SOURCES SOUGHT
D -- Web Eligibility and Demographics
- Notice Date
- 6/28/2022 6:42:13 AM
- Notice Type
- Sources Sought
- NAICS
- 541511 — Custom Computer Programming Services
- Contracting Office
- PCAC HEALTH INFORMATION (36C776) INDEPENDENCE OH 44131 USA
- ZIP Code
- 44131
- Solicitation Number
- 36C77622Q0381
- Response Due
- 7/15/2022 6:00:00 AM
- Archive Date
- 07/25/2022
- Point of Contact
- Greg McMillan Sr., Contract Specialist, Phone: 314-894-6656 x65119
- E-Mail Address
- VHACLEPCACSTL3@va.gov
- Awardee
- null
- Description
- Chief Business Office (CBO) Consolidated Patient Account Center (CPAC) Benefit and Demographics Information Single Web-based Portal Access to Multiple Insurance Carriers

1. Scope: The Veterans Health Administration (VHA) Revenue Operations is looking to procure a nationwide contract with a Contractor who has web-based internet access with one sign-on to access multiple payers' information for the purpose of verification of insurance carrier coverage and demographic information. The Contractor shall provide a single secure internet-based web portal to multiple national and regional insurance carriers with information regarding patient specific benefits and demographic data. The single web-based source shall have access to data that includes: claims status inquiry, benefit coverage and demographic information such as client address and telephone number(s). Access to information shall be web-based with no additional hardware or software requirements or licensing fees. The Contractor shall provide sufficient management to ensure the secure web-based access is available to VA 24/7 and provide timely customer service in compliance with the requirements of this PWS. Contractor shall be in compliance with government FEDRAMP requirements. Cloud services are not permitted.

2. Background: The Department of Veterans Affairs (VA) has historically relied on contract services in an effort to improve collections through Identification and validation of Veterans 3rd (third) party Insurance. The VA Consolidated Patient Account Center (CPAC) is responsible for billing to and collecting from Insurance companies for medical treatment provided to Veterans for non-service connected conditions. There are seven (7) regional CPACs located as follows:
   1. Asheville, NC - Mid-Atlantic CPAC (MACPAC)
   2. Smyrna, TN - Mid-South CPAC (MSCPAC)
   3. Middleton, WI - North Central CPAC (NCCPAC)
   4. Orlando, FL - Florida Caribbean CPAC (FCCPAC)
   5. Lebanon, PA - North East CPAC (NECPAC)
   6. Leavenworth, KS - Central Plains CPAC (CPCPAC)
   7. Las Vegas, NV - West CPAC (WCPAC)
Public Law 99-272 gave the VA authority to seek reimbursement from 3rd (third) party health insurers for the cost of medical care furnished to an insured non-service connected (NSC) Veteran. Public Law 101-508 expanded the VA's recovery program by providing authority to seek reimbursement from 3rd (third) party payers for the cost of medical care provided to insured service-connected Veterans treated for their NSC conditions.

3. Period of Performance (POP): The POP shall be from the date of award for a one (1) twelve (12) month base period-year period, plus three (3) consecutive twelve (12) month option periods.

