Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF AUGUST 25, 2017 FBO #5754
DOCUMENT

65 -- CIRRUS PHOTO WITH PRINTER - Attachment

Notice Date

8/23/2017
 

Notice Type

Attachment
 

NAICS

339112 — Surgical and Medical Instrument Manufacturing
 

Contracting Office

Department of Veterans Affairs;Network Contracting Office 4;1010 DELAFIELD ROAD;PITTSBURGH, PA 15215
 

ZIP Code

15215
 

Solicitation Number

VA24417Q1656
 

Response Due

8/30/2017
 

Archive Date

9/14/2017
 

Point of Contact

AMANDA SAUNDERS
 

Small Business Set-Aside

Service-Disabled Veteran-Owned Small Business
 

Description

VA HANDBOOK 6500.6 MARCH 12, 2010 APPENDIX D D- (i) This is a combined synopsis/solicitation for CIRRUS 800, BRAND NAME OR EQUAL, as prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotes are being requested and a written solicitation will not be issued. A firm-fixed price purchase order is anticipated. (ii) The solicitation number is VA244-17-Q-1656 and is issued as a request for quotation (RFQ). (iii) The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-95 (iv) This solicitation is set aside 100% for Service-Disabled Veteran-Owned Small Businesses and the associated NAICS 339112 code has a small business size standard of 1000. (v) Contract Line Items (CLIN): ITEM NUMBER DESCRIPTION OF SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT 0001 Cirrus photo 800 with Printer and CP table or equivalent must have the following specifications; Easy switching between fundus images registered with OCT scans and maps MulitMode Naviator-interactive 1.00 EA __________________ __________________ 0002 Installation 1.00 JB __________________ __________________ 0003 Shipping 1.00 EA __________________ __________________ 0004 Service Manual x 2 Operator Manual x 2 2.00 EA __________________ __________________ 0005 Training 1.00 JB __________________ __________________ GRAND TOTAL __________________ (vi) Comparable products must be brand name or equal in the following specifications: STATEMENT OF NEED The VA Butler Healthcare System (529) has a need for (1) Cirrus Photo 800 with printer and CP table or equivalent to be delivered, installed and training at the new Health Care Center (HCC) located at 353 North Duffy Road Butler PA 16001. Delivered on September 22, 2017. CLIN #1 Cirrus photo 800 with Printer and CP table or equivalent must have the following specifications; 120Volts Auto FOCUS Auto FLASH Color Image Separation (R, G, B) Enhanced Depth Imaging (EDI) MODE Fundus Auto fluoresence: Wheelchair accessible Network printer, sliding keyboard shelf, network isolator Operating system windows embedded Capable to do OCT scan, Fundus Photography, Fleurescein Angiography, Fundus and Autofluorescence GPA (Guided Progression Analysis). This report must display the forecasted measurements in future years. Must have the ability to import and integrate with OCT 5000/HFA 750i at VA Pittsburgh for the following test: Retina protocol : OCT MAC 200x200, with exact scanning speed at 27,000 A-scans -a second Macular progression analysis, 5 line raster. Glaucoma protocol: OCT RNFL, progression analysis Cornea: includes lenses for anterior segment imaging. Must Ability to provide an automated Glaucoma Scan report that is on the same 1 page report with the HFA 750i, which is called Combined Report. Must come with 1 year warranty parts and labor Be on Vista Imaging Approved DICOM Modality Interfaces List Must be compatible with FORUM Software STATEMENT OF WORK- DELIVERY, INSTALLATION, TRAINING STATEMENT OF WORK PART A GENERAL INFORMATION A.1 INTRODUCTION This contract is for the purchase, delivery, installation, and training of 1 (one) Cirrus Photo 800 with Printer and CP table or equivalent to meet the needs of VA Butler Healthcare in its Health Care Center (HCC) Optometry Clinic. A.2 BACKGROUND The equipment is an Optical Coherence Tomography (OCT) Multi-Modality fundus imaging system including fluorescein and ICG angiography,color and fundus auto fluorescence. The equipment has advanced algorithms to measure and display layers. Fovea Finder and Auto Center automatically ensure that measurements are made in the correct locations, taking the pressure off the operator to perfectly center the scans. Data cubes are automatically registered with data from prior visits, allowing for more detailed comparisons. Diversified normative databases for ONH, RNFL and macular thickness facilitate even more at-a-glance assessments. Enabling efficient cross-modality analysis, allows easy switching between fundus images registered with OCT scans and maps. A.3 SCOPE OF WORK This agreement will secure the hardware, software, and installation/configuration services needed to implement the Cirrus photo 800 with printer or equivalent. The hardware, software, and installation/configuration services covered by this agreement. STATEMENT OF WORK PART B WORK REQUIREMENTS The vendor: B.1.1 Will provide delivery of one (1) Cirrus Photo 800 with printer or equivalent to VA Butler Healthcare at an anticipated delivery date September 22, 2017 that will be coordinated between the vendor and the VA Butler Healthcare. B1.2 The one (1) Cirrus Photo 800 with printer or equivalent must have the following specifications: B1.2.1 Printer B1.2.2 Easy switching between fundus images registered with OCT scans and maps B1.2.3 Color Image Separation (R, G, B) B1.2.4 Voltage System: 120V B1.2.5 Filters for green, blue and fundus auto fluorescence images, UV/IR barrier filters and +FA + ICGA exciter and barrier filters, FA+ICGA exciter and barrier filters B1.2.6 Database for patient information and images with field angle, FA time, R/L recognition and date of visit are stored B1.2.7 Asymmetric, suitable for wheelchairs B1.2.8 Network printer, sliding keyboard shelf, network isolator B1.2.9 Auto Focus B1.2.10 Auto Flash B1.2.11 16 flash levels (30Ws) B1.2.12 24 flash levels (80Ws) B1.2.13 DICOM compliant: Be on Vista Imaging Approved DICOM Modality Interfaces List B1.2.14 C Drive or memory card will be remove after data migration and before turn in B1.2.15 Capable to do OCT scan, Fundus Photography, Fleurescein Angiography, Fundus and Auto fluorescence B1.2.16 Operating system windows embedded B1.2.17 Hard drive storage over 30,000 fundus images with OCT cube scans B1.2.18 Two operator manuals B1.2.19 Two service manuals B1.2.20 One year warranty parts and labor B1.2.21 Staff training (Clinical) B1.2.22 Shipping B1.2.23 Installation B1.2. 