Sources Sought Notice Sources Sought Notice Page 5 of 5 Sources Sought Notice *= Required Field Sources Sought Notice Page 1 of 5 This Sources Sought Notice is for informational and planning purposes only and shall not be construed as a solicitation or as an obligation or commitment by the Government at this time. This notice is intended strictly for market research. The purpose of this Sources Sought notice is to determine interest and capability of Other than Small Businesses and/or Small Businesses, including VIP-Verified Veteran-Owned Small Business (VOSB) or Service-Disabled Veteran-Owned Small Business (SDVOSB) prospective contractors relative to the North American Industry Classification System (NAICS) Code 541519. This sources sought notice is to determine interest and capability of authorized vendors able to fulfill the following requirement: The Danville VA Medical Center is requesting the following: InstyMed Dispenser System Item 0001: InstyMeds System including purchase of Dispenser Quantity 4 Item 0002: Professional Installation Quantity 4 1. Contract Title. VA Illiana Healthcare System InstyMeds System. 2. Background. InstyMeds is a prescription dispensing system providing automated dispensing of prescriptions at the point of care. Use of an InstyMeds prescription dispenser at the Urgent Care and CBOCs, provides the ability to dispense prescriptions without the need to have a Pharmacy and associated FTE on site. Patients are guided through self-service transactions by following instructions on the touchscreen and collect their medications with personalized labels. In addition to cost savings associated with prescription dispensing without adding additional FTE on site and the decreased use of the First Fill contract, medication adherence and patient outcomes are projected to increase. Upon completion of an appointment with their Primary Care Provider, Veterans will have the ability to have common prescriptions dispensed on site eliminating the need to travel to the main facility or other location to fill these prescriptions. The InstyMeds must meet the following specifications: Maintain compliance with State and Federal Pharmacy Regulatory guidelines. Integrate with Vista using third-party software. Adjustable/flexible inventory formulary to meet site patient needs. Accuracy rate of 100% in dispensing Personalized patient label that includes requisite safety warnings and complies with the state s Board of Pharmacy requirements. Patient phone support available at InstyMeds location Availability of preventative and as-needed maintenance. Fee based packaging materials provided monthly based on prescriptions dispensed. Continuous access to InstyMeds support by telephone and email after installation and training is complete. 3. Scope. This statement of work covers the purchase and installation of the InstyMeds system and its accompanying yearly service specifications. The work being done will include a professional installation, inventory creation, training, hardware, and software maintenance during the first year, packaging materials (bottles, lids, magazines, Velcro straps, overpack boxes), as well as any service components required to keep the device operable throughout the life of the contract. 4. Specific Tasks. VA Illiana Healthcare System Pharmacy will be assigned a vendor project manager who will be responsible for coordinating the initial kickoff meeting and establishing regular calls to review the project plan and milestones. The due date of specific deliverables aiding in implementation and installation will be established at this initial meeting between the vendor and the facility. The kickoff meeting should be held no later than 15 days after issue of delivery order. A vendor-developed standard implementation schedule will be utilized to ensure installation is performed efficiently. The vendor will perform a pre-implementation meeting to validate integration requirements and to answer questions. Major aspects of the pre-implementation and installation process are listed below: Customer contract received. Project manager introduced. Kickoff meeting scheduled. Weekly project calls scheduled. Pre-implementation site survey scheduled. Facility assessment, equipment location and delivery planning. Installation timeline established. InstyMeds System database setup and preparation by InstyMeds staff Working with the VA s IT department to connect the VA InstyMeds location to both the network and the InstyMeds System. Validation of Vista interface with InstyMeds Vendor interface testing completed. Coordination with DSS vendor as needed for interface. Super users for training identified. Medical staff and pharmacy staff (VA personnel to determine appropriate medical and pharmacy staff) trained on: Overview on the basic operations of the Dispenser. Web-based prescription writing software. Restocking of the Dispenser. Basic first level maintenance and repair of the Dispenser. Certification testing and VA acceptance (At end of four days of training) Upon completion of on-site training, VA personnel will have continuous access to InstyMeds support by telephone and email. Approximately 30 days after Go Live, InstyMeds Account Manager will return for follow-up and answer any questions. Pharmacy system test order received. Deliverables: The vendor will install the InstyMeds System providing all necessary labor, management, skills, materials, etc. required to install, train, and maintain the system. Installation activities to include coordination with Biomedical Engineering and OI&T to ensure network connectivity as needed. Any necessary files created during maintenance will not be saved by the vendor. Retention of data will be on an internal VA server only. All backup data will be completed, performed, and