VETERANS AFFAIRS, DEPARTMENT OF USA Tender

B.3 Performance Work Statement b.3.1 Overview contractor Shall Provide All Labor, Supplies, Equipment, Maintenance, Information Technology, Transportation, And Supervision Necessary To Provide Cytogenetic Reference Laboratory Services To The William S. Middleton M Memorial Veterans Hospital Located In Madison, Wi. Cytogenetic Laboratory Services Include, But Are Not Limited To: Specimen Preparation And Storage; Transportation Of Clinical Laboratory Specimens, Performance Of Analytical Testing; Reporting Of Analytical Test Results; And Consultative Services. b.3.2 Start Of Work Meeting the Contractor Shall Attend A Three (3) Hour Start Of Work Meeting To Be Held Via Teleconference Within Fifteen (15) Business Days Following Contract Award. The Contractor Shall Have The Following Representation At The Start Of Work Meeting: customer Service Representative contracting Representative lead Pathologist the Contractor Will Be Given At Least A Ten (10) Business Day Notice Of The Time, Date And Location Of The Start Of Work Meeting. The Contractor Will Be Limited To Five Individuals Representing The Contractor At The Start Of Work Meeting Due To Limited Space. Three (3) Days Following The Receipt Of The Government S Start Of Work Meeting Notification, The Contractor Shall Provide The Names, Titles And Email Addresses Of The Individuals That Will Be Attending The Start Of Work Meeting To The Contracting Officer. b.3.3 Qualifications/requirements Of Laboratory & Contractor Personnel b.3.3.1 Laboratory b.3.3.1.1 Contractor Must Have At Least Three (3) Years Of Experience In Providing Rapid Response And Cytogenetic Laboratory Testing Services. b.3.3.1.2 Contractor, Including All Subcontractor(s), Must Continuously Hold A Certificate Of Compliance Or Certificate Of Accreditation From The Centers For Medicare & Medicaid Services As Meeting The Requirements Of The Clinical Laboratory Improvement Amendments Of 1988 Or Must Demonstrate Accreditation By A Regulatory Agency(s) With Deemed Status From The Centers For Medicare & Medicaid Services, E.g. The College Of American Pathologists, And/or Other State Regulatory Agencies, As Appropriate, And As Mandated By Federal And State Statutes. The Reference Laboratory (ies) Must Maintain Valid Certifications During The Entire Performance Period Of This Contract. b.3.3.1.3 Upon Reissued Or Re-certification, The Contractor Must Supply A Copy Of The Certifications Referenced In Section B.3.1.1.2 To The Contracting Officer S Representative Assigned To The Contract. The Above Documents Must Also Be Supplied For Each Reference Laboratory That Is A Subcontractor Of The Primary Contractor. b.3.3.1.4 Contractor Must Notify Immediately The Contracting Officer S Representative (cor), In Writing, Upon Loss Of Any Required Certification, Accreditation Or Licensure. b.3.3.1.5 Contractor Shall Maintain Safety And Health Standards Consistent With The Requirements Set Forth By The Occupational, Health, And Safety Administration (osha), And The Center For Disease Control (cdc) And Prevention. b.3.3.2 Personnel b.3.3.2.1 Contractor Shall Ensure All Testing And Supervisory Personnel At All Contractor-owned, Affiliate, Or Subcontracted Laboratories Assigned To Work Under This Contract Meet And Maintain The Applicable Personnel Qualifications Set Forth Under The Clinical Laboratory Improvement Amendments (clia) Of 1988 Regulations, The College Of American Pathology (cap) Accreditation Standards, Or Other Accrediting Organizations And State Standards. b.3.3.2.2 Contractor Shall Ensure Its Employees Have The Ability To Perform The Applicable Duties Consistent With Their License And Certification. b.3.3.2.3 Personnel Assigned By The Contractor To Perform The Services Covered By This Contract Shall Be Proficient In Written And Spoken English (38 Usc 7402). b.3.3.2.4 Any New Requirements For Mandatory Education And/or