Veterans Affairs



FedBizOpps Special Notice (Rev. March 2010)

Classification Code: Q
Subject: Inpatient Dialysis Services-Short Term Contract
Contracting Office's Zip Code: 73104-5007
Solicitation Number: VA256-16-R-0073
Archive Days After the Response Date: 30
Recovery Act Funds: N
NAICS Code: 621492
Contracting Office Address: Department of Veterans Affairs, Oklahoma City VA Medical Center, 921 N.E. 13th Street, Oklahoma City OK 73104-5007
Point of Contact: Kevin Pollard, kevin.pollard2@
Description: See Attachment

The purpose of this sources sought notice is to locate interested companies that can furnish the REQUIREMENTS listed in the attached PWS. Responses should describe the offeror's capability to meet this requirement, including any current contracts (civilian or Government), the accreditations listed below or similar standards, facility description, capabilities, and certifications. Responses must show clear and convincing evidence that your company and its employees have the capabilities, training, and qualifications to provide this service to be considered as a source.

The following information is requested in a response to this RFI:

1. General company information - offeror's company name, DUNS, full address, point of contact, title, phone number, and email address.
Name: ____________________________________________
Address: ____________________________________
Contact Person: _______________________________________
Phone number: __________________________________________
Email address: __________________________________________
DUNS number: _________________________________________
Cage Code Number: _______________________________
Company website if available: _______________________________________

2. Business Type - please put a check mark or circle around the type of business you are below:
a) Large
b) 8(a)
c) HubZone
d) Small Business
e) Small Disadvantaged Business
f) Woman Owned Small Business
g) Service Disabled Veteran Owned Small Business
h) Veteran Owned Small Business
***Note - All Veteran Owned Businesses must be registered in VetBiz to be considered a Veteran Owned Business. State your socioeconomic status (Service Disabled Veteran Owned Small Business (SDVOSB), Veteran Owned Small Business (VOSB), HubZone, 8(a), Woman Owned, Small Disadvantaged, etc.). If stating SDVOSB or VOSB status, your company must be verified with the seal/icon or show pending verification in the VetBiz Registry to be considered as a SDVOSB or VOSB source.

3. How long has your company provided these services?

4. Provide information for any current or past VA contracts for these products and services.

5. Is your company registered in the System for Award Management?

The NAICS code for the procurement is 325412 and the small business size standard is $38.5 million. Any future RFP will be conducted in accordance with FAR Parts 12 and 15. The Government may elect to award a Firm Fixed Price contract resulting from the solicitation. Responses to this market survey should be e-mailed to kevin.pollard2@
No telephone responses will be accepted.
Please provide a detailed response to the Performance Work Statement below stating how you can meet all aspects stated. It is requested that responses be received no later than 3:00 pm Central, December 18th, 2015. No solicitation document is available at this time; this notice is to acquire information only. Vendors interested in providing an offer will have to respond to a separate solicitation announcement.

B.2 SPECIAL CONTRACT REQUIREMENTS

Under the authority of Public Law 104-262 and 38 USC 8153, the contractor agrees to provide Health Care Resources in accordance with the terms and conditions stated herein, to furnish to and at the Department of Veterans Affairs Medical Center, VAMC Oklahoma City in Oklahoma, the services and prices specified in the Section entitled Schedule of Supplies/Services of this contract.

1. SERVICES:
The services specified in the Sections entitled Schedule of Supplies/Services and Special Contract Requirements may be changed by written modification to this contract. Other necessary personnel for the operation of the services contracted for at the VA will be provided by the VA at levels mutually agreed upon which are compatible with the safety of the patient and personnel and with quality medical care programming. The services to be performed by the contractor will be performed in accordance with VA policies and procedures and the regulations of the medical staff bylaws of the VA facility.

2. TERM OF CONTRACT:
This contract is effective for one year from date of award plus four (4) one-year options that may be exercised by the VA. The contract is subject to the availability of funds. The contractor shall perform no services after September 30 of any year until the Contracting Officer authorizes such services in writing.

3. QUALIFICATIONS:
Personnel assigned by the Contractor to perform the services covered by this contract shall be licensed in a State, Territory, or Commonwealth of the United States or the District of Columbia. All licenses held by the personnel working on this contract shall be full and unrestricted licenses. The qualifications of such personnel shall also be subject to review by the VA Chief of Staff and approval by the VA Facility Director. Each person assigned to work under this contract shall be licensed by the State of Oklahoma.

4. WORK HOURS:
The services covered by this contract shall be furnished by the contractor as defined herein. The contractor will not be required, except in case of emergency, to furnish such services during off-duty hours as described below. The following terms have the following meanings:
(1) Work hours: Monday through Saturday, 8:00 a.m. - 8:00 p.m.
(2) National Holidays: The 10 holidays observed by the Federal Government are New Year's Day, Martin Luther King's Birthday, Presidents Day, Memorial Day, Independence Day, Labor Day, Columbus Day, Veterans Day, Thanksgiving, Christmas, and any other day specifically declared by the President of the United States to be a national holiday.
(3) Off-Duty hours: Saturday through Monday, 8:00 p.m. - 8:00 a.m.

5. PERSONNEL POLICY:
The contractor shall be responsible for protecting the personnel furnishing services under this contract. To carry out this responsibility, the contractor shall provide the following for these personnel: general liability, workers compensation, professional liability insurance, health examinations, income tax withholding, and social security payments. The parties agree that the contractor, its employees, agents and subcontractors shall not be considered VA employees for any purpose.

RECORD KEEPING:
The VA Medical Center, VAMC Oklahoma City in Oklahoma, shall establish and maintain a record keeping system that will record the hours worked by the contractor employee(s).
Contractor's employee(s) shall report to the COR, Administrative Officer, or designee upon arrival at the VAMC Oklahoma City in Oklahoma.

CONTRACT PERFORMANCE MONITORING:
Monitoring of contractor time shall be demonstrated through sign-in/sign-out sheets. The contractor shall be required to sign an attendance log upon reporting to work and departing from work. The COR shall be the VA official responsible for verifying contract compliance. After contract award, any incidents of contractor noncompliance as evidenced by the monitoring procedures shall be forwarded immediately to the Contracting Officer.

