NOTICE TO CONTRACTOR
This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotations are being requested and a written solicitation will not be issued. The solicitation number is N0025922Q0082. It is issued as a Request for Quotation (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2022-07. The North American Industry Classification System (NAICS) Code for this acquisition is 621340. The size standard is 8.0 (millions of dollars). This solicitation is unrestricted. It is the contractor’s responsibility to be familiar with the applicable clauses and provisions.
Naval Medical Center San Diego (NMCSD) requests responses from qualified sources capable of providing the following services that must meet the requirements:
One Music Therapy Instructor to provide individual music lessons/therapy with musical instruments at Naval Medical Center San Diego, CA in accordance with the Performance Work Statement.
Certified Occupational Therapist Assistant
Wage Determination No.: 2015-5635
Revision No.: 20
Date of Last Revision: 07/26/2022
Items required:
CLIN 0001:
Music Therapy Instructor – Naval Medical Center San Diego, CA.
Period of performance (POP): 1 Oct 2022 thru 30 Sep 2023.
50 hours per year plus travel cost
Hourly Price: ____________ Total CLIN Price: ____________
CLIN 1001:
Music Therapy Instructor – Naval Medical Center San Diego, CA.
Period of performance (POP): 1 Oct 2023 thru 30 Sep 2024.
50 hours per year plus travel cost
Hourly Price: ____________ Total CLIN Price: ____________
CLIN 2001:
Music Therapy Instructor – Naval Medical Center San Diego, CA.
Period of performance (POP): 1 Oct 2024 thru 30 Sep 2025.
50 hours per year plus travel cost
Hourly Price: ____________ Total CLIN Price: ____________
CLIN 3001:
Music Therapy Instructor – Naval Medical Center San Diego, CA.
Period of performance (POP): 1 Oct 2025 thru 30 Sep 2026.
50 hours per year plus travel cost
Hourly Price: ____________ Total CLIN Price: ____________
CLIN 4001:
Music Therapy Instructor – Naval Medical Center San Diego, CA.
Period of performance (POP): 1 Oct 2026 thru 30 Sep 2027.
50 hours per year plus travel cost
Hourly Price: ____________ Total CLIN Price: ____________
Delivery/Acceptance location: The services shall be performed at Naval Medical Center, 34800 Bob Wilson Dr. San Diego, CA 92134. FBO Destination: unless otherwise specified in the order, the supplier is responsible for the performance of all inspection requirements and quality control.
DEFENSE BIOMETRIC IDENTIFICATION SYSTEM (DBIDS)
(a) In accordance with CNICMEMO dated May 5, 2017, individuals currently using an NCACS credential for Installation access are required to switch to a DBIDS no later than 14 August 2017. After 14 August 2017, the NCACS credential will no longer be valid for access to Navy Installations.
(b) NCACS users may visit the local Navy Installation Visitor Control Center to obtain a DBIDS credential. To ensure uninterrupted Installation access, current NCACS credential holders are encouraged to shift to the DBIDS credential as soon as possible as Navy does not have the ability to extend this deadline. There are no fees incurred by the contractor, vendor, or supplier to obtain a DBIDS credential.
(c) Individuals who apply for NCACS credentials during the period of 17 April through 31 May 2017 must also obtain DBIDS credentials. NCACS credentials issued after 17 April 2017 will no longer be accepted without an accompanying DBIDS credential for Navy Installation access.
(d) DBIDS guidance for Vendors/Contractors to obtain a pass is accessible through the following website:
https://www.cnic.navy.mil/om/dbids.html
For more information or to enroll in the DBIDS Program call: 1.202.433.4784.
For Naval Base San Diego Pass and Decal Office, call: 1.619.556.1653
(e) Vendors, contractors, suppliers and other service providers shall present their pass upon entry at ECP.
This acquisition incorporates by reference the following FAR provisions and clauses:
52.204-7 – System for Award Management (Oct 2018)
52.204-13 - System for Award Management Maintenance (Oct 2018)
52.204-16 Commercial and Government Entity Code Reporting (Jul 2016)
52.204-18 Commercial and Government Entity Code Reporting (Jul 2016)
52.204-24 Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment. (Dec 2019)
52.204-25 -Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment (Nov 2021)
52.204-26- Covered Telecommunications Equipment or Services-Representation (Oct 2020)
52.212-3 -- Offeror Representations and Certifications -- Commercial Items (Mar 2020)
Contractors are reminded to either include a completed copy of 52.212-3 and its ALT I with offers, or alternatively, the provision can also be submitted at https://www.sam.gov.
52.212-4 – Contract Terms and Conditions -- Commercial Items (Oct 2018)
52.219-1 - Small Business Program Representations (Sep 2021)
52.232-18 Availability of Funds
52.232-40 – Providing Accelerated Payments to Small Business Subcontractors (Dec 2013)
Additional contract terms and conditions applicable to this procurement are:
252.203-7000 Requirements Relating to Compensation of Former DoD Officials (Sep 2011)
252.203-7002 Requirement to Inform Employees of Whistleblower Rights (SEP 2013)
252.203-7005 Representation Relating to Compensation of Former DoD Officials (Nov 2011)
252.204-7004 DoD Antiterrorism Awareness Training for Contractors (Feb 2019)
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Dec 2019)
252.204-7015 Notice of Authorized Disclosure of Information for Litigation Support (May 2016)
252.204-7016 Covered Defense Telecommunications Equipment Or Services—Representation (Dec 2019)
252.204-7017 Prohibition On The Acquisiton Of Covered Defense Telecommunications Equipment Or Services—Representation (Dec 2019)
252.204-7018 Prohibition On The Acquisition Of Covered Defense Telecommunications Equipment Or Services (Dec 2019)
252.223-7008 Prohibition of Hexavalent Chromium (JUN 2013)
252.225-7974 Representation Regarding Business Operations with the Maduro Regime (Feb 2020)
252.232-7003 Electronic Submission of Payment Requests and Receiving Reports (Dec 2018)
252.232-7006 Wide Area WorkFlow Payment Instructions (Dec 2018)
252.232-7010 Levies on Contract Payments (Dec 2006)
252.232-7017 Accelerating Payments to Small Business Subcontractors—Prohibition on Fees and Consideration (APR 2020)
252.239-7098 Prohibition on Contracting to Maintain or Establish a Computer Network Unless Such Network is Designed to Block Access to Certain Websites – Representation (APR 2021) (DEV 2021-O0003)
252.244-7000 Subcontracts for Commercial Items (Jun 2013)
252.247-7023 Transportation of Supplies by Sea—Basic (Feb 2019)
The following provisions and clauses incorporated by full text apply to the solicitation:
52.212-1 Instructions to Offerors-Commercial Items.
