Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF MARCH 18, 2020 SAM #6684
SOLICITATION NOTICE

65 -- Cardiology BPA Call

Notice Date
3/16/2020 7:51:05 AM
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
339113 — Surgical Appliance and Supplies Manufacturing
 
Contracting Office
NAVAL MEDICAL CENTER PORTSMOUTH VA PORTSMOUTH VA 23708-2297 USA
 
ZIP Code
23708-2297
 
Solicitation Number
N0018320Q0032
 
Response Due
3/20/2020 2:00:00 PM
 
Archive Date
04/04/2020
 
Point of Contact
Harold D Woodley, Phone: 7579537276, Fax: 7579535006, Christopher S. Ward, Phone: 7579533412, Fax: 7579535739
 
E-Mail Address
harold.woodley@med.navy.mil, christopher.s.ward1.civ@mail.mil
 
Description
Section A - Solicitation/Contract Form

CONTRACTOR INFORMATION
THIS IS AN INFORMATION NOTICE ONLY -- NO AWARD WILL BE MADE FROM THIS NOTIFICATION. This is an announcement that the Government intends to issue a call against an existing Blanket Purchase Agreement (BPA) for Cardio Thoracic Clinic consignment items used at the Naval Medical Center Portsmouth Virginia. The call will be placed against Naval Medical Center Portsmouth's BPA N0018317A0004. The Call will be issued for a total amount of $150,000.00 covering the period March, 2020.

Section B - Supplies or Services and Prices

ITEM NO  SUPPLIES/SERVICES  QUANTITY  UNIT  UNIT PRICE  AMOUNT
0001  1  Months
March 2020 BPA Call FFP for Cardiology Clinic.
FOB: Destination
MILSTRIP: N0018320RCCV030
PURCHASE REQUEST NUMBER: N0018320RCCV030
PSC CD: 6515
NET AMT

Section C - Descriptions and Specifications

CONTRACTOR UNCLASSIFIED ACCESS
Contractor Unclassified Access to Federally Controlled Facilities, Sensitive Information, Information Technology (IT) Systems or Protected Health Information (Jan 2017)

Homeland Security Presidential Directive (HSPD)-12 requires government agencies to develop and implement Federal security standards for Federal employees and contractors. The Deputy Secretary of Defense Directive-Type Memorandum (DTM) 08-006 - "DoD Implementation of Homeland Security Presidential Directive - 12 (HSPD-12)" dated November 26, 2008 (or its subsequent DoD instruction) directs implementation of HSPD-12. This clause is in accordance with HSPD-12 and its implementing directives.

APPLICABILITY
This text applies to contractor employees requiring physical access to any area of a federally controlled base, facility or activity and/or requiring access to a DoN or DoD computer/network/system to perform certain unclassified sensitive duties.
This clause also applies to contractor employees who access Privacy Act and Protected Health Information, provide support associated with fiduciary duties, or perform duties that have been identified as National Security Position, as advised by the command security manager. It is the responsibility of the responsible security officer of the command/facility where the work is performed to ensure compliance. Each contractor employee providing services at a Navy Command under this contract is required to obtain a Department of Defense Common Access Card (DoD CAC). Additionally, depending on the level of computer/network access, the contract employee will require a successful investigation as detailed below.

ACCESS TO FEDERAL FACILITIES
Per HSPD-12 and implementing guidance, all contractor employees working at a federally controlled base, facility or activity under this clause will require a DoD CAC. When access to a base, facility or activity is required contractor employees shall in-process with the Command's Security Manager upon arrival to the Command and shall out-process prior to their departure at the completion of the individual's performance under the contract.

