66--Mobile 1.5T MRI Unit and Technologist Services
Department of Veterans Affairs, VA South Texas Health Care System | Published September 13, 2016 - Deadline September 21, 2016
Table of Contents
SECTION A 1
A.1 SF 1449 SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS 1
SECTION B - CONTINUATION OF SF 1449 BLOCKS 3
B.1 CONTRACT ADMINISTRATION DATA 3
B.2 PRICE/COST SCHEDULE 4
ITEM INFORMATION 4
B.3 DELIVERY SCHEDULE 4
SOLICITATION PROVISIONS 28
SECTION B - CONTINUATION OF SF 1449 BLOCKS
B.1 CONTRACT ADMINISTRATION DATA
(continuation from Standard Form 1449, block 18A.)
1. Contract Administration: All contract administration matters will be handled by the following individuals:
b. GOVERNMENT: Contracting Officer 36C671
Department of Veterans Affairs
VISN17 Network Contracting Activity
7400 Merton Minter Blvd. (10N17/90C)
San Antonio TX 78229
2. CONTRACTOR REMITTANCE ADDRESS: All payments by the Government to the contractor will be made in accordance with:
[X] 52.232-34, Payment by Electronic Funds Transfer-Other Than System For Award Management, or
 52.232-36, Payment by Third Party
3. INVOICES: Invoices shall be submitted in arrears:
a. Quarterly 
b. Semi-Annually 
c. Other [X]
4. GOVERNMENT INVOICE ADDRESS: All Invoices from the contractor shall be submitted electronically in accordance with VAAR Clause 852.232-72 Electronic Submission of Payment Requests.
Financial Services Center
PO Box 149971
Austin TX 78714-9971
ACKNOWLEDGMENT OF AMENDMENTS: The offeror acknowledges receipt of amendments to the Solicitation numbered and dated as follows:
AMENDMENT NO DATE
B.2 PRICE/COST SCHEDULE
ITEM NUMBER DESCRIPTION OF SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT
0001 Mobile 1.5T MRI scanner unit for lease with associated supporting equipment as listed per SOW. Also an on-site Technologist to perform services as listed per SOW.
Contract Period: Base
POP Begin: 09-28-2016
POP End: 09-27-2017
LOCAL STOCK NUMBER: mobile MRI
12.00 MO __________________ __________________
GRAND TOTAL __________________
B.3 DELIVERY SCHEDULE
ITEM NUMBER QUANTITY DELIVERY DATE
STATEMENT OF WORK
1. GENERAL REQUIREMENTS: The Contractor shall provide a mobile 1.5T MRI Coach and
Technologist Services for CTVHCS, Austin, TX, in accordance with the SOW.
a. Schedule: Services shall be required five (5) days per week and provide the appropriate staff to operate and provide eleven (11) patient exams scheduled per day.
b. Hours of Service: Contractor's mobile unit and personnel shall be on site to perform exams eight (8) hours per day, Monday - Friday, between the hours of 7:30 am and 4:30 pm. The first MRI will begin at 7:30 am with the last patient being seen such that the exam is completed no later than 4:30pm.
c. Pro-rated Monthly Rental Fee: The Contractor shall prorate the monthly rental fee when MRI coach is not functioning in accordance with prescribed guidelines. The monthly fee shall be prorated based on the number of hours the coach is out of service during regularly scheduled clinic hours M-F, 7:30am - 4:30pm. The Contractor shall include the hourly rate in the space provided below:
2. CONTRACTOR RESPONSIBILITIES:
a. Contractor shall be solely responsible for all driver and technologist staffing issues related to the operation of the mobile system.
b. Contractor shall provide a mobile 1.5T MRI unit (5 years old or newer) (including scanner, acquisition and processing station, and physician viewing stations) with a high performance gradient system for use at CTVHCS. Specific equipment requirements include:
(1) Operating system must be Windows 7 or newer
(2) The bore dimensions on the magnet will be 60cm X 60 cm at a minimum
(3) The scanner table weight limit must be equal to or exceed 450 lbs.
