Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF NOVEMBER 24, 2019 SAM #6569
SOLICITATION NOTICE

65 -- Cardiology BPA Call

Notice Date
11/22/2019 9:32:34 AM
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
339113 — Surgical Appliance and Supplies Manufacturing
 
Contracting Office
NAVAL MEDICAL CENTER PORTSMOUTH VA PORTSMOUTH VA 23708 USA
 
ZIP Code
23708
 
Solicitation Number
N0018320Q0013
 
Response Due
11/27/2019 2:00:00 PM
 
Archive Date
12/12/2019
 
Point of Contact
Harold D Woodley, Phone: 7579537276, Fax: 7579535739, Christopher S. Ward, Phone: 7579533412, Fax: 7579535739
 
E-Mail Address
harold.d.woodley.civ@mail.mil, christopher.s.ward1.civ@mail.mil
 
Description
Section A - Solicitation/Contract Form

CONTRACTOR INFORMATION

THIS IS AN INFORMATION NOTICE ONLY - NO AWARD WILL BE MADE FROM THIS NOTIFICATION. This is an announcement that the Government intends to issue a call against an existing Blanket Purchase Agreement (BPA) for Cardio Thoracic Clinic consignment items used at the Naval Medical Center Portsmouth Virginia. The call will be placed against Naval Medical Center Portsmouth’s BPA N0018317A0004. The Call will be issued for a total amount of $150,000.00 covering the period December 1-31, 2019.

Section B - Supplies or Services and Prices

ITEM NO: 0001
SUPPLIES/SERVICES: Cost estimate for Boston Scientifi
QUANTITY: 1
UNIT: Months
UNIT PRICE:
AMOUNT:
FFP
Consignment contract for cardiac intervention and peripheral vascular O/P for 1-31 Dec 2019.
FOB: Destination
MILSTRIP: N0018320RCCV012
PURCHASE REQUEST NUMBER: N0018320RCCV012
PSC CD: 6515
NET AMT:

Section C - Descriptions and Specifications

CONTRACTOR UNCLASSIFIED ACCESS

Contractor Unclassified Access to Federally Controlled Facilities, Sensitive Information, Information Technology (IT) Systems or Protected Health Information (Jan 2017)

Homeland Security Presidential Directive (HSPD)-12, requires government agencies to develop and implement Federal security standards for Federal employees and contractors. The Deputy Secretary of Defense Directive-Type Memorandum (DTM) 08-006 - "DoD Implementation of Homeland Security Presidential Directive - 12 (HSPD-12)" dated November 26, 2008 (or its subsequent DoD instruction) directs implementation of HSPD-12. This clause is in accordance with HSPD-12 and its implementing directives.

APPLICABILITY

This text applies to contractor employees requiring physical access to any area of a federally controlled base, facility or activity and/or requiring access to a DoN or DoD computer/network/system to perform certain unclassified sensitive duties.
This clause also applies to contractor employees who access Privacy Act and Protected Health Information, provide support associated with fiduciary duties, or perform duties that have been identified as National Security Position, as advised by the command security manager. It is the responsibility of the responsible security officer of the command/facility where the work is performed to ensure compliance.

Each contractor employee providing services at a Navy Command under this contract is required to obtain a Department of Defense Common Access Card (DoD CAC). Additionally, depending on the level of computer/network access, the contract employee will require a successful investigation as detailed below.

ACCESS TO FEDERAL FACILITIES

Per HSPD-12 and implementing guidance, all contractor employees working at a federally controlled base, facility or activity under this clause will require a DoD CAC. When access to a base, facility or activity is required contractor employees shall in-process with the Command’s Security Manager upon arrival to the Command and shall out-process prior to their departure at the completion of the individual’s performance under the contract.

ACCESS TO DOD IT SYSTEMS

In accordance with SECNAV M-5510.30, contractor employees who require access to DoN or DoD networks are categorized as IT-I, IT-II, or IT-III. The IT-II level, defined in detail in SECNAV M-5510.30, includes positions which require access to information protected under the Privacy Act, to include Protected Health Information (PHI). All contractor employees under this contract who require access to Privacy Act protected information are therefore categorized no lower than IT-II.
IT Levels are determined by the requiring activity’s Command Information Assurance Manager.

Contractor employees requiring privileged or IT-I level access, (when specified by the terms of the contract) require a Single Scope Background Investigation (SSBI) or T5 or T5R equivalent investigation, which is a higher level investigation than the National Agency Check with Law and Credit (NACLC)/T3/T3R described below. Due to the privileged system access, an investigation suitable for High Risk national security positions is required. Individuals who have access to system control, monitoring, or administration functions (e.g. system administrator, database administrator) require training and certification to Information Assurance Technical Level 1, and must be trained and certified on the Operating System or Computing Environment they are required to maintain.

Access to sensitive IT systems is contingent upon a favorably adjudicated background investigation. When access to IT systems is required for performance of the contractor employee’s duties, such employees shall in-process with the Navy Command’s Security Manager and Information Assurance Manager upon arrival to the Navy command and shall out-process prior to their departure at the completion of the individual’s performance under the contract. Completion and approval of a System Authorization Access Request Navy (SAAR-N) form is required for all individuals accessing Navy Information Technology resources. The decision to authorize access to a government IT system/network is inherently governmental. The contractor supervisor is not authorized to sign the SAAR-N; therefore, the government employee with knowledge of the system/network access required or the COR shall sign the SAAR-N as the "supervisor".

