SPECIAL NOTICE
70 -- Redding Pkg. 103-PILLS machine interface Intent to Sole Source (Document Storage Systems)
- Notice Date
- 9/4/2020 9:37:19 AM
- Notice Type
- Special Notice
- NAICS
- 541511
— Custom Computer Programming Services
- Contracting Office
- PCAC ACTIVATIONS (36A776) INDEPENDENCE OH 44131 USA
- ZIP Code
- 44131
- Solicitation Number
- 36A77620Q0435
- Archive Date
- 10/04/2020
- Point of Contact
- Rachael Avery, Contract Specialist, Phone: 216-447-8300
- E-Mail Address
- rachael.avery@va.gov
- Awardee
- null
- Description
- Department of Veterans Affairs
Veterans Health Administration
Office of Informatics and Analytics
September 4, 2020

SPECIAL NOTICE
NOTICE OF INTENT TO SOLE SOURCE
Package # 103 PILLS Machine Software RFI
ECMS ACTION NUMBER 36E776-20-Q-0435

The Department of Veterans Affairs (VA) Veterans Health Administration (VHA) requires: Document Storage Systems Synmed Outpatient Interface software.

The Program Contracting Activity Central (PCAC), National Activations Office (NAO) intends to issue a Sole Source solicitation for Document Storage Systems Synmed Outpatient Interface software. This procurement is being conducted in accordance with FAR 6.302-1(c), Only one responsible source and no other supplies or services will satisfy agency requirements. The NAICS code for this procurement is 541511 and the Small Business Administration Size Standard is $30MIL.

This notice of intent is not a request for competitive quotes. No solicitation document is available and telephone requests will not be accepted. However, any responsible source who believes it is capable of meeting the requirements may submit a quotation with required information outlined below, which may be considered by the agency, only if received by the closing date and time of this notice. Responses received will be evaluated; however, a determination by the Government not to compete the proposed procurement based upon responses received to this notice is solely within the discretion of the Government.

Required Information
Interface Integration experience with the VA legacy VistA architecture
Validation of previous Coding Background
Previous documented experience with the intricacies of VA Pharmacy data

Responses to this notice are due on or before Friday September 11, 2020 at 1:00 p.m. (Eastern) to this procurement's Contract Specialist, Rachael Avery, Rachael.avery@va.gov and the Contracting Officer Grace Kelly-Burnsworth, at grace.kelly-burnsworth@va.gov.
Contracting Office Address:
Department of Veterans Affairs
Program Contracting Activity Central
6150 Oak Tree Blvd, Suite 300
Independence, OH 44131

VA Northern California Health Care System
Redding CBOC
351 Hartnell Ave.
Redding, CA 96002

STATEMENT OF WORK

Introduction
Redding CBOC of VA Northern California Health Care System requires a Software Interface for the Automatic Blister Packing Machine. This purchase is in support of the PILLS program and the activation of the new Redding CBOC, which is currently under construction. The item is to be delivered to the location specified in the table below.

ITEM NUMBER | ITEM DESCRIPTION | QUANTITY | DELIVERY LOCATION
DSSRX-SynMed OutPt- PL | DSS SynMed Outpatient VistA Interface Perpetual License. Includes Outpatient pharmacy orders. | 1 each | 351 Hartnell Ave, Redding, Ca 96002
DSSRX-SynMed OutPt- PL-AM | DSS Synmed Outpatient Interface software subscription maintenance and support M-F 8-8 EST, includes bug fixes, minor release upgrades, telephone support | 12 months | 351 Hartnell Ave, Redding, Ca 96002
DSS-INST-R | DSS Remote Installation Services Per Day | 1 job | 351 Hartnell Ave, Redding, Ca 96002

General Conditions:

Site Address:
Redding Outpatient Pharmacy
351 Hartnell Ave.
Redding, CA 96002

Delivery Schedule: The Items will be delivered no earlier than the estimated delivery start date and no later than the delivery end date as listed below. The schedule below is based on the current construction and activation schedule, which is subject to change.

Building name | Building # | Est. Delivery start date | Est. Delivery end date
Redding Pharmacy | 351 | 23 August 2020 | 24 August 2020

Schedule and order management:
The awardee's actual delivery date: The awardee's actual delivery date will be confirmed by VA upon award. Post-award the vendor will coordinate delivery prior to beginning any work. Once the dates have been confirmed, modifications to the schedule are subject to written approval from the Contracting Officer's Representative (COR).
If the final required delivery dates are outside the delivery terms specified in the contract, a bilateral modification must be issued to change the delivery requirements.