maintained by Pharmacy service. InstyMeds System to be installed at each of the following locations. VA Illiana Healthcare System, Urgent Care (Bldg 98) located at 1900 East Main St., Danville, IL 61832 Springfield Community Based Outpatient Clinic (CBOC), located at 5850 S 6th St, Ste A, Springfield, IL 62703 (parent facility VA Illiana Healthcare System) Mattoon Community Based Outpatient Clinic (CBOC), located at 501 Lakeland Blvd, Ste D, Mattoon, IL 61938 (parent facility VA Illiana Healthcare System) Bloomington Community Based Outpatient Clinic (CBOC), located at 207 Hamilton Rd, Bloomington, IL 61704 (parent facility VA Illiana Healthcare System) InstyMeds Inventory Creation to be completed at VA Illiana Healthcare System, which is physically located at 1900 E. Main Street, Danville, IL 61832. Four days of training with InstyMeds personnel with medical and pharmacy staff to be accomplished (VA personnel to determine appropriate medical and pharmacy staff) at VA Illiana Health Care System, 1900 E. Main St, Danville, IL 61832, the Springfield CBOC, located at 5850 S 6th St, Ste A, Springfield, IL 62703, the Mattoon CBOC, located at 501 Lakeland Blvd, Ste D, Mattoon, IL 61938, and the Bloomington CBOC, located at 207 Hamilton Rd, Bloomington, IL 61704. Certification testing and VA acceptance (At end of four days of training) Delivery of packing materials monthly (packaging materials fee per Rx- monthly amount based on number of Rx s dispensed each month) to the VA Illiana Healthcare System, located at 1900 E. Main St, Danville, IL 61832. All requested products on this transaction will be completely provided as specified and completed no later than the earliest time feasible once the contract is awarded. The installation of specified software should not take longer than 30 days. Installation is to occur during the timeframe indicated by the VA Illiana Healthcare System. The vendor shall perform all work during normal business hours (Monday through Friday, 0800-1630, excluding Federal holidays) unless otherwise stipulated by the COR/designee. 5. Performance Monitoring InstyMeds will provide subscription hardware and software maintenance and support Monday through Friday during standard operating hours (0700-1630 CST) to be provided by trained client support engineers, remote diagnostics including patches, software downloads and unlimited support requests. Patient support at point of dispensing for InstyMeds operation to be provided by InstyMeds Patient Service Center team through a phone at the dispenser. DSS s employees and/or subcontractors should possess skills and administrative privileges for installation, setup, and maintenance services. Prior to the go-live, we will require the following from contractors in order to monitor progress and ensure compliance: Weekly status report Weekly meetings Monthly progress report Project Management Team meetings Program reviews. Outlines and drafts 6. Security Requirements Development, management operation and security of a connection between DSS Pharmacy. 7. Government-Furnished Equipment (GFE)/Government-Furnished Information (GFI). No GFE will be provided to the contractor. 8. Other Pertinent Information or Special Considerations. a. Identification of Possible Follow-on Work. Not applicable b. Identification of Potential Conflicts of Interest (COI). No COI has been identified. c. Identification of Non-Disclosure Requirements. The contractor will not have access to sensitive or proprietary information. d. Packaging, Packing and Shipping Instructions. Not applicable e. Inspection and Acceptance Criteria. The interface will be received via VA Illiana Healthcare System policy with inspection and acceptance occurring at time of receipt. Final acceptance will occur with the completion of installation, setup, and certification testing. 9. Risk Control Not applicable 10. Place of Performance. One unit will be delivered, and training performed at each of the following locations: VA Illiana Healthcare System, Urgent Care (Bldg 98) located at 1900 East Main St., Danville, IL 61832 Springfield Community Based Outpatient Clinic (CBOC), located at 5850 S 6th St, Ste A, Springfield, IL 62703 (parent facility VA Illiana Healthcare System) Mattoon Community Based Outpatient Clinic (CBOC), located at 501 Lakeland Blvd, Ste D, Mattoon, IL 61938 (parent facility VA Illiana Healthcare System) Bloomington Community Based Outpatient Clinic (CBOC), located at 207 Hamilton Rd, Bloomington, IL 61704 (parent facility VA Illiana Healthcare System) It is expected that the equipment will be delivered 45-60 days after award. All work and labor will be scheduled with the COR or designee within 15 days after receipt. 11. Delivery Schedule. SOW Task# Deliverable Title Format Number Calendar Days After CO Start 1 InstyMeds installation Installation at the VA Illiana Healthcare System, Urgent Care in Danville, and each of the CBOCs located in Springfield, Mattoon, and Bloomington IL 2 Inventory Creation InstyMeds Inventory Creation to be completed at the VA Illiana Healthcare System 3 Training As applicable at each of the above CBOCs and at Main facility 4 Packing material Delivery of initial supply of packing material 5 Certification Testing Testing and VA Acceptance of equipment * Standard Distribution: 1 copy of the transmittal letter without the deliverable to the Contracting Officer shall be Emailed. 