ACCESS TO DOD IT SYSTEMS
In accordance with SECNAV M-5510.30, contractor employees who require access to DoN or DoD networks are categorized as IT-I, IT-II, or IT-III. The IT-II level, defined in detail in SECNAV M-5510.30, includes positions which require access to information protected under the Privacy Act, to include Protected Health Information (PHI). All contractor employees under this contract who require access to Privacy Act protected information are therefore categorized no lower than IT-II. IT Levels are determined by the requiring activity's Command Information Assurance Manager.
Contractor employees requiring privileged or IT-I level access, (when specified by the terms of the contract) require a Single Scope Background Investigation (SSBI) or T5 or T5R equivalent investigation, which is a higher level investigation than the National Agency Check with Law and Credit (NACLC)/T3/T3R described below. Due to the privileged system access, an investigation suitable for High Risk national security positions is required. Individuals who have access to system control, monitoring, or administration functions (e.g. system administrator, database administrator) require training and certification to Information Assurance Technical Level 1, and must be trained and certified on the Operating System or Computing Environment they are required to maintain.

Access to sensitive IT systems is contingent upon a favorably adjudicated background investigation. When access to IT systems is required for performance of the contractor employee's duties, such employees shall in-process with the Navy Command's Security Manager and Information Assurance Manager upon arrival to the Navy command and shall out-process prior to their departure at the completion of the individual's performance under the contract. Completion and approval of a System Authorization Access Request Navy (SAAR-N) form is required for all individuals accessing Navy Information Technology resources. The decision to authorize access to a government IT system/network is inherently governmental. The contractor supervisor is not authorized to sign the SAAR-N; therefore, the government employee with knowledge of the system/network access required or the COR shall sign the SAAR-N as the "supervisor".

The SAAR-N shall be forwarded to the Command's Security Manager at least 30 days prior to the individual's start date. Failure to provide the required documentation at least 30 days prior to the individual's start date may result in delaying the individual's start date.
When required to maintain access to required IT systems or networks, the contractor shall ensure that all employees requiring access complete annual Information Assurance (IA) training, and maintain a current requisite background investigation. The Contractor's Security Representative shall contact the Command Security Manager for guidance when reinvestigations are required.

INTERIM ACCESS
The Command's Security Manager may authorize issuance of a DoD CAC and interim access to a DoN or DoD unclassified computer/network upon a favorable review of the investigative questionnaire and advance favorable fingerprint results. When the results of the investigation are received and a favorable determination is not made, the contractor employee working on the contract under interim access will be denied access to the computer network and this denial will not relieve the contractor of his/her responsibility to perform.

DENIAL OR TERMINATION OF ACCESS
The potential consequences of any requirement under this clause including denial or termination of physical or system access in no way relieves the contractor from the requirement to execute performance under the contract within the timeframes specified in the contract. Contractors shall plan ahead in processing their employees and subcontractor employees. The contractor shall insert this clause in all subcontracts when the subcontractor is permitted to have unclassified access to a federally controlled facility, federally-controlled information system/network and/or to government information, meaning information not authorized for public release.

CONTRACTOR'S SECURITY REPRESENTATIVE
The contractor shall designate an employee to serve as the Contractor's Security Representative. Within three work days after contract award, the contractor shall provide to the requiring activity's Security Manager and the Contracting Officer, in writing, the name, title, address and phone number for the Contractor's Security Representative.
The Contractor's Security Representative shall be the primary point of contact on any security matter. The Contractor's Security Representative shall not be replaced or removed without prior notice to the Contracting Officer and Command Security Manager.

BACKGROUND INVESTIGATION REQUIREMENTS AND SECURITY APPROVAL PROCESS FOR CONTRACTORS ASSIGNED TO NATIONAL SECURITY POSITIONS OR PERFORMING SENSITIVE DUTIES
Navy security policy requires that all positions be given a sensitivity value based on level of risk factors to ensure appropriate protective measures are applied. Contractor employees under this contract are recognized as Non-Critical Sensitive [ADP/IT-II] positions when the contract scope of work requires physical access to a federally controlled base, facility or activity and/or requiring access to a DoD computer/network, to perform unclassified sensitive duties. This designation is also applied to contractor employees who access Privacy Act and Protected Health Information (PHI), provide support associated with fiduciary duties, or perform duties that have been identified as National Security Positions. At a minimum, each contractor employee must be a US citizen and have a favorably completed NACLC or T3 or T3R equivalent investigation to obtain a favorable determination for assignment to a non-critical sensitive or IT-II position. The investigation consists of a standard NAC and a FBI fingerprint check plus law enforcement checks and credit check.