As prescribed in 12.301(b)(1), insert the following provision:
INSTRUCTIONS TO OFFERORS-COMMERCIAL ITEMS (MAR 2020)
(a) North American Industry Classification System (NAICS) code and small business size standard. The NAICS code(s) and small business size standard(s) for this acquisition appear elsewhere in the solicitation. However, the small business size standard for a concern which submits an offer in its own name, but which proposes to furnish an item which it did not itself manufacture, is 500 employees.
(b) Submission of offers. Submit signed and dated offers to the office specified in this solicitation at or before the exact time specified in this solicitation. Offers may be submitted on the SF 1449, letterhead stationery, or as otherwise specified in the solicitation. As a minimum, offers must show—
(1) The solicitation number;
(2) The time specified in the solicitation for receipt of offers;
(3) The name, address, and telephone number of the offeror;
(4) A technical description of the items being offered in sufficient detail to evaluate compliance with the requirements in the solicitation. This may include product literature, or other documents, if necessary;
(5) Terms of any express warranty;
(6) Price and any discount terms;
(7) “Remit to” address, if different than mailing address;
(8) A completed copy of the representations and certifications at FAR 52.212-3 (see FAR 52.212-3(b) for those representations and certifications that the offeror shall complete electronically);
(9) Acknowledgment of Solicitation Amendments;
(10) Past performance information, when included as an evaluation factor, to include recent and relevant contracts for the same or similar items and other references (including contract numbers, points of contact with telephone numbers and other relevant information); and
(11) If the offer is not submitted on the SF 1449, include a statement specifying the extent of agreement with all terms, conditions, and provisions included in the solicitation. Offers that fail to furnish required representations or information, or reject the terms and conditions of the solicitation may be excluded from consideration.
(c) Period for acceptance of offers. The offeror agrees to hold the prices in its offer firm for 30 calendar days from the date specified for receipt of offers, unless another time period is specified in an addendum to the solicitation.
(d) Product samples. When required by the solicitation, product samples shall be submitted at or prior to the time specified for receipt of offers. Unless otherwise specified in this solicitation, these samples shall be submitted at no expense to the
Government, and returned at the sender’s request and expense, unless they are destroyed during preaward testing.
(e) Multiple offers. Offerors are encouraged to submit multiple offers presenting alternative terms and conditions, including alternative line items (provided that the alternative line items are consistent with subpart 4.10 of the Federal
Acquisition Regulation), or alternative commercial items for satisfying the requirements of this solicitation. Each offer submitted will be evaluated separately.
(f) Late submissions, modifications, revisions, and withdrawals of offers. (1) Offerors are responsible for submitting offers, and any modifications, revisions, or withdrawals, so as to reach the Government office designated in the solicitation by the time specified in the solicitation. If no time is specified in the solicitation, the time for receipt is 4:30 p.m., local time, for the designated Government office on the date that offers or revisions are due.
(2) (i) Any offer, modification, revision, or withdrawal of an offer received at the Government office designated in the solicitation after the exact time specified for receipt of offers is “late” and will not be considered unless it is received before award is made, the Contracting Officer determines that accepting the late offer would not unduly delay the acquisition; and-
(A) If it was transmitted through an electronic commerce method authorized by the solicitation, it was received at the initial point of entry to the Government infrastructure not later than 5:00 p.m. one working day prior to the date specified for receipt of offers; or
(B) There is acceptable evidence to establish that it was received at the Government installation designated for receipt of offers and was under the Government’s control prior to the time set for receipt of offers; or
(C) If this solicitation is a request for proposals, it was the only proposal received.
(ii) However, a late modification of an otherwise successful offer, that makes its terms more favorable to the Government, will be considered at any time it is received and may be accepted.
(3) Acceptable evidence to establish the time of receipt at the Government installation includes the time/date stamp of that installation on the offer wrapper, other documentary evidence of receipt maintained by the installation, or oral testimony or statements of Government personnel.
(4) If an emergency or unanticipated event interrupts normal Government processes so that offers cannot be received at the Government office designated for receipt of offers by the exact time specified in the solicitation, and urgent Government requirements preclude amendment of the solicitation or other notice of an extension of the closing date, the time specified for receipt of offers will be deemed to be extended to the same time of day specified in the solicitation on the first work day on which normal Government processes resume.
(5) Offers may be withdrawn by written notice received at any time before the exact time set for receipt of offers.
Oral offers in response to oral solicitations may be withdrawn orally. If the solicitation authorizes facsimile offers, offers may be withdrawn via facsimile received at any time before the exact time set for receipt of offers, subject to the conditions specified in the solicitation concerning facsimile offers. An offer may be withdrawn in person by an offeror or its authorized representative if, before the exact time set for receipt of offers, the identity of the person requesting withdrawal is established and the person signs a receipt for the offer.
(g) Contract award (not applicable to Invitation for Bids). The Government intends to evaluate offers and award a contract without discussions with offerors. Therefore, the offeror’s initial offer should contain the offeror’s best terms from a price and technical standpoint. However, the Government reserves the right to conduct discussions if later determined by the Contracting Officer to be necessary. The Government may reject any or all offers if such action is in the public interest; accept other than the lowest offer; and waive informalities and minor irregularities in offers received.
(h) Multiple awards. The Government may accept any item or group of items of an offer, unless the offeror qualifies the offer by specific limitations. Unless otherwise provided in the Schedule, offers may not be submitted for quantities less than those specified. The Government reserves the right to make an award on any item for a quantity less than the quantity offered, at the unit prices offered, unless the offeror specifies otherwise in the offer.
(i) Availability of requirements documents cited in the solicitation.
