Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF JUNE 17, 2010 FBO #3127
MODIFICATION

R -- Billing-added SOW and extended time.

Notice Date
6/15/2010
 
Notice Type
Modification/Amendment
 
NAICS
524298 — All Other Insurance Related Activities
 
Contracting Office
Department of Veterans Affairs;VISN 9 ASC (90C);1639 Medical Center Parkway, Suite 400;Murfreesboro TN 37129
 
ZIP Code
37129
 
Solicitation Number
VA24910RQ0254
 
Response Due
6/18/2010
 
Archive Date
7/18/2010
 
Point of Contact
Stacey McClendon
 
E-Mail Address
CONTRACT SPECIALIST
(STACEY.MCCLENDON4@VA.GOV)
 
Small Business Set-Aside
Total Small Business
 
Description
Billing Contract Statement of Work
The primary purpose of this Statement of Work (SOW) is to accomplish the following Billing objectives:
Provide Billing services as an extended business office solution with the generation, processing and submission of Hospital and Professional Medical Claims to Third and First Party Payers on behalf of Veterans Health Administration (VHA) facilities.
Establish and maintain a productive cost-effective Billing system that:
Incorporates industry standard performance metrics that monitor the accuracy and timeliness of the system;
Establishes a reporting mechanism that measures return on investment that is in line with negotiated performance metrics;
Allows the VAMC to meet and/or exceed their TRICARE/CHAMPVA goals by optimizing third and first party reimbursements, in part through aggressive, accurate and timely billing;
Incorporates performance metrics that monitor the accuracy and timeliness of the billing process.
Key Assumptions:
Definitions are provided (Attachment A).
A minimum of 125 claims per individual contracted staff member will be processed each day. The claims may be for any backlog and/or current episodes of care.
Claims which cannot be billed due to no insurance coverage or data validation/compliance issues will be assigned a "Reason Not Billable" in Claims Tracking and when appropriate bills will be cancelled in the Integrated Billing Software Package.
VA can only bill health insurance carriers for treatment of non-service connected conditions provided to veterans. Any questions regarding a veteran's service connected status should be referred to the VAMC.
VHA submits claims for supplemental Medicare payers to Trailblazer for development of a Medicare Remittance Advice. Contract staff is responsible for working MRA errors returned from Trailblazer or clearing house as part of the task of completing the claim and does not generate an additional cost transaction.
VHA does not send all claims for Medicare supplemental payers to Trailblazer. Certain Medicare supplemental claims are filed directly with supplemental payers without use of the MRA transaction. Contract staff is responsible for working payer rejects of MRA exclusion claims as part of the task of completing the claim.
The VA is not authorized to bill Medicare or Medicaid. There are also specific services that are excluded from billing through the e-MRA process to obtain the Medicare Remittance Advice (MRA). Contract staff is responsible for maintaining a current list of services that are billable for the MRA and understanding proper coordination of benefit issues. Contractor will attach the MRA exclusionary listing to the bill or claim when needed.
The Contractor must notify the VA facility of any Release Of Information (ROI) needed for claims processing.
The software application providing bill scrubbing edits used by the VA shall be used by Contractor staff. All edits will be reviewed and corrected as appropriate.
VHA's rate structure, commonly called reasonable charges, must be used when preparing claims.
VA information will not be co-mingled with any other data on the contractor's/subcontractor's information systems/media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. VA also reserves the right to conduct IT resource inspections to ensure data separation and on-site inspection of information destruction/media sanitization procedures to ensure they are in compliance with VA policy requirements.
The Contractor is subject to the same principles in regards to separation of duties. If the Contractor has a contract for both Billing and AR follow-up, the same staff cannot work on both processes.
Contractor agrees that all deliverables, associated working papers, and other material deemed relevant by the Contractor in the performance of these tasks are the property of the United States Government.
"Business Day" is defined as Monday through Friday, excluding standard Federal Holidays and any other day specifically declared to be a national holiday. All scheduled contacts between the Contractor and VAMC staff shall occur during regular VAMC hours of operation.
General Requirements:
All written deliverables shall be phrased in layperson language. Statistical and other technical terminology shall not be used without providing a glossary of terms.
For every task, the Contractor shall identify in writing all necessary subtasks (if any), associated costs by task with associated sub-milestone dates. The Contractor's subtask structure shall be reflected in the technical proposal.
Where a written milestone deliverable is required in draft form, the VA will complete the review of the draft deliverable within 10 calendar days from date of receipt. The PM and/or designated representative will review and accept deliverables. Deliverables found to be unacceptable or not meeting the intent of the task within the review period shall be redone by the Contractor and considered to be within scope of this order.
The Contractor shall be required to follow the Veterans Affairs Office of Information and Technology's (OI&T) policies and procedures, which will be made available at the Contractor's request on award. The OI&T policies and procedures are in conjunction with others as may be identified in other paragraphs of this SOW.
