the contract. 
New Year's Day - January 1st
Martin Luther King's Birthday - 3rd Monday in January
President's Day - 3rd Monday in February
Memorial Day - Last Monday in May
Independence Day - July 4th
Labor Day - 1st Monday in September
Columbus Day - 2nd Monday in October
Veteran's Day - November 11th
Thanksgiving Day - 4th Thursday in November
Christmas Day - December 25th

NOTE: Any of the above holidays falling on a Saturday will be observed on the preceding Friday; holidays falling on a Sunday will be observed on the following Monday. Any holidays that are declared by Presidential Executive Order shall be observed in the same manner as the holidays listed above. 1.5. CONDUCT. 1.5.1. Inquiries. Contractor shall ensure that its personnel do not respond to any media inquiries. Any inquiries from the media shall be immediately relayed to the COR, who will relay them to the KO. There shall be no interview, comments, or any other response without the knowledge and approval of the KO. Other than routine inquiries from external agencies, all other inquiries and complaints shall be brought to the attention of the COR. 1.5.2. Complaints. Complaints will be validated by the COR and be reported in writing to the KO and to the Contractor for action, if it constitutes a failure to perform, as determined by the Government. Patients may also be a source of legitimate complaints that constitute a failure to perform. The Contractor shall have no more than two substantiated complaints per 12-month period. 1.6. CONFIDENTIALITY OF INFORMATION. Unless otherwise specified, all financial, statistical, personnel, and/or technical data which are furnished, produced or otherwise available to the Contractor during the performance of this contract are considered confidential business information and shall not be used for purposes other than performance of work under this contract. The Contractor shall not release any of the above information without prior written consent of the KO. 2. DEFINITION/ACRONYMS. 2.1. Definitions.
Following is a list of basic definitions. 2.1.1. Contracting Officer (KO). A Government contracting professional with the authority to enter into, administer, and/or terminate contracts/task orders and make related determinations and findings. 2.1.2. Contracting Officer's Representative (COR). A Government employee selected and designated in writing by the KO to act as his/her designated representative in administering the contract. A COR has no authority to change or modify the contract. 2.1.3. Military time is on a 24-hour clock, e.g.
8:00 a.m. - 0800
9:10 a.m. - 0910
Noon - 1200
8:00 p.m. - 2000
9:10 p.m. - 2110
Midnight - 2400
12:01 a.m. - 0001
2.1.4. Military dates are written by placing the day of the month, followed by the first three letters of the month, followed by the last two digits of the year, e.g.
January 02, 2016 - 02 Jan 16
January 12, 2016 - 12 Jan 16
2.1.5. Quality Assessment and Improvement. Those actions taken by the Government to check services to determine if they meet the requirements of the Joint Commission, US Army Medical Command, quality assurance and risk management program, and ensure that the Contractor and its health care providers comply with the terms and conditions of the contract. 2.1.6. Quality Control. Those actions taken by a Contractor to control the performance of services to ensure that they meet the requirements of the contract. 2.2. Acronyms/Abbreviations. Following is a list of basic acronyms/abbreviations used in this contract.
ADP - Automated Data Processing AR - Army Regulation BCLS - Basic Cardiac Life Support BLS - Basic Life Support CFR - Code of Federal Regulations CLIN - Contract Line Item Number CMR - Contract Manpower Reporting CONUS - Continental United States COR - Contracting Officer's Representative CPARS - Contractor Performance Assessment Reporting System CPR - Cardiopulmonary Resuscitation CV - Curriculum Vitae DA - Department of the Army DCCS - Deputy Commander for Clinical Services DEA - Drug Enforcement Administration DoD - Department of Defense DODI - Department of Defense Instruction ECFMG - Educational Commission for Foreign Medical Graduates EFT - Electronic Funds Transfer EKG - Electrocardiogram ETS - Expiration Term of Service FAR - Federal Acquisition Regulation FBI - Federal Bureau of Investigation FL - Form Letter FPP - Family Practice Physician FTE(s) - Full Time Equivalent (s) HCAA - Health Care Acquisition Activity HCP - Health Care Provider HHS - Health and Human Services HIPAA - Health Insurance Portability & Accountability Act of 1996 IAW - In Accordance With IRC - Installation Record Check IV - Intravenous JC - Joint Commission (formerly referred to as the Joint Commission on Accreditation of Healthcare Organizations [JCAHO]) LOSS - Line of Sight Supervision KO - Contracting Officer MEDCOM - Medical Command MEDDAC - Medical Department Activity MTF - Medical Department Facility NACI - National Agency Check with Inquiries NCOIC - Non-Commissioned Officer in Charge NP - Nurse Practitioner OCONUS - Outside the Continental United States OIC - Officer in Charge OSHA - Occupational Safety and Health Administration or Act PA - Physician Assistant PAD - Patient Administration Division PALS - Pediatric Advanced Life Support Pam - Pamphlet PAR - Performance Assessment Report PCF - Practitioner's Credentials File PCO - Procurement KO/Procuring KO PCS - Permanent Change of Station PL - Public Law POC - Point of Contact PWS - Performance Work Statement (may also be 
referred to as work statement or statement of work) QA - Quality Assurance QA&I - Quality Assessment & Improvement QC - Quality Control RN - Registered Nurse LPN - Licensed Practical Nurse RFQ - Request for Quotation RFP - Request for Proposal RPO - Radiation Protection Officer SF - Standard Form SRP - Soldier Readiness Processing RAB - Therapeutic Agents Board TDY - Temporary Duty TO(s) - Task Order(s) USC - United States Code USPS - United States Postal Service CRCO - Central Region Contracting Office WRCO - Western Region Contracting Office WRMC - Western Region Medical Command 3. GOVERNMENT PROPERTY 3.1. The Government will not provide facilities and support services, materials, publications and forms, equipment, and specialty clothing required for contract performance (except as designated in the contract). 4. SPECIFIC TASKS. The Contractor shall provide specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot. Testing will be performed at the Contract facility. The contractor shall evaluate test data/imaging and provide a detailed evaluation report. The resulting report will be completed and faxed within three working days to the referring physician, US Army Health Clinic, Tooele Army Depot or Dugway Proving Ground. 5. APPLICABLE TECHNICAL ORDERS, SPECIFICATIONS, REGULATIONS, AND MANUALS. 5.1. Following is a list of basic publications applicable to this contract. Current issues of many DA publications can be accessed at http://www.apd.army.mil. Current issues of many forms can be accessed at http://www.apd.army.mil. Publications and forms not on the internet can be obtained from the Army Clinics. 5.1.1. The publications have been coded as mandatory or advisory. The Contractor is obligated to follow those coded as mandatory only to the extent that they apply to this contract. 
Supplements, amendments, or changes to these mandatory publications may be issued during the life of the contract. Advisory publications may be used for information and guidance but are not binding for compliance. 5.2. Publications. 5.2.1. Mandatory.
10 USC 1089 - Defense of Certain Suits Arising Out of Medical Malpractice
10 USC 1091 - Personal Service Contracts
PL 91-596 - Occupational Safety and Health Act of 1970
PL 101-647, Sec 231 - Crime Control Act of 1990
PL 102-190, Sec 1094 - National Defense Authorization Act
PL 104-191k - Health Insurance Portability and Accountability Act of 1996
DoDD 5200.28 - Security Requirements for Automated Information Systems (AISs)
DoD 5200.2-R - Personnel Security Program
DoD 6025.18-R - Department of Defense Health Information Privacy Regulation
DoD 8580.02-R - DoD Health Information Security Regulation
DoDI 1402.5 - Criminal History Background Checks on Individuals in Child Care Services
Applicable Army Clinic Standard Operating Procedures (SOPs) and Policies:
AR 25-2 - Information Assurance
AR 40-1 - Composition, Mission, and Functions of the Army Medical Department
AR 40-3 - Medical Services: Medical, Dental, and Veterinary Care
AR 40-4 - Army Medical Department Facilities/Activities
AR 40-5 - Preventive Medicine
AR 40-48 - Non-Physician HCPs
AR 40-66 - Medical Records Administration and Health Care Documentation
AR 40-68 - Clinical Quality Management
AR 40-501 - Standards of Medical Fitness
AR 40-562 - Immunizations and Chemoprophylaxis
AR 340-21 - The Army Privacy Program
AR 351-3 - Professional Education and Training Programs of the Army Medical Department
AR 380-19 - Information Systems Security
AR 380-67 - The Department of the Army Personnel Security Program
AR 385-40 - Army Accident Investigations and Reporting
AR 600-85 - Army Substance Abuse Program Civilian Services
MEDCOM Reg 715-3 - Contractor/Contractor's Employees and MEDCOM Personnel Relationships
5.2.2. Advisory.
AR 310-25 - Dictionary of United States Army Terms
MEDCOM Pam 25-11 - Index of Command Administrative Publications
5.3. The following is a listing of forms that may be required, and may customarily be used by a HCP performing services. A complete list of forms can be accessed at http://apd.army.mil/AdminPubs/ProductMap.asp.
