
WRJ Shredding


Maine, United States
Government : Federal
RFQ

(i) This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotes are being requested and a written solicitation will not be issued.
(ii) The solicitation number is 36C24119Q0111 and the solicitation is issued as a request for quotation (RFQ).
(iii) The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-101.
(iv) This requirement is being issued as a Small Business set-aside. The associated NAICS code is 561990 with a size standard of $11 million.
(v) The Government intends to award a firm-fixed-price award for 12 months (04/01/2019-03/31/2020) with four (4) twelve-month options. The Contractor shall provide all labor, supervision, material, equipment, and travel to provide document destruction services for Government-provided documents containing sensitive, confidential and medical records at the VAMC White River Junction and other clinics throughout VT as listed in the Performance Work Statement. Please see the Performance Work Statement, Price Schedule, and Evaluation below for full requirement details and pricing submission.

| Item # | Description - Base Year 04/01/2019-03/31/2020 | Qty | Unit | Price | Amount |
|---|---|---|---|---|---|
| 0001 | The contractor shall provide document destruction services in accordance with the Performance Work Statement. | 12 | MO | | |

| Item # | Description - Base Year 04/01/2020-03/31/2021 | Qty | Unit | Price | Amount |
|---|---|---|---|---|---|
| 1001 | The contractor shall provide document destruction services in accordance with the Performance Work Statement. | 12 | MO | | |

| Item # | Description - Option 2 04/01/2021-03/31/2022 | Qty | Unit | Price | Amount |
|---|---|---|---|---|---|
| 2001 | The contractor shall provide document destruction services in accordance with the Performance Work Statement. | 12 | MO | | |

| Item # | Description - Option 3 04/01/2022-03/31/2023 | Qty | Unit | Price | Amount |
|---|---|---|---|---|---|
| 3001 | The contractor shall provide document destruction services in accordance with the Performance Work Statement. | 12 | MO | | |

| Item # | Description - Option 4 04/02/2023-04/01/2024 | Qty | Unit | Price | Amount |
|---|---|---|---|---|---|
| 4001 | The contractor shall provide document destruction services in accordance with the Performance Work Statement. | 12 | MO | | |

TOTAL _______________________




(vi) The Contractor shall provide document destruction services for Government-provided documents containing sensitive, confidential and medical records. Destruction of patient privacy information shall be accomplished at the White River Junction VA Medical Center through the use of a vehicle equipped for mobile shredding. Please see the attached Performance Work Statement for a full description of the requirement.
(vii) The Place of Performance is the White River Junction VA Medical Center, 215 North Main Street, White River Junction, VT 05009 and several VA Clinics throughout VT (see Performance Work Statement). The period of performance shall be 12 months with four (4) twelve-month options.
(viii) Provision at 52.212-1, Instructions to Offerors -- Commercial Items (OCT 2018), applies to this acquisition in addition to the following addenda to the provision:
52.252-1 Solicitation Provisions Incorporated by Reference (FEB 1998);
52.204-7 System for Award Management (OCT 2018)
52.204-16 Commercial and Government Entity Code Reporting (JUL 2016)
52.216-1 Type of Contract (APR 1984);
52.217-5 Evaluation of Options (JUL 1990);
852.215-70 Service-Disabled Veteran-Owned and Veteran-Owned Small Business Evaluation Factors (JUL 2016) (DEVIATION)
852.252-70 Solicitation Provisions or Clauses Incorporated by Reference (JAN 2008)

(ix) Provision at 52.212-2, Evaluation -- Commercial Items (OCT 2014), applies to this requirement.

Submission of Quotes:
(1) Quotes shall be received on or before the date and time specified in Section (xv) of this solicitation. We will not consider any quote that we receive after the deadline unless we receive it before we issue a purchase order; it is in the best interest of the Government and it will not delay our purchase.
(2) Quotes shall be submitted electronically via email to Tammy.Davis6@va.gov.
(3) Quote Format: The submission should be clearly indexed and logically assembled in order of the evaluation criteria below. The Contractor shall include its company name, address, DUNS and Cage Code.
(4) Questions shall be submitted to the Contract Specialist in writing via e-mail. Oral questions will not be accepted due to the possibility of misunderstanding or misinterpretation. The cut-off date and time for receipt of questions is 1/17/2019 at 12:00 PM EST. Questions received after this date and time may not be answered. Questions will be answered in a formal amendment to the solicitation so all interested parties can see the answers.