(4) The RF coils supplied with the system will include at a minimum:
a) Multi-Channel Phased Array for cervical/thoracic/ lumbar spine
b) Multi-Channel Phased Array Shoulder Coil
c) Multi-Channel Phased Array Body Coil
d) Chimney Knee/Foot Coil
e) Multi-Channel Shoulder Coil
f) Multi-Channel Wrist Coil
g) Multi-Channel Neurovascular coil
h) Multi-Channel Flexible Coil
(5) A power injector for intravenous contrast administration must be included
(6) The scanner must be able to scan the cervical, thoracic, and lumbar spines continuously without requiring patient movement
(7) The system must be capable of performing 2D,3D TOF & PCA and total Body contrast enhanced MRA (intracranial and body) studies
(8) The scanner must include some form of effective noise abatement system for the patients
(9) The scanner must offer a patient entertainment system that enables the patient to experience digital media during the MRI scan procedures
c. Contractor shall be responsible for the transportation of the Mobile MRI coach to and from CTVHCS. Cost of transportation shall be included in the monthly rate. Austin facility is gated and locked after-hours. The facility is open from 6:30 am through 6 pm Monday through Friday for removal of trailer for other assignments.
d. Delivery and Set-up of Contractor Equipment: The Contractor shall be responsible for proper installation/set-up of the Contractor's furnished equipment including the mobile trailer. Installation/setup shall be accomplished in accordance with industry standards, all OSHA regulations and applicable manufacturer's recommendations.
e. Contractor's Equipment: The Contractor shall be responsible for the following daily functions:
(1) Transmit completed electronic data after each exam. Ensure that all of the day's exam data is completely transferred to the CTVHCS computer systems.
(2) Any patient data archived to magnetic optical disk (MOD) or DVD is handed to a designated VA staff member for storage on site at CTVHCS. The MOD and/or DVD shall be the property of CTVHCS. All patient information required for Contractor's records shall be secured in accordance with HIPAA guidelines.
(3) All connections from the trailer to CTVHCS property are properly disconnected from trailer when moved from CTVHCS' site.
(4) Any temporary site preparations are removed upon completion of services.
(5) Contractor shall ensure mobile MRI is maintained in optimum working condition to ensure the highest level of patient safety at all times. Maintenance documents shall be made available to CTVHCS upon request.
f. Contractor shall inform the COTR with an advance notice of at least ninety (90) calendar days prior to any replacement of personnel. All new personnel shall be approved by the COTR and must meet all training, licensing, certifications and VA security checks (credentialing and privileging) before making any personnel changes.
g. Contractor shall ensure each patient arriving for mobile MRI exam has a written or electronic medical record physician order to receive services and a completed MRI Screening Checklist.
h. Contractor shall use appropriate screening devices to ensure patient has no ferro-magnetic materials on or in his/her body.
i. Contractor shall be responsible for adhering to all Federal regulations regarding patient care, patient safety, medical practice and operation of mobile MRI.
j. Contractor shall provide a copy of a current, comprehensive MRI Safety Program policy to which each technologist is expected to comply. MRI Technologist is required to complete CTVHCS MRI Safety Training yearly.
k. Contractor shall be responsible for patient after pick up at the designated area, while on the mobile unit and during the entire scanning procedure up to the patient's release.
l. In the event a patient is injured while in Contractor's care, Contractor shall immediately notify the assigned nurse or a designated VA physician and complete a written report.
m. Contractor shall be responsible for providing a qualified MRI Technologist(s) to perform services defined herein. The MRI Technologist shall be required to provide scanning services as well as training on the full operation of the Mobile MRI unit. Training shall be provided to the assigned CTVHCS technical personnel at no additional cost to the Government. If the MRI Technologist is unable to come in to work as per the schedule, an alternate MRI Technologist is available to cover the shift to avoid having to reschedule patients. All MRI Technologists must complete the credentialing requirements established by CTVHCS and VHA Directive and Handbook 1100.19.
n. Environment of Care Rounds shall be conducted quarterly by the COTR and CTVHCS Austin Administrator. All identified deficiencies shall be corrected by the Contractor prior to the next scheduled day of service.