5.3.1. Standard Forms.
SF-85-P - Questionnaire for Public Trust Positions
SF 504 - Medical Record - History
SF 505 - Medical Record - History parts 2 and 3
SF 506 - Medical Record - Physical Examination
SF 507 - Medical Record
SF 509 - Medical Record - Progress Report
SF 513 - Medical Record - Consultation Sheet
SF 515 - Medical Record - Tissue Examination
SF 519-B - Radiologic Consultation Request/Report
SF 523 - Medical Record - Authorization for Autopsy
SF 523-A - Disposition of Body
SF 541 - Medical Record - Gynecologic Cytology
SF 550 - Medical Record - Urinalysis
SF 551 - Medical Record - Serology
SF 557 - Medical Record - Miscellaneous
SF 558 - Medical Record - Emergency Care and Treatment
SF 600 - Medical Record - Chronological Record of Care
5.3.2. Department of Army.
DA 3894 - Hospital Report of Death
DA 4106 - Incident Report
DA 4700 - Medical Record - Supplemental Medical Data
DA 5008 - Telephone Medical Advice/Consultation Record
5.3.3. Department of Defense.
DD 577 - Appointment/Termination Record - Authorized Signature
DD 689 - Sick Slip, Individual
DD 1289 - Prescription Form
DD 2161 - Medical Care, Referral for Civilian
DD 2795 - Pre-Deployment Health Assessment Questionnaire
DD 2797 - Post-Deployment Health Assessment
DD 2807-1 - Medical Record - Medical History
DD 2808 - Medical Record - Medical Examination
5.3.4. Other Forms.
FD Form 258 - FBI US Department of Justice Fingerprint Card
6. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (6 MAY 10) 6.1. In accordance with DoD 6025.18-R "Department of Defense Health Information Privacy Regulation," January 24, 2003, the Contractor meets the definition of Business Associate.
Therefore, a Business Associate Agreement is required to comply with both the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security regulations. This clause serves as the agreement whereby the Contractor agrees to abide by all applicable HIPAA Privacy and Security requirements regarding health information as defined in this clause, and in DoD 6025.18-R and DoD 8580.02-R, as amended. Additional requirements will be addressed when implemented. 6.1.2. Definitions. As used in this clause generally refers to the Code of Federal Regulations (CFR) definition unless a more specific provision exists in DoD 6025.18-R or DoD 8580.02-R. 6.1.2.1. Individual has the same meaning as the term "individual" in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). 6.1.2.2. Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. 6.1.2.3. Protected Health Information has the same meaning as the term "protected health information" in 45 CFR 160.103, limited to the information created or received by the Contractor from or on behalf of the Government pursuant to the Contract. 6.1.2.4. Electronic Protected Health Information has the same meaning as the term "electronic protected health information" in 45 CFR 160.103. 6.1.2.5. Required by Law has the same meaning as the term "required by law" in 45 CFR 160.103. 6.1.2.6. Secretary means the Secretary of the Department of Health and Human Services or his/her designee. 6.1.2.7. Security Rule means the Health Insurance Reform: Security Standards at 45 CFR 160, part 162 and part 164, subpart C. 6.1.2.8. Terms used, but not otherwise defined in this Clause shall have the same meaning as those terms in 45 CFR 160.103, 160.502, 164.103, 164.304, and 164.501.
6.1.3. The Contractor shall not use or further disclose Protected Health Information other than as permitted or required by the Contract or as Required by Law. 6.1.4. The Contractor shall use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for this Contract. 6.1.5. The Contractor agrees to use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits in the execution of this Contract. 6.1.6. The Contractor shall, at their own expense, take action to mitigate, to the extent practicable, any harmful effect that is known to the Contractor of a use or disclosure of Protected Health Information by the Contractor in violation of the requirements of this Clause. These mitigation actions will include as a minimum those listed in the TMA Breach Notification Standard Operating Procedure (SOP), which is available at: http://www.tricare.mil/tmaprivacy/breach.cfm. 6.1.7. The Contractor shall report to the Government any security incident involving protected health information of which it becomes aware. 6.1.8. The Contractor shall report to the Government any use or disclosure of the Protected Health Information not provided for by this Contract of which the Contractor becomes aware. 6.1.9. The Contractor shall ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by the Contractor, on behalf of the Government, agrees to the same restrictions and conditions that apply through this Contract to the Contractor with respect to such information. 6.1.10. The Contractor shall ensure that any agent, including a subcontractor, to whom it provides electronic Protected Health Information, agrees to implement reasonable and appropriate safeguards to protect it. 6.1.11.
The Contractor shall provide access, at the request of the Government, and in the time and manner reasonably designated by the Government to Protected Health Information in a Designated Record Set, to the Government or, as directed by the Government, to an Individual in order to meet the requirements under 45 CFR 164.524. 6.1.12. The Contractor shall make any amendment(s) to Protected Health Information in a Designated Record Set that the Government directs or agrees to pursuant to 45 CFR 164.526 at the request of the Government, and in the time and manner reasonably designated by the Government. 6.1.13. The Contractor shall make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by the Contractor, on behalf of the Government, designated by the Government or the Secretary, for purposes of the Secretary determining the Government's compliance with the Privacy Rule. 6.1.14. The Contractor shall document such disclosures of Protected Health Information and information related to such disclosures as would be required for the Government to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. 6.1.15. The Contractor shall provide to the Government or an Individual, in time and manner reasonably designated by the Government, information collected in accordance with this Clause of the Contract, to permit the Government to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. 6.2. General Use and Disclosure Provisions. 
Except as otherwise limited in this Clause, the Contractor may use or disclose Protected Health Information on behalf of, or to provide services to, the Government for treatment, payment, or healthcare operations purposes, in accordance with the specific use and disclosure provisions below, if such use or disclosure of Protected Health Information would not violate the HIPAA Privacy Rule, the HIPAA Security Rule, DoD 6025.18-R or DoD 8580.02-R if done by the Government. 6.2.1 Specific Use and Disclosure Provisions. (a) Except as otherwise limited in this Clause, the Contractor may use Protected Health Information for the proper management and administration of the Contractor or to carry out the legal responsibilities of the Contractor. (b) Except as otherwise limited in this Clause, the Contractor may disclose Protected Health Information for the proper management and administration of the Contractor, provided that disclosures are required by law, or the Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Contractor of any instances of which it is aware in which the confidentiality of the information has been breached. (c) Except as otherwise limited in this Clause, the Contractor may use Protected Health Information to provide Data Aggregation services to the Government as permitted by 45 CFR 164.504(e)(2)(i)(B). (d) Contractor may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(l). 6.3. Obligations of the Government. Provisions for the Government to Inform the Contractor of Privacy Practices and Restrictions. 6.3.1. The Government shall provide the Contractor with the notice of privacy practices that the Government produces in accordance with 45 CFR 164.520. 
6.3.2. The Government shall provide the Contractor with any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, if such changes affect the Contractor's permitted or required uses and disclosures. 6.3.3. The Government shall notify the Contractor of any restriction to the use or disclosure of Protected Health Information that the Government has agreed to in accordance with 45 CFR 164.522. 6.4. Permissible Requests By The Government. The Government shall not request the Contractor to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Privacy Rule, the HIPAA Security Rule, or any applicable Government regulations (including without limitation, DoD 6025.18-R and DoD 8580.02-R) if done by the Government, except for providing Data Aggregation services to the Government and for management and administrative activities of the Contractor as otherwise permitted by this clause. 6.5. Termination. 6.5.1. Termination. A breach by the Contractor of this clause may subject the Contractor to termination under any applicable default or termination provision of this Contract. 6.5.2. Effect of Termination. 6.5.2.1. If this contract has records management requirements, the records subject to the Clause should be handled in accordance with the records management requirements. If this contract does not have records management requirements, the records should be handled in accordance with paragraphs (2) and (3) below. 6.5.2.2. If this contract does not have records management requirements, except as provided in paragraph (3) of this section, upon termination of this Contract, for any reason, the Contractor shall return or destroy all Protected Health Information received from the Government, or created or received by the Contractor on behalf of the Government. 