The Contractor shall operate within Federal law and within VHA directives and guidelines for this contract.
Regarding Contractor staff, the Contractor shall:
1) Be responsible for having trained staff at the Contractor's expense for VA billing in place at the time the contract is awarded. The contract staff must be trained in all aspects of billing requested under the contract, which may include: utilizing the VA's encoder software package, generating a clean claim, canceling claims in Integrated Billing when appropriate, assigning appropriate Reasons Not Billable in Claims Tracking, and utilizing both the Entered Not Reviewed and the Unbilled Reports for appropriate billing or cancellation of bill numbers via electronic interface or high speed, secure, remote access. The cost of any additional training required by the Contractor's staff shall be borne by the Contractor.
2) Provide a list of qualified employees that will be performing work for this contract. Qualifications shall outline training, years of experience, and any other information so qualification can be determined. Additionally, the vendor shall notify the VA facility of any change in staffing, i.e. new employees and shall provide training, years of experience, and any other information so qualification can be determined.
The Contractor shall obtain OneVA VPN access for staff assigned to this project.
The Contractor shall be responsible for correcting any errors made by their employees at no charge to the VA. There will be no charge for any cancelled, duplicate or returned claims that may need to be resubmitted due to billing error.
The Contractor will have "view" only access to the insurance file. This will include working errors on the MRA Worklist (MRW) and the Claims Status Awaiting Resolution (CSA) worklist, within 5 business days.
The Contractor shall have forty-five (30) days from the date of task order(s) award to have all sites operational.
A post-award orientation conference is required and will be performed prior to the performance of any work under this contract.
This conference will include Contracting Officer (CO), Contracting Officer Technical Representative (COTR), Information Security Officer (ISO) for the VA Medical facility involved, and any contractor personnel requiring VA computer access. Patient Confidentiality (HIPAA compliance) and overall data security are vitally important and will be maintained at all times. All Contractor personnel shall be required to observe the requirements imposed on sensitive data by law, Federal regulations, and VA policies and procedures. The Contractor shall be responsible for his/her employees (including subcontractors) in release of confidential/proprietary information and the divulgence to authorized recipients designated by the VAMC. The Contractor's staff shall have background investigations performed. The VAMC will furnish a copy of the background investigation and information security forms to be completed by each Contractor employee working on this project. The Contractor must treat all individually identifiable health records with the strictest confidentiality. Access to records must be limited to essential personnel only. Records must be secured when not in use. At the conclusion of the Contract all copies of individually identifiable health records must be destroyed or returned to the VAMC at the VA's discretion. Contractor staff shall sign and follow confidentiality statements as required. The Contractor shall comply with the Privacy Act, 38 USC 5701 and 38 USC 7332. Any information the Contractor may obtain on personnel and/or patient data as a result of performance of this contract will not at any time be disclosed to third parties or used for the Contractor's own purpose except to the extent allowed by the Privacy Act. 
Contractor personnel who obtain access to hardware or media which may manipulate or store drug or alcohol abuse data, sickle cell anemia treatment records, records or tests or treatment for or infection with HIV, medical quality assurance records, or any other sensitive information that is protected under 38 U.S.C. 4132 or 3305 as defined by the Department of Veterans Affairs, shall not have access to the records unless absolutely necessary to perform their contractual duties. Any individual who has access to this data will disclose them to no one, including other employees of the Contractor not involved in the performance of the particular contractual duty for which access was obtained. Violation of these statutory provisions, as stated in department regulations, by the Contractor's employees may involve imposition of criminal penalties. The Contractor shall report all VA security incidents to the local facility VA Information Security Officer (ISO) as soon as the incident is discovered. The information submitted to the ISO will be the current date, the date the incident was observed, name of person filing the incident, organization, phone number of the person filing the report including e-mail address, affected system name and preliminary actions taken. The Contractor will meet the facility ISO before work in order to reinforce security responsibilities of their positions in the overall security program at the facility. Compliance with VA Directive 6504, Restrictions on Transmission, Transportation and Use Of, and Access To, VA Data Outside VA Facilities, issued June 7, 2006 is mandatory. Contractor shall ensure that no fraud will be committed on work performed by the Contractor. The Contractor's claims expediting and collection activities must be legal, ethical and in compliance with applicable legislation regulating debt collection practices. The Workforce Investment Act of 1998, Public Law 105-220 was enacted on August 7, 1998. 
