Sources Sought Notice – 65– Carescape Telemetry Monitoring System

Notice Type: Sources Sought Notice

Posted Date: 25-AUG-17

Office Address: Department of Veterans Affairs;Network Contracting Office 4;1010 DELAFIELD ROAD;PITTSBURGH, PA 15215

Subject: 65-- Carescape Telemetry Monitoring System

Classification Code: 65 - Medical, dental & veterinary equipment & supplies

Solicitation Number: VA24417N1686

Contact: AMANDA [email protected] mailto:[email protected]

Setaside: N/AN/A

Place of Performance (address): DEPT OF VA ERIE;135 East 38th Street;Erie, PA

Place of Performance (zipcode): 16504

Place of Performance Country: UNITED STATES

Description: Department of Veterans Affairs

Network Contracting Office 4

Veterans Integrated Service Network 4 Facilities

Sources Sought Notice

The intent of this Sources Sought Notice is to identify potential Small Businesses especially any SDVOSB offerors capable of providing a Carescape Telemetry Monitoring System as listed in the Statement of Work (See Below). These are for the VA Healthcare Center in Erie, PA.

Responses to this Sources Sought Notice should demonstrate the firm's ability, capability, and responsibility to provide the principal components of supplies listed in the Statement of Work (See Below).

Responses should include the following information:

Business name

Address

Business point of contact

Current Duns Number

All information is to be submitted via e-mail at [email protected] Information provided will not be returned. All responses shall be in the English Language.

Responses are due by 12:00 pm (EST) on 8/29/17.

WORK STATEMENT

1. GENERAL:

The vendor, GE, or equal, shall provide the equipment, upgrades, warranty, and training necessary to update our existing GE Telemetry System as specified in this documentation.

2. BACKGROUND:

The Erie VAMC is located in Erie, PA encompassing acute medical, surgical, psychiatric, and long-term care. The hospital provides primary, secondary, and some tertiary care. Annually, the medical center serves approximately 18,000 patients.

3. PERIOD OF PERFORMANCE:

FY 17 Q3/Q4

4. PLACE OF PERFORMANCE: 135 East 38th Street Erie, PA 16504.

5. DAYS AND HOURS OF OPERATION:

Monday Friday, 0730 to 1630. excluding federal holidays.

6. EQUIPMENT DESCRIPTION:

7. PERFORMANCE REQUIREMENTS:

The Vendor will upgrade our current GE telemetry system including:

Software updates to associated telemetry and monitoring software currently being used by the Erie VAMC.

This will include upgrades and replacements to computers if needed in order to run new software installments

The operating system for the central station computers will be Windows 7, 64 bit.

This will include a new server, with an operating system of Windows Server 2012, but no less than Windows Server 2008 or a Linux operating system. The server will be the point of interfacing with VISTA and CPRS.

Refer to section 8. SCOPE OF WORK FOR INSTALLATION for information on the installation of the requested equipment.

Clinical Training: The Contractor must provide a training program that is coordinated with and timely to the equipment installation, sufficient to the size and scope of the facility s services and minimally equivalent to the terms and conditions for training defined in the Contractor s FSS Contract. Training will be unlimited and include initial setup and user-training; onsite training for go-live support, super user training, and follow-up training. Training will include ongoing customer support after the implementation of the equipment, as well as annual applications training for the duration of the warranty.

The following list of equipment will be repurposed by the Erie VAMC:

Strip Chart Recorders

Telemetry Transmitters

Antennas

All equipment that is not reused will offered as a trade-in.

Urgent Care Center:

Eight (8) new B650 physiological monitors with Patient Data Modules (PDM) capable of monitoring end tidal CO2, ECG, SPO2, and noninvasive blood pressure.

Two (2) B450 transport monitors, with Patient Data Modules (PDM), capable of monitoring end tidal CO2, ECG, SPO2, and noninvasive blood pressure.

All monitors must utilize Masimo technology for SPO2 measurements

Vendor will include one (1) set of ECG cables and leads, SPO2 finger sensors, non-invasive blood pressure cuffs of each size, and exhaled CO2 sensors and interconnecting cables for each monitor.

One (1) upgraded Central Station (Windows 7, 64 bit), one (1) new laser printer and all interconnecting cables.

Vendor will supply an uninterruptable power supply, sized to maintain power to the CIC monitor and computer for a minimum of 10 minutes.