The SAAR-N shall be forwarded to the Command’s Security Manager at least 30 days prior to the individual’s start date.
Failure to provide the required documentation at least 30 days prior to the individual’s start date may result in delaying the individual’s start date.

When required to maintain access to required IT systems or networks, the contractor shall ensure that all employees requiring access complete annual Information Assurance (IA) training, and maintain a current requisite background investigation. The Contractor’s Security Representative shall contact the Command Security Manager for guidance when reinvestigations are required.

INTERIM ACCESS

The Command's Security Manager may authorize issuance of a DoD CAC and interim access to a DoN or DoD unclassified computer/network upon a favorable review of the investigative questionnaire and advance favorable fingerprint results. When the results of the investigation are received and a favorable determination is not made, the contractor employee working on the contract under interim access will be denied access to the computer network and this denial will not relieve the contractor of his/her responsibility to perform.

DENIAL OR TERMINATION OF ACCESS

The potential consequences of any requirement under this clause including denial or termination of physical or system access in no way relieves the contractor from the requirement to execute performance under the contract within the timeframes specified in the contract. Contractors shall plan ahead in processing their employees and subcontractor employees. The contractor shall insert this clause in all subcontracts when the subcontractor is permitted to have unclassified access to a federally controlled facility, federally-controlled information system/network and/or to government information, meaning information not authorized for public release.

CONTRACTOR’S SECURITY REPRESENTATIVE

The contractor shall designate an employee to serve as the Contractor’s Security Representative.
Within three work days after contract award, the contractor shall provide to the requiring activity’s Security Manager and the Contracting Officer, in writing, the name, title, address and phone number for the Contractor’s Security Representative. The Contractor’s Security Representative shall be the primary point of contact on any security matter. The Contractor’s Security Representative shall not be replaced or removed without prior notice to the Contracting Officer and Command Security Manager.

BACKGROUND INVESTIGATION REQUIREMENTS AND SECURITY APPROVAL PROCESS FOR CONTRACTORS ASSIGNED TO NATIONAL SECURITY POSITIONS OR PERFORMING SENSITIVE DUTIES

Navy security policy requires that all positions be given a sensitivity value based on level of risk factors to ensure appropriate protective measures are applied. Contractor employees under this contract are recognized as Non-Critical Sensitive [ADP/IT-II] positions when the contract scope of work require physical access to a federally controlled base, facility or activity and/or requiring access to a DoD computer/network, to perform unclassified sensitive duties. This designation is also applied to contractor employees who access Privacy Act and Protected Health Information (PHI), provide support associated with fiduciary duties, or perform duties that have been identified as National Security Positions. At a minimum, each contractor employee must be a US citizen and have a favorably completed NACLC or T3 or T3R equivalent investigation to obtain a favorable determination for assignment to a non-critical sensitive or IT-II position. The investigation consists of a standard NAC and a FBI fingerprint check plus law enforcement checks and credit check.
Each contractor employee filling a non-critical sensitive or IT-II position is required to complete:

• SF-86 Questionnaire for National Security Positions (or equivalent OPM investigative product)
• Two FD-258 Applicant Fingerprint Cards (or an electronic fingerprint submission)
• Original Signed Release Statements

Failure to provide the required documentation at least 30 days prior to the individual’s start date shall result in delaying the individual’s start date. Background investigations shall be reinitiated as required to ensure investigations remain current (not older than 10 years) throughout the contract performance period. The Contractor’s Security Representative shall contact the Command Security Manager for guidance when reinvestigations are required.

Regardless of their duties or IT access requirements ALL contractor employees shall in-process with the Command’s Security Manager upon arrival to the command and shall out-process prior to their departure at the completion of the individual’s performance under the contract. Employees requiring IT access shall also check-in and check-out with the Navy Command’s Information Assurance Manager. Completion and approval of a System Authorization Access Request Navy (SAAR-N) form is required for all individuals accessing Navy Information Technology resources. The SAAR-N shall be forwarded to the Navy Command’s Security Manager at least 30 days prior to the individual’s start date. Failure to provide the required documentation at least 30 days prior to the individual’s start date shall result in delaying the individual’s start date.

The contractor shall ensure that each contract employee requiring access to IT systems or networks complete annual Information Assurance (IA) training, and maintain a current requisite background investigation. Contractor employees shall accurately complete the required investigative forms prior to submission to the Command Security Manager.
The Command’s Security Manager will review the submitted documentation for completeness prior to submitting it to the Office of Personnel Management (OPM); Potential suitability or security issues identified may render the contractor employee ineligible for the assignment. An unfavorable determination is final (subject to SF-86 appeal procedures) and such a determination does not relieve the contractor from meeting any contractual obligation under the contract. The Command’s Security Manager will forward the required forms to OPM for processing. Once the investigation is complete, the results will be forwarded by OPM to the DoD Central Adjudication Facility (CAF) for a determination.