KEY PERSONNEL AND TEMPORARY EMERGENCY SUBSTITUTIONS:
The Contractor shall assign to this contract the following key personnel:

Performance Work Statement

The contractor shall provide inpatient dialysis including, but not limited to, hemodialysis, Continuous Ambulatory Peritoneal Dialysis (CAPD), Continuous Renal Replacement Therapy (CRRT) treatments, Continuous Veno-Venous Hemodialysis (CVVHD) treatments, Continuous Cyclical Peritoneal Dialysis (CCPD) treatments, and additional clinical treatments related to dialysis patients (CRRT line change, declotting of tunnel caths, etc.) for the Oklahoma City Veterans Administration Medical Center's (OKC VAMC) inpatients and outpatients (when clinically indicated) as required. Operating hours will be 8:00 AM to 8:00 PM, Monday through Saturday. All treatments outside of these hours will be provided on a call-back basis, to include federal holidays. The Contractor will make available a sufficient number of licensed nurses trained in extracorporeal therapy, including acute dialysis treatments, necessary to provide scheduled and emergency dialysis services at the OKC VAMC seven days a week, 24 hours a day, 365 days a year. The Contractor will provide appropriate contact information for emergent, immediate and routine services provided to the OKC VAMC. The acceptable response time is within one (1) hour of being contacted. The Contractor's staff will notify the Nurse Manager, Nurse Supervisor, or designee of their arrival at and departure from the location where the procedure is performed.

1. Orders put in for treatment after 8:00 PM, Monday through Saturday, and all day on Sundays and federal holidays will be charged per the non-routine hours rate. Every effort shall be made to re-schedule late treatments for the next normal operating hours. Treatments that are initiated prior to 8:00 PM will be charged per the routine rate.

2. Excess Registered Nurse (RN) waiting time shall be charged for the following reasons:
a) Patient was scheduled the day before to be brought to the dialysis unit (if patient immobile) by 8:00 AM and did not arrive within one (1) hour of the scheduled time due to transport delays.
   1. If the patient has not arrived within 30 minutes, the dialysis nurse will notify (page and call) one or more of the following: Nursing Supervisor, Nurse Manager, Transport Coordinator or Contracting Officer's Representative (COR). If dialysis staff are unable to contact any of the above, dialysis staff shall e-mail the name and time of the attempted contact to the COR. If these steps are not followed, the excess waiting charge shall not be authorized.
   2. If the patient still has not arrived within one (1) hour of the scheduled time, then excess time shall be charged.
b) Nurse is called in by a physician to do an after-hours treatment, and the patient is not ready to be dialyzed within one (1) hour of the nurse's arrival at the hospital.
   1. The nurse will contact the Nurse Supervisor to try to ascertain when the patient will be ready for dialysis prior to arriving at the hospital.
   2. The dialysis nurse will document the reason for the delay, persons contacted and time of contact, and give the information to the COR during the next business day.

3. The Contractor must alert the COR within 1 hour of any patient unable to receive treatment due to any circumstance other than a change in the clinical condition of the patient. After review by the COR, if the patient is found not to have received treatment due to the fault of the Contractor, the Contractor will be docked the amount of services not rendered.

4. The Contractor shall provide all equipment in good working order (current or latest model when applicable), treated water, Red Sense (or VA approved equivalent) supplies, equipment, supplies, training for VA staff, and personnel necessary for performance of contract services.

5. In addition, the Contractor shall provide all repairs, upkeep, servicing, maintenance and preventive maintenance for all Contractor-owned equipment pursuant to the manufacturer's guidelines and applicable industry standards. All new equipment will first be checked in with Bio-Medical Service for an initial inspection before the equipment can be used in the medical center. Test equipment does not have to be checked in with Bio-Medical Service; the Contractor will provide a copy of the test equipment calibration to the COR and Bio-Medical Service. The Contractor shall also properly clean and appropriately store all equipment associated with dialysis treatments immediately after each treatment and assist in maintaining the work area. The Contractor shall develop a cleaning maintenance schedule with check-off and signature space for routine upkeep of equipment and perform preventive maintenance as necessary. These documents will be provided to the COR on a monthly basis.

6. The Contractor shall respond in writing within five (5) working days to any complaint received by the COR via e-mail or delivered.
The Contractor's response shall describe corrective action taken with dates of completion, or action required with dates of completion, as applicable.

7. The Contractor shall respond to the Veterans Administration Medical Center (VAMC) and begin treatment within one (1) hour after receipt of a request for services.

8. The Contractor shall submit an Incident Report electronically in the Veterans Health Information Systems and Technology Architecture (VISTA) to report adverse events, close calls, or sentinel events. Contractor staff will also report any submission of Incident Reports to the COR. If Contractor staff suspect an event may be considered sentinel, staff will inform the COR within one (1) hour.

9. The Contractor shall maintain documentation in a separate binder on the specific intervals when cultures are to be performed on dialysis equipment at the OKC VAMC and the results of past cultures. A copy of such documentation shall be kept in a separate binder on the OKC VAMC's dialysis unit and be readily available at all times to the appropriate OKC VAMC personnel. The Contractor shall provide a copy of any additions to this documentation on a monthly basis.

10. If there is a claim in which Contractor staff must be removed from performing services at the OKC VAMC due to concerns about patient care, the Contractor will perform an investigation to determine the circumstances and report its findings to the COR.

11. If at any time a Contractor staff member who has provided care at the OKC VAMC is suspended or removed from the Contractor's company due to concerns regarding patient care, the Contractor will alert the COR within 24 hours.

12. Documentation related to water logs, equipment checks, culture results, AED/crash cart logs, chart audits, environment of care rounds, temperature logs, and quality control will be provided to the COR on a monthly basis.