Each contractor employee filling a non-critical sensitive or IT-II position is required to complete:
- SF-86 Questionnaire for National Security Positions (or equivalent OPM investigative product)
- Two FD-258 Applicant Fingerprint Cards (or an electronic fingerprint submission)
- Original Signed Release Statements

Failure to provide the required documentation at least 30 days prior to the individual's start date shall result in delaying the individual's start date.
Background investigations shall be reinitiated as required to ensure investigations remain current (not older than 10 years) throughout the contract performance period. The Contractor's Security Representative shall contact the Command Security Manager for guidance when reinvestigations are required.

Regardless of their duties or IT access requirements ALL contractor employees shall in-process with the Command's Security Manager upon arrival to the command and shall out-process prior to their departure at the completion of the individual's performance under the contract. Employees requiring IT access shall also check-in and check-out with the Navy Command's Information Assurance Manager. Completion and approval of a System Authorization Access Request Navy (SAAR-N) form is required for all individuals accessing Navy Information Technology resources. The SAAR-N shall be forwarded to the Navy Command's Security Manager at least 30 days prior to the individual's start date. Failure to provide the required documentation at least 30 days prior to the individual's start date shall result in delaying the individual's start date.

The contractor shall ensure that each contract employee requiring access to IT systems or networks complete annual Information Assurance (IA) training, and maintain a current requisite background investigation. Contractor employees shall accurately complete the required investigative forms prior to submission to the Command Security Manager. The Command's Security Manager will review the submitted documentation for completeness prior to submitting it to the Office of Personnel Management (OPM); Potential suitability or security issues identified may render the contractor employee ineligible for the assignment. An unfavorable determination is final (subject to SF-86 appeal procedures) and such a determination does not relieve the contractor from meeting any contractual obligation under the contract.
The Command's Security Manager will forward the required forms to OPM for processing. Once the investigation is complete, the results will be forwarded by OPM to the DoD Central Adjudication Facility (CAF) for a determination.

If the contractor employee already possesses a current favorably adjudicated investigation, the contractor shall submit a Visit Authorization Request (VAR) via the Joint Personnel Adjudication System (JPAS) or a hard copy VAR directly from the contractor's Security Representative. Although the contractor will take JPAS "Owning" role over the contractor employee, the Command will take JPAS "Servicing" role over the contractor employee during the hiring process and for the duration of assignment under that contract. The contractor shall include the IT Position Category per SECNAV M-5510.30 for each employee designated on a VAR. The VAR requires annual renewal for the duration of the employee's performance under the contract.

Section E - Inspection and Acceptance

INSPECTION AND ACCEPTANCE TERMS
Supplies/services will be inspected/accepted at:
CLIN: 0001
INSPECT AT: Destination
INSPECT BY: Government
ACCEPT AT: Destination
ACCEPT BY: Government

Section F - Deliveries or Performance

DELIVERY INFORMATION
CLIN: 0001
DELIVERY DATE: 31-MAR-2020
QUANTITY: 1
SHIP TO ADDRESS: NAVAL MEDICAL CENTER RECEIVING OFFICER, 54 LEWIS MINOR STREET BLDG. 250, PORTSMOUTH VA 23708-2297, 757-953-5770, FOB: Destination
DODAAC / CAGE: N00183

DOCK DELIVERY
Naval Medical Center Portsmouth (NMCP) Receiving Dock Hours of Operation: NMCP Receiving Dock is open Monday through Friday 0700 to 1600 (7:00 a.m. to 4:00 p.m.), excluding federal holidays. Receiving personnel may be reached at 757-953-5770.