Title IV of the Act is the Rehabilitation Act Amendments of 1998. Subsection 408 (b) amended Section 508 of the Rehabilitation Act of 1973. Section 508 requires Federal departments or agencies to develop, procure, maintain, or use Electronic and Information Technology (EIT). Agencies must ensure that the EIT allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access and use of information and data to that of other Federal employees. Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal department or agency, access to and use of information and data that is comparable to that information and data that is available to the public not having the disabilities. The Contractor is responsible for developing an IT protocol for transfer of data if the vendor uses a software product other than VistA. VA bills health insurance carriers for treatment of veterans' non-service connected conditions. The Contractor shall refer any questions regarding a veteran's service connected status to the VAMC. Any updated patient demographic information obtained during collection/follow-up activities, including updated insurance information, must be furnished to the appropriate VAMC designee on a daily basis. The Contractor must instruct all debtors to remit payment to the VAMC, under medical center's business name, as it appears on the UB-92 or HCFA-1500 form. Section 508 Compliance: In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2) (A) of the Rehabilitation Act Amendments of 1998, established Information Technology accessibility standards for the Federal Government. 
Section 508(a)(1) requires that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows individuals with disabilities who are Federal employees to have access to and use of information and data that is comparable to the access to and use of the information and data by Federal employees who are not individuals with disabilities; and individuals with disabilities who are members of the public seeking information or services from a Federal department or agency to have access to and use of information and data that is comparable to the access to and use of the information and data by such members of the public who are not individuals with disabilities.
Specific technical standards the contractor must comply with are:
1194.21, Software Applications and Operating Systems
1194.22, Web Based Intranet and Internet Information and Applications
1194.23, Telecommunication Products
1194.24, Video and Multimedia Products
1194.25, Self Contained Closed products
1194.26, Desktop and Portable Computers
1194.31, Functional Performance Criteria
1194.41, Information, Documentation and Support
In order to validate conformance to the above standards the responsible requiring/procurement official must complete the VA's Section 508 Determination and Findings Document, see document at: http://www1.va.gov/oamm/rlib/best_practices.cfm. VA's Section 508 Program Office has developed a Conformance Validation Statement (CVS). The CVS must be completed by the responsible requiring/procurement official as part of their market research to validate the conformance of the E&IT project. (See Section 10 in the Section 508 Determination and Findings Document). 
If at any time the responsible requiring/procurement official finds that an exception may apply, they must complete the Section 508 EIT Exceptions Certification Document, see document at: http://www1.va.gov/oamm/rlib/best_practices.cfm, which must get a signed approval from the VA Section 508 Coordinator. Once the E&IT is determined to meet all applicable Section 508 standards, the E&IT is validated by the VA's Section 508 Program Office in the Department's Section 508 Testing and Training Center using the information provided by the CVS. If in the case the VA decides to purchase an application, product or service that cannot be validated for Section 508 prior to purchase, the Vendor agrees to accept all costs for ensuring conformance working with the VA Section 508 Program Office. For future releases or upgrades all steps using the CVS are required and upon validation a signed approval will be given to the VA POC from the VA Section 508 Coordinator.
Section 508 text is available at:
http://www.va.gov/accessible
http://www.access-board.gov
http://www.opm.gov/HTML/508-textOfLaw.htm
http://www.section508.gov/index.cfm?FuseAction=Content&ID=14
http://www1.va.gov/oamm/rlib/best_practices.cfm
VA Directive and Handbook 6221, Accessible Electronic and Information Technology is posted at: http://www.va.gov/oit/ea/section508/policy.asp or vawwwl.va.gov/vapubs
Description of Tasks and Associated Deliverables:
The Contractor shall provide Billing services as follows:
Provide Billing services to include inpatient and outpatient services (including pharmacy and durable medical equipment) within VA established timeframes.
Provide a remote and secure business office solution for medical center billing.
Provide secure, remote Hospital (UB92, UB04), professional (1500), Dental (ADA) and any proprietary format claim billing whether the need is for a billing "backlog" cleanup or ongoing outsourcing of accounts.
Provide automated secondary billing services (preferred) provided the electronic (835) MRA or RA is supplied. Consideration will be given for manual processing and mailing.
Submit claims directly to payers electronically (preferred) whenever possible via a clearinghouse and/or mailed hard copy.
Ensure claim acknowledgment and status reports are retrieved and are posted back at the claim and summary report level to assist in follow-up and account reconciliation by VHA.
Authorize and release claims to third party carriers for treatment provided by VA health care facilities for inpatient and outpatient services (including pharmacy and durable medical equipment) received.