(1) (i) The GSA Index of Federal Specifications, Standards and Commercial Item Descriptions, FPMR Part 101-29, and copies of specifications, standards, and commercial item descriptions cited in this solicitation may be obtained for a fee by submitting a request to-
GSA Federal Supply Service Specifications Section
Suite 8100 470 East L’Enfant Plaza, SW
Washington, DC 20407
Telephone (202) 619-8925
Facsimile (202) 619-8978.
(ii) If the General Services Administration, Department of Agriculture, or Department of Veterans Affairs issued this solicitation, a single copy of specifications, standards, and commercial item descriptions cited in this solicitation may be obtained free of charge by submitting a request to the addressee in paragraph (i)(1)(i) of this provision. Additional copies will be issued for a fee.
(2) Most unclassified Defense specifications and standards may be downloaded from the following ASSIST websites:
(i) ASSIST ( https://assist.dla.mil/online/start/).
(ii) Quick Search ( http://quicksearch.dla.mil/).
(iii) ASSISTdocs.com (http://assistdocs.com).
(3) Documents not available from ASSIST may be ordered from the Department of Defense Single Stock Point
(DoDSSP) by-
(i) Using the ASSIST Shopping Wizard (https://assist.dla.mil/wizard/index.cfm);
(ii) Phoning the DoDSSP Customer Service Desk (215) 697-2179, Mon-Fri, 0730 to 1600 EST; or
(iii) Ordering from DoDSSP, Building 4, Section D, 700 Robbins Avenue, Philadelphia, PA 19111-5094, Telephone
(215) 697-2667/2179, Facsimile (215) 697-1462.
(4) Nongovernment (voluntary) standards must be obtained from the organization responsible for their preparation, publication, or maintenance.
(j) Unique entity identifier. (Applies to all offers exceeding $3,500, and offers of $3,500 or less if the solicitation requires the Contractor to be registered in the System for Award Management (SAM).) The Offeror shall enter, in the block with its name and address on the cover page of its offer, the annotation “Unique Entity Identifier” followed by the unique entity identifier that identifies the Offeror's name and address. The Offeror also shall enter its Electronic Funds Transfer (EFT) indicator, if applicable. The EFT indicator is a four-character suffix to the unique entity identifier. The suffix is assigned at the discretion of the Offeror to establish additional SAM records for identifying alternative EFT accounts (see subpart
32.11) for the same entity. If the Offeror does not have a unique entity identifier, it should contact the entity designated at www.sam.gov for unique entity identifier establishment directly to obtain one. The Offeror should indicate that it is an offeror for a Government contract when contacting the entity designated at www.sam.gov for establishing the unique entity identifier.
(k) [Reserved]
(l) Debriefing. If a post-award debriefing is given to requesting offerors, the Government shall disclose the following information, if applicable:
(1) The agency’s evaluation of the significant weak or deficient factors in the debriefed offeror’s offer.
(2) The overall evaluated cost or price and technical rating of the successful and the debriefed offeror and past performance information on the debriefed offeror.
(3) The overall ranking of all offerors, when any ranking was developed by the agency during source selection.
(4) A summary of the rationale for award;
(5) For acquisitions of commercial items, the make and model of the item to be delivered by the successful offeror.
(6) Reasonable responses to relevant questions posed by the debriefed offeror as to whether source-selection procedures
set forth in the solicitation, applicable regulations, and other applicable authorities were followed by the agency.
(End of provision)
52.212-2 -- Evaluation -- Commercial Items (Oct 2014)
(a) The Government will award a contract resulting from this solicitation to the responsible quoter whose quote conforming to the solicitation will be most advantageous to the Government, price and other factors considered. The following factors shall be used to evaluate quotes: Technical Capability, Past Performance, and Price.
The source selection method is Lowest Price Technically Acceptable (LPTA). The award will be made on the basis of the lowest evaluated price of proposals meeting or exceeding the acceptability standards for non-cost factors.
FACTOR 1: Technical Capability; defined as the ability of the products to meet the salient characteristics needed. Evaluations will be based on vendors meeting the task descriptions in the attached PWS.
FACTOR 2: Past Performance, provide two (2) references with the point of contact name, telephone number, address, and contract number, for which you have provided the same or similar services within the last 3 years. Past performance will be evaluated based on references and information from authorized government past performance systems and resources.
FACTOR 3: Price; the government shall conduct a price evaluation of all technically acceptable quotes with acceptable or neutral past performance. This requirement will be awarded as a Lowest Price Technically Accepted (LPTA) award.
(b) Options. The Government will evaluate offers for award purposes by adding the total price for all options to the total price for the basic requirement. The Government may determine that an offer is unacceptable if the option prices are significantly unbalanced. Evaluation of options shall not obligate the Government to exercise the option(s).
(c)A written notice of award or acceptance of an offer, mailed or otherwise furnished to the successful offeror within the time for acceptance specified in the offer, shall result in a binding contract without further action by either party. Before the offer’s specified expiration time, the Government may accept an offer (or part of an offer), whether or not there are negotiations after its receipt, unless a written notice of withdrawal is received before award.
(End of provision)
52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS--COMMERCIAL ITEMS (JUN 2020)
(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items:
(1) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (JAN 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts (and as extended in continuing resolutions)).
(2) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).
(3) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. (AUG 2019) (Section 889(a)(1)(A) of Pub. L. 115-232).
(4) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (Nov 2015).
(5) 52.233-3, Protest After Award (AUG 1996) (31 U.S.C. 3553).
(6) 52.233-4, Applicable Law for Breach of Contract Claim (OCT 2004) (Public Laws 108-77 and 108-78 (19 U.S.C. 3805 note)).
(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: (Contracting Officer check as appropriate.)
_ (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (JUN 2020), with Alternate I (Oct 1995) (41 U.S.C. 4704 and 10 U.S.C. 2402).
____ (2) 52.203-13, Contractor Code of Business Ethics and Conduct (JUN 2020) (41 U.S.C. 3509).
____ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (JUN 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009.)
_XX_ (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (JUN 2020) (Pub. L. 109-282) (31 U.S.C. 6101 note).
___ (5) [Reserved]
___ (6) 52.204-14, Service Contract Reporting Requirements (Oct 2016) (Pub. L. 111-117, section 743 of Div. C).
___ (7) 52.204-15, Service Contract Reporting Requirements for Indefinite-Delivery Contracts (Oct 2016) (Pub. L. 111-117, section 743 of Div. C).