Section G - Contract Administration Data

CLAUSES INCORPORATED BY FULL TEXT

252.232-7006 WIDE AREA WORKFLOW PAYMENT INSTRUCTIONS (DEC 2018)

(a) Definitions. As used in this clause--
"Department of Defense Activity Address Code (DoDAAC)" is a six position code that uniquely identifies a unit, activity, or organization.
"Document type" means the type of payment request or receiving report available for creation in Wide Area WorkFlow (WAWF).
"Local processing office (LPO)" is the office responsible for payment certification when payment certification is done external to the entitlement system.
"Payment request" and "receiving report" are defined in the clause at 252.232-7003, Electronic Submission of Payment Requests and Receiving Reports.

(b) Electronic invoicing. The WAWF system provides the method to electronically process vendor payment requests and receiving reports, as authorized by Defense Federal Acquisition Regulation Supplement (DFARS) 252.232-7003, Electronic Submission of Payment Requests and Receiving Reports.

(c) WAWF access. To access WAWF, the Contractor shall--
(1) Have a designated electronic business point of contact in the System for Award Management at https://www.sam.gov; and
(2) Be registered to use WAWF at https://wawf.eb.mil/ following the step-by-step procedures for self-registration available at this web site.

(d) WAWF training. The Contractor should follow the training instructions of the WAWF Web-Based Training Course and use the Practice Training Site before submitting payment requests through WAWF. Both can be accessed by selecting the "Web Based Training" link on the WAWF home page at https://wawf.eb.mil/.

(e) WAWF methods of document submission. Document submissions may be via web entry, Electronic Data Interchange, or File Transfer Protocol.

(f) WAWF payment instructions. The Contractor shall use the following information when submitting payment requests and receiving reports in WAWF for this contract or task or delivery order:
(1) Document type. The Contractor shall submit payment requests using the following document type(s):
(i) For cost-type line items, including labor-hour or time-and-materials, submit a cost voucher.
(ii) For fixed price line items--
(A) That require shipment of a deliverable, submit the invoice and receiving report specified by the Contracting Officer.
____COMBO FOR SUPPLIES____
(Contracting Officer: Insert applicable invoice and receiving report document type(s) for fixed price line items that require shipment of a deliverable.)
(B) For services that do not require shipment of a deliverable, submit either the Invoice 2in1, which meets the requirements for the invoice and receiving report, or the applicable invoice and receiving report, as specified by the Contracting Officer.
____________
(Contracting Officer: Insert either "Invoice 2in1" or the applicable invoice and receiving report document type(s) for fixed price line items for services.)
(iii) For customary progress payments based on costs incurred, submit a progress payment request.
(iv) For performance based payments, submit a performance based payment request.
(v) For commercial item financing, submit a commercial item financing request.
(2) Fast Pay requests are only permitted when Federal Acquisition Regulation (FAR) 52.213-1 is included in the contract.
[Note: The Contractor may use a WAWF "combo" document type to create some combinations of invoice and receiving report in one step.]
(3) Document routing. The Contractor shall use the information in the Routing Data Table below only to fill in applicable fields in WAWF when creating payment requests and receiving reports in the system.
Routing Data Table*
Field Name in WAWF: Data to be entered in WAWF
Pay Official DoDAAC: HQ0248
Issue By DoDAAC: N00183
Admin DoDAAC**: N00183
Inspect By DoDAAC: N/A
Ship To Code: N00183
Ship From Code: N/A
Mark For Code: N/A
Service Approver (DoDAAC): N/A
Service Acceptor (DoDAAC): N/A
Accept at Other DoDAAC: N/A
LPO DoDAAC: N00183
DCAA Auditor DoDAAC: N/A
Other DoDAAC(s): N/A
(*Contracting Officer: Insert applicable DoDAAC information. If multiple ship to/acceptance locations apply, insert "See Schedule" or "Not applicable.")
(**Contracting Officer: If the contract provides for progress payments or performance-based payments, insert the DoDAAC for the contract administration office assigned the functions under FAR 42.302(a)(13).)
(4) Payment request. The Contractor shall ensure a payment request includes documentation appropriate to the type of payment request in accordance with the payment clause, contract financing clause, or Federal Acquisition Regulation 52.216-7, Allowable Cost and Payment, as applicable.
(5) Receiving report. The Contractor shall ensure a receiving report meets the requirements of DFARS Appendix F.