Delivery and Receiving: Delivery and receipt of the proposed item is anticipated to be directed to the location at 351 Hartnell Ave, Redding, CA 96002. Confirmation of delivery location will be provided post-award. To coordinate delivery contact Government point of contact (POC), Dan Sandy @ 530-226-7620 or at Daniel.sandy@va.gov. The delivery of the items identified in this document shall take place during normal business hours of 0800 to 1600 Pacific Standard Time, Monday through Friday, and excluding Federal Holidays. Delivery trucks will not be permitted to remain on the loading dock. Trucks shall be unloaded, moved from the dock and brought back to the dock if required to haul out any waste, tools or excess materials. Labelling of delivered items shall include the VA facilities contract number and VA purchase order number for identification and reference upon receipt of items.

Use of warehouse: If the vendor requires the use of government's warehouse to meet the requirement of this contract, the vendor must provide proof of insurance prior to the delivery and offloading of the items. This insurance certificate must be completed and presented to the warehouse manager prior to delivery. The vendor shall communicate through the VA POC any required coordination requirements.

Clean up and Disposal: There are no dumpsters available for vendor use. The removal of waste and/or excess material shall be taken care of by the vendor.

Assemble and installation: The vendor is to manage and coordinate installation at the Redding VA facility with the pharmacy supervisor. Onsite assembly and installation of items, and performance of service identified in this document shall take place during normal business hours of 0800 to 1630, Monday through Friday and excluding federal holidays.
The vendor is required to provide the need for a staging area and to accommodate assembly. Post-award this information will be confirmed with the vendor. The vendor is to provide tools, labor and materials to complete assembly and installation of items detailed in this document. The vendor shall protect all finished spaces and surfaces as required from delivery and installation damage. The vendor shall use covering and protection to the extent necessary to prevent damage to finished spaces. Any damage occurred during delivery and installation is the responsibility of the vendor. The vendor will be responsible for paying for and repairing any damage or noted deficiencies to finished spaces and surfaces that occur as a result of the vendor's (or associated sub-contractors) installation. The vendor shall comply with all COVID-19 related safety requirements when at VA ROC premises such as wearing surgical/cloth face masks and maintaining social distancing requirements.

Training
The vendor shall provide end-user training for routine operation and maintenance at a minimum. Training must be coordinated with the VA POC prior to installation or first use. For on-site, vendor conducted training, the vendor will document the training and provide a copy of all training materials to the VA POC. Documentation may be up to and including video of training session conducted on site. The vendor shall provide service training for the system, up to and including preventive maintenance, diagnostics and repair. Training shall be completed within 45 days after final installation or as directed by the VA. The vendor will document the training and provide a copy of the training materials to the VA POC.

Information Security: BAA will be required.
Record Management Language for Contracts Required

