Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF OCTOBER 15, 2023 SAM #7992
SOLICITATION NOTICE

65 -- VISN 1 Artificial Limb BPA

Notice Date
10/13/2023 9:06:51 AM
 
Notice Type
Solicitation
 
NAICS
339113 — Surgical Appliance and Supplies Manufacturing
 
Contracting Office
241-NETWORK CONTRACT OFFICE 01 (36C241) TOGUS ME 04330 USA
 
ZIP Code
04330
 
Solicitation Number
36C24123Q0883
 
Response Due
11/1/2023 11:00:00 AM
 
Archive Date
12/01/2023
 
Point of Contact
Tyler M Kenyon, Contract Specialist
 
E-Mail Address
tyler.kenyon@va.gov
 
Awardee
null
 
Description
Amendment 0001:

Questions: Several areas of the statement of work refer to documents shared in RMS/AZURE. While we work with the VISN 1 VA's currently, this is not a system that we are currently using. Is there an anticipated implementation plan for utilizing this system after contract award?

Government Response: The Government requires vendors to conform to the Government preferred encryption system. RMS/AZURE encryption is built into Microsoft Office 365. Vendors will be required to use this system. If vendors do not have Microsoft 365, the Government recommends beginning the process to start using Microsoft 365, and the VA will attempt to use the vendor's encryption system during the transition. The Government will offer support through this process if required.

Attachment Business Associate Agreement: This item of the Solicitation is included in error and should be omitted/deleted because the selected Contractor will be a Covered Entity (CE) under HIPAA, and not a Business Associate (BA) of the VA. Therefore, a Business Associate Agreement, or BAA, will not be needed or required. The selected Contractor (whether REDACTED or another qualified prosthetic and orthotic company) will be a healthcare provider to Veterans under the contract. Under HIPAA, this makes the Contractor a separate Covered Entity, and not a Business Associate of the VA. The HIPAA Privacy Rule only requires BAAs for Business Associates. Therefore, a VA hospital may disclose PHI for the treatment activities of another health care provider [see 45 CFR 164.506(c)(2)], and providing such information does not make the other health care provider a business associate of the VA hospital that requires a BAA.

The US Department of Health and Human Services has provided explicit interpretive guidance under HIPAA that is directly on point: In these situations, a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity. Disclosures by a covered entity to a health care provider for treatment of the individual. For example: A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient's medical chart for treatment purposes. The following is a link to this guidance, which is in the subsection titled: Exceptions to the Business Associate Standard. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

Government Response: The Government concurs with the concern and explanation outlined above. The Business Associate Agreement attachment has been updated and included at the end of this document as a result of Amendment 0001.

The Solicitation contains VAAR 852.219-76 VA NOTICE OF LIMITATIONS ON SUBCONTRACTING CERTIFICATE OF COMPLIANCE FOR SUPPLIES AND PRODUCTS (NOV 2022). Pursuant to VAAR 819.7011(c), this clause is only supposed to be included in contracts that are awarded on the basis of an SDVOSB/VOSB set-aside, sole source, or an evaluation preference. Since this is an unrestricted procurement, please confirm that this clause does not apply to the Solicitation and this clause will not apply to any resulting contract.

Government Response: The Government concurs with #3. VAAR 852.219-76 VA NOTICE OF LIMITATIONS ON SUBCONTRACTING CERTIFICATE OF COMPLIANCE FOR SUPPLIES AND PRODUCTS (NOV 2022) is hereby removed as a result of this amendment 00001.

Shop data sheet asks for 3 civilian physician references. We literally have hundreds. Can we provide the full list or should we pick the top 3 relevant to prosthetic care?

Government Response: Provide the top 3.

I started filling out the Inspection Sheet Prosthetic Dealer but then it seemed as though that may be a document your group fills out during an inspection of our facility. Can you clarify for me?

