SOLICITATION NOTICE
L -- Radiation Survey Testing
- Notice Date
- 5/29/2019
- Notice Type
- Synopsis
- NAICS
- 541380 (Testing Laboratories)
- Contracting Office
- Department of Veterans Affairs;Ralph H. Johnson VA Medical Center;109 Bee Street;Charleston SC 29403-5799
- ZIP Code
- 29403-5799
- Solicitation Number
- 36C24719Q0587
- Response Due
- 6/14/2019
- Archive Date
- 6/19/2019
- Point of Contact
- John.Norway@va.gov
- Small Business Set-Aside
- Veteran-Owned Small Business
- Description
- Statement of Work Medical Physicist Ralph H. Johnson VA Medical Center The Contractor shall furnish all labor, material, supplies, equipment, and qualified personnel to provide on-site diagnostic medical physics support or services for the Veterans Health Administration (VHA), under the terms and conditions stated herein and must adhere to VHA Directive 1105.04, Fluoroscopy Safety, dated June 21, 2018, VHA Directive 1129, all Joint Commission Healthcare Standards, Food Drug Administration regulations regarding x-ray equipment, VA National Health Physics Program rules and regulations, and all applicable Federal and state regulations. The Contractor shall comply with radiation protection standards in 29 CFR 1910.1096 and immediately report any unsafe conditions with the potential to adversely impact the facility's radiation safety workers or patients to the Radiation Safety Officer (RSO). Equipment requiring inspection is located at four locations, which include: Ralph H. Johnson VA Medical Center, 109 Bee Street, Charleston, SC 29401 (Location of most of the equipment). Savannah VA Outpatient Clinic, 1170 Shawnee Street, Savannah, GA 31419 Myrtle Beach VA Outpatient Clinic, 3381 Phyllis Blvd., Myrtle Beach, SC 29577 Hinesville VA Outpatient Clinic, 500 Oglethorpe Hwy., Hinesville, GA, 31313 General Requirements Performance All work shall be performed by a qualified diagnostic medical physicist. A qualified diagnostic medical physicist is a person who is certified in diagnostic radiologic physics or radiologic physics by the American Board of Radiology (ABR), American Board of Medical Physics (ABMP), or the Canadian College of Physicists in Medicine. 
For diagnostic computed tomography (CT), a qualified medical physicist can meet the following requirements in lieu of board certification: A graduate degree in physics, medical physics, biophysics, radiologic physics, medical health physics, or a closely related science or engineering discipline from an accredited college or university. Formal graduate-level coursework in the biological sciences with at least one course in biology or radiation biology and one course in anatomy, physiology, or a similar topic related to the practice of medical physics. Documented 3 years of clinical experience in CT. Contractor should provide the following to ensure work experience is sufficient to perform this contract: Provide example reports of the annual inspection for Computed Tomography scanner, fluoroscopy unit, radiography unit, MRI unit, Nuclear Medicine and PET units. Give three facilities similar in size to Charleston VAMC where the company has performed an annual x-ray equipment check with the modalities listed with contact person to call or email. b. Provide documented evidence that contractor meets required experience and certification/registration for this contract. Mandatory Services to be Performed a. The qualified diagnostic medical physicist shall perform inspections of ionizing radiation equipment to ensure compliance with the current American College of Radiology (ACR), Food and Drug Administration (FDA), VA National Health Physics Program (NHPP), Joint Commission (JC), and other applicable state and federal regulations. As the contract advances the contractor will stay up to date with regulations and change the required reports, tables, and checks as needed with the regulatory changes. Any deficiencies or non-conformances discovered during the inspection shall be verbally communicated to the Radiation Safety Officer (RSO) or his/her staff prior to the qualified diagnostic medical physicist leaving the facility. 