This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of the Contractor. The Contractor shall retain no copies of the Protected Health Information. 6.5.2.3. If this contract does not have records management provisions and the Contractor determines that returning or destroying the Protected Health Information is infeasible, the Contractor shall provide to the Government notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Government and the Contractor that return or destruction of Protected Health Information is infeasible, the Contractor shall extend the protections of this Contract to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as the Contractor maintains such Protected Health Information. 6.6. Miscellaneous. 6.6.1. Regulatory Reference. A reference in this Clause to a section in DoD 6025.18-R, DoD 8580.02-R, Privacy Rule or Security Rule means the section currently in effect or as amended, and for which compliance is required. 6.6.2. Survival. The respective rights and obligations of Business Associate under the "Effects of Termination" provision of this Clause shall survive the termination of this Contract. 6.6.3. Interpretation. Any ambiguity in this Clause shall be resolved in favor of a meaning that permits the Government to comply with DoD 6035.18-R, DoD 8580.02-R, the HIPAA Privacy Rule or the HIPAA Security Rule. 7. CONTRACT MANPOWER REPORTS (Accounting for Contract Services) (Jul 2007). 7.1. The Office of the Assistant Secretary of the Army (Manpower & Reserve Affairs) operates and maintains a secure Army data collection site where the Contractor will report ALL Contractor manpower (including subcontractor manpower) required for performance of this contract. 7.2. 
The Contractor is required to completely fill in all the information in the format using the following web address https://cmra.army.mil. The required information includes: (1) Contracting Office, Contracting Officer, Contracting Officer's Technical Representative (2) Contract number, including task and delivery order number (3) Beginning and ending dates covered by reporting period (4) Contractor name, address, phone number, e-mail address, identity of Contractor employee entering data (5) Estimated direct labor hours (including subcontractor) (6) Estimated direct labor dollars paid this reporting period (including subcontractor) (7) Total payments (including subcontractor) (8) Predominant Federal Service Code (FSC) reflecting services provided by Contractor (and separate predominant FSC for each subcontractor if different) (9) Organizational title associated with the Unit Identification Code (UIC) for the Army Requiring Activity (the Army Requiring Activity is responsible for providing the Contractor with its UIC for the purposes of reporting this information) (10) Locations where Contractor and subcontractors perform the work (specified by zip code in the United States and nearest City, Country, when in an overseas location, using standardized nomenclature provided on website) (11) Presence of deployment or contingency contract language, and (12) Number of Contractor and subcontractor employees deployed in theater this reporting period (by country) (13) As part of its submission, the Contractor will also provide the estimated total cost (if any) incurred to comply with this reporting requirement. 7.3. Reporting period will be the period of performance not to exceed 12 months ending September 30 of each Government fiscal year and must be reported by 31 October of each calendar year. The Contractor shall notify the Contracting Officer's Representative (COR) by the 5th of November whether or not they have completed this report. 
If the COR is unavailable, the Contractor will notify the Contracting Officer. 7.3.1. Report Schedules are based on the Government's Fiscal Year cycle, regardless of the contract period of performance cycle. If this order requires a final CMR report which does NOT align to the Fiscal Year; the final CMR report shall be due NLT 30 days after the performance period ends. 7.4. The following information is provided for the Contractor's use in completing the above report: Predominant Federal Service Code: Q403 - Evaluation and Screening Unit Identification Code for the Army Requiring Activity: W2P1AA 8. NOTICE OF CONFERENCE. The Contractor, or authorized representative, may be required to attend a conference prior to commencement of any work performed under this contract. A representative of the Contracting Office will notify the Contractor after entering into the contract as to the specific time and location of the conference. Such conferences will normally occur telephonically, however, the Government reserves the right to require the personal presence of the Contractor. 9. SECURITY REQUIREMENTS The following paragraphs provide information on security requirements associated with this contract. 9.1. Physical Security. The Contractor shall be responsible for safeguarding all Government equipment, information and property provided for Contractor use. At the close of each work period, Government facilities shall be secured. The Contractor shall ensure that its employees entering Army-controlled installations or facilities have obtained access badges and passes IAW facility regulations and that these badges and passes are obtained in advance so as not to delay the accomplishment of contracted services (see paragraph 1.6.7.3.11 Security Badge Requirements for additional information). Delay caused by contractor failure to obtain badges and passes in advance will not be a basis for claim by the Contractor. 
The Contractor shall return all issued US Government Common Access Cards (CAC), Installation badges, and/or access passes to the COR when the contract is completed or when a Contractor employee no longer requires access to the Installation or facility. The Contractor shall demonstrate compliance with all personnel identity verification procedures. If the COR determines that the Contractor is not ensuring all access cards, badges, etc., are being returned as required under this section, the KO may take action against the Contractor to the extent allowed under the FAR and applicable supplements. Actions taken against the Contractor for their failure to comply with this requirement shall not relieve them of their duties associated with this contract. Force Protection Condition (FPCON) impact on work levels: During FPCONs Charlie and Delta, services are discontinued. Services shall resume when the FPCON level is reduced to level Bravo or lower. Procedures for complying with requirements addressed herein shall be included in the CQCP. 9.2 Key Control / Lock Combinations. The Contractor shall establish and implement methods of making sure all keys/key cards issued to the Contractor by the Government are not lost or misplaced and are not used by unauthorized persons. All references to keys include key cards. No keys issued to the Contractor by the Government shall be duplicated. The Contractor shall develop procedures covering key control that shall be included in the CQCP. Such procedures shall include turn-in of any issued keys by personnel who no longer require access to locked areas. The Contractor shall immediately report any occurrences of lost or duplicate keys/key cards to the KO. In the event keys, other than master keys, are lost or duplicated, the Contractor shall, upon direction of the KO, re-key or replace the affected lock or locks; however, the Government, at its option, may replace the affected lock or locks or perform re-keying. 
When the replacement of locks or re-keying is performed by the Government, the total cost of re-keying or the replacement of the lock or locks shall be deducted from the monthly payment due the Contractor. In the event a master key is lost or duplicated, all locks and keys for that system shall be replaced by the Government and the total cost deducted from the monthly payment due the Contractor. The Contractor shall prohibit the use of Government issued keys/key cards by any persons other than the Contractor's employees. The Contractor shall prohibit the opening of locked areas by Contractor employees to permit entrance of persons other than Contractor employees engaged in the performance of assigned work in those areas, or personnel authorized entrance by the KO. The Contractor shall establish and implement methods of ensuring that all lock combinations are not revealed to unauthorized persons. 9.3 Anti-Terrorism (AT) and Operations Security (OPSEC). The following sections provide applicable AT / OPSEC requirements, unless otherwise noted. 9.3.1. AT Level I Training. All Contractor employees, to include subcontractor employees, requiring access to Army Installations, facilities, and controlled access areas shall complete AT Level I Training within 14 days after contract start date. Employees hired after contract start date have 14 days from hire date to complete the training. The Contractor shall submit certificates of completion for each affected Contractor employee and subcontractor employee to the COR within 14 days after completion of training by all employees and subcontractor personnel. AT Level I Training is available at the following website: CAC Holders: [link missing]; Non-CAC Holders: [link missing]. Refer to paragraph 6.4 for deliverable guidance. 9.3.2. Access and General Protection / Security Policy and Procedures. 
Contractor and all associated sub-contractor employees shall comply with applicable installation, facility, and area commander Installation/facility access and local security policies and procedures (provided by Government representative). The Contractor shall also provide all information required for background checks to meet Installation access requirements to be accomplished by Director of Emergency Services (DES), and/or Security Office (SO). Contractor workforce must comply with all personal identity verification requirements (FAR Clause 52.204-9, Personal Identity Verification of Contractor Personnel) as directed by DoD, Headquarters Department of the Army (HQDA), and/or local policy. In addition to the changes otherwise authorized by the changes clause of this contract, should the FPCON at any individual facility or Installation change, the Government may require changes in Contractor security matters or processes. 9.3.3. Contractors requiring Common Access Card (CAC). Before CAC issuance, the contractor employee requires, at a minimum, a favorably adjudicated National Agency Check with Inquiries (NACI) or an equivalent or higher investigation in accordance with Army Directive 2014-05. The contractor employee will be issued a CAC only if duties involve one of the following: (1) Both physical access to a DoD facility and access, via logon, to DoD networks on-site or remotely; (2) Remote access, via logon, to a DoD network using DoD-approved remote access procedures; or (3) Physical access to multiple DoD facilities or multiple non-DoD federally controlled facilities on behalf of the DoD on a recurring basis for a period of 6 months or more. At the discretion of the sponsoring activity, an initial CAC may be issued based on a favorable review of the FBI fingerprint check and a successfully scheduled NACI at the Office of Personnel Management. 9.3.4. Contractors that do not require CAC, but require access to a DoD facility or installation. 
Contractor and all associated sub-contractor employees shall comply with adjudication standards and procedures using the National Crime Information Center Interstate Identification Index (NCIC-III) and Terrorist Screening Database (TSDB) (Army Directive 2014-05/AR 190-13), applicable installation, facility and area commander installation/facility access and local security policies and procedures (provided by government representative), or, at OCONUS locations, in accordance with status of forces agreements and other theater regulations. 9.3.5. iWatch Training. The Contractor and all associated sub-contractors shall brief all employees on the local iWatch program (training standards provided by the requiring activity Anti-terrorism Officer (ATO)). This locally developed training will be used to inform employees of the types of behavior to watch for and instruct employees to report suspicious activity to the COR. This training shall be completed within 14 days of contract award and within 14 days of new employees commencing performance on this contract. Results shall be reported to the COR NLT 14 days after completion of the training required as stated above. Refer to paragraph 6.5 for deliverable guidance. 9.3.6. Contractor Employees Who Require Access to Government Information Systems (IS). All Contractor employees with access to a Government information system must be registered in the Army Training Certification Tracking System (ATCTS) ([link missing]) at the commencement of services, and must successfully complete the DoD Information Assurance Awareness training ([link missing]) prior to access to the information systems and annually thereafter. 9.3.7. OPSEC Standing Operating Procedure (SOP) / Plan. 