24 Must have the ability to import and integrate with OCT 5000/HFA 750i at VA Pittsburgh for the following test: Retina protocol : OCT MAC 200x200, with exact scanning speed at 27,000 A-scans -a second, Macular progression analysis, 5 line raster. Glaucoma protocol: OCT RNFL, progression analysis Cornea: includes lenses for anterior segment imaging. B1.2.25 Must Ability to provide an automated Glaucoma Scan report that is on the same 1 page report with the HFA 750i, which is called Combined Report. STATEMENT OF WORK GENERAL REQUIREMENTS C.1. The contractor shall adhere to the job site requirements listed below: C.1.1. All personnel to adhere to site safety requirements PPE at a minimum to include hard hats, safety glasses, high-visibility clothing, hard sole shoes. C.1.2. All personnel subject to a 30-minute site safety orientation conducted by General Contractor (GC). C.1.3. Vendor responsible for unloading, handling, unpacking; clean up to dumpster provided by GC C.1.4. Vendor to schedule deliveries through VA who would in turn schedule with GC. At the time of these deliveries, most if not all products will have to go through the loading dock, so a schedule will be arranged for dock use. C.1.5. VA to obtain and maintain current certificates of insurance for each vendor C.1.6. Vendor responsible for protecting product after installation C.1.7. Standard work hours are Monday Friday, 7:00 AM 3:30 PM C.1.8. Contractor shall provide proof of insurance to COR before any work starts STATEMENT OF WORK PART D SUPPORTING INFORMATION D.1. Place of Performance VA Butler Healthcare Medical Center and/or Health Care Center (hereafter referred to as, The VA, VAMC, or HCC ) D.2. Period of Performance Period covers installation and verification/testing of operations to ensure the equipment operate as marketed. D.3. Special Considerations D.3.1. Contractor Furnished Materials and Services D.3.1.1. Equipment to transport equipment (e.g., dollies, pallet jacks, etc.) D.3.1.2. Tools necessary to finalize installation of equipment (e.g., installation of casters, setup of shelving) D.3.2. Government Furnished Materials and Services D.3.2.1. Elevator access, power, and as optimal an operating environment as can be reasonably achieved. D.3.3. Qualifications of Key Personnel Each party will determine the level of skills and adequate training for personnel supplied. ______________________________________ Authorized Company Representative Signature D.3.4. Contractor s Statement of Release - In consideration of the modification agreed to herein as complete equitable adjustment, the Contractor hereby releases the Government from any and all liability under this contract for further equitable adjustments attributable to this modification. D.3.5. VA Butler Healthcare will provide a secure area for operation of the purchased equipment VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS A contractor/subcontrator shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. VA INFORMATION CUSTODIAL LANGUAGE Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). VA information should not be co-mingled, if possible, with any other data on the contractors/subcontractor s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA s information is returned to the VA or destroyed in accordance with VA s sanitization requirements. VA reserves the right to conduct on site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. The contractor/subcontractor s firewall and Web services security controls, if applicable, shall meet or exceed VA s minimum requirements. VA Configuration Guidelines are available upon request. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR. SECURITY INCIDENT INVESTIGATION The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. LIQUIDATED DAMAGES FOR DATA BREACH Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. Each risk analysis shall address all relevant information concerning the data breach, including the following: NATURE OF THE EVENT (LOSS, THEFT, UNAUTHORIZED ACCESS); DESCRIPTION OF THE EVENT, INCLUDING: (A) DATE OF OCCURRENCE; (B) DATA ELEMENTS INVOLVED, INCLUDING ANY PII, SUCH AS FULL NAME, SOCIAL SECURITY NUMBER, DATE OF BIRTH, HOME ADDRESS, ACCOUNT NUMBER, DISABILITY CODE; (3) NUMBER OF INDIVIDUALS AFFECTED OR POTENTIALLY AFFECTED; (4) NAMES OF INDIVIDUALS OR GROUPS AFFECTED OR POTENTIALLY AFFECTED; (5) EASE OF LOGICAL DATA ACCESS TO THE LOST, STOLEN OR IMPROPERLY ACCESSED DATA IN LIGHT OF THE DEGREE OF PROTECTION FOR THE DATA, E.G., UNENCRYPTED, PLAIN TEXT; (6) AMOUNT OF TIME THE DATA HAS BEEN OUT OF VA CONTROL; (7) THE LIKELIHOOD THAT THE SENSITIVE PERSONAL INFORMATION WILL OR HAS BEEN COMPROMISED (MADE ACCESSIBLE TO AND USABLE BY UNAUTHORIZED PERSONS); (8) KNOWN MISUSES OF DATA CONTAINING SENSITIVE PERSONAL INFORMATION, IF ANY; (9) ASSESSMENT OF THE POTENTIAL HARM TO THE AFFECTED INDIVIDUALS; (10) DATA BREACH ANALYSIS AS OUTLINED IN 6500.2 HANDBOOK, MANAGEMENT OF SECURITY AND PRIVACY INCIDENTS, AS APPROPRIATE; AND (11) WHETHER CREDIT PROTECTION SERVICES MAY ASSIST RECORD SUBJECTS IN AVOIDING OR MITIGATING THE RESULTS OF IDENTITY THEFT BASED ON THE SENSITIVE PERSONAL INFORMATION THAT MAY HAVE BEEN COMPROMISED. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $______ per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: (1) NOTIFICATION; (2) ONE YEAR OF CREDIT MONITORING SERVICES CONSISTING OF AUTOMATIC DAILY MONITORING OF AT LEAST 3 RELEVANT CREDIT BUREAU REPORTS; (3) DATA BREACH ANALYSIS; (4) FRAUD RESOLUTION SERVICES, INCLUDING WRITING DISPUTE LETTERS, INITIATING FRAUD ALERTS AND CREDIT FREEZES, TO ASSIST AFFECTED INDIVIDUALS TO BRING MATTERS TO RESOLUTION; (5) ONE YEAR OF IDENTITY THEFT INSURANCE WITH $20,000.00 COVERAGE AT $0 DEDUCTIBLE; AND (6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. TRAINING All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems; Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training; Successfully complete the appropriate VA privacy training and annually complete required privacy training; and Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.] The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL All personnel employed by the Contractor and performing work VAPHS must comply with Homeland Security Presidential Directive 12 (HSPD-12).    