Deficiencies or non-conformances which represent unsafe conditions with the potential to adversely impact the facility radiation workers or patients shall be reported to the RSO immediately upon discovery. A written report of the results shall be provided to the RSO or his/her staff within 10 business days after completion of the inspection. All x-ray equipment shall be inspected at least annually, not to exceed 14 months. b. The qualified diagnostic medical physicist shall perform acceptance testing of all new or relocated imaging equipment prior to first clinical use. The acceptance testing shall comply with ACR, FDA, and/or VA NHPP requirements. The inspection shall be completed within 48 hours after the facility notifies the contractor. Any deficiencies or non-conformances discovered during the inspection shall be reported to the RSO or his/her staff immediately upon discovery and prior to the qualified diagnostic medical physicist leaving the facility. A written report of the results shall be provided to the RSO or his/her staff within 10 business days after completion of the inspection. c. The qualified diagnostic medical physicist shall perform a full inspection of previously inspected imaging equipment after repairs or modifications that may affect the radiation output or image quality. The inspection shall be completed within 30 days following repairs or modifications. The RSO or his/her staff will contact the Contractor within 48 hours of the repairs or modifications. Any deficiencies or non-conformances discovered during the inspection shall be reported to the RSO or his/her staff immediately upon discovery and prior to the qualified diagnostic medical physicist leaving the facility. A written report of the results shall be provided to the RSO or his/her staff within 10 business days after performing the inspection. d. 
The qualified diagnostic medical physicist will meet with the RSO or his/her staff following each inspection to present their findings and provide a written inventory of each piece of equipment included in their inspection. e. The qualified diagnostic medical physicist will be available for consultation by phone and email for issues such as patient and staff radiation exposures, radiation safety issues, machine QA, etc. The qualified diagnostic medical physicist shall review all CT protocols used at the facility at least annually and provide a report detailing their findings. f. The qualified diagnostic medical physicist shall assist in the development of a comprehensive technical quality assurance (QA) program to ensure that the x-ray system and its associated equipment is functioning correctly. The physicist assists in ensuring the quality assurance program meets current regulatory requirements and standards by recommending items to be done, reviewing results and confirming or not confirming compliance with current regulatory statutes and regulations. Examples of items reviewed are: technique charts, repeat/reject analysis monitoring, monitoring of exposure indices to radiographic image receptors, QA program for display monitors, QA for CT, and monitoring of dose metrics from fluoroscopy studies. The qualified diagnostic medical physicist shall review at least annually the QA program. A written report of the results shall be provided to the RSO or his/her staff within 10 business days after performing the inspection. g. The qualified diagnostic medical physicist shall perform a follow-up inspection to verify compliance of any necessary corrective action performed to correct deficiencies found. h. During day-to-day operations, items come up that need the professional opinion/recommendation from the contracted radiation physicist who is the board-certified expert on radiation exposure, equipment, etc. for the facility. 
Call-back on equipment questions, radiation exposure of patients and staff, and other radiation physicist needs will be done within 2 hours of the call. I. All work will be compliant with the most current regulations including updates and changes made by any state or Federal authority with jurisdiction over the VA use of x-ray equipment including but not limited to: the VA National Health physics program, FDA, JC, CRCPD and the State of South Carolina Department of Health and Environmental Control (DHEC). All checks and the documents associated with them are to follow current regulatory trends and at a minimum VHA Directive 1105.04, Updated Guidance for Reducing Radiation Dose from Computed Tomography issued by Assistant Deputy Under Secretary for Health for Clinical Operation, new Federal and applicable state regulations and items determined by the Charleston VAMC Radiation Safety Committee. Equipment Inspections The Contractor shall conduct equipment inspections or quality control surveys of the imaging equipment listed below. The Contractor shall ensure the imaging equipment's compliance with applicable Federal and state regulations, Joint Commission standards and ACR recommendations, and shall include, but not be limited to, monitoring the following basic performance characteristics. A. Radiographic and Fluoroscopic Equipment Physics inspections of radiographic and fluoroscopic equipment shall comply with the ACR Technical Standard for Diagnostic Medical Physics Performance Monitoring of Radiographic and Fluoroscopic Equipment, VHA Directive 1129 Radiation Protection for Machine Sources of Ionizing Radiation, and VHA Directive 1105.04 Fluoroscopy Safety and Joint Commission Standards and all updates that occur during the contract's base plus four years at a minimum. The performance of each radiographic and fluoroscopic unit must be evaluated at least annually not to exceed 14 months. 