13. The VAMC will have ambulatory and non-ambulatory inpatients requiring dialysis treatments under this contract. Ambulatory patients are those that can be transported to the dialysis unit via ambulation, wheelchair, or litter. Non-ambulatory patients are those that are in the VAMC ICU or are otherwise unable to be transported and must receive their treatments at bedside. Patients on the General or Specialty Medicine Units that are deemed inappropriate to receive their treatment in the inpatient dialysis unit may have their treatment performed in an available ICU. The VA estimates 90-100 inpatient hemodialysis treatments per month and three (3) inpatient CAPD treatments per month. Of these, an average of nine (9) will be non-ambulatory and must be done bedside. On occasion a patient may present to the VAMC with a need for procedures that do not require admission.

14. If it is deemed necessary by the Nephrology staff that the patient will require hemodialysis and the patient cannot undergo this at his outpatient treatment facility, then the physician may order this treatment to be done in the inpatient dialysis unit by the contractor. The inpatient dialysis treatment contractor will perform this treatment in the treatment area. These procedures are limited to the hours of 8:00 AM to 8:00 PM, Monday through Saturday. There will be no after-hours, Sunday, or federal holiday outpatient procedures performed in the dialysis unit. The Nephrology physicians will be responsible for appropriate orders for the treatment and subsequent discharge from the unit. The billing amount for this service is at the inpatient dialysis rate. The Nephrology physician must authorize approval of this treatment. Every effort should be made to arrange for the dialysis treatment at the patient's outpatient treatment facility. These procedures must be reported to the COR for documentation purposes.

15. The contractor may treat both ambulatory and non-ambulatory patients bedside.

16. All equipment to be used in performance of this contract shall be in good working order (current or latest model when applicable) and meet The Joint Commission (TJC) standards for use, maintenance, and staff training.

17. All documentation conducted on Veteran patients under this contract shall be in compliance with TJC regulations, standards and requirements. All patient documentation shall be complete and become a part of the OKC VAMC medical records systems and will remain property of the VA.

18. The contractor providing services under this contract shall be a certified End Stage Renal Disease (ESRD) provider as certified by CMS.

19. Contractor staff will provide hand-off communication to all receiving services based on Medical Center policy and procedures.

20. Provide sufficient training quarterly in Continuous Renal Replacement Therapy (CRRT) to accommodate staff members of each of the OKC VAMC ICUs, and provide sufficient training quarterly in Continuous Cyclical Peritoneal Dialysis (CCPD) to accommodate staff members of each of the OKC VAMC ICUs and medical/surgical floors/units.

21. Continuous Veno-Venous Hemodialysis (CVVHD) treatments:
a) Contractor shall supply all necessary equipment and dialysis supplies to complete treatment (unless the prescription is outside of any available pre-mixed dialysate).
b) Initiation, discontinuation, and technical assistance will be furnished for the duration of the treatment.
c) Continuing education and competencies will be provided by the contractor on an annual and semi-annual basis as needed for VAMC staff.
d) Equipment will have a suitable backup in case of malfunction during treatment so as to allow continued patient treatment.
e) The contractor will have equipment available in order to perform multiple patient treatments.

22. The OKC VAMC shall appoint a COR for this contract who will provide oversight of the activities conducted hereunder.
Notwithstanding the Contractor's responsibility for management during the performance of this contract, the assigned COR shall be the principal point of contact on behalf of the OKC VAMC and will be the principal point of contact for the Contractor concerning the Contractor's performance under this contract.

23. OKC VAMC shall also:
a) Provide sufficient space for dialysis treatment.
b) Provide untreated water necessary for dialysis services.
c) Provide such utilities, equipment, maintenance and supplies not specific to dialysis service, security, communications, pharmacy, laboratory, access to emergency response system, janitorial, laundry, and other support services as the OKC VAMC shall deem necessary for the provision of the dialysis services to the dialysis unit.
d) Provide adequate storage space capable of being locked for the Contractor's equipment and supplies.
e) Provide equipment and supplies necessary to perform temporary treatment access, including, without limitation, femoral catheters, and jugular and subclavian catheters for physician placement.
f) Provide non-dialysis-specific supplies, defined to mean all necessary or appropriate supplies for patient care other than the following supplies, which will be provided by the Contractor:
   - Dialyzers/hemofilters;
   - Blood tubing;
   - Transducer protectors;
   - Dialysate;
   - Dialysate additives;
   - Access needles;
   - Plastic hemostats;
   - Quality Assurance materials;
   - Internal equipment cleaners and disinfectants for Contractor-owned equipment only; and
   - Plasmapheresis supplies.
g) Provide all necessary medical record charting forms.
h) Provide all patient transport.
i) Provide all equipment and supplies necessary for the contractor to comply with all VA policies and procedures with respect to the treatment of patients with active tuberculosis in conjunction with the provision of services.
j) Provide orientation to all contractor staff providing services with respect to VA policies and procedures applicable to the provision of services by the Contractor (e.g. fire safety, evacuation procedure, hazardous materials, communication, safety, etc.).
k) Provide all infection control guidelines and policies to be met in performance of the contract.
l) Notify the Contractor representative immediately of any unsatisfactory performance or conduct on the part of any Contractor staff assigned to the OKC VAMC.

24. Contractor shall provide:
   - Catheter placement or discontinuation
   - Lifesite flush
   - Lab draws from dialysis access
   - Blood transfusions (patient not receiving a treatment at the time of transfusion, or blood not available during the prescribed dialysis treatment)
   - Any procedure requiring dialysis nurse expertise

25. In the performance of official duties, the Contractor has regular access to printed and electronic files containing sensitive data which must be protected under the provisions of the Privacy Act of 1974 and other applicable laws, federal regulations, VA statutes and policy, VHA policy, and OKC VAMC policies, procedures, and Medical Staff Bylaws. This includes:
   - protecting the data from unauthorized release or from loss, alteration, or unauthorized deletion; and
   - following applicable regulations and instructions regarding access to computerized files, release of access codes, etc., as set out in a computer access agreement which the employee signs.

26. Contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

MANDATED TRAINING:
The Nursing Service COR will present and document work site orientation before the commencement of work on-site.
Contractors are also required to complete and provide documentation of additional mandated training, to include, but not limited to, the courses below.