Competency Reassessment, Which Occur During The Contract Period, Shall Be Completed/documented By The Individual Contractor Employee(s) And Available Upon Request. b.3.3.2.5 Contractor/subcontractor Couriers Entering Any Government Facility Must Be Attired In A Contractor/subcontractor Issued Uniform That Bears The Name Of The Contractor/subcontractor S Company. In Addition, The Contractor/subcontractor Representative Shall Prominently Display A Contractor-issued Identification Badge. b.3.4 Specimen Preparation And Storage For Reference Testing Specimens b.3.4.1 Contractor Shall Provide The Government Facility With Its Commercial Laboratory Reference Test Manual (hard Copy) To Ensure That The Collection And Storage Of Specimens Are In Accordance With Contractor S Requirements. b.3.4.2 If The Contractor Requires Specialized Specimen Collection Containers/media, The Contractor Shall Supply The Government Facility With The Appropriate Collection Container/media And Safety Data Sheets (sds) To Ensure Proper Specimen Integrity And Chemical Spill Clean-up Efforts. b.3.4.2 Contractor Shall Be Responsible For Storing Specimens In Such A Manner To Ensure The Integrity Of The Specimen. b.3.5 Specimen Transportation/testing Laboratory Locations b.3.5.1 The Contractor Shall Be Responsible For All Services Related To The Transportation Of The Specimens From The Madison Va Medical Center To The Commercial Testing Laboratory. b.3.5.2 The Contractor/subcontractor Shall Have At Least One (1) Year Of Experience In Providing Transportation Of Biomedical Material Transportation Services. b.3.5.3 Due To The Critical Importance Of Maintaining The Viability Of The Specimen Cells, The Specimen Must Arrive At The Contractor S Testing Laboratory Within Eight (8) Hours Of The Telephone Request By The Government Facility. b.3.5.4 The Government Will Request Specimen Transportation Services Via Telephone To The Contractor Or Designee On An As Needed Basis, Monday Through Friday, 8:00 Am 4:30pm. The Contractor Shall Provide Same Day Specimen Pickup As Requested By The Government Facility. Historically, The Madison Va Medical Center Requests Specimens Testing Services Three (3) Times A Week And Sends Out 1 To 2 Packages Each Time. b.3.5.5 The Contractor Shall Implement And Maintain Specimen Transportation In Accordance With The Transportation Plan Submitted With The Offer For The Transportation Of Specimens From The Madison Va Medical Center To The Testing Laboratory. b.3.5.6 The Contractor Shall Receive A Copy Of The Orders Following Notification By The Government. The Orders Will Be Provided Via A Secure Fax To The Contractor. Contractor S Fax Machine To Receive These Orders Shall Be In A Secure Location. The Orders Will Contain At A Minimum The Following Information: b.3.5.6.1 Patient S Full Name b. 3.5.6.2 Patient S Identification Number, E.g. Social Security Number (ssn) b. 3.5.6.3 Physician S Name b. 3.5.6.4 Test(s) Ordered b. 3.5.6.5 Date/time Of Specimen Collection b. 3.5.6.6 Specimen Type b.3.5.7 The Contractor Shall Have Laboratory Personnel Available On Saturday To Accept/process Specimens, For When A Telephone Request Is Initiated On A Friday. b.3.6 Specimen Testing b.3.6.1 The Contractor And/or Subcontractor Shall Provide The Full Range Of Clinical And/or Anatomic Pathology Diagnostic Testing Capabilities To Execute All Required Tests As Annotated In Attachment 1. Contractor Shall Make Available The Following Test Information: b.3.6.1.1 Requisition Form Requirements b.3.6.1.2 Alphabetized Test Name List b.3.6.1.3 Test Order Code b.3.6.1.4 Specimen Collection And Preservation Requirements b.3.6.1.5 Test Method Employed (indicate If Testing Performed In Duplicate) b.3.6.1.6 Test Reference Intervals Adjusted For Age, Sex Or Race, When Required b.3.6.1.7 Test Specific Sensitivity, Specificity And Interferences, When Required b.3.6.1.8 Test Critical Values, If Any b.3.6.1.9 Policy For