3. MAINTENANCE REQUIREMENTS:
a. Contractor shall be responsible for all maintenance of the unit including all PMs as required by the manufacturer's literature. The Contractor shall assume all cost for labor and parts including glassware and will make all arrangements for service upon notification of failure. Contractor shall communicate these occurrences and progress in a timely manner with Imaging Service staff and Biomedical Staff. Anyone performing maintenance on the unit shall be factory trained by the manufacturer on this specific unit. Any FDA alerts or recalls associated with this equipment will be ameliorated in a timely manner.
b. All PMs shall be done after normal operating hours, Monday - Friday.
c. Contractor shall ensure a 95% or better up-time based upon the normal operation hours, Monday - Friday, 7:30 a.m. - 4:30 p.m.
d. If the system breaks down, the MRI Technologist is responsible for informing Imaging Service representative and Bio Medical of the issue immediately upon determining there is a problem. The MRI Technologist will contact the vendor immediately if an on-site service technician is needed. It is expected that the on-site service technician will respond within 2 hours to determine what the problem is and a proposed timeframe of how long the machine is expected to be down. Repairs and delays that will be beyond two working days will require a replacement trailer to be brought in.
4. CTVHCS RESPONSIBILITIES:
a. CTVHCS shall provide a covered walkway, utility connections, and an appropriate computer line(s) for use by the Contractor.
b. CTVHCS shall be responsible for scheduling exams for the mobile MRI unit.
c. CTVHCS shall transport patients to the VA furnished waiting area.
d. CTVHCS shall identify patients and provide and administer prescribed sedation which patients may require prior to the scans provided by the Contractor. Sedated patients shall be identified and given special care by the Contractor during the performance of procedures. A CTVHCS registered nurse shall monitor sedated patients in the Contractor's trailer. Conscious sedation/moderate sedation will not be used for these exams.
5. CONTRACTOR PERSONNEL QUALIFICATIONS/POLICIES:
a. The Contractor's Technologist shall possess a current Radiologic Technologist (RT) license. A copy of all applicable operators' license(s) shall be provided with the proposal along with a copy of the updated license immediately upon renewal. The Contractor shall ensure that a copy of the technologist's current license is provided to the COTR for inclusion in CTVHCS' 6-part folder at all times.
b. The Contractor shall be responsible to ensure that Contractor employees providing work on this contract are fully trained and completely competent to perform the required work. Evidence of the Contractor's Technologist's competency review shall be provided with the proposal. Competency checklists must contain evidence of supervisory review at least annually and must contain the written signature of the supervisory official performing the review. A current copy of the employee's competency checklist shall be maintained in CTVHCS' 6-part folder at all times. Competency checklists shall be resubmitted to CTVHCS each time the checklist is updated, no more than 12 months beyond the original date of review.
c. The Contractor shall be required to maintain documentation and provide copies, with their proposal, of the following for each employee working under the contract:
(1) credentials and qualifications for the job
(2) a current competency assessment checklist (an assessment of knowledge, skills, abilities and behaviors required to perform a job correctly and skillfully; includes age-specific knowledge and skills required to provide care for certain patient populations, as appropriate.)
(3) a listing of relevant continuing education for the last two years.
(4) health examination records of all individuals performing work under this contract to include:
(a) Annual TB Skin Test and recent (within the last year) chest X-ray if there is a history of positive TB skin test
(b) Evidence of Hepatitis B immunity (hepatitis immune titer, if provider has had the series of shots; if no immunity, evidence that provider has started the Hepatitis B vaccination series.)
(c) Varicella titer if provider has not had chicken pox and has direct patient contact.
d. This is a non-personal health care service contract under which the Contractor is an independent Contractor. Contractor employees shall not be considered VA employees for any purpose.
6. MOBILE UNIT EQUIPMENT SPECIFICATIONS: The following minimum performance characteristics of the equipment are required:
a. Contractor shall make whatever adaptations are necessary so that the Contractor's equipment is compatible with the CTVHCS data network as specified in Paragraph 12, Telecommunications.
b. MRI images shall be of a high resolution diagnostic image quality.
c. The Mobile MRI unit shall be ready for use regardless of outside environmental conditions.
d. The Mobile MRI unit shall maintain a temperature to assure proper operation of the scanner and provide for patient comfort.
e. The Mobile MRI unit shall include a private dressing area with secured cabinets for patient use.
f. Contractor shall provide a MRI-compatible Automatic External Defibrillator (AED). The system must contain the minimum characteristics:
(1) AED Unit with LCS Screen showing voice prompt messages, device advisory messages, elapsed time, shock count and chest compression graph, Operator's Guide and Carrying Case;
(2) Two (2) Sets of CPR-D Pads, one piece defibrillation and CPR system with compression, depth and rate sensors, supplies with gloves, barrier mask, scissors, razor, wet wipes and dry wipes;
(3) Two (2) Sets of Type 123 Lithium Batteries with storage sleeve.