Office of Management and Budget (OMB) Guidance M-05-24 and Federal Information Processing Standards Publication (FIPS PUB) Number 201, which requires all federal employees, contractors, and affiliates to have a Personal Identity Verification (PIV) identification card.    The PIV process will be initiated and completed by the VA Medical Center.    The Contractor Research Associates will be responsible for all costs associated with transportation of the employee to the VA Medical Center to initiate the fingerprinting and overall. a.              All Contractor employees who require access to the Department of Veterans Affairs' computer system, access to sensitive records or require access to the facility shall be the subject of a background investigation and must receive a favorable adjudication from the VA Office of Security and Law Enforcement prior to contract performance.    This requirement is applicable to all Subcontractor personnel requiring the same access.    If the investigation is not completed prior to the start of the contract, the Contractor will be responsible for the actions of those individuals they provide to perform work for VA. i.            Position Sensitivity - The position sensitivity has been designated as low risk. ii.            Background Investigation - The level of background investigation commensurate with the required level of access is T1, form required is a SF85 iii.            Contractor Responsibilities 1.              The contractor shall bear the expense of obtaining background investigations, regardless of the final adjudication determination. A Bill of Collections shall be generated by the VA after final adjudication determination has been received. The VA facility will pay for investigations conducted by the Office of Personnel Management (OPM) in advance. In these instances, the contractor shall reimburse VA within 30 calendar days of receiving the Bill of Collections. 2.              The Contractor shall review the packet of information provided by the VA regarding background investigations and complete and submit required forms as directed in the instructions. 3.              The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract. 4.              Contractor shall provide names of backup personnel to COR for investigation within two weeks of replacement. 5.              Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default. iv.            Government Responsibilities 1.              Upon contract award, the VA will provide the Contractor with a packet of information regarding the background investigation process. This packet will contain instructions and forms that must be completed in order to initiate the background investigation process. 2.              The VA facility will pay for investigations conducted by the Office of Personnel Management (OPM) in advance.    In these instances, the Contractor will reimburse the VA facility within 30 calendar days. 3.              The VA Office of Security and Law Enforcement will notify the Contracting Officer and Contractor after adjudicating the results of the background investigations received from OPM. (viii) The provision at 52.212-1, Instructions to Offerors -- Commercial, applies to this acquisition and the following clauses AND instructions are added as addenda: CLAUSES: 52.211-6 Brand Name or Equal (AUG 1999) 52.214-21 Descriptive Literature (APR 2002) 852.211-73 Brand Name or Equal. (JAN 2008) 852-219-10 VA Notice of Total Service-Disabled Veteran-Owned Small Business Set-Aside (ix) Evaluation of this requirement will be based on PRICE ONLY. (x) Offerors are advised to include a completed copy of the provision at 52.212-3, Offeror Representations and Certifications -- Commercial Items, with its offer if has not been completed on SAM.gov. (xi) The clause at 52.212-4, Contract Terms and Conditions -- Commercial Items, applies to this acquisition and the following clauses are added as addenda: (End of Clause) 52.252-2 CLAUSES INCORPORATED BY REFERENCE (FEB 1998) This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): http://farsite.hill.af.mil https://acquisition.gov/far (End of Clause) 852.203-70 Commercial Advertising (JAN 2008) 852.246-71 Inspection (Jan 2008) (xii) The clause at 52.212-5, Contract Terms and Conditions Required To Implement Statutes Or Executive Orders -- Commercial Items, applies to this acquisition and the following additional FAR clauses cited in the clause are applicable to the acquisition: 52.204-10 Reporting Executive Compensation & First-Tier Subcontract Awards (OCT 2015) 52.209-6 Protecting the Government s Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment (OCT 2015) 52.219-28 Post Award Small Business Program Representation (JUL 2013) 52.222-19 Child Labor--Cooperation with Authorities and Remedies (FEB 2016) (E.O. 13126) 52.222-21 Prohibition of Segregated Facilities (APR 2015) 52.222-26 Equal Opportunity (APR 2015) 52.222-36 Equal Opportunity for Workers with Disabilities (JUL 2014) 52.222-50 Combating Trafficking in Persons (MAR 2015) 52.223-18 Encouraging Contractor Policies to Ban Text Messaging While Driving (AUG 2011) 52.225-3 Buy American--Free Trade Agreements--Israeli Trade Act (MAY 2014) 52.225-13 Restrictions on Certain Foreign Purchases (JUNE 2008) 52.232-34 Payment by Electronic Funds Transfer--Other than System for Award Management (JUL 2013) 52.232-40 Providing Accelerated Payments to Small Business Subcontractors (xiii) There are no additional contract requirements, terms or conditions. (xiv) The Defense Priorities and Allocations System (DPAS) ratings are NOT APPLICABLE. (xv) Quotes must be emailed to amanda.saunders@va.gov and received no later than NOON EST on 8/30/2017. Quotes may be submitted on this document or the vendor s own form. NO LATES WILL BE ACCEPTED (xvi) For information regarding the solicitation, please contact Amanda Saunders at amanda.saunders@va.gov **MUST BE RETURNED WITH QUOTE** VA Privacy