Iowa City State Hygienic Lab
Description
1. SERVICES PROVIDED:
1.1. Contractor shall provide clinical and environmental laboratory testing services for the Iowa City VA Health Care System. Work will be performed at the contractor's site for fees agreed upon in the cost/price section of the contract. Contractor will notify the proper state and federal agencies of reportable disease and environmental conditions.
2. REQUIREMENTS GENERAL:
2.1. Testing will be done during regular laboratory hours. Rush testing will be available following VA Pathology staff consults with the contractor's staff.
2.2. The contractor will provide:
2.2.1. Transportation of specimens must be available at least once a day, Monday-Friday, excluding federal and state holidays.
2.2.2. Analyze samples per the requests submitted on requisition.
2.2.3. Contractor shall consult with the VA laboratory on test results by telephone as needed.
2.2.4. Provide the VA laboratories with a means of communication to permit immediate inquiry regarding the status of pending tests.
2.2.5. Contractor shall provide information on testing methodology, specimen requirements, and any special handling requirements.
2.2.6. All results shall include reference ranges.
2.2.7. The VA laboratory reserves the right to request the results of any proficiency testing that the contractor subscribes to.
2.2.8. Test results will be sent from the contractor to the Iowa City VA Send-out Supervisor or designee within the turn-around time published by the contractor. The contractor will transmit results in a secure way that complies with all HIPAA standards and requirements. Examples of secure methods include, but are not limited to, secured fax, U.S. mail, courier, or secure electronic transmission. Electronic reporting of test results is preferred.
2.3. The services to be performed by the contractor will be coordinated with the Director, Pathology and Laboratory Medicine Service or his/her designee.
2.3.1. Contractor will provide direct data review and real time consultation when requested.
2.4 Test sample preparation:
2.4.1. The VA laboratory shall be responsible to provide laboratory specimens prepared in accordance with the contractor's requirements.
2.4.2. All specimens will be properly identified and labeled for testing.
2.4.3 The contractor shall provide an adequate supply of requisition forms.
2.4.4. The contractor will provide any special fixative, preservative, collection/transport vials or containers not routinely used by the VA Laboratory.
3. LICENSING AND ACCREDITATION:
3.1. Contractor must be regularly established in the business of clinical and environmental laboratory testing.
3.2. Contractor must be financially responsible and have the necessary equipment and personnel to furnish services in the volume required.
3.3. Contractor's facility and employees shall have all licenses, permits, accreditation, and certificates required by federal and state law to provide medical and environmental laboratory testing services.
3.4. Contractor's laboratory shall have a current Clinical Laboratory Improvements Amendments (CLIA) license, or equivalent, and shall provide copies of the license and any accreditations held by the laboratory.
3.5. Contractor's environmental testing laboratory shall be currently accredited by a program with deemed status under National Environmental Laboratory Accreditation Conference (NELAC) and American Industrial Hygiene Association (AIHA) or equivalent. The contractor's laboratory must be able to report legionella to the genus level.
3.6. The contractor's Laboratory Director shall be a licensed physician or a licensed bioanalyst.
4. REPORTING TEST RESULTS:
4.1. Reporting of results must include:
4.1.1 Patient's name and identification code or Social Security number. For environmental testing, unique specimen identifier.
4.1.2. Physician's name (if supplied)
4.1.3. VA facility name
4.1.4. Patient's location (if supplied)
4.1.5. Test ordered
4.1.6. Date/time of specimen collection (when available)
4.1.7. Date/time received in testing facility
4.1.8. Date of test completed
4.1.9. Test result
4.1.10. Flag abnormal values
4.1.11. Reference Range
4.1.12. Toxic and/or therapeutic range where applicable
4.1.13. Name of testing laboratory
4.1.14. Testing laboratory specimen number
4.1.15. Type of specimen
4.1.16. Comments related to the test provided by submitting laboratory
4.1.17. Information that may indicate a questionable validity of test results, unsatisfactory specimen shall be reported with reason as to its unsuitability for testing.
5. QUALITY CONTROL
5.1 The contractor shall participate in Quality Improvement and Peer Review Activity for the purpose of compliance with appropriate agency and accrediting requirements.
5.2. The exchange of data will include Quality Improvement data such as discrepancy rates and/or other Performance Improvement data (Provides data and information required for accreditation).