7. CONFORMANCE STANDARDS/REGULATORY ADHERENCE:
a. Contractor shall perform the required services in accordance with the following:
(1) the standards of the Joint Commission for the Accreditation of Healthcare Organizations (JC) to include Patient Safety Standards (a copy of these standards may be obtained from the Joint Commission on Accreditation of Healthcare Organizations, One Renaissance Blvd., Oakbrook Terrace, IL 60181)
(2) the established principles and ethics of the medical profession established by the AMA and ACEP, and is responsible for the quality of care rendered to all patients.
(3) all relevant Federal and State regulations regarding patient care, medical practice, operation of MRI equipment; to include but not be limited to:
Occupational Safety and Health Act (OSHA)
The Joint Commission (JC)
Veterans Health Administration (VHA)
United States Department of Transportation (US DOT)
Health Information Portability and Accountability Act (HIPAA)
VHA Automated Information Security (AIS)
CTVHCS Medical Staff Bylaws
b. Contractor shall ensure that the equipment/system functions in conformance with the latest published edition of OSHA and the manufacturer's specifications.
c. Contractor shall adhere to the provisions of Public Law 104-191, Health Insurance
Portability and Accountability Act (HIPAA) of 1996 and the National Standards to Protect the Privacy and Security of Protected Health Information (PHI). As required by HIPAA, the Department of Health and Human Services (HHS) has promulgated rules governing the security and use and disclosure of protected health information by covered entities, including the Department of Veterans Affairs Veterans Health Administration (VA).
8. MRI STUDY INTERPRETATION: A CTVHCS radiologist shall read/interpret all MRI studies and dictate all required study reports.
9. MRI DATA OWNERSHIP: CTVHCS shall maintain sole ownership of all data of studies performed on the mobile MRI under this contract. The Contractor may not use any portion of imaging data obtained from patient studies under the contract. The Contractor may not use any portion of imaging data obtained from patient studies for quality control or educational purposes without written consent of CTVHCS.
10. EMERGENCIES ON MOBILE MRI UNIT: Emergency 911 shall handle all medical emergencies occurring on the mobile coach. The Contractor shall provide, with their proposal, a written emergency plan addressing emergencies such as patient codes, personal injury, fire, and disruptive behavior.
11. MRI POINT OF CONTACT: The Contracting Officer shall designate an individual as the Contracting Officer's Technical Representative (COTR) who shall be the primary point of contact at CTVHCS for communication between CTVHCS and the Contractor with regards technical aspects of imaging protocols and medical aspects of MRI studies. The Contractor shall communicate to the COTR any possible and actual disruptions of MRI service. Upon becoming aware of possible or actual disruption of MRI service, the Contractor shall communicate such service-disruption information to the COTR in a timely manner so that patient and service schedules can be appropriately modified with as little inconvenience as possible to patients and services. The Contractor shall provide contact information with their solicitation proposal and provide an update to CTVHCS immediately upon any change in the designation(s).
a. The mobile unit shall be equipped with an outlet connection capable of transmitting data and voice through a Government provided network interface jack (RJ11 Analog Voice and RJ45 IEEE 803.x). The Government shall provide the necessary network services required for the transmission of images, data and voice. The Contractor's mobile unit shall be able to connect to VISTA Imaging Network and to transmit all images to VISTA Imaging to include being compatible to DICOM 3.0 imaging standards. (PACS interface contact person shall be provided to the Contractor during the post-award orientation).
b. The Contractor shall be responsible for all expenses incurred to interface the MRI Scanner OEM using the DICOM 3.0 network with the existing VISTA RAD (soon to be McKesson PACs system). System must be compatible with HL7 - V2.3 soon to be V2.4.