(g) WAWF point of contact.
(1) The Contractor may obtain clarification regarding invoicing in WAWF from the following contracting activity's WAWF point of contact.
USN.DETRICK.NAVMEDLOGCOMFTDMD.LIST.NMLC-WAWF@MAI.MIL
(Contracting Officer: Insert applicable information or "Not applicable.")
(2) Contact the WAWF helpdesk at 866-618-5988, if assistance is needed.
(End of clause)

Section H - Special Contract Requirements

PRIVACY & SECURITY OF PHI BUSINESS ASSOCIATE AGREEMENT
Privacy, Access, Use, and Disclosure of Protected Health Information

1. Introduction. In accordance with 45 C.F.R. §§ 164.502(e)(2) and 164.504(e), and DoDM 6025.18, "Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in DoD Health Care Programs," March 13, 2019, this document serves as a Business Associate Agreement (BAA) between the signatory Parties for purposes of the HIPAA and the "HITECH Act" amendments thereof, as implemented by the HIPAA Rules and DoD HIPAA issuances (both defined below). The Parties are (1) a DoD Military Health System (MHS) component command such as a Navy Medicine Medical Treatment Facility (MTF) (Naval Medical center or Naval hospital), or special mission command (research, public health, other), acting as a HIPAA covered entity, and (2) another Federal or Government organization, civilian academic institution, or other civilian entity, acting as a HIPAA Business Associate (BA). The HIPAA Rules require BAAs between covered entities and BAs. Implementing this BAA requirement, the applicable DoD HIPAA issuances (DoDM 6025.18) provides that requirements applicable to BAs must be incorporated (or incorporated by reference) into the contract or agreement between the Parties.

2. Definitions:
a. Terms. Except as provided otherwise in this BAA, the following terms used in this BAA shall have the same meaning as those terms in the DoD HIPAA Rules (DoDM6025.18-): Data aggregation, designated record set, disclosure, health care operations, individual, minimum necessary, notice of privacy practices, protected health information (PHI), required by law, secretary, security incident, subcontractor, unsecured PHI, and use.
b. Breach. means actual or possible loss of control, unauthorized disclosure of or unauthorized access to PHI or other Personally Identifiable Information (PII) (which may include, but is not limited to PHI), where persons other than authorized users gain access or potential access to such information for any purpose other than authorized purposes, where one or more individuals will be adversely affected. The foregoing definition is based on the definition of "Breach" in DoD Privacy Act issuances as defined herein.
c. BA. shall generally have the same meaning as the term "BA" in the DoD HIPAA issuances, and in reference to this BAA, shall mean the entity (another Government organization, civilian academic institution, or other civilian organization), entering into agreement with a Navy Medicine MTF or special mission command.
d. Agreement. means this BAA together with the documents or other arrangements under which the BA signatory performs services involving access to PHI on behalf of the MHS component signatory to this BAA.
e. Covered Entity. shall generally have the same meaning as the term "covered entity" in the DoD HIPAA issuances, and in reference to this BAA, shall mean a Navy Medicine MTF or special mission command under the Bureau of Medicine and Surgery.
f. DHA Privacy Office. means the Defense Health Agency (DHA) Privacy and Civil Liberties Office. The DHA Privacy Office Director is the HIPAA Privacy and Security Officer for DHA, including the National Capital Region Medical Directorate.
g. DoD HIPAA Issuances. means the DoD issuances implementing the HIPAA Rules in the DoD MHS. These issuances are DoDM 6025.18, "Implementation of the HIPAA Privacy Rule in DoD Health Care Programs," March 13, 2019; DoD Instruction 6025.18, Privacy of Individually Identifiable Health Information in DoD Health Care Programs of December 2009, and DoD Instruction 8580.02, Security of Individually Identifiable Health Information in DoD Health Care Programs of August 2015.
h. DoD Privacy Act Issuances. means the DoD issuances implementing the Privacy Act, which are DoD Directive 5400.11, DoD Privacy Program of 29 October 2014, and DoD 5400.11-R, Department of Defense Privacy Program of 8 May 2007.
i. HIPAA Rules. means, collectively, the HIPAA privacy, security, breach and enforcement rules, issued by the United States (US) Department of Health and Human Services (HHS) and codified at 45 C.F.R. §§ 160 and 164, Subpart E (Privacy), Subpart C (Security), Subpart D (Breach) and 45 C.F.R. § 160, Subparts C-D (Enforcement), as amended by the 2013 modifications to those Rules which implemented the "HITECH Act" provisions of Publication L. 111-5. See 78 Federal Regulation 5566-5702 of 25 January 2013 (with corrections at 78 Federal Regulation 32464 of 7 June 2013). Additional HIPAA rules regarding electronic transactions and code sets (45 C.F.R. § 162) are not addressed in this BAA and are not included in the term HIPAA Rules.
j. HHS Breach. means a breach that satisfies the HIPAA Breach Rule definition of "Breach" in 45 C.F.R. § 164.402.
k. Service-Level Privacy Office. means one or more offices within the military services (Army, Navy, or Air Force) with oversight authority over Privacy Act and HIPAA privacy compliance.