(5) Evaluation Process:
Award will be made to the best value, as determined to be the most beneficial to the Government. Please read each section below carefully for the submittals and information required as part of the evaluation. Failure to provide the requested information below shall be considered non-compliant and your quote could be removed from the evaluation process.
Quotes shall be evaluated under FAR Part 13.106-2(b) -- Evaluation of Quotations or Offers. Therefore, the Government will not determine a competitive range, conduct discussions with all contractors, solicit final revised quotes, or use other techniques associated with FAR Part 15. The Contracting Officer will conduct a comparative evaluation of quotes in accordance with FAR 13.106-2 (b).
The Government will award a contract resulting from this solicitation to the responsible quoter whose quote conforming to the solicitation will be most advantageous to the Government, price and other factors considered. The following factors shall be used to evaluate quotes:
Price: The Vendor shall complete the Price Schedule (attached) with proposed contract line item prices inserted in appropriate spaces.
Past Performance: Provide (3) references of work, similar in scope and size with the requirement detailed in the Performance Work Statement. References must include contact information; brief description of the work completed, and contract # (if relevant). Please utilize Attachment Past Performance Worksheet for your references and please submit as part of your quote submission. References may be checked by the Contracting Officer to ensure your company is capable of performing the Statement of Work. The Government also reserves the right to obtain information for use in the evaluation of past performance from any and all sources to include PPIRS.
Technical: The vendor's quote shall be evaluated to determine if the organization has the experience and capabilities to provide the requested services in accordance with the Performance Work Statement in a timely, efficient manner.
Contractor shall demonstrate its experience to meet all requirements stated in the PWS.
If you are planning to sub-contract some or all of this work, please provide the name and address(s) of all subcontractor(s) (if applicable) and a description of their planned subcontracting effort.

Veterans Preference Factor (per 852.215-70): The Government will assign evaluation credit for an Offeror (prime contractor) which is a Service-Disabled Veteran-Owned (SDVOSB) or a Veteran-Owned Small Business (VOSB). Non-SDVOSB/VOSB Offerors proposing to use SDVOSBs or VOSBs as subcontractors will receive some consideration under this evaluation Factor.
a. For SDVOSBs/VOSBs: In order to receive credit under this Factor, an Offeror shall submit a statement of compliance that it qualifies as a SDVOSB or VOSB in accordance with VAAR 852.215-70, Service-Disabled Veteran-Owned and Veteran-Owned Small Business Evaluation Factors. Offerors are cautioned that they must be registered and verified in Vendor Information Pages (VIP) database (http://www.VetBiz.gov).
i. Verified SDVOSBs will receive a 5% price credit (e.g. if a SDVOSB submits an offer of $100.00, it will be evaluated as if it submitted an offer of $95.00).
ii. Verified VOSBs will receive a 2.5% price credit (e.g. if a VOSB submits an offer of $100.00, it will be evaluated as if it submitted an offer of $92.50).
b. For Non-SDVOSBs/VOSBs: To receive some consideration under this Factor, an Offeror must state in its proposal the names of SDVOSB(s) and/or VOSB(s) with whom it intends to subcontract, and provide a brief description and the approximate dollar values of the proposed subcontracts. Additionally, proposed SDVOSB/VOSB Subcontractors must be registered and verified in VIP database (http://www.VetBiz.gov) in order to receive some consideration under the Veteran's Involvement Factor.

i. If a vendor submits a subcontracting plan where it will be using a SDVOSB, it will receive a 2% price credit.
ii. If a vendor submits a subcontracting plan where it will be using a VOSB, it will receive a 1% price credit.



Options: Except when it is determined in accordance with FAR 17.206(b) not to be in the Government's best interests, the Government will evaluate offers for award purposes by adding the total price for all options to the total price for the basic requirement. Evaluation of options will not obligate the Government to exercise the option(s). The Government will evaluate prices for the option under FAR 52.217-8 by using the last year's option prices to calculate the price for six months of effort, and adding that amount to the base and other option years to arrive at the total.

(x) Please include a completed copy of the provision at 52.212-3, Offeror Representations and Certifications (OCT 2018) -- Commercial Items, with your offer via the SAM.gov website or a written copy. Unless exempted by the Contracting Officer, you must register in SAM before we will issue a purchase order to you. If you do not register by the date set by the Contracting Officer, the Contracting Officer might issue the order to a different quoter. Once registered, you must remain registered throughout performance until final payment. Go to https://www.acquisition.gov for information on SAM registration and annual confirmation.
(xi) Clause 52.212-4, Contract Terms and Conditions -- Commercial Items (OCT 2018), applies to this acquisition in addition to the following addenda to the clause:
52.252-2 Clauses Incorporated by Reference (FEB 1998)
52.204-9 Personal Identity Verification of Contractor Personnel (JAN 2011)
52.204-13 System for Award Management Maintenance (OCT 2018)
52.204-18 Commercial and Government Entity Code Maintenance
52.224-1 Privacy Act Notification (APR 1984)
52.224-2 Privacy Act (APR 1984)
52.228-5 Insurance-Work on a Government Installation (JAN 1997)
52.237-3 Continuity of Services (JAN 1991)
852.203-70 Commercial Advertising (MAY 2008)
852.215-71 Evaluation Factor Commitments (DEC 2009)
852.219-74 Limitations on Subcontracting
852.219-75 Subcontracting Commitments Monitoring and Compliance (JUL 2018)
852.228-71 Indemnification and Insurance (MAR 2018)
852.232-72 Electronic Submission of Payment Requests (NOV 2018)
852.237-70 Contractor Responsibilities (APR 1984)