13. QUALITY ASSURANCE MONITOR:
a. The Contractor shall have a Quality Assurance Program in place at the time of contract award. The Contractor shall provide, with their proposal, a copy of their Quality Assurance Program Plan.
b. The Contractor's Quality Assurance Program Plan shall be in accordance with all JC and HIPAA standards.
c. The Contractor shall maintain equipment service records to document performance reports.
d. Quality Improvement: The Government may evaluate the quality of professional and administrative services provided but retain no control over the medical, professional aspects of services rendered (e.g., professional judgments, diagnosis for specific medical treatment), in accordance with FAR 37.401.b. unless otherwise stated herein.
e. The results of all Quality Improvement activities performed by the Contractor involving CTVHCS patients shall be provided to the COTR. This shall include, but not be limited to, quality improvement plans, minutes of staff meetings where quality improvement has been discussed and which include practitioner-specific findings, conclusions, recommendations, written plans for actions taken in response to such conclusions and recommendations, and evaluation of those actions taken. It will also include the annual evaluation required by JCAHO. The monitors should reflect, at a minimum, issues related to quality of care and appropriateness of referral. The Contractor shall submit Quality reports by the 10th workday of the first month of each Government fiscal quarter (i.e. October, January, April, July).
f. At the end of each scheduled day of scanning, the Contractor shall provide a log of patients who were scanned on that date and all diagnostic information regarding each patient scanned that day.
14. QUALITY CONTROL:
a. The COTR will conduct a monthly quality control evaluation to assess the Contractor's overall performance. The quality control plan will monitor the approved quality assurance plan and assess the areas that pertain to the performance of the services provided by in accordance to the specified standards.
b. The COTR will coordinate with the Contractor's representative(s) for any issues or corrections that needs to be addressed and corrected. A timeline will be established and approved by the COTR and Contractor representative to ensure proper time is allocated for corrections and also to minimize the impact to the services provided to the patients.
15. CONFIDENTIALITY OF PATIENT RECORDS:
a. The Contractor, as a VA provider, shall assist in the provision of health care to patients seeking such care from or through VA. As such, the Contractor is considered as being part of the Department health care activity. Contractor is considered to be a VA provider for purposes of the Privacy Act, Title 5 U.S.C. 552a. Further, for the purpose of VA records access and patient confidentiality, Contractor is considered to be a VA provider for the following provisions: Title 38 U.S.C. 5701, 5705, and 7362. Therefore, Contractor may have access, as would other appropriate components of VA, to patient medical records including patient treatment records pertaining to drug and alcohol abuse, HIV, and sickle cell anemia, to the extent necessary to perform its contractual responsibilities. However, like other components of the Department, and not withstanding any other provisions of the contract, the Contractor is restricted from making disclosures of VA records, or information contained in such records, to which it may have access, except to the extent that explicit disclosure authority from VA has been received. The Contractor is subject to the same penalties and liabilities for unauthorized disclosures of such records as VA.
b. The records referred to above shall be and remain the property of VA and shall not be removed or transferred from VA except in accordance with U.S.C.551 a (Privacy Act), 38 U.S.C. 5701 (Confidentiality of claimants records), 5 U.S.C. 552 (FOIA), 38 U.S.C. 5705 (Confidentiality of Medical Quality Assurance Records) 38 U.S.C. 7332 (Confidentiality of certain medical records) and Federal laws, rules and regulations. Subject to applicable Federal confidentiality or privacy laws, the Contractor, or their designated representatives, and designated representatives of Federal regulatory agencies having jurisdiction over Contractor, may have access to VA's records, at VA's place of business on request during normal business hours, to inspect and review as needed in order to perform the examination contracted for but in no case will copies of records be made and/or removed from the VA's place of business.
16. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA): Contractor must adhere to the provisions of Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the National Standards to Protect the Privacy and Security of Protected Health Information (PHI). As required by HIPAA, the Department of Health and Human Services (HHS) has promulgated rules governing the security and use and disclosure of protected health information by covered entities, including the Department of Veterans Affairs (VA). In accordance with HIPAA, the Contractor may be required to enter into a Business Associate Agreement (BAA) with VA.
17. CONTRACT INFORMATION SECURITY REQUIREMENTS:
a. GENERAL: Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.
b. CONTRACTOR PERSONNEL SECURITY REQUIREMENTS: LOW RISK
(1) All Contractor employees having or requiring access to the Department of Veterans Affairs' computer systems or to sensitive data (to include patient or beneficiary records), shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security Investigation Center prior to contract performance. This requirement is applicable to all subcontractor personnel requiring the same access.