Six (6) of the mounts will need to be capable of attaching the headwall rail and 2 of the mounts will need to attach directly to the wall.

Unit 5 Acute Care

All telemetry transmitters will be compatible and capable of connecting to the GE Healthcare Carescape V100 vital signs monitor and the Dyna Link adapters for the transmission of non-invasive blood pressure values to the central station

Vendor will include patient leads and SPO2 sensors and Dyna Link adaptor, and cables, compatible with the GE Healthcare Carescape V100 vital signs monitor, for the telemetry transmitters

Two (2) new B450 physiological transport monitors, with Patient Data Modules (PDM), capable of monitoring end tidal CO2, ECG, SPO2, and noninvasive blood pressure.

The B450 must have the full arrhythmia package

Vendor will include one (2) roll stand for the B450 transport monitor

Vendor will include 1 set of ECG cables and leads, SPO2 finger sensors, non-invasive blood pressure cuffs of each size, and end tidal CO2 sensors and interconnecting cables for the B450 transport monitor.

One (1) upgraded Central Station (Windows 7, 64 bit), one (1) new laser printer

The Central Station (CIC) must have the full arrhythmia capability, 72 hour full disclosure, post-discharge data and all Clinical Tools, ie., care notes, event review, strip reporting, etc.

The Acute Care CIC will be interconnected to the CIC in the Urgent Care Clinic and be capable of viewing patients in the Urgent Care Clinic while continuing to monitor all telemetry patients.

Vendor will supply an uninterruptable power supply, sized to maintain power to the CIC monitor and computer for a minimum of 10 minutes.

Operating Room

Four (4) new B850 physiological monitors, with Patient Data Modules (PDM) capable of monitoring end tidal CO2, ECG, SPO2, Smart Anesthesia Modules and noninvasive blood pressure.

The B850 monitors will mount to the existing mounts and must have the standard VESA mounting configuration.

Three (3) new B650 physiological monitors with Patient Data Modules (PDM) capable of monitoring end tidal CO2, ECG, SPO2, and noninvasive blood pressure.

The B650 monitors will require new mounting hardware. The mounts must be capable of being mounted to the wall and capable of

Vendor will include 1 set of ECG cables and leads, SPO2 finger sensors, non-invasive blood pressure cuffs of each size, and exhaled CO2 sensors and interconnecting cables for the B450 transport monitor.

One (1) new B450 physiological transport monitor, with Patient Data Modules (PDM), capable of monitoring exhaled CO2, ECG, SPO2, and noninvasive blood pressure.

Vendor will include 1 set of ECG cables and leads, SPO2 finger sensors, non-invasive blood pressure cuffs of each size, and exhaled CO2 sensors and interconnecting cables for the B450 transport monitor.

All monitors must utilize Masimo technology for SPO2 measurements

One (1) new B450 Roll Stand

Server

The vendor will provide and install the server. The server will be physically installed in the Information Technology server core room, which is located in the basement, room B018-1.

The server must be 4-post rack mounted, 120 volt

Vendor will provide the HL7 interface to VISTA.

Must have an operating system of Windows Server 2012, but no less than Windows Server 2008 or a Linux operating system.

Biomedical Department

One (1) new Central Station, one (1) new laser printer

8. WARRANTY:

The Erie VAMC is requesting a 3 year warranty on all new and upgraded equipment. Any equipment that is being reused will not be covered under the warranty.

9. SCOPE OF WORK FOR INSTALLATION

The vendor must provide a turn-key installation that must include all hardware, cabling, and accessories for a complete system (excluding devices stated to be reused) including but not limited to servers, monitors, modules, mounts, cabling, switches and uninterruptable power supplies.

The following list of equipment will be repurposed by the Erie VAMC:

Strip Chart Recorders

Telemetry Transmitters

Antennas

The Vendor will contact the Contracting Officer s Representative (COR), to arrange for a pre-installation meeting, with all effected services and the vendor. Meeting must occur within 4 weeks after the award of the contract.

Installation/Site Preparation: Site preparation specifications must be furnished in writing by the Vendor as a Site Preparation Report after award of the delivery/task order. The Vendor must provide coordinated professional installation and implementation project management services to implement the system specified in the SOW. The Vendor must provide a firm estimate of working days required from date of delivery order to go-live based upon the SOW. The initial installation site report must be provided to the COR no later than two weeks after the per-installation meeting. Vendor must visit the site and agree to the location of equipment and determine specific site prep requirements including but not limited to:

Space availability

Power availability

Configuration of mounts, modules, and peripheral equipment.