Training for Personnel without Access to VA Computer Systems or Direct Access or Use to VA Sensitive Information The Department of Veterans Affairs, VA must comply with all applicable privacy and confidentiality statutes and regulations. One of the requirements in VA is to have all personnel trained annually on privacy requirements. Privacy represents what must be protected by VA in the collection, use, and disclosure of personal information whether the medium is electronic, paper or verbal. This document satisfies the basic privacy training requirement for a contractor, volunteer, or other personnel only if the individual does not use or have access to any VA computer system such as Time and Attendance, PAID, CPRS, VistA Web, VA sensitive information or protected health information (PHI), whether paper or electronic. You will find this training outlines your roles and responsibility for protecting VA sensitive information (medical, financial, or educational) that you may incidentally or accidentally see or overhear. If you have direct access to protected health information or access to a VA computer system where there is protected health information such as CPRS, VistA Web, you must take Privacy and HIPAA Focused Training (TMS 10203). VA Privacy and Information Security Awareness and Rules of Behavior (TMS 10176) is always required in order to use or gain access to a VA computer systems or VA sensitive information, whether or not protected health information is included. Both trainings are located within the VA Talent Management System (TMS): https://www.tms.va.gov What is VA Sensitive Information/Data? All Department information and/or data on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes not only information that identifies an individual but also other information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions. What is Protected Health Information? The HIPAA Privacy Rule defines protected health information as Individually Identifiable Health Information transmitted or maintained in any form or medium by a covered entity, such as VHA. What is an Incidental Disclosure? An incidental disclosure is one where an individual s information may be disclosed incidentally even though appropriate safeguards are in place. Due to the nature of VA communications and practices, as well as the various environments in which Veterans receive healthcare or other services from VA, the potential exists for a Veteran s protected health information or VA sensitive information to be disclosed incidentally. For example: You overhear a healthcare provider s conversation with another provider or patient even when the conversation is taken place appropriately. You may see limited Veteran information on sign-in sheets or white boards within a treating area of the facility. Hearing a Veteran s name being called out for an appointment or when the Veteran is being transported/escorted to and from an appointment. Safeguards You Must Follow To Secure VA Sensitive Information: Secure any VA sensitive information found in unsecured public areas (parking lot, trash can, or vacated area) until information can be given to your supervisor or Privacy Officer. You must report such incidents to your Privacy Officer timely. Don t take VA sensitive information off facilities grounds without VA permission unless the VA information is general public information, i.e., brochures/pamphlets. Don t take pictures using a personal camera without the permission from the Medical Center Director. Any protected health information overheard or seen in VA should not be discussed or shared with anyone who does not have a need to know the information in the performance of their official job duties, this includes spouses, employers or colleagues. Do not share VA access cards, keys, or codes to enter the facility. Immediately report lost or stolen Personal Identity Verification (PIV) or Veteran Health Identification Cards (VHIC), any VA keys or keypad lock codes to your supervisor or VA police. Do not use a VA computer using another VA employee s access and password. Do not ask another VA employee to access your own protected health information. You must request this information in writing from the Release of Information section at your facility. What are the Six Privacy Laws and Statutes Governing VA? Freedom of Information Act (FOIA) compels disclosure of reasonably described VA records or a reasonably segregated portion of the records to any person upon written request unless one or more of the nine exemptions apply. Privacy Act of 1974 provides for the confidentiality of personal information about a living individual who is a United States citizen or an alien lawfully admitted to U.S. and whose information is retrieved by the individual s name or other unique identifier, e.g. Social Security Number. Health Insurance Portability and Accountability Act (HIPAA) provides for the improvement of the efficiency and effectiveness of health care systems by encouraging the development of health information systems through the establishment of standards and requirements for the electronic transmission, privacy, and security of certain health information. 38 U.S.C. 5701 provides for the confidentiality of all VA patient and claimant information, with special protection for their names and home addresses. 38 U.S.C. 7332 provides for the confidentiality of drug abuse, alcoholism and alcohol abuse, infection with the human immunodeficiency virus (HIV) and sickle cell anemia medical records and health information. 