Review potential claims for appropriate insurance coverage based on information provided by the VA facility and all claims will be completed and authorized in accordance with VA Reasonable Charges and Billing Guide and insurance company requirements.
Provide a mechanism to ensure timely and meaningful communications with appropriate VAMC Point of Contact at a frequency identified in the individual task order(s).
Instruct all payers to remit payment to the VAMC, under the appropriate medical center's business name, as it appears on the UB04 or CMS-1500 form.
Ensure claims which cannot be billed due to lack of insurance coverage or data validation/compliance issues are assigned a "Reason Not Billable" in Claims Tracking and when appropriate bills shall be cancelled in the Integrated Billing Software Package.
Establish billing priorities with the Technical COTR designated on the task order.
Provide a mechanism to ensure timely and meaningful communications with appropriate VAMC staff; the communication methodology shall be tailored to the VAMC's needs.
Bill Me and/or Unbilled Report: These reports are generated by the VAMC outlining the work to be done. Contractor shall notify VA facility when Contractor has only three days of work left, so the facility can provide additional work, if necessary.
Deliverable 1a: Monthly, the Contractor shall provide a summary to the Technical COTR (Attachment B). This report covers only cases referred to the vendor based on a contractual agreement through the BPA. The Contractor may propose modifications to the reporting requirements to the Technical COTR.
Deliverable 1b: The Contractor shall prepare a weekly Rejection report for each facility that gives the list of encounters they were unable to process. The reports will include the patient's name, Social Security Number, the encounter and the reason they cannot process the encounter.
Deliverables: If for any reason a deliverable cannot be met within the scheduled time frame or adherence to the established schedules cannot be met, the Contractor is required to explain why, in writing, to the local Contracting Officer for the task order, and include a firm commitment of when the work shall be completed. This notice to the Contracting Officer shall specify the following:
Reasons for the delay
Modified delivery date
Impact on the overall project
A revised project plan with all adjusted dates
The Contracting Officer will then review the facts and issue a response in accordance with applicable regulations.
Reporting Requirements
The Contractor shall include in their submission proposed monthly reports that will be provided by the Contractor to the VAMC contact person(s) that monitor performance on the task order. The VAMC will monitor productivity (bills authorized, reasons not billable, and bill cancellation) of the Contractor on a predetermined basis as specified on the individual task order. There will be an open line of communication between the Contractor and the VA regarding all questions, concerns, and productivity.
The Contractor shall prepare a weekly Rejection report for each facility that gives the list of encounters they were unable to process. The report will include the patient's name, Social Security Number, the encounter and the reason they cannot process the encounter.
Monthly, the Contractor shall provide the following summary to the Technical COTR. This report covers only cases referred to the vendor based on a contractual agreement through the BPA (Attachment B). The Contractor may propose modifications to the reporting to the national COTR. However, the Contractor's proposed reports shall at minimum accomplish the following:
Constantly monitor process for required changes and feedback results
Identify and report billing inconsistencies and irregularities that impact ongoing receivables and for proactive rejection/denial management
Performance Standards:
The Contractor may propose performance metrics for consideration that are measurable and assess the quality of the services provided. Contractor will perform monthly CBI billing audits and provide results of the audits to the VAMC point of contact.
Billing turnaround time: Contractor will be required to meet all deadlines set by the VA to ensure all claims are filed within insurance company filing time limits. This shall be specified with the VAMC task orders. Time schedules and deadlines are to be established based on mutual agreement of the applicable VAMC and the Contractor. Claims shall be generated within two (2) days of receipt from the facility 98% of the time. The Contractor shall notify the VAMC within 24 hours of receipt of the workload if an issue arises regarding being able to meet the expected timeframes. This includes reporting any issues dealing with meeting the time associated with working errors on the MRA Worklist (MRW) and the Claims Status Awaiting Resolution (CSA) worklist, within 5 business days.
Clean claims submissions: Clean Claims submitted is 95% or greater.
HIPAA-compliant electronic claim submission rate 100%.
Administrative:
Agreed upon reports shall be complete, accurate and delivered to VA on agreed upon schedule 98% of the time. If issues are presenting that hinder satisfactory performance of this metric, vendor shall notify VA within 2 business days to request an extension.
Vendor consistently meets agreed upon workload requirements specified in individual task orders 98% of the time.
Vendor manages workload without loss of data 100% of the time.
Vendor provides complete explanation of all non-billables 100% of the time.
Vendor may submit for VA consideration additional performance metrics.
Property Rights:
The Contractor shall not divulge or disclose information received and discussed regarding data considered proprietary to other contractors collaborating on or with this effort. Contractor staff will be required to complete mandated VA privacy and security training. The Contractor may be required to negotiate agreements with commercial system vendors relating to non-disclosure of vendor-proprietary information. If the Contractor uses copyright or otherwise licensed software in any deliverable under this order, the Contractor must secure unlimited use rights for the Government. In addition, the Contractor is required to pass all software licenses on to the Government within 30 days after completion of the tasks. The Contractor shall limit access to the minimum number of employees necessary for order performance for all information considered sensitive or proprietary in nature. If the Contractor is uncertain of the sensitivity of any information obtained during the order then the Contractor has a responsibility to ask the Government representative. The Contractor shall indoctrinate all personnel employed by the Contractor and any subcontractors involved in this order on their roles and responsibilities for proper handling and nondisclosure of sensitive government or proprietary information.
Contractor personnel shall not engage in any other action, venture or employment wherein sensitive information shall be used for the profit of any party other than those furnishing the information.
Travel: Travel is not anticipated for this effort.
Contract Award Meeting: The Contractor shall not commence performance on the tasks in this SOW until the Contracting Officer has conducted a kick off meeting or has advised the Contractor that a kick off meeting is waived.
Changes to the Statement of Work: Any changes to this SOW shall be authorized and approved only through written correspondence from the Contracting Officer. A copy of each change will be kept in a project folder along with all other products of the project. Costs incurred by the Contractor, through the actions of parties other than the Contracting Officer, shall be borne by the Contractor.
Security and Privacy: Information and Records
All information and records provided to Contractor by VA, in whatever medium, as well as all information and documents, including drafts, emails, back-up copies, hand-written notes and copies that contain such information and records gathered or created by Contractor (collectively referred to as "VA information") in the performance of this contract, regardless of storage media, are the exclusive property of VA. Contractor does not retain any property interest in these materials and will not use them for any purpose other than performance of this contract. Upon completion or termination of the contract, Contractor will either provide all copies of all VA information to VA or certify that it has destroyed all copies of all VA information as required by VA in a method specified by VA, at VA's option. The Contractor will not retain any copies of VA information. Where immediate return or destruction of the information is not practicable, Contractor will return or destroy the information within 30 days of completion or termination of the contract.
All provisions of this contract concerning the security and protection of the VA information that is the subject of this contract will continue to apply to the VA information for as long as the Contractor retains it, regardless of whether the contract has been completed or terminated. Prior to termination or completion of this contract, Contractor will not destroy VA information received from VA or gathered or created by Contractor in the course of performing this contract without prior written approval by VA. Contractor will receive, gather, store, backup, maintain, use, disclose and dispose of VA information only in accordance with the terms of this contract and applicable federal and VA information confidentiality and security laws, regulations and policies. The Contractor shall not make copies of VA information except as necessary to perform this agreement or to preserve electronic information stored on Contractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor needs to be restored to an operating state. Contractor shall provide access to VA information only to employees, subcontractors, and affiliates only: (1) to the extent necessary to perform the services specified in this Contract, (2) to perform necessary maintenance functions for electronic storage or transmission media necessary for performance of this contract, and (3) only to individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees must meet in order to have access to the same VA information. These restrictions include the same level of background investigations, where applicable. Contractor will store, transport or transmit VA information only in an encrypted form, using an encryption application that meets the requirements of FIPS 140-2, and is approved for use by VA. 
Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two other situations: (i) in response to an order of a court of competent jurisdiction, or (ii) with VA's prior written authorization. The contractor will refer all requests for, demands for production of, or inquiries about, VA information to VA for response. If VA information subject to the contract includes information protected by 38 USC 7332, or 5705, include the following after the last sentence of the paragraph immediately above: Contractor shall not release information protected by either 38 USC 5705 or 7332 in response to a court order, and shall immediately refer such court orders to VA for response. Prior to any disclosure pursuant to a court order, the Contractor shall promptly notify VA of the court order upon its receipt by the Contractor, provide VA with a copy by fax or email, whichever is faster, and notify by telephone the VA individual designated in advance to receive such notices. If the Contractor cannot notify VA before being compelled to produce the information under court order, the Contractor will notify VA of the disclosure as soon as practical and provide a copy of the court order, including a copy of the court order, a description of the records provided pursuant to the court order, and to whom the Contractor provided the records under the court order. The notice will include the following information to the extent that the Contractor knows it, if it does not show on the face of the court order: the records disclosed pursuant to the order, to whom, where, when, and for what purpose, and any other information that the Contractor reasonably believes is relevant to the disclosure. 