_XX (8) 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment. (JUN 2020) (31 U.S.C. 6101 note).
____ (9) 52.209-9, Updates of Publicly Available Information Regarding Responsibility Matters (OCT 2018) (41 U.S.C. 2313).
____ (10) [Reserved]
_ _ (11)(i) 52.219-3, Notice of HUBZone Set-Aside or Sole-Source Award (MAR 2020) (15 U.S.C. 657a).
____ (ii) Alternate I (MAR 2020) of 52.219-3.
_XX _ (12) (i) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business Concerns (MAR 2020) (if the offeror elects to waive the preference, it shall so indicate in its offer) (15 U.S.C. 657a).
____ (ii) Alternate I (MAR 2020) of 52.219-4.
____ (13) [Reserved]
_ _ (14)(i) 52.219-6, Notice of Total Small Business Set-Aside (MAR 2020) (15 U.S.C. 644).
____ (ii) Alternate I (MAR 2020).
____ (15)(i) 52.219-7, Notice of Partial Small Business Set-Aside (MAR 2020) (15 U.S.C. 644).
____ (ii) Alternate I (MAR 2020) of 52.219-7.
____ (16) 52.219-8, Utilization of Small Business Concerns (OCT 2018) (15 U.S.C. 637(d)(2) and (3)).
____ (17)(i) 52.219-9, Small Business Subcontracting Plan (JUN 2020) (15 U.S.C. 637(d)(4)).
____ (ii) Alternate I (NOV 2016) of 52.219-9.
____ (iii) Alternate II (NOV 2016) of 52.219-9.
____ (iv) Alternate III (JUN 2020) of 52.219-9.
____ (v) Alternate IV (JUN 2020) of 52.219-9.
____ (18) 52.219-13, Notice of Set-Aside of Orders (MAR 2020) (15 U.S.C. 644(r)).
____ (19) 52.219-14, Limitations on Subcontracting (MAR 2020) (15 U.S.C. 637(a)(14)).
____ (20) 52.219-16, Liquidated Damages—Subcontracting Plan (Jan 1999) (15 U.S.C. 637(d)(4)(F)(i)).
____ (21) 52.219-27, Notice of Service-Disabled Veteran-Owned Small Business Set-Aside (MAR 2020) (15 U.S.C. 657f).
_XX_ (22) (i) 52.219-28, Post Award Small Business Program Rerepresentation (MAR 2020) (15 U.S.C. 632(a)(2)).
____ (ii) Alternate I (MAR 2020) of 52.219-28.
____ (23) 52.219-29, Notice of Set-Aside for, or Sole Source Award to, Economically Disadvantaged Women-Owned Small Business (EDWOSB) Concerns (MAR 2020) (15 U.S.C. 637(m)).
____ (24) 52.219-30, Notice of Set-Aside for, or Sole Source Award to, Women-Owned Small Business Concerns Eligible Under the Women-Owned Small Business Program (MAR 2020) (15 U.S.C. 637(m)).
____ (25) 52.219-32, Orders Issued Directly Under Small Business Reserves (MAR 2020) (15 U.S.C. 644(r)).
____ (26) 52.219-33, Nonmanufacturer Rule (MAR 2020) (15 U.S.C. 637(a)(17)).
_XX_ (27) 52.222-3, Convict Labor (JUN 2003) (E.O. 11755).
____(28) 52.222-19, Child Labor--Cooperation with Authorities and Remedies (JAN 2020) (E.O. 13126).
_XX_ (29) 52.222-21, Prohibition of Segregated Facilities (APR 2015).
_XX_ (30)(i) 52.222-26, Equal Opportunity (SEPT 2016) (E.O. 11246).
____ (ii) Alternate I (FEB 1999) of 52.222-26.
_ _ (31)(i) 52.222-35, Equal Opportunity for Veterans (JUN 2020) (38 U.S.C. 4212).
____ (ii) Alternate I (JUL 2014) of 52.222-35.
_XX_ (32)(i) 52.222-36, Equal Opportunity for Workers with Disabilities (JUN 2020) (29 U.S.C. 793).
____ (ii) Alternate I (JUL 2014) of 52.222-36.
_XX _ (33) 52.222-37, Employment Reports on Veterans (JUN 2020) (38 U.S.C. 4212).
____ (34) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (DEC 2010) (E.O. 13496).
_XX_ (35)(i) 52.222-50, Combating Trafficking in Persons (JAN 2019) (22 U.S.C. chapter 78 and E.O. 13627).
____ (ii) Alternate I (MAR 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627).
____ (36) 52.222-54, Employment Eligibility Verification (OCT 2015). (E. O. 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.)
____ (37)(i) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA–Designated Items (MAY 2008) (42 U.S.C. 6962(c)(3)(A)(ii)). (Not applicable to the acquisition of commercially available off-the-shelf items.)
____ (ii) Alternate I (MAY 2008) of 52.223-9 (42 U.S.C. 6962(i)(2)(C)). (Not applicable to the acquisition of commercially available off-the-shelf items.)
____ (38) 52.223-11, Ozone-Depleting Substances and High Global Warming Potential Hydrofluorocarbons (JUN 2016) (E.O. 13693).
____ (39) 52.223-12, Maintenance, Service, Repair, or Disposal of Refrigeration Equipment and Air Conditioners (JUN 2016) (E.O. 13693).
____ (40) (i) 52.223-13, Acquisition of EPEAT® Registered Imaging Equipment (JUN 2014) (E.O.s 13423 and 13514).
____ (ii) Alternate I (OCT 2015) of 52.223-13.
____ (41)(i) 52.223-14, Acquisition of EPEAT® Registered Televisions (JUN 2014) (E.O.s 13423 and 13514).
____ (ii) Alternate I (JUN 2014) of 52.223-14.
____ (42) 52.223-15, Energy Efficiency in Energy-Consuming Products (DEC 2007) (42 U.S.C. 8259b).
____ (43)(i) 52.223-16, Acquisition of EPEAT®-Registered Personal Computer Products (OCT 2015) (E.O.s 13423 and 13514).
____ (ii) Alternate I (JUN 2014) of 52.223-16.
_XX_ (44) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (JUN 2020) (E.O. 13513).