5.3. The contractor shall provide the following updated information upon request during the life of the contract:
5.3.1. Tests routinely performed in duplicate should be indicated.
5.3.2. Proficiency testing data shall include a list of tests outside of the defined range for the past two years. Contractor shall notify the laboratory of any test falling outside the defined range during the contract period.
5.3.3. The contractor's facilities, methodologies and quality control procedures may be examined by representatives of the VA at any time during the life of the contract.
5.3.4. Contractor agrees to maintain the minimum acceptable service, reporting systems, and quality controls specified herein.
5.3.5. Immediate (within 24 hours) notification must be given to VA upon adverse action by a regulatory agency.
6. REQUIREMENTS SPECIAL:
6.1 Under the authority of Public Law 104-262 and 38 USC 1703, the contractor agrees to provide Health Care Resources in accordance with the terms and conditions stated herein, to furnish for the Iowa City Veterans Affairs Health Care System, Iowa City, IA the services and prices specified in the Section entitled Schedule of Supplies/Services of this contract. Work will be performed at the contractor's facility.
6.2. SERVICES:
6.2.1. The services specified in the Sections entitled Schedule of Item/Supplies/Services, Performance Work Statement and Special Contract Requirements may be changed by written modification to this contract. The modification will be prepared by the VA Contracting Officer and, prior to becoming effective, shall be approved by the contractor as part of the bi-lateral modification process.
6.2.2. The services to be performed by the contractor will be performed in accordance with VA policies and procedures and the regulations of the medical staff bylaws of the VA facility found via http://vaww.iowacity.va.gov/SectionPages/Policy.asp
6.2.3. The services to be performed by the contractor will be performed in accordance with VA Privacy and Confidentiality regulations (VHA Handbook 1605.01) and Federal Health Insurance Portability and Accounting Act (HIPAA) standards (www.hhs.gov/hipaa).
6.3. VA Certification & Accreditation requirements do not apply. A Security Accreditation Package is not required.
6.4. This contract is a non-personal health care services contract as defined in Federal Acquisition Regulation 37.101 and is as follows: Non-personal services contract means a contract under which the personnel rendering the services are not subject, either by the contract's terms or by the manner of its administration, to the supervision and control usually prevailing in relationships between the Government and its employees.
6.5. Under no circumstances will Contractor's employees be considered VHA employees.
6.6. Contractor shall hold certificate of insurance for general liability and malpractice insurance, workmen's compensation and vehicle insurance. Prior to award of the contract, the Contractor shall furnish to the VA a certificate of insurance evidencing that all required coverage has been obtained. The Contractor shall be responsible for maintaining this certificate/coverage for the duration of the contract.
6.7. Under no circumstances will Contractor bill any patient or patient's insurance company for any procedure. All costs will be charged only to the sending VA facility at the designated rate(s) as listed by the Contractor in the Schedule of Items. Those rates will be all-inclusive based on the described service categories herein.
7. QUALIFICATIONS:
7.1. The Contractor certifies that the Contractor shall comply with any and all legal provisions contained in the Immigration and Nationality Act of 1952, As Amended; its related laws and regulations that are enforced by Homeland Security, Immigration and Customs Enforcement and the U.S Department of Labor as these may relate to non-immigrant foreign nationals working under contract or subcontract for the Contractor while providing services to Department of Veterans Affairs.
7.2. While performing services for the Department of Veterans Affairs, the Contractor shall not knowingly employ, contract or subcontract with an illegal or ancient alien; foreign national non-immigrant who is in violation of their status, as a result of their failure to maintain or comply with the terms and conditions of their admission into the United States. Additionally, the Contractor is required to comply with all E-Verify requirements consistent with Executive Order 12989 and any related pertinent Amendments, as well as applicable Federal Acquisition Regulations.
7.3. If the Contractor fails to comply with any requirements outlined in the preceding paragraphs or its Agency regulations, the Department of Veterans Affairs may, at its discretion, require that the foreign national who failed to maintain their legal status in the United States or otherwise failed to comply with the requirements of the laws administered by Homeland Security, Immigration and Customs Enforcement and the U.S Department of Labor, shall be prohibited from working at the Contractor's place of business that services Department of Veterans Affairs patient referrals; or other place where the Contractor provides services to veterans who have been referred by the Department of Veterans Affairs; and shall form the basis for termination of this contract for breach.
7.4. This certification concerns a matter within the jurisdiction of an agency of the United States and the making of a false, fictitious, or fraudulent certification may render the maker subject to prosecution under 18 U.S.C. 1001.