Critical Value Notification b.3.6.1.10 Cpt Coding b.3.6.1.11 Test Turnaround Times (minimum And Maximum Times Indicated); Where The Turnaround Time Is Defined As The Time Between Receipt Of Specimen By The Contractor And Receipt Of Results By A Government Facility. b.3.6.1.12 Schedule Of Test Performance (specific Days Of Week Indicated) b.3.6.1.13 Location Of Test Performance By Test Name (i.e. Name Of Primary Laboratory, Name Of Separate Branch/division Of Primary Lab, Name And Address Of Secondary (sub-contracted) Laboratory Must Be Cited) b.3.6.2 Preliminary Result Interpretation the Contractor Shall Provide Preliminary Test Result Interpretation Of Ordered Test And Provide Guidance To Untested Portion Of Tests Provide Recommendations. The Contractor Shall Provide Recommendations For Reflex Testing And/or Cancellation Of Government Requested Testing. b.3.6.3 Contractor Shall Notify The Contracting Officer And The Cor Of Any Test Information Modifications No Later Than Two Weeks Prior To The Implementation Date Of The Test Change. b.3.6.4 Any New Test(s) Not Listed In Attachment 1 Must Be Added To The Contract Through A Formal Contract Modification By The Contracting Officer Prior To Specimen Being Tested. The Contractor Will Not Be Reimbursed For Any Services/testing Requested By Anyone Other Than The Contracting Officer Through A Formal Contract Modification. b.3.6.5 All Reference Laboratory Testing Shall Be Executed In Accordance With Standard Industry Practices. It Is Preferred That Test Methods Are Fda Approved. Any Non-fda Approved Method Being Performed Shall Have A Disclaimer And Documented Validation Plan. Upon Request, The Validation Plan And Validation Results Shall Be Made Available To The Cor Or Designee. b.3.6.6 The Contractor Shall Ensure The Accurate And Timely Performance Of Laboratory Testing Services. b.3.7 Specimen Retention b.3.7.1 The Contractor Shall Store The Specimens A Minimum Of Three (3) Days After The Test Is Reported Or In Accordance With The Retention Requirements Of Their Regulatory Body, Whichever, Is Longer, In The Event That Subsequent Action Is Necessitated, E.g. Problem Solving And/or Repeat Testing. b.3.7.2 All Anatomic Pathology Materials (e.g., Histology Blocks, Slides Or Other Anatomic Pathology Material) Generated By The Va Shall Be Returned Within 7 Calendar Days After Final Report Is Issued. b.3.8 Reporting Of Results b.3.8.1 Contractor Shall Provide Timely And Appropriate Testing Of Patient Specimens As Requested By The Government Facility. Due To The Criticality Of The Diagnostic Information That Results From This Testing, The Turnaround Time (defined As The Time From Receipt Of The Specimen In The Testing Laboratory To The Receipt Of Test Results By The Madison Va Facility And Based On Specimen Type), Shall Be Minimal And Are Defined In Attachment 1. b.3.8.2 A Final Report Of Laboratory Testing Results Must Be Issued As A Printed Hard Copy. Contractor Shall Deliver The Reports Without An Additional Charge By Expedited Overnight Courier Shipping, Mailing And/or Transportation Services By Hand Within 24 Hours, Or By Telephone Facsimile To A Protected Machine Identified To The Contractor By The Va. Contractor S Fax Machine To Transmit The Test Results Shall Be In A Secure Location. Delivery By Electronic Mail I.e. Ms Outlook, Etc. Is Prohibited. b.3.8.3 Each Test Report Shall, At Minimum, Include The Following Information: b.3.8.3.1 Patient's Full Name b.3.8.3.2 Patient S Identification Number, E.g. Social Security Number (ssn) b.3.8.3.3 Physician S Name (if Supplied) b.3.8.3.4 Government Laboratory Accession Number (if Supplied) b.3.8.3.5 Submitting Facility Name b.3.8.3.6 Submitting Facility Account Number b.3.8.3.7 Patient's Location (clinic/ward) (if Supplied) b.3.8.3.8 Test(s) Ordered b.3.8.3.9 Date/time Of Specimen Collection (when Available) b.3.8.3.10 Day And Time Specimen Was Received At The Testing Facility