12.Privacy and Security GENERAL. This entire section applies to all acquisitions requiring any Information Security and Privacy language. Contractors, contractor personnel, subcontractors and subcontractor personnel will be subject to the same federal laws, regulations, standards, VA directives and handbooks, as VA personnel regarding information and information system security and privacy. VA INFORMATION CUSTODIAL LANGUAGE. This entire section applies to all acquisitions requiring any Information Security and Privacy language. The Government shall receive unlimited rights to data/intellectual property first produced and delivered in the performance of this contract or order (hereinafter contract ) unless expressly stated otherwise in this contract. This includes all rights to source code and all documentation created in support thereof. The primary clause used to define Government and Contractor data rights is FAR 52.227-14 Rights in Data General. The primary clause used to define computer software license (not data/intellectual property first produced under this contractor or order) is FAR 52.227-19, Commercial Computer Software License. Information made available to the contractor by VA for the performance or administration of this contract will be used only for the purposes specified in the service agreement, SOW, PWS, PD, and/or contract. The contractor shall not use VA information in any other manner without prior written approval from a VA Contracting Officer (CO). The primary clause used to define Government and Contractor data rights is FAR 52.227-14 Rights in Data General. VA information will not be co-mingled with any other data on the contractor s information systems or media storage systems. The contractor shall ensure compliance with Federal and VA requirements related to data protection, data encryption, physical data segregation, logical data segregation, classification requirements and media sanitization. VA reserves the right to conduct scheduled or unscheduled audits, assessments, or investigations of contractor Information Technology (IT) resources to ensure information security is compliant with Federal and VA requirements. The contractor shall provide all necessary access to records (including electronic and documentary materials related to the contracts and subcontracts) and support (including access to contractor and subcontractor staff associated with the contract) to VA, VA's Office Inspector General (OIG), and/or Government Accountability Office (GAO) staff during periodic control assessments, audits, or investigations. The contractor may only use VA information within the terms of the contract and applicable Federal law, regulations, and VA policies. If new Federal information security laws, regulations or VA policies become applicable after execution of the contract, the parties agree to negotiate contract modification and adjustment necessary to implement the new laws, regulations, and/or policies. The contractor shall not make copies of VA information except as specifically authorized and necessary to perform the terms of the contract. If copies are made for restoration purposes, after the restoration is complete, the copies shall be destroyed in accordance with VA Directive 6500, VA Cybersecurity Program and VA Information Security Knowledge Service. If a Veterans Health Administration (VHA) contract is terminated for default or cause with a business associate, the related local Business Associate Agreement (BAA) shall also be terminated and actions taken in accordance with VHA Directive 1605.05, Business Associate Agreements. If there is an executed national BAA associated with the contract, VA will determine what actions are appropriate and notify the contactor. The contractor shall store and transmit VA sensitive information in an encrypted form, using VA-approved encryption tools which are, at a minimum, Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules (or its successor) validated and in conformance with VA Information Security Knowledge Service requirements. The contractor shall transmit VA sensitive information using VA approved Transport Layer Security (TLS) configured with FIPS based cipher suites in conformance with National Institute of Standards and Technology (NIST) 800-52, Guidelines for the Selection, Configuration and Use of Transport Layer Security (TLS) Implementations. The contractor s firewall and web services security controls, as applicable, shall meet or exceed VA s minimum requirements. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two situations: (i) in response to a qualifying order of a court of competent jurisdiction after notification to VA CO (ii) with written approval from the VA CO. The contractor shall refer all requests for, demands for production of or inquiries about, VA information and information systems to the VA CO for response. Notwithstanding the provision above, the contractor shall not release VA records protected by Title 38 U.S.C. § 5705, Confidentiality of medical quality-assurance medical records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse or infection with Human Immunodeficiency Virus (HIV). If the contractor is in receipt of a court order or other requests for the above-mentioned information, the contractor shall immediately refer such court order or other requests to the VA CO for response. records and/or Title 38 U.S.C. § 7332, Confidentiality of certain medical records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse or infection with Human Immunodeficiency Virus (HIV). If the contractor is in receipt of a court order or other requests for the above-mentioned information, the contractor shall immediately refer such court order or other requests to the VA CO for response. Information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract will be protected and secured in accordance with VA Directive 6500 and Identity and Access Management (IAM) Security processes specified in the VA Information Security Knowledge Service. Any data destruction done on behalf of VA by a contractor shall be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, VA Handbook 6300.1, Records Management Procedures, and