3. Obligations and Activities of BA:
a. The BA shall not access, use, or disclose PHI other than as permitted or required by this Agreement, the controlling Memorandum of Understanding (MOU) or training affiliation agreement, or as required by law.
b. The BA shall use appropriate safeguards and comply with the DoD HIPAA Rules with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Agreement, the controlling MOU, or law.
c. The BA shall report to the covered entity any Breach of which it becomes aware and shall proceed with breach response steps required by paragraph 7 (Breach Response) of this BAA.
With respect to electronic PHI, the BA shall also respond to any security incident of which it becomes aware in accordance with any information assurance provisions of the Understanding. If at any point the BA becomes aware that a security incident involves a breach, the BA shall immediately initiate breach response as required by paragraph 7 (Breach Response) of this BAA.
d. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), respectively, as applicable, the BA shall ensure that any entities that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions, conditions, and requirements that apply to the BA with respect to such PHI.
e. The BA shall make available PHI in a designated record set, to the covered entity or, as directed by the covered entity, to an Individual, as necessary to satisfy the covered entity obligations under 45 C.F.R. § 164.524.
f. The BA shall make any amendment(s) to PHI in a designated record set as directed or agreed to by the covered entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy covered entity's obligations under 45 C.F.R. § 164.526.
g. The BA shall maintain and make available the information required to provide an accounting of disclosures to the covered entity or an individual as necessary to satisfy the covered entity's obligations under 45 C.F.R. § 164.528.
h. To the extent the BA is to carry out one or more of the covered entity's obligation(s) under the HIPAA privacy rule, the BA shall comply with the requirements of HIPAA privacy rule that apply to the covered entity in the performance of such obligation(s).
i. The BA shall make its internal practices, books, and records available to the Secretary and the covered entity for purposes of audit and in determining compliance with the HIPAA Rules.

4. Permitted Uses and Disclosures by BA:
a. The BA may only use or disclose PHI as necessary to perform the services set forth in the Understanding or as required by law. The BA is not permitted to de-identify PHI under DoD HIPAA issuances or the corresponding 45 C.F.R. § 164.514(a) through (c), nor is it permitted to use or disclose de-identified PHI except as provided by the Understanding or directed by the covered entity.
b. The BA agrees to use, disclose, and request PHI only in accordance with the HIPAA privacy rule "minimum necessary" standard and corresponding DHA policies and procedures as stated in the DoD HIPAA issuances.
c. The BA shall not use or disclose PHI in a manner that would violate the DoD HIPAA issuances or HIPAA privacy rules if done by the covered entity, except uses and disclosures for the BA's own management and administration and legal responsibilities or for data aggregation services as set forth in the following three paragraphs:
(1) Except as otherwise limited in the understanding, the BA may use PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA. The foregoing authority to use PHI does not apply to disclosure of PHI, which is covered in the next paragraph.
(2) Except as otherwise limited in the Understanding, the BA may disclose PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA, provided that disclosures are required by law, or the BA obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the BA of any instances of which it is aware in which the confidentiality of the information has been breached.
(3) Except as otherwise limited in the Understanding, the BA may use PHI to provide Data Aggregation services relating to the covered entity's health care operations.