This evaluation should include, but not be limited to, the following (as applicable): Integrity of unit assembly. Collimation and radiation beam alignment. Fluoroscopic system spatial resolution. Automatic exposure control system performance. Fluoroscopic automatic brightness control performance (high-dose-rate, pulsed modes, field-of-view [FOV] variation). Image artifacts. Fluoroscopic phantom image quality (High Contrast Resolution and Low Contrast Detectability). kVp accuracy and reproducibility. Linearity of exposure versus mA or mAs. Exposure reproducibility. Timer accuracy. Beam quality assessment (half-value layer). Fluoroscopic entrance exposure rate (or air kerma rate). Maximum output and output using a phantom representing a standard size patient for all clinically used settings and commonly used protocols. [The mode of operation (e.g., magnification mode, frame rate, and any other mode selected) must be documented for each measurement.] Fluorographic (image recording) entrance exposure rate (or air kerma rate) for cine imaging, if performed and entrance exposure (or air kerma) for spot images (if performed). Maximum output and output using a phantom representing a standard size patient for all clinically used settings. [The mode of operation (e.g., magnification mode, frame rate, etc.) must be documented for each measurement.] Image receptor entrance exposure. Equipment radiation safety functions. Patient dose monitoring system calibration. This includes, for radiographic systems, the metric of dose to the image receptor (IEC Exposure Index or proprietary index) and, for fluoroscopy systems, the displays of cumulative air kerma and, if available, DAP. Display monitor performance. Digital image receptor performance. Grids used with portable x-ray units shall be imaged for uniformity. 
For radiographic units, measurement of entrance skin exposure (or air kerma) for a standard size patient for common radiographic projections and comparison to published diagnostic reference levels and achievable doses (e.g., ACR practice parameter) should be prepared in a table for posting and included in the report. Light beam to x-ray alignment. Overall performance of radiographic and fluoroscopic collimators. Output versus kVp, mAs, and distance. Appropriateness of total filtration. 26. Preparation of a typed report of all survey findings for use as a permanent record, in a format acceptable to regulatory agencies and the Joint Commission. Note: The information on entrance exposure rates (or air kerma rates) from fluoroscopy and from fluorography, in Items (13) and (14) above, for each fluoroscope, shall be in a format suitable for providing to the physicians who operate the fluoroscope. All fluoroscopic equipment is located at the Ralph H. Johnson VA Medical Center (RHJVAMC). Radiographic equipment is located at RHJVAMC and at each of the outpatient clinics. The number of units at each location is as follows: Ralph H. Johnson VA Medical Center: 32 Diagnostic X-ray Tubes 1 Bone Density (DEXA) Unit Savannah VA Outpatient Clinic: 1 Diagnostic X-ray Tube 1 Bone Density (DEXA) Unit Myrtle Beach VA Outpatient Clinic: 1 Diagnostic X-ray Tube 1 Bone Density (DEXA) Unit Hinesville VA Outpatient Clinic: 1 Diagnostic X-ray Tube B. Diagnostic Computed Tomography (CT) Services The physics inspection shall conform to the 2017 ACR Computed Tomography Quality Control Manual. The performance of each CT scanner shall be evaluated at least annually not to exceed 14 months. The contractor will assist in the review of CT protocols for optimization and review the QA program for each CT unit at least annually not to exceed 14 months. The contractor will perform dose measurements on all used CT protocols for each unit used for diagnostic CT. 
This evaluation should include, but not be limited to, the following tests (as applicable). Review of Clinical Protocols. Scout Prescription and Alignment Light Accuracy. Image Thickness Axial Mode. Table Travel Accuracy. Radiation Beam Width. Low-Contrast Resolution. Spatial Resolution. CT Number Accuracy. Artifact Evaluation. CT Number Uniformity. Dosimetry (the scanner displayed CTDIvol values must be within +/- 20% of the measured CTDIvol values). Gray Level Performance of CT Acquisition Display Monitors. Image Uniformity. Alignment light accuracy. High Contrast Resolution. Geometric or distance accuracy. Ensure Joint Commission Imaging Standard requirements and ACR standards are met including future additions of these manuals, requirements and standards. CT Protocol Evaluations must be performed on all diagnostic CT scanners according to Joint Commission Standards and VA National Health Physics Program publication "Optimization of Radiation Doses to the Patient in Computed Tomography" (http://nhpp.med.va.gov/Top/2VAspecific/13RadOnc/OptimizationRadDoses.pdf) and CRCPD suggested state regulations section F.11.d.ii.3 (https://cdn.ymaws.com/www.crcpd.org/resource/resmgr/docs/SSRCRs/F_Part_2015.pdf). The protocol review should involve all protocols used and any the facility deems possibly usable. CT scanners are located at the following locations: Ralph H. Johnson VA Medical Center: 4 CT scanners (includes PET) Savannah VA Outpatient Clinic: 1 CT scanner C. Magnetic Resonance Imaging (MRI) Services The performance of each MRI scanner shall be evaluated at least annually not to exceed 14 months. The contractor will assist in the review of MRI protocols for optimization at least annually not to exceed 14 months. The contractor physicist will review the QA program for each MRI unit on an annual basis not to exceed 14 months. This evaluation should include, but not be limited to, the following tests (as applicable). 