b.3.8.3.11 Date/time Test Completed b.3.8.3.12 Test Result b.3.8.3.13 Reference Intervals (adjusted For Age, Sex Or Race, When Appropriate) b.3.8.3.14 Toxic And Therapeutic Ranges, If Applicable b.3.8.3.15 Flagged Abnormal Results b.3.8.3.16 Reference Laboratory Accession Number b.3.8.3.17 Name And Address Of Testing Laboratory b.3.8.3.18 Any Other Information The Laboratory Has That May Indicate A Questionable Validity Of Test Results. b.3.8.3.19 Specimen Inadequacy Shall Be Reported With Documentation Supporting Its Unsuitability For Testing. b.3.8.4 Test Results Determined By The Contractor To Be Critical, Shall Be Communicated By Telephone To A Designated Government Contact Person(s) At The Originating Government Laboratory Facility Upon Verification Of The Critical Test Result. The Telephonic Report Shall Be Followed By A Final Report Issued As A Printed (hard) Copy As Required In B.3.8.2.. b.3.9 Customer Service b.3.9.1 Contractor Shall Provide Customer Service Monday Friday 8:00am 4:30pm & Saturday 8:00am Noon., That Is Accessible By Telephone Service To Assist Government Staff For Tracking And Resolving Related Issues/problems That May Arise In The Performance Under This Contract. b.3.9.2 The Contractor Shall Notify The Originating Laboratory By Telephone Of Specimens Cancelled Due To Unacceptability For Reasons Relating To Volume, Specimen Container, Identification, Loss Of Specimen, Etc. Government Notification Shall Be Provided Within 24 Hours From When The Specimen Was Received At The Testing Laboratory. b.3.10 Consultative Services/utilization Reports b.3.10.1 Contractor Shall Provide Professional Consultative Services That Are Consistent With The Services Offered Commercially To Other Customers At No Cost To The Government. These Services May Include Consultations By Laboratory Professionals Or Experienced Physicians/phd On Test Or Methodology Selection Or Test Result Interpretation. b.3.10.2 Contractor Shall Provide Direct Communication With The Government Pathologist And Provide Additional Assistance In The Interpretation, Recommendation Of Additional Testing And Assist In The Diagnosis Of Clinical Illnesses. b.3.10.3 Contractor Shall Provide, To The Cor, A Monthly Report Detailing The Date And Time Of Specimen Receipt At The Testing Laboratory. b.4 Special Contract Requirements b.4.1 Services b.4.1.1 The Services Specified Herein May Be Changed By Written Modification To This Contract. The Va Contracting Officer Will Prepare The Modification (reference Far Clause 52.212-4(c), Changes) And, Prior To Becoming Effective, Shall Be Signed By Both Parties. Only The Contracting Officer Is Authorized To Make Commitments Or Issue Changes That Affect Price, Quantity, Or Quality Of Performance Of This Contract. In The Event The Contractor Effects Any Such Change At The Direction Of Any Person Other Than The Contracting Officer, The Change Shall Be Considered Unauthorized And No Adjustment Will Be Made In The Contract Price To Cover Any Increase In Costs Incurred As A Result Thereof. b.4.1.2 This Is A Non-personal Services Contract As Defined In Far 37.101. There Is No Employer-employee Relationship Between The Government And The Contractor Or The Contractor S Employee(s). Contractor Personnel Are Not Subject To The Supervision And Control Of A Government Officer Or Employee. Supervisory Functions Such As Hiring, Firing, Directing, And Counseling Of Contractor Personnel Are Not Performed By The Government. The Healthcare Contractor Who Furnishes Services Under This Contract Is Subject To Government Technical Oversight Of The Services. The Government Retains The Right To Reject Services For Contractual Non-performance. b.4.1.3 The Government May Evaluate The Quality Of Professional And Administrative Services Provided, But Retains No Control Over The Medical, Professional Aspects Of Services Rendered. b.4.1.4 Contractor Is Required To Maintain Medical