7.5. The Contractor agrees to obtain a similar certification from its subcontractors.
7.6. Personnel assigned by the Contractor to perform the services covered by this contract shall be (if required) licensed in a State, Territory, or Commonwealth of the United States or the District of Columbia. All certifications/licenses held by the personnel working on this contract shall be full and unrestricted. The contracting facility must be accredited by CLIA, NELAC and AIHA or their equivalents.
8. CONTINUITY OF SERVICES:
8.1. The contractor will ensure that adequate staffing is available to perform contracted testing in a timely manner.
9. DISASTER/EMERGENCY COVERAGE:
9.1. In the event of a Federal, local or community disaster or emergency, the Contractor will use best efforts to continue to provide services to the VA at the same level as is contained in this contract.
10. STANDARD OF CARE:
10.1. The standard of care should be equal to that provided by the VA if the VA were capable of providing the services required at their location.
11. CONTRACT PERFORMANCE MONITORING:
11.1. Monitoring of Contractor's performance shall be done by the Contracting Officer's Representative (COR). Incidents of contractor non-compliance as evidenced by the monitoring procedures shall be forwarded immediately to the Contracting Officer. Upon award, a Quality Assurance Surveillance Plan (QASP) will be signed by the Contractor Program Manager and COR, outlining the evaluation criteria to ensure the Contractor is aware of the management and quality criteria.
11.2. Frequency of Measurement and Performance Assessments:
11.2.1. During contract performance, the COR will continuously monitor test results, turnaround time, privacy/confidentiality, and test quality.
11.2.2. The COR will provide quarterly progress/performance reports to the CO.
11.2.3. The COR shall visit/correspond on an as-needed basis. Unresolved issues shall be documented in writing. This written assessment, Contract Discrepancy Report (CDR), will be forwarded to the Contracting Officer as documentation of the Contractor's performance and/or a request to terminate the contract.
12. CONTRACT PERFORMANCE REPORTING
12.1. CPARS REPORTING AND REGISTRATION:
12.1.1. As prescribed in Federal Acquisition Regulation (FAR) Part 42.15, the Department of Veterans Affairs (VA) evaluates Contractor past performance on all contracts that exceed $150,000, and shares those evaluations with other Federal government contract specialists and procurement officials. The FAR requires that the Contractor be provided an opportunity to comment on past performance evaluations prior to each report closing. To fulfill this requirement VA uses an online database, CPARS, which is maintained by the Naval Sea Logistics Center in Portsmouth, New Hampshire. CPARS has connectivity with the Past Performance Information Retrieval System (PPIRS) database, which is available to all Federal agencies. PPIRS is the system used to collect and retrieve performance assessment reports used in source selection determinations and completed CPARS report cards transferred to PPIRS. CPARS also includes access to the federal awardee performance and integrity information system (FAPIIS). FAPIIS is a web-enabled application accessed via CPARS for Contractor responsibility determination information.
12.1.2 Each Contractor whose contract award is estimated to exceed $150,000 requires a CPARS evaluation. A Government Focal Point will register your contract within 30 days after contract award and, at that time, you will receive an email message with a User ID (to be used when reviewing evaluations). Additional information regarding the evaluation process can be found at www.cpars.gov or if you have any questions, you may contact the Customer Support Desk @ DSN: 684-1690 or COMM: 207-438-1690.
12.1.3 For contracts with a period of one (1) year or less, the contracting officer will perform a single evaluation when the contract is complete. For contracts exceeding one (1) year, the contracting officer will evaluate the Contractor's performance annually. Interim reports will be filed each year until the last year of the contract, when the final report will be completed. The report shall be assigned in CPARS to the Contractor's designated representative for comment. The Contractor representative will have 60 days to submit any comments and re-assign the report to the CO.
12.1.4 Failure of the Contractor's representative to respond to the evaluation within those sixty (60) days will result in the Government's evaluation being placed on file in the database with a statement that the Contractor failed to respond; the Contractor's representative will be locked out of the evaluation and may no longer send comments.
13. CONFLICT OF INTEREST:
13.1. The Contractor is responsible for identifying and communicating to the CO and COR conflicts of interest at the time of proposal and during the entirety of contract performance. At the time of proposal, the Contractor shall provide a statement which describes, in a concise manner, all relevant facts concerning any past, present, or currently planned interest (financial, contractual, organizational, or otherwise) or actual or potential organizational conflicts of interest relating to the services to be provided. The Contractor shall also provide statements containing the same information for any identified consultants or sub-Contractors who shall provide services. The Contractor must also provide relevant facts that show how its organizational and/or management system or other actions would avoid or mitigate any actual or potential organizational conflicts of interest.