Image Uniformity Signal to Noise Ratio Slice thickness accuracy Slice position accuracy Alignment light accuracy High contrast resolution Low contrast resolution (or contrast-to-noise ratio) Geometric or distance accuracy Magnetic field homogeneity Artifact evaluation Percent signal ghosting Soft copy display evaluation Review of technologist QC records MRI Safety Program Assessment ACR criteria for compliance All MRI scanners are located in Charleston, SC at the RHJVAMC. D. Nuclear Medicine Imaging (NM) Services The performance of each NM scanner shall be evaluated at least annually not to exceed 14 months and in accordance with the National Electrical Manufacturers Association (NEMA) protocols and the American College of Radiology (ACR). The contractor will assist in the review of the QA program and NM protocols for optimization and at least annually not to exceed 14 months. The evaluation results, along with recommendations for correcting any problems identified, are to be documented. Evaluations are to be conducted for all the imaging types produced clinically by each Nuclear Medicine scanner, (e.g. planar and/or tomographic) and include the use of phantoms to assess the following imaging metrics: Image uniformity/system uniformity High-contrast resolution System Spatial Resolution System Sensitivity Energy Resolution Maximum Count Rate Parameters Artifact evaluation Overall System Performance for SPECT Systems System Interlocks Center of Rotation Physical Inspection All Nuclear Medicine cameras are located in Charleston, SC at the RHJVAMC. E. Positron Emission Tomography (PET) Services A performance evaluation of each PET scanner shall be evaluated at least annually and not to exceed 14 months. The evaluation results, along with recommendations for correcting any problems identified, are to be documented. Evaluations are to be conducted for all the imaging types produced clinically by each PET scanner, (e.g. 
planar and/or tomographic) and include the use of phantoms to assess the following imaging metrics: Image uniformity/system uniformity High-contrast resolution/system spatial resolution Low-contrast resolution or detectability (not applicable for planar acquisitions) Artifact evaluation Provide PET Phantom for testing Preparation of F-18 dilution for PET Phantom setup PET Data acquisitions and assistance with processing ROI evaluation and data calculations Overall System Performance for PET PET/CT Systems Formatter/Video Display Assessment System Interlocks verification Physical Inspection The PET/CT scanner is located in Charleston, SC at the RHJVAMC. F. Dental The physics inspection shall conform to the Conference of Radiation Control Program Directors (CRCPD) website: https://cdn.ymaws.com/www.crcpd.org/resource/resmgr/docs/SSRCRs/F_Part_2015.pdf, Quality Control Recommendations for Diagnostic Radiography Volume 1 Dental Facilities July 2001 (https://cdn.ymaws.com/www.crcpd.org/resource/collection/720B159D-BBFC-4C72-AB22-36BD9F25FCFE/QC-Vol1-Web.pdf). The performance of dental x-ray inspections shall be annually not to exceed 14 months. This evaluation should include, but not be limited to, the following tests (as applicable). kVp and Timer Accuracy and Reproducibility Exposure Output Reproducibility Beam Quality Collimation mA or mAs linearity Entrance Skin Exposure Artifact Evaluation Integrity of Unit Assembly All Dental units are located in Charleston, SC at the RHJVAMC. G. Ultrasound Evaluation of each Ultrasound unit will be conducted in accordance with recommendations set forth by the AAPM, AIUM and ACR. The performance of each Ultrasound unit shall be evaluated at least annually. The contractor will assist in the review of Ultrasound protocols for optimization and the QA program for each Ultrasound unit on an annual basis not to exceed 14 months. This evaluation should include, but not be limited to, the following tests (as applicable). 