Interface Requirements:
The following Outpatient Interface elements for the SynMed XF shall be provided by Document Storage Systems (DSS): DSS shall develop, deploy, and support an HL7 interface with VistA outpatient pharmacy version 7.0 to the SynMed XF. The interface shall include information from outpatient prescriptions, original fills, refills and partials. The interface shall have the capability to extract the patient's name, patient's address, name of drug, directions, date, quantity, warning labels, prescription medication information, refill number, name of clinic, address of clinic, discard date, date of expiration, refills remaining, day supply, refill phone number, Pharmacist's unique number, physician's names, Pharmacy technician's unique number, time of fill and last fill from the VistA system. The schedule field from the VistA pharmacy file shall be interpreted to the appropriate schedule time for the SynMed XF machine blister packs. The software shall be able to manually exclude medications and manually include medications. Only tablets and capsules can be filled; exclude scheduled medications, warfarin, liquids, patches, creams, troches, lozenges, gums, ointments and any other medication not feasible to be dispensed by the SynMed XF. DSS shall develop a method for patients enrolled in the PILLS Project to be uniquely identified. Prescriptions ordered for a PILLS Project patient shall generate a view alert to the VA Pharmacy in Redding, California. All prescriptions designated to a PILLS patient shall automatically be queued to the SynMed XF in the VA Pharmacy in Redding, California. The interface shall have the ability to automatically queue patients that are due for refills; and place prescriptions in a suspense queue. Prescription refills shall be queued for review one week prior to the patient's due date for fill.
The interface shall identify each PILLS drug for local filling while other non-PILLS drug for the same patient is filled by CMOP. Shall include VistA prescription barcode for each prescription on the SynMed label that will be utilized for identifying and releasing prescriptions. Shall identify the PILLS patient on the VistA pharmacy prescription label. The interface shall have the capability to retrieve patient's address data and automatically print label for mail for blister pack. Upon completion, pharmacist shall be able to scan the barcode of the filled and reviewed prescription on the SynMed XF system and the release data would be sent back to VistA pharmacy. The interface shall be written for the PILLS Project in Redding, California, but must be able to be adaptable to the needs of other VA facilities. The interface shall be tested in the VistA test account prior to loading to a production account. The VA will be the sole owners of the software license. The HL7 interface shall be delivered within sixty (60) business days after receipt of order. The contractor shall provide updates and patches for the interface. The interface shall have the capability to identify National Drug Codes (NDC) in the VA system. Upon completion of the Outpatient Interface, the VA pharmacy shall have the capability to fill prescriptions using VistA and the SynMed XF software to allow for filling of patients' prescriptions in a timely, efficient, and effective manner.

SPECIAL CLAUSES: SECURITY CLAUSES

1. GENERAL
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS
a.
A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

c. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.

d. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

3. VA INFORMATION CUSTODIAL LANGUAGE
a.
Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).

b. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.

c. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.

d. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.

4. INFORMATION SYSTEM DESIGN AND DEVELOPMENT
a.
Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COTR, and approved by the VA Privacy Service in accordance with Directive 6507, VA Privacy Impact Assessment.

b. The contractor/subcontractor shall certify to the COTR that applications are fully functional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC), and the common security configuration guidelines provided by NIST or the VA. This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista) and future versions, as required.

c. The standard installation, operation, maintenance, updating, and patching of software shall not alter the configuration settings from the VA approved and FDCC configuration. Information technology staff must also use the Windows Installer Service for installation to the default program files directory and silently install and uninstall.

d. Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.

e.
The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, VA Handbook 6500, Information Security Program and VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle.

f. The vendor shall ensure the security of all procured or developed systems and technologies, including their subcomponents (hereinafter referred to as Systems), throughout the life of this contract and any extension, warranty, or maintenance periods. This includes, but is not limited to workarounds, patches, hotfixes, upgrades, and any physical components (hereafter referred to as Security Fixes) which may be necessary to fix all security vulnerabilities published or known to the vendor anywhere in the Systems, including Operating Systems and firmware. The vendor shall ensure that Security Fixes shall not negatively impact the Systems.

g. The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, but in no event longer than 30 days.

h. When the Security Fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to the VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes within 30 days.

i. All other vulnerabilities shall be remediated as specified in this paragraph in a timely manner based on risk, but within 60 days of discovery or disclosure.
Exceptions to this paragraph (e.g. for the convenience of VA) shall only be granted with approval of the contracting officer and the VA Assistant Secretary for Office of Information and Technology.

5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE
a. Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:
(1) Vendor must accept the system without the drive;
(2) VA's initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or
(3) VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.
(4) Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then;
(a) The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and
(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.
(c) A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.

6. LIQUIDATED DAMAGES FOR DATA BREACH
a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information.
If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

b. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

7. TRAINING
a.
All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
(1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
(3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]

b. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.

c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

8.
SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES
The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract.

RECORDS MANAGEMENT LANGUAGE FOR CONTRACTS REQUIRED
The following standard items relate to records generated in executing the contract and should be included in a typical Electronic Information Systems (EIS) procurement contract:

Citations to pertinent laws, codes and regulations such as 44 U.S.C chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228. Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records. Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act. Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract. The Government Agency owns the rights to all data/records produced as part of this contract. The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.
Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.]. No disposition of documents will be allowed without the prior written consent of the Contracting Officer. The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules.

Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, this contract. The Contractor (and any sub-contractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information.
- Web Link
- SAM.gov Permalink (https://beta.sam.gov/opp/8c9bbae5db63464cacad2f7d886a62d9/view)
- Record
- SN05787666-F 20200906/200904230148 (samdaily.us)