____ (45) 52.223-20, Aerosols (JUN 2016) (E.O. 13693).
____ (46) 52.223-21, Foams (JUN 2016) (E.O. 13693).
____ (47)(i) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
____ (ii) Alternate I (JAN 2017) of 52.224-3.
____ (48) 52.225-1, Buy American--Supplies (MAY 2014) (41 U.S.C. chapter 83).
____ (49) (i) 52.225-3, Buy American--Free Trade Agreements--Israeli Trade Act (MAY 2014) (41 U.S.C. chapter 83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110-138, 112-41, 112-42, and 112-43.
____ (ii) Alternate I (MAY 2014) of 52.225-3.
____ (iii) Alternate II (MAY 2014) of 52.225-3.
____ (iv) Alternate III (MAY 2014) of 52.225-3.
____ (50) 52.225-5, Trade Agreements (OCT 2019) 19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note).
_XX_ (51) 52.225-13, Restrictions on Certain Foreign Purchases (JUN 2008) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury).
____ (52) 52.225-26, Contractors Performing Private Security Functions Outside the United States (OCT 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note).
____ (53) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (NOV 2007) (42 U.S.C. 5150
____ (54) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (NOV 2007) (42 U.S.C. 5150).
____ (55) 52.229-12, Tax on Certain Foreign Procurements (JUN 2020).
____ (56) 52.232-29, Terms for Financing of Purchases of Commercial Items (FEB 2002) (41 U.S.C. 4505, 10 U.S.C. 2307(f)).
____ (57) 52.232-30, Installment Payments for Commercial Items (JAN 2017) (41 U.S.C. 4505, 10 U.S.C. 2307(f)).
_XX_ (58) 52.232-33, Payment by Electronic Funds Transfer—System for Award Management (OCT 2018) (31 U.S.C. 3332).
____ (59) 52.232-34, Payment by Electronic Funds Transfer—Other than System for Award Management (JUL 2013) (31 U.S.C. 3332).
____ (60) 52.232-36, Payment by Third Party (MAY 2014) (31 U.S.C. 3332).
____ (61) 52.239-1, Privacy or Security Safeguards (AUG 1996) (5 U.S.C. 552a).
____ (62) 52.242-5, Payments to Small Business Subcontractors (JAN 2017)(15 U.S.C. 637(d)(13)).
____ (63)(i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (FEB 2006) (46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631).
____ (ii) Alternate I (APR 2003) of 52.247-64.
____ (iii) Alternate II (FEB 2006) of 52.247-64.
(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: (Contracting Officer check as appropriate.)
_XX__ (1) 52.222-41, Service Contract Labor Standards (AUG 2018) (41 U.S.C. chapter 67).
_____ (2) 52.222-42, Statement of Equivalent Rates for Federal Hires (MAY 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67).
_____ (3) 52.222-43, Fair Labor Standards Act and Service Contract Labor Standards--Price Adjustment (Multiple Year and Option Contracts) (AUG 2018) (29 U.S.C. 206 and 41 U.S.C. chapter 67).
_____ (4) 52.222-44, Fair Labor Standards Act and Service Contract Labor Standards--Price Adjustment (MAY 2014) (29 U.S.C 206 and 41 U.S.C. chapter 67).
_ _ (5) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment--Requirements (MAY 2014) (41 U.S.C. chapter 67).
_____ (6) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services--Requirements (MAY 2014) (41 U.S.C. chapter 67).
_XX_(7) 52.222-55, Minimum Wages Under Executive Order 13658 (DEC 2015) (E.O. 13658).
_XX_ (8) 52.222-62, Paid Sick Leave Under Executive Order 13706 (JAN 2017) (E.O. 13706).
_____ (9) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (JUN 2020) (42 U.S.C. 1792).
(d) Comptroller General Examination of Record. The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, as defined in FAR 2.101, on the date of award of this contract, and does not contain the clause at 52.215-2, Audit and Records--Negotiation.
(1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract.
(2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved.
(3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law.
(e) (1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1)in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause—
(i) 52.203-13, Contractor Code of Business Ethics and Conduct (JUN 2020) (41 U.S.C. 3509).
(ii) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (JAN 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts (and as extended in continuing resolutions)).
(iii) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).
(iv) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. (AUG 2019) (Section 889(a)(1)(A) of Pub. L. 115-232).
(v) 52.219-8, Utilization of Small Business Concerns (Oct 2018) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts
to small business concerns) exceeds the applicable threshold specified in FAR 19.702(a) on the date of subcontract award, the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities.
(vi) 52.222-21, Prohibition of Segregated Facilities (Apr 2015).
(vii) 52.222-26, Equal Opportunity (Sep 2016) (E.O. 11246).
(viii) 52.222-35, Equal Opportunity for Veterans (JUN 2020) (38 U.S.C. 4212).
(ix) 52.222-36, Equal Opportunity for Workers with Disabilities (JUN 2020) (29 U.S.C. 793).
(x) 52.222-37, Employment Reports on Veterans (JUN 2020) (38 U.S.C. 4212).
(xi) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40.
(xii) 52.222-41, Service Contract Labor Standards (Aug 2018), (41 U.S.C. chapter 67).
(xiii) _____ (A) 52.222-50, Combating Trafficking in Persons (JAN 2019) (22 U.S.C. chapter 78 and E.O. 13627).
_____ (B) Alternate I (March 2, 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627).
(xiv) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment--Requirements (May 2014) (41 U.S.C. chapter 67.)
(xv) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services--Requirements (May 2014) (41 U.S.C. chapter 67)
(xvi) 52.222-54, Employment Eligibility Verification (Oct 2015) (E. O. 12989).
(xvii) 52.222-55, Minimum Wages Under Executive Order 13658 (Dec 2015) (E.O. 13658).
(xviii) 52.222-62, Paid Sick Leave Under Executive Order 13706 (Jan 2017) (E.O. 13706).
(xix) (A) 52.224-3, Privacy Training (Jan 2017) (5 U.S.C. 552a).
(B) Alternate I (Jan 2017) of 52.224-3.
(xx) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Oct 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note).
(xxi) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations. (JUN 2020) (42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6.
(xxii) 52.247-64, Preference for Privately-Owned U.S. Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx 1241(b) and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64.
(2) While not required, the Contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations.