VAAR 852.228-71 INDEMNIFICATION AND INSURANCE (MAR 2018)
(a) Indemnification. The contractor expressly agrees to indemnify and save the Government, its officers, agents, servants, and employees harmless from and against any and all claims, loss, damage, injury, and liability, however caused, resulting from, arising out of, or in any way connected with the performance of work under this agreement. Further, it is agreed that any negligence or alleged negligence of the Government, its officers, agents, servants, and employees, shall not be a bar to a claim for indemnification unless the act or omission of the Government, its officers, agents, servants, and employees is the sole, competent, and producing cause of such claims, loss, damage, injury, and liability. At the option of the contractor, and subject to the approval by the contracting officer of the sources, insurance coverage may be employed as guaranty of indemnification.
(b) Insurance. Satisfactory insurance coverage is a condition precedent to award of a contract. In general, a successful bidder must present satisfactory evidence of full compliance with State and local requirements, or those below stipulated, whichever are the greater. More specifically, workers' compensation and employer's liability coverage will conform to applicable State law requirements for the service contemplated, whereas general liability and aircraft liability of comprehensive type shall, in the absence of higher statutory minimums, be required in the amounts per aircraft used of not less than $200,000 per person and $500,000 per occurrence for bodily injury and $200,000 per occurrence for property damage. Coverage for passenger liability bodily injury shall be at least $200,000 multiplied by the number of seats or passengers, whichever is greater. State-approved sources of insurance coverage ordinarily will be deemed acceptable to the Department of Veterans Affairs installation, subject to timely certifications by such sources of the types and limits of the coverages afforded by the sources to the bidder.

52.217-8 -- Option to Extend Services (Nov 1999) The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 10 days of contract expiration. (End of Clause)
52.217-9 --Option to Extend the Term of the Contract (Mar 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within 30 days; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 Years and 6 Months.


(xii) Clause at 52.212-5, Contract Terms and Conditions Required To Implement Statutes Or Executive Orders -- Commercial Items, applies to this acquisition and in addition to the following FAR clauses cited, which are also applicable to the acquisition:
52.204-10, Reporting Executive Compensation & First-Tier Subcontract Awards (OCT 2018);
52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment (OCT 2015);
52.219-6, Notice of Total Small Business Set-Aside (NOV 2011)
52.219-14, Limitations on Subcontracting (JAN 2017) (15 U.S.C. 637(a)(14))
52.219-28 Post Award Small Business Program Representation (JUL 2013);
52.222-3, Convict Labor (JUNE 2003);
52.222-21, Prohibition of Segregated Facilities (APR 2015);
52.222-26, Equal Opportunity (SEPT 2016); 52.222-35, Equal Opportunity for Veterans (OCT 2015); 52.222-36, Equal Opportunity for Workers with Disabilities (JUL 2014);
52.222-37, Employment Reports on Veterans (FEB 2016);
52.222-50, Combating Trafficking in Persons (MAR 2015);
52.222-59, Compliance with Labor Laws (Executive Order 13673) (OCT 2016);
52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (AUG 2011);
52.224-3, Privacy Training (JAN 2017);
52.225-13, Restrictions on Certain Foreign Purchases (JUNE 2008);
52.232-33, Payment by Electronic Funds Transfer System for Award Management (OCT 2018);
52.222-41, Service Contract Labor Standards (AUG 2018);
52.222-42, Statement of Equivalent Rates for Federal Hires (MAY 2014);
52.222-43, Fair Labor Standards Act and Service Contract Labor Standards--Price Adjustment (Multiple Year and Option Contracts) (AUG 2018);
52.222-55, Minimum Wages Under Executive Order 13658 (DEC 2015);
52.222-62, Paid Sick Leave Under Executive Order 13706 (JAN 2017);
(xiii) All contract requirement(s) and/or terms and conditions are stated above.


(xiv) The Defense Priorities and Allocations System (DPAS) and assigned rating are not applicable to this requirement.
(xv) RFQ responses are due 1/21/2019 at 12:00 PM E.S.T. RFQ responses must be submitted via email to: Tammy.Davis6@va.gov. Hand deliveries will not be accepted. Submissions after the deadline may not be considered.
(xvi) The POC of this solicitation is Tammy Davis (Tammy.Davis6@va.gov).