Liability Insurance For The Duration Of This Contract. Medical Liability Insurance Shall Cover The Contractor For Services In All States Where Services Are Rendered By The Contractor. Contractor Shall Indemnify The Government For Any Liability Producing Act Or Omission By The Contractor, Its Employees And Agents Occurring During Contract Performance. b.4.1.5 Contractor Shall, In Writing, Keep The Contracting Officer Informed Of Any Unusual Circumstances In Conjunction With The Contract. b.4.1.6 Contractor Shall Not, Under Any Circumstances, Furnish Reports Directly To Patients. b.4.2 Term Of Contract b.4.2.1 This Contract Is Effective For A Base Period Of One (1) Year From The Effective Date Of Award. The Government, At Its Discretion, May Exercise Up To Four (4) Option Periods Of One (1) Year Each. The Contractor Shall Perform No Services After July 31st Of Each Year Until The Contracting Officer Authorizes Such Services In Writing. b.4.3 Availability Of Funds During A Continuing Resolution b.4.3.1 At The Beginning Of Each New Fiscal Year (october 1st) The Federal Government Or Parts Thereof May Be Operating Under A Continuing Resolution And Only Be Funded For A Limited Period Of Time Rather Than For The Entire Fiscal Year. If, At Any Time, Funds For This Contract Are Provided Under A Continuing Resolution (cr), Funds Will Only Be Available For Performance Under This Contract Up To And Including The Expiration Date Of The Cr, And Any Extension Thereof. The Government's Obligation For Performance Of This Contract Beyond That Date Is Contingent Upon The Availability Of Appropriated Funds From Which Payment For Contract Purposes Can Be Made. No Legal Liability On The Part Of The Government For Any Payment May Arise For Performance Under This Contract Beyond The Expiration Date Of The Cr, And Any Extension Thereof, Until Funds Are Made Available To The Contracting Officer For Performance And Until The Contractor Receives Notice Of Availability. b.4.4 Federal Holidays b.4.4.1 Contractor Is Not Required To Provide Transportation Of Specimens On Federal Holidays. The 11 Holidays Observed By The Federal Government Are: New Year S Day (january 1st), Martin Luther King S Birthday (3rd Monday In January), Presidents Day (3rd Monday In February), Memorial Day (last Monday In May), Juneteenth (june 19th) Independence Day (july 4th), Labor Day (1st Monday In September), Columbus Day/indigenous Peoples Day (2nd Monday In October), Veterans Day (november 11), Thanksgiving Day (4th Thursday In November), Christmas Day (december 25th) And Any Other Day Specifically Declared By The President Of The United States To Be A National Holiday. b.4.4.2 When One Of The Above Designated Legal Holidays Falls On A Sunday, The Following Monday Will Be Observed As A Legal Holiday. When A Legal Holiday Falls On A Saturday, The Preceding Friday Is Observed As A Holiday By U.s. Government Agencies. b.4.5 Hhs/oig to Ensure That The Individuals Providing Services Under The Contract Have Not Engaged In Fraud Or Abuse Regarding Sections 1128 And 1128a Of The Social Security Act Regarding Federal Health Care Programs, The Contractor Is Required To Check The Health And Human Services - Office Of Inspector General (hhs/oig), List Of Excluded Individuals/entities On The Oig Website (www.hhs.gov/oig) For Each Person Providing Services Under This Contract. The Listed Parties And Entities May Not Receive Federal Health Care Program Payments Due To Fraud And/or Abuse Of The Medicare And Medicaid Programs. During The Performance Of This Contract The Contractor Is Prohibited From Using Any Individual Or Business Listed On The List Of Excluded Individuals/entities. Any Healthcare Provider Or Entity That Employ Or Enter Into Contracts With Excluded Individuals Or Entities May Have A Civil Monetary Penalty (cmp) Imposed Against Them. By Signing This Offer, The Contractor Certifies That All Persons Or Entities Listed