The Contractor shall develop an OPSEC SOP/Plan and submit for review and approval to the Government prior to end of the Phase-In period per Army Regulation (AR) 530-1 Operations Security. In addition, the Contractor shall identify an individual who shall be an OPSEC Coordinator. The Contractor shall ensure this individual becomes OPSEC Level II certified per AR 530-1 NLT the end of the Phase-In period. Refer to paragraph 6.6 for deliverable guidance. 9.3.8. OPSEC Training. All contractor employees shall complete Level I OPSEC training per AR 530-1 within 30 days of the approved OPSEC SOP/Plan. Thereafter, new Contractor employees must complete Level I OPSEC training within 30 days of their reporting for duty. All Contractor employees must complete annual OPSEC training. OPSEC Training is available at: [link missing]. The Contractor shall submit certificates of completion for each affected Contractor employee and subcontractor employee to the COR within 14 days after completion of training. Refer to paragraph 6.7 for deliverable guidance. 9.3.9. Information Assurance (IA) / Information Technology (IT) Training. All Contractor employees and associated subcontractor employees must complete the DoD IA Awareness training before issuance of network access and annually thereafter. All Contractor employees working IA/IT functions must comply with DoD and Army training requirements in Department of Defense Directive (DoDD) 8570.01 Information Assurance (IA) Training, Certification, and Workforce Management, DoD 8570.01-M Information Assurance Workforce Improvement Program, and AR 25-2 Information Assurance within six months of employment. 9.3.10. IA / IT Certification. Per DoD 8570.01-M, Defense Federal Acquisition Regulations Supplement (DFARS) 252.239.7001, and AR 25-2, Contractor employees supporting IA/IT functions shall be appropriately certified upon contract award. 
The baseline certification as stipulated in DoD 8570.01-M must be completed upon contract award. 9.3.11. Contractor Access to DPG. Access to DPG requires that Contractor employees voluntarily submit personal data (e.g. Name, Driver License Number, Date of birth, [Active CAC; Y or N], Email address, Company Name, and Citizenship) when applying for a DPG Identification Card. When applying for a Temporary Access Pass (contractor shall submit the personal data a minimum of 72 hours in advance) the following personal data is required (same as above plus date of arrival, date of departure, reason for visit, and areas to be visited). This information is routinely used by DPG Law Enforcement and Security personnel to conduct driver's license and criminal history/background checks. Adverse information revealed by such checks (e.g. outstanding criminal warrants, criminal history indicating a potential risk to DPG Installation security, or similar negative information indicating a potential security and/or law enforcement risk to DPG) may result in denial of access and/or re-entry to DPG. Delays caused by any adverse employee information do not constitute a basis for claim by the Contractor. It is the Contractor's responsibility to assure all personnel scheduled to work on the installation have acceptable backgrounds. 9.3.12. Personnel Security. 9.3.12.1. The Contractor shall appoint a Facility Security Officer (FSO). The FSO shall provide employees with training required by DoD 5220.22-M Industrial Security Manual, DoD 5220.22-R, Army security directives and local security directives. 9.3.12.2. Some of the work required by this contract may require access to restricted areas. Occasional delays in obtaining authorization for access to these areas or escort to a work site may be anticipated. 
The Contractor's personnel requiring unescorted entry to restricted or other sensitive areas designated by the Installation Commander shall comply with AR 25-2 and AR 380-67 Personnel Security Program. 9.3.12.3. The Contractor shall have a Government Facility Security Clearance at the level indicated on DD 254 DoD Contract Security Classification Specification [refer to Technical Exhibit (TE) 1] and a cleared facility for the storage of classified materials. Safeguarding of classified information and clearance procedures for the Contractor's personnel shall be accomplished in accordance with DoD 5220.22-M and all other current relevant regulatory/guidance materials. 9.3.12.4. The Contractor shall request from the Defense Industrial Security Clearance Office (DISCO), P.O. Box 2499, Columbus, OH 43216-5006, security clearances (e.g., locksmiths, alarm technicians) for personnel requiring access to classified information within 15 days after contract award. 9.3.12.5. The Contractor shall provide the security information to the DPG Intelligence Office prior to the end of the phase-in period and when any changes occur during the term of the contract. 9.3.12.6. The Counter Intelligence Office (CIO) processes National Agency Checks (NAC) for Contractor employees who require access to restricted areas or have access to sensitive information or equipment. The Contractor shall request a waiver through the servicing CIO to process employees for an NAC that requires access to restricted areas and who do not already have a security background investigation. In DPG cleared facilities, Performing Activities shall comply with the National Industrial Security Program (NISPOM) controlled area requirements. The CIO shall approve the establishment, the construction, and the modification of all designated controlled areas before they may be used for the storage of classified materials. 9.3.13. Security Badge Requirements. 
The Contractor is responsible for security badges issued to their employees and/or employees of their subcontractors. A designated representative (being an officer or supervisor of the Contractor) shall co-sign for each individual when obtaining the required item(s). Additionally, the Contractor shall provide to the KO a list of employees needing badges under the awarded contract prior to initiation of work. The Contractor shall submit, to the KO with his monthly billing, a certificate of return for all badges from the cognizant office(s) before approval for payment will be considered. The replacement costs for badges are as follows: a) Non-Proximity DPG ID Card $2.97 b) Proximity DPG ID Card $6.91 The above indicated replacement cost for lost items will be deducted from the Contractor's monthly billing (during the month of discovery) for item(s) not returned or lost, or the Contractor will be billed in cases where the replacement cost of lost items exceeds the amount due the Contractor. The Contractor shall be required to have security badges issued to their personnel by DPG Visitor Control Center Bldg. 5910. DPG IDs shall be visible at all times while West of Access Control Point 2. The Government will be responsible for the issuance of security badges required by DoD 5220.22-R Industrial Security Regulation. Additionally, all Contractor employees shall obtain and maintain a Government issued Common Access Card. Refer to paragraph 6.8 for deliverable guidance. 9.3.14. Entry Procedures to Controlled / Restricted Areas. The Contractor shall coordinate with Range Control at phone number 435-831-5141 for access to DPG Range Areas. Access to Buildings 4153, 4156, 4165, and 8027 shall be initiated via use of the phone located at the turnstile at each building's entry location. The Contractor's personnel requiring unescorted entry to restricted or other sensitive areas designated by the Installation Commander shall comply with AR 380-67 and AR 25-2. 9.3.15. 
Contractor Sponsored Foreign Nationals. All foreign national personnel (including guests) that need access past Access Control Point 2 will require a DPG affiliated U.S. citizen escort. If a sensitive test or visit is scheduled during the dates provided, the COR will inform the Contractor whether the work/visit may take place. The COR will forward the list to the DPG Foreign Disclosure Officer within the Counterintelligence Office for verification. Foreign nationals will not be allowed on DPG until the verification process is complete. Once verification has been received, the COR is responsible to provide the Protocol Office the following information for badge preparation: a) Name b) Company Name c) Point of Contact (POC) The COR is also responsible to pick up the badges and badge holders, issue them to the visitor, and return them at the end of the visit. If the visit is only scheduled to take place in the English Village area, the Visitor Control Center will issue a Foreign National Visitor Pass. Refer to paragraphs 9.3.11 and 9.3.13 for issuance, return, and cost associated with badges. 9.3.16. Reporting Requirements. The Contractor shall immediately report any known or suspected breaks or violations of security to the proper authorities, the KO, and the COR and remain at the scene until authorities arrive. Additional or other conditions or situations are reportable under DoD 5220.22-M National Industrial Security Program Operating Manual Supplement. The Contractor's personnel shall report to an appropriate authority any information or circumstances of which they are aware that may pose a threat to the security of US Government, DoD, DoD personnel, Contractor personnel, resources, and classified or unclassified defense information. The Contractor shall brief their employees of reporting requirements upon arrival to the site. 9.3.17. Drivers. 