PERFORMANCE WORK STATEMENT
DOCUMENT DESTRUCTION-SHREDDING SERVICES
WHITE RIVER JUNCTION VA MEDICAL CENTER

1. DESCRIPTION OF SERVICES: The Contractor shall provide document destruction services for Government-provided documents containing sensitive, confidential and medical records. Destruction of patient privacy information shall be accomplished at the White River Junction VA Medical Center using a vehicle equipped for mobile shredding. The Contractor shall maintain liability insurance for the duration of the contract and shall follow all pertinent federal and state regulations with regard to transportation and destruction of medical documentation. All security waste shall be shredded on-site and removed from the White River Junction VA Medical Center premises and transported to an appropriate location to be recycled. During shredding the waste material must be maintained in a secured container in a secured holding area, which will prevent any disclosure or unauthorized access. The destruction of the information must be witnessed either by a VA employee or, if authorized by the VA, by a contractor employee. The White River Junction VA Medical Center shall not be required to separate documents by color or grade of paper, nor remove paper clips and other fasteners. Contractor shall furnish keys for the containers provided under this contract. Each container provided shall have information on it listing the acceptable and non-acceptable items that may be placed inside.

2. GENERAL REQUIREMENTS.
a) The Contractor shall provide 64-gallon, lockable, wheeled totes that have a slot in the top to accept all materials to be shredded. These totes and additional keys are included in this contract and are to be provided at no additional charge.
b) The Contractor shall provide 36" tall front feed lockable consoles. These consoles and additional keys are included in this contract and are to be provided at no additional charge.
c) Pick up, the exact location, and scheduling for all shredding services shall be coordinated with the Government Point of Contact (GPOC) prior to commencement.
d) Removal of sensitive materials/records for shredding and destruction.

2.1 Specific Requirements: With the exception of the White River Junction VA Medical Center, all Government locations are leased. Due to varying lease expiration dates with the potential for locations to move, the lease locations are fluid and may be subject to change but will remain in the same general area. The following is a listing of the Government sites participating and their locations:

White River Junction VA Medical Center (provide approximately 30-40 totes & 30-35 consoles, pickup once a week)
215 North Main Street
White River Junction VT, 05009

White River Junction VA Medical Center Outer Bldgs. 4,6,7,9,37,58,59,60,62,63,66 & 67
(provide 14 totes & 6 consoles, Pickup twice a month)

Bennington CBOC (provide 2 consoles, pickup two times per month)
186 North Street
Bennington, VT 05201

Brattleboro CBOC (provide 1 tote & 2 consoles, pickup every 4 weeks)
71 GSP Drive
Brattleboro, VT 05301

Burlington Lakeside CBOC (provide 2 totes, pickup weekly)
128 Lakeside Avenue, Suite 260
Burlington, VT 05401

Newport Outpatient Clinic (provide 1 tote, pickup every 4 weeks)
1734 Crawford Farm Road
Newport, VT 05855

Rutland CBOC (provide 2 consoles, pickup every 2 weeks)
232 West Street
Rutland, VT 05701

Keene Outpatient Clinic (provide 1 console, pickup every 4 weeks)
640 Marlboro Street, Route 101
Keene, NH 03431

Littleton CBOC (provide 4 consoles, pickup every 4 weeks)
264 Cottage Street
Littleton, NH 03561

2.1.1 The Contractor shall provide a written "Certificate of Destruction" to the Government point of contact weekly to provide verification of the destruction of the contents of all containers and receptacles referenced. In addition, a Final Destruction certificate (date that shreds are pulped) shall be provided monthly to the Privacy Office located at WRJVA.
Example: Bundles of shredded material picked up from WRJ and CBOCs between 1 August 2018 - 31 August 2018, delivered to pulp factory on 01 September 2018. Final Destruction occurred on 01 September 2018.
Signed by: an authorized trained certified employee of the subcontractor or contractor.
2.1.2 The numbers of Wheeled Totes and drop off stations are estimates based on current requirements. The Wheeled Totes and Drop off stations needed may be increased or decreased due to the changes in the amount of shredding services required. Additional pick-ups may be required at more frequent intervals. Any change to the contract will be incorporated via a bilateral modification. No changes shall be performed by the contractor without prior approval from a Contracting Officer.
2.1.3 Prior to commencing performance of this service, the Contractor shall submit a Contingency Plan that includes detailed procedures that will be used in the event of equipment failure, or any other situations that prevent adherence to the planned schedule of performance, or requirements of this contract.
2.1.4 Contractor shall shred documents in accordance with shredding specifications outlined in most recent VA Directive 6371 guidelines.
2.2 Hours of Operation:
a) Normal Hours: The normal hours of operations at the White River Junction VA Medical Center and its leased locations are Monday through Friday from 8:00 am to 4:30 pm, excluding holidays. All work and services shall be performed during normal hours of coverage and shall be during the time period agreed upon with the GPOC. There should be the capacity to start shredding at 7:00 or 7:30 am up to 4:00 pm, depending on volume. This shall be communicated ahead of time by the GPOC.
b) If a scheduled day for services falls on a Federal Holiday, the contractor shall provide services the following day or a day previously agreed upon with the GPOC. Federal Holidays observed by VAMC:
- New Year's Day
- Martin Luther King Day
- President's Day
- Memorial Day
- Independence Day
- Labor Day
- Columbus Day
- Veterans Day
- Thanksgiving Day
- Christmas Day