4. Tasks: The Contractor shall grant access to the secure Internet-based portal with functionality that allows for the verification of coverage benefits and demographic information for the following CPACs: Asheville, NC - Mid-Atlantic CPAC (MACPAC), Smyrna, TN - Mid-South CPAC (MSCPAC), Middleton, WI - North Central CPAC (NCCPAC), Orlando, FL - Florida Caribbean CPAC (FCCPAC), Lebanon, PA - North East CPAC (NECPAC), and Leavenworth, KS - Central Plains CPAC (CPCPAC). Information within the portal shall include: patient coverage information, demographics, claims status inquiry and report capabilities. Access to information shall be web-based with no additional hardware or software requirements or licensing fees. The Contractor shall:
4.1 Provide the necessary implementation (set-up) for Internet-based access to include issuance of individual access (log-on) codes within five (5) days of request for access.
4.2 Provide web-based group and individual training for staff at start-up.
4.3 Aggressively pursue access to additional insurance carriers identified by a CPAC within 30 days from the date of the request.
4.4. Provide web-based access twenty four (24) hours a day, seven (7) days per week.
4.5. Specify a contact/liaison person, and alternate, and phone numbers for the duration of the work.
4.6. Provide telephone help desk service Monday thru Friday from 8:00 am EST to 4:30 pm PST.
4.7. Provide multiple search options with minimal patient information.
4.7.1 Services shall allow VA to search for eligibility identification for up to twenty (20) patients at one time.
4.7.2 Inquiries shall be run by date of service to check for current and past periods of eligibility identification.
4.8. Provide secure Internet-based access to patient locator inquiries, utilizing social security numbers, patient names, or last known addresses.
4.8.1 Address validation shall allow the user to search for current and previous addresses, entering social security numbers, patient names, or last known addresses.
4.8.2 Access to information shall be web-based with no additional hardware or software requirements or licensing fees.
4.8.3 Eligibility results shall print directly from the screen and shall allow for copying and pasting of responses into other systems.
4.8.4 Provide access to comprehensive demographic information to include patient address and telephone number(s).
4.9. Provide a comprehensive listing of health Insurance Carriers that provide:
4.9.1 Access to Medicaid
4.9.2 Access to Tricare
4.9.3 Access to multiple carriers to include the top fifteen (15) carriers within each CPAC.
4.10. Be in full compliance and certified with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
4.11. Be able to be fully operational to perform work outlined in the PWS within 5 (five) calendar days of award.

5. Key General Requirements and Assumptions:
5.1. The contract ceiling may be increased or decreased depending on the needs of the CPAC and availability of funding through coordination with the CO.
5.2. A Business Day is defined as Monday through Friday, excluding standard Federal Holidays and any other day specifically declared to be a national holiday.
5.3. Treat all identifiable health records with the strictest confidentiality. Access to records shall be limited to essential personnel only.
5.4. Comply with the Privacy Acts 38 USC 5701 and 38 USC 7332. Any personnel and/or patient data the Contractor shall obtain as a result of the performance of this contract shall not be disclosed to a 3rd (third) party or be used for the Contractor's own purpose except to the extent allowed by the Privacy Act.
5.5. Ensure Contractors do not have access to hardware or media which shall manipulate or store drug or alcohol abuse data, sickle cell anemia treatment records, records or tests or treatment for or infection with HIV, medical quality assurance records, or any other sensitive information that is protected under 38 U.S.C. 4132 or 3305 as defined by the VA, unless it is absolutely necessary to perform their contractual duties.
5.5.1 Any individual who has access to sensitive information shall not disclose to anyone, including other employees of the Contractor not involved in the performance of the particular contractual duty for which access was obtained.
5.5.2 Violation of these statutory provisions, as stated in department regulations by the Contractor's employees shall involve imposition of criminal penalties.
5.6. Report security incidents to the Contracting Officer's Representative (COR) and local VA Information Security Officer (ISO) as soon as an incident is discovered. Information submitted shall cite the incident date, name, organization, phone number, and e-mail of the person filing the report; including the affected system name and preliminary actions taken.
5.7. Meet the facility ISO before work starts to reinforce security responsibilities Contractor positions in the overall security program at each facility. Compliance with VA Directive 6504, Restrictions on Transmission, Transportation and use of, and access to, VA Data outside VA Facilities, issued June 7, 2006 is mandatory. There will be a facility ISO present at the Contract kick-off meeting.
5.8. Ensure measures are taken so fraud is not committed on work performed by Contractor.
5.9. Contractor claim expediting and collection activities shall be legal, ethical and in compliance with applicable legislation regulating debt collection practices.
5.9.1 The Workforce Investment Act of 1998, Public Law 105-220 was enacted on August 7, 1998.
5.9.2 Title IV of the Act is the Rehabilitation Act Amendments of 1998. Subsection 408 (b) amended Section 508 of the Rehabilitation Act of 1973.
5.9.3 Section 508 requires Federal departments or agencies to develop, procure, maintain, or use Electronic and Information Technology (EIT).
5.9.4 Agencies shall ensure that the EIT allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access and use of information and data to that of other Federal employees.
5.9.5 Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal department or agency, have access to and use of information and data that is comparable to that information and data that is available to the public not having the disabilities.