Infection Control Risk Assessment

The telemetry configuration and networking currently not functional will be implemented in the 5th floor acute area. The telemetry central station will have an interconnection with the central station in the Urgent Care Clinic. The vendor will include a gateway server to enable the interface connection of both central stations to VISTA. That connection will not be performed during this installation, but should be capable of that connection in a future project.

The Ambulatory Surgery monitors will be connected to the PICIS computers for the transfer of patient data to VISTA. The vendor must provide the drivers for the monitors to interface with the PICIS computers.

The vendor will install the antenna and cabling on the 5th floor. The cabling will be run into the Engineering closet, room # SP535-1 and down thru the existing conduit to the 3rd floor Engineering closet, room 351. From the 3rd floor closet the cable will be run above the ceiling and into room 303, which is across the hall from the Engineering closet. The telemetry receivers, filters and power supplies for the filters will be mounted on the East wall of room 303. The existing data drop will be utilized to connect the receiver to the network in room 302 (IT closet). The receiver will use the network cabling to connect to the servers in the IT server core room.

Contractor must provide a turn-key installation that must include all hardware, cabling, and accessories for a complete system, including but not limited to, servers, monitors, modules, mounts, cabling, network switches and uninterruptable power supplies.

10. VENDOR RESPONSIBILITIES:

All installation of antennas, cabling of antennas, receivers, telemetry peripheral switches will be installed by GE Healthcare.

Vendor will perform an RF survey, on Unit 5, prior to installation.

Vendor will work with COR and Information Technology Representative to determine the best location for networking components, based on the location of the existing network components.

All above ceiling cabling must be tie-wrapped and placed in either the-- telephone/data trough, in a conduit, or properly routed through interstitial areas per hospital facilities requirements and local electric codes.

Cables must be bundled neatly and in a professional manner especially when cables converge at network hardware.

Cables must be marked at each end indicating the termination point of the other end.

Any cable run through plenum space must be plenum rated according to NEC and applicable fire codes.

Any firewalls that are breached must have the openings sealed with a properly rated fire stop sealant.

All networking hardware must be rack mounted in the rooms designated by Facility Project POC or COR to be provided at walkthrough.

Network cabling, terminations, and any patch panels used must be Category 6 (Hereafter referenced as CAT6) certified.

All cables must be terminated TIA568A in conformance with Telecommunications Industry Association standards.

All cable runs must be tested and certified in accordance with TSB-67 and TIA/EIA 568-A or latest TIA/EIA Revisions.

The Contractor must provide a copy of all test results along with all cable lengths to the COR in an acceptable electronic format that can be displayed and/or viewed.

Contractor must comply with all VA mandated and local permitted/safety requirements.

Performance verification will be required at the conclusion of every preventive maintenance and emergency repair event.-- This verification procedure may include performance testing for accuracy and precision of the instrument.-- If any procedures were performed that would in any way affect the calibration status of the instrument, the results of performance testing must conform to established performance criteria for the instrument.

11. GOVERNMENTS RESPONSIBILITY:

Entry into all spaces required to complete the installation

All electrical power required for the equipment

Any data drops needed for connection to the network

Space for the equipment to be installed

Storage space for all new/upgraded equipment and during the installation phase a staging area for the vendors tools and equipment.

12. SECURITY:

Upon arrival at the VA Medical Center, the vendor shall stop at the VA Police office and obtain a contractor s badge. The vendor will proceed to the areas where the installation will be performed.

13. INFORMATION SYSTEMS SECURITY REQUIREMENTS:

GENERAL

Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

With regard to background investigation requirements, the Office of Operations, Security, and Preparedness (OSP), has determined it is not required for contract personnel with limited and intermittent access (installation and repairs as required or requested by VA staff as part of the approved contract) to equipment connected to facility networks on which limited VA sensitive information may reside, including medical equipment contractors who install, maintain, and repair networked medical equipment. Therefore, maintenance (warranty) and installation contracts are exempt when a Business Associate Agreement (BAA) is in place.

VA INFORMATION CUSTODIAL LANGUAGE

Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).

If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.

If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1605.05, Business Associate Handbook. Absent an agreement to use or disclose protected health information, there is no business associate relationship.

4. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE (if applicable include the following statement per memo 3/24/2011)

Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:

Vendor must accept the system without the drive;

VA s initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or

VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.

Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then;

The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and

Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be pre-approved and described in the purchase order or contract.

A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed.-- The ISO needs to maintain the documentation.

SECURITY INCIDENT INVESTIGATION

The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.

LIQUIDATED DAMAGES FOR DATA BREACH

Consistent with the requirements of 38 U.S.C. --5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

Based on the determinations of an independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:

Notification;

One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;

Data breach analysis;

Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;

One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and

Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

7. TRAINING

Before being granted access to VA information or information systems, all contractor employees and subcontractor employees requiring such access shall complete on an annual basis electronically through TMS either: (i) the VA security/privacy training (contains VA s security/privacy requirements) within 1 week of the initiation of the contract, or (ii) security awareness training provided or arranged by the contractor that conforms to VA s security/privacy requirements as delineated in the hard copy of the VA security awareness training provided to the contractor. If the contractor provides their own training that conforms to VA s requirements, they will provide the COR or CO, a yearly report (due annually on the date of the contract initiation) stating that all applicable employees involved in VA s contract have received their annual security/privacy training that meets VA s requirements and the total number of employees trained.

Sign VA s Rules of Behavior: Before being granted access to VA information or information systems, all contractor employees and subcontractor employees requiring such access shall sign electronically through TMS, on an annual basis, an acknowledgement that they have read, understand, and agree to abide by the VA s Contractor Rules of Behavior through TMS. If a medical device vendor anticipates that the services under the contract will be performed by 10 or more individuals, the Contractor Rules of Behavior may be signed by the vendor s designated representative. The contract must reflect by signing the Rules of Behavior on behalf of the vendor that the designated representative agrees to ensure that all such individuals review and understand the Contractor Rules of Behavior when accessing VA s information and information systems.

14. CONTRACT PERFORMANCE MONITORING:

The government reserves the right to monitor services in accordance with Performance Based Matrix.

15. INVOICES:

Payment will be made upon receipt of a properly prepared detailed invoice, prepared by the Contractor, validated by the Contracting Officer s Representative (COR), and submitted to XXX.

A properly prepared invoice will contain:

Invoice Number and Date

Contractor s Name and Address

Accurate Purchase Order Number

Supply or Service provided

Total amount due

16. Records Management Language for Contracts

The following standard items relate to records generated in executing the contract and should be included in a typical Electronic Information Systems (EIS) procurement contract:

Citations to pertinent laws, codes and regulations such as 44 U.S.C chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228.

Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest.

Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records.

Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act.

Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract.

The Government Agency owns the rights to all data/records produced as part of this contract.

The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.

Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.].

No disposition of documents will be allowed without the prior written consent of the Contracting Officer. The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules.

Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, this contract. The Contractor (and any sub-contractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information.

Additional Security Requirements

Contractor must take the VA Privacy and Information Security Awareness and Rules and Behavior courseupon hire and annually thereafter as long as the contract is in place. (Hard copy text version is acceptableas contractor will not have VA network access) Copies to be maintained by COR.

BAA required (Copy of a BAA Below)

BAA

Purpose. The purpose of this Business Associate Agreement (Agreement) is to establish requirements for the Department of Veterans Affairs (VA), Veterans Health Administration (VHA), and in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, and the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules ( HIPAA Rules ), 45 C.F.R. Parts 160 and 164, for the Use and Disclosure of Protected Health Information (PHI) under the terms and conditions specified below.

Scope. Under this Agreement and other applicable contracts or agreements, will provide brIEFLY DESCRIBE SERVICES (i.e., medical device, transcription, publishing)> services to, for, or on behalf of.

In order for to provide such services, will disclose PHI to , and will use or disclose PHI in accordance with this Agreement.

Definitions. Unless otherwise provided, the following terms used in this Agreement have the same meaning as defined by the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (PHI), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Business Associate shall have the same meaning as described at 45 C.F.R. '' 160.103. For the purposes of this Agreement, Business Associate shall refer to , including its employees, officers, or any other agents that create, receive, maintain, or transmit PHI as described below.

Covered Entity shall have the same meaning as the term is defined at 45 C.F.R. '' 160.103. For the purposes of this Agreement, Covered Entity shall refer to.