If the contractor employee already possesses a current favorably adjudicated investigation, the contractor shall submit a Visit Authorization Request (VAR) via the Joint Personnel Adjudication System (JPAS) or a hard copy VAR directly from the contractor’s Security Representative. Although the contractor will take JPAS "Owning" role over the contractor employee, the Command will take JPAS "Servicing" role over the contractor employee during the hiring process and for the duration of assignment under that contract. The contractor shall include the IT Position Category per SECNAV M-5510.30 for each employee designated on a VAR. The VAR requires annual renewal for the duration of the employee’s performance under the contract.

Section E - Inspection and Acceptance

INSPECTION AND ACCEPTANCE TERMS

Supplies/services will be inspected/accepted at:

CLIN: 0001
INSPECT AT: Destination
INSPECT BY: Government
ACCEPT AT: Destination
ACCEPT BY: Government

Section F - Deliveries or Performance

DELIVERY INFORMATION

CLIN: 0001
DELIVERY DATE: 31-DEC-2019
QUANTITY: 1
SHIP TO ADDRESS:
NAVAL MEDICAL CENTER
RECEIVING OFFICER
54 LEWIS MINOR STREET
BLDG. 250
PORTSMOUTH VA 23708-2297
757-953-5770
FOB: Destination
DODAAC / CAGE: N00183

DOCK DELIVERY

Naval Medical Center Portsmouth (NMCP) Receiving Dock Hours of Operation:

NMCP Receiving Dock is open Monday through Friday 0700 to 1600 (7:00 a.m. to 4:00 p.m.) excluding federal holidays. Receiving personnel may be reached at 757-953-5770.

Section G - Contract Administration Data

CLAUSES INCORPORATED BY FULL TEXT

252.232-7006 WIDE AREA WORKFLOW PAYMENT INSTRUCTIONS (DEC 2018)

(a) Definitions. As used in this clause—

"Department of Defense Activity Address Code (DoDAAC)" is a six position code that uniquely identifies a unit, activity, or organization.

"Document type" means the type of payment request or receiving report available for creation in Wide Area WorkFlow (WAWF).

"Local processing office (LPO)" is the office responsible for payment certification when payment certification is done external to the entitlement system.

"Payment request" and "receiving report" are defined in the clause at 252.232-7003, Electronic Submission of Payment Requests and Receiving Reports.

(b) Electronic invoicing. The WAWF system provides the method to electronically process vendor payment requests and receiving reports, as authorized by Defense Federal Acquisition Regulation Supplement (DFARS) 252.232-7003, Electronic Submission of Payment Requests and Receiving Reports.

(c) WAWF access. To access WAWF, the Contractor shall—

(1) Have a designated electronic business point of contact in the System for Award Management at https://www.sam.gov; and

(2) Be registered to use WAWF at https://wawf.eb.mil/ following the step-by-step procedures for self-registration available at this web site.

(d) WAWF training. The Contractor should follow the training instructions of the WAWF Web-Based Training Course and use the Practice Training Site before submitting payment requests through WAWF.
Both can be accessed by selecting the "Web Based Training" link on the WAWF home page at https://wawf.eb.mil/.

(e) WAWF methods of document submission. Document submissions may be via web entry, Electronic Data Interchange, or File Transfer Protocol.

(f) WAWF payment instructions. The Contractor shall use the following information when submitting payment requests and receiving reports in WAWF for this contract or task or delivery order:

(1) Document type. The Contractor shall submit payment requests using the following document type(s):

(i) For cost-type line items, including labor-hour or time-and-materials, submit a cost voucher.

(ii) For fixed price line items—

(A) That require shipment of a deliverable, submit the invoice and receiving report specified by the Contracting Officer.

____________COMBO FOR SUPPLIES____________

(Contracting Officer: Insert applicable invoice and receiving report document type(s) for fixed price line items that require shipment of a deliverable.)

(B) For services that do not require shipment of a deliverable, submit either the Invoice 2in1, which meets the requirements for the invoice and receiving report, or the applicable invoice and receiving report, as specified by the Contracting Officer.

________________________

(Contracting Officer: Insert either "Invoice 2in1" or the applicable invoice and receiving report document type(s) for fixed price line items for services.)

(iii) For customary progress payments based on costs incurred, submit a progress payment request.

(iv) For performance based payments, submit a performance based payment request.

(v) For commercial item financing, submit a commercial item financing request.

(2) Fast Pay requests are only permitted when Federal Acquisition Regulation (FAR) 52.213-1 is included in the contract.

[Note: The Contractor may use a WAWF "combo" document type to create some combinations of invoice and receiving report in one step.]

(3) Document routing. The Contractor shall use the information in the Routing Data Table below only to fill in applicable fields in WAWF when creating payment requests and receiving reports in the system.

Routing Data Table*
(Field Name in WAWF: Data to be entered in WAWF)

Pay Official DoDAAC: HQ0248
Issue By DoDAAC: N00183
Admin DoDAAC**: N00183
Inspect By DoDAAC: N/A
Ship To Code: N00183
Ship From Code: N/A
Mark For Code: N/A
Service Approver (DoDAAC): N/A
Service Acceptor (DoDAAC): N/A
Accept at Other DoDAAC: N/A
LPO DoDAAC: N00183
DCAA Auditor DoDAAC: N/A
Other DoDAAC(s): N/A

(*Contracting Officer: Insert applicable DoDAAC information. If multiple ship to/acceptance locations apply, insert "See Schedule" or "Not applicable.")