In The Contractor S Proposal Have Been Compared Against The Oig List And Are Not Listed As Of The Date The Offer Was Signed. b.4.6 Record Keeping Contractor contractor Shall Establish A Record Keeping System Of All Tests Performed. b.4.7 Medical Records clinical Or Other Medical Records (i.e. Test Results) Of Va Veteran Patients Treated By Contractor Under This Contract Are Owned By The Va And The Contractor Is Not Authorized To Release Or Utilize This Data For Any Use Other Than Contract Performance. If Requested, Test Results Will Be Mailed To The Va At No Additional Cost To The Government. Mail Shall Be Sent In Accordance With Va Directive 6609, Mailing Of Sensitive Personal Information. Contractor May Obtain A Copy Of Va Directive 6609 At The Following Website: Http://www1.va.gov/vhapublications/index.cfm. If A Subpoena Or Court Order Is Received For The Production Of A Medical Record/test Result, The Contractor Shall Notify The Contracting Officer That A Subpoena Or Court Order Was Received. b.4.8 Confidentiality Of Patient Records b.4.8.1 The Contractor Is A Va Contractor And Will Assist In The Provision Of Health Care To Patients Seeking Such Care From Or Through Va. As Such, The Contractor Is Considered As Being Part Of The Department Health Care Activity. Contractor Is Considered To Be A Va Contractor For Purposes Of The Privacy Act, Title 5 U.s.c. 552a. Further, For The Purpose Of Va Records Access And Patient Confidentiality, Contractor Is Considered To Be A Va Contractor For The Following Provisions: Title 38 U.s.c. 5701, 5705, And 7332. Therefore, Contractor May Have Access, As Would Other Appropriate Components Of Va, To Patient Medical Records Including Patient Treatment Records Pertaining To Drug And Alcohol Abuse, Hiv, And Sickle Cell Anemia, To The Extent Necessary To Perform Its Contractual Responsibilities. However, Like Other Components Of The Department, And Not Withstanding Any Other Provisions Of The Sharing Agreement, The Contractor Is Restricted From Making Disclosures Of Va Records, Or Information Contained In Such Records, To Which It May Have Access, Except To The Extent That Explicit Disclosure Authority From Va Has Been Received Or Disclosure Is Required By Law. The Contractor Is Subject To The Same Penalties And Liabilities For Unauthorized Disclosures Of Such Records As Va. b.4.8.2 The Records Referred To Above Shall Be And Remain The Property Of Va And Shall Not Be Removed Or Transferred From Va Except In Accordance With U.s.c.551a (privacy Act), 38 U.s.c. 5701 (confidentiality Of Claimants Records), 5 U.s.c. 552 (foia), 38 U.s.c. 5705 (confidentiality Of Medical Quality Assurance Records) 38 U.s.c. 7332 (confidentiality Of Certain Medical Records) And Federal Laws, Rules And Regulations. Subject To Applicable Federal Confidentiality Or Privacy Laws, The Contractor, Or Their Designated Representatives, And Designated Representatives Of Federal Regulatory Agencies Having Jurisdiction Over Contractor, May Have Access To Va S Records, At Va S Place Of Business On Request During Normal Business Hours, To Inspect And Review And Make Copies Of Such Records. b.4.9 Hipaa Compliance contractor Must Adhere To The Provisions Of Public Law 104-191, Health Insurance Portability And Accountability Act (hipaa) Of 1996 And The National Standards To Protect The Privacy And Security Of Protected Health Information (phi). As Required By Hipaa, The Department Of Health And Human Services (hhs) Has Promulgated Rules Governing The Security And Use And Disclosure Of Protected Health Information By Covered Entities, Including The Department Of Veterans Affairs (va). The Va Has Recognized Diagnostic Laboratory Facilities As Healthcare Providers And That The Phi Is Being Disclosed And/or Used For Treatment. Therefore, No Baa Is Required For Reference Laboratory Services. b.4.10 Designation Of Contract Representatives the Madison General Diagnostics