Drivers must be appropriately licensed by the State of Utah or other appropriate jurisdiction to operate vehicles used in the performance of this contract on Federal, State of Utah, and local highway systems. Violations of law off post may result in the employee being barred from driving on the Installation or barred from the Installation. These incidents shall not relieve the Contractor from performing the functions in this contract. 9.3.18. Additional Security Requirements. IAW DoDM 5200.01 Information Security Program (Volumes 1 through 4), the Contractor shall comply with Army Systems Security Instruction (ASI) requirements such as Communications Security (COMSEC); Computer Security (COMPUSEC) for Operational Systems; Security Awareness, Training, and Education (SATE) Program; and Emanations Security (TEMPEST) IAW AR 530-1. 9.3.19. Line-of-Sight Supervision. LOSS requires continuous visual observation and supervision of an individual while engaged in child-interactive duties or in the presence of children in an Army-sponsored or sanctioned program or activity. The person providing supervision must have undergone Preliminary checks and a CNACI background check, received a favorable suitability determination, be current on the periodic re-verification requirements and not previously exhibited wanton or reckless disregard for an obligation to supervise an employee, contractor or volunteer under LOSS. An individual permitted to work subject to LOSS must continue to function under LOSS until the results of his or her completed background check are received and favorably adjudicated. 9.3.19.1. All personnel within a CYS facility (including visitors, contractors etc.) must remain in Line of Sight Supervision (LOSS) of a cleared CYS employee (an individual who has a favorably adjudicated CNACI and IRC's) throughout the duration of their visit. 9.3.19.2. All individuals within the facility must be properly signed into the facility. 
If any CYS Services staff, contractors or volunteers are not cleared/under Line of Sight Supervision (LOSS), they will wear a RED uniform or Red Identification badge. Individuals working under LOSS must be conspicuously identified by means of distinctive clothing, identification badge with lanyard, armband, etc.) that is completely visible when viewed from all angles (This includes contractors). Three options for the contractor: a) Operate under LOSS supervisor working within the facility; b) Submit a name to be investigated and act as the LOSS supervisor; or c) Conduct the work after hours when no children are present. These conditions are mandatory and cannot be waived. The individuals conducting the work are allowed to work if they pass the Dugway criminal check for entrance onto the base. 9.3.20. Mass Warning Notification System (MWNS). All DoD military and civilian personnel and contract support personnel whose normal place of duty is on a DoD installation or within a DoD facility (i.e. "DoD badge holders") are considered part of the "primary population". Due to the life safety implications of the information being relayed and the requirement to provide immediate alerts and warnings, all members of the "primary population must ensure that their personal contact information, including after-duty hours contact information, as appropriate (e.g. personal cellular phone numbers or landline phone numbers), email addresses, home address, etc., are entered into the system (AtHoc and WebEoc) and regularly updated or verified every 90 days to remain current and accurate. (End of Performance Work Statement) Attachment 1: Quality Assurance Surveillance Plan Attachment 2: Workload Estimate ATTACHMENT 1 QUALITY ASSURANCE AND SURVEILLANCE PLAN FOR A. OBJECTIVE: The Contractor shall provide specialized Cardiology Testing services (treadmill and nuclear stress testing) for the Utah Army Health Clinics at Dugway Proving Ground and Tooele Army Depot. 
Testing will be performed at the Contract facility. The contractor shall evaluate test data/imaging and provide a detailed evaluation report. The resulting report will be completed and faxed within three working days to the referring physician, US Army Health Clinic, Tooele Army Depot or Dugway Proving Ground. B. PERFORMANCE MEASUREMENT OBJECTIVE: The key area(s) of the Contractor's performance that will be evaluated during the term of the contract. The PWS reference will be provided for each performance measurement objective. C. ASSESSMENT METHOD: contractor performance is inspected and evaluated on key areas of performance: fill rate monthly; turnover rate and substantiated patient/staff complaints annually; qualified candidates as needed. Method of surveillance is 100% inspection. D. ACCEPTABLE QUALITY LEVEL (AQL): The degree to which the Government will allow the Contractor's key areas of performance to vary; the variance from the standard that the Contractor is allowed and the grading/measurement associated with deviation from the specific performance standard. E. KEY AREAS OF PERFORMANCE: The following Performance Measurements Requirement Summary applies. The Government may modify inspection methods in accordance with site specific requirements.

PERFORMANCE MEASUREMENT OBJECTIVE | STANDARD | ACCEPTABLE QUALITY LEVEL | METHOD OF ASSESSMENT | REMEDY
Meet requirements. Para 1.2. | Maintain qualifications and requirements | Comply initially and annually 100% of the time | Annual review of COR files | Document performance in CPARS using measurements shown below.
Patient and customer satisfaction. Para 1.5.2. | Maintain a high level of patient and customer satisfaction. | No more than two (2) substantiated patient complaints for the life of the contract. | COR review assessment of customer complaints through patient and Government Provider feedback. | Document performance in CPARS using measurements shown below.
Comply with reporting requirements. Para 4. | Fax results to the Clinic within three (3) days after completion of test | 100% of the time. All required documentation processed. No significant omissions. | Tracked throughout the contract period of performance (POP) by the COR. | Document performance in CPARS using measurements shown below.
Contractor Manpower Reporting (CMR). Para 7. | Complete Contractor Manpower Report by 31 October of each year. Notify COR by the 5th working day of November whether the report is complete. | Completed report. | Contract Specialist and COR review CMR records to ensure compliance. | Document performance in CPARS using measurements shown below.

F. CONTRACTOR PERFORMANCE ASSESSMENT REPORT. This report shall be submitted to the Contracting Officer monthly (unless otherwise agreed upon between the Contracting Officer and the Contracting Officer's Representative). G. REPERFORMANCE OF SERVICES. If any of the services do not conform with contract requirements, the Government will require the Contractor to reperform the services in conformity with contract requirements, at no additional cost to the Government. When the defects in services cannot be corrected due to circumstances, the Government may (1) require the contractor to take necessary action to ensure that future performance conforms to contract requirements and (2) reduce the contract price to reflect the reduced value of the services performed. The Contracting Officer may exercise appropriate contractual remedy should the Contractor fail to promptly take the necessary action to ensure future performance is in conformity with contract requirements. When apparent non-satisfactory work is identified, the Contracting Officer's Representative shall prepare a Contract Discrepancy Report (CDR) and submit to the Contracting Officer for review, use DD Form 2722. The Contractor shall then be required to respond to the CDR.
The Contractor shall explain reasons for substandard performance, how performance will be returned to acceptable levels, and how recurrence of the same or like problems will be prevented. The Contracting Officer will evaluate the Contractor's explanation, assess its validity, and determine whether it is acceptable. The Contractor shall be required to correct/eliminate any deficiencies in services in a timely manner. Notification begins when pertinent documents (Customer Complaint Record or CDR) are issued to the Contractor. Time of notification and correction of all applicable deficiencies should be entered on all Government documents and retained in the contract file. The Government may execute a deduction in payment for non-compliance when validated by the Contracting Officer. H. PERFORMANCE RATINGS. The Government will rate past performance using the following performance standards. VERY GOOD: Performance meets contractual requirements and exceeds some to the Government's benefit. SATISFACTORY: Performance meets contractual requirements. MARGINAL: Performance does not meet some contractual requirements. UNSATISFACTORY: Performance does not meet most contractual requirements and recovery is not likely in a timely manner. Other performance evaluation factors that will be monitored and documented in the Contractor's performance records but cannot be quantified by numerical measurements: accuracy and timeliness of billing for services performed. For example: (1) erroneously billing the patient's personal insurance company as opposed to billing the Government for services; (2) repeated administrative invoice errors (wrong contract number, date of service, or CAGE code, etc.) resulting in rejection of invoice for payment by the COR; (3) not billing for services in a timely manner (Government receiving an invoice for a service rendered 3-6 months ago). NOTE: This plan is provided for information purposes only. 
The QASP is not a part of the solicitation, nor shall it be part of any resulting contract. The Government has the right to change or modify inspection methods at its discretion. (End of PWS) IRAPT: Invoicing, Receipt, Acceptance and Property Transfer (iRAPT), formerly known as WAWF. iRAPT is the authorized method to electronically process vendor requests for payment. This application allows DOD vendors to submit and track Invoices and Receipt/Acceptance documents electronically. Contractor shall (i) register to use iRAPT at https://wawf.eb.mil and (ii) ensure an electronic business point of contact (POC) is designated in the System for Award Management at https://www.sam.gov within ten (10) calendar days after award of this contract/order. iRAPT Instructions: Questions concerning payments should be directed to the Defense Finance and Accounting Service (DFAS) location listed in Block 18a of your purchase order/contract. Please have your purchase order/contract number ready when calling about payments. You can easily access payment and receipt information using the DFAS web site at http://www.dfas.mil/money/vendor. Your purchase order/contract number or invoice number will be required to inquire status of your payment. The following codes and information will be required to assure successful flow of iRAPT documents. Foreign Vendors will submit banking information in the Comments Tab of the iRAPT invoice.