6. Section 508 Compliance: In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2) (A) of the Rehabilitation Act Amendments of 1998, established Information Technology accessibility standards for the Federal Government.
6.1. Section 508(a)(1) requires that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows individuals with disabilities who are Federal employees to have access to and use of information and data that is comparable to the access to and use of the information and data by Federal employees who are not individuals with disabilities; and individuals with disabilities who are members of the public seeking information or services from a Federal department or agency to have access to and use of information and data that is comparable to the access to and use of the information and data by such members of the public who are not individuals with disabilities.
6.2. The Contractor shall comply with the following technical standards:
   1. 1194.21 - Software Applications and Operating Systems
   2. 1194.22 - Web Based Intranet and Internet Information and Applications
   3. 1194.23 - Telecommunication Products
   4. 1194.24 - Video and Multimedia Products
   5. 1194.25 - Self Contained Closed products
   6. 1194.26 - Desktop and Portable Computers
   7. 1194.31 - Functional Performance Criteria
   8. 1194.41 - Information, Documentation and Support
6.3. In order to validate conformance to the above standards the COR shall complete the VA's Section 508 Determination and Findings Document.
6.3.1 The VA's Section 508 PO has developed a Conformance Validation Statement (CVS).
6.3.2 The CVS shall be completed by the responsible requiring/procurement official as part of their market research to validate the conformance of the E&IT project (See Section ten (10) in the Section 508 Determination and Findings Document).
6.4. If at any time the responsible requiring/procurement official finds that an exception shall apply, the Contractor shall complete and have the Section 508 EIT Exceptions Certification Document signed by the VA Section 508 Coordinator. Once the E&IT is determined to meet all applicable Section 508 standards, the E&IT is validated by the VA's Section 508 PO in the Department's Section 508 Testing and Training Center using the information provided by the CVS.
6.5. In the case the VA decides to purchase an application, product or service that cannot be validated for Section 508 prior to purchase, the Contractor agrees to accept all costs for ensuring conformance working with the VA Section 508 PO. For future releases or upgrades all steps using the CVS are required and upon validation a signed approval shall be given to the VA PO from the VA Section 508 Coordinator.
6.6. Section 508 information is available at http://www.section508.gov/.
6.7. The VA Directive and Handbook 6221, Accessible Electronic and Information Technology are posted at: http://www.va.gov/oit/ea/section508/policy.asp.

7. Reporting Requirements: The Contractor shall:
7.1. The Contractor shall ensure that an itemized statement is submitted monthly outlining the expenditures, billings, and any access problems/issues encountered in the performance of this task. Monthly reports on the follow-up activity include, but are not limited to: Itemized summary for each transaction for the reporting period (every 4 weeks) cumulative to date Number of transactions
7.2. Additional reporting to the COR is acceptable; however, the Contractor's proposed reports shall at minimum monitor the process for required changes and provide feedback results.
7.3. Propose modifications to the reporting requirements to the COR.
7.4. Explain why, in writing, to the COR (if for any reason a deliverable cannot be met within the scheduled time frame or adherence to the established schedules cannot be met) the following:
   1. Reasons for the delay
   2. Modified delivery date
   3. Impact on the overall project
   4. A revised project plan with all adjusted dates
The COR in turn will brief the incident to the CO, who shall will issue a response pursuant to applicable regulations.

8. Level of Effort: The Contractor is encouraged to propose a response consistent with their technical approach for accomplishment of all performance objectives/standards set forth above.

9. Deliverables and Associated Performance Standards: The Contractor shall:
9.1. Paraphrase all written deliverables in layperson language. Statistical and other technical terminology shall not be used without providing a glossary of terms.
9.2. Forward all deliverables to the COR for approval and/or acceptance (identified and validated billable medical Insurance policies) via a VA compliant methodology.
9.3. Deliver the final deliverable from date of receipt of the Government's comments within five (5) business days. Deliverables found to be unacceptable or not meeting the intent of the task within the review period shall be redone by the Contractor and considered to be within scope of this order. The COR and PO team shall review all deliverables. Where a written milestone deliverable is required in draft form, the CPAC shall complete the review of the draft deliverable within ten (10) business days from date of receipt.
9.4. Agree that all deliverables, associated working papers, and other material deemed relevant by the Contractor in the performance of these tasks are the property of the United States (U.S.) Government.
9.2 Deliverables Specific to This Order:
9.2.1 Web-based access to carrier policy coverage
9.2.2 Web-based access to carrier demographic data
9.3 Deliverable Sub-Tasks Specific to This Order: The following performance metrics are associated with this deliverable:
9.3.1: Web-based access to carrier policy coverage: Provides itemized statements outlining expenditures, billings, and any access problems/issues encountered in the performance of this task are met with a ninety five percent (95%) monthly accuracy. The Contractor shall provide an electronic Monthly Status Report to the COR and PO Team.
9.3.2: Web-based access to carrier demographic data: Provides itemized statements outlining expenditures, billings, and any access problems/issues encountered in the performance of this task are met with a ninety five percent (95%) monthly accuracy. The Contractor shall provide an electronic Monthly Status Report to the COR and PO Team.