If VA determines that it is appropriate to seek retrieval of information released pursuant to a court order before Contractor notified VA of the court order, Contractor will assist VA in attempting to retrieve the VA information involved. The Contractor will inform VA, by the most expeditious method available to Contractor, of any incident of suspected or actual access to, or disclosure, disposition, alteration or destruction of, VA information not authorized under this Contract ("incident") within one hour of learning of the incident. An incident includes the transmission, storage or access of VA information by Contractor or subcontractor employees in violation of applicable VA confidentiality and security requirements. To the extent known by the Contractor, the Contractor's notice to VA will identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information was placed at risk or compromised), and any other information that the contractor considers relevant. Contractor will simultaneously report the incident to the appropriate law enforcement entity(ies) of jurisdiction. The Contractor, its employees, and its subcontractors and their employees will cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor also will cooperate with VA in any civil litigation to recover VA information, to obtain monetary or other compensation from a third party for damages arising from any incident, or to obtain injunctive relief against any third party arising from, or related to, the incident. In addition to notifying the COTR on this BPA, VA will provide the Contractor with the name, title, telephone number, fax number and email address of the VA official to whom the Contractor will provide all notices required by this Contract. This shall be indicated on the specific task orders. 
VA has the right during normal business hours to inspect the Contractor's facility, information technology systems and storage and transmission equipment, and software utilized to perform the contract to ensure that the Contractor is providing for the security of VA data and computer systems in accordance with the terms of this Contract. Contractor will receive, gather, store, backup, maintain, use, disclose and dispose of VA information only in compliance with all applicable Federal Information Processing Standards (FIPS) and Special Publications (SPs) issued by the National Institute of Standards and Technology (NIST) concerning VA information that is the subject of this contract. If NIST issues or updates an applicable FIPS or SP after execution of this contract, the parties agree to negotiate in good faith to implement the FIPS or SP in this contract. The Contractor will provide appropriate administrative, technical, and physical safeguards to ensure the confidentiality and security of the Owner's data and to prevent unauthorized use or access to it. VA sensitive information must not be transmitted by remote access unless VA-approved protection mechanisms are used. All encryption modules used to protect VA data must be validated by NIST to meet the currently applicable version of Federal Information Processing Standards (FIPS) 140 (See http://csrc.nist.gov/groups/STM/cmvp/ for a complete list of validated cryptographic modules). Only approved encryption solutions using validated modules may be used when protecting data during transmission. Additional security controls are required to guard VA sensitive information stored on computers used outside VA facilities. All VA data must be stored in an encrypted partition on the hard drive and must be encrypted with FIPS 140 validated software. The application must be capable of key recovery and a copy of the encryption key(s) must be stored in multiple secure locations. 
Further, the Contractor agrees that the data must not be physically moved or transmitted in any way from the site without first being encrypted and obtaining prior written approval from the VA data owner. A determination by VA that the Contractor has violated any of the information confidentiality and security provisions of this contract, including a violation of any applicable FIPS or SP, shall be a basis for VA to terminate the contract for cause. If anyone performing this contract, including employees of subcontractors, accesses VA computer systems or data in the performance of the contract, VA may monitor and record all such access activity. If VA monitoring reveals any information of suspected or potential criminal law violations, VA will refer the matter to the appropriate law enforcement authorities for investigation. Contractor shall inform its employees and other individuals performing any part of this contract that VA may monitor their actions in accessing or attempting to access VA computer systems and the possible consequences to them for improper access, whether successful or not. The Contractor shall ensure that any subcontractors or others acting on behalf of or for the Contractor in performing any part of this contract inform their employees, associates or others acting on their behalf that VA may monitor their access activities. Execution of this contract and any subcontract or agreement constitutes consent to VA monitoring. The Contractor will ensure that all individuals who will access VA data or systems in performing the contract are appropriately trained in the applicable VA confidentiality and security requirements. Contractor may do this by requiring and documenting that these individuals have completed the VA training for its employees. Contractor shall contact the Associate COTR on the individual Task Order regarding access to the required VA training. 