(**Contracting Officer: If the contract provides for progress payments or performance-based payments, insert the DoDAAC for the contract administration office assigned the functions under FAR 42.302(a)(13).)

(4) Payment request. The Contractor shall ensure a payment request includes documentation appropriate to the type of payment request in accordance with the payment clause, contract financing clause, or Federal Acquisition Regulation 52.216-7, Allowable Cost and Payment, as applicable.

(5) Receiving report. The Contractor shall ensure a receiving report meets the requirements of DFARS Appendix F.

(g) WAWF point of contact.

(1) The Contractor may obtain clarification regarding invoicing in WAWF from the following contracting activity’s WAWF point of contact.

_USN.DETRICK.NAVMEDLOGCOMFTDMD.LIST.NMLC-WAWF@MAI.MIL___

(Contracting Officer: Insert applicable information or "Not applicable.")

(2) Contact the WAWF helpdesk at 866-618-5988, if assistance is needed.

(End of clause)

Section H - Special Contract Requirements

PRIVACY & SECURITY OF PHI

BUSINESS ASSOCIATE AGREEMENT

Privacy, Access, Use, and Disclosure of Protected Health Information

1. Introduction. In accordance with 45 C.F.R. §§ 164.502(e)(2) and 164.504(e), and DoDM 6025.18, "Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in DoD Health Care Programs," March 13, 2019, this document serves as a Business Associate Agreement (BAA) between the signatory Parties for purposes of the HIPAA and the "HITECH Act" amendments thereof, as implemented by the HIPAA Rules and DoD HIPAA issuances (both defined below). The Parties are (1) a DoD Military Health System (MHS) component command such as a Navy Medicine Medical Treatment Facility (MTF) (Naval Medical center or Naval hospital), or special mission command (research, public health, other), acting as a HIPAA covered entity, and (2) another Federal or Government organization, civilian academic institution, or other civilian entity, acting as a HIPAA Business Associate (BA). The HIPAA Rules require BAAs between covered entities and BAs. Implementing this BAA requirement, the applicable DoD HIPAA issuances (DoDM 6025.18) provides that requirements applicable to BAs must be incorporated (or incorporated by reference) into the contract or agreement between the Parties.

2. Definitions:

a. Terms. Except as provided otherwise in this BAA, the following terms used in this BAA shall have the same meaning as those terms in the DoD HIPAA Rules (DoDM6025.18-): Data aggregation, designated record set, disclosure, health care operations, individual, minimum necessary, notice of privacy practices, protected health information (PHI), required by law, secretary, security incident, subcontractor, unsecured PHI, and use.

b. Breach. means actual or possible loss of control, unauthorized disclosure of or unauthorized access to PHI or other Personally Identifiable Information (PII) (which may include, but is not limited to PHI), where persons other than authorized users gain access or potential access to such information for any purpose other than authorized purposes, where one or more individuals will be adversely affected.
The foregoing definition is based on the definition of "Breach" in DoD Privacy Act issuances as defined herein.

c. BA. shall generally have the same meaning as the term "BA" in the DoD HIPAA issuances, and in reference to this BAA, shall mean the entity (another Government organization, civilian academic institution, or other civilian organization), entering into agreement with a Navy Medicine MTF or special mission command.

d. Agreement. means this BAA together with the documents or other arrangements under which the BA signatory performs services involving access to PHI on behalf of the MHS component signatory to this BAA.

e. Covered Entity. shall generally have the same meaning as the term "covered entity" in the DoD HIPAA issuances, and in reference to this BAA, shall mean a Navy Medicine MTF or special mission command under the Bureau of Medicine and Surgery.

f. DHA Privacy Office. means the Defense Health Agency (DHA) Privacy and Civil Liberties Office. The DHA Privacy Office Director is the HIPAA Privacy and Security Officer for DHA, including the National Capital Region Medical Directorate.

g. DoD HIPAA Issuances. means the DoD issuances implementing the HIPAA Rules in the DoD MHS. These issuances are DoDM 6025.18 "Implementation of the HIPAA Privacy Rule in DoD Health Care Programs," March 13, 2019; DoD Instruction 6025.18, Privacy of Individually Identifiable Health Information in DoD Health Care Programs of December 2009, and DoD Instruction 8580.02, Security of Individually Identifiable Health Information in DoD Health Care Programs of August 2015.

h. DoD Privacy Act Issuances. means the DoD issuances implementing the Privacy Act, which are DoD Directive 5400.11, DoD Privacy Program of 29 October 2014, and DoD 5400.11-R, Department of Defense Privacy Program of 8 May 2007.

i. HIPAA Rules. means, collectively, the HIPAA privacy, security, breach and enforcement rules, issued by the United States (US) Department of Health and Human Services (HHS) and codified at 45 C.F.R. §§ 160 and 164, Subpart E (Privacy), Subpart C (Security), Subpart D (Breach) and 45 C.F.R. § 160, Subparts C-D (Enforcement), as amended by the 2013 modifications to those Rules which implemented the "HITECH Act" provisions of Publication L. 111-5. See 78 Federal Regulation 5566-5702 of 25 January 2013 (with corrections at 78 Federal Regulation 32464 of 7 June 2013). Additional HIPAA rules regarding electronic transactions and code sets (45 C.F.R. § 162) are not addressed in this BAA and are not included in the term HIPAA Rules.

j. HHS Breach. means a breach that satisfies the HIPAA Breach Rule definition of "Breach" in 45 C.F.R. § 164.402.

k. Service-Level Privacy Office. means one or more offices within the military services (Army, Navy, or Air Force) with oversight authority over Privacy Act and HIPAA privacy compliance.