10a. Deliverables Specific to this Order:
Deliverable Standard/Frequency Medium/Format Submit To
Web-based access to carrier policy coverage PWS 9.2.1 Per month The Contractor shall provide a Monthly Status Report Electronically in: MS Word, Excel, and PowerPoint COR/IV Manager
Web-based access to carrier demographic data PWS 9.2.2 Per month The Contractor shall provide a Monthly Status Report Electronically in: MS Word, Excel, and PowerPoint COR/IV Manager

10b. Deliverable Sub-Tasks Specific to This Order:
Deliverable Standard/Frequency Medium/Format Submit To
Web-based access to carrier policy coverage PWS 9.3.1 Ninety five percent (95%) monthly accuracy The Contractor shall provide a Monthly Status Report thereafter Electronically in: MS Word, Excel, and PowerPoint COR/IV Manager
Web-based access to carrier demographic data PWS 9.3.2 Ninety five percent (95%) monthly accuracy The Contractor shall provide a Monthly Status Report thereafter Electronically in: MS Word, Excel, and PowerPoint COR/IV Manager

11. Contractor Responsibilities: No workspace, computers, or telephone will be provided.

12. Security Requirements: The Contractor shall:
12.1. Not divulge or disclose information received and/or discussed regarding data considered proprietary to other Contractors collaborating on or with this effort.
12.2. Be required to negotiate agreements with commercial system Contractors relating to non-disclosure of Contractor-proprietary information.
12.2.1 If the Contractor uses copyright or otherwise licensed software in any deliverable under this order, the Contractor shall secure unlimited use rights for the Government.
12.3.2 Forward all software licenses on to the Government within thirty (30) business days after completion of the tasks.
12.3. Limit access to the minimum number of employees necessary to perform tasks that are considered sensitive or proprietary in nature.
12.4. Contact the COR, if the Contractor is uncertain of the sensitivity of any information obtained.
12.5. Indoctrinate all personnel employed by the Contractor and any Sub-Contractors involved on their roles and responsibilities for proper handling and nondisclosure of sensitive Government or proprietary information.
12.6. Not engage in any other action, venture or employment wherein sensitive information shall be used for the profit of any party other than those furnishing the information.
12.7. Comply with VA and VHA Security requirements.

13. Travel: Travel is not required.

14. Inspections and Acceptance: All reports shall be approved by the COR and CO.

15. Contract Award Meeting: The Contractor shall not commence performance on the tasks described in the PWS until the CO has conducted a kick off meeting or has advised the Contractor that a kick off meeting has been waived.

16. Changes to the PWS: Any changes to this PWS shall be authorized and approved only through written correspondence from the CO. A copy of each change shall be kept in a project folder along with any other products of the project. Costs incurred by the Contractor, through the actions of parties other than the CO, shall be borne by the Contractor alone.