To the extent practicable, Contractor shall mitigate any harmful effect on individuals whose VA information was accessed or disclosed in an incident. Contractor shall require subcontractors, agents, affiliates or others to whom Contractor provides access to VA information for the performance of this contract to agree to the same VA information confidentiality and security restrictions and conditions that apply to the Contractor before providing access. Protection of Individual Privacy: The contractor shall abide by FAR clauses 52.224-1 and 52.224-2. The VA records that are the subject of this contract are contained in VA Privacy Act system of records Program Evaluation Research Data Records #107VA008B. The contractor shall abide by FAR clauses 52.239-1 and 48 C.F.R. §§ 24.101-104 for Privacy or Security Safeguards. The contractor shall not publish or disclose in any manner, without the Contracting Officer's written consent, the details of any safeguards either designed or developed by the contractor under this contract or otherwise provided by the government. To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the contractor shall afford the Government access to the contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases. If new or unanticipated threats or hazards are discovered by either the Government or the contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party. The contractor shall utilize only employees, subcontractors or agents who are physically located within a jurisdiction subject to the laws of the United States. The contractor will ensure that it does not use or disclose PHI received from Covered Entity in any way that will remove the PHI from such jurisdiction. 
The contractor will ensure that its employees, subcontractors and agents do not use or disclose PHI received from Covered Entity in any way that will remove the PHI from such jurisdiction. Information System Security: The Contractor shall ensure adequate LAN/Internet, data, information, and system security in accordance with VA standard operating procedures and standard contract language, conditions laws, and regulations. The Contractor's firewall and web server shall meet or exceed the government minimum requirements for security. All government data shall be protected behind an approved firewall. Any security violations or attempted violations shall be reported to the VA project manager and the VHA Headquarters Information Security Officer as soon as possible. The Contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification accreditation. Security Training: All Contractor employees and subcontractors under this contract order are required to complete the VA's on-line Security Awareness Training Course and the Privacy Awareness Training Course annually. Contractors must provide signed certifications of completion to the CO during each year of the contract. This requirement is in addition to any other training that may be required of the Contractor and subcontractor(s). Contractor Personnel Security: All Contractor employees who require access to the Department of Veterans Affairs' computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security and Investigations Center (07C). The level of background security investigation will be in accordance with VA Directive 0710 dated September 10, 2004 and is available at: http://www.va.gov/pubs/asp/edsdirec.asp (VA Handbook 0710, Appendix A, Tables 1 - 3). 
Appropriate Background Investigation (BI) forms will be provided upon contract (or task order) award, and are to be completed and returned to the VA Security and Investigations Center (07C) within 30 days for processing. Contractors will be notified by 07C when the BI has been completed and adjudicated. These requirements are applicable to all subcontractor personnel requiring the same access. If the security clearance investigation is not completed prior to the start date of the contract, the employee may work on the contract while the security clearance is being processed, but the Contractor will be responsible for the actions of those individuals they provide to perform work for the VA. In the event that damage arises from work performed by Contractor personnel, under the auspices of the contract, the Contractor will be responsible for resources necessary to remedy the incident. The investigative history for Contractor personnel working under this contract must be maintained in the databases of either the Office of Personnel Management (OPM) or the Defense Industrial Security Clearance Organization (DISCO). Should the Contractor use a vendor other than OPM or Defense Security Service (DSS) to conduct investigations, the investigative company must be certified by OPM/DSS to conduct Contractor investigations. Background Investigation: The position sensitivity impact for this effort has been designated as Low Risk and the level of background investigation is NACI. Contractor Responsibilities: The Contractor shall bear the expense of obtaining background investigations. The cost of a Low Risk background investigation is $230/ea. If the investigation is conducted by the Office of Personnel Management (OPM) through the VA, the Contractor shall reimburse the VA within 30 days. Background investigations from investigating agencies other than OPM are permitted if the agencies possess an OPM and Defense Security Service certification. 