3. Obligations and Activities of BA:

a. The BA shall not access, use, or disclose PHI other than as permitted or required by this Agreement, the controlling Memorandum of Understanding (MOU) or training affiliation agreement, or as required by law.

b. The BA shall use appropriate safeguards and comply with the DoD HIPAA Rules with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Agreement, the controlling MOU, or law.

c. The BA shall report to the covered entity any Breach of which it becomes aware and shall proceed with breach response steps required by paragraph 7 (Breach Response) of this BAA. With respect to electronic PHI, the BA shall also respond to any security incident of which it becomes aware in accordance with any information assurance provisions of the Understanding.
If at any point the BA becomes aware that a security incident involves a breach, the BA shall immediately initiate breach response as required by paragraph 7 (Breach Response) of this BAA.

d. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), respectively, as applicable, the BA shall ensure that any entities that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions, conditions, and requirements that apply to the BA with respect to such PHI.

e. The BA shall make available PHI in a designated record set, to the covered entity or, as directed by the covered entity, to an Individual, as necessary to satisfy the covered entity obligations under 45 C.F.R. § 164.524.

f. The BA shall make any amendment(s) to PHI in a designated record set as directed or agreed to by the covered entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 C.F.R. § 164.526.

g. The BA shall maintain and make available the information required to provide an accounting of disclosures to the covered entity or an individual as necessary to satisfy the covered entity’s obligations under 45 C.F.R. § 164.528.

h. To the extent the BA is to carry out one or more of the covered entity’s obligation(s) under the HIPAA privacy rule, the BA shall comply with the requirements of HIPAA privacy rule that apply to the covered entity in the performance of such obligation(s).

i. The BA shall make its internal practices, books, and records available to the Secretary and the covered entity for purposes of audit and in determining compliance with the HIPAA Rules.

4. Permitted Uses and Disclosures by BA:

a. The BA may only use or disclose PHI as necessary to perform the services set forth in the Understanding or as required by law. The BA is not permitted to de-identify PHI under DoD HIPAA issuances or the corresponding 45 C.F.R. § 164.514(a) through (c), nor is it permitted to use or disclose de-identified PHI except as provided by the Understanding or directed by the covered entity.

b. The BA agrees to use, disclose, and request PHI only in accordance with the HIPAA privacy rule "minimum necessary" standard and corresponding DHA policies and procedures as stated in the DoD HIPAA issuances.

c. The BA shall not use or disclose PHI in a manner that would violate the DoD HIPAA issuances or HIPAA privacy rules if done by the covered entity, except uses and disclosures for the BA’s own management and administration and legal responsibilities or for data aggregation services as set forth in the following three paragraphs:

(1) Except as otherwise limited in the understanding, the BA may use PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA. The foregoing authority to use PHI does not apply to disclosure of PHI, which is covered in the next paragraph.

(2) Except as otherwise limited in the Understanding, the BA may disclose PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA, provided that disclosures are required by law, or the BA obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the BA of any instances of which it is aware in which the confidentiality of the information has been breached.

(3) Except as otherwise limited in the Understanding, the BA may use PHI to provide Data Aggregation services relating to the covered entity’s health care operations.

5. Provisions for Covered Entity to Inform BA of Privacy Practices and Restrictions:

a. The covered entity shall provide the BA with the notice of privacy practices that the covered entity produces in accordance with 45 C.F.R. § 164.520 and the corresponding provision of the DoD HIPAA issuances (DoDM 6025.18).

b. The covered entity shall notify the BA of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes affect the BA’s use or disclosure of PHI.

c. The covered entity shall notify the BA of any restriction on the use or disclosure of PHI that the covered entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such changes may affect the BA’s use or disclosure of PHI.

6. Permissible Requests by Covered Entity. The covered entity shall not request the BA to use or disclose PHI in any manner that would not be permissible under the HIPAA privacy rule or any applicable Government regulations (including without limitation, DoD HIPAA issuances) if done by the covered entity, except for providing Data Aggregation services to the covered entity and for management and administrative activities of the BA as otherwise permitted by this BAA.

7. Breach Response:

a. General. Breach Response is designed to satisfy the DoD Privacy Act issuances and the HIPAA Breach Rule as implemented by the DoD HIPAA issuances. In general, the BA shall report the breach to the covered entity, assess the breach incident, notify affected individuals, and take mitigating actions, as applicable. Because DoD defines "Breach" to include possible (suspected) as well as actual (confirmed) breaches, the BA shall implement these breach response requirements immediately upon the BA’s discovery of a possible breach. The following provisions set forth the BA’s Privacy Act and HIPAA breach response requirements for all breaches, including but not limited to HHS breaches (defined below).
In the event of a breach of PII or PHI held by the BA, the BA shall follow the breach response requirements set forth under paragraphs 7, 8, and 9 of this BAA, which are designed to satisfy both the Privacy Act and HIPAA, as applicable.