14. QUALITY MANAGEMENT REQUIREMENTS:
14.1. General:
14.1.1. All applicable VAHCS policies and procedures shall be followed by the contractor.
14.1.2. Contractor personnel shall provide compassionate care with respect for the special needs of the veteran population served.
14.1.3. Services provided will reflect the VA Health Care System's mission, vision and values.
14.2. Patient Rights:
14.2.1. Protection of all patients' rights is of highest priority.
14.2.2. Patient privacy and confidentiality shall be maintained at all times.
14.3. Errors or Incidents:
14.3.1. The VAHCS shall determine when a Root Cause Analysis (RCA) is required of the Contractor and must be submitted to the COR in a timely manner.
14.4. Performance Improvement:
14.4.1. Contractor Performance Improvement activities may be directed by the VAHCS, VISN or VHA, as well as accreditation or licensing bodies.
14.5. Personnel Records:
14.5.1. All related documentation, such as completed competency checklists or educational training records, shall be maintained by the Contractor and available for VAHCS review upon request.
14.6. Information Management:
14.6.1. Strict adherence to all documentation related to the performance of diagnostic laboratory testing shall be maintained.
15. Accounting / Invoices
15.1 Contractor shall submit monthly invoices to the respective submitting VA Medical Center laboratory manager for services rendered. Invoices must be 100% accurate before payment is approved.
15.2 All invoices sent to the VA Laboratory shall reference the vendor's name and address, the contact number and purchase order number for the VA facility. Invoices must be accurate and shall display chronologically by date of service the name of the patient, date of service, description of service provided (CPT code), quantity, unit price, total price, and total invoice amount.
15.3. Contractor shall also submit an accurate electronic invoice by following provision of services to the Veterans Affairs Financial Services Center (VAFSC) e-Invoice through the website at https://portal.tungsten-netwrok.com/Login.aspx. This invoice must exclude patient identification.
16. Security
16.1 General: This entire section applies to all acquisitions requiring any Information Security and Privacy language. Contractors, contractor personnel, subcontractors and subcontractor personnel will be subject to the same federal laws, regulations, standards, VA directives and handbooks, as VA personnel regarding information and information system security and privacy.
16.2 VA INFORMATION CUSTODIAL LANGUAGE. This entire section applies to all acquisitions requiring any Information Security and Privacy language.
16.2.1. The Government shall receive unlimited rights to data/intellectual property first produced and delivered in the performance of this contract or order (hereinafter "contract") unless expressly stated otherwise in this contract. This includes all rights to source code and all documentation created in support thereof. The primary clause used to define Government and Contractor data rights is FAR 52.227-14 Rights in Data General. The primary clause used to define computer software license (not data/intellectual property first produced under this contractor or order) is FAR 52.227-19, Commercial Computer Software License.
16.2.2. Information made available to the contractor by VA for the performance or administration of this contract will be used only for the purposes specified in the service agreement, SOW, PWS, PD, and/or contract. The contractor shall not use VA information in any other manner without prior written approval from a VA Contracting Officer (CO). The primary clause used to define Government and Contractor data rights is FAR 52.227-14 Rights in Data General.
16.2.3. VA information will not be co-mingled with any other data on the contractor's information systems or media storage systems. The contractor shall ensure compliance with Federal and VA requirements related to data protection, data encryption, physical data segregation, logical data segregation, classification requirements and media sanitization.
16.2.4. VA reserves the right to conduct scheduled or unscheduled audits, assessments, or investigations of contractor Information Technology (IT) resources to ensure information security is compliant with Federal and VA requirements. The contractor shall provide all necessary access to records (including electronic and documentary materials related to the contracts and subcontracts) and support (including access to contractor and subcontractor staff associated with the contract) to VA, VA's Office Inspector General (OIG), and/or Government Accountability Office (GAO) staff during periodic control assessments, audits, or investigations.
16.2.5. The contractor may only use VA information within the terms of the contract and applicable Federal law, regulations, and VA policies. If new Federal information security laws, regulations or VA policies become applicable after execution of the contract, the parties agree to negotiate contract modification and adjustment necessary to implement the new laws, regulations, and/or policies.
16.2.6. The contractor shall not make copies of VA information except as specifically authorized and necessary to perform the terms of the contract. If copies are made for restoration purposes, after the restoration is complete, the copies shall be destroyed in accordance with VA Directive 6500, VA Cybersecurity Program and VA Information Security Knowledge Service.