c) Also included would be any other day specifically declared by the President of the United States to be a National Holiday.
d) When a holiday falls on a Sunday, the following Monday shall be observed as a legal holiday by U.S. Government agencies. When a holiday falls on a Saturday, the preceding Friday shall be observed as a legal holiday.
2.3. Quality Control: The contractor is responsible for developing and maintaining a quality control program to ensure On-site Document Destruction/Shredding Services are performed in accordance with commonly accepted commercial practices. The contractor is responsible for developing and implementing procedures to identify, prevent, and ensure non-recurrence of defective services.
2.4 Quality Assurance: The government will periodically evaluate the contractor's performance by having the Contracting Officer (CO) or Government POC monitor performance to ensure services are received. The Government POC will evaluate the contractor's performance through intermittent on-site inspections of the contractor's performance and receipt of complaints from facility personnel. The government is responsible for validating customer/facility complaints.
2.5. No work other than that called for in this contract is authorized. The Contracting Officer is the only person authorized to enact changes/additions to this contract.
2.6. Payment: Payments shall be made monthly, in arrears, upon successful completion of the above listed requirements and after submission of a record of all services performed, and the receipt of properly prepared Certificates of Destruction and invoiced electronically. A properly prepared invoice shall include at a minimum, the Purchase Order Number, the Contract Number and the period of performance relative to the invoice.
2.7. Privacy/Security: The Contractor shall observe and comply with the VA rules of Conduct and Standards. Contractor shall ensure all employees coming on station have read and are familiar with VHA Privacy Policy Training. (To be supplied by Privacy Officer.) Official notification of such shall be sent to the Government POC. The Contractor shall also need to be escorted on station during services until official Government background investigation has been done on Contract employee/s.
a) Privacy Act Documents: The contractor understands and agrees that property obtained under this contract may contain records previously maintained as a system of records subject to the Privacy Act. The contractor is subject to the provisions of the Privacy Act and is responsible for compliance with its provisions with respect to the handling and disposal of protected information. Additionally, all document destruction and documentation shall be as required by the Health Insurance Portability and Accountability Act (HIPAA).
b) HIPAA Compliance: Contractor must adhere to the provisions of Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the National Standards to Protect the Privacy and Security of Protected Health Information (PHI). As required by HIPAA, the Department of Health and Human Services (HHS) has promulgated rules governing the security and use and disclosure of protected health information by covered entities, including the Department of Veterans Affairs (VA). In accordance with HIPAA, the Contractor shall be required to enter into a Business Associate Agreement (BAA) with VA.
c) Document Destruction Reports. Document destruction reports shall be submitted to the Government POC within 48 hours of pickup and shall include the information required to meet HIPAA requirements. At a minimum the report shall include:
- Date of document pickup.
- Weight/tonnage picked up.
- Date of Destruction.
- Method of Destruction.
- Description of the disposed records: Confidential documents.
- Statement that the documents were received secured.
- Statement that the documents were destroyed in the normal course of business.
- The signature of the individuals supervising and witnessing the destruction.

2.8. Contractor Personnel: The Contractor shall provide qualified employees. The Contractor shall comply with all security requirements of the VAMC. The Contractor shall ensure all employees possess all required licenses for operating all equipment used in the execution of this contract. The Contractor shall be responsible for coordinating with the Government POC and providing all information required of him or his employees for performance of work. The Contractor shall ensure that the Contractor employees providing work on this contract are fully trained and completely competent to perform the required work. Contractor personnel must wear a common uniform or identification with the contractor's name printed in a neat and professional manner so as to be easily visible and readable.
2.9. Security Requirements: All contractor employees who require access to the Department of Veterans Affairs' computer systems and any documents containing sensitive and confidential information shall be the subject of a background investigation and must receive a favorable adjudication from the VA Office of Security and Law Enforcement prior to contract performance. This requirement is applicable to all subcontractor personnel requiring the same access. If the investigation is not completed prior to the start date of the contract, the contractor shall be responsible for the actions of those individuals they provide to perform work for VA.
Position Sensitivity - The position sensitivity has been designated as Low Risk for On-site Document Destruction/Shredding services.
Background Investigation - The level of background investigation commensurate with the required level of access is National Agency Check with Written Inquiries.