TYPE OF DOCUMENT [X the appropriate block] Invoice (Contractor Only) Invoice and Receiving Report (COMBO) _x Invoice as 2-in-1 (Services Only) Receiving Report (Government Only) CAGE CODE: ISSUE BY DODAAC: W81K00 ADMIN BY DODAAC: W81K00 INSPECT BY DODAAC: ACCEPT BY DODAAC: SHIP TO DODAAC: PAYMENT OFFICE FISCAL STATION CODE: 02001 EMAIL POINTS OF CONTACT LISTING: (Use Group e-mail accounts if applicable) INSPECTOR Primary: ACCEPTOR Primary: RECEIVING OFFICE POC: Primary: CONTRACT ADMINISTRATOR/ SPECIALIST: emerita.torres.civ@mail.mil CONTRACTING OFFICER: See Block 31b on SF1449 for email address. Any modification requests must be in writing and submitted to: ADMIN DODAAC. HIPAA Non-Defense Health Agency (Non-DHA) Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA) (7 July 2014) Introduction In accordance with 45 CFR 164.502(e)(2) and 164.504(e) and paragraph C.3.4.1.3 of DoD 6025.18-R, "DoD Health Information Privacy Regulation," January 24, 2003, this document serves as a BAA between the signatory parties for purposes of the HIPAA and the "HITECH Act" amendments thereof, as implemented by the HIPAA Rules and DoD HIPAA Issuances (both defined below). The parties are a DoD Military Health System (MHS) component, acting as a HIPAA covered entity, and a DoD contractor, acting as a HIPAA business associate. The HIPAA Rules require BAAs between covered entities and business associates. Implementing this BAA requirement, the applicable DoD HIPAA Issuance (DoD 6025.18-R, paragraph C3.4.1.3) provides that requirements applicable to business associates must be incorporated (or incorporated by reference) into the contract or agreement between the parties. (a) Catchall Definition.
Except as provided otherwise in this BAA, the following terms used in this BAA shall have the same meaning as those terms in the DoD HIPAA Rules: Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices (NoPP), Protected Health Information (PHI), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. -Breach means actual or possible loss of control, unauthorized disclosure of or unauthorized access to PHI or other PII (which may include, but is not limited to PHI), where persons other than authorized users gain access or potential access to such information for any purpose other than authorized purposes, where one or more individuals will be adversely affected. The foregoing definition is based on the definition of breach in DoD Privacy Act Issuances as defined herein. -Business Associate shall generally have the same meaning as the term "business associate" in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of Business Associate signatory to this BAA]. -Agreement means this BAA together with the documents and/or other arrangements under which the Business Associate signatory performs services involving access to PHI on behalf of the MHS component signatory to this BAA. -Covered Entity shall generally have the same meaning as the term "covered entity" in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of MHS component signatory to this BAA]. -DHA Privacy Office means the DHA Privacy and Civil Liberties Office. The DHA Privacy Office Director is the HIPAA Privacy and Security Officer for DHA, including the National Capital Region Medical Directorate (NCRMD). -DoD HIPAA Issuances means the DoD issuances implementing the HIPAA Rules in the DoD Military Health System (MHS). These issuances are DoD 6025.18-R (2003), DoDI 6025.18 (2009), and DoD 8580.02-R (2007). 
-DoD Privacy Act Issuances means the DoD issuances implementing the Privacy Act, which are DoDD 5400.11 (2007) and DoD 5400.11-R (2007). -HHS Breach means a breach that satisfies the HIPAA Breach Rule definition of breach in 45 CFR 164.402. -HIPAA Rules means, collectively, the HIPAA Privacy, Security, Breach and Enforcement Rules, issued by the U.S. Department of Health and Human Services (HHS) and codified at 45 CFR Part 160 and Part 164, Subpart E (Privacy), Subpart C (Security), Subpart D (Breach) and Part 160, Subparts C-D (Enforcement), as amended by the 2013 modifications to those Rules, implementing the "HITECH Act" provisions of Pub. L. 111-5. See 78 FR 5566-5702 (Jan. 25, 2013) (with corrections at 78 FR 32464 (June 7, 2013)). Additional HIPAA rules regarding electronic transactions and code sets (45 CFR Part 162) are not addressed in this BAA and are not included in the term HIPAA Rules. -Service-Level Privacy Office means one or more offices within the military services (Army, Navy, or Air Force) with oversight authority over Privacy Act and HIPAA privacy compliance. I. Obligations and Activities of Business Associate (a) The Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement or as required by law. (b) The Business Associate shall use appropriate safeguards, and comply with the DoD HIPAA Rules with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement. (c) The Business Associate shall report to Covered Entity any Breach of which it becomes aware, and shall proceed with breach response steps as required by Part V of this BAA. With respect to electronic PHI, the Business Associate shall also respond to any security incident of which it becomes aware in accordance with any Information Assurance provisions of the Agreement.
If at any point the Business Associate becomes aware that a security incident involves a Breach, the Business Associate shall immediately initiate breach response as required by part V of this BAA. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), respectively, as applicable, the Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI. (e) The Business Associate shall make available PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual, as necessary to satisfy the Covered Entity obligations under 45 CFR 164.524. (f) The Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526. (g) The Business Associate shall maintain and make available the information required to provide an accounting of disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity's obligations under 45 CFR 164.528. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Privacy Rule, the Business Associate shall comply with the requirements of HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and (i) The Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. II. Permitted Uses and Disclosures by Business Associate (a) The Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Agreement or as required by law.
The Business Associate is not permitted to de-identify PHI under DoD HIPAA issuances or the corresponding 45 CFR 164.514(a)-(c), nor is it permitted to use or disclose de-identified PHI, except as provided by the Agreement or directed by the Covered Entity. (b) The Business Associate agrees to use, disclose and request PHI only in accordance with the HIPAA Privacy Rule "minimum necessary" standard and corresponding DHA policies and procedures as stated in the DoD HIPAA Issuances. (c) The Business Associate shall not use or disclose PHI in a manner that would violate the DoD HIPAA Issuances or HIPAA Privacy Rules if done by the Covered Entity, except uses and disclosures for the Business Associate's own management and administration and legal responsibilities or for data aggregation services as set forth in the following three paragraphs. (d) Except as otherwise limited in the Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. The foregoing authority to use PHI does not apply to disclosure of PHI, which is covered in the next paragraph. (e) Except as otherwise limited in the Agreement, the Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. 
(f) Except as otherwise limited in the Agreement, the Business Associate may use PHI to provide Data Aggregation services relating to the Covered Entity's health care operations. III. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions (a) The Covered Entity shall provide the Business Associate with the notice of privacy practices that the Covered Entity produces in accordance with 45 CFR 164.520 and the corresponding provision of the DoD HIPAA Issuances. (b) The Covered Entity shall notify the Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes affect the Business Associate's use or disclosure of PHI. (c) The Covered Entity shall notify the Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such changes may affect the Business Associate's use or disclosure of PHI. IV. Permissible Requests by Covered Entity The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule or any applicable Government regulations (including without limitation, DoD HIPAA Issuances) if done by the Covered Entity, except for providing Data Aggregation services to the Covered Entity and for management and administrative activities of the Business Associate as otherwise permitted by this BAA. V. Breach Response (a) In general. In the event of a breach of PII/PHI held by the Business Associate, the Business Associate shall follow the breach response requirements set forth in this Part V, which is designed to satisfy both the Privacy Act and HIPAA as applicable. 
If a breach involves PII without PHI, then the Business Associate shall comply with DoD Privacy Act Issuance breach response requirements only; if a breach involves PHI (a subset of PII), then the Business Associate shall comply with both Privacy Act and HIPAA breach response requirements. A breach involving PHI may or may not constitute an HHS Breach. If a breach is not an HHS Breach, then the Business Associate has no HIPAA breach response obligations. In such cases, the Business Associate must still comply with breach response requirements under the DoD Privacy Act Issuances. If the DHA Privacy Office determines that a breach is an HHS Breach, then the Business Associate shall comply with both the HIPAA Breach Rule and DoD Privacy Act Issuances, as directed by the DHA Privacy Office, regardless of whether the breach occurs at DHA or at one of the Service components. If the DHA Privacy Office determines that the breach does not constitute an HHS Breach, then the Business Associate shall comply with DoD Privacy Act Issuances, as directed by the applicable Service-Level Privacy Office. The Business Associate shall contact the Covered Entity for guidance when the incident is not an HHS Breach. This Part V is designed to satisfy the DoD Privacy Act Issuances and the HIPAA Breach Rule as implemented by the DoD HIPAA Issuances. In general, for breach response, the Business Associate shall report the breach to the Covered Entity, assess the breach incident, notify affected individuals, and take mitigation actions as applicable. Because DoD defines "breach" to include possible (suspected) as well as actual (confirmed) breaches, the Business Associate shall implement these breach response requirements immediately upon the Business Associate's discovery of a possible breach. 