VA Privacy & Information Security Awareness: Rules of Behavior - VA 10176
VA Privacy & HIPAA Training - VA 10203
US Constitution - NFED 1310049
Recognition and Protection of Patients from Abuse/Neglect - VA 3858200
ICARE: Introduction to Core Values and Characteristics - VA 3851643
Compliance & Business Integrity Awareness - VA 9237
Prevention of Workplace Harassment/No Fear - VA 8872
Infection Control for New Employees - VA 1711950
Infection Prevention and Control - VA 3891046
Green Environment Management System (GEMS) - VA 3856937
Leading the Way-VA Palliative Care - VA 16188
Suicide Prevention Training/Operation Save - VA 66979
BE A HERO: Save a Hero - VA 3857255
Diversity on the Job; Diversity and You - NFED 1310261
Alternative Dispute Resolution-Online Awareness Training - VA 10033
EEO Complaint Process - VA 3858362
Bloodborne Pathogens Awareness - NFED 3857349
Blood Borne Pathogens Local Information - VA 3861467
CPR Awareness and Public Access Defibrillation Program Training - VA 3856852
Patient Safety Mandatory Training - VA 3858244
EOC Environment of Care Combined Course as Curriculum (covers all EOCs listed) - OKL-EOC-Cur
Utility Management Mandatory Training (EOC) - VA 4050607
Fire Safety-EOC Mandatory Training (EOC) - VA 4110125
Electrical Safety Mandatory Training (EOC) - VA 3858383
Occupational Health & Safety Management (EOC) - VA 40001002
Medical Equipment Management (EOC) - VA 40123210
Security Management Annual Training (EOC) - VA 3858435
Emergency Management (EOC) - VA 3869228
GEMS Awareness Course - VA 3856937
Customer Service Mandatory Training - VA 3858387
Affordable Care Act - VA 17037
Safe Patient Handling and Movement for Direct Care Providers - VA 6746
Preventative Management of Disruptive Behavior WEB Based Training (Level I) - VA 7831
Annual Government Ethics Training - VA 3812493
Patient Safety Training - VA 3858244
Globally Harmonized Systems Training - VA 19273
Infection Control & Prevention (Education for Surgical Site and Central Line, VAP, and UTI) - VA 3856986
CAVH-ENFit Enteral Feeding Tube Connector Training - VA 3899753
VHA Active Threat Training/Active Shooter - VA 24638
Acute Stroke Recognition - VA 3896785
QSV: Stop the Line for Patient Safety Employee Education Initiative - VA 17459
OKL Combined MDRO Training - VA 3845192
NDNQI Pressure Ulcer Training Module 1-4 - VA 3858288
Prevention of CLABSIs - VA 3858409
MRI Safety Training - OKL-MRI-Cur
Bar Code Medication Training: Managing Scanning Failures - VA 6850
Bar Code Medication Administration (BCMA) WBT for Clinical Staff - VA 19028
Color Coded Wristband Indicators - VA 4051405
Fall Back to Basics - VA 4011236
Pain Module 4 - VA 4007246
Restraint Training - VA 3861433
Suicide Risk Management Training (Clinicians) - VA 6201
Ensuring Correct Surgery & Invasive Procedure - VA 6573
Peer Review Training (General Training) - VA 9678
Anticoagulation Education for Staff - VA 6720
Mental Health EOC for Clinical Staff - VA 1290945
Emergency Preparedness: Continuity of Operations (COOP) - NFED 3812490
Emergency Preparedness: General Emergency Preparedness - NFED 3813276

*Including: Fit Testing, TB, BLS, ACLS, and Safe Patient Handling
Additional trainings may be added throughout the contract.

All staff will be issued computer access codes and PIV cards.

Computerized Patient Record System (CPRS) Training: Prior to commencement of work under this contract, the COR will ensure the Contractor's employee receives proper access to the VA computer systems. The COR will coordinate the training with staff.

DOCUMENTATION:
Dialysis staff performing the service shall document all patient interventions in CPRS, including all progress notes, orders, and consults. Computerized templates shall be used when available. All documentation shall be entered and signed within the established timeframes and guidelines. Clinic visit encounters shall be completed at the time of the visit using CPRS.

MINIMUM DOCUMENTATION STANDARDS:
The Contractor is responsible for utilizing the CPRS in VISTA.
The Contractor will attend CPRS training prior to providing any patient care services, including on-call/emergency coverage at the OKC VAMC. The Contractor will document patient care in CPRS to comply with all VA and TJC requirements. Unapproved abbreviations, as listed in Center Memorandum 136-10, "The Use of Medical Abbreviations," will not be used.

CONTRACTOR MONITORING BY SERVICE:
At the time of contract award, the Contracting Officer will appoint a COR to assist with the contract monitoring requirements. The COR will monitor such items as quality of service, timeliness of performance, customer service, cost control, and business relations. The Contractor will participate in all Nursing Service quality performance tracers and environment of care rounds; if not meeting compliance standards, the Contractor will correct deficiencies. The Contractor will make corrections as needed to comply with OKC VAMC policies, TJC standards, and additional accrediting bodies. The COR for Nursing Service is responsible for monitoring the services provided under this contract. The COR will ensure that services are performed and be responsible for handling service-related requirements necessary for patient care.

The services provided will be monitored through a variety of mechanisms, including but not limited to:
   - Treatment Logs
   - Clinic encounters as documented in CPRS
   - Consultative Services as documented in CPRS
   - VHA VISN 16 and National Performance Measure Scores
   - VHA VISN 16 and National Patient Satisfaction Scores
   - VASQIP Data
   - External Accreditation and Review compliance

The Government may evaluate the quality of professional and administrative services provided, but retains no control over the medical, professional aspects of services rendered (e.g., professional judgments, diagnosis for specific medical treatment), in accordance with FAR 37.401(b).

The delegated COR will notify the Contracting Officer of any non-compliance immediately upon gaining knowledge of any such situation or incident. Initial communication may be by telephone. After such communication, the COR will provide a written/electronic statement to the Contracting Officer along with any supporting documentation regarding the performance failure noted. A summary evaluation of the contractor's performance will be forwarded to the Contracting Officer annually prior to exercising any option year.