38 U.S.C. 5705 provides for the confidentiality of designated medical-quality assurance documents. What are the Privacy Rules Concerning Use and Disclosure? You are not authorized to use or disclose protected health information. In general, VHA personnel may only use information for purposes of treatment, payment or healthcare operations when they have a need-to-know in the course of their official job duties. VHA may only disclose protected health information upon written request by the individual who is the subject of the information or as authorized by law. How is Privacy Enforced? There are both civil and criminal penalties, including monetary penalties that may be imposed if a privacy violation has taken place. Any willful negligent or intentional violation of an individual s privacy by VA personnel, contract staff, volunteers, or others may result in such corrective action as deemed appropriate by VA including the potential loss of employment, contract, or volunteer status. Know your VA/VHA Privacy Officer and Information Security Officer. These are the individuals to whom you can report any potential violation of protected health information or VA sensitive information, or any other concerns regarding privacy of VA sensitive information. YOU ARE RESPONSIBLE FOR PROTECTING THE CONFIDENTIAL INFORMATION OF OUR VETERANS __________________________________________ ________________ Employee (Print Name) Date __________________________________________ Employee Signature __________________________________________ Print Name of Contract Agency, if contractor __________________________________________ Print Name of VHA Department/Supervisor/Contracting Officer PROVIDE A COPY OF THIS FORM TO YOUR SUPERVISOR/CONTRACTING OFFICER FOR DATA ENTRY INTO TALENT MANAGEMENT SYSTEM CONTRACTOR RULES OF BEHAVIOR **MUST BE RETURNED WITH QUOTE** This User Agreement contains rights and authorizations regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the Department of Veterans Affairs (VA). This User Agreement covers my access to all VA data whether electronic or hard copy ("Data"), VA information systems and resources ("Systems"), and VA sites ("Sites"). This User Agreement incorporates Rules of Behavior for using VA, and other information systems and resources under the contract. 1. GENERAL TERMS AND CONDITIONS FOR ALL ACTIONS AND ACTIVITIES UNDER THE CONTRACT: I understand and agree that I have no reasonable expectation of privacy in accessing or using any VA, or other Federal Government information systems. I consent to reviews and actions by the Office of Information & Technology (OI&T) staff designated and authorized by the VA Chief Information Officer (CIO) and to the VA OIG regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA. These actions may include monitoring, recording, copying, inspecting, restricting access, blocking, tracking, and disclosing to all authorized OI&T, VA, and law enforcement personnel as directed by the VA CIO without my prior consent or notification. I consent to reviews and actions by authorized VA systems administrators and Information Security Officers solely for protection of the VA infrastructure, including, but not limited to monitoring, recording, auditing, inspecting, investigating, restricting access, blocking, tracking, disclosing to authorized personnel, or any other authorized actions by all authorized OI&T, VA, and law enforcement personnel. I understand and accept that unauthorized attempts or acts to access, upload, change, or delete information on Federal Government systems; modify Federal government systems; deny access to Federal government systems; accrue resources for unauthorized use on Federal government systems; or otherwise misuse Federal government systems or resources are prohibited. I understand that such unauthorized attempts or acts are subject to action that may result in criminal, civil, or administrative penalties. This includes penalties for violations of Federal laws including, but not limited to, 18 U.S.C. §1030 (fraud and related activity in connection with computers) and 18 U.S.C. §2701 (unlawful access to stored communications). I agree that OI&T staff, in the course of obtaining access to information or systems on my behalf for performance under the contract, may provide information about me including, but not limited to, appropriate unique personal identifiers such as date of birth and social security number to other system administrators, Information Security Officers (ISOs), or other authorized staff without further notifying me or obtaining additional written or verbal permission from me. I understand I must comply with VA s security and data privacy directives and handbooks. I understand that copies of those directives and handbooks can be obtained from the Contracting Officer's Technical Representative (COTR). If the contractor believes the policies and guidance provided by the COTR is a material unilateral change to the contract, the contractor must elevate such concerns to the Contracting Officer for resolution. I will report suspected or identified information security/privacy incidents to the COTR and to the local ISO or Privacy Officer as appropriate. 2. GENERAL RULES OF BEHAVIOR Rules of Behavior are part of a comprehensive program to provide complete information security. These rules establish standards of behavior in recognition of the fact that knowledgeable users are the foundation of a successful security program. Users must understand that taking personal responsibility for the security of their computer and the information it contains is an essential part of their job. The following rules apply to all VA contractors. I agree to: Follow established procedures for requesting, accessing, and closing user accounts and access. I will not request or obtain access beyond what is normally granted to users or by what is outlined in the contract. Use only systems, software, databases, and data which I am authorized to use, including any copyright restrictions. I will not use other equipment (OE) (non-contractor owned) for the storage, transfer, or processing of VA sensitive information without a VA CIO approved waiver, unless it has been reviewed and approved by local management and is included in the language of the contract. If authorized to use OE IT equipment, I must ensure that the system meets all applicable 6500 Handbook requirements for OE. Not use my position of trust and access rights to exploit system controls or access information for any reason other than in the performance of the contract. Not attempt to override or disable security, technical, or management controls unless expressly permitted to do so as an explicit requirement under the contract or at the direction of the COTR or ISO. If I am allowed or required to have a local administrator account on a government-owned computer, that local administrative account does not VA HANDBOOK 6500.6 MARCH 