Protected Health Information or PHI shall have the same meaning as described at 45 C.F.R. '' 160.103. Protected Health Information and PHI as used in this Agreement include Electronic Protected Health Information and EPHI. For the purposes of this Agreement and unless otherwise provided, the term shall also refer to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity or receives from Covered Entity or another Business Associate.

Subcontractor shall have the same meaning as the term is defined at 45 C.F.R. '' 160.103. For the purposes of this Agreement, Subcontractor shall refer to a contractor of any person or entity, other than Covered Entity, that creates, receives, maintains, or transmits PHI under the terms of this Agreement.

Terms and Conditions. Covered Entity and Business Associate agree as follows:

1. Ownership of PHI. PHI is and remains the property of Covered Entity as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate agreement is in place.

2. Use and Disclosure of PHI by Business Associate. Unless otherwise provided, Business Associate:

A. May not use or disclose PHI other than as permitted or required by this Agreement, or in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except that it may use or disclose PHI:

(1) As required by law or to carry out its legal responsibilities;

(2) For the proper management and administration of Business Associate; or

(3) To provide Data Aggregation services relating to the health care operations of Covered Entity.

B. Must use or disclose PHI in a manner that complies with Covered Entity s minimum necessary policies and procedures.

C. May de-identify PHI created or received by Business Associate under this Agreement at the request of the Covered Entity, provided that the de-identification conforms to the requirements of the HIPAA Privacy Rule.

3. Obligations of Business Associate. In connection with any Use or Disclosure of PHI, Business Associate must:

A. Consult with Covered Entity before using or disclosing PHI whenever Business Associate is uncertain whether the Use or Disclosure is authorized under this Agreement.

B. Implement appropriate administrative, physical, and technical safeguards and controls to protect PHI and document applicable policies and procedures to prevent any Use or Disclosure of PHI other than as provided by this Agreement.

C. Provide satisfactory assurances that PHI created or received by Business Associate under this Agreement is protected to the greatest extent feasible.

D. Notify Covered Entity within twenty-four (24) hours of Business Associate s discovery of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI.

(1) Any incident as described above will be treated as discovered as of the first day on which such event is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

(2) Notification shall be sent to the and to the VHA Health Information Access Office, Business Associate Program Manager by email at [email protected].

(3) Business Associate shall not notify individuals or the Department of Health and Human Services directly unless Business Associate is not acting as an agent of Covered Entity but in its capacity as a Covered Entity itself.

E. Provide a written report to Covered Entity of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI, within ten (10) business days of the initial notification.

(1) The written report of an incident as described above will document the following:

(a) The identity of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, disclosed, modified, or destroyed;

(b) A description of what occurred, including the date of the incident and the date of the discovery of the incident (if known);

(c) A description of the types of secured or unsecured PHI that was involved;

(d) A description of what is being done to investigate the incident, to mitigate further harm to Individuals, and to protect against future incidents; and

(e) Any other information as required by 45 C.F.R. '--' 164.404(c) and 164.410.

(2) The written report shall be addressed to:

and submitted by email to and to the VHA Health Information Access Office, Business Associate Program Manager at [email protected].

F. To the greatest extent feasible, mitigate any harm due to a Use or Disclosure of PHI by Business Associate in violation of this Agreement that is known or, by exercising reasonable diligence, should have been known to Business Associate.

G. Use only contractors and Subcontractors that are physically located within a jurisdiction subject to the laws of the United States, and ensure that no contractor or Subcontractor maintains, processes, uses, or discloses PHI in any way that will remove the information from such jurisdiction. Any modification to this provision must be approved by Covered Entity in advance and in writing.

H. Enter into Business Associate Agreements with contractors and Subcontractors as appropriate under the HIPAA Rules and this Agreement. Business Associate:

(1) Must ensure that the terms of any Agreement between Business Associate and a contractor or Subcontractor are at least as restrictive as Business Associate Agreement between Business Associate and Covered Entity.

(2) Must ensure that contractors and Subcontractors agree to the same restrictions and conditions that apply to Business Associate and obtain satisfactory written assurances from them that they agree to those restrictions and conditions.

(3) May not amend any terms of such Agreement without Covered Entity s prior written approval.

I. Within five (5) business days of a written request from Covered Entity:

(1) Make available information for Covered Entity to respond to an Individual s request for access to PHI about him/her.