(b) Government Reporting Provisions The Business Associate shall report the breach within one hour of discovery to the Covered Entity and to the US Computer Emergency Readiness Team (US CERT) -the other parties as deemed appropriate by the Covered Entity. The Business Associate is deemed to have discovered a breach as of the time a breach (suspected or confirmed) is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing it) who is an employee, officer or other agent of the Business Associate. The Business Associate shall submit the US-CERT report using the online form at https://forms.us-cert.gov/report/. Before submission to US-CERT, the Business Associate shall save a copy of the on-line report. After submission, the Business Associate shall record the US-CERT Reporting Number. Although only limited information about the breach may be available as of the one hour deadline for submission, the Business Associate shall submit the US-CERT report by the deadline. The Business Associate shall e-mail updated information as it is obtained, following the instructions at http://www.us-cert.gov/pgp/email.html. The Business Associate shall provide a copy of the initial or updated US-CERT report to the Covered Entity and the applicable Service-Level Privacy Office, if requested by either. Business Associate questions about US-CERT reporting shall be directed to the Covered Entity or Service-Level Privacy Office, not the US-CERT office. The additional US Army and the US Army Medical Command (MEDCOM) reporting requirements are addressed in the PII Breach Reporting and Notification Policy. The latest version of this policy can be obtained from the Covered Entity or the MEDCOM Privacy Act/Freedom of Information Act (FOIA) Office at: usarmy.jbsa.medcom.list.medcom-foia-users@mail.mil.
If multiple beneficiaries are affected by a single event or related set of events, then a single reportable breach may be deemed to have occurred, depending on the circumstances. The Business Associate shall inform the Covered Entity as soon as possible if it believes that "single event" breach response is appropriate; the Covered Entity will determine how the Business Associate shall proceed and, if appropriate, consolidate separately reported breaches for purposes of Business Associate report updates, beneficiary notification, and mitigation. When a Breach Report initially submitted is incomplete or incorrect due to unavailable information, or when significant developments require an update, the Business Associate shall submit a revised form or forms, stating the updated status and previous report date(s) and showing any revisions or additions in red text. Examples of updated information the Business Associate shall report include, but are not limited to: confirmation on the exact data elements involved, the root cause of the incident, and any mitigation actions to include, sanctions, training, incident containment, follow-up, etc. The Business Associate shall submit these report updates promptly after the new information becomes available. Prompt reporting of updates is required to allow the Covered Entity to make timely final determinations on any subsequent notifications or reports. The Business Associate shall provide updates to the same parties as required for the initial Breach Report. The Business Associate is responsible for reporting all information needed by the Covered Entity to make timely and accurate determinations on reports to HHS as required by the HHS Breach Rule and reports to the Defense Privacy and Civil Liberties Office as required by DoD Privacy Act Issuances. 
In the event the Business Associate is uncertain on how to apply the above requirements, the Business Associate shall consult with the Covered Entity (or the Service-Level Privacy Office, which will consult with the DHA Privacy Office as appropriate) when determinations on applying the above requirements are needed. (c) Individual Notification Provisions If the DHA Privacy Office determines that individual notification is required, the Business Associate shall provide written notification to individuals affected by the breach as soon as possible, but no later than 10 working days after the breach is discovered and the identities of the individuals are ascertained. The 10 day period begins when the Business Associate is able to determine the identities (including addresses) of the individuals whose records were impacted. The Business Associate's proposed notification to be issued to the affected individuals shall be submitted to the parties to which reports are submitted under paragraph V (a) for their review, and for approval by the DHA Privacy Office. Upon request, the Business Associate shall provide the DHA Privacy Office with the final text of the notification letter sent to the affected individuals. If different groups of affected individuals receive different notification letters, then the Business Associate shall provide the text of the letter for each group. (PII shall not be included with the text of the letter(s) provided.) Copies of further correspondence with affected individuals need not be provided unless requested by the Privacy Office. The Business Associate's notification to the individuals, at a minimum, shall include the following: -The individual(s) must be advised of what specific data was involved. It is insufficient to simply state that PII has been lost. 
Where names, Social Security Numbers (SSNs) or truncated SSNs, and Dates of Birth (DOBs) are involved, it is critical to advise the individual that these data elements potentially have been breached. -The individual(s) must be informed of the facts and circumstances surrounding the breach. The description should be sufficiently detailed so that the individual clearly understands how the breach occurred. -The individual(s) must be informed of what protective actions the Business Associate is taking or the individual can take to mitigate against potential future harm. The notice must refer the individual to the current Federal Trade Commission (FTC) web site pages on identity theft and the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261. -The individual(s) must also be informed of any mitigation support services (e.g., one year of free credit monitoring, identification of fraud expense coverage for affected individuals, provision of credit freezes, etc.) that the Business Associate may offer affected individuals, the process to follow to obtain those services and the period of time the services will be made available, and contact information (including a phone number, either direct or toll-free, e-mail address and postal address) for obtaining more information. Business Associates shall ensure any envelope containing written notifications to affected individuals are clearly labeled to alert the recipient to the importance of its contents, e.g., "Data Breach Information Enclosed," and that the envelope is marked with the identity of the Business Associate and/or subcontractor organization that suffered the breach. The letter must also include contact information for a designated POC to include, phone number, email address, and postal address.
If the Business Associate determines that it cannot readily identify, or will be unable to reach, some affected individuals within the 10 day period after discovering the breach, the Business Associate shall so indicate in the initial or updated Breach Report. Within the 10 day period, the Business Associate shall provide the approved notification to those individuals who can be reached. Other individuals must be notified within 10 days after their identities and addresses are ascertained. The Business Associate shall consult with the DHA Privacy Office, which will determine which media notice is most likely to reach the population not otherwise identified or reached. The Business Associate shall issue a generalized media notice(s) to that population in accordance with Privacy Office approval. The Business Associate shall, at no cost to the government, bear any costs associated with a breach of PII/PHI that the Business Associate has caused or is otherwise responsible for addressing. Breaches are not to be confused with security incidents (often referred to as cyber security incidents when electronic information is involved), which may or may not involve a breach of PII/PHI. In the event of a security incident not involving a PII/PHI breach, the Business Associate shall follow applicable DoD Information Assurance requirements under its Agreement. If at any point the Business Associate finds that a cyber security incident involves a PII/PHI breach (suspected or confirmed), the Business Associate shall immediately initiate the breach response procedures set forth here. The Business Associate shall also continue to follow any required cyber security incident response procedures to the extent needed to address security issues, as determined by DoD/DHA. VI. Termination (a) Termination. 
Noncompliance by the Business Associate (or any of its staff, agents, or subcontractors) with any requirement in this BAA may subject the Business Associate to termination under any applicable default or other termination provision of the Agreement. (b) Effect of Termination. (1) If the Agreement has records management requirements, the Business Associate shall handle such records in accordance with the records management requirements. If the Agreement does not have records management requirements, the records should be handled in accordance with paragraphs (2) and (3) below. If the Agreement has provisions for transfer of records and PII/PHI to a successor Business Associate, or if DHA gives directions for such transfer, the Business Associate shall handle such records and information in accordance with such Agreement provisions or DHA direction. (2) If the Agreement does not have records management requirements, except as provided in the following paragraph (3), upon termination of the Agreement, for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity that the Business Associate still maintains in any form. This provision shall apply to PHI that is in the possession of subcontractors or agents of the Business Associate. The Business Associate shall retain no copies of the PHI. (3) If the Agreement does not have records management provisions and the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. 
Upon mutual agreement of the Covered Entity and the Business Associate that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of the Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI. VII. Miscellaneous (a) Survival. The obligations of Business Associate under the "Effect of Termination" provision of this BAA shall survive the termination of the Agreement. (b) Interpretation. Any ambiguity in the Agreement shall be resolved in favor of a meaning that permits the Covered Entity and the Business Associate to comply with the HIPAA Rules and the DoD HIPAA Rules. (End of HCAA Local Clause 5001) CLAUSES INCORPORATED BY REFERENCE 52.212-1 Instructions to Offerors--Commercial Items JAN 2017 ADDENDUM 52.212-1 (m) The non-FAR Part 12 discretionary FAR and DFARS provisions included herein are incorporated into this solicitation either by reference or in full text. If incorporated by reference, see provision 52.252-1 herein for locations where full text can be found. (End of Addendum) CLAUSES INCORPORATED BY REFERENCE 52.204-16 Commercial and Government Entity Code Reporting JUL 2016 52.225-25 Prohibition on Contracting with Entities Engaging in Certain Activities or Transactions Relating to Iran-- Representation and Certifications. OCT 2015 CLAUSES INCORPORATED BY FULL TEXT 52.209-2 PROHIBITION ON CONTRACTING WITH INVERTED DOMESTIC CORPORATIONS-- REPRESENTATION (NOV 2015) (a) Definitions. Inverted domestic corporation and subsidiary have the meaning given in the clause of this contract entitled Prohibition on Contracting with Inverted Domestic Corporations (52.209-10). 