applicable VA Records Control Schedules. The contractor shall provide its plan for destruction of all VA data in its possession according to VA Directive 6500 and NIST 800-88, Guidelines for Media Sanitization prior to termination or completion of this contract. If directed by the COR/CO, the contractor shall return all Federal Records to VA for disposition. Any media, such as paper, magnetic tape, magnetic disks, solid state devices or optical discs that is used to store, process, or access VA information that cannot be destroyed shall be returned to VA. The contractor shall hold the appropriate material until otherwise directed by the Contracting Officer s Representative (COR) or CO. Items shall be returned securely via VA-approved methods. VA sensitive information must be transmitted utilizing VA-approved encryption tools which are validated under FIPS 140-2 (or its successor) and NIST 800-52. If mailed, the contractor shall send via a trackable method (USPS, UPS, FedEx, etc.) and immediately provide the COR/CO with the tracking information. Self-certification by the contractor that the data destruction requirements above have been met shall be sent to the COR/CO within 30 business days of termination of the contract. All electronic storage media (hard drives, optical disks, CDs, back-up tapes, etc.) used to store, process or access VA information will not be returned to the contractor at the end of lease, loan, or trade-in. Exceptions to this paragraph will only be granted with the written approval of the VA CO. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS. This section applies when any person requires access to information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees and subcontractors only to the extent necessary to perform the services specified in the solicitation or contract. This includes indirect entities, both affiliate of contractor/subcontractor and agent of contractor/subcontractor. Contractors and subcontractors shall sign the VA Information Security Rule of Behavior (ROB) before access is provided to VA information and information systems (see Section 4, Training, below). The ROB contains the minimum user compliance requirements and does not supersede any policies of VA facilities or other agency components which provide higher levels of protection to VA s information or information systems. Users who require privileged access shall complete the VA elevated privilege access request processes before privileged access is granted. All contractors and subcontractors working with VA information are subject to the same security investigative and clearance requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors shall be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office of Human Resources and Administration/Operations, Security and Preparedness (HRA/OSP) is responsible for these policies and procedures. Contract personnel who require access to classified information or information systems shall have an appropriate security clearance. Verification of a Security Clearance shall be processed through the Special Security Officer located in HRA/OSP. Contractors shall conform to all requirements stated in the National Industrial Security Program Operating Manual (NISPOM). All contractors and subcontractors shall comply with conditions specified in VAAR 852.204-71(d); Contractor operations required to be in United States. All contractors and subcontractors working with VA information must be permanently located within a jurisdiction subject to the law of the United States or its Territories to the maximum extent feasible. If services are proposed to be performed abroad the contractor must state where all non-U.S. services are provided. The contractor shall deliver to VA a detailed plan specifically addressing communications, personnel control, data protection and potential legal issues. The plan shall be approved by the COR/CO in writing prior to access being granted. The contractor shall notify the COR/CO in writing immediately (no later than 24 hours) after personnel separation or occurrence of other causes. Causes may include the following: Contractor/subcontractor personnel no longer has a need for access to VA information or VA information systems. Contractor/subcontractor personnel are terminated, suspended, or otherwise has their work on a VA project discontinued for any reason. Contractor believes their own personnel or subcontractor personnel may pose a threat to their company s working environment or to any company- owned property. This includes contractor-owned assets, buildings, confidential data, customers, employees, networks, systems, trade secrets and/or VA data. Any previously undisclosed changes to contractor/subcontractor background history are brought to light, including but not limited to changes to background investigation or employee record. Contractor/subcontractor personnel have their authorization to work in the United States revoked. Agreement by which contractor provides products and services to VA has either been fulfilled or terminated, such that VA can cut off electronic and/or physical access for contractor personnel. In such cases of contract fulfillment, termination, or other causes; the contractor shall take the necessary measures to immediately revoke access to VA network, property, information, and information systems (logical and physical) by contractor/subcontractor personnel. These measures include (but are not limited to): removing and then securing Personal Identity Verification (PIV) badges and PIV Interoperable (PIV-I) access badges, VA-issued photo badges, credentials for VA facilities and devices, VA-issued laptops, and authentication tokens. Contractors shall notify the appropriate VA COR/CO immediately to initiate access