The COR will maintain a competency folder for each contractor employee throughout the contract period in accordance with OKC VAMC and TJC requirements. The contractor will assist in maintaining the folder. This will include, upon initial start date and annually thereafter, documentation of core competency (OKC VAMC form), licensure, role-specific competency (OKC VAMC form), age/population competency (OKC VAMC form), performance evaluation and performance standards, job description, supervisor 90-day checklist (OKC VAMC form), and orientation skills checklist (OKC VAMC form); these must be completed and provided to the COR upon request/after completion.

ADDITIONAL CONTRACT MONITORING:
OKC VAMC will monitor mortality/morbidity; clinical outcomes; access and timeliness of care; patient satisfaction; regulatory and accrediting standards; reporting of adverse events; and access to patient records.

The Contracting Officer shall arrange for periodic audits of the level of service, in addition to utilizing the Quality Assurance Surveillance Plan herein. This documentary audit may include records of procedures performed, patient records, time and attendance logs or documentation mechanisms, sign-in/sign-out sheets, or other appropriate records that verify services called for under the contract have been performed by the Contractor. It is the intention of both parties to conduct joint reviews prior to the expiration date of the contract to determine and evaluate whether services being provided are in accordance with the contract terms, whether payments and billings are being properly handled, and to jointly determine whether this agreement is satisfactory to both parties in terms of services provided and consideration being received. This review may include, but is not limited to, analysis of all billings, payments, costs, administrative issues, patient satisfaction, quality of care and other related documentation that identifies that services have been received. Upon conclusion of the initial contract period, and in coordination with the Contracting Officer, the using service shall provide a statement to the Contracting Officer providing a summary of contractor actions and a statement that all requirements of the contract were fulfilled as agreed. This information shall be forwarded by the COR to the Contracting Officer at least 90 days prior to contract expiration.
QUALITY ASSURANCE SURVEILLANCE PLAN:

Each measure below is listed with its PWS Reference, Performance Requirement, Standard, Acceptable Quality Level (AQL), Surveillance Method, Incentive, and Disincentive/Deduct.

1 - Access
   PWS Reference: QASP
   Performance Requirement: Patients must receive treatment in a timely manner.
   Standard: Staff on-site and available during all scheduled clinic hours
   AQL: 95%
   Surveillance Method: Random Inspection
   Incentive: Favorable contractor performance evaluation
   Disincentive/Deduct: Unfavorable contractor performance evaluation

2 - Quality Care
   a) PWS Reference: QASP
      Performance Requirement: Updated licensing, registration and certification shall be provided as they are renewed. Licensing and registration information kept current.
      Standard: Nurses must be registered and/or licensed.
      AQL: 100%
      Surveillance Method: Verification provided by Contractor
      Incentive: Favorable contractor performance evaluation
      Disincentive/Deduct: Unfavorable contractor performance evaluation. Removal from contract until such time as the contract nurse(s) meet the qualification standard.
   b) PWS Reference: QASP
      Performance Requirement: Quality monitoring completed timely by contractor
      Standard: Contractor will complete 10 random chart audits per month and enter them into the database
      AQL: 100%
      Surveillance Method: Random Sampling
      Incentive: Favorable contractor performance evaluation
      Disincentive/Deduct: Unfavorable contractor performance evaluation
   c) PWS Reference: QASP
      Performance Requirement: Quality indicators identified: Pre/Post Vital Signs Present for Time On, Pre/Post Vital Signs Present for Time Off, Post Bruit/Thrill Note Present, Medication Read Back Complete on all Verbal/Telephone Orders, and Vital Signs with UFR documented q15 minutes during treatment.
      Standard: Each quality indicator must meet a standard of 90%.
      AQL: 80%
      Surveillance Method: Random Sampling
      Incentive: Favorable contractor performance evaluation
      Disincentive/Deduct: Unfavorable contractor performance evaluation

3 - Patient Safety
   a) PWS Reference: QASP
      Performance Requirement: Patient safety incidents must be reported to the OKC VAMC (via Incident Reports through VISTA) and the COR.
      Standard: All incidents reported immediately, within 24 hours
      AQL: 100%
      Surveillance Method: Periodic Inspection
      Incentive: Favorable contractor performance evaluation
      Disincentive/Deduct: Unfavorable contractor performance evaluation
   b) PWS Reference: QASP
      Performance Requirement: Patient safety incidents must be investigated, confirmed and resolved
      Standard: All incidents are investigated, confirmed and resolved
      AQL: 100%
      Surveillance Method: Periodic Inspection
      Incentive: Favorable contractor performance evaluation
      Disincentive/Deduct: Unfavorable contractor performance evaluation

4 - Mandatory Training
   PWS Reference: QASP
   Performance Requirement: Contractor shall complete all required training per VAMC policy
   Standard: Complete all mandatory training
   AQL: 100%
   Surveillance Method: Periodic Sampling via VA Training Reports
   Incentive: Favorable contractor performance evaluation
   Disincentive/Deduct: Suspension or termination of all physical and/or electronic access privileges and removal from contract until such time as the training is complete

5 - Patient Satisfaction
   PWS Reference: QASP
   Performance Requirement: Immediate reporting of patient care quality complaints to the COR through Incident Reports, Tell it to the Director, PATS, or Report of Contacts
   Standard: All complaints
   AQL: 100%
   Surveillance Method: Periodic Inspection
   Incentive: Favorable contractor performance evaluation
   Disincentive/Deduct: Unfavorable contractor performance evaluation

6 - Performance
   PWS Reference: QASP
   Performance Requirement: Contractor will be responsible to check and document all dialysis treatments appropriately
   Standard: Will complete 30 random chart audits per quarter
   AQL: 100%
   Surveillance Method: Random Sampling
   Incentive: Favorable contractor performance evaluation
   Disincentive/Deduct: Unfavorable contractor performance evaluation

7 - Documentation in Electronic Medical Record
   PWS Reference: QASP
   Performance Requirement: Contractor will be responsible to document in the medical record the same day a procedure is performed
   Standard: Will complete 30 random chart audits per quarter
   AQL: 95%
   Surveillance Method: Random Sampling
   Incentive: Favorable contractor performance evaluation
   Disincentive/Deduct: Unfavorable contractor performance evaluation

Ratings:
Metrics and methods are designed to determine the rating for a given standard and acceptable quality level.
The following ratings shall be used:

Exceptional: Performance meets contractual requirements and exceeds many to the Government’s benefit. The contractual performance of the element or sub-element being assessed was accomplished with few minor problems for which corrective actions taken by the contractor were highly effective.