16.2.7. If a Veterans Health Administration (VHA) contract is terminated for default or cause with a business associate, the related local Business Associate Agreement (BAA) shall also be terminated and actions taken in accordance with VHA Directive 1605.05, Business Associate Agreements. If there is an executed national BAA associated with the contract, VA will determine what actions are appropriate and notify the contractor.
16.2.8. The contractor shall store and transmit VA sensitive information in an encrypted form, using VA-approved encryption tools which are, at a minimum, Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules (or its successor) validated and in conformance with VA Information Security Knowledge Service requirements. The contractor shall transmit VA sensitive information using VA approved Transport Layer Security (TLS) configured with FIPS based cipher suites in conformance with National Institute of Standards and Technology (NIST) 800-52, Guidelines for the Selection, Configuration and Use of Transport Layer Security (TLS) Implementations.
16.2.9. The contractor's firewall and web services security controls, as applicable, shall meet or exceed VA's minimum requirements.
16.2.10. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two situations: (i) in response to a qualifying order of a court of competent jurisdiction after notification to VA CO (ii) with written approval from the VA CO. The contractor shall refer all requests for, demands for production of or inquiries about, VA information and information systems to the VA CO for response.
16.2.11. Notwithstanding the provision above, the contractor shall not release VA records protected by Title 38 U.S.C. 5705, Confidentiality of medical quality-assurance records and/or Title 38 U.S.C. 7332, Confidentiality of certain medical records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse or infection with Human Immunodeficiency Virus (HIV). If the contractor is in receipt of a court order or other requests for the above-mentioned information, the contractor shall immediately refer such court order or other requests to the VA CO for response.
16.2.12. Information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract will be protected and secured in accordance with VA Directive 6500 and Identity and Access Management (IAM) Security processes specified in the VA Information Security Knowledge Service.
16.2.13. Any data destruction done on behalf of VA by a contractor shall be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, VA Handbook 6300.1, Records Management Procedures, and applicable VA Records Control Schedules.
16.2.14. The contractor shall provide its plan for destruction of all VA data in its possession according to VA Directive 6500 and NIST 800-88, Guidelines for Media Sanitization prior to termination or completion of this contract. If directed by the COR/CO, the contractor shall return all Federal Records to VA for disposition.
16.2.15. Any media, such as paper, magnetic tape, magnetic disks, solid state devices or optical discs that is used to store, process, or access VA information that cannot be destroyed shall be returned to VA. The contractor shall hold the appropriate material until otherwise directed by the Contracting Officer's Representative (COR) or CO. Items shall be returned securely via VA-approved methods. VA sensitive information must be transmitted utilizing VA-approved encryption tools which are validated under FIPS 140-2 (or its successor) and NIST 800-52. If mailed, the contractor shall send via a trackable method (USPS, UPS, FedEx, etc.) and immediately provide the COR/CO with the tracking information. Self-certification by the contractor that the data destruction requirements above have been met shall be sent to the COR/CO within 30 business days of termination of the contract.
16.2.16. All electronic storage media (hard drives, optical disks, CDs, back-up tapes, etc.) used to store, process or access VA information will not be returned to the contractor at the end of lease, loan, or trade-in. Exceptions to this paragraph will only be granted with the written approval of the VA CO.
16.3 ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS. This section applies when any person requires access to information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract.
16.3.1. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees and subcontractors only to the extent necessary to perform the services specified in the solicitation or contract. This includes indirect entities, both affiliate of contractor/subcontractor and agent of contractor/subcontractor.
16.3.2. Contractors and subcontractors shall sign the VA Information Security Rule of Behavior (ROB) before access is provided to VA information and information systems (see Section 4, Training, below). The ROB contains the minimum user compliance requirements and does not supersede any policies of VA facilities or other agency components which provide higher levels of protection to VA's information or information systems. Users who require privileged access shall complete the VA elevated privilege access request processes before privileged access is granted.
16.3.3. All contractors and subcontractors working with VA information are subject to the same security investigative and clearance requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors shall be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office of Human Resources and Administration/Operations, Security and Preparedness (HRA/OSP) is responsible for these policies and procedures. Contract personnel who require access to classified information or information systems shall have an appropriate security clearance. Verification of a Security Clearance shall be processed through the Special Security Officer located in HRA/OSP. Contractors shall conform to all requirements stated in the National Industrial Security Program Operating Manual (NISPOM).
