Loren Data's SAM Daily™

FBO DAILY ISSUE OF SEPTEMBER 10, 2009 FBO #2847
MODIFICATION

65 -- Amendment to incorporate the following B2B, Business Associate Agreement verbiage.

Notice Date
9/8/2009
 
Notice Type
Modification/Amendment
 
NAICS
339115 — Ophthalmic Goods Manufacturing
 
Contracting Office
Great Plains Regional Contracting Ofc, ATTN: MCAA GP L31 9V, 3851 Roger Brooke Drive, Fort Sam Houston, TX 78234-6200
 
ZIP Code
78234-6200
 
Solicitation Number
W81K00-09-T-0464
 
Response Due
9/10/2009
 
Archive Date
11/9/2009
 
Point of Contact
Darlena Rivera, 210 221-4541
 
E-Mail Address
Great Plains Regional Contracting Ofc
(darlena.rivera@amedd.army.mil)
 
Small Business Set-Aside
N/A
 
Description
THIS NOTICE IS PROVIDED FOR INFORMATION PURPOSES ONLY. THIS OPPORTUNITY IS AVAILABLE ONLY TO CONTRACTORS UNDER W81K00-09-T-0464. Amendment to incorporate the following B2B, Business Associate Agreement verbiage. Your proposal will remain as originally submitted unless you decide to re-submit based on this amendment. Acknowledgement of this amendment, to include a revised proposal if applicable, must be received in this office electronically by 9/10/09 @4:00PM CST.

BUSINESS ASSOCIATES

Introduction
In accordance with DoD 6025.18-R, Department of Defense Health Information Privacy Regulation, January 24, 2003, the Contractor meets the definition of Business Associate. Therefore, a Business Associate Agreement is required to comply with both the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security regulations. This clause serves as that agreement, whereby the Contractor agrees to abide by all applicable HIPAA Privacy and Security requirements regarding health information as defined in this clause and in DoD 6025.18-R and DoD 8580.02-R, as amended. Additional requirements will be addressed when implemented.

(a) Definitions. Terms used in this clause generally refer to the Code of Federal Regulations (CFR) definition unless a more specific provision exists in DoD 6025.18-R or DoD 8580.02-R.
Individual has the same meaning as the term "individual" in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
Protected Health Information has the same meaning as the term "protected health information" in 45 CFR 160.103, limited to the information created or received by the Contractor from or on behalf of the Government pursuant to the Contract.
Electronic Protected Health Information has the same meaning as the term "electronic protected health information" in 45 CFR 160.103.
Required by Law has the same meaning as the term "required by law" in 45 CFR 164.103.
Secretary means the Secretary of the Department of Health and Human Services or his/her designee.
Security Rule means the Health Insurance Reform: Security Standards at 45 CFR part 160, part 162 and part 164, subpart C.
Terms used, but not otherwise defined, in this Clause shall have the same meaning as those terms in 45 CFR 160.103, 160.502, 164.103, 164.304, and 164.501.

(b) The Contractor shall not use or further disclose Protected Health Information other than as permitted or required by the Contract or as Required by Law.
(c) The Contractor shall use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Contract.
(d) The Contractor agrees to use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits in the execution of this Contract.
(e) The Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to the Contractor of a use or disclosure of Protected Health Information by the Contractor in violation of the requirements of this Clause.
(f) The Contractor shall report to the Government any security incident involving protected health information of which it becomes aware.
(g) The Contractor shall report to the Government any use or disclosure of the Protected Health Information not provided for by this Contract of which the Contractor becomes aware.
(h) The Contractor shall ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by the Contractor on behalf of, the Government, agrees to the same restrictions and conditions that apply through this Contract to the Contractor with respect to such information.
(i) The Contractor shall ensure that any agent, including a subcontractor, to whom it provides electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it.
(j) The Contractor shall provide access, at the request of the Government and in the time and manner reasonably designated by the Government, to Protected Health Information in a Designated Record Set, to the Government or, as directed by the Government, to an Individual in order to meet the requirements under 45 CFR 164.524.
(k) The Contractor shall make any amendment(s) to Protected Health Information in a Designated Record Set that the Government directs or agrees to pursuant to 45 CFR 164.526, at the request of the Government and in the time and manner reasonably designated by the Government.
(l) The Contractor shall make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by the Contractor on behalf of, the Government available to the Government or, at the request of the Government, to the Secretary, in a time and manner reasonably designated by the Government or the Secretary, for purposes of the Secretary determining the Government's compliance with the Privacy Rule.
(m) The Contractor shall document such disclosures of Protected Health Information, and information related to such disclosures, as would be required for the Government to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.
(n) The Contractor shall provide to the Government or an Individual, in the time and manner reasonably designated by the Government, information collected in accordance with this Clause of the Contract, to permit the Government to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

General Use and Disclosure Provisions
Except as otherwise limited in this Clause, the Contractor may use or disclose Protected Health Information on behalf of, or to provide services to, the Government for treatment, payment, or healthcare operations purposes, in accordance with the specific use and disclosure provisions below, if such use or disclosure of Protected Health Information would not violate the HIPAA Privacy Rule, the HIPAA Security Rule, DoD 6025.18-R or DoD 8580.02-R if done by the Government.

Specific Use and Disclosure Provisions
(a) Except as otherwise limited in this Clause, the Contractor may use Protected Health Information for the proper management and administration of the Contractor or to carry out the legal responsibilities of the Contractor.
(b) Except as otherwise limited in this Clause, the Contractor may disclose Protected Health Information for the proper management and administration of the Contractor, provided that disclosures are required by law, or the Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Contractor of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Except as otherwise limited in this Clause, the Contractor may use Protected Health Information to provide Data Aggregation services to the Government as permitted by 45 CFR 164.504(e)(2)(i)(B).
(d) The Contractor may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).

Obligations of the Government
Provisions for the Government to Inform the Contractor of Privacy Practices and Restrictions
(a) The Government shall provide the Contractor with the notice of privacy practices that the Government produces in accordance with 45 CFR 164.520.
(b) The Government shall provide the Contractor with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect the Contractor's permitted or required uses and disclosures.
(c) The Government shall notify the Contractor of any restriction on the use or disclosure of Protected Health Information that the Government has agreed to in accordance with 45 CFR 164.522.

Permissible Requests by the Government
The Government shall not request the Contractor to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Privacy Rule, the HIPAA Security Rule, or any applicable Government regulations (including without limitation DoD 6025.18-R and DoD 8580.02-R) if done by the Government, except for providing Data Aggregation services to the Government and for management and administrative activities of the Contractor as otherwise permitted by this clause.

Termination
(a) Termination. A breach by the Contractor of this clause may subject the Contractor to termination under any applicable default or termination provision of this Contract.
(b) Effect of Termination.
(1) If this contract has records management requirements, the records subject to this Clause shall be handled in accordance with those records management requirements. If this contract does not have records management requirements, the records shall be handled in accordance with paragraphs (2) and (3) below.
(2) If this contract does not have records management requirements, then except as provided in paragraph (3) of this section, upon termination of this Contract for any reason, the Contractor shall return or destroy all Protected Health Information received from the Government, or created or received by the Contractor on behalf of the Government. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of the Contractor. The Contractor shall retain no copies of the Protected Health Information.
(3) If this contract does not have records management provisions and the Contractor determines that returning or destroying the Protected Health Information is infeasible, the Contractor shall provide to the Government notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Government and the Contractor that return or destruction of Protected Health Information is infeasible, the Contractor shall extend the protections of this Contract to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as the Contractor maintains such Protected Health Information.

Miscellaneous
(a) Regulatory References. A reference in this Clause to a section in DoD 6025.18-R, DoD 8580.02-R, the Privacy Rule or the Security Rule means the section currently in effect or as amended, and for which compliance is required.
(b) Survival. The respective rights and obligations of the Business Associate under the Effect of Termination provision of this Clause shall survive the termination of this Contract.
(c) Interpretation. Any ambiguity in this Clause shall be resolved in favor of a meaning that permits the Government to comply with DoD 6025.18-R, DoD 8580.02-R, the HIPAA Privacy Rule or the HIPAA Security Rule.

INFORMATION ASSURANCE/HIPAA

1. General Security Requirements. The Contractor shall establish appropriate administrative, technical, and physical safeguards to protect any and all Army data, to ensure the confidentiality, integrity, and availability of Army data. As a minimum, this shall include provisions for personnel security, electronic security and physical security as listed in the sections that follow.

2. Health Insurance Portability and Accountability Act of 1996 (HIPAA) Requirement. The HIPAA standard contract language is mandatory whenever a business associate (i.e., an outside person or agency) creates, receives, maintains, or transmits electronic protected health information (PHI) on behalf of a covered entity. This contract or agreement requires the business associate to:
a. Implement administrative, physical, and technical safeguards that will protect the confidentiality, integrity, and availability of the PHI.
b. Ensure all agents or subcontractors to whom the business associate provides PHI will also implement reasonable and appropriate safeguards to protect the information.
c. Report all security incidents.
d. Authorize termination of the contract if the organization finds that the business associate has violated the terms of the contract.
The HIPAA standard contract language is available at: http://www.tricare.mil/tmaprivacy/hipaa/hipaacompliance/images/pdf/BAA_11Mar8_Final.pdf. Additional guidance can be found in DoD 8580.02-R, Health Information Security Regulation.

3. Personnel Security.
3.1 The contractor shall comply with Army Regulation 25-2, Information Assurance (IA); Army Regulation 25-1, Army Knowledge Management and Information Technology; and DoD 6025.18-R, DoD Health Information Privacy Regulation.
3.2 Contractor responsibilities for ensuring personnel security include, but are not limited to, meeting the following requirements:
3.2.1 Follow the Army guidelines for submittal of Information Technology (IT) security background checks and ensure all contractor personnel are designated as IT-I, IT-II, or IT-III where their duties meet the criteria of the position sensitivity designations. Contact the Contracting Officer's Representative for guidance on the appropriate IT levels for personnel on the contract.
3.2.2 Initiate, maintain, and document personnel security investigations appropriate to the individual's responsibilities and required access to MEDCOM Sensitive Information (SI).
3.2.3 Immediately report to the Contracting Officer's Representative, and deny access to any automated information system (AIS), network, or MEDCOM SI, if a contractor employee filling a sensitive position receives an unfavorable adjudication, if information that would result in an unfavorable adjudication becomes available, or if directed to do so by the appropriate Army representative for security reasons.
3.2.4 Ensure that all contractor personnel receive information assurance (IA) training before being granted access to Army AISs/networks and/or MEDCOM SI.

4. Electronic Security.
4.1 Contractor Information Systems (IS)/networks that are involved in the operation of systems in support of the Army's Health System shall operate in accordance with controlling laws, regulations, and Army policy.
4.2 Certification & Accreditation (C&A) requirements apply to all Army and contractor IS/networks that receive, process, display, store or transmit Army information. The contractor shall comply with the C&A process for safeguarding SI. Certification is the determination of the appropriate level of protection required for IS/networks. Certification also includes a comprehensive evaluation of the technical and non-technical security features and countermeasures required for each system/network.
4.3 Accreditation is the formal approval by the Army to operate the contractor's IS/networks in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. In addition, accreditation allows IS/networks to operate within the given operational environment with stated interconnections, and with the appropriate level of protection for the specified period.
4.4 The contractor shall comply with C&A requirements, as specified by the Army, that meet appropriate Army Information Assurance requirements. The C&A requirements shall be met before the contractor's system is authorized to access Army data or interconnect with any Army IS/network that receives, processes, stores, displays or transmits Army data. The contractor shall initiate the C&A process by providing the Contracting Officer, within 60 days following contract award, the documentation necessary to receive an Approval to Operate (ATO). The contractor shall make its IS/networks available for testing, and initiate the C&A testing four months (120 days) in advance of accessing Army data or interconnecting with Army IS/networks. The contractor shall ensure the proper contractor support staff is available to participate in all phases of the C&A process. These include, but are not limited to:
e. Attending and supporting C&A meetings with the Army
f. Supporting/conducting the vulnerability mitigation process
g. Supporting the C&A Team during system security testing
4.5 Contractors must confirm that their IS/networks are locked down prior to initiating testing.
h. Confirmation of system lock down shall be agreed upon during the definition of the C&A boundary and be signed and documented as part of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP).
i. Locking down the system means that there shall be no changes made to the configuration of the system (within the C&A boundary) during the C&A process.
4.6 Any re-configuration or change in the system during the C&A testing process will require a re-baselining of the system and documentation of the system changes.
4.7 Vulnerabilities that have been identified by the Army as must-fix issues during the C&A process must be mitigated according to the timeline identified by the Army Representative. C&A checklists are provided for complying with Army C&A requirements. Reference material and C&A tools may be obtained at the USAMITC IA Document Library (Portal): https://mitc.amedd.army.mil/IA.
4.7.1 A request for a waiver to the C&A requirements may be submitted for temporary testing and other unusual circumstances. A waiver request must be submitted, in writing, to the Designated Approving Authority (DAA). The request must include mitigation strategies that ensure adequate protection measures and security controls are in place (for example, air-gapping a testing network).
4.8 Information Assurance Vulnerability Management (IAVM). The contractor shall implement an information assurance vulnerability management program. The Army IAVM program provides electronic security protections against known threats and vulnerabilities. The IAVM program requires the registration of AIS system assets, which then allows for the timely dissemination of critical vulnerability information. It also assists in the documentation and tracking of compliance, providing increased electronic security to MEDCOM systems. As part of the program, the contractor shall provide a primary and secondary point of contact in the Asset & Vulnerability Tracking Resource (A&VTR). The point of contact shall provide, upon receipt of a vulnerability message, an acknowledgment of receipt via the A&VTR. The contractor shall thoroughly test all mitigations for the vulnerability and, upon applying the mitigation to the system, report compliance in the A&VTR. Receipt and compliance messages to the Army shall occur within the stipulated time window, as stated in the vulnerability message or in the A&VTR.
4.8.1 The contractor shall ensure AIS assets that are under development are registered in the A&VTR and have all applicable electronic patches installed for the system (1) when the system is delivered to MEDCOM, or (2) if the AIS assets are used to store or process Army data prior to delivery (such as when being used in testing and development).
4.8.2 Guidance regarding the requirement for IAVM is contained in Army Regulation 25-2, Information Assurance, and Army Regulation 25-1, Army Knowledge Management and Information Technology. An asset is defined as any hardware device, such as a router, firewall, or server, or an operating system image accessed by more than one user. Primary servers and the workstations that they support are assets that must be registered in the A&VTR. The Army IAVM Community website (URL: https://www.us.army.mil/suite/personalization/grouppage.do?groupid=16822) is used to disseminate IAVAs, Information Assurance Vulnerability Bulletins (IAVBs), and Information Assurance Technical Advisories down to the System Administrator (SA) and applicable personnel throughout the chain of command.
4.8.3 The contractor shall maintain any development environments in accordance with MEDCOM Information Assurance (IA) best practices and operational requirements. During product development for the Army, the contractor shall ensure that all IA mitigation strategies have been applied to the development environment prior to any Army data being loaded onto any assets or software for testing or delivery.
4.8.4 IA mitigation strategies include security updates, service packs, and changes to operating procedures as physical and cyber vulnerabilities are detected. Operating systems, routers, servers, development platforms and the application being delivered to the Army shall be in compliance with all known applicable Army Computer Emergency Response Team (ACERT) Alert, Bulletin, and Technical Advisory Notices published during the past 36 months.
4.8.5 Disposing of Electronic Media. Vendors shall follow Army standards and procedures, and use approved products, to dispose of unclassified hard drives and other electronic media, as appropriate, in accordance with Army Regulation 25-2, Information Assurance, and the Army Best Business Practice (BBP), Reuse of Computer Hard Drives.
4.9 Ports, Protocols and Services. Vendors shall follow all current Army standards and requirements for acceptable Ports, Protocols, and Services. Any request for exception to the current Army Ports, Protocols, and Services standards must be sent through the Program Manager to the DAA.
4.10 Public Key Infrastructure and Encryption. Vendors shall follow the Army standards, policies, and procedures related to the use of Public Key Infrastructure (PKI) certificates and biometrics for positive authentication. Where interoperable PKI is required for the exchange of unclassified information between the Army and its vendors and contractors, industry partners shall obtain all necessary certificates. Vendors must turn over to the Army all encryption keys for deployed systems, backdoor algorithms, and procedures for their use in remote support. The Vendor must provide a written report detailing all of the above prior to task order expiration, regardless of modifications or extensions.

5. Information Systems (IS)/Networks Physical Security. The contractor shall employ physical security safeguards for IS/networks involved in processing or storage of Army data to prevent unauthorized access, disclosure, modification, destruction, use, etc., and to otherwise protect confidentiality and ensure use conforms with Army regulations. In addition, the contractor will support a Physical Security Audit performed by the Army of the contractor's internal information management infrastructure. The MHS Physical Security Audit Matrix is available at: http://www.tricare.mil/tmis_new/Policy/PSA_Matrix_%20012304%200930%20clean%20version.xls. The contractor shall correct any deficiencies identified by the Army in the contractor's physical security posture. The contractor shall be required to follow all requirements in the Army's Information Assurance Policy. New Army policies will be posted to the following website: http://www.apd.army.mil/. The contractor shall ensure that data which contains PHI is continuously protected from unauthorized access, use, modification, or disclosure. The contractor shall comply with all previously stated requirements for HIPAA, Personnel Security, Electronic Security, and Physical Security.
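Clauses 4.5 and 4.6 above require the contractor to confirm that nothing inside the C&A boundary changes during testing, and to re-baseline and document any change that does occur. A contractor has to be able to demonstrate that, not just assert it. The script below is an added example, not part of the notice or of any Army or DIACAP tooling: it records a SHA-256 baseline of every file in a boundary directory and reports additions, removals and modifications against that baseline. The directory layout, file names and contents are constructed for the demonstration; the only assumption is that the boundary can be expressed as a set of files on disk.

```python
"""Drift check for a C&A boundary that must stay locked down during testing.

Added example, not part of the notice. It assumes the boundary is a directory
tree of configuration files; every path and file body below is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def drift(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline agreed at boundary definition.

    Any non-empty list is a configuration change inside the boundary: under
    clause 4.6 the system must be re-baselined and the change documented.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
    }


def is_locked_down(report: dict) -> bool:
    """True only when nothing inside the boundary changed."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: sign off a baseline, then make three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\nProtocol 2\n")
        (root / "etc" / "ntp.conf").write_text("server 0.pool.ntp.org iburst\n")
        (root / "app.ini").write_text("[db]\nhost=localhost\n")

        # The serialized baseline is what gets signed and filed with the C&A package.
        signed_baseline = json.dumps(build_baseline(root), sort_keys=True)

        # Changes made during the C&A window: one edit, one removal, one addition.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\nProtocol 2\n")
        (root / "etc" / "ntp.conf").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backup").write_text("0 2 * * * root /opt/backup.sh\n")

        return drift(root, json.loads(signed_baseline))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("locked down:", is_locked_down(report))
```

In practice the baseline JSON is generated once the boundary is agreed, signed alongside the lock-down confirmation, and re-run before each test session; a non-empty report is the trigger for the re-baselining and change documentation clause 4.6 calls for. Hashing file contents rather than comparing timestamps matters because a reverted edit or a restored package leaves the same bytes behind and should not count as drift.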
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/USA/MEDCOM/DADA09/W81K00-09-T-0464/listing.html)
 
Place of Performance
Address: Great Plains Regional Contracting Ofc ATTN: MCAA GP L31 9V, 3851 Roger Brooke Drive Fort Sam Houston TX
Zip Code: 78234-6200
 
Record
SN01945012-W 20090910/090909083658-b5f1149bdd558a0073e19bc51e792861 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)

© 1994-2020, Loren Data Corp.