(2) Make available information for Covered Entity to respond to an Individual s request for amendment of PHI about him/her and, as determined by and under the direction of Covered Entity, incorporate any amendment to the PHI.

(3) Make available PHI for Covered Entity to respond to an Individual s request for an accounting of Disclosures of PHI about him/her.

J. Business Associate may not take any action concerning an individual s request for access, amendment, or accounting other than as instructed by Covered Entity.

K. To the extent Business Associate is required to carry out Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the provisions that apply to Covered Entity in the performance of such obligations.

L. Provide to the Secretary of Health and Human Services and to Covered Entity records related to Use or Disclosure of PHI, including its policies, procedures, and practices, for the purpose of determining Covered Entity s, Business Associate s, or a Subcontractor s compliance with the HIPAA Rules.

M. Upon completion or termination of the applicable contract(s) or agreement(s), return or destroy, as determined by and under the direction of Covered Entity, all PHI and other VA data created or received by Business Associate during the performance of the contract(s) or agreement(s). No such information will be retained by Business Associate unless retention is required by law or specifically permitted by Covered Entity. If return or destruction is not feasible, Business Associate shall continue to protect the PHI in accordance with the Agreement and use or disclose the information only for the purpose of making the return or destruction feasible, or as required by law or specifically permitted by Covered Entity. Business Associate shall provide written assurance that either all PHI has been returned or destroyed, or any information retained will be safeguarded and used and disclosed only as permitted under this paragraph.

N. Be liable to Covered Entity for civil or criminal penalties imposed on Covered Entity, in accordance with 45 C.F.R. '--' 164.402 and 164.410, and with the HITECH Act, 42 U.S.C. '--' 17931(b), 17934(c), for any violation of the HIPAA Rules or this Agreement by Business Associate.

4. Obligations of Covered Entity. Covered Entity agrees that it:

A. Will not request Business Associate to make any Use or Disclosure of PHI in a manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if made by Covered Entity, except as permitted under Section 2 of this Agreement.

B. Will promptly notify Business Associate in writing of any restrictions on Covered Entity s authority to use or disclose PHI that may limit Business Associate s Use or Disclosure of PHI or otherwise affect its ability to fulfill its obligations under this Agreement.

C. Has obtained or will obtain from Individuals any authorization necessary for Business Associate to fulfill its obligations under this Agreement.

D. Will promptly notify Business Associate in writing of any change in Covered Entity s Notice of Privacy Practices, or any modification or revocation of an Individual s authorization to use or disclose PHI, if such change or revocation may limit Business Associate s Use and Disclosure of PHI or otherwise affect its ability to perform its obligations under this Agreement.

5. Amendment. Business Associate and Covered Entity will take such action as is necessary to amend this Agreement for Covered Entity to comply with the requirements of the HIPAA Rules or other applicable law.

6. Termination.

A. Automatic Termination. This Agreement will automatically terminate upon completion of Business Associate s duties under all underlying Agreements or by termination of such underlying Agreements.

B. Termination Upon Review. This Agreement may be terminated by Covered Entity, at its discretion, upon review as provided by Section 9 of this Agreement.

C. Termination for Cause. In the event of a material breach by Business Associate, Covered Entity:

(1) Will provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Covered Entity, and;

(2) May terminate this Agreement and underlying contract(s) if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity.

D. Effect of Termination. Termination of this Agreement will result in cessation of activities by Business Associate involving PHI under this Agreement.

E. Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement as long as Business Associate creates, receives, maintains, or transmits PHI, regardless of whether a compliant Business Associate Agreement is in place.

7. No Third Party Beneficiaries. Nothing expressed or implied in this Agreement confers any rights, remedies, obligations, or liabilities whatsoever upon any person or entity other than Covered Entity and Business Associate, including their respective successors or assigns.

8. Other Applicable Law. This Agreement does not abrogate any responsibilities of the parties under any other applicable law.

9. Review Date. The provisions of this Agreement will be reviewed by Covered Entity every two years from Effective Date to determine the applicability and accuracy of the Agreement based on the circumstances that exist at the time of review.

10. Effective Date. This Agreement shall be effective on the last signature date below.

Department of Veterans Affairs COMPANY/ORGANIZATION

Veterans Health Administration

By: By:

Name: Name:

Title: Title:

Date: Date:

Link/URL: https://www.fbo.gov/spg/VA/PiVAMC646/PiVAMC646/VA24417N1686/listing.html