Www.vendorportal.ecms.va.gov



PERFORMANCE WORK STATEMENT
FOR
VISN 7 TRANSCRIPTION SERVICES

1. SCOPE OF WORK

Scope: The Contractor shall provide Medical Transcription Services for the following VISN 7 facilities: Augusta, Dublin, Atlanta, Charleston and Columbia VA Medical Centers, in strict accordance with this contract. This contract will have the option to include Birmingham, Central Alabama and Tuscaloosa if the need exists in the future. Medical Transcription Services shall be provided for dictated material that includes a high occurrence of technical terminology and requires a comprehensive knowledge of the specialized vocabulary particular to a wide variety of medical and surgical fields. The Contractor shall transcribe reports utilizing the appropriate formats, which could include headers and footers in the body of the document, as provided by each medical center. The Contractor shall transmit and/or upload completed reports to the VA.

Type of Work: Transcription services shall be required for the following disciplines: outpatient clinics, emergency room, radiology, behavioral health, acute care and long-term care. Material to be transcribed includes highly technical terminology with specialized vocabularies. The specialized vocabularies will encompass a variety of subjects in the fields of medicine, neurology and surgery, including: general surgery, anesthesiology, vascular surgery, thoracic surgery, urology, otorhinolaryngology, plastic surgery, oral surgery, orthopedics, ophthalmology, gynecology, radiology, nuclear medicine, internal medicine, cardiology, allergy, pulmonary medicine, gastroenterology, endocrinology, rheumatology, nephrology, oncology, hematology, podiatry, geriatrics, psychiatry, pathology, neurosurgery, dermatology, spinal cord injury, blind rehabilitation and ambulatory care. Documents are dictated by many different physicians/clinicians, requiring adaptation to variations in accent, speech, tone, voice, volume, delivery, pronunciation and enunciation.

The Contractor shall correct spelling, including unfamiliar words, utilizing automated spell and grammar check and referring to medical dictionaries and reference sources when needed to distinguish between similar sounding medical terms; arrange material in standard format; correct grammar as necessary; and insert proper punctuation. A STAT dictation is a high priority report that shall be transcribed within the turnaround time specified in paragraph 2.2. These reports are based on clinical urgency as defined by the VA (i.e. the patient is being admitted to the hospital or being transferred to another health care facility).

Type of Contract: Federal Supply Schedule Delivery Order, Firm Fixed Price, Indefinite Quantity
Performance Period: Base Period: Ninety (90) days after award

2. REQUIREMENTS

The Contractor shall provide service seven days a week, 24 hours a day (including holidays).

2.1. UNIT OF WORK:

a. Visible Black Character. A Visible Black Character is defined as a strike-able and visible character and includes any printed letter, number, symbol and/or punctuation mark, excluding any or all formatting (e.g., bold, underline, italics, table structure, formatting codes). All visible black characters can be seen with the naked eye as a mark, regardless of whether viewed electronically or on a printed page:
ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz ~!@#$%^&*()_+{}|:<>?÷±`1234567890-=[]\;',./"

b. Visible Black Character (VBC) Line or ASCII (American Standard Code for Information Interchange) No Spaces Line. A VBC Line is defined as the total number of characters you can see with the naked eye, divided by 65. It includes any character contained within a header or footer. The header and footer terms in this section are defined as actual text in the body of the document. Spaces, carriage returns and hidden format instructions, such as bold, underline, text boxes, printer configurations, spell check, etc., are not counted in the total character count.
A VBC Line is calculated by counting all visual characters and dividing the total number of characters by 65 to arrive at the number of defined lines. Offerors shall propose on a per line basis (using the above line criteria), not per page, page number, key strokes or minutes. The setup for vendor owned equipment shall be included in the cost per line estimate. There can be no additional cost added per job or per VA facility. The Contractor shall be responsible for keeping a line count that can be verified using Microsoft Word. All numbers are to be rounded to the closest mathematical number to 2 decimal places (0.00). For batch uploading, the upload header text is used only to upload the documents to the facilities and cannot be verified. Therefore, upload header text will not be included as visible black characters in the line count.

c. Volume of Work: The Contractor shall have adequate coverage to meet contract turnaround times. The VA has no control over when providers dictate or over daily report volume fluctuations, including Stat dictations. The Contractor shall respond accordingly to meet the expected TAT with volume fluctuations.

2.2. REPORTS: Medical reports to be transcribed will include the following for both modules (turnaround time in hours):

Discharge summaries: 24
Stat/All report types: 2
Compensation and Pension Examinations: 24
Addenda to Compensation and Pension Examinations: 24
Operative Reports: 4
Non-Operative Reports (i.e. cardiac catheterization, ophthalmology reports, endoscopy reports, dermatology reports): 4
Progress Notes/Consultation reports: 24
History and Physical Examination Reports: 4
Cardiology Reports (Holter monitors, echocardiograms, stress treadmills): 4
Neurology Reports (EEG, EMG, Sleep Studies, Doppler studies): 4
Radiology: 4
Telephonic Consents: 4

2.3. TRANSCRIBED DOCUMENTS: The Contractor shall access voice files via telephone lines or via cable modem or broadband internet access to transcribe medical reports for entry as documented under 2.4 Document Entry. Files shall be sent to VISTA using cable modem or broadband internet access via the national One-VA VPN secure access solution. All reports shall have the necessary patient identification data needed for transmitting the document into the correct patient record through the One-VA VPN. The Contractor is responsible for all proofreading. All reports shall be returned to the VA facilities per the turnaround times documented under 2.2 Reports.

The Contractor shall transcribe dictated material in the required VA format for each facility. Report formats will be provided to the Contractor upon award of the contract. All material shall be transcribed in the tenses dictated. The Contractor shall exercise judgment in discerning between syntax, grammar and punctuation without changing the sentence structure. Those cases which are technical in nature shall be referred back to the facility for clarification or correction. The Contractor shall call the facility designated personnel (Health Information Management Section (HIMS), Pathology or Radiology) immediately, within 1 hour of identification of the problem, or if transcribed over the weekend, on the first workday by 10:00 a.m., when problems with the dictation are discovered, including missing/interrupted pieces and/or inaudible dictations. In those cases where dictated material cannot be understood, the transcriptionist shall refer back to the facility for clarification or correction. If, after full review, the dictated material still cannot be understood, a blank space using the designated VISTA "flagging" system shall be used. The specific flagging system for each facility will be provided upon award of the contract.
The flagging system will notify the provider of the need to edit the report prior to signing. Bolding, underlining, tab spacing and italicizing shall not be used, as they are not tolerated on upload into VISTA. No abbreviations shall be used in the listing of discharge/final diagnoses, the pre- and post-operative diagnoses and/or operations/procedures. Numbers shall not be used as a substitute for a diagnosis in the discharge/final diagnoses ("COPD" should be typed "chronic obstructive pulmonary disease", and "respiratory distress secondary to #1" should be typed "respiratory distress secondary to chronic obstructive pulmonary disease"). Abbreviations within the text are to be limited to those listed on an approved abbreviation list and those commonly used in laboratory value reporting. An approved abbreviation list will be provided by each VA facility. No Joint Commission or locally prohibited abbreviations are to be used in any portion of the report. The vendor will be provided a list of approved and unapproved abbreviations upon award of the contract.

Dictators are to provide patient name, complete social security number, type of document, admission and discharge date and, if a clinic note, the name of the clinic, date of visit, date of procedure, their full name and title, and the name of the attending physician, if applicable. For consults, the physician should stipulate whether this is a new patient or a follow-up. For pathology reports, dictators will provide patient name, complete social security number and type of specimen submitted when dictating specimens daily.

2.4. DOCUMENT ENTRY: VA may elect to have transcribed documents uploaded directly to VISTA or batch transmitted to the VA in ASCII upload format.

Batch upload process: The Contractor shall batch upload the documents using upload headers provided by the individual medical centers. Documents will be batch uploaded in ASCII text format using the "Upload Documents" option accessible in VISTA, which initiates a file transfer using the Kermit file transfer protocol. Each VA facility will provide the Contractor with its upload header and tracking footer format. It is the Contractor's responsibility to assure all headers comply with the individual needs of each facility. The header could include the following: document type, patient name, social security number, date of encounter, full name of document author, the attending physician and transcriptionist identifier. Upload header text is non-printable and non-viewable to the VA, and these are non-billable characters. The header includes all text characters including and between $HDR and $TXT. The following is an example of an upload header used for uploading discharge summaries:

$HDR: DCS
DATE OF ADMISSION: 5/8/08
ATTENDING PHYSICIAN: SMITH,JOHN
DICTATION DATE: 5/12/08@1333
DICTATED BY: JONES,ROBERT
DATE OF DISCHARGE: 5/12/08
JOB NUMBER: 11433
PATIENT: DOE,JOHN
PATIENT SSN: 123456789
TRANSCRIPTIONIST:
$TXT

Footer information could include date dictated, date transcribed, job number and transcriptionist's initials and/or ID. The footer is considered part of the body of the document and is billable. *** The file should be ASCII with a width no greater than 80 columns. *** The appropriate "flagging" system will be used for "BLANKS" (a word or phrase in the dictation that isn't understood), i.e. "@@@" or "___", which is to be provided to the Contractor by each facility.

Direct Entry Process: The Contractor shall access the correct patient record and enter the report via the VA's word processor (called Screen Editor). The Contractor may utilize the VA word processor to transcribe reports while online or use a commercial word processor of its choice. If a commercial word processor is used, the completed report shall be pasted into the VISTA word processor as generic/unformatted text.
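As an added illustration (not part of the PWS or any VA system), the following Python applies the billing and upload rules stated above to a batch-upload file: it strips the non-billable $HDR..$TXT header, counts visible (non-space) characters, converts them to VBC lines at 65 characters per line rounded to two decimals, and flags lines wider than 80 columns, tabs or non-ASCII characters, and unresolved "@@@"/"___" blanks. The header fields of the sample follow the example above; the body text, footer and the `UploadAudit` structure are constructed for this example.

```python
"""Audit a VISTA ASCII batch-upload file against the PWS billing rules (constructed example)."""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

LINE_DIVISOR = Decimal(65)      # visible characters per VBC line (PWS 2.1.b)
MAX_WIDTH = 80                  # column limit for the upload file (PWS 2.4)
HEADER_START, HEADER_END = "$HDR", "$TXT"
BLANK_FLAGS = ("@@@", "___")    # flag strings are facility-specific; these are the PWS examples


@dataclass
class UploadAudit:
    header_present: bool
    visible_chars: int
    billable_lines: Decimal
    over_width_lines: list = field(default_factory=list)  # 1-based line numbers wider than 80 columns
    format_violations: int = 0   # tabs or non-ASCII characters in the body (not tolerated on upload)
    blank_flags: int = 0         # unresolved blanks left for the provider to complete


def split_header(document: str) -> tuple[str, str]:
    """Return (header, body); the header is everything from $HDR through $TXT inclusive."""
    start = document.find(HEADER_START)
    if start == -1:
        return "", document
    end = document.find(HEADER_END, start)
    if end == -1:
        return "", document
    end += len(HEADER_END)
    return document[start:end], document[:start] + document[end:]


def count_visible(text: str) -> int:
    """Visible black characters: every character that is not whitespace.
    Spaces, tabs, CR and LF are excluded; the footer is part of the body and counts."""
    return sum(1 for ch in text if not ch.isspace())


def billable_lines(visible_chars: int) -> Decimal:
    """VBC lines = visible characters / 65, rounded half-up to 0.00.
    Decimal avoids float artefacts and Python's round-half-even behaviour."""
    return (Decimal(visible_chars) / LINE_DIVISOR).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def audit_upload(document: str) -> UploadAudit:
    """Run every check on one upload file and return the findings."""
    header, body = split_header(document)
    chars = count_visible(body)
    over = [n for n, line in enumerate(document.splitlines(), 1) if len(line) > MAX_WIDTH]
    violations = sum(1 for ch in body if ch == "\t" or ord(ch) > 126)
    blanks = sum(body.count(flag) for flag in BLANK_FLAGS)
    return UploadAudit(bool(header), chars, billable_lines(chars), over, violations, blanks)


# Constructed sample: header fields follow the PWS example; body and footer are invented.
SAMPLE_UPLOAD = """$HDR: DCS
DATE OF ADMISSION: 5/8/08
ATTENDING PHYSICIAN: SMITH,JOHN
DICTATION DATE: 5/12/08@1333
DICTATED BY: JONES,ROBERT
DATE OF DISCHARGE: 5/12/08
JOB NUMBER: 11433
PATIENT: DOE,JOHN
PATIENT SSN: 123456789
TRANSCRIPTIONIST:
$TXT
DISCHARGE DIAGNOSIS: Chronic obstructive pulmonary disease.
HOSPITAL COURSE: The patient was admitted with @@@ and treated with
bronchodilators. Discharged in stable condition.
DD: 5/12/08  DT: 5/12/08  JOB: 11433  RJ/ab
"""

if __name__ == "__main__":
    result = audit_upload(SAMPLE_UPLOAD)
    print(f"header stripped: {result.header_present}")
    print(f"visible characters: {result.visible_chars}")
    print(f"billable VBC lines: {result.billable_lines}")
    print(f"lines over {MAX_WIDTH} columns: {result.over_width_lines or 'none'}")
    print(f"format violations: {result.format_violations}, unresolved blanks: {result.blank_flags}")
```

A facility reconciling an invoice can run the same audit over every file received in the billing cycle and compare the summed VBC lines with the Contractor's daily report transmittal.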
Reports that cannot be directly entered into a patient's record by the Contractor shall be batch uploaded to the Medical Center or reported to the Medical Center's transcription unit for instruction on disposition.

Entry methods (Direct Entry, Batch Entry and Comments) for each VA facility are documented in the table that follows.

Augusta: Operative procedure reports; Discharge Summaries; Stat Discharge Summaries; Dopplers.
Dublin: Stat reports; History and Physicals; Operation Reports; Discharge Summaries; Progress Reports; Consultation Notes; Radiology Reports.
Columbia: Stat Discharge Summaries; Progress Notes; Discharge Summaries; Operation/Procedure reports; C&P exams; Sleep Studies. Comments: Vendor shall review alerts of all notes and other items that are not correctly entered into CPRS by direct entry.
Atlanta: C&P exams; Discharge Summaries; Stat Discharge Summaries; Progress Notes; Operative/procedure Reports. Comments: Vendor shall review alerts of all notes that do not get correctly entered in CPRS.
Charleston: Operative/procedure Reports; Discharge Summaries; Stat Discharge Summaries; Consultation Notes; Progress Notes. Comments: Vendor shall review alerts of all notes that do not get correctly entered in CPRS.

4. DELIVERABLE - REPORT TRANSMITTAL: On a daily basis, by 12:00 PM local facility time, the Contractor shall send electronically, via PKI encrypted email, a summary report of the reports transcribed by all transcriptionists for the previous day. The report transmittal shall include the following information for each transcriptionist's work:

- Each report (job) number.
- Patient's last name, SS# and name of the physician dictating.
- Date of dictation.
- Date of transcription.
- Number of lines transcribed per report.
- Type of report.
- Date and time the report was transmitted.
- For progress notes, the name of the clinic to which the note was posted and any special notation (H&P, consultation).
- For operative reports, the case number to which the report was loaded.
- For compensation and pension examinations, which exam the report is loaded to.
- Date of visit (only if the date of visit and date of dictation are different).
- Total number of lines for routine reports.
- Total number of lines for stat reports.
- Total number of routine reports.
- Total number of stat reports.

To meet the performance standard, the Contractor shall provide each VA facility a report transmittal that is both timely and contains all elements at least 95% of the time. For compliance less than the expected 95%, a negative performance evaluation will be reported to both the Contracting Officer Representative (COR) and the Contracting Officer, in addition to the report being entered into the Contractor Performance Assessment Reporting System (CPARS), which will negatively impact ALL future Government contract awards. Consistent failure to meet the 95% standard (not meeting the threshold for two consecutive months, or not meeting the 95% threshold for 4 out of six months) may be cause for termination of the contract.

5. PERFORMANCE STANDARDS:

5.1. QUALITY OF DOCUMENTS: The transcribed report shall contain no more than three typographical and content errors per 100 transcribed lines. Definitions of errors: misspelling, inappropriate abbreviations, missing or inaccurate information, entering material that is not part of the report such as the dictator's directions to the transcriptionist, entering material that is not dictated, gross grammar errors, punctuation errors, or formatting other than the provided VA samples. There shall be no blanks in text resulting from dictation which is understandable to VA personnel. It is the Contractor's responsibility to have equipment with the capability to adjust tone, volume and speed to provide better clarity. If the same error is made more than one time in a report, it shall count as an error each time the error is made. All errors shall count equally.
Quality is to be maintained at a minimum of 97%, as determined by review of lines transcribed (minimum of 3% of workload), with the number of errors divided by the lines of transcription checked. The Contractor shall have a quality control program in place at the time performance begins, and a written statement of the quality control program must be provided with the Contractor's proposal. The QA plan is to show the percentage of work (minimum of 3%) to be reviewed for each employee, documentation of the QA process, communication of the QA process to the employee, and a performance improvement plan for employees whose work does not meet the standard.

5.2. ACCURACY OF DOCUMENT ENTRY: All reports shall be transcribed and entered or uploaded into the correct patient's electronic record, as well as correctly assigned to the correct admission, visit, procedure or exam. There shall be no more than 10 instances per month of reports not being properly entered. If 11 to 30 reports are found not properly entered/uploaded into the correct patient record during a monthly billing cycle, a negative performance evaluation will be reported to both the Contracting Officer Representative (COR) and the Contracting Officer, in addition to the report being entered into the Contractor Performance Assessment Reporting System (CPARS), which will negatively impact ALL future Government contract awards. Consistent failure to enter or upload documents into the correct patient's record, defined as greater than 25 reports for two consecutive months or greater than 25 reports for 4 out of the last six months, may be cause for termination of the contract.

5.3. TURNAROUND: Turnaround time (TAT) is defined as the period of time from when the job is first available to the Contractor (the point in time at which the physician hangs up the phone) to the point at which the completed document is loaded into VISTA. 98% of stat reports shall be transcribed and entered into VISTA within the stated turnaround time of two hours. If less than 98% of all stat reports per facility meet TAT, a negative performance evaluation will be reported to both the Contracting Officer Representative (COR) and the Contracting Officer, in addition to the report being entered into the Contractor Performance Assessment Reporting System (CPARS), which will negatively impact ALL future Government contract awards. Consistent failure to meet the 98% standard (not meeting the threshold for two consecutive months, or not meeting the 98% threshold for 4 out of six months) may be cause for termination of the contract.

95% of routine reports will be transcribed and entered into VISTA within the stated turnaround times. For turnaround compliance of 90 to 94% on routine reports, a negative performance evaluation will be reported to both the Contracting Officer Representative (COR) and the Contracting Officer, in addition to the report being entered into the Contractor Performance Assessment Reporting System (CPARS), which will negatively impact ALL future Government contract awards. Consistent failure to meet the 95% standard (not meeting the threshold for two consecutive months, or not meeting the 95% threshold for 4 out of six months) may be cause for termination of the contract.

Any document not returned within 48 hours after notification by the medical center HIM staff shall result in a fifty (50) percent deduction from the Contractor's total invoice for the specific medical center for the month. If there is sufficient written evidence from the Contractor to justify not imposing the penalty, it can be waived by the facility Contracting Officer Representative (COR). Reports lost or damaged by the Contractor shall be redone at no additional charge to the Government. If a report is lost, the Contractor shall immediately call the appropriate VAMC. If unable to reach the COR by phone, the Contractor shall send a fax or e-mail within 15 minutes. The Contractor shall notify HIM that the dictation was lost and give the reason.
Failure to notify the VA of lost reports shall result in termination of the contract. The Contractor shall transcribe lost or damaged reports within two hours of retransmission of the report. Failure to transcribe retransmitted reports within the two hours shall result in a reduction of payment to the Contractor equal to the cost of transcribing the report.

PERFORMANCE STANDARDS SUMMARY

Columns: Task to be performed | Performance standard | Monitoring method | Penalty for not meeting the performance standard

Reports received within TAT for Stat Reports | 98% of all stat reports must meet TAT | 100% of reports are monitored | Penalties outlined in Section 5.3. Turnaround
Reports received within TAT for Routine Reports | 95% of all reports must meet TAT | 100% of reports are monitored | Penalties outlined in Section 5.3. Turnaround
Daily report transmittal | Report received by 12:00 noon facility time and includes all requested elements | 100% of reports are monitored | Penalties outlined in Section 4. Deliverable - Report Transmittal
Copies of Quality Control Reports furnished for transcriptionists | Reports to be provided quarterly by the 10th workday in January, April, July and October | Monitoring 100% by date of receipt | Penalties outlined in Section 6.1. Quality Control
Corrected/retyped reports are accurate and received timely | Reports should be corrected or retyped and sent back to the requesting facility within 4 hours of notification | Total number of reports received back within the 4 hour notification / total number of reports requested to be retyped | Penalties outlined in Section 6.2. Quality Assurance
Reports transcribed are entered or uploaded into the correct patient's electronic record | No more than 10 instances per month of reports not being properly entered/uploaded into the correct patient's record | Reports are reviewed to ensure that the documents are placed into the correct patient record and in the correct section | Penalties outlined in Section 5.2. Accuracy of Document Entry
Reports meet outlined performance standards on quality assurance performed by VA staff | At least 97% of reports should have no more than three errors per 100 lines | At least a 3% sample will be reviewed for content errors monthly by the facility, checking the report against the actual audio file. Standards outlined in Section 5.1. Quality of Documents | Penalties outlined in Section 6.2. Quality Assurance
Certification letter that files have been properly wiped or electronically shredded | Reports to be provided quarterly by the 10th workday of the month | Monitoring 100% by date of receipt | Penalties outlined in Section 14. Retention of Records

6. QUALITY CONTROL/QUALITY ASSURANCE AND PENALTIES:

6.1. QUALITY CONTROL: The Contractor's Quality Control Plan shall be designed to monitor the overall quality of the product while providing continuing education and feedback to the transcriptionists. In order to assure high quality transcription, the Contractor shall establish and maintain a complete Quality Control Plan to ensure that the performance standards of the contract noted below are provided as specified. A copy of the Contractor's Quality Control Plan shall be included with the Contractor's proposal. A copy of the Contractor's Quality Control Plan shall be provided within 10 business days of contract award, and an updated copy provided to the COR as changes occur. The plan shall describe the methods of monitoring work, of identifying and preventing defects before the level of performance becomes unacceptable, and a performance improvement plan.
The plan shall be used to ensure quality standards are met while at the same time meeting turnaround time requirements. Copies of the Contractor's Quality Control reports shall be submitted to each COR for each transcriptionist assigned to that facility. Reports shall be submitted quarterly by the 10th workday of the reporting month. Failure to provide these reports 50% of the time will result in a 10% discount of the entire monthly invoice for the month the report should be received. For less than 50% compliance, there will be a 20% discount of the entire monthly invoice for the month the report should be received. Consistently failing to meet the 75% standard, which is defined as not providing the quality control report for any two quarters within the contract year, may be cause for termination of the contract.

6.2. QUALITY ASSURANCE: Periodic quality assurance checks will be performed by a representative of the Health Information Management Section (HIMS), Surgical Pathology and Radiology. A minimum of 3% of each work type will be checked each month for quality assurance purposes using the criteria outlined in section C.5.1. This review will include comparison of the actual (audio) dictation to the typed report. When this performance measure is met at only 90 to 96%, a negative performance evaluation will be reported to both the Contracting Officer Representative (COR) and the Contracting Officer, in addition to the report being entered into the Contractor Performance Assessment Reporting System (CPARS), which will negatively impact ALL future Government contract awards. Consistent failure to meet the 97% standard (not meeting the threshold for two consecutive months, or not meeting the 97% threshold for 4 out of six months) may be cause for termination of the contract.

If a report must be re-done due to Contractor error, the Contractor shall correct/retype the report within four (4) hours of notification by telephone by appropriate VA staff. The report shall be re-done at no charge to the Government. Corrected reports shall be flagged as corrected when returned to the VA Medical Centers. (Stat reports shall be corrected and retransmitted within one hour following notification by telephone by VA personnel.) In the event a report requires correction or retyping due to an error by Government personnel, the service shall be billed in accordance with the Schedule of Items. This performance measure is 80%. The formula used for calculating compliance is the total number of reports received back within the 4 hour notification divided by the total number of reports requested to be retyped. For 50% to 79% compliance, a negative performance evaluation will be reported to both the Contracting Officer Representative (COR) and the Contracting Officer, in addition to the report being entered into the Contractor Performance Assessment Reporting System (CPARS), which will negatively impact ALL future Government contract awards. Consistent failure to meet the 80% standard, defined as not meeting the 80% threshold for three consecutive months, may be cause for termination of the contract.

6.3. QUALITY ASSURANCE SURVEILLANCE PLAN (QASP): The QASP will be reviewed at the post award meeting.

7. CONTINGENCY SERVICES: The Contractor shall provide a comprehensive plan detailing continuity of transcription services during contractor employee outages, telephone service interruption, power loss or other problems which, if not addressed, would impede transcription operations. The contingency plan shall be submitted with the proposal. The contingency plan shall be provided within 10 business days of contract award.

8. EQUIPMENT:

a. All VISN 7 facilities will utilize the Vendor's Dictation Equipment. In accordance with FAR 4.703, contract files must be maintained for 3 years after final payment. The Contractor shall destroy the files on the anniversary of the third year after final payment.
The vendor is not to subcontract work to another transcription firm without prior VA approval. Use of the dictation equipment could include manipulating dictation setup, prompts, port availability and dictation instructions.

b. All transcription and verification must be performed in the United States of America. There are no exceptions.

8.3. CONTRACTOR EQUIPMENT AND SUPPLY REQUIREMENTS: The Contractor is responsible for all phone line, cable modem or broadband internet access charges associated with uploading into the medical center's VISTA system. Minimal equipment requirements include: personal computers with word processing software, facsimile machine or software, electronic mail access, and the use of Microsoft Word for the determination of line counts, which will be used by personnel at each VA facility to validate the quantity of work produced and invoicing procedures. The Contractor must have the capability of batch uploading, transcribing and/or pasting reports directly into the Medical Center's Veterans Health Information Systems and Technology Architecture (VISTA), depending on the document/report type transcribed. The Contractor must use communications software that is compatible with the Medical Center's VISTA information system, for example PROCOMM PLUS, KEA, etc. The Contractor shall be responsible for providing support if problems related to the communications software are encountered. Each employee will be required to have personal access/verify codes to access each Medical Center's VISTA system.

Each employee will be required to have VA PKI (Public Key Infrastructure) encryption capability to e-mail any patient information to the facility; this includes the daily report transmittal. PKI is an Internet-based technology that protects transmissions of electronic mail (and attachments) from inadvertent unauthorized disclosure through the use of digital signatures and encryption. Digital signatures provide non-repudiation and verify that the sender actually sent the message and that the message was not altered during transmission. Encryption ensures that only the intended recipient can read the message (and attachments). The use of PKI is required for all transmissions of electronic mail that contain sensitive data or personally identifiable information. PKI is available to contractors and affiliates free of charge through the VA PKI Partner program. Any electronic mail program that utilizes the S/MIME Internet-based protocol can use PKI certificates. VA can only provide support for Microsoft Outlook, but support for other e-mail programs is available through the publisher, VeriSign. Contractors/affiliates can obtain Partner PKI certificates through the facility Information Security Officers.

The Contractor is responsible for providing supplies for its equipment. The Contractor shall provide all reference materials such as dictionaries, drug indexes, PDRs, other specialized medical terminology references and computer spell checkers. In the event that the equipment furnished by the Contractor fails, replacement or repair of the failed equipment is required within twelve (12) working hours of system failure. The Vendor shall provide each VA facility access to the furnished dictation equipment to view the status of all work.

8.4. GOVERNMENT FURNISHED INFORMATION: The VA Medical Center(s) will provide to the Contractor an up-to-date listing of providers and an approved Medical Center abbreviation listing at the time of award. These will be updated as changes occur.

9. SYSTEM ACCESS:

a. Any remote access to VA systems that contain sensitive information must be done through the One-VA VPN. After contract award and prior to VA granting VPN access, the Contractor will be required to complete all security requirements.
RESCUE OE is used in conjunction with one-VA VPN to ensure security requirements on contractor computer systems. RESCUE OE is provided by VA to the contractor and is used to ensure that up-to-date valid virus protection is in place and a valid firewall is in place. b. The Contractor and Contractor personnel shall have limited access to VISTA in order to transcribe medical reports. Any remote access to VA systems that contain sensitive information must be done through the One-VA VPN. Transcription Contractor shall remain compliant with the 10N7 AIS Security and Access Policies (a copy of these policies will be made available to the awarded contractor). Contractor shall have employees utilize the Dublin Terminal server for accessing VISN 7 Medical Centers in order to upload transcription as appropriate (instructions will be provided to the awarded contractor). 10. PERSONNEL REQUIREMENTS: The contractor must employ experienced medical transcription personnel, preferably, AHDI (Association Healthcare Documentation Integrity) certified, or must have at least 3 years of experience as a medical transcriptionist in an acute care/teaching facility with extensive knowledge of medical terminology, anatomy and physiology, disease processes, signs and symptoms, medications and laboratory values related to a specialty or specialties. They shall possess excellent skills in the English language and possess the ability to use an extensive array of professional reference material. Curriculum vitae of current employees shall be provided in the proposal, curriculum vitae of employees will be provided to each of the facilities COR to which they are assigned to work and updated as employee assignments change. The contractor shall employee management staff with capabilities to oversee administrative duties, i.e. document entry, quality control, invoicing and supervision.11. 
ORIENTATION AND TRAINING: The Contractor and Contractor personnel shall complete an orientation/training session before being granted access to VISTA and before assignment of transcription work under this contract. Upon completion of the session, the Contractor and Contractor personnel requiring access shall sign the Computer Access Notice Form (to be provided at the post-award meeting). Orientation and training shall be coordinated by each VA Medical Center at the face-to-face and/or conference-call post-award meeting.

12. SECURITY: 12.1. PERSONNEL SECURITY: The Contractor and all personnel employed by the Contractor shall observe the requirements imposed on sensitive data by law, federal regulations, VA statutes and DM&S policy, and the associated requirements to ensure appropriate screening of all personnel, because of the inherent sensitivity of data at the facilities concerned and the level of security clearance carried by Health Care Facility (HCF) personnel for the function under contract. The Contractor shall ensure that their personnel meet the above restrictions and that confidential and proprietary information is divulged only to those officers and officials of the VA Medical Center who are authorized to receive it.

The Contractor shall notify the VISN COR and the COR at the facility where the transcriptionist is working, in writing, within 1 hour when a contractor's transcriptionist resigns or is terminated. On off tours, the contractor shall contact the Administrative Officer of the Day.

12.2. BACKGROUND INVESTIGATION: Contractor personnel performing work under this contract shall satisfy all requirements for appropriate security eligibility in dealing with access to sensitive information and information systems belonging to or being used on behalf of the Department of Veterans Affairs.
To satisfy the requirements of the Department of Veterans Affairs, a low-risk-level Background Investigation shall be conducted prior to performing work under this contract. The appropriate Background Investigation (BI) forms will be provided upon contract award and are to be completed and returned to the VA Office of Security and Law Enforcement (OSL&E) within 30 days for processing. Access to VA information resources cannot be made available until the Security Investigations Center submits the investigatory packet to OPM for processing. At that time the investigation is considered "initiated" and access can be provided. Contractors and Contracting Officers/CORs will be notified by OSL&E when the BI has been completed and adjudicated.

12.3. The investigative history for contractor personnel working under this contract shall be maintained in the databases of either the Office of Personnel Management (OPM) or the Defense Industrial Security Clearance Organization (DISCO). Should the contractor use an investigative company other than OPM or the Defense Security Service (DSS) to conduct investigations, that company must be certified by OPM/DSS to conduct contractor investigations. Further, the contractor shall be responsible for the actions of all individuals provided to work for the VA under this contract. In the event that damages arise from work performed by contractor-provided personnel under the auspices of this contract, the contractor shall be responsible for all resources necessary to remedy the incident.

12.4. PRIVACY/SECURITY TRAINING: All Contractor employees under this contract are required to complete the VA's on-line Security Awareness Training Course and the Privacy Awareness Training Course annually. The Contractor shall provide signed certifications of completion to the Contracting Officer during each year of the contract, in addition to providing signed VA National Rules of Behavior each year.
This requirement is in addition to any other training that may be required of the contractor. Each employee of the Contractor accessing the VISTA information system shall complete ADP access security forms for each medical center and shall abide by the applicable patient/record confidentiality regulations.

13. INFORMATION SECURITY: 13.1. SYSTEM OF RECORDS: The Department of Veterans Affairs' system of records to which Contractor personnel shall have access in order to maintain patient medical records is described annually in the Federal Register. Contractor personnel who obtain access to hardware or media that stores drug or alcohol abuse, AIDS, or sickle cell anemia treatment records, or medical quality assurance records, protected by 38 U.S.C. 7332 or 38 U.S.C. 5705, as defined by the Department of Veterans Affairs, shall have access only to those records absolutely necessary to perform the contractual duty for which access was obtained. Violation of these statutory provisions by the Contractor or a Contractor employee, as stated in agency regulations, may result in the imposition of criminal penalties.

13.2. CONTRACTOR SYSTEM SECURITY: The contractor shall ensure adequate LAN/Internet, data, information and system security in accordance with VA standard operating procedures and Federal standards, laws and regulations as noted in VA Directive 6500, which can be obtained at . The contractor's firewall and web server shall meet or exceed the Government minimum requirement for security. All Government data shall be protected behind an approved firewall. The contractor must provide full-disk encryption on all of its desktops and laptops. Any security violations or attempted violations shall be reported to the COR and the VA Information Security Officer (ISO) immediately upon detection.
The Contractor shall adhere to applicable VA policies and procedures governing information security, especially those that pertain to certification and accreditation. Upon request, the contractor shall provide VA with access to information pertaining to the way in which the contractor maintains VA patient data and the steps taken on an ongoing basis to assure its privacy and security. This includes, but is not limited to, information regarding computer network architecture, the configuration of firewall(s), routers, and other networking equipment, information about installed security software, and audits of patching for known security vulnerabilities. All relevant security-related patches and anti-virus updates must be installed within 15 days of initial release. A Business Associate Agreement will need to be completed with the selected vendor.

14. RETENTION OF RECORDS: The Contractor shall not maintain any hard copies of reports. The Contractor shall maintain all reports on hard-drive backup and/or storage media for a period not exceeding 90 days. After 90 days, all information shall be wiped or electronically shredded using a FIPS 140-2 approved media wiper or file shredder (see next paragraph). Unannounced site visits to the contractor's facility may be made to verify that information is being properly wiped or shredded. The contractor must be able to provide the addresses of all business sites as well as telecommute locations at which VA data might be processed. The Contractor is to provide written certification every 90 days that records have been destroyed using a FIPS 140-2 approved media wiper or file shredder. Copies of the written certification that files have been destroyed shall be submitted to each COR quarterly by the 10th workday of January, April, July and October.
Failure to provide these reports 50% of the time will result in a negative performance evaluation, which will be reported to both the Contracting Officer Representative (COR) and the Contracting Officer, in addition to being entered into the Contractor Performance Assessment Reporting System (CPARS), which will negatively impact ALL future Government contract awards. Consistent failure to meet the 75% standard, defined as not providing written certification that files have been destroyed for any two quarters within the contract year, may be cause for termination of the contract.

Contractors shall make every attempt to process data online (file shares, terminal services) and not copy data to local computer equipment or external electronic media for processing. Where that is not possible, upon completion of each phase of contract performance, upon single job completion, upon contract expiration or termination, or when access to such data is no longer required, the Contractor shall ensure that all file data and residual data stored on computer hard drives or removable electronic media are immediately electronically shredded/overwritten using the Department of Defense (DoD) triple-pass specification. Files on non-government-owned equipment or other equipment located away from any VA facility that will need to be accessed again later during contract performance must be backed up to removable media for later restoration and securely stored away from the equipment, and then immediately electronically shredded/overwritten on the computer system or other electronic media using a product that conforms to the DoD triple-pass specification. Commercial products are readily available to perform DoD-standard file shredding/overwriting and encryption.
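The retention sweep described above (a 90-day limit, three-pass overwrite of what is past it, and a written record to back the quarterly certification), as an added example that is not part of the work statement and is not a product VA has approved. It assumes reports sit under one directory, that a file's modification time stands in for the date the report was transmitted, and that the three passes are zeros, ones, then random bytes; all three are assumptions, not facts from the page. One caveat belongs with any certification built on it: overwriting in place only has meaning on magnetic disks. On SSDs and on journaling or copy-on-write filesystems the old blocks can survive an overwrite, and NIST SP 800-88 points to cryptographic erase or physical destruction there. FIPS 140-2 validates cryptographic modules, not wiping tools, so the "FIPS 140-2 approved" wording is best read as: where sanitization relies on encryption, the encryption must come from a validated module.

```python
"""Retention sweep with three-pass overwrite (added example; assumptions noted inline)."""
import json
import os
import secrets
import sys
import time
from datetime import datetime, timezone

RETENTION_DAYS = 90                     # from the work statement: keep reports no more than 90 days
PASSES = (b"\x00", b"\xff", None)       # assumption: zeros, ones, then random; None = random bytes
CHUNK = 64 * 1024                       # write size per step, keeps memory flat on large files


def expired(path, now=None, retention_days=RETENTION_DAYS):
    """True when the file's mtime is older than the retention window.

    Assumption: mtime stands in for the report's transmission date. If the
    transcription system records that date elsewhere, use that instead.
    """
    now = time.time() if now is None else now
    return now - os.path.getmtime(path) > retention_days * 86400


def overwrite_and_unlink(path):
    """Overwrite every byte of the file once per pattern, fsync after each pass, then unlink.

    Returns the number of bytes overwritten so the caller can record it.
    Only meaningful on magnetic media; see the lead-in for SSD/COW caveats.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in PASSES:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # push the pass to the device before starting the next
    os.remove(path)
    return size


def sweep(root, now=None, retention_days=RETENTION_DAYS):
    """Walk root, destroy every expired file, and return a destruction record.

    The returned list is the evidence for the quarterly written certification:
    one entry per file with its size, pass count and a UTC timestamp.
    """
    record = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not expired(path, now, retention_days):
                continue
            size = overwrite_and_unlink(path)
            record.append({
                "file": os.path.relpath(path, root),
                "bytes": size,
                "passes": len(PASSES),
                "destroyed_at": datetime.now(timezone.utc).isoformat(),
            })
    return record


if __name__ == "__main__":
    # usage: python sweep.py /path/to/report/store  (prints the record as JSON)
    print(json.dumps(sweep(sys.argv[1]), indent=2))
```

The record is deliberately a list of plain dictionaries so it can be dumped as JSON and attached to the quarterly certification unchanged; the fsync after each pass is what makes the pass count in the record honest, since without it the three writes can collapse into one in the page cache.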
Sensitive data remaining on computer equipment or media located away from any VA facility must be encrypted in accordance with VA Directive 6500. In accordance with FAR 4.703, contract files shall be maintained for three (3) years after final payment. The contractor shall destroy the files on the third anniversary of final payment.

15. INSURANCE: The Contractor shall maintain liability and property damage insurance with coverage for the limit prescribed by state law. Further, it is agreed that negligence of the government, its officers, agents, servants, and employees shall not be the responsibility of the contractor hereunder regarding any claim, loss, damage, injury and liability.

16. IMPLEMENTATION PLAN: The Contractor shall provide, as part of its proposal, a plan that includes a schedule for bringing each facility on-line upon receipt of the Notice of Award letter. At a minimum, the plan shall include the names of all the facilities as listed in the Pricing Section, the number of days the Contractor will require to bring each facility on-line, and an outline of how employees are to be brought on-line. The implementation plan shall be submitted with the proposal and shall be completed within 30 calendar days of award.

17. INVOICES AND VALIDATING INVOICES: The facility shall be billed monthly, in arrears. The last day of the month shall be the cut-off for an invoice (i.e. for fiscal purposes, a billing period shall not extend into another month). The invoice shall be sent to each facility; in addition, the invoice for each facility shall be sent electronically in OB10 format to the Financial Service Center in Austin, TX. Invoices received from the contractor shall provide sufficient detail to enable comparison of billed units to the typed reports (i.e. a line count broken down by report type for each VA Medical Center's invoice).
Total calculations from the Daily Report transmittal and the monthly invoice shall be equal for the same billing cycle. The units of work for the invoice shall be totaled at the end of the invoice. All numbers are to be rounded to the nearest whole number. VA staff shall validate invoices monthly. The invoice shall be received at each facility within 8 calendar days after the last day of the month. Any discrepancies shall be brought to the attention of the contractor within 10 calendar days of receipt of the invoice. If a discrepancy exists and cannot be satisfactorily explained by the contractor, VA will pay the invoice based on the VA line count obtained from the daily report transmittals. The Contractor shall furnish a CD containing the raw documents upon request of the medical center to enable it to verify line counts. The Contractor shall furnish completed case numbers and accession numbers for the pathology department of the Atlanta VAMC upon request for verification.

18. POINTS OF CONTACT: Upon contract award the contractor will be provided a list of CORs with contact information, and shall provide the name, phone number, fax number and e-mail address of the company's designated representative(s). The company representative shall be available during normal working hours (8:00 a.m. - 4:30 p.m.). The COR shall be notified by telephone or e-mail within 24 hours of any change to this position. Written notification shall be received within 10 days. The Contractor is required to provide the contact number of a staff member for emergencies. The following are the Key Personnel for each medical center:

19. SUBCONTRACTING: Subcontracting of these services is strictly prohibited. All work performed under this contract shall be performed within the United States. The contractor performing these services shall be physically located within the United States.

20. PERIOD OF PERFORMANCE: The term of the contract shall be one year from the date of award with 2 option years.
The quantities listed are estimated and may vary above or below those figures. The Contractor shall be prepared to start work under this contract within ten (10) days of receipt of the notice of award.

ESTIMATED LINES PER PERFORMANCE PERIOD
Base Period: Ninety (90) days after award

Facility   | Estimated Lines for Base Year | Estimated Cost Per Line | Estimated Total Cost
Atlanta    |                               |                         |
Augusta    |                               |                         |
Dublin     |                               |                         |
Columbia   |                               |                         |
Charleston |                               |                         |
Totals     |                               |                         |

21. B.9. KEY PERSONNEL AND TEMPORARY EMERGENCY SUBSTITUTIONS - The Contractor shall assign qualified key personnel to this contract. a. The Contractor shall make NO substitutions of key personnel unless the substitution is necessitated by illness, death, or termination of employment. The Contractor shall notify the Contracting Officer, in writing, within 15 calendar days after the occurrence of any of these events and provide the information required by paragraph (b) below. b. The Contractor shall provide a detailed explanation of the circumstances necessitating the proposed substitutions, complete resumes for the proposed substitutes, and any additional information requested by the Contracting Officer. Proposed substitutes shall have qualifications comparable to those of the persons being replaced. The Contracting Officer shall notify the Contractor of the decision on the proposed substitutes within 15 calendar days after receipt of all required information. The contract shall be modified to reflect any approved changes of key personnel. c. For temporary substitutions where the key person will not be reporting to work for three (3) consecutive work days or more, the Contractor shall provide a qualified replacement for the key person. This substitute shall have qualifications comparable to the key person. Any period exceeding two weeks shall require the procedure stated above.

Name | Rank/Position | DOL Skill Number | Start Date | Percentage of Work under Contract
     |               |                  |            |

VA ACQUISITION REGULATION SOLICITATION PROVISION AND CONTRACT CLAUSE
1.
SUBPART 839.2 – INFORMATION AND INFORMATION TECHNOLOGY SECURITY REQUIREMENTS
839.201 Contract clause for Information and Information Technology Security: a. Due to the threat of data breach, compromise or loss of information that resides on either VA-owned or contractor-owned systems, and to comply with Federal laws and regulations, VA has developed an Information and Information Technology Security clause to be used when VA sensitive information is accessed, used, stored, generated, transmitted, or exchanged by and between VA and a contractor, subcontractor or a third party in any format (e.g., paper, microfiche, electronic or magnetic portable media). b. In solicitations and contracts where VA Sensitive Information or Information Technology will be accessed or utilized, the CO shall insert the clause found at 852.273-75, Security Requirements for Unclassified Information Technology Resources.

2. 852.273-75 - SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (INTERIM - OCTOBER 2008)
As prescribed in 839.201, insert the following clause: The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract. (END OF CLAUSE)

VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE
1. GENERAL
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS
a. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.
b.
All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.
c. Contract personnel who require access to national security programs must have a valid security clearance. The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with the Defense Security Service (DSS). Verification of a security clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.
d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.
e. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor's employ.
The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

3. VA INFORMATION CUSTODIAL LANGUAGE
a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract, or information developed by the contractor/subcontractor in performance or administration of the contract, shall be used only for those purposes and shall not be used in any other way without the prior written agreement of VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).
b. VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems, in order to ensure that VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct on-site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
c. Prior to termination or completion of this contract, the contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract, without prior written approval by VA.
Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, its Handbook 6300.1, Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
d. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
e. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, the copies must be appropriately destroyed after the restoration is complete.
f.
If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party, or to terminate the contract for default or for cause under Federal Acquisition Regulation (FAR) part 12.
g. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
i. The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.
j. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about VA information and information systems to the VA contracting officer for response.
k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records, and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus.
If the contractor/subcontractor is in receipt of a court order or other request for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.
l. For services that involve the storage, generating, transmitting, or exchanging of VA sensitive information but do not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COR.

4. INFORMATION SYSTEM DESIGN AND DEVELOPMENT
a. Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200, with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COR, and approved by the VA Privacy Service in accordance with Directive 6507, VA Privacy Impact Assessment.
b. The contractor/subcontractor shall certify to the COR that applications are fully functional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC), and the common security configuration guidelines provided by NIST or VA. This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista) and future versions, as required.
c.
The standard installation, operation, maintenance, updating, and patching of software shall not alter the configuration settings from the VA-approved and FDCC configuration. Information technology staff must also use the Windows Installer Service for installation to the default "program files" directory and silently install and uninstall.
d. Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.
e. The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of the VA security system development life cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, VA Handbook 6500, Information Security Program, and VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle.
f. The contractor/subcontractor is required to design, develop, or operate a System of Records Notice (SOR) on individuals to accomplish an agency function subject to the Privacy Act of 1974 (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.
g.
The contractor/subcontractor agrees to: (1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies: (a) the Systems of Records (SOR); and (b) the design, development, or operation work that the contractor/subcontractor is to perform; (2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract, and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a SOR on individuals that is subject to the Privacy Act; and (3) Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which require the design, development, or operation of such a SOR.
h. In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a SOR on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a SOR on individuals to accomplish an agency function.
For purposes of the Act, when the contract is for the operation of a SOR on individuals to accomplish an agency function, the contractor/subcontractor is considered to be an employee of the agency. (1) "Operation of a System of Records" means performance of any of the activities associated with maintaining the SOR, including the collection, use, maintenance, and dissemination of records. (2) "Record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the person's name, or identifying number, symbol, or any other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph. (3) "System of Records" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
i. The vendor shall ensure the security of all procured or developed systems and technologies, including their subcomponents (hereinafter referred to as "Systems"), throughout the life of this contract and any extension, warranty, or maintenance periods. This includes, but is not limited to, workarounds, patches, hotfixes, upgrades, and any physical components (hereafter referred to as Security Fixes) which may be necessary to fix all security vulnerabilities published or known to the vendor anywhere in the Systems, including Operating Systems and firmware. The vendor shall ensure that Security Fixes do not negatively impact the Systems.
j. The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of a vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system).
Such issues shall be remediated as quickly as is practical, but in no event longer than 10 days.
k. When the Security Fixes involve installing third-party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes within 10 days.
l. All other vulnerabilities shall be remediated as specified in this paragraph in a timely manner based on risk, but within 60 days of discovery or disclosure. Exceptions to this paragraph (e.g. for the convenience of VA) shall only be granted with the approval of the contracting officer and the VA Assistant Secretary for the Office of Information and Technology.

5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE
a. For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors/subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor's security control procedures must be equivalent to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COR and approved by the VA Privacy Service prior to operational approval. All external Internet connections to VA's network involving VA information must be reviewed and approved by VA prior to implementation.
b.
Adequate security controls for collecting, processing, transmitting, and storing ofPersonal Identifiable Information (PII), as determined by the VA Privacy Service, must be inplace, tested, and approved by VA prior to hosting, operation, maintenance, or use of theinformation system, or systems by or on behalf of VA. These security controls are to beassessed and stated within the PIA and if these controls are determined not to be in place, orinadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved priorto the collection of PII.c. Outsourcing (contractor facility, contractor equipment or contractor staff) of systems ornetwork operations, telecommunications services, or other managed services requirescertification and accreditation (authorization) (C&A) of the contractor’s systems in accordancewith VA Handbook 6500.3, Certification and Accreditation and/or the VA OCS CertificationProgram Office. Government-owned (government facility or government equipment)contractor-operated systems, third party or business partner networks require memorandumsof understanding and interconnection agreements (MOU-ISA) which detail what data typesare shared, who has access, and the appropriate level of security controls for all systemsconnected to VA networks.d. The contractor/subcontractor’s system must adhere to all FISMA, FIPS, and NISTstandards related to the annual FISMA security controls assessment and review and updatethe PIA. Any deficiencies noted during this assessment must be provided to the VAcontracting officer and the ISO for entry into VA’s POA&M management process. Thecontractor/subcontractor must use VA’s POA&M process to document planned remedialactions to address any deficiencies in information security policies, procedures, and practices,and the completion of those activities. Security deficiencies must be corrected within thetimeframes approved by the government. 
Contractor/subcontractor procedures are subject toperiodic, unannounced assessments by VA officials, including the VA Office of InspectorGeneral. The physical security aspects associated with contractor/subcontractor activitiesmust also be subject to such assessments. If major changes to the system occur that mayaffect the privacy or security of the data or the system, the C&A of the system may need to bereviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewingand updating all of the documentation (PIA, System Security Plan, Contingency Plan). TheCertification Program Office can provide guidance on whether a new C&A would be necessary.e. The contractor/subcontractor must conduct an annual self-assessment on all systemsand outsourced services as required. Both hard copy and electronic copies of the assessmentmust be provided to the COR. The government reserves the right to conduct such anassessment using government personnel or another contractor/subcontractor. Thecontractor/subcontractor must take appropriate and timely action (this can be specified in thecontract) to correct or mitigate any weaknesses discovered during such testing, generally at noadditional cost.f. VA prohibits the installation and use of personally-owned or contractor/subcontractor ownedequipment or software on VA’s network. If non-VA owned equipment must be used tofulfill the requirements of a contract, it must be stated in the service agreement, SOW orcontract. All of the security controls required for government furnished equipment (GFE) mustbe utilized in approved other equipment (OE) and must be funded by the owner of theequipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV)software and a personal (host-based or enclave based) firewall that is configured with a VA approved configuration. Software must be kept current, including all critical updates andpatches. 
Owners of approved OE are responsible for providing and maintaining the anti-viralsoftware and the firewall on the non-VA owned OE.g. All electronic storage media used on non-VA leased or non-VA owned IT equipmentthat is used to store, process, or access VA information must be handled in adherence with VAHandbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of thecontract or (ii) disposal or return of the IT equipment by the contractor/subcontractor or anyperson acting on behalf of the contractor/subcontractor, whichever is earlier. Media (harddrives, optical disks, CDs, back-up tapes, etc.) used by the contractors/subcontractors thatcontain VA information must be returned to the VA for sanitization or destruction or thecontractor/subcontractor must self-certify that the media has been disposed of per 6500.1requirements. This must be completed within 30 days of termination of the contract.h. Bio-Medical devices and other equipment or systems containing media (hard drives,optical disks, etc.) with VA sensitive information must not be returned to the vendor at the endof lease, for trade-in, or other purposes. 
The options are:(1) Vendor must accept the system without the drive;(2) VA’s initial medical device purchase includes a spare drive which must be installed inplace of the original drive at time of turn-in; or(3) VA must reimburse the company for media at a reasonable open market replacementcost at time of purchase.(4) Due to the highly specialized and sometimes proprietary hardware and softwareassociated with medical equipment/systems, if it is not possible for the VA to retain the harddrive, then;(a) The equipment vendor must have an existing BAA if the device being traded in hassensitive information stored on it and hard drive(s) from the system are being returnedphysically intact; and(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatestextent possible without negatively impacting system operation. Selective clearing down topatient data folder level is recommended using VA approved and validated overwritingtechnologies/methods/tools. Applicable media sanitization specifications need to be preapprovedand described in the purchase order or contract.(c) A statement needs to be signed by the Director (System Owner) that states that thedrive could not be removed and that (a) and (b) controls above are in place and completed.The ISO needs to maintain the documentation.6. SECURITY INCIDENT INVESTIGATIONa. The term “security incident” means an event that has, or could have, resulted inunauthorized access to, loss or damage to VA assets, or sensitive information, or an actionthat breaches VA security procedures. The contractor/subcontractor shall immediately notifythe COR and simultaneously, the designated ISO and Privacy Officer for the contract of anyknown or suspected security/privacy incidents, or any unauthorized disclosure of sensitiveinformation, including that contained in system(s) to which the contractor/subcontractor hasaccess.b. 
To the extent known by the contractor/subcontractor, the contractor/subcontractor’snotice to VA shall identify the information involved, the circumstances surrounding the incident(including to whom, how, when, and where the VA information or assets were placed at risk orcompromised), and any other information that the contractor/subcontractor considers relevant.c. With respect to unsecured protected health information, the business associate isdeemed to have discovered a data breach when the business associate knew or should haveknown of a breach of such information. Upon discovery, the business associate must notifythe covered entity of the breach. Notifications need to be made in accordance with theexecuted business associate agreement.d. In instances of theft or break-in or other criminal activity, the contractor/subcontractormust concurrently report the incident to the appropriate law enforcement entity (or entities) ofjurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, itsemployees, and its subcontractors and their employees shall cooperate with VA and any lawenforcement authority responsible for the investigation and prosecution of any possiblecriminal law violation(s) associated with any incident. The contractor/subcontractor shallcooperate with VA in any civil litigation to recover VA information, obtain monetary or othercompensation from a third party for damages arising from any incident, or obtain injunctiverelief against any third party arising from, or related to, the incident.7. LIQUIDATED DAMAGES FOR DATA BREACHa. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access tosensitive personal information. If so, the contractor is liable to VA for liquidated damages inthe event of a data breach or privacy incident involving any SPI the contractor/subcontractorprocesses or maintains under this contract.b. 
The contractor/subcontractor shall provide notice to VA of a “security incident” as setforth in the Security Incident Investigation section above. Upon such notification, VA mustsecure from a non-Department entity or the VA Office of Inspector General an independent riskanalysis of the data breach to determine the level of risk associated with the data breach forthe potential misuse of any sensitive personal information involved in the data breach. Theterm 'data breach' means the loss, theft, or other unauthorized access, or any access otherthan that incidental to the scope of employment, to data containing sensitive personalinformation, in electronic or printed form, that results in the potential compromise of theconfidentiality or integrity of the data. Contractor shall fully cooperate with the entityperforming the risk analysis. Failure to cooperate may be deemed a material breach andgrounds for contract termination.c. Each risk analysis shall address all relevant information concerning the data breach,including the following:(1) Nature of the event (loss, theft, unauthorized access);(2) Description of the event, including:(a) date of occurrence;(b) data elements involved, including any PII, such as full name, social security number,date of birth, home address, account number, disability code;(3) Number of individuals affected or potentially affected;(4) Names of individuals or groups affected or potentially affected;(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of thedegree of protection for the data, e.g., unencrypted, plain text;(6) Amount of time the data has been out of VA control;(7) The likelihood that the sensitive personal information will or has been compromised(made accessible to and usable by unauthorized persons);(8) Known misuses of data containing sensitive personal information, if any;(9) Assessment of the potential harm to the affected individuals;(10) Data breach analysis as outlined in 6500.2 
Handbook, Management of Security andPrivacy Incidents, as appropriate; and(11) Whether credit protection services may assist record subjects in avoiding or mitigatingthe results of identity theft based on the sensitive personal information that may have beencompromised.d. Based on the determinations of the independent risk analysis, the contractor shall beresponsible for paying to the VA liquidated damages in the amount of $______ per affectedindividual to cover the cost of providing credit protection services to affected individualsconsisting of the following:(1) Notification;(2) One year of credit monitoring services consisting of automatic daily monitoring of at least3 relevant credit bureau reports;(3) Data breach analysis;(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts andcredit freezes, to assist affected individuals to bring matters to resolution;(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and(6) Necessary legal expenses the subjects may incur to repair falsified or damaged creditrecords, histories, or financial affairs.8. SECURITY CONTROLS COMPLIANCE TESTINGOn a periodic basis, VA, including the Office of Inspector General, reserves the right toevaluate any or all of the security controls and privacy practices implemented by the contractorunder the clauses contained within the contract. With 10 working-day’s notice, at the requestof the government, the contractor must fully cooperate and assist in a government-sponsoredsecurity controls assessment at each location wherein VA information is processed or stored,or information systems are developed, operated, maintained, or used on behalf of VA,including those initiated by the Office of Inspector General. The government may conduct asecurity control assessment on shorter notice (to include unannounced assessments) asdetermined by VA in the event of a security incident or at any other time.9. TRAININGa. 
All contractor employees and subcontractor employees requiring access to VAinformation and VA information systems shall complete the following before being grantedaccess to VA information and its systems:(1) Sign and acknowledge (either manually or electronically) understanding of andresponsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating toaccess to VA information and information systems;(2) Successfully complete the VA Cyber Security Awareness and Rules of Behaviortraining and annually complete required security training;(3) Successfully complete the appropriate VA privacy training and annually completerequired privacy training; and(4) Successfully complete any additional cyber security or privacy training, as required forVA personnel with equivalent information system access [to be defined by the VA programofficial and provided to the contracting officer for inclusion in the solicitation document – e.g.,any role-based information security training required in accordance with NIST SpecialPublication 800-16, Information Technology Security Training Requirements.]b. The contractor shall provide to the contracting officer and/or the COR a copy of thetraining certificates and certification of signing the Contractor Rules of Behavior for eachapplicable employee within 1 week of the initiation of the contract and annually thereafter, asrequired.c. Failure to complete the mandatory annual training and sign the Rules of Behaviorannually, within the timeframe required, is grounds for suspension or termination of all physicalor electronic access privileges and removal from work on the contract until such time as thetraining and documents are complete.Records Management Language for Contracts1. Contractor shall comply with all applicable records management laws and regulations, as well as National Archives and Records Administration (NARA) records policies, including but not limited to the Federal Records Act (44 U.S.C. chs. 
21, 29, 31, 33), NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a). These policies include the preservation of all records, regardless of form or characteristics, mode of transmission, or state of completion.?2. In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation.?3. In accordance with 36 CFR 1222.32, Contractor shall maintain all records created for Government use or created in the course of performing the contract and/or delivered to, or under the legal control of the Government and must be managed in accordance with Federal law. Electronic records and associated metadata must be accompanied by sufficient technical documentation to permit understanding and use of the records and data.?4. VISN 7 Healthcare Systems and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of VISN 7 Healthcare Systems or destroyed except for in accordance with the provisions of the agency records schedules and with the written concurrence of the Head of the Contracting Activity. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the event of any unlawful or accidental removal, defacing, alteration, or destruction of records, Contractor must report to VISN 7 Healthcare Systems. The agency must report promptly to NARA in accordance with 36 CFR 1230.5. 
The Contractor shall immediately notify the appropriate Contracting Officer upon discovery of any inadvertent or unauthorized disclosures of information, data, documentary materials, records or equipment. Disclosure of non-public information is limited to authorized personnel with a need-to-know as described in the [contract vehicle]. The Contractor shall ensure that the appropriate personnel, administrative, technical, and physical safeguards are established to ensure the security and confidentiality of this information, data, documentary material, records and/or equipment is properly protected. The Contractor shall not remove material from Government facilities or systems, or facilities or systems operated or maintained on the Government’s behalf, without the express written permission of the Head of the Contracting Activity. When information, data, documentary material, records and/or equipment is no longer required, it shall be returned to VISN 7 Healthcare Systems control or the Contractor must hold it until otherwise directed. Items returned to the Government shall be hand carried, mailed, emailed, or securely electronically transmitted to the Contracting Officer or address prescribed in the [contract vehicle]. Destruction of records is EXPRESSLY PROHIBITED unless in accordance with Paragraph (4).6. The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, contracts. The Contractor (and any sub-contractor) is required to abide by Government and VA Ann Arbor Healthcare Systems guidance for protecting sensitive, proprietary information, classified, and controlled unclassified information.7. 
The Contractor shall only use Government IT equipment for purposes specifically tied to or authorized by the contract and in accordance with VISN 7 Healthcare Systems policy.?8. The Contractor shall not create or maintain any records containing any non-public VISN 7 Healthcare Systems information that are not specifically tied to or authorized by the contract.?9. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act.?10. The VISN 7 Healthcare Systems owns the rights to all data and records produced as part of this contract. All deliverables under the contract are the property of the U.S. Government for which VISN 7 Healthcare Systems shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Any Contractor rights in the data or deliverables must be identified as required by FAR 52.227-11 through FAR 52.227-20. ................