17. Security and Privacy - Information and Records: The Contractor shall:
17.1. Return all information and records provided to Contractor by the VA, in whatever medium, as well as all information and documents, including drafts, emails, back-up copies, hand-written notes and copies that contain such information and records gathered or created by Contractor (collectively referred to as "VA information") in the performance of this contract, regardless of storage media, are the exclusive property of the VA. The Contractor shall not retain any property interest in these materials and shall not use them for any purpose other than performance of this contract.
17.2. Provide, upon completion or termination of the contract, all copies of any VA information that it used during work it performed of the Task Order or certify that any/all information it obtained has been destroyed. Where immediate return or destruction of the information is not practicable, the Contractor shall return and/or destroy the information within thirty (30) business days of completion or termination of the contract. All provisions of this contract concerning the security and protection of VA information that is the subject to this contract shall continue to apply to the VA information for as long as the Contractor retains it, regardless of whether the contract has been completed or terminated.
17.3. Not destroy, prior to termination or completion of this contract, any VA information received from the VA, gathered and/or created in the performance of the Task Order without prior written approval by the VA.
17.4. Receive, gather, store, backup, maintain, use, disclose and/or dispose of VA information only in accordance with the terms of the Task Order and any applicable federal, VA, confidentiality, security laws, regulations or policies.
17.5. Not make copies of VA information except as necessary to perform duties required of the Task Order or to preserve electronic information stored on Contractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor needs to be restored to an operating state.
17.6. Provide access only to VA information to employees, Sub-Contractors, and affiliates to: a.) the extent necessary to perform the services specified of the Task Order; b.) perform necessary maintenance functions for electronic storage or transmission media necessary for performance of the Task Order; and c.) individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees shall meet in order to have access to the same VA information. Note: These restrictions include the same level of Background Investigations, where applicable.
17.7. Store, transport or transmit VA information only in an encrypted form, using an encryption application that meets the requirements of Federal Information Processing Standards (FIPS) 140-2 or is approved for use by the VA.
17.8. Only use or disclose, except for uses and disclosures of VA information authorized by this contract for performance of the contract in response to an order of a court of competent jurisdiction, or with VA's prior written authorization. The Contractor shall refer all requests for, demands for production of, or inquiries about, VA information to the VA for response.
17.9. Include the statement, "Contractor shall not release information protected by either 38 USC 5705 or 7332 in response to a court order, and shall immediately refer such court orders to VA for response," if VA information subject to the Task Order includes information protected by 38 USC 7332 or 5705.
17.10. Promptly notify the VA, prior to any disclosure pursuant to a court order, of a court order upon its receipt by the Contractor.
17.10.1 Notify the COR by phone and provide the VA a copy of the court order by fax or e-mail within one (1) business day.
17.10.2 If the Contractor cannot notify the VA before being compelled to produce the information under court order, the Contractor shall notify the VA of the disclosure as soon as practical and provide a copy of the court order, a description of the records provided pursuant to the court order, and to whom the Contractor provided the records to under the court order.
17.10.3 The notice shall include the following information to the extent that the Contractor knows it, if it does not show on the face of the court order: the records disclosed pursuant to the order, to whom, where, when, and for what purpose, and any other information that the Contractor reasonably believes is relevant to the disclosure.
17.10.4 If the VA determines that it is appropriate to seek retrieval of information released pursuant to a court order before Contractor notified the VA of the court order, Contractor shall assist the VA in attempting to retrieve VA information involved.
17.11. Inform the VA, by the most expeditious method available to Contractor, of any incident of suspected or actual access to, or disclosure, disposition, alteration or destruction of, VA information not authorized under this Contract ("incident") within one (1) hour of learning of the incident.
17.11.1 An incident includes the transmission, storage or access of VA information by Contractor or Sub-Contractor employees in violation of applicable VA confidentiality and security requirements.
17.11.2 To the extent known by the Contractor, the Contractor's notice to the VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information was placed at risk or compromised), and any other information that the Contractor considers relevant.
17.12. Simultaneously report the incident to the appropriate law enforcement entities or jurisdiction. The Contractor, its employees, and its Sub-Contractors and their employees shall cooperate with the VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violations associated with any incident.
17.13. Cooperate with the VA in any civil litigation to recover VA information, to obtain monetary or other compensation from a 3rd (third) party for damages arising from any incident, or to obtain injunctive relief against any 3rd (third) party arising from, or related to, the incident.
17.13.1 In addition to notifying the COR, the VA shall provide the Contractor with the name, title, telephone number, fax number and email address of the VA official to whom the Contractor shall provide all notices required by this Task Order.
17.13.2 The VA has the right during normal business hours to inspect the Contractor's facility, information technology systems and storage and transmission equipment, and software utilized to perform the contract to ensure that the Contractor is providing for the security of VA data and computer systems in accordance with the terms of this Contract.
17.14. Receive, gather, store, backup, maintain, use, disclose and/or dispose of VA information only in compliance with all applicable FIPS and Special Publications (SP) issued by the National Institute of Standards and Technology (NIST) concerning VA information that is the subject of this contract. If NIST issues or updates an applicable FIPS or SP after execution of this contract, the parties agree to negotiate in good faith to implement the FIPS or SP in this contract.
17.15. Provide appropriate administrative, technical, and physical safeguards to ensure the confidentiality and security of the Veterans data and to prevent unauthorized use or access to it.
17.15.1 Sensitive VA information shall not be transmitted by remote access unless VA approved protection mechanisms are used.
17.15.2 All encryption modules used to protect VA data shall be validated by NIST to meet the current version of FIPS 140 (See http://csrc.nist.gov/cryptval/140-1/1401val.htm for a complete list of validated cryptographic modules).
17.15.3 Only approved encryption solutions using validated modules shall be used when protecting data during transmission.
17.15.4 Additional security controls are required to guard VA sensitive information stored on computers used outside VA facilities.
17.15.5 All VA data shall be stored in an encrypted partition on the hard drive and shall be encrypted with FIPS 140 validated software.
17.15.6 The application shall be capable of key recovery and a copy of the encryption keys shall be stored in multiple secure locations.
17.15.7 The Contractor agrees that the data shall not be physically moved or transmitted in any way from the site without first being encrypted and obtaining prior written approval from the VA data owner.
17.15.8 A determination by VA that the Contractor has violated any of the information confidentiality and security provisions of this contract, including a violation of any applicable FIPS or SP, shall be a basis for VA to terminate the contract for cause.
17.15.9 If anyone performing this contract, including employees of Sub-Contractors, accesses VA computer systems or data in the performance of the contract, the VA shall monitor and record all such access activity.
17.15.10 If VA monitoring reveals any information of suspected or potential criminal law violations, the VA shall refer the matter to the appropriate law enforcement authorities for investigation.
17.16. Mitigate, to the extent practicable, any harmful effect on individuals whose VA information was accessed or disclosed in an incident.