Government Response: The VA normally completes it now if there is an issue at the site. Vendors do not need to complete Attachment 2130 as a result of Amendment 0001.

In addition to discount level, what are the most important topics to the VA in awarding this contract? We will be aggressive on our discount because we want to work with Vets and we also want to help save the VA money. We also offer a number of things that others do not. For example, the aforementioned shoes. Also, we have 2 locations (Hooksett near the Manchester VA and Merrimack) but we also see Vets at other locations that are more convenient to their homes such as Wolfeboro (Huggins Hospital Back Bay Rehab).

Government Response: Orthotics will be covered in a separate contract solicitation. Vendors are encouraged to offer a discount that is fair to the VA and fair to its company's finances. Any locations listed must be ABC or BOC-site accredited for VA patients to schedule and attend appointments.

If awarded this contract, is it exclusive? Meaning will Vets be required to use us as their provider or will they be given a choice of a few providers? What is expected volume of Vets being referred under this contract by the Manchester VA?

Government Response: This contract solicitation is a multiple-award contract, meaning it is not exclusive to one vendor but open to multiple vendors so long as the vendors meet the requirements outlined in the solicitation. It is expected the Government will award multiple Blanket Purchase Agreement awards. The expected volume is unknown at this time. Please note Veteran patients have the right to choose their artificial limb contractor as already mentioned in the solicitation.
UPDATED: BUSINESS ASSOCIATE AGREEMENT BETWEEN THE DEPARTMENT OF VETERANS AFFAIRS VETERANS HEALTH ADMINISTRATION, , AND

Purpose. The purpose of this Business Associate Agreement (Agreement) is to establish requirements for the Department of Veterans Affairs (VA) Veterans Health Administration (VHA) and in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, and the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules ("HIPAA Rules"), 45 C.F.R. Parts 160 and 164, for the Use and Disclosure of Protected Health Information (PHI) under the terms and conditions specified below.

Scope. Under this Agreement and other applicable contracts or agreements, will provide services to, for, or on behalf of . In order for to provide such services, will disclose PHI to and will use or disclose PHI in accordance with this Agreement.

Definitions. Unless otherwise provided, the following terms used in this Agreement have the same meaning as defined by the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (PHI), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Business Associate shall have the same meaning as described at 45 C.F.R. § 160.103. For the purposes of this Agreement, Business Associate shall refer to , including its employees, officers, or any other agents that create, receive, maintain, or transmit PHI as described below.

Covered Entity shall have the same meaning as the term is defined at 45 C.F.R. § 160.103. For the purposes of this Agreement, Covered Entity shall refer to .

Protected Health Information or PHI shall have the same meaning as described at 45 C.F.R. § 160.103. Protected Health Information and PHI as used in this Agreement include Electronic Protected Health Information and EPHI. For the purposes of this Agreement and unless otherwise provided, the term shall also refer to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity or receives from Covered Entity or another Business Associate.

Subcontractor shall have the same meaning as the term is defined at 45 C.F.R. § 160.103. For the purposes of this Agreement, Subcontractor shall refer to a contractor of any person or entity, other than Covered Entity, that creates, receives, maintains, or transmits PHI under the terms of this Agreement.

Terms and Conditions. Covered Entity and Business Associate agree as follows:

1. Ownership of PHI. PHI is and remains the property of Covered Entity as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate agreement is in place.

2. Use and Disclosure of PHI by Business Associate. Unless otherwise provided, Business Associate:
  A. May not use or disclose PHI other than as permitted or required by this Agreement, or in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except that it may use or disclose PHI:
    (1) As required by law or to carry out its legal responsibilities;
    (2) For the proper management and administration of Business Associate; or
    (3) To provide Data Aggregation services relating to the health care operations of Covered Entity.
  B. Must use or disclose PHI in a manner that complies with Covered Entity's minimum necessary policies and procedures.
  C. May de-identify PHI created or received by Business Associate under this Agreement at the request of the Covered Entity, provided that the de-identification conforms to the requirements of the HIPAA Privacy Rule.