(1) If a breach involves PII without PHI, then the BA shall comply with DoD Privacy Act issuance breach response requirements only.

(2) If a breach involves PHI (a subset of PII), then the BA shall comply with both Privacy Act and HIPAA breach response requirements.

(3) If a breach involves PHI, it may or may not constitute an HHS Breach. If a breach is not an HHS Breach, then the BA has no HIPAA breach response obligations. In such cases, the BA must still comply with breach response requirements under the DoD Privacy Act issuances.

b. HHS Breach. If the DHA Privacy Office determines that a breach is an HHS Breach, then the BA shall comply with both the HIPAA Breach Rule and DoD Privacy Act issuances, as directed by the DHA Privacy Office, regardless of where the breach occurs.

c. Non-HHS Breach. If the DHA Privacy Office determines that the breach does not constitute an HHS Breach, then the BA shall comply with DoD Privacy Act issuances, as directed by the applicable Service-Level Privacy Office.

d. Service-Level Privacy Office Point of Contact (POC). Brian Martin, who may be reached at Comm: 904-542-3559, DSN: 312-942-3559, or via E-mail: brian.k.martin4.civ@mail.mil, or usn.ncr.bumedfchava.list.bumed-pii-rpt@mail.mil.

BRIAN K. MARTIN
CODE M31 PRIVACY OFFICE
BUMED DETACHMENT JACKSONVILLE
H2005 KNIGHT LANE
PO BOX 140
NAVAL AIR STATION JACKSONVILLE FL 32212