18. Protection of Individual Privacy: The Contractor shall:
18.1. Abide by FAR clauses 52.224-1 and 52.224.2. All VA records, subject to this Contract and Task Orders issued thereafter, are contained in the VA Privacy Act System of Records - Program Evaluation Research Data Records #107VA008B.
18.2. Abide by FAR clauses 52.239-1 for Privacy or Security Safeguards.
18.3. Not publish or disclose in any manner, without the CO's written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
18.3.1 To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases.
18.3.2 If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
18.4. Utilize only employees, Sub-Contractors or agents who are physically located within a jurisdiction subject to the laws of the U.S.
18.5. Ensure that it does not use or disclose PHI received from a Covered Entity in any way that shall remove the PHI from such jurisdiction.
18.6. Ensure that its employees, Sub-Contractors and agents do not use or disclose PHI received from Covered Entity in any way that shall remove the PHI from such jurisdiction.

19. Information System Security: The Contractor shall:
19.1. Ensure adequate LAN/Internet, data, information, and system security in accordance with VA standard operating procedures and standard contract language, conditions laws, and regulations.
19.1.1 Firewall and web servers shall meet or exceed the Government minimum requirements for security.
19.1.2 All Government data shall be protected behind an approved firewall.
19.1.3 Any security violations or attempted violations shall be reported to the VA project manager and the VHA Headquarters Information Security Officer as soon as possible.
19.2 Follow all applicable VA policies and procedures governing information security, especially those that pertain to certification accreditation.

20. Information System Design and Development: Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA policies developed in accordance with the Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), NIST, and related VA security and privacy control requirements for Federal Information Systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 System Security Categorization (reference Appendix A of VA Handbook 6500, VA Information Security Program). During the development cycle, a privacy impact assessment will be completed, provided to the COR, and approved by the VA Privacy Service in accordance with VA Privacy Impact Assessment Handbook 6500.3. The security controls must be designated, developed, approved by the VA, and implemented in accordance with the provisions of the VA Security System development life cycle as outlined in NIST Special Publication 800-37 and VA Handbook 6500.

21. VA Internet and Intranet Standards: The Contractor shall adhere to and comply with VA Directive 610...
- Web Link
- SAM.gov Permalink (https://sam.gov/opp/93299a66527c42fa9d4605425e1d0a1a/view)
- Record
- SN06372336-F 20220630/220628230130 (samdaily.us)