52.217-9
(a) The Government may extend the term of this contract by written notice to the Contractor within 30 days prior to the contract expiration; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed five (5) years.
(End of clause)
HIPAA
Department of Defense (DoD) Business Associate Agreement (BAA)
Introduction
In accordance with 45 CFR §§164.502(e)(2), 164.504(e); the Health Information Technology for Economic and Clinical Health (HITECH) Act; and paragraph 3.3.c. of Department of Defense Manual (DoDM) 6025.18, “Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in DoD Health Care Programs,” March 13, 2019, and Chapter 1, Section 5 of the TRICARE Operations Manual, this document serves as a Business Associate Agreement (BAA) between the executing parties for purposes of the Health Insurance Portability and Accountability Act (HIPAA) as implemented by the HIPAA Rules and Department of Defense (DoD) HIPAA Issuances (as defined below). The parties are a DoD Component, acting as a HIPAA Covered Entity, and a Business Associate (i.e., a DoD Contractor creates, receives, maintains, and/or transmits protected health information (PHI) for the purpose of performing covered functions on behalf of the DoD Component). The HIPAA Rules (as defined below) require BAAs between covered entities and business associates. As such, this BAA implements and incorporates the applicable DoD HIPAA Issuances (including DoDI 6025.18 and the authorities incorporated therein) and provides the Business Associate requirements which apply to the relevant Business Associates contract or other agreement between the parties.
(a) Catchall Definition:: Except as otherwise provided in this BAA, the following terms used in this BAA shall have the same meaning as those terms in the DoD HIPAA Issuances : Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices (NoPP), PHI,, Required by Law, Secretary of HHS, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
(b) Specific definitions:
Agreement means this BAA together with the documents and/or other arrangements under which the Business Associate signatory performs services involving access to PHI on behalf of the DoD component signatory.
Breach means the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: (1) a person other than an authorized user accesses or potentially accesses personally identifiable information; or (2) an authorized user accesses or potentially accesses Personally Identifiable Information (PII) for an other than authorized purpose. The foregoing definition is based on the definition of breach in Office of Management and Budget (OMB) Memorandum M-17-12.
Business Associate shall generally have the same meaning as the term “Business Associate” in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of the non-federal Business Associate entity/signatory to this BAA].
Covered Entity shall generally have the same meaning as the term “covered entity” in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of the DoD Component entity/DoD signatory to this BAA].
Covered Functions are functions of a covered entity, the performance of which makes the entity a health plan or health care provider as outlined in DoDM 6025.18.
Defense Health Agency (DHA) Privacy Office means the DHA Privacy and Civil Liberties Office, with the responsibilities and authorities as outlined in DoDM 6025.18. The Chief of the DHA Privacy Office is the HIPAA Privacy and Security Officer for DHA.
DoD HIPAA Issuances means all DoD issuances implementing the HIPAA Rules in the DoD Military Health System (MHS). These issuances include DoDM 6025.18 (2019), Department of Defense Instruction (DoDI) 6025.18, “Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Compliance in DoD Health Care Programs,” March 13, 2019; and DoDI 8580.02, “Security of Individually Identifiable Health Information in DoD Health Care Programs,” August 12, 2015.
DoD Privacy Program Issuances means the current DoD issuances implementing within DoD the Privacy Act and certain privacy-related authorities, as identified by DHA Privacy Office Guidance. These issuances are DoDI 5400.11, “DoD Privacy and Civil Liberties Programs,” January 29, 2019, DoDM 5400.11, Volume 2 “DoD Privacy and Civil Liberties Programs: Breach Preparedness and Response Plan,” May 6, 2021 and DoD 5400.11-R, “Department of Defense Privacy Program,” May 14, 2007. These issuances are available on the Washington Headquarters Services DoD Directives website (https://www.esd.whs.mil/DD/) or upon request.
Department of Health and Human Services (HHS) Breach means a breach that satisfies the HIPAA Breach Rule definition of breach found in 45 CFR §164.402.
HIPAA Rules means the regulations issued by HHS pursuant to its authority to issue regulations on health information privacy, as provided by Section 264(c) of HIPAA. The HIPAA Rules, as amended by the Omnibus Final Rule, include the HIPAA Privacy Rule, the HIPAA Breach Rule, the HIPAA Security Rule, and the HIPAA Enforcement Rule.
I. Obligations and Activities of the Business Associate
(a) The Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement or as required by law.
(b) The Business Associate shall use appropriate safeguards, and comply with the HIPAA Rules and DoD HIPAA Issuances incorporated by reference in this document Issuances with respect to PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
(c) The Business Associate shall report to the Covered Entity any breach of which it
becomes aware, and shall proceed with breach response steps as required by Part V of this agreement. With respect to electronic PHI, the Business Associate shall also respond to any security incident of which it becomes aware in accordance with any cybersecurity provisions of the Agreement. If at any point the Business Associate becomes aware that a security incident involves a breach, the Business Associate shall immediately initiate breach response as required by PartV of this BAA.
(d) In accordance with DoDM 6025.18, paragraph 3.3.c.(3)(b)4, 45 CFR
§164.502(e)(1)(ii)) and §164.308(b)(2),the Business Associate shall ensure that any (and all) subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to PHI, specifically the responsibilities laid out in the DoD HIPAA Issuances incorporated by reference in this agreement. PHI.
(e) The business associate may disclose PHI to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit PHI on its behalf, if the business associate obtains satisfactory assurances, in accordance with DoDM 6025.18, paragraph 4.5.e.(1), that the subcontractor will appropriately safeguard the information.
(f) The Business Associate shall make available PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual, as necessary to satisfy the Covered Entity obligations under 45 CFR §164.524 and DoDM 6025.18, paragraph 5.3.c.
(g) The Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR § and DoDM 6025.18, paragraph 5.4.
(h) The Business Associate shall maintain and make available the information required to provide an accounting of disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity’s obligations under 45 CFR §164.528 and DoDM 6025.18, paragraph 5.5.
(i) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Privacy Rule and DoDM 6025.18, the Business Associate shall comply with the requirements of the HIPAA Privacy Rule and DoDM 6025.18, that apply to the Covered Entity in the performance of such obligation(s); and
(j) The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI from, or created or received by the Business Associate on behalf of, the DoD Component available to the Secretary of HHS and to the Director, DHA, or their designee for purposes of determining compliance with the HIPAA Rules.