8. Breach Reporting Provisions:

a. The BA shall report the breach within 1 business day of discovery to the US Computer Emergency Readiness Team (US-CERT) and within 24 hours of discovery to the DHA Privacy Office and the other Parties set forth below.
The BA is deemed to have discovered a breach as of the time a breach (suspected or confirmed) is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing it) who is an employee, officer, or other agent of the BA.
b. The BA shall submit the US-CERT report using the online form at https://forms.us-cert.gov/report. Before submission to US-CERT, the BA shall save a copy of the on-line report. After submission, the BA shall record the US-CERT Reporting Number. Although only limited information about the breach may be available as of the 1 hour deadline for submission, the BA shall submit the US-CERT report by the deadline. The BA shall e-mail updated information as it is obtained, following the instructions at: http://www.us-cert.gov/pgp/email.html. The BA shall provide a copy of the initial or updated US-CERT report to the DHA Privacy Office and the applicable Service-Level Privacy Office, if requested by either.
BA questions about US-CERT reporting shall be directed to the DHA or Service-Level Privacy Office, not the US-CERT office.
c. The BA report due within 24 hours shall be submitted by completing the New Breach Reporting Form DD 2959 at the Breach Response page on the DHA Privacy Office web site and emailing that form to, as applicable, the DHA Privacy Office, the Service-Level Privacy Office, the Contracting Officer (CO) and Contracting Officer’s Representative (COR) (if the Understanding is not a contract, delete these references to the CO and COR), and the BA’s DoD POC unless the POC specifies another addressee for breach reporting. Encryption is not required, because Breach Report Forms should not contain PII or PHI. The email address for notices to the DHA Privacy Office is provided at the Privacy Office web site breach response page.
If electronic mail is not available, telephone notification is also acceptable, but all notifications and reports delivered telephonically must be confirmed by email as soon as technically feasible.
d. If multiple beneficiaries are affected by a single event or related set of events, then a single reportable breach may be deemed to have occurred, depending on the circumstances. The BA shall inform the DHA Privacy Office as soon as possible if it believes that "single event" breach response is appropriate; the DHA Privacy Office will determine how the BA shall proceed and, if appropriate, consolidate separately reported breaches for purposes of BA report updates, beneficiary notification, and mitigation.
e. When a Breach Report Form initially submitted is incomplete or incorrect due to unavailable information, or when significant developments require an update, the BA shall submit a revised form or forms, stating the updated status and previous report date(s) and showing any revisions or additions in red text. Examples of updated information the BA shall report include, but are not limited to:
(1) Confirmation on the exact data elements involved.
(2) Root cause of the incident.
(3) Any mitigation actions to include, sanctions, training, incident containment, follow-up, etc.
The BA shall submit these report updates promptly after the new information becomes available. Prompt reporting of updates is required to allow the DHA Privacy Office to make timely final determinations on any subsequent notifications or reports. The BA shall provide updates to the same Parties as required for the initial Breach Reporting Form. The BA is responsible for reporting all information needed by the DHA Privacy Office to make timely and accurate determinations on reports to HHS as required by the HHS Breach Rule and reports to the Defense Privacy and Civil Liberties Office as required by DoD Privacy Act issuances.
f.
In the event the BA is uncertain on how to apply the above requirements, the BA shall consult with the DHA privacy office or service-level privacy office when determinations on applying the above requirements are needed.
9. Breach - Individual Notification Provisions:
a. Determine if Notification is Required. If the DHA Privacy Office determines that individual notification is required, the BA shall provide written notification to individuals affected by the breach as soon as possible, but no later than 60 working days after the breach is discovered and the identities of the individuals ascertained. The 60-day period begins when the BA is able to determine the identities (including addresses) of the individuals whose records were impacted.
b. Draft Proposed Notification. The BA’s proposed notification to be issued to the affected individuals shall be submitted to the Parties to which reports are submitted under paragraph 7 (breach response) for their review and for approval by the DHA Privacy Office. Upon request, the BA shall provide the DHA Privacy Office with the final text of the notification letter sent to the affected individuals. If different groups of affected individuals receive different notification letters, then the BA shall provide the text of the letter for each group. PII shall not be included with the text of the letter(s) provided. Copies of further correspondence with affected individuals need not be provided unless requested by the Privacy Office. The BA’s notification to the individuals, at a minimum, shall include the following:
(1) Identify PII Lost. The individual(s) must be advised of what specific data was involved. It is insufficient to simply state that PII has been lost. Where names, Social Security Numbers (SSNs) or truncated SSNs, and Dates of Birth are involved, it is critical to advise the individual that these data elements potentially have been breached.
(2) Inform.
The affected individual(s) must be informed of the facts and circumstances surrounding the breach. The description should be sufficiently detailed so that the individual clearly understands how the breach occurred.
(3) Protective Actions. The affected individual(s) must be informed of what protective actions the BA is taking or the individual can take to mitigate against potential future harm. The notice must refer the individual to the current Federal Trade Commission (FTC) web site pages on identity theft and the FTC’s Identity Theft Hotline: Toll Free: 1-877-ID-THEFT (438-4338), TTY: 1-866-653-4261.
(4) Credit Monitoring. The individual(s) must also be informed of any mitigating support services (e.g., 1 year of free credit monitoring, identification of fraud expense coverage for affected individuals, provision of credit freezes, etc.) that the BA may offer affected individuals, the process to follow to obtain those services, the period of time the services will be made available, and contact information (including a phone number, either direct or toll-free, e-mail address and postal address) for obtaining more information.
(5) Labeling. BAs shall ensure any envelope containing written notifications to affected individuals are clearly labeled to alert the recipient to the importance of its contents (e.g., "Data Breach Information Enclosed") and that the envelope is marked with the identity of the BA or subcontractor organization that suffered the breach. The letter must also include contact information for a designated POC to include, phone number, email address, and postal address.
c. Notification within 60 Days. If the BA determines that it cannot readily identify, or will be unable to reach, some affected individuals within the 60-day period after discovering the breach, the BA shall so indicate in the initial or updated Breach Report Form. Within the 10-day period, the BA shall provide the approved notification to those individuals who can be reached.
Other individuals must be notified within 60 days after identities and addresses are ascertained. The BA shall consult with the DHA Privacy Office, which will determine which media notice is most likely to reach the population not otherwise identified or reached. The BA shall issue a generalized media notice(s) to that population in accordance with Privacy Office approval.
d. Costs. The BA shall, at no cost to the government, bear any costs associated with a breach of PII or PHI that the BA has caused or is otherwise responsible for addressing.
e. Security Incident versus Breach. Breaches are not to be confused with security incidents (often referred to as cyber security incidents when electronic information is involved), which may or may not involve a breach of PII or PHI. In the event of a security incident not involving a PII or PHI breach, the BA shall follow applicable DoD Information Assurance requirements under its Understanding. If at any point the BA finds that a cyber security incident involves a PII or PHI breach (suspected or confirmed), the BA shall immediately initiate the breach response procedures set forth herein. The BA shall also continue to follow any required cyber security incident response procedures to the extent needed to address security issues, as determined by DoD/DHA.
10. Termination:
a. Termination. Noncompliance by the BA (or any of its staff, agents, or subcontractors) with any requirements in this BAA may subject the BA to termination under any applicable default or other termination provision of the Understanding.
b. Effect of Termination.
(1) If the Understanding has records management requirements, the BA shall handle such records in accordance with the records management requirements. If the Understanding does not have records management requirements, the records should be handled in accordance with subparagraphs (2) and (3) below.
If the Understanding has provisions for transfer of records and PII or PHI to a successor BA or if DHA gives directions for such transfer, the BA shall handle such records and information in accordance with such Understanding provisions or DHA direction.
(2) If the Understanding does not have records management requirements, except as provided in the following paragraph (3), upon termination of the Understanding, for any reason, the BA shall return or destroy all PHI received from the covered entity, or created or received by the BA on behalf of the covered entity that the BA still maintains in any form. This provision shall apply to PHI that is in the possession of subcontractors or agents of the BA. The BA shall retain no copies of the PHI.
(3) If the Understanding does not have records management provisions and the BA determines that returning or destroying the PHI is infeasible, the BA shall provide to the covered entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the covered entity and the BA that return or destruction of PHI is infeasible, the BA shall extend the protections of the Understanding to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the BA maintains such PHI.
11. Miscellaneous:
a. Survival. The obligations of BA under the "Effect of Termination" provision of this BAA shall survive the termination of the Understanding.
b. Interpretation.
Any ambiguity in the Understanding shall be resolved in favor of a meaning that permits the covered entity and the BA to comply with HIPAA and the DoD HIPAA Rules.