Very Good: Performance meets contractual requirements and exceeds some to the Government’s benefit. The contractual performance of the element or sub-element being assessed was accomplished with some minor problems for which corrective actions taken by the contractor were effective.

Satisfactory: Performance meets contractual requirements. The contractual performance of the element or sub-element contains some minor problems for which corrective actions taken by the contractor appear or were satisfactory.

Marginal: Performance does not meet some contractual requirements. The contractual performance of the element or sub-element being assessed reflects a serious problem for which the contractor has not yet identified corrective actions. The contractor’s proposed actions appear only marginally effective or were not fully implemented.

Unsatisfactory: Performance does not meet most contractual requirements and recovery is not likely in a timely manner. The contractual performance of the element or sub-element being assessed contains serious problem(s) for which the contractor’s corrective actions appear or were ineffective.

The contractor is responsible for performance of all terms and conditions of this contract.

DOCUMENTING PERFORMANCE:

a. The Government shall document positive and/or negative performance. Any report may become a part of the supporting documentation for any contractual action and for preparing the annual past performance assessment using the Contractor Performance Assessment Report (CPAR).

b. If contractor performance does not meet the Acceptable Quality Level, the CO shall inform the contractor.
This will normally be in writing unless circumstances necessitate verbal communication. In any case the CO shall document the discussion and place it in the contract file. When the COR and the CO determine that formal written communication is required, the COR shall prepare a Contract Discrepancy Report (CDR) and present it to the CO. The CO will in turn review it and present it to the contractor's program manager for corrective action.

The contractor shall acknowledge receipt of the CDR in writing. The CDR will specify whether the contractor is required to prepare a corrective action plan documenting how the contractor shall correct the unacceptable performance and avoid a recurrence. The CDR will also state how long after receipt the contractor has to present this corrective action plan to the CO. The Government shall review the contractor's corrective action plan to determine acceptability. The CO shall also assure that the contractor receives impartial, fair, and equitable treatment. The CO is ultimately responsible for the final determination of the adequacy of the contractor’s performance and the acceptability of the Contractor’s corrective action plan.

Any CDRs may become a part of the supporting documentation for any contractual action deemed necessary by the CO. See Sample CDR below.

INSURANCE:

The Contractor will provide a certificate of insurance providing evidence of liability coverage, including the name of the insurance carrier, limits of liability and type of coverage (Ref: VAAR 852.237-7, Indemnification and Medical Liability Insurance, in this agreement).
Contractor must provide evidence of coverage within two weeks of request.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) COMPLIANCE:

The Contractor must adhere to the provisions of Public Law 104-191, HIPAA of 1996, and the National Standards to Protect the Privacy and Security of Protected Health Information (PHI).

LIABILITY:

VA beneficiaries shall not under any circumstances be charged, nor their insurance companies charged, for services rendered by the contractor even if VA does not pay for those services. This provision shall survive the termination or ending of the contract.

MEDICAL RECORDS:

The Contractor will provide health care to patients seeking such care from or through VA. As such, the Contractor is considered part of the Nursing Service health activity for purposes of the following statutes and the VA regulations implementing these statutes: the Privacy Act, 5 U.S.C. § 552a, and 38 U.S.C. §§ 5701, 7705 and 7332. The Contractor and its employees may have access to VA patient medical records to the extent necessary to perform this contract. Notwithstanding any other provision of this contract, the contractor and its employees may disclose patient treatment records only pursuant to explicit disclosure authority from VA. The Contractor and its employees are subject to the penalties and liabilities provided by statutes and regulations for unauthorized disclosures of such records and their contents. Records created by the Contractor in the course of treating VA patients under this agreement are the property of the VA and shall not be accessed, released, transferred or destroyed except in accordance with applicable federal law and regulations. Upon the expiration of this contract or termination of the contract, the Contractor will promptly provide the VA with the individually identified VA patient treatment records.
CONTACT POINTS:

Overall contract responsibility: The Contracting Officer that awards this agreement is the responsible party for conducting all of the requirements outlined in this contract. The Contracting Officer may designate another Contracting Officer to administer functions during the contract administration of this agreement. If the Contracting Officer determines that this is necessary, the delegation will be in writing and will outline the specific duties and limitations accordingly.

Both the VA and the Contractor will provide the necessary contact points for those individuals that will interface with each other during the life of the contract. The Contracting Officer will coordinate the review of the payment submitted by the contractor, review the payment for accuracy, and ensure proper and timely certification by the authorized individuals. The contractor will be required to provide their key personnel/contact points to ensure a smooth flow between the departments in their facility and VA. A listing of contact points will be provided to the VA within 30 days after execution of this agreement.

CONFLICT OF INTEREST:

Under the performance of this contract, a Government employee who is employed by the Contractor is prohibited from participating on behalf of the Government, through decision, approval, disapproval, recommendation, rendering of advice, certifying for payment or otherwise, in that contract. No VA employee who is an employee, director or trustee of an affiliated university, or who has a financial interest in the contract, may lawfully participate in a VA contract or any other Government contract with this contractor.

In relation to the contract monitoring procedures, a Government employee who is employed by the contractor may not certify bills for payment.
This requirement shall be performed by an employee who is not an employee, officer, director or trustee of the contractor, and who does not have a financial interest in the contract.

OTHER SPECIAL REQUIREMENTS:

The Contractor will be responsible for ensuring that employees performing services under this contract are fully trained and completely competent to perform the required work. The Contractor’s employee will undergo verification of licensure and credentials, as appropriate, including the supervision, training and ongoing competency assessment of the employee on an annual basis.

The Contractor and VAMC are required to maintain records that document the competency/performance level of the Contractor’s employee working under this contract in accordance with VA medical center policies and higher headquarters procedures and directives. The Contractor will provide a current copy of the competency assessment checklist and annual performance evaluation to the COR for the employee working under this contract.