(2) The Contracting Officer will provide the appropriate Background Investigation information to the Contractor for completion. Required background investigation initiation documentation must be completed and returned to the Contracting Office within five (5) calendar days after receipt.
(3) Contractor staff shall not begin performance until notification is received from the Contracting Officer that the Security Package has been received and is considered a complete package. It is not necessary that the full investigation be complete prior to commencement of work. However, if the investigation is not completed prior to the start date of the contract, the Contractor shall be responsible for the actions of those individuals they provide to perform work for VA.
(4) Position Sensitivity - The position sensitivity has been designated as Low Risk.
(5) Background Investigation - The level of background investigation commensurate with the required level of access is a National Agency Check with Written Inquiries (NACI).
(6) Contractor Responsibilities:
(a) The Contractor shall bear the expense of obtaining background investigations. The VA shall be responsible for payment to the Security Investigations Center; however upon final payment, the VA shall submit a Bill of Collections to the Contractor. The Contractor shall be responsible for reimbursement to the VA within thirty (30) calendar days. The current cost for a low risk background investigation is $230 per case.
(b) For Low Risk Sensitivity Designation, each Contractor/Subcontractor employee must complete the following forms.
(i) Standard Form 85, Questionnaire for Non-Sensitive Positions
(ii)Optional Form 306, Declaration for Federal Employment
(c) The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract.
(d) Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default.
(7) Fingerprinting Requirements - Contractor/subcontractor employees will be required to have fingerprints taken as part of the background investigation process. The preferred method of obtaining fingerprints is to have them taken electronically at the Human Resources Service at a VA facility. If fingerprints cannot be obtained at a VA facility the Contracting Officer will provide the Contractor with a Form FD258 fingerprint chart, which can be taken to any local police station for fingerprints. However, local entities may assess a fee for this service. The fingerprint chart must accompany the OF 306 when returned by the contractor.
c. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS:
(1) A contractor/subcontractor shall be granted access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.
(2) All contractor/subcontractors working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for Contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.
(3) The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.
d. VA INFORMATION CUSTODIAL LANGUAGE:
(1) Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information development by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).
(2) VA information should not be co-mingled, if possible, with any other data on the contractors/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties,
and destruction/media sanitization procedures are in compliance with VA directive requirements.
(3) Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination or completion of the contract.
(4) The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security, laws, regulations and policies into this contract.
(5) The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
(6) If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provision of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.
(7) If a VA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associates Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
(8) The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
(9) The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.
(10) Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA Contracting Officer for response.
e. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE.
(1) All electronic storage media used on non-VA leased or non-VA owned IT equipment that is
used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the contract or (ii) disposal or return of the IT equipment by the contractor/subcontractor or any person acting on behalf of the contractor/subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the contractors/ subcontractors that contain VA information must be returned to the VA for sanitization or destruction or the contractor/subcontractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract and becomes the property of the VA.
(2) Bio-Medical devices and other equipment or systems containing media (hard drives,
optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:
(a) Vendor must accept the system without the drive;
(b) VA's initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or
(c) VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.
(d) Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then;
(i) The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and
(II) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.
(iii) A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.
f. LIQUIDATED DAMAGES FOR DATA BREACH
(1) Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.
(2) The contractor/subcontractor shall provide notice to VA of a "security incident" as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.
(3) Each risk analysis shall address all relevant information concerning the data breach, including the following:
(a) Nature of the event (loss, theft, unauthorized access);
(b) Description of the event, including:
(i) date of occurrence;
(ii) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
(c) Number of individuals affected or potentially affected;
(d) Names of individuals or groups affected or potentially affected;
(e) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
(f) Amount of time the data has been out of VA control;
(g) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
(h) Known misuses of data containing sensitive personal information, if any;
(i) Assessment of the potential harm to the affected individuals;
(j) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
(k) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
(4) Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(b) One year of credit monitoring services consisting of automatic daily monitoring of at least three (3) relevant credit bureau reports;
(c) Data breach analysis;
(d) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(e) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(f) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.
g. SECURITY INCIDENT INVESTIGATION:
(1) The term 'security incident' means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedure. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.
(2) To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
(3) With respect to unsecured protected health information, the contractor/subcontractor is deemed to have discovered a data breach when the contractor/subcontractor knew or should have known of a breach of such information. Upon discovery, the contractor/subcontractor must simultaneously notify the COTR, ISO and Privacy Officer.