3. Obligations of Business Associate. In connection with any Use or Disclosure of PHI, Business Associate must:
  A. Consult with Covered Entity before using or disclosing PHI whenever Business Associate is uncertain whether the Use or Disclosure is authorized under this Agreement.
  B. Implement appropriate administrative, physical, and technical safeguards and controls to protect PHI and document applicable policies and procedures to prevent any Use or Disclosure of PHI other than as provided by this Agreement.
  C. Provide satisfactory assurances that PHI created or received by Business Associate under this Agreement is protected to the greatest extent feasible.
  D. Notify Covered Entity within twenty-four (24) hours of Business Associate's discovery of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI.
    (1) Any incident as described above will be treated as discovered as of the first day on which such event is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
    (2) Notification shall be sent to and and to the VHA Health Information Access Office, Business Associate Program Manager by email at VHABAAIssues@va.gov.
    (3) Business Associate shall not notify individuals or the Department of Health and Human Services directly unless Business Associate is not acting as an agent of Covered Entity but in its capacity as a Covered Entity itself.
  E. Provide a written report to Covered Entity of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI, within ten (10) business days of the initial notification.
    (1) The written report of an incident as described above will document the following:
      (a) The identity of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, disclosed, modified, or destroyed;
      (b) A description of what occurred, including the date of the incident and the date of the discovery of the incident (if known);
      (c) A description of the types of secured or unsecured PHI that was involved;
      (d) A description of what is being done to investigate the incident, to mitigate further harm to Individuals, and to protect against future incidents; and
      (e) Any other information as required by 45 C.F.R. §§ 164.404(c) and 164.410.
    (2) The written report shall be addressed to: and submitted by email to and to the VHA Health Information Access Office, Business Associate Program Manager at VHABAAIssues@va.gov.
  F. To the greatest extent feasible, mitigate any harm due to a Use or Disclosure of PHI by Business Associate in violation of this Agreement that is known or, by exercising reasonable diligence, should have been known to Business Associate.
  G. Use only contractors and Subcontractors that are physically located within a jurisdiction subject to the laws of the United States, and ensure that no contractor or Subcontractor maintains, processes, uses, or discloses PHI in any way that will remove the information from such jurisdiction. Any modification to this provision must be approved by Covered Entity in advance and in writing.
  H. Enter into Business Associate Agreements with contractors and Subcontractors as appropriate under the HIPAA Rules and this Agreement. Business Associate:
    (1) Must ensure that the terms of any Agreement between Business Associate and a contractor or Subcontractor are at least as restrictive as Business Associate Agreement between Business Associate and Covered Entity.
    (2) Must ensure that contractors and Subcontractors agree to the same restrictions and conditions that apply to Business Associate and obtain satisfactory written assurances from them that they agree to those restrictions and conditions.
    (3) May not amend any terms of such Agreement without Covered Entity's prior written approval.
  I. Within five (5) business days of a written request from Covered Entity:
    (1) Make available information for Covered Entity to respond to an Individual's request for access to PHI about him/her.
    (2) Make available information for Covered Entity to respond to an Individual's request for amendment of PHI about him/her and, as determined by and under the direction of Covered Entity, incorporate any amendment to the PHI.
    (3) Make available PHI for Covered Entity to respond to an Individual's request for an accounting of Disclosures of PHI about him/her.
  J. Business Associate may not take any action concerning an individual's request for access, amendment, or accounting other than as instructed by Covered Entity.
  K. To the extent Business Associate is required to carry out Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the provisions that apply to Covered Entity in the performance of such obligations.
  L. Provide to the Secretary of Health and Human Services and to Covered Entity records related to Use or Disclosure of PHI, including its policies, procedures, and practices, for the purpose of determining Covered Entity's, Business Associate's, or a Subcontractor's compliance with the HIPAA Rules.
  M. Upon completion or termination of the applicable contract(s) or agreement(s), return or destroy, as determined by and under the direction of Covered Entity, all PHI and other VA data created or received by Business Associate during the performance of the contract(s) or agreement(s). No such information will be retained by Business Associate unless retention is required by law or specifically permitted by Covered Entity. If return or destruction is not feasible, Business Associate shall continue to protect the PHI in accordance with the Agreement and use or disclose the information only for the purpose of making the return or destruction feasible, or as required by law or specifically permitted by Covered Entity. Business Associate shall provide written assurance that either all PHI has been returned or destroyed, or any information retained will be safeguarded and used and disclosed only as permitted under this paragraph.
  N. Be liable to Covered Entity for civil or criminal penalties imposed on Covered Entity, in accordance with 45 C.F.R. §§ 164.402 and 164.410, and with the HITECH Act, 42 U.S.C. §§ 17931(b), 17934(c), for any violation of the HIPAA Rules or this Agreement by Business Associate.