II. Permitted Uses and Disclosures by Business Associate
(a) The Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Agreement or as required by law. The Business Associate is not permitted
to de-identify PHI, nor is it permitted to use or disclose de-identified PHI, except as provided by the Agreement or directed by the Covered Entity with written approval from DHA’s HIPAA Privacy Officer.
(b) The Business Associate agrees to use, disclose, and request PHI only in accordance with the HIPAA Privacy Rule “minimum necessary” standard and corresponding DHA policies and procedures as stated in the DoD HIPAA Issuances.
(c) The Business Associate shall not use or disclose PHI in a manner that would violate the DoD HIPAA Issuances if done by the Covered Entity.
(d) Except as otherwise limited in the Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. The foregoing authority to use PHI does not apply to disclosure of PHI, which is covered in the next paragraph.
(e) Except as otherwise limited in the Agreement, the Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(f) Except as otherwise limited in the Agreement, the Business Associate may use PHI to provide Data Aggregation services relating to the Covered Entity’s health care operations.
III. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) The Covered Entity shall provide the Business Associate with NoPP that the Covered Entity produces in accordance with 45 CFR §164.520 and DoDM 6025.18, paragraph 5.1.
(b) The Covered Entity shall notify the Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes affect the Business Associate’s use or disclosure of PHI.
(c) The Covered Entity shall notify the Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 CFR
§164.522 and DoDM 6025.18, paragraph 5.2, to the extent that such changes may affect the Business Associate’s use or disclosure of PHI.
IV. Permissible Requests by Covered Entity
The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule or any applicable Federal regulations (including without limitation, DoD HIPAA Issuances) if done by the Covered Entity.
V. Breach Response
(a) In general.
In the event of a breach of PII/PHI held by the Business Associate, the Business Associate shall follow the breach response requirements set forth in this Part V, which is designed to satisfy both the Privacy Act and HIPAA breach response requirements, as applicable. If a breach involves PII without PHI, then the Business Associate shall comply with DoD Privacy Program Issuances breach response requirements only. If a breach involves PHI (a subset of PII), then the Business Associate shall comply with DoD Privacy Program Issuances breach response requirements. A breach involving PHI may or may not constitute a HHS Breach. If a breach is not an HHS Breach, then the Business Associate has no HIPAA breach response obligations. In such cases, the Business Associate must still comply with breach response requirements under the DoD Privacy Program Issuances.
If the DHA Privacy Office determines that a breach is an HHS Breach, then the Business Associate shall comply with both the HIPAA Breach Rule and DoD Privacy Program Issuances, as directed by the DHA Privacy Office. If the DHA Privacy Office determines that the breach does not constitute an HHS Breach, then the Business Associate shall comply with DoD Privacy Program Issuances. The following provisions of Part V set forth the Business Associate’s Privacy Act and HIPAA breach response requirements for all breaches, including but not limited to HHS breaches.
In general, for breach response, the Business Associate shall report the breach to the Covered Entity. Such breach shall be reported to the NMCSD Privacy Office at 619-532-6278 or
usn.san-diego.navmedcensanca.list.nmcsd-hipaa@mail.mil or the DHA Privacy Office within
24 hours at 703-275-6363 or dha.privacyofficer@mail.mil. If such breach is a cybersecurity incident, an incident involving damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, electronic communication, including information contained therein, ensuring the availability, integrity, authentication, confidentiality, and nonrepudiation of data, as defined in Committee on National Security Systems Instruction (CNSSI) 4009
https://www.cnss.gov/CNSS/issuances/Instructions.cfm, the discovering party shall report the breach to the DHA NIWC CSSP Watchdesk by dialing 1.866.786.4432 Cybersecurity and Infrastructure Security Agency potential-CERT) within one hour of the potential cybersecurity incident. The DHA NIWC CSSP Watchdesk reports, and report to USCYBERCOM within 48 hours of being notified of the occurrence of a breach, and complete the breach response actions as required by DHA guidance https://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties/Breaches- of-PII-and-PHI?type=Policies#RefFeed.
The Business Associate is deemed to have discovered a breach as of the first day a breach (suspected or confirmed) is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing it) who is an employee, officer or other agent of
the Business Associate.
The Business Associate shall submit a report to the U.S. Computer Emergency Readiness Team (US-CERT), using the US-CERT report online form at https://us- cert.cisa.gov/forms/reporthttps://us-cert.cisa.gov/forms/report. Before submission to US-CERT, the Business Associate shall save a copy of the on-line report. After submission, the Business Associate shall record the US-CERT Reporting Number. Although only limited information about the breach may be available as of the one-hour deadline for submission, the Business Associate shall submit the US-CERT report by the deadline. The Business Associate shall e-mail updated information to the Covered Entity as it is obtained. The Business Associate shall provide a copy of the initial or updated US-CERT report to the DHA Privacy Office. Business Associate general questions about US-CERT reporting shall be directed to the DHA Privacy Office not the US-CERT office.
Additionally, the Business Associate will send to the DHA Privacy Office a completed Breach Report Form Report DD 2959 at https://www.esd.whs.mil/Portals/54/Documents/DD/forms/dd/dd2959.pdf. Encryption is not required, because Breach Report Forms must not contain PII/PHI.
If multiple individuals are affected by a single event or related set of events, then a single reportable breach may be deemed to have occurred, depending on the circumstances. The Business Associate shall inform the DHA Privacy Office as soon as possible if it believes that a “single event” breach response is appropriate. The DHA Privacy Office will determine how the Business Associate shall proceed and, if appropriate, consolidate separately reported breaches for purposes of Business Associate report updates, individual notification, and mitigation.
When an initially submitted Breach Report Form is incomplete or incorrect due to unavailable information, or when significant developments require an update, the Business Associate shall submit a revised form or forms, stating the updated status and previous report date(s) and showing any revisions or additions by denoting “UPDATE.” Examples of updated information the Business Associate shall report include but are not limited to: confirmation on the exact data elements involved, the root cause of the incident, and any mitigation actions,, including sanctions, training, incident containment, follow-up, etc. The Business Associate shall submit these report updates promptly after the new information becomes available. Prompt reporting of updates is required to allow the DHA Privacy Office to make timely final determinations on any subsequent notifications or reports. The Business Associate shall provide updates to the same parties as required for the initial Breach Reporting Form. The Business Associate is responsible for reporting all information needed by the DHA Privacy Office to enable timely and accurate determinations on reports to HHS as required by the HHS Breach Rule and reports to the Defense Privacy, Civil Liberties, and Transparency Division as required by DoD Privacy Program Issuances.