2.9.1 Contractor Responsibilities
a) The contractor shall bear the expense of obtaining background investigations. If the Office of Personnel Management (OPM) conducts the investigation, the contractor shall reimburse VA within 30 days. If timely payment is not made within 30 days from date of bill for collection, then VA shall deduct the cost incurred from the contractor's 1st month(s) invoice(s) for services rendered.
b) As required, the contractor shall submit or have their employees submit the following forms to the VA Office of Security and Law Enforcement within 15 days of receipt:
(i) Standard Form 85P, Questionnaire for Public Trust Positions
(ii) Standard Form 85P-S, Supplemental Questionnaire for Selected Positions
(iii) FD 258, U.S. Department of Justice Fingerprint Applicant Chart
(iv) Optional Form 306, Declaration for Federal Employment

c) The Contractor shall inform the contract employee that, when filling out Standard Form 85, there should be no gaps in employment history. Any gaps in employment history on Standard Form 85 may result in rejection of the documentation for investigation.
d) The contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract.
e) Failure to comply with the contractor personnel security requirements may result in termination of the contract for default.
f) The contractor shall be responsible for providing evidence to the GPOC that investigations have been completed or are in the process of being requested within 15 calendar days from receipt of award.
g) The contractor is responsible for physical security and safeguarding all government documents. All vehicles/trucks utilized for Document Destruction/Shredding Services must be properly identified with contractor name.

2.9.2 Government Responsibilities
a) The Government POC will forward the names, social security numbers, and dates of birth of the contractor's employees to the VA Law Enforcement Training Center/SIC.
b) The VA Law Enforcement Training Center/SIC will provide the necessary investigative forms to the contractor or to the contractor's employees, coordinate the background investigations, and notify the GPOC and contractor of the results of the investigations.
c) The VA facility will pay for requested investigations in advance. A bill for collection will be sent to the contractor to reimburse the VA facility. The contractor shall reimburse the VA facility within 30 days. If timely payment is not made within 30 days from date of bill for collection, then VA shall deduct the cost incurred from the contractor's 1st month(s) invoice(s) for services rendered.
d) The current fees associated with background investigations are $200.00 each for low level investigation. See above for the position sensitivity that has been assigned to this contract.
Contractor Reporting Person
Contractor -- Provide telephone number(s) to call for your Service Department.
Provide name(s) of authorized contact person(s):

2.10. Contractor Vehicles: All Contractor vehicles utilized in this contract shall be insured (up to the minimum coverage required by the respective State) and maintain current state vehicle registration. All Contractor employees shall possess a valid State Driver's license and have a clean driving record. The Contractor or his/her employees while performing under this contract shall use no personal vehicles.
2.11. Protection of Government Property: During work execution, the Contractor shall take special care to protect Government property. Contractor shall be responsible to meet all OSHA/Safety requirements in the performance of the work. This shall include but not be limited to taking all the necessary precautions to protect the patients, visitors and/or staff at each location. Contractor shall be held responsible for any injuries and/or damage, which may be caused as a result of the Contractor's failure to adhere to these requirements.
2.12. Identification, Parking, Smoking and VA Regulations: The Contractor's employees shall wear visible identification at all times while on the premises of the VAMC. It is the responsibility of the Contractor to park in the appropriate designated parking areas. Information on parking is available from the Government POC. The VA will not invalidate or make reimbursement for parking violations of the Contractor under any conditions. Smoking is prohibited inside any buildings at the VA and is only allowed in designated areas. (A copy of the smoking policy/locations will be provided to the Contractor upon request.) Possession of weapons is prohibited. Enclosed containers, including tool kits, shall be subject to search. Violations of VA regulations may result in citation answerable in the United States (Federal) District Court, not a local district, state, or municipal court.

3. Performance Requirements Summary
Task | Standard | Acceptable Quality Level | Method of Surveillance
Certificate of Destruction submitted weekly | Completed on time | 98% | Periodic Inspections
Document Destruction Reports | Submitted to Government with accurate information and within 48 Hours of Pick up. | 98% | Periodic Inspection
Documents shredded on-site | Shredding is in accordance with VA Directive 6371 | 100% | Periodic Inspection



IT CONTRACT SECURITY (MARCH 12, 2010)
VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY

GENERAL

Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

VA INFORMATION CUSTODIAL LANGUAGE

Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct on site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.

Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.

The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.

The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.

If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.

If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.

The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.

The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.

Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.


Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.

For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR.
SECURITY INCIDENT INVESTIGATION

The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.

With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.

In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

LIQUIDATED DAMAGES FOR DATA BREACH

Consistent with the requirements of 38 U.S.C. § 5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

Each risk analysis shall address all relevant information concerning the data breach, including the following:

Nature of the event (loss, theft, unauthorized access);

Description of the event, including:

date of occurrence;

data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;

Number of individuals affected or potentially affected;

Names of individuals or groups affected or potentially affected;

Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;

Amount of time the data has been out of VA control;

The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);

Known misuses of data containing sensitive personal information, if any;

Assessment of the potential harm to the affected individuals;

Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and

Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:

Notification;

One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;

Data breach analysis;

Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;

One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and

Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

TRAINING

All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:

Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;

Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;

Successfully complete the appropriate VA privacy training and annually complete required privacy training; and

Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]


The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.

Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.


BUSINESS ASSOCIATE AGREEMENT BETWEEN THE DEPARTMENT OF VETERANS AFFAIRS VETERANS HEALTH ADMINISTRATION AND _

Purpose. The purpose of this Business Associate Agreement (Agreement) is to establish requirements for the Department of Veterans Affairs (VA) Veterans Health Administration (VHA)
and in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, and the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules ("HIPAA Rules"), 45 C.F.R. Parts 160 and 164, for the Use and Disclosure of Protected Health Information (PHI) under the terms and conditions specified below.

Scope. Under this Agreement and other applicable contracts or agreements,
will provide services to, for, or on behalf of .

In order for to provide such services,
will disclose Protected Health Information
to and will use or disclose Protected Health Information in accordance with this Agreement.

Definitions. Unless otherwise provided, the following terms used in this Agreement have the same meaning as defined by the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (PHI), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Business Associate shall have the same meaning as described at 45 C.F.R. § 160.103. For the purposes of this Agreement, Business Associate shall refer to , including its employees, officers, or any other agents that create, receive, maintain, or transmit PHI as described below.

Covered Entity shall have the same meaning as the term is defined at 45 C.F.R. § 160.103. For the purposes of this Agreement, Covered Entity shall refer to .

Protected Health Information or PHI shall have the same meaning as described at 45 C.F.R. § 160.103. Protected Health Information and PHI as used in this Agreement include Electronic Protected Health Information and EPHI. For the purposes of this Agreement and unless otherwise provided, the term shall also refer to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity or receives from Covered Entity or another Business Associate.

Subcontractor shall have the same meaning as the term is defined at 45 C.F.R. § 160.103. For the purposes of this Agreement, Subcontractor shall refer to a contractor of any person or entity, other than Covered Entity, that creates, receives, maintains, or transmits PHI under the terms of this Agreement.

Terms and Conditions. Covered Entity and Business Associate agree as follows:

Ownership of PHI. PHI is and remains the property of Covered Entity as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate agreement is in place.

Use and Disclosure of PHI by Business Associate. Unless otherwise provided, Business Associate:

May not use or disclose PHI other than as permitted or required by this Agreement, or in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except that it may use or disclose PHI:
(1) As required by law or to carry out its legal responsibilities;
(2) For the proper management and administration of Business Associate; or
(3) To provide Data Aggregation services relating to the health care operations of Covered Entity.

Must use or disclose PHI in a manner that complies with Covered Entity's minimum necessary policies and procedures.

May de-identify PHI created or received by Business Associate under this Agreement at the request of the Covered Entity, provided that the de-identification conforms to the requirements of the HIPAA Privacy Rule.

Obligations of Business Associate. In connection with any Use or Disclosure of PHI, Business Associate must:

Consult with Covered Entity before using or disclosing PHI whenever Business Associate is uncertain whether the Use or Disclosure is authorized under this Agreement.

Implement appropriate administrative, physical, and technical safeguards and controls to protect PHI and document applicable policies and procedures to prevent any Use or Disclosure of PHI other than as provided by this Agreement.

Provide satisfactory assurances that PHI created or received by Business Associate under this Agreement is protected to the greatest extent feasible.

Notify Covered Entity within twenty-four (24) hours of Business Associate's discovery of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI.

Any incident as described above will be treated as discovered as of the first day on which such event is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

Notification shall be sent to and and to the VHA Health Information Access Office, Business Associate Program Manager by email at VHABAAIssues@va.gov.

Business Associate shall not notify individuals or the Department of Health and Human Services directly unless Business Associate is not acting as an agent of Covered Entity but in its capacity as a Covered Entity itself.

Provide a written report to Covered Entity of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI, within ten (10) business days of the initial notification.

The written report of an incident as described above will document the following:

The identity of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, disclosed, modified, or destroyed;

A description of what occurred, including the date of the incident and the date of the discovery of the incident (if known);

A description of the types of secured or unsecured PHI that was involved;


A description of what is being done to investigate the incident, to mitigate further harm to Individuals, and to protect against future incidents; and

Any other information as required by 45 C.F.R. §§ 164.404(c) and 164.410.

The written report shall be addressed to:

and submitted by email to and to the VHA Health Information Access Office, Business Associate Program Manager at VHABAAIssues@va.gov

To the greatest extent feasible, mitigate any harm due to a Use or Disclosure of PHI by Business Associate in violation of this Agreement that is known or, by exercising reasonable diligence, should have been known to Business Associate.

Use only contractors and Subcontractors that are physically located within a jurisdiction subject to the laws of the United States, and ensure that no contractor or Subcontractor maintains, processes, uses, or discloses PHI in any way that will remove the information from such jurisdiction. Any modification to this provision must be approved by Covered Entity in advance and in writing.