12, 2010 APPENDIX D MARCH 12, 2010 VA HANDBOOK 6500.6 APPENDIX D D- D- confer me unrestricted access or use, nor the authority to bypass security or other controls except as expressly permitted by the VA CIO or CIO's designee. Contractors use of systems, information, or sites is strictly limited to fulfill the terms of the contract. I understand no personal use is authorized. I will only use other Federal government information systems as expressly authorized by the terms of those systems. I accept that the restrictions under ethics regulations and criminal law still apply. Grant access to systems and information only to those who have an official need to know. Protect passwords from access by other individuals. Create and change passwords in accordance with VA Handbook 6500 on systems and any devices protecting VA information as well as the rules of behavior and security settings for the particular system in question. Protect information and systems from unauthorized disclosure, use, modification, or destruction. I will only use encryption that is FIPS 140-2 validated to safeguard VA sensitive information, both safeguarding VA sensitive information in storage and in transit regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA. Follow VA Handbook 6500.1, Electronic Media Sanitization to protect VA information. I will contact the COTR for policies and guidance on complying with this requirement and will follow the COTR's orders. Ensure that the COTR has previously approved VA information for public dissemination, including e-mail communications outside of the VA as appropriate. I will not make any unauthorized disclosure of any VA sensitive information through the use of any means of communication including but not limited to e-mail, instant messaging, online chat, and web bulletin boards or logs. Not host, set up, administer, or run an Internet server related to my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA unless explicitly authorized under the contract or in writing by the COTR. Protect government property from theft, destruction, or misuse. I will follow VA directives and handbooks on handling Federal government IT equipment, information, and systems. I will not take VA sensitive information from the workplace without authorization from the COTR. VA HANDBOOK 6500.6 MARCH 12, 2010 APPENDIX D D-4 Only use anti-virus software, antispyware, and firewall/intrusion detection software authorized by VA. I will contact the COTR for policies and guidance on complying with this requirement and will follow the COTR's orders regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with VA. Not disable or degrade the standard anti-virus software, antispyware, and/or firewall/intrusion detection software on the computer I use to access and use information assets or resources associated with my performance of services under the contract terms with VA. I will report anti-virus, antispyware, firewall or intrusion detection software errors, or significant alert messages to the COTR. Understand that restoration of service of any VA system is a concern of all users of the system. Complete required information security and privacy training, and complete required training for the particular systems to which I require access. 3. ADDITIONAL CONDITIONS FOR USE OF NON- VA INFORMATION TECHNOLOGY RESOURCES When required to complete work under the contract, I will directly connect to the VA network whenever possible. If a direct connection to the VA network is not possible, then I will use VA approved remote access software and services. Remote access to non-public VA information technology resources is prohibited from publicly-available IT computers, such as remotely connecting to the internal VA network from computers in a public library. I will not have both a VA network line and any kind of non-VA network line including a wireless network card, modem with phone line, or other network device physically connected to my computer at the same time, unless the dual connection is explicitly authorized by the COTR. I understand that I may not obviate or evade my responsibility to adhere to VA security requirements by subcontracting any work under any given contract or agreement with VA, and that any subcontractor(s) I engage shall likewise be bound by the same security requirements and penalties for violating the same. 4. STATEMENT ON LITIGATION This User Agreement does not and should not be relied upon to create any other right or benefit, substantive or procedural, enforceable by law, by a party to litigation with the United States Government. COMBINED SYNOPSIS SOLICITATION 5. ACKNOWLEDGEMENT AND ACCEPTANCE I acknowledge receipt of this User Agreement. I understand and accept all terms and conditions of this User Agreement, and I will comply with the terms and conditions of this agreement and any additional VA warning banners, directives, handbooks, notices, or directions regarding access to or use of information systems or information. The terms and conditions of this document do not supersede the terms and conditions of the signatory s employer and VA. Print or type your full name Signature Last 4 digits of SSN Date Office Phone Position Title Contractor s Company Please complete and return the original signed Name document to the COTR within the timeframe stated in the terms of the contract. **MUST BE RETURNED WITH QUOTE** BUSINESS ASSOCIATE AGREEMENT BETWEEN THE DEPARTMENT OF VETERANS AFFAIRS VETERANS HEALTH ADMINISTRATION, BUTLER HCC AND The purpose of this Business Associate Agreement (Agreement) is to establish requirements for the Department of Veterans Affairs (VA), Veterans Health Administration (VHA), BUTLER HCC and in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, and the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules ( HIPAA Rules ), 45 C.F.R. Parts 160 and 164, for the Use and Disclosure of Protected Health Information (PHI) under the terms and conditions specified below. Scope. Under this Agreement and other applicable contracts or agreements, will provide CIRRUS 800 services to, for, or on behalf of BUTLER HCC. In order for to provide such services, BUTLER HCC will disclose PHI to, and will use or disclose PHI in accordance