(b) Individual Notification Provisions
If the DHA Privacy Office determines that individual notification is required IAW 5 CFR
§§ 164.400-414, the Business Associate shall provide written notification to individuals affected
by the breach as soon as possible, but no later than ten working days after the breach is discovered
and the identities of the individuals are ascertained. The ten-day period begins when the Business Associate determines the identities (including addresses) of the individuals whose records were affected.
The Business Associate’s proposed notification to be issued to the affected individuals shall be submitted for approval to the DHA Privacy Office. Upon request, the Business Associate shall provide the DHA Privacy Office with the final text of the notification letter sent to the affected individuals. PII shall not be included with the text of the letter(s) provided.. Copies of further correspondence with affected individuals need not be provided unless requested by the DHA Privacy Office. Pursuant to 45 CFR §§ 164.400-414 and section 13407 of the HITECH Act, the Business Associate’s notification to the individuals, at a minimum, shall include the following:
—The individual(s) must be advised of what specific data was involved. It is insufficient to simply state that PII has been lost. Where names, Social Security Numbers (SSNs) or truncated SSNs, and Dates of Birth (DOBs) are involved, it is critical to advise the individual of the nature and extent of any potentially PHI data elements that have been breached. In all cases, individuals should be notified as to the nature and extent of any compromised PHI.
—The individual(s) must be informed of the facts and circumstances surrounding the breach. The description should be sufficiently detailed so that the individual clearly understands how the breach occurred.
—The individual(s) must be informed of any steps the individuals should take to protect themselves from potential harm resulting from the breach.
—The individual(s) must be informed of what protective actions the Business Associate is taking or the individual can take to mitigate against potential future harm. The notice must refer the individual to the current Federal Trade Commission (FTC) web site pages on identity theft and the FTC’s Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); Teletype (TTY):): 1- 866- 653-4261.
—The individual(s) must also be informed of any mitigation support services (e.g., one year of free credit monitoring, identification of fraud expense coverage for affected individuals, provision of credit freezes, etc.) that the Business Associate may offer affected individuals, the process to follow to obtain those services, and the period of time the services will be made available, and contact information (including a phone number, either direct or toll-free, e-mail address and postal address) for obtaining more information.
Business Associates shall ensure any envelope containing written notifications to affected individuals are clearly labeled to alert the recipient to the importance of its contents, e.g., “Data Breach Information Enclosed,” and that the envelope is marked with the identity of the Business Associate and/or subcontractor organization that suffered the breach. The letter must also include contact information for a designated point of contact (POC),), phone number, email address, and
postal address.
If the Business Associate determines that it cannot readily identify, or will be unable to reach, some affected individuals within the ten-day period after discovering the breach, the Business Associate shall so indicate in the initial or updated Breach Report Form. Within the 10- day period, the Business Associate shall provide the approved notification to those individuals who can be reached. Other individuals must be notified within ten days after their identities and addresses are ascertained. The Business Associate shall consult with the DHA Privacy Office, which will determine which media notice is most likely to reach the population not otherwise identified or reached. The Business Associate shall issue a generalized media notice(s) to that population in accordance with DHA Privacy Office approval.
The Business Associate shall, at no cost to the government, bear all costs associated with a breach of PII/PHI that the Business Associate has caused or is otherwise responsible for addressing.
VI. Termination
(a) Termination. Noncompliance by the Business Associate (or any of its staff, agents, or subcontractors) with any requirement addressed in this BAA may subject the Business Associate to termination under any applicable default or other termination provision of the Agreement.
(b) Effect of Termination.
(1) If the Agreement has records management requirements, the Business Associate shall handle such records in accordance with the records management requirements. If the Agreement does not have records management requirements, the records shall be handled in accordance with paragraphs (2) and (3) below, unless the Agreement has provisions for transfer of records and PII/PHI to a successor Business Associate, or if DHA gives directions for such transfer. In the case DHA or the Agreement provides for transfer of records, the Business Associate shall handle such records and information in accordance with such Agreement provisions or DHA direction.
(2) If the Agreement does not have records management requirements, except as provided in the following paragraph (3), upon termination of the Agreement, for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity that the Business Associate still maintains in any form. This provision shall apply to PHI that is in the possession of subcontractors or agents of the Business Associate. The Business Associate shall retain no copies of the PHI or its derivatives.
(3) If the Agreement does not have records management provisions and the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Covered Entity and the Business Associate that return or destruction of PHI is infeasible, the Business
Associate shall extend the protections of the Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.
VII. Execution
(a) Survival. The obligations of Business Associate under the “Effect of Termination” provision of this BAA shall survive the termination of the Agreement or any part thereof.
(b) Interpretation. Any ambiguity in the Agreement shall be resolved in favor of a meaning that permits the DoD Component and the Business Associate to comply with the HIPAA Rules and the DoD HIPAA Rules.
[Business Associate] [DoD Covered Entity]
Date Date
(End of Clause)
The Government will only consider firm fixed price (FFP) quotations.
All questions regarding the RFQ, of a contractual or technical nature, must be submitted electronically by email to dernell.w.wade.civ@mail.mil no later than Monday, 9/19/2022, 12:01pm PST. Questions with the Government’s responses will be posted as an attachment to the RFQ. Please be advised that the Government reserves the right to transmit those questions and answers of a common interest to all prospective Quoters.
Electronic submission of Quotes: Quotations shall be submitted electronically by email to dernell.w.wade.civ@mail.mil. Quotations must be received no later than 12:01pm PST on Thursday, 9/22/2022. Email submissions are limited to 2MB. The submitter should confirm receipt of email submissions.
All quotes shall include price(s), FOB point, a point of contact, name and phone number, GSA contract number, business size, and payment terms. Each response must clearly indicate the capability of the Quoter to meet all specifications and requirements.
******* End of Combined Synopsis/Solicitation ********