(b) Government agencies are not permitted to use appropriated (or otherwise made available) funds for contracts with either an inverted domestic corporation, or a subsidiary of an inverted domestic corporation, unless the exception at 9.108-2(b) applies or the requirement is waived in accordance with the procedures at 9.108-4. (c) Representation. The Offeror represents that-- (1) It [ ] is, [ ] is not an inverted domestic corporation; and (2) It [ ] is, [ ] is not a subsidiary of an inverted domestic corporation. (End of provision) 52.209-11 REPRESENTATION BY CORPORATIONS REGARDING DELINQUENT TAX LIABILITY OR A FELONY CONVICTION UNDER ANY FEDERAL LAW (FEB 2016) (a) As required by sections 744 and 745 of Division E of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L. 113-235), and similar provisions, if contained in subsequent appropriations acts, the Government will not enter into a contract with any corporation that-- (1) Has any unpaid Federal tax liability that has been assessed, for which all judicial and administrative remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability, where the awarding agency is aware of the unpaid tax liability, unless an agency has considered suspension or debarment of the corporation and made a determination that suspension or debarment is not necessary to protect the interests of the Government; or (2) Was convicted of a felony criminal violation under any Federal law within the preceding 24 months, where the awarding agency is aware of the conviction, unless an agency has considered suspension or debarment of the corporation and made a determination that this action is not necessary to protect the interests of the Government. 
(b) The Offeror represents that-- (1) It is [ ] is not [ ] a corporation that has any unpaid Federal tax liability that has been assessed, for which all judicial and administrative remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability; and (2) It is [ ] is not [ ] a corporation that was convicted of a felony criminal violation under a Federal law within the preceding 24 months. (End of provision) 52.252-1 SOLICITATION PROVISIONS INCORPORATED BY REFERENCE (FEB 1998) This solicitation incorporates one or more solicitation provisions by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. The offeror is cautioned that the listed provisions may include blocks that must be completed by the offeror and submitted with its quotation or offer. In lieu of submitting the full text of those provisions, the offeror may identify the provision by paragraph identifier and provide the appropriate information with its quotation or offer. Also, the full text of a solicitation provision may be accessed electronically at this/these address(es): http://farsite.hill.af.mil (End of provision) 52.252-5 AUTHORIZED DEVIATIONS IN PROVISIONS (APR 1984) (a) The use in this solicitation of any Federal Acquisition Regulation (48 CFR Chapter 1) provision with an authorized deviation is indicated by the addition of "(DEVIATION)" after the date of the provision. (b) The use in this solicitation of any DoD FAR Supplement (48 CFR Chapter 2) provision with an authorized deviation is indicated by the addition of "(DEVIATION)" after the name of the regulation. (End of provision) 252.203-7005 REPRESENTATION RELATING TO COMPENSATION OF FORMER DOD OFFICIALS (NOV 2011) (a) Definition. 
Covered DoD official is defined in the clause at 252.203-7000, Requirements Relating to Compensation of Former DoD Officials. (b) By submission of this offer, the offeror represents, to the best of its knowledge and belief, that all covered DoD officials employed by or otherwise receiving compensation from the offeror, and who are expected to undertake activities on behalf of the offeror for any resulting contract, are presently in compliance with all post-employment restrictions covered by 18 U.S.C. 207, 41 U.S.C. 2101-2107, and 5 CFR parts 2637 and 2641, including Federal Acquisition Regulation 3.104-2. (End of provision) 252.204-7008 COMPLIANCE WITH SAFEGUARDING COVERED DEFENSE INFORMATION CONTROLS (OCT 2016) (a) Definitions. As used in this provision-- Controlled technical information, covered contractor information system, covered defense information, cyber incident, information system, and technical information are defined in clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. (b) The security requirements required by contract clause 252.204-7012 shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract. (c) For covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government (see 252.204-7012(b)(2))-- (1) By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" (see http://dx.doi.org/10.6028/NIST.SP.800-171) that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017. 
(2)(i) If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of- (A) Why a particular security requirement is not applicable; or (B) How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection. (ii) An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP 800-171 requirements in writing prior to contract award. Any accepted variance from NIST SP 800-171 shall be incorporated into the resulting contract. (End of provision) 52.212-2 EVALUATION--COMMERCIAL ITEMS (OCT 2014) (a) See 52.212-2 Addendum (b) Options. The Government will evaluate offers for award purposes by adding the total price for all options to the total price for the basic requirement. The Government may determine that an offer is unacceptable if the option prices are significantly unbalanced. Evaluation of options shall not obligate the Government to exercise the option(s). (c) A written notice of award or acceptance of an offer, mailed or otherwise furnished to the successful offeror within the time for acceptance specified in the offer, shall result in a binding contract without further action by either party. Before the offer's specified expiration time, the Government may accept an offer (or part of an offer), whether or not there are negotiations after its receipt, unless a written notice of withdrawal is received before award. (End of provision) ADDENDUM 52.212-2 Award will be made using the lowest price technically acceptable (LPTA) source selection process. 
Award will be made to the responsible offeror on the basis of the lowest evaluated price of proposals meeting or exceeding the acceptability standards for non-cost factors. Award may be made without discussions with offerors (except communications conducted for the purpose of minor clarification). Therefore, each initial offer should contain the offeror's best terms from a technical and price standpoint. However, the Government reserves the right to conduct discussions if it is later determined by the contracting officer to be necessary. Paragraph (a) is hereby replaced with the following: The Government will award a contract resulting from this solicitation to the responsible offeror whose offer conforming to the solicitation is Lowest Price, Technically Acceptable (LPTA). Award will be made on an all or nothing basis. The following evaluation factors shall be used to evaluate offers: Technical Acceptability and Price 1. Technical Capability. The following adjectival ratings will be used in evaluating the offeror's technical quote: Acceptable - To receive this rating, the offeror's product shall meet each of the performance objectives set forth in the solicitation. Unacceptable - An unacceptable rating will be assessed on any offeror that presents items that demonstrate any of the following: Proposal does not meet the requirements as outlined in the RFQ and contains one or more deficiencies. Award will be made using Lowest Price Technically Acceptable (LPTA) process. On a separate sheet of paper, not to exceed 4 pages, the offeror shall provide a written overview of experience, equipment, and/or software used in providing the necessary tests. The written overview will be evaluated for familiarity and knowledge of performing tests (i.e. technically acceptable). Also, provide distance, in miles, from Dugway Proving Grounds, and Tooele Army Depot, UT to physical address in which the exercise stress test will be accomplished (i.e. technically acceptable). 
The written overview will be determined as "Acceptable" or "Unacceptable". Award will then be made on the basis of the lowest evaluated price of quotes meeting or exceeding the technical acceptability standards. Also, technical acceptability, for relative importance, is the same as price. Offerors with no relevant past or present performance history shall be treated neither favorably nor unfavorably. The government intends to award a contract without discussions with respective offerors. The government, however, reserves the right to conduct discussions if deemed in its best interest. TECHNICAL REQUIREMENTS: a. Offeror shall provide a written overview of experience and equipment used in providing required test. No more than 4 pages. Also, provide distance, in miles, from Dugway Proving Grounds, and Tooele Army Depot, UT to physical address in which the exercise stress test will be accomplished. b. Past Performance: The purpose of the past performance information is to allow the government to assess the offeror's ability to perform the effort described in this RFQ. The offeror shall provide a list of no more than two contracts with federal agencies or commercial customers within the last three years. Contracts include performance of efforts involving similar cardiology testing as the effort described in this solicitation. Past performance information will take into account past performance information regarding key personnel who have relevant experience, or subcontractors that will perform major or critical aspects of the requirement. c. Must provide proof of Medical Liability Insurance ($1 million/$3 million primary capacity and up to $50 million excess capacity). Potential contractors must be registered in the System for Award Management (SAM) to be eligible for award. SAM website is http://www.sam.gov. 2. 
Price Contractors must submit their proposals to the following address: Regional Health Contracting Office - Central MCAA-S Attn: Emerita Torres 3551 Roger Brooke Drive, Room L31- 9V Fort Sam Houston, TX 78234-6200 Proposals must be submitted on time to the mailing address above, or by fax to (210)221-3446 Attn: Emerita Torres or e-mail to emerita.torres.civ@mail.mil Evaluation Process: All quotes will be evaluated on their price and technical acceptability. The award decision will be based on the lowest priced technically acceptable quote. (End of provision) 52.212-3 OFFEROR REPRESENTATIONS AND CERTIFICATIONS--COMMERCIAL ITEMS (JAN 2017) ALTERNATE I (OCT 2014)
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/USA/MEDCOM/DADA09/W81K00-17-T-0358/listing.html)
 
Place of Performance
Address: Outpatient Services, Fort Carson, Utah, 80913, United States
Zip Code: 80913
 
Record
SN04601549-W 20170729/170727233111-70b238ddf8f0fbb9c1c419a7664c6725 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