with this Agreement. Definitions. Unless otherwise provided, the following terms used in this Agreement have the same meaning as defined by the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (PHI), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Business Associate shall have the same meaning as described at 45 C.F.R. § 160.103. For the purposes of this Agreement, Business Associate shall refer to, including its employees, officers, or any other agents that create, receive, maintain, or transmit PHI as described below. Covered Entity shall have the same meaning as the term is defined at 45 C.F.R. § 160.103. For the purposes of this Agreement, Covered Entity shall refer to BUTLER HCC. Protected Health Information or PHI shall have the same meaning as described at 45 C.F.R. § 160.103. Protected Health Information and PHI as used in this Agreement include Electronic Protected Health Information and EPHI. For the purposes of this Agreement and unless otherwise provided, the term shall also refer to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity or receives from Covered Entity or another Business Associate. Subcontractor shall have the same meaning as the term is defined at 45 C.F.R. § 160.103. For the purposes of this Agreement, Subcontractor shall refer to a contractor of any person or entity, other than Covered Entity, that creates, receives, maintains, or transmits PHI under the terms of this Agreement. Terms and Conditions. Covered Entity and Business Associate agree as follows: 1. Ownership of PHI. PHI is and remains the property of Covered Entity as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate agreement is in place. 2. Use and Disclosure of PHI by Business Associate. Unless otherwise provided, Business Associate: A. May not use or disclose PHI other than as permitted or required by this Agreement, or in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except that it may use or disclose PHI: (1) As required by law or to carry out its legal responsibilities; (2) For the proper management and administration of Business Associate; or (3) To provide Data Aggregation services relating to the health care operations of Covered Entity. B. Must use or disclose PHI in a manner that complies with Covered Entity s minimum necessary policies and procedures. C. May de-identify PHI created or received by Business Associate under this Agreement at the request of the Covered Entity, provided that the de-identification conforms to the requirements of the HIPAA Privacy Rule. 3. Obligations of Business Associate. In connection with any Use or Disclosure of PHI, Business Associate must: A. Consult with Covered Entity before using or disclosing PHI whenever Business Associate is uncertain whether the Use or Disclosure is authorized under this Agreement. B. Implement appropriate administrative, physical, and technical safeguards and controls to protect PHI and document applicable policies and procedures to prevent any Use or Disclosure of PHI other than as provided by this Agreement. C. Provide satisfactory assurances that PHI created or received by Business Associate under this Agreement is protected to the greatest extent feasible. D. Notify Covered Entity within twenty-four (24) hours of Business Associate s discovery of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI. (1) Any incident as described above will be treated as discovered as of the first day on which such event is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. (2) Notification shall be sent to the ELAINE RAY; ELAINE.RAY@VA.GOV and to the VHA Health Information Access Office, Business Associate Program Manager by email at VHABAAIssues@va.gov. (3) Business Associate shall not notify individuals or the Department of Health and Human Services directly unless Business Associate is not acting as an agent of Covered Entity but in its capacity as a Covered Entity itself. E. Provide a written report to Covered Entity of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI, within ten (10) business days of the initial notification. (1) The written report of an incident as described above will document the following: (a) The identity of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, disclosed, modified, or destroyed; (b) A description of what occurred, including the date of the incident and the date of the discovery of the incident (if known); (c) A description of the types of secured or unsecured PHI that was involved; (d) A description of what is being done to investigate the incident, to mitigate further harm to Individuals, and to protect against future incidents; and (e) Any other information as required by 45 C.F.R. § § 164.404(c) and 164.410. (2) The written report shall be addressed to: ELAINE RAY and submitted by email to ELAINE.RAY@VA.GOV and to the VHA Health Information Access Office, Business Associate Program Manager at VHABAAIssues@va.gov. F. To the greatest extent feasible, mitigate any harm due to a Use or Disclosure of PHI by Business Associate in violation of this Agreement that is known or, by exercising reasonable diligence, should have been known to Business Associate. G. Use only contractors and Subcontractors that are physically located within a jurisdiction subject to the laws of the United States, and ensure that no contractor or Subcontractor maintains, processes, uses, or discloses PHI in any way that will remove the information from such jurisdiction. Any modification to this provision must be approved by Covered Entity in advance and in writing. H. Enter into Business Associate Agreements with contractors and Subcontractors as appropriate under the HIPAA Rules and this Agreement. Business Associate: (1) Must ensure that the terms of any Agreement between Business Associate and a contractor or Subcontractor are at least as restrictive as Business Associate Agreement between Business Associate and Covered Entity. (2) Must ensure that contractors and Subcontractors agree to the same restrictions and conditions that apply to Business Associate and obtain satisfactory written assurances from them that they agree to those restrictions and conditions. (3) May not amend any terms of such Agreement without Covered Entity s prior written