BASE ACCESS
Base Access (NMCP)
Commander, Navy Installations Command (CNIC), has established the Navy Commercial Access Control System (NCACS), a standardized process for granting unescorted access privileges to vendors, contractors, suppliers and service providers not otherwise entitled to the issuance of a Common Access Card (CAC) who seek access to and can provide justification to enter Navy installations and facilities. Vendors visiting Naval Medical Center Portsmouth (NMCP) may obtain daily passes directly from Naval Station Norfolk (NSN) Pass and ID office, located at NSN (Bldg CD-9), 9040 Hampton Blvd, Norfolk, Virginia, 23505, by submitting identification credentials for verification and undergoing a criminal screening/ background check. Alternatively, if the vendor so chooses, it may voluntarily elect to obtain long-term credentials through enrollment, registration, background vetting, screening, issuance of credentials, and electronic validation of credentials at its own cost through one of the designated independent contractor NCACS service providers. Credentials will be issued every five years and access privileges will be reviewed / renewed on an annual basis. The costs incurred to obtain Navy installation access of any kind are not reimbursable, and the price(s) paid for obtaining long-term NCACS credentials will not be approved as a direct cost of this contract.
Further information regarding NCACS can be found at http://cnic.navy.mil/CNIC_HQ_Site/index.htm.

VENDORMATE
Vendormate Credentialing Requirement
Naval Medical Center, Portsmouth (NMCP) has instituted a Credentialing Program which is designed to streamline the collection and management of key information regarding the regulatory and compliance status as well as business operations of our suppliers.
The program requires all vendors and their representatives to register in order to gain base access to NMCP. One nominal annual credentialing fee covers your company as well as all representatives of your company that interact with NMCP.
The price ranges from $25 to $250 per year depending on your company’s risk profile and is paid directly to our partner, Vendormate Credentialing. It is imperative that each representative registers individually to maintain their personal credentials and ensure ongoing base access to our facility.
A Federal Tax Identification Number and a credit card are required to complete the initial registration. Additional representatives only need the Federal Tax Identification Number.
Register for Vendormate Credentialing at https://nmcp.vendormate.com.
For technical questions, go to https://ghx.com/customer-care.
Kiosks are located on the first and second floor entrances of Building two (2). Your representatives who visit NMCP may be required to sign in electronically to obtain an identification badge. With a valid appointment and current credentials, your representative will be able to print a single-use badge that is to be worn throughout the visit to any NMCP facility. Badges are required for all vendors on premises.
Please note that GHX Vendormate Credentialing is in addition to RapidGate for Base Access.
Vendors are required to register for both programs in order to come onboard the NMCP base.

Section I - Contract Clauses

CLAUSES INCORPORATED BY REFERENCE
252.203-7000  Requirements Relating to Compensation of Former DoD Officials  SEP 2011
252.203-7002  Requirement to Inform Employees of Whistleblower Rights  SEP 2013
252.204-7003  Control Of Government Personnel Work Product  APR 1992
252.204-7012  Safeguarding Covered Defense Information and Cyber Incident Reporting  OCT 2016
252.211-7003  Item Unique Identification and Valuation  MAR 2016
252.225-7048  Export-Controlled Items  JUN 2013
252.232-7003  Electronic Submission of Payment Requests and Receiving Reports  DEC 2018
252.237-7010  Prohibition on Interrogation of Detainees by Contractor Personnel  JUN 2013
252.243-7001  Pricing Of Contract Modifications  DEC 1991

CLAUSES INCORPORATED BY FULL TEXT

52.232-18 AVAILABILITY OF FUNDS (APR 1984)
Funds are not presently available for this contract. The Government's obligation under this contract is contingent upon the availability of appropriated funds from which payment for contract purposes can be made. No legal liability on the part of the Government for any payment may arise until funds are made available to the Contracting Officer for this contract and until the Contractor receives notice of such availability, to be confirmed in writing by the Contracting Officer.
(End of clause)

52.252-1 SOLICITATION PROVISIONS INCORPORATED BY REFERENCE (FEB 1998)
This solicitation incorporates one or more solicitation provisions by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. The offeror is cautioned that the listed provisions may include blocks that must be completed by the offeror and submitted with its quotation or offer. In lieu of submitting the full text of those provisions, the offeror may identify the provision by paragraph identifier and provide the appropriate information with its quotation or offer.
Also, the full text of a solicitation provision may be accessed electronically at this/these address(es):
http://www.arnet.gov/far
(End of provision)

52.252-2 CLAUSES INCORPORATED BY REFERENCE (FEB 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):
FAR Clauses http://acquisition.gov/comp/far/index.htm
DFAR Clauses http://www.acq.osd.mil/dpap/dars/dfars/index.htm
(End of clause)
 
Web Link
SAM.gov Permalink
(https://beta.sam.gov/opp/2fa22bbee78145c48339a7b00ea823f5/view)
 
Place of Performance
Address: 64000, VA 23708, USA
Zip Code: 23708
Country: USA
 
Record
SN05501875-F 20191124/191122230250 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