16.3.4. All contractors and subcontractors shall comply with conditions specified in VAAR 852.204-71(d); Contractor operations required to be in United States. All contractors and subcontractors working with VA information must be permanently located within a jurisdiction subject to the law of the United States or its Territories to the maximum extent feasible. If services are proposed to be performed abroad the contractor must state where all non-U.S. services are provided. The contractor shall deliver to VA a detailed plan specifically addressing communications, personnel control, data protection and potential legal issues. The plan shall be approved by the COR/CO in writing prior to access being granted.
16.3.5. The contractor shall notify the COR/CO in writing immediately (no later than 24 hours) after personnel separation or occurrence of other causes. Causes may include the following:
16.3.5.1 Contractor/subcontractor personnel no longer have a need for access to VA information or VA information systems.
16.3.5.2 Contractor/subcontractor personnel are terminated, suspended, or otherwise have their work on a VA project discontinued for any reason.
16.3.5.3 Contractor believes their own personnel or subcontractor personnel may pose a threat to their company's working environment or to any company-owned property. This includes contractor-owned assets, buildings, confidential data, customers, employees, networks, systems, trade secrets and/or VA data.
16.3.5.4 Any previously undisclosed changes to contractor/subcontractor background history are brought to light, including but not limited to changes to background investigation or employee record.
16.3.5.5 Contractor/subcontractor personnel have their authorization to work in the United States revoked.
16.3.5.6. Agreement by which contractor provides products and services to VA has either been fulfilled or terminated, such that VA can cut off electronic and/or physical access for contractor personnel.
16.3.5.7. In such cases of contract fulfillment, termination, or other causes; the contractor shall take the necessary measures to immediately revoke access to VA network, property, information, and information systems (logical and physical) by contractor/subcontractor personnel. These measures include (but are not limited to): removing and then securing Personal Identity Verification (PIV) badges and PIV Interoperable (PIV-I) access badges, VA-issued photo badges, credentials for VA facilities and devices, VA-issued laptops, and authentication tokens. Contractors shall notify the appropriate VA COR/CO immediately to initiate access removal.
16.3.5.8. Contractors/subcontractors who no longer require VA accesses will return VA-issued property to VA. This property includes (but is not limited to): documents, electronic equipment, keys, and parking passes. PIV and PIV-I access badges shall be returned to the nearest VA PIV Badge Issuance Office. Once they have had access to VA information, information systems, networks and VA property in their possessions removed, contractors shall notify the appropriate VA COR/CO.
16.4 TRAINING. This entire section applies to all acquisitions which include section 3.
16.4.1. All contractors and subcontractors requiring access to VA information and VA information systems shall successfully complete the following before being granted access to VA information and its systems:
16.4.1.1 VA Privacy and Information Security Awareness and Rules of Behavior course (Talent Management System (TMS) #10176) initially and annually thereafter.
16.4.1.2. Sign and acknowledge (electronically through TMS #10176) understanding of and responsibilities for compliance with the Organizational Rules of Behavior, relating to access to VA information and information systems initially and annually thereafter; and
16.4.1.3. Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system or information access [to be defined by the VA program official and provided to the VA CO for inclusion in the solicitation document i.e., any role-based information security training].
16.4.2. The contractor shall provide to the COR/CO a copy of the training certificates and certification of signing the Organizational Rules of Behavior for each applicable employee within five days of the initiation of the contract and annually thereafter, as required.
16.4.3. Failure to complete the mandatory annual training is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the required training is complete.
16.5 SECURITY INCIDENT INVESTIGATION. This entire section applies to all acquisitions requiring any Information Security and Privacy language.
16.5.1. The contractor, subcontractor, their employees, or business associates shall immediately (within one hour) report suspected security / privacy incidents to the VA OIT's Enterprise Service Desk (ESD) by calling (855) 673-4357 (TTY: 711). The ESD is OIT's 24/7/365 single point of contact for IT-related issues. After reporting to the ESD, the contractor, subcontractor, their employees, or business associates shall, within one hour, provide the COR/CO the incident number received from the ESD.