Enter into Business Associate Agreements with contractors and Subcontractors as appropriate under the HIPAA Rules and this Agreement. Business Associate:

Must ensure that the terms of any Agreement between Business Associate and a contractor or Subcontractor are at least as restrictive as Business Associate Agreement between Business Associate and Covered Entity.

Must ensure that contractors and Subcontractors agree to the same restrictions and conditions that apply to Business Associate and obtain satisfactory written assurances from them that they agree to those restrictions and conditions.

May not amend any terms of such Agreement without Covered Entity's prior written approval.

I. Within five (5) business days of a written request from Covered Entity:
Make available information for Covered Entity to respond to an Individual's request for access to PHI about him/her.

Make available information for Covered Entity to respond to an Individual's request for amendment of PHI about him/her and, as determined by and under the direction of Covered Entity, incorporate any amendment to the PHI.

Make available PHI for Covered Entity to respond to an Individual's request for an accounting of Disclosures of PHI about him/her.

Business Associate may not take any action concerning an individual's request for access, amendment, or accounting other than as instructed by Covered Entity.

To the extent Business Associate is required to carry out Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the provisions that apply to Covered Entity in the performance of such obligations.


Provide to the Secretary of Health and Human Services and to Covered Entity records related to Use or Disclosure of PHI, including its policies, procedures, and practices, for the purpose of determining Covered Entity's, Business Associate's, or a Subcontractor's compliance with the HIPAA Rules.

Upon completion or termination of the applicable contract(s) or agreement(s), return or destroy, as determined by and under the direction of Covered Entity, all PHI and other VA data created or received by Business Associate during the performance of the contract(s) or agreement(s). No such information will be retained by Business Associate unless retention is required by law or specifically permitted by Covered Entity. If return or destruction is not feasible, Business Associate shall continue to protect the PHI in accordance with the Agreement and use or disclose the information only for the purpose of making the return or destruction feasible, or as required by law or specifically permitted by Covered Entity. Business Associate shall provide written assurance that either all PHI has been returned or destroyed, or any information retained will be safeguarded and used and disclosed only as permitted under this paragraph.

Be liable to Covered Entity for civil or criminal penalties imposed on Covered Entity, in accordance with 45 C.F.R. §§ 164.402 and 164.410, and with the HITECH Act, 42 U.S.C. §§ 17931(b), 17934(c), for any violation of the HIPAA Rules or this Agreement by Business Associate.

Obligations of Covered Entity. Covered Entity agrees that it:

Will not request Business Associate to make any Use or Disclosure of PHI in a manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if made by Covered Entity, except as permitted under Section 2 of this Agreement.

Will promptly notify Business Associate in writing of any restrictions on Covered Entity's authority to use or disclose PHI that may limit Business Associate's Use or Disclosure of PHI or otherwise affect its ability to fulfill its obligations under this Agreement.

Has obtained or will obtain from Individuals any authorization necessary for Business Associate to fulfill its obligations under this Agreement.


Will promptly notify Business Associate in writing of any change in Covered Entity's Notice of Privacy Practices, or any modification or revocation of an Individual's authorization to use or disclose PHI, if such change or revocation may limit Business Associate's Use and Disclosure of PHI or otherwise affect its ability to perform its obligations under this Agreement.

Amendment. Business Associate and Covered Entity will take such action as is necessary to amend this Agreement for Covered Entity to comply with the requirements of the HIPAA Rules or other applicable law.

Termination.

Automatic Termination. This Agreement will automatically terminate upon completion of Business Associate's duties under all underlying Agreements or by termination of such underlying Agreements.

Termination Upon Review. This Agreement may be terminated by Covered Entity, at its discretion, upon review as provided by Section 9 of this Agreement.

Termination for Cause. In the event of a material breach by Business Associate, Covered Entity:

Will provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Covered Entity;
May terminate this Agreement and underlying contract(s) if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity.

Effect of Termination. Termination of this Agreement will result in cessation of activities by Business Associate involving PHI under this Agreement.

Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate Agreement is in place.

No Third Party Beneficiaries. Nothing expressed or implied in this Agreement confers any rights, remedies, obligations, or liabilities whatsoever upon any person or entity other than Covered Entity and Business Associate, including their respective successors or assigns.

Other Applicable Law. This Agreement does not abrogate any responsibilities of the parties under any other applicable law.

Review Date. The provisions of this Agreement will be reviewed by Covered Entity every two years from Effective Date to determine the applicability and accuracy of the Agreement based on the circumstances that exist at the time of review.

Effective Date. This Agreement shall be effective on the last signature date below.

Department of Veterans Affairs Veterans Health Administration


By: By:

Name: Name:



Title: Title:



Date: Date:

Tammy Davis
Tammy.Davis6@va.gov