The COR will monitor the Contractor employee’s work to ensure contract compliance with all applicable medical center policies and procedures. All information required by the Food & Drug Administration (FDA) for the tracking of devices implanted during surgery shall be included in the patient’s medical record.

Notwithstanding other contract requirements, upon request of the Contracting Officer, the Contractor will remove from the work site any Contractor employee who does not comply with medical center policies and procedures or regulatory and accrediting standards, or who is believed to have compromised patient care.

If there is a need to change personnel during the performance of this contract, the Contractor will promptly notify the Contracting Officer of their intent to do so. The new individual will be subject to the qualifications, credentials, security and all other terms and conditions of this contract.

Contracting Officials need to work with the COR and the ISO to:
- Ensure the contractor understands and implements the IT security requirements for system interconnection documents required per the Memorandum of Understanding or Interconnection Agreement (MOU-ISA). The standard operating procedure (SOP) and a template for a MOU-ISA are located on the Information Protection Risk Management (IPRM) Portal and can be provided to the contractor.
- Ensure the contractor understands their participation in IT security requirements for C&A of the VA system to which they connect.
- Enforce contractor performance (timely submission of deliverables, compliance with personnel screening requirements, and appropriate termination activity as appropriate).

BILLING:

VA will be the only entity that will make payments for services rendered under this contract. The contractor will not bill any third party, insurance carrier, Medicare, or Medicaid. The VA or a patient beneficiary will not be billed for any co-payments under this agreement. All billing will be contingent on the service being documented in CPRS.

PRICING SCHEDULE: Attached herein under Schedule of Services and Costs

INVOICES:

a. Invoices shall be submitted in arrears, monthly. The Contractor will submit invoices covering the services performed under this contract. Sums due the Contractor will be paid upon receipt of a properly prepared invoice. Payment will be made no later than 45 days after receipt of a completed invoice.

b. Invoices will contain the following information:
- Invoice number
- Contract number
- Purchase order number
- Date of services
- Unit price
- Total price
- Procedure provided
- Any additional information needed by the COR to ensure proper payment of services rendered

c. The Contractor shall accept payment for services rendered under this contract as payment in full and will not bill the veteran or his or her third party insurer for any services covered under this contract or for additional services for which the VA pays the Contractor outside this contract.

4. GOVERNMENT INVOICE ADDRESS:

a. Invoices shall be certified by the COR. Payment will be made upon certification of the invoice. All invoices from the Contractor shall be mailed to the following address:

Department of Veterans Affairs
FMS-VA-2(101)
Financial Services Center
PO Box 149971
Austin TX 78714-8971

b. The Department of Veterans Affairs’ VA Financial Service Center (FSC) is the designated agency office for invoice receipt in accordance with the Prompt Payment Act (5 CFR 1315). FSC or its designated representative may contact the vendor to provide specific instructions for electronic submission of invoices. The vendor shall be responsible for any associated expenses. FSC may utilize third-party Contractors to facilitate invoice processing. Prior to contact by FSC or its designated representative for electronic invoicing submissions, the vendor shall continue to submit all invoices to FSC at the above mailing address.

c. To improve the timeliness of payments and lower overall administrative costs, VA requests Contractors to submit invoices using its electronic invoicing system. At present, electronic submission is voluntary and any nominal registration fees will be the responsibility of the Contractor. VA intends to mandate electronic invoice submission, subject to completion of the federal rulemaking process. At present, VA is using a third party agent to contact Contractors regarding this service. In the meantime, Contractors interested in registering for the electronic system should contact the VA's Financial Services Center at .

GENERAL

Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

a.
A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

c. Contract personnel who require access to national security programs must have a valid security clearance. The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with the Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.

d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.

e. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor’s employment. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

3. VA INFORMATION CUSTODIAL LANGUAGE

a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract, or information developed by the contractor/subcontractor in performance or administration of the contract, shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

b. VA information should not be co-mingled, if possible, with any other data on the contractor’s/subcontractor’s information systems or media storage systems, in order to ensure that VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA’s information is returned to the VA or destroyed in accordance with VA’s sanitization requirements. VA reserves the right to conduct on-site inspections of contractor and subcontractor IT resources to ensure that data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.

c.
Prior to termination or completion of this contract, the contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract, without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, and its Handbook 6300.1, Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.

d. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.

e. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state.
If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.

f. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party, or to terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.

g. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.

h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.

i. The contractor/subcontractor’s firewall and Web services security controls, if applicable, shall meet or exceed VA’s minimum requirements. VA Configuration Guidelines are available upon request.

j. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA’s prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA Contracting Officer for response.

k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records, and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other request for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA Contracting Officer for response.

l. For services that involve the storage, generating, transmitting, or exchanging of VA sensitive information but do not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COR.

4. INFORMATION SYSTEM DESIGN AND DEVELOPMENT

a. Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, and information and system security categorization level designations in accordance with FIPS 199 and FIPS 200, with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COR, and approved by the VA Privacy Service in accordance with Directive 6507, VA Privacy Impact Assessment.

b. The contractor/subcontractor shall certify to the COR that applications are fully functional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC), and the common security configuration guidelines provided by NIST or the VA.
This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista) and future versions, as required.

c. The standard installation, operation, maintenance, updating, and patching of software shall not alter the configuration settings from the VA-approved and FDCC configuration. Information technology staff must also use the Windows Installer Service for installation to the default “program files” directory and silently install and uninstall.

d. Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.

e. The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of the VA security system development life cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems; VA Handbook 6500, Information Security Program; and VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle.

f. The contractor/subcontractor is required to design, develop, or operate a System of Records Notice (SOR) on individuals to accomplish an agency function subject to the Privacy Act of 1974 (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.

g.
The contractor/subcontractor agrees to:

(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies:
(a) The SOR; and
(b) The design, development, or operation work that the contractor/subcontractor is to perform;

(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a SOR on individuals that is subject to the Privacy Act; and

(3) Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which require the design, development, or operation of such a SOR.

h. In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a SOR on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a SOR on individuals to accomplish an agency function.
For purposes of the Act, when the contract is for the operation of a SOR on individuals to accomplish an agency function, the contractor/subcontractor is considered to be an employee of the agency.