Ultrasound probe evaluation Sensitivity Dead Zone Axial distance accuracy Axial resolution Lateral resolution Cyst imaging accuracy Image uniformity Gray scale evaluation The number and location of the Ultrasound units are as follows: Ralph H. Johnson VA Medical Center: 8 Ultrasound Units Savannah VA Outpatient Clinic: 2 Ultrasound Units Myrtle Beach VA Outpatient Clinic: 1 Ultrasound Unit Hinesville VA Outpatient Clinic: 1 Ultrasound Unit H. Computed Radiography (CR) and Digital Radiography (DR) Physics inspections of CR and DR equipment shall comply with the American Association of Physicists in Medicine (AAPM) Report Number 93, Acceptance Testing and Quality Control of Photostimulable Storage Phosphor Imaging Systems. The performance of CR and DR must be evaluated at least annually not to exceed 14 months. This evaluation should include, but not be limited to, the following tests (as applicable). Visual Inspection of CR cassette(s) CR Spatial Resolution, CR High and Low contrast CR reader laser jitter CR Exposure indicator evaluation CR Sensitivity / Reproducibility CR Cassette Dark Noise All CR/DR cassettes are located in Charleston, SC at the RHJVAMC. Incidental Expenditures During the course of the contract, situations requiring a qualified diagnostic medical physicist may arise and necessitate the need for the medical physicist to return to the Ralph H. Johnson VAMC or affiliated CBOCs. This may include performing previously unscheduled inspections of new equipment or replacement components and the preparation of shielding plans. New equipment installed at the facility requires inspection prior to its operation and will therefore require inspection by a qualified diagnostic medical physicist within 48 hours following the VA's notification to the contractor. Replacement of tubes in equipment identified herein will require inspection by a qualified diagnostic medical physicist within 30 days from installation. 
The VA will notify the contractor within 48 hours of tube replacement. Costs to provide the following services should therefore be included: Inspection of 5 new or replacement X-ray tubes. Inspection of 2 new or replacement CT, NM, or MRI tubes. Preparation of 5 shielding plans. J. VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE 1. GENERAL: Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. 2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS a. A contractor / sub-contractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. c. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. 3. VA INFORMATION CUSTODIAL LANGUAGE a. 
Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1). b. VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct on-site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. c. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. 
Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. d. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. e. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor / subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. f. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. g. If a VHA contract is terminated for cause, the associated BAA must also be terminated, and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. 
Absent an agreement to use or disclose protected health information, there is no business associate relationship. h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. i. The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request. j. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor / subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. l. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR. 4. 
SECURITY INCIDENT INVESTIGATION a. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. b. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. c. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. d. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. 
The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. 5. LIQUIDATED DAMAGES FOR DATA BREACH a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. b. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. c. 
Each risk analysis shall address all relevant information concerning the data breach, including the following: (1) Nature of the event (loss, theft, unauthorized access); (2) Description of the event, including: (a) date of occurrence; (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; (3) Number of individuals affected or potentially affected; (4) Names of individuals or groups affected or potentially affected; (5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; (6) Amount of time the data has been out of VA control; (7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); (8) Known misuses of data containing sensitive personal information, if any; (9) Assessment of the potential harm to the affected individuals; (10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and (11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. (1) Notification; (2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; (3) Data breach analysis; (4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; (5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and (6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. 6. 
SECURITY CONTROLS COMPLIANCE TESTING On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-days notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time. NOTE: THIS NOTICE WAS NOT POSTED TO FEDBIZOPPS ON THE DATE INDICATED IN THE NOTICE ITSELF (29-MAY-2019); HOWEVER, IT DID APPEAR IN THE FEDBIZOPPS FTP FEED ON THIS DATE. PLEASE CONTACT 877-472-3779 or fbo.support@gsa.gov REGARDING THIS ISSUE.
- Web Link
- Link To Document (https://www.fbo.gov/spg/VA/ChaVAMC/VAMCCO80220/36C24719Q0587/listing.html)
- Record
- SN05324731-F 20190531/190529230008 (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)