4. Obligations of Covered Entity. Covered Entity agrees that it:
  A. Will not request Business Associate to make any Use or Disclosure of PHI in a manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if made by Covered Entity, except as permitted under Section 2 of this Agreement.
  B. Will promptly notify Business Associate in writing of any restrictions on Covered Entity's authority to use or disclose PHI that may limit Business Associate's Use or Disclosure of PHI or otherwise affect its ability to fulfill its obligations under this Agreement.
  C. Has obtained or will obtain from Individuals any authorization necessary for Business Associate to fulfill its obligations under this Agreement.
  D. Will promptly notify Business Associate in writing of any change in Covered Entity's Notice of Privacy Practices, or any modification or revocation of an Individual's authorization to use or disclose PHI, if such change or revocation may limit Business Associate's Use and Disclosure of PHI or otherwise affect its ability to perform its obligations under this Agreement.

5. Amendment. Business Associate and Covered Entity will take such action as is necessary to amend this Agreement for Covered Entity to comply with the requirements of the HIPAA Rules or other applicable law.

6. Termination.
  A. Automatic Termination. This Agreement will automatically terminate upon completion of Business Associate's duties under all underlying Agreements or by termination of such underlying Agreements.
  B. Termination Upon Review. This Agreement may be terminated by Covered Entity, at its discretion, upon review as provided by Section 9 of this Agreement.
  C. Termination for Cause. In the event of a material breach by Business Associate, Covered Entity:
    (1) Will provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Covered Entity;
    (2) May terminate this Agreement and underlying contract(s) if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity.
  D. Effect of Termination. Termination of this Agreement will result in cessation of activities by Business Associate involving PHI under this Agreement.
  E. Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate Agreement is in place.

7. No Third-Party Beneficiaries. Nothing expressed or implied in this Agreement confers any rights, remedies, obligations, or liabilities whatsoever upon any person or entity other than Covered Entity and Business Associate, including their respective successors or assigns.

8. Other Applicable Law. This Agreement does not abrogate any responsibilities of the parties under any other applicable law.

9. Review Date. The provisions of this Agreement will be reviewed by Covered Entity every two years from Effective Date to determine the applicability and accuracy of the Agreement based on the circumstances that exist at the time of review.

10. Effective Date. This Agreement shall be effective on the last signature date below.

11. Exceptions. Prospective vendors that meet the definition of a "Covered Entity", in accordance with 45 CFR 160.103, are not required to engage in a Business Associate Agreement with the Government. For further information on this topic please refer to: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html Vendors that claim Covered Entity status shall provide any documentation available in accordance with Volume One Technical of their proposal.

Department of Veterans Affairs Veterans Health Administration
By:                By:
Name:              Name:
Title:             Title:
Date:              Date:
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/bff867b6e6074d4aaf44a840b477cc68/view)
 
Record
SN06859302-F 20231015/231013230045 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