(4) In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with the incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.
h. SECURITY CONTOLS COMPLIANCE TESTING: On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-days' notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.
(1) All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
(a) Sign and acknowledge (either manually or electronically) understanding of and responsibility for compliance with the Contractor Rules of Behavior, attached, relating to access to VA information and information systems.
(b) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
(c) Successfully complete the appropriate VA privacy training and annually completed required privacy training; and
(d) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access as deemed necessary.
(2) The contractor shall provide the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within one week of the initiation of the contract and annually thereafter, as required.
(3) Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training documents are complete.
18. CONTRACTOR REMOTE ACCESS REQUIREMENTS: The Contractor shall be allowed remote access to VA computer systems or network in the performance of the contract. VA has stringent polices and procedures covering remote access, therefore the following responsibilities are outlined below:
a. All remote connections to the VA network shall be through the Office of Cyber and Information Security (OCS) authorized configurations and access points. Contractor's remote access sessions through the Internet or other networks shall be conducted using VA's remote access Virtual Private Network (VPN) Service.
b. The VA shall provide secure and reliable remote access to systems, applications, and information on the VA network to the Contractor.
c. All Contractor personnel requesting remote access shall be required to sign a One-VA VPN Rules of Behavior. The Contractor shall be responsible to ensure Contractor personnel follow the terms of the agreement.
d. VA shall provide VPN software; host based personal firewall, and anti-virus software to the Contractor.
e. The Contractor shall install VA provided VPN software, host based personnel firewall, and anti-virus protection software on all Contractor computer systems that will connect to the VA network or computer systems.
f. The Contractor shall adhere to the remote access requirements, and ensure that systems are properly configured, and appropriately security mechanism and monitoring devices are up to date with best practices and technical standards.
19. PATIENT REFERRAL: The Contractor is not authorized to refer any VA patients for additional medical treatment.
20. LIABILITY AND INSURANCE COVERAGE: The Contractor shall provide insurance coverage in accordance with Federal Acquisition Regulation (FAR) Clause 52.228-5, "Insurance - Work On A Government Installation (Jan 1997)" and VA Acquisition Regulation (VAAR) Clause 852.237-7, "Indemnification And Medical Liability Insurance (Oct 1996) incorporated herein under the Clause Section. The Contractor shall furnish a proof of insurance certificate prior to commencement of services under the awarded contract.
21. POST AWARD REQUIREMENTS: The Contractor shall be responsible to contact the COTR upon receipt of Notice of Award to schedule a post-award orientation. This orientation shall be held on a mutually agreed upon date and time to discuss commencement of services, completion of site renovations required to accept the equipment, scheduling of patients and additional services defined in the specifications.
22. ID BADGES/PARKING/SMOKING POLICY:
a. BADGES: All Contractor personnel are required to wear identification (ID) badges during the entire time they are on the VA grounds.
b. PARKING: It is the responsibility of Contractor personnel to park only in designated parking areas. Parking information is available from the VA Security Service. The VA will not invalidate or make reimbursement for parking violations of the Contractor's personnel under any circumstances.
c. SMOKING: Smoking is not permitted within or around the VA Healthcare System facilities, except in designated areas.
ADDENDUM to FAR 52.212-1 INSTRUCTIONS TO OFFERORS-COMMERCIAL ITEMS
Provisions that are incorporated by reference (by Citation Number, Title, and Date), have the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available.
The following provisions are incorporated into 52.212-1 as an addendum to this solicitation:
1. Offeror's quotes must be submitted via electronic (email) to:
Ms. Cynthia Caruso
2. Offeror quotes must be submitted by the deadline of; September 21, 2016 12:00PM CST.
3. Offeror shall include the proposed Mobile 1.5T MRI Unit and supporting equipment listing the manufacturer, model/brand and specifications (must meet the specifications listed in the SOW).
4. Offeror shall provide the name(s) of the Technologist and associated license(s), training certificates, competency assessment review and associated health examinations listed in the SOW.
5. Questions and Answers: Questions about this solicitation shall be addressed to Ms. Cynthia Caruso via email firstname.lastname@example.org. The closing date for questions is September 16, 2016, 3:00PM CST. Answers will be provided and posted on FBO no later than September 19, 2016.
6. Site visit is not available for this solicitation.