removal. Contractors/subcontractors who no longer require VA accesses will return VA- issued property to VA. This property includes (but is not limited to): documents, electronic equipment, keys, and parking passes. PIV and PIV-I access badges shall be returned to the nearest VA PIV Badge Issuance Office. Once they have had access to VA information, information systems, networks and VA property in their possessions removed, contractors shall notify the appropriate VA COR/CO. TRAINING. This entire section applies to all acquisitions which include section 3. All contractors and subcontractors requiring access to VA information and VA information systems shall successfully complete the following before being granted access to VA information and its systems: VA Privacy and Information Security Awareness and Rules of Behavior course (Talent Management System (TMS) #10176) initially and annually thereafter. Sign and acknowledge (electronically through TMS #10176) understanding of and responsibilities for compliance with the Organizational Rules of Behavior, relating to access to VA information and information systems initially and annually thereafter; and Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system or information access [to be defined by the VA program official and provided to the VA CO for inclusion in the solicitation document i.e., any role-based information security training]. The contractor shall provide to the COR/CO a copy of the training certificates and certification of signing the Organizational Rules of Behavior for each applicable employee within five days of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the required training is complete. SECURITY INCIDENT INVESTIGATION. This entire section applies to all acquisitions requiring any Information Security and Privacy language. The contractor, subcontractor, their employees, or business associates shall immediately (within one hour) report suspected security / privacy incidents to the VA OIT s Enterprise Service Desk (ESD) by calling (855) 673-4357 (TTY: 711). The ESD is OIT s 24/7/365 single point of contact for IT-related issues. After reporting to the ESD, the contractor, subcontractor, their employees, or business associates shall, within one hour, provide the COR/CO the incident number received from the ESD. To the extent known by the contractor/subcontractor, the contractor/ subcontractor's notice to VA shall identify the information involved and the circumstances surrounding the incident, including the following: (1) The date and time (or approximation of) the Security Incident occurred. The date and time (or approximation of) the Security Incident occurred. The names of individuals involved (when applicable). The physical and logical (if applicable) location of the incident. Why the Security Incident took place (i.e., catalyst for the failure). The amount of data belonging to VA believed to have been compromised. The remediation measures the contractor is taking to ensure no future incidents of a similar nature. After the contractor has provided the initial detailed incident summary to VA, they will continue to provide written updates on any new and relevant circumstances or facts they discover. The contractor, subcontractor, and their employes shall fully cooperate with VA or third-party entity performing an independent risk analysis on behalf of VA. Failure to cooperate may be deemed a material breach and grounds for contract termination. VA IT contractors shall follow VA Handbook 6500, Risk Management Framework for VA Information Systems VA Information Security Program, and VA Information Security Knowledge Service guidance for implementing an Incident Response Plan or integrating with an existing VA implementation. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG, and the VA Office of Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. The contractor shall comply with VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information, which establishes the breach management policies and assigns responsibilities for the oversight, management and reporting procedures associated with managing of breaches. With respect to unsecured Protected Health Information (PHI), the contractor is deemed to have discovered a data breach when the contractor knew or should have known of breach of such information. When a business associate is part of VHA contract, notification to the covered entity (VHA) shall be made in accordance with the executed BAA. If the contractor or any of its agents fails to protect VA sensitive personal information or otherwise engages in conduct which results in a data breach involving any VA sensitive personal information the contractor/subcontractor processes or maintains under the contract; the contractor shall pay liquidated damages to the VA as set forth in clause 852.211-76, Liquidated Damages--Reimbursement for Data Breach Costs. Qualifications, capabilities, and experience for providing this product; Business size/Socioeconomic status; Memo or correspondence from manufacturer to distribute their products. This is not a Request for Proposal/Quote or an announcement of a solicitation and no solicitation package exists at this time. Responses will be used solely for market research purposes of the Government. The Government will not pay for any materials provided in response to this notice and submissions will not be returned to the sender. VOSBs and SDVOSBs must be registered and verified in VIP for set-aside consideration. The applicable North American Industry Classification System (NAICS) Code for this requirement is 541519 responses should be submitted by e-mail to Vernise L. Newton at vernise.newton@va.gov. The information requested must be received no later than 10:00 am Central Standard Time on 12/2/2025.