16.5.2. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved and the circumstances surrounding the incident, including the following:
16.5.2.1. The date and time (or approximation of) the Security Incident occurred.
16.5.2.2. The names of individuals involved (when applicable).
16.5.2.3. The physical and logical (if applicable) location of the incident.
16.5.2.4. Why the Security Incident took place (i.e., catalyst for the failure).
16.5.2.5. The amount of data belonging to VA believed to have been compromised.
16.5.2.6. The remediation measures the contractor is taking to ensure no future incidents of a similar nature.
16.5.3. After the contractor has provided the initial detailed incident summary to VA, they will continue to provide written updates on any new and relevant circumstances or facts they discover. The contractor, subcontractor, and their employees shall fully cooperate with VA or third-party entity performing an independent risk analysis on behalf of VA. Failure to cooperate may be deemed a material breach and grounds for contract termination.
16.5.4. VA IT contractors shall follow VA Handbook 6500, Risk Management Framework for VA Information Systems VA Information Security Program, and VA Information Security Knowledge Service guidance for implementing an Incident Response Plan or integrating with an existing VA implementation.
16.5.5. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG, and the VA Office of Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.
16.5.6. The contractor shall comply with VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information, which establishes the breach management policies and assigns responsibilities for the oversight, management and reporting procedures associated with managing of breaches.
16.5.7. With respect to unsecured Protected Health Information (PHI), the contractor is deemed to have discovered a data breach when the contractor knew or should have known of breach of such information. When a business associate is part of VHA contract, notification to the covered entity (VHA) shall be made in accordance with the executed BAA.
16.5.8. If the contractor or any of its agents fails to protect VA sensitive personal information or otherwise engages in conduct which results in a data breach involving any VA sensitive personal information the contractor/subcontractor processes or maintains under the contract, the contractor shall pay liquidated damages to the VA as set forth in clause 852.211-76, Liquidated Damages Reimbursement for Data Breach Costs.
16.6 PRODUCT INTEGRITY, AUTHENTICITY, PROVENANCE, ANTI-COUNTERFEIT AND ANTI-TAMPERING. This entire section applies when the acquisition involves any product (application, hardware, or software) or when section 6 or 7 is included.
16.6.1. The contractor shall comply with Code of Federal Regulations (CFR) Title 15 Part 7, Securing the Information and Communications Technology and Services (ICTS) Supply Chain, which prohibits ICTS Transactions from foreign adversaries. ICTS Transactions are defined as any acquisition, importation, transfer, installation, dealing in or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs or the platforming or data hosting of applications for consumer download.
16.6.2. When contracting terms require the contractor to procure equipment, the contractor shall purchase or acquire the equipment from an Original Equipment Manufacturer (OEM) or an authorized reseller of the OEM. The contractor shall attest that equipment procured from an OEM or authorized reseller or distributor is authentic. If procurement is unavailable from an OEM or authorized reseller, the contractor shall submit in writing, details of the circumstances prohibiting this from happening and procure a product waiver from the VA COR/CO.
16.6.3. All contractors shall establish, implement, and provide documentation for risk management practices for supply chain delivery of hardware, software (to include patches) and firmware provided under this agreement. Documentation will include chain of custody practices, inventory management program, information protection practices, integrity management program for sub-supplier provided components, and replacement parts requests. The contractor shall make spare parts available. All contractor(s) shall specify how digital delivery for procured products, including patches, will be validated and monitored to ensure consistent delivery. The contractor shall apply encryption technology to protect procured products throughout the delivery process.
16.6.4. If a contractor provides software or patches to VA, the contractor shall publish or provide a hash conforming to the FIPS Security Requirements for Cryptographic Modules (FIPS 140-2 or successor).
16.6.5. The contractor shall provide a software bill of materials (SBOM) for procured products (to include licensed products). The SBOM shall consist of a list of components and associated metadata which make up the product. SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report The Minimum Elements for a Software Bill of Materials (SBOM).
16.6.6. Contractors shall use or arrange for the use of trusted channels to ship procured products, such as U.S. registered mail and/or tamper-evident packaging for physical deliveries.
16.6.7. Throughout the delivery process, the contractor shall demonstrate a capability for detecting unauthorized access (tampering).
16.6.8. The contractor shall demonstrate chain-of-custody documentation for procured products and require tamper-evident packaging for the delivery of this hardware.
17. RECORDS MANAGEMENT OBLIGATIONS
17.1. Applicability. This clause applies to all Contractors whose employees create, work with, or otherwise handle Federal records, as defined in Section B, regardless of the medium in which the record exists.
17.2. Definitions. Federal record as defined in 44 U.S.C. 3301, includes all recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.
The term Federal record:
17.2.1. includes Iowa City VAHCS records.
17.2.2. does not include personal materials.