5. Provisions for Covered Entity to Inform BA of Privacy Practices and Restrictions:
a. The covered entity shall provide the BA with the notice of privacy practices that the covered entity produces in accordance with 45 C.F.R. § 164.520 and the corresponding provision of the DoD HIPAA issuances (DoDM 6025.18).
b. The covered entity shall notify the BA of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes affect the BA's use or disclosure of PHI.
c. The covered entity shall notify the BA of any restriction on the use or disclosure of PHI that the covered entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such changes may affect the BA's use or disclosure of PHI.

6. Permissible Requests by Covered Entity. The covered entity shall not request the BA to use or disclose PHI in any manner that would not be permissible under the HIPAA privacy rule or any applicable Government regulations (including without limitation, DoD HIPAA issuances) if done by the covered entity, except for providing Data Aggregation services to the covered entity and for management and administrative activities of the BA as otherwise permitted by this BAA.

7. Breach Response:
a. General. Breach Response is designed to satisfy the DoD Privacy Act issuances and the HIPAA Breach Rule as implemented by the DoD HIPAA issuances. In general, the BA shall report the breach to the covered entity, assess the breach incident, notify affected individuals, and take mitigating actions, as applicable. Because DoD defines "Breach" to include possible (suspected) as well as actual (confirmed) breaches, the BA shall implement these breach response requirements immediately upon the BA's discovery of a possible breach. The following provisions set forth the BA's Privacy Act and HIPAA breach response requirements for all breaches, including but not limited to HHS breaches (defined below).
In the event of a breach of PII or PHI held by the BA, the BA shall follow the breach response requirements set forth under paragraphs 7, 8, and 9 of this BAA, which are designed to satisfy both the Privacy Act and HIPAA, as applicable.
(1) If a breach involves PII without PHI, then the BA shall comply with DoD Privacy Act issuance breach response requirements only.
(2) If a breach involves PHI (a subset of PII), then the BA shall comply with both Privacy Act and HIPAA breach response requirements.
(3) If a breach involves PHI, it may or may not constitute an HHS Breach. If a breach is not an HHS Breach, then the BA has no HIPAA breach response obligations. In such cases, the BA must still comply with breach response requirements under the DoD Privacy Act issuances.
b. HHS Breach. If the DHA Privacy Office determines that a breach is an HHS Breach, then the BA shall comply with both the HIPAA Breach Rule and DoD Privacy Act issuances, as directed by the DHA Privacy Office, regardless of where the breach occurs.
c. Non-HHS Breach. If the DHA Privacy Office determines that the breach does not constitute an HHS Breach, then the BA shall comply with DoD Privacy Act issuances, as directed by the applicable Service-Level Privacy Office.
d. Service-Level Privacy Office Point of Contact (POC). Brian Martin, who may be reached at Comm: 904-542-3559, DSN: 312-942-3559, or via E-mail: brian.k.martin4.civ@mail.mil, or usn.ncr.bumedfchava.list.bumed-pii-rpt@mail.mil.
BRIAN K. MARTIN CODE M31 PRIVACY OFFICE BUMED DETACHMENT JACKSONVILLE H2005 KNIGHT LANE PO BOX 140 NAVAL AIR STATION JACKSONVILLE FL 32212

8. Breach Reporting Provisions:
a. The BA shall report the breach within 1 business day of discovery to the US Computer Emergency Readiness Team (US-CERT) and within 24 hours of discovery to the DHA Privacy Office and the other Parties set forth below. The BA is deemed to have discovered a breach as of the time ...
 
Web Link
SAM.gov Permalink
(https://beta.sam.gov/opp/218d7bbad7d74e7cbcb92cbde15b8564/view)
 
Place of Performance
Address: Portsmouth, VA 23708, USA
Zip Code: 23708
Country: USA
 
Record
SN05590457-F 20200318/200316230148 (samdaily.us)
 