The Vendor Cage Code number must be provided to the Security and Investigations Center (07C), which will verify the information and advise the contracting officer whether access to the computer systems can be authorized. The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak and understand the English language. After contract award and prior to contract performance, the Contractor shall provide the following information, using Attachment D Security Background Investigation Information, to the CO or designated COTR: (1) List of names of Contractor personnel. (2) Social Security Number of Contractor personnel. (3) Home address of Contractor personnel or the Contractor's address. The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract. Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default. Further, the Contractor will be responsible for the actions of all individuals provided to work for the VA under this contract. In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor will be responsible for all resources necessary to remedy the incident. Government Responsibilities: The VA Security and Investigations Center (07C) will provide the necessary forms to the Contractor or to the Contractor's employees after receiving a list of names and addresses. Upon receipt, the VA Security and Investigations Center (07C) will review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation. The VA facility will pay for investigations conducted by the OPM in advance. In these instances, the Contractor will reimburse the VA facility within 30 days. 
The VA Security and Investigations Center (07C) will notify the contracting officer and Contractor after adjudicating the results of the background investigations received from OPM. The Contracting Officer will ensure that the Contractor provides evidence that investigations have been completed or are in the process of being requested. The Contractor is responsible for being in compliance with VA Handbook 6500.6, Appendix C, dated March 12, 1010, Attachment E, VA Information and Information System Security/Privacy Language for Inclusion into Contracts, As Appropriate regarding access to VA information and VA information systems. VA Internet and Intranet Standards: The contractor shall adhere to and comply with VA Directive 6102 and VA Handbook 6102, Internet/Intranet Services, including applicable amendments and changes, if the contractor's work includes managing, maintaining, establishing and presenting information on VA's Internet/Intranet Service Sites. This pertains, but is not limited to: creating announcements; collecting information; databases to be accessed, graphics and links to external sites. Internet/Intranet Services Directive 6102 is posted at: http://www.va.gov/pubs/directives/Information-Resources-Management-(IRM)/6102d.doc Internet/Intranet Services Handbook 6102 is posted at: http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/6102h.doc. Internet/Intranet Services Handbook 6102, Change 1, is posted at: http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/61021h.doc. These documents contain information regarding: VA cookie use policy, privacy statements, Section 508 applicability, posting "Hot Topics", warning notices and editorial changes. Invoicing Acceptance: The Contractor shall forward invoices related to this effort by regular mail to the Austin Financial Services Center with a copy sent by electronic mail to the Local Associate COTR on the Task Order on a monthly basis. 
All invoices submitted shall contain the following information: BPA Number: Purchase Order/Task Order Number: Contractor Name: Invoicing Period: Services Provided: The above information shall be listed on the invoices, provided VHA has identified the appropriate numbers on its Purchase Order and indicated on the Purchase Order that the above references need to be referenced on the invoice. The Contractor shall submit invoices to VA on a monthly basis for the length of the project. BPA/Task Order Termination: VA has the right to terminate (in whole or in part) all resultant BPA(s) and/or task order(s) issued against it at any time in accordance with the termination clauses of the governing GSA Schedule Contract. The Contractor will be paid only for the services rendered up to the point of receiving the termination notice, and then only to the extent that those services meet the requirements of this SOW. Confidentiality and Nondisclosure: It is agreed that: 1. The preliminary and final deliverables and all associated working papers, application source code, and other material deemed relevant by the VA which has been generated by the contractor in the performance of this task order are the exclusive property of the U.S. Government and shall be submitted to the Contracting Officer at the conclusion of the task order. 2. The Contracting Officer will be the sole authorized official to release verbally or in writing, any data, the draft deliverables, the final deliverables, or any other written or printed materials pertaining to this Blanket Purchase Agreement. No information shall be released by the contractor. Any request for information relating to this task order presented to the contractor shall be submitted in writing to the Contracting Officer for response. 3. Press releases, marketing material or any other printed or electronic documentation related to this project, shall not be publicized without the written approval of the Contracting Officer. 4. The Contractor will sign a National Business Associate Agreement with the VA, in accordance with the HIPAA mandate after award.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/VA/NaVAMC/VAMCCO80220/VA24910RQ0254/listing.html)
 
Place of Performance
Address: 800 ZORN AVENUE;LOUISVILLE, KENTUCKY
Zip Code: 40206
 
Record
SN02178313-W 20100617/100615235726-6caa33f2a7b1c01e1d89539cc4e18a3f (fbodaily.com)
 