approval. I. Within five (5) business days of a written request from Covered Entity: (1) Make available information for Covered Entity to respond to an Individual s request for access to PHI about him/her. (2) Make available information for Covered Entity to respond to an Individual s request for amendment of PHI about him/her and, as determined by and under the direction of Covered Entity, incorporate any amendment to the PHI. (3) Make available PHI for Covered Entity to respond to an Individual s request for an accounting of Disclosures of PHI about him/her. J. Business Associate may not take any action concerning an individual s request for access, amendment, or accounting other than as instructed by Covered Entity. K. To the extent Business Associate is required to carry out Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the provisions that apply to Covered Entity in the performance of such obligations. L. Provide to the Secretary of Health and Human Services and to Covered Entity records related to Use or Disclosure of PHI, including its policies, procedures, and practices, for the purpose of determining Covered Entity s, Business Associate s, or a Subcontractor s compliance with the HIPAA Rules. M. Upon completion or termination of the applicable contract(s) or agreement(s), return or destroy, as determined by and under the direction of Covered Entity, all PHI and other VA data created or received by Business Associate during the performance of the contract(s) or agreement(s). No such information will be retained by Business Associate unless retention is required by law or specifically permitted by Covered Entity. If return or destruction is not feasible, Business Associate shall continue to protect the PHI in accordance with the Agreement and use or disclose the information only for the purpose of making the return or destruction feasible, or as required by law or specifically permitted by Covered Entity. Business Associate shall provide written assurance that either all PHI has been returned or destroyed, or any information retained will be safeguarded and used and disclosed only as permitted under this paragraph. N. Be liable to Covered Entity for civil or criminal penalties imposed on Covered Entity, in accordance with 45 C.F.R. § § 164.402 and 164.410, and with the HITECH Act, 42 U.S.C. § § 17931(b), 17934(c), for any violation of the HIPAA Rules or this Agreement by Business Associate. 4. Obligations of Covered Entity. Covered Entity agrees that it: A. Will not request Business Associate to make any Use or Disclosure of PHI in a manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if made by Covered Entity, except as permitted under Section 2 of this Agreement. B. Will promptly notify Business Associate in writing of any restrictions on Covered Entity s authority to use or disclose PHI that may limit Business Associate s Use or Disclosure of PHI or otherwise affect its ability to fulfill its obligations under this Agreement. C. Has obtained or will obtain from Individuals any authorization necessary for Business Associate to fulfill its obligations under this Agreement. D. Will promptly notify Business Associate in writing of any change in Covered Entity s Notice of Privacy Practices, or any modification or revocation of an Individual s authorization to use or disclose PHI, if such change or revocation may limit Business Associate s Use and Disclosure of PHI or otherwise affect its ability to perform its obligations under this Agreement. 5. Amendment. Business Associate and Covered Entity will take such action as is necessary to amend this Agreement for Covered Entity to comply with the requirements of the HIPAA Rules or other applicable law. 6. Termination. A. Automatic Termination. This Agreement will automatically terminate upon completion of Business Associate s duties under all underlying Agreements or by termination of such underlying Agreements. B. Termination Upon Review. This Agreement may be terminated by Covered Entity, at its discretion, upon review as provided by Section 9 of this Agreement. C. Termination for Cause. In the event of a material breach by Business Associate, Covered Entity: (1) Will provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Covered Entity, and; (2) May terminate this Agreement and underlying contract(s) if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity. D. Effect of Termination. Termination of this Agreement will result in cessation of activities by Business Associate involving PHI under this Agreement. E. Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate Agreement is in place. 7. No Third Party Beneficiaries. Nothing expressed or implied in this Agreement confers any rights, remedies, obligations, or liabilities whatsoever upon any person or entity other than Covered Entity and Business Associate, including their respective successors or assigns. 8. Other Applicable Law. This Agreement does not abrogate any responsibilities of the parties under any other applicable law. 9. Review Date. The provisions of this Agreement will be reviewed by Covered Entity every two years from Effective Date to determine the applicability and accuracy of the Agreement based on the circumstances that exist at the time of review. 10. Effective Date. This Agreement shall be effective on the last signature date below. Department of Veterans Affairs COMPANY/ORGANIZATION Veterans Health Administration By: By: Name: Name: Title: Title: Date: Date:
 

Web Link

FBO.gov Permalink
(https://www.fbo.gov/spg/VA/PiVAMC646/PiVAMC646/VA24417Q1656/listing.html)
 

Document(s)

Attachment
 

File Name: VA244-17-Q-1656 VA244-17-Q-1656.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3751568&FileName=VA244-17-Q-1656-000.docx)

Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3751568&FileName=VA244-17-Q-1656-000.docx

 

Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
 

Place of Performance

Address: BUTLER HCC;353 North Duffy Road;BUTLER, PA

Zip Code: 16001
 

Record

SN04643430-W 20170825/170823233529-30447783c77ce390fdc937dd7c2c5145 (fbodaily.com)
 

Source

FedBizOpps Link to This Notice
(may not be valid after Archive Date)

---

| FSG Index  |  This Issue's Index  |  Today's FBO Daily Index Page |