(1) “Operation of a System of Records” means performance of any of the activities associated with maintaining the SOR, including the collection, use, maintenance, and dissemination of records.

(2) “Record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the person’s name, or identifying number, symbol, or any other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph.

(3) “System of Records” means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

i. The vendor shall ensure the security of all procured or developed systems and technologies, including their subcomponents (hereinafter referred to as “Systems”), throughout the life of this contract and any extension, warranty, or maintenance periods. This includes, but is not limited to, workarounds, patches, hot fixes, upgrades, and any physical components (hereafter referred to as Security Fixes) which may be necessary to fix all security vulnerabilities published or known to the vendor anywhere in the Systems, including operating systems and firmware. The vendor shall ensure that Security Fixes do not negatively impact the Systems.

j. The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of a vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system).
Such issues shall be remediated as quickly as is practical, but in no event longer than 2 days.

k. When the Security Fixes involve installing third-party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to the VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes within 3 days.

l. All other vulnerabilities shall be remediated as specified in this paragraph in a timely manner based on risk, but within 60 days of discovery or disclosure. Exceptions to this paragraph (e.g. for the convenience of VA) shall only be granted with approval of the Contracting Officer and the VA Assistant Secretary for Office of Information and Technology.

5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE

a. For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors/subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor’s security control procedures must be equivalent to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COR and approved by VA Privacy Service prior to operational approval. All external Internet connections to VA’s network involving VA information must be reviewed and approved by VA prior to implementation.

b.
Adequate security controls for collecting, processing, transmitting, and storing of Personally Identifiable Information (PII), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system or systems by or on behalf of VA. These security controls are to be assessed and stated within the PIA, and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.

c. Outsourcing (contractor facility, contractor equipment or contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (authorization) (C&A) of the contractor’s systems in accordance with VA Handbook 6500.3, Certification and Accreditation, and/or the VA OCS Certification Program Office. Government-owned (government facility or government equipment) contractor-operated systems, third party or business partner networks require memorandums of understanding and interconnection agreements (MOU-ISA) which detail what data types are shared, who has access, and the appropriate level of security controls for all systems connected to VA networks.

d. The contractor/subcontractor’s system must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment, and must review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA Contracting Officer and the Information Security Officer (ISO) for entry into VA’s POA&M management process. The contractor/subcontractor must use VA’s POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the government.
Contractor/subcontractor procedures are subject to periodic, unannounced assessments by VA officials, including the VA Office of Inspector General. The physical security aspects associated with contractor/subcontractor activities must also be subject to such assessments. If major changes to the system occur that may affect the privacy or security of the data or the system, the C&A of the system may need to be reviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing and updating all of the documentation (PIA, System Security Plan, and Contingency Plan). The Certification Program Office can provide guidance on whether a new C&A would be necessary.

e. The contractor/subcontractor must conduct an annual self-assessment on all systems and outsourced services as required. Both hard copy and electronic copies of the assessment must be provided to the COR. The government reserves the right to conduct such an assessment using government personnel or another contractor/subcontractor. The contractor/subcontractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any weaknesses discovered during such testing, generally at no additional cost.

f. VA prohibits the installation and use of personally-owned or contractor/subcontractor owned equipment or software on VA’s network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW or contract. All of the security controls required for government furnished equipment (GFE) must be utilized in approved other equipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV) software and a personal (host-based or enclave based) firewall that is configured with a VA approved configuration. Software must be kept current, including all critical updates and patches.
Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE.

g. All electronic storage media used on non-VA leased or non-VA owned information technology (IT) equipment that is used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the contract or (ii) disposal or return of the IT equipment by the contractor/subcontractor or any person acting on behalf of the contractor/subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the contractors/subcontractors that contain VA information must be returned to the VA for sanitization or destruction or the contractor/subcontractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract.

h. Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:

(1) Vendor must accept the system without the drive;
(2) VA’s initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or
(3) VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.
(4) Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then;
(a) The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and
(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.
(c) A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.

6. SECURITY INCIDENT INVESTIGATION

a. The term “security incident” means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

b. To the extent known by the contractor/subcontractor, the contractor/subcontractor’s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.

c.
With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.

d. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

7. LIQUIDATED DAMAGES FOR DATA BREACH

a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

b. The contractor/subcontractor shall provide notice to VA of a “security incident” as set forth in the Security Incident Investigation section above.
Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

c. Each risk analysis shall address all relevant information concerning the data breach, including the following:

(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including:
(a) Date of occurrence;
(b) Data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
(3) Number of individuals affected or potentially affected;
(4) Names of individuals or groups affected or potentially affected;
(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
(6) Amount of time the data has been out of VA control;
(7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
(8) Known misuses of data containing sensitive personal information, if any;
(9) Assessment of the potential harm to the affected individuals;
(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
(11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

d. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $______ per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:

(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

8. SECURITY CONTROLS COMPLIANCE TESTING

On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working days' notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.

9. TRAINING

a.
All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:

(1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
(3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document – e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]

b. The contractor shall provide to the contracting officer and/or the COR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.

c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

SUBCONTRACTORS: To the extent that the Contract is performed by subcontractors whose employees need access to the VA computer system to perform their responsibilities, these requirements apply to employees and/or agents of the sub-contractors.
The Contractor will impose these same terms on its agreement with the subcontractors.

CONTRACTOR INTERNAL COMPLIANCE PLAN: In accordance with the American Health Information Management Association (AHIMA), Centers for Medicare and Medicaid Services (CMS), VHA Directive 2003-028 "Compliance and Business Integrity Program", its updates or replacement directives, HHS OIG Compliance Program Guidance for Hospitals, as published at 63 FR 8987 (February 23, 1998), and HHS OIG Supplemental Compliance Program Guidance for Hospitals, as published at 70 FR 4858 (January 31, 2005), the contractor is to provide in writing their internal Compliance Program, Training and Monitoring Plans, which are to include documentation of training and monitoring procedures.