17.2.3. applies to records created, received, or maintained by Contractors pursuant to their Iowa City VAHCS contract.
17.2.4. may include deliverables and documentation associated with deliverables.
17.3. Requirements
17.3.1. Contractor shall comply with all applicable records management laws and regulations, as well as National Archives and Records Administration (NARA) records policies, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a). These policies include the preservation of all records, regardless of form or characteristics, mode of transmission, or state of completion.
17.3.2. In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation.
17.3.3. In accordance with 36 CFR 1222.32, Contractor shall maintain all records created for Government use or created in the course of performing the contract and/or delivered to, or under the legal control of the Government and must be managed in accordance with Federal law. Electronic records and associated metadata must be accompanied by sufficient technical documentation to permit understanding and use of the records and data.
17.3.4. Iowa City VA HCS and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of Iowa City VAHCS or destroyed except for in accordance with the provisions of the agency records schedules and with the written concurrence of the Head of the Contracting Activity. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the event of any unlawful or accidental removal, defacing, alteration, or destruction of records, Contractor must report to Iowa City VAHCS. The agency must report promptly to NARA in accordance with 36 CFR 1230.
17.3.5. The Contractor shall immediately notify the appropriate Contracting Officer upon discovery of any inadvertent or unauthorized disclosures of information, data, documentary materials, records or equipment. Disclosure of non-public information is limited to authorized personnel with a need-to-know as described in the [contract vehicle]. The Contractor shall ensure that the appropriate personnel, administrative, technical, and physical safeguards are established to ensure the security and confidentiality of this information, data, documentary material, records and/or equipment is properly protected. The Contractor shall not remove material from Government facilities or systems, or facilities or systems operated or maintained on the Government's behalf, without the express written permission of the Head of the Contracting Activity. When information, data, documentary material, records and/or equipment is no longer required, it shall be returned to Iowa City VA HCS control or the Contractor must hold it until otherwise directed. Items returned to the Government shall be hand carried, mailed, emailed, or securely electronically transmitted to the Contracting Officer or address prescribed in the [contract vehicle]. Destruction of records is EXPRESSLY PROHIBITED unless in accordance with Paragraph (4).
17.3.6. The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, contracts. The Contractor (and any sub-contractor) is required to abide by Government and Iowa City VA HCS guidance for protecting sensitive, proprietary information, classified, and controlled unclassified information.
17.3.7. The Contractor shall only use Government IT equipment for purposes specifically tied to or authorized by the contract and in accordance with Iowa City VAHCS policy.
17.3.8. The Contractor shall not create or maintain any records containing any non-public Iowa City VAHCS information that are not specifically tied to or authorized by the contract.
17.3.9. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act.
17.3.10. The Iowa City VA HCS owns the rights to all data and records produced as part of this contract. All deliverables under the contract are the property of the U.S. Government for which Iowa City VA HCS shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Any Contractor rights in the data or deliverables must be identified as required by FAR 52.227-11 through FAR 52.227-20.
17.3.11. Training. All Contractor employees assigned to this contract who create, work with, or otherwise handle records are required to take Iowa City VAHCS-provided records management training. The Contractor is responsible for confirming training has been completed according to agency policies, including initial training and any annual or refresher training.
17.4. Flowdown of requirements to subcontractors
17.4.1. The Contractor shall incorporate the substance of this clause, its terms and requirements including this paragraph, in all subcontracts under this [contract vehicle], and require written subcontractor acknowledgment of same.
17.4.2. Violation by a subcontractor of any provision set forth in this clause will be attributed to the Contractor.
18. DISCLOSURES
18.1. The contractor is authorized to release the following information for public health reporting to the proper state and federal agencies in accordance with federal law: 1) VA patient's full name, 2) DOB, and 3) other VA sensitive information as required by law.
18.2. The Privacy Act requires an accounting of all disclosures made outside of VA regardless of the purpose of the disclosure.
18.3. The contractor shall have a system in place to document and track each disclosure (i.e., using the attached spreadsheet or form). This accounting of disclosure report will be made available to the Iowa City VA Privacy Officer at any time upon request. This accounting of disclosure report must be maintained throughout the duration of the contract.
18.4. The accounting of disclosure report must include the following elements:
18.4.1. The date of each disclosure
18.4.2. Nature or description of the individually-identifiable information disclosed
18.4.3. The purpose of each disclosure
18.4.4. The name and address (if known) of the person or agency to which the disclosure was made.