Laboratory Supervisor Will Be Designated As The Contracting Officer Representative (cor) To Represent The Contracting Officer In Furnishing Guidance And Advice Regarding The Work Being Performed Under This Contract. The Cor Will Provide Technical Guidance, Verify Services Were Actually Performed, And Also Verify That Documentation For Services Performed Is Received Prior To Certifying Payment. The Foregoing Is Not To Be Construed As Authorization To Interpret Or Furnish Advice And Information To The Contractor Relative To The Financial Or Legal Aspects Of The Contract. Enforcement Of These Segments Is Vested In And Is The Responsibility Of The Contracting Officer. The Extent And Limitations Of The Cor Designation Will Be Provided In The Cor Delegation Memo. b.4.11 Contract Performance Monitoring b.4.11.1 Monitoring Of Contractor S Performance Shall Be Demonstrated Through Clinical And Administrative Record Reviews. Cor Will Be Responsible For Verifying Contract Compliance. Contracting Officer's Representative (cor) Will Designate Appropriate Va Personnel To Monitor Services Through One Or A Combination Of The Following Mechanisms: b.4.11.2 Departments Being Served Will Monitor Contractor Performance To Ensure That Services Called For In The Contract Have Been Received By Va In A Timely Manner. Any Incidents Of Contractor Noncompliance As Evidenced By The Monitoring Procedures Will Be Forwarded Immediately To The Contracting Officer. b.4.11.3 Documentation Of Services Performed Will Be Reviewed Prior To Certifying Payment. The Cor Will Perform Periodic Spot Checks And Document With The Using Service To Ensure Records Monitoring. Va Will Pay Only For Services Actually Provided, And In Strict Accordance With The Price Schedule/attachment A. Contract Monitoring And Recordkeeping Procedures Will Be Sufficient To Ensure Proper Payment And Allow Audit Verification That Services Were Provided. b.4.11.4 Departments Being Served, Through The Cor, Will Provide A Written Statement Annually To The Contracting Officer To Include A Summary Of Contractor Actions And A Statement That All Requirements Of The Contract Have Been Fulfilled As Agreed. This Summary Evaluation Will Be Submitted 45 Days Prior To Expiration Of Contract (and/or Prior To Election Of Option Year Renewals, If Applicable). b.4.12 Quality Assurance Monitoring b.4.12.1 Contractor Shall Maintain A Quality Assurance Program Related To Reference Laboratory Services Covered Under This Contract. b.4.12.2 Contractor Shall Also Participate In A Joint Quality Assurance Surveillance Program (qasp) With The Government Facility. This Program Must Minimally Address The Quality Aspects Representative To The Testing Process, I.e. Pre-analytical, Analytical And Post-analytical Variables And Include A Description Of Monitoring And Evaluation Activities. There Must Be A Mutually Agreed Upon Procedure For Responding To Issues, Problems And/or Concerns Identified By The Government With Details As To Whom And In What Timeframe The Matters Will Be Reconciled. The Issues That May Need To Be Addressed May Be General In Nature Or Specific To An Incident Or Event. The Contractor Will Meet Or Communicate With The Facility Staff For Process Review And Improvement Of Contract Performance On An As Needed Basis. b.4.12.3 Copies Of Licensure/certifications Are Also Required To Be Submitted Upon Request By The Va. b.4.12.4 Quality Factors That Va May Consider When Monitoring Quality Of Care May Include, But Are Not Limited To: Patient Medical Records, Security/privacy, Adverse Event Reporting, Turn-around Times, Timeliness To Customer Service Requests, Adherence To Transportation Requirements. b.4.12.5 These Monitoring Procedures And Disincentives For Contractor S Failure In Meeting These Tasks Are Further Illustrated In The Following Performance Requirements Summary Matrix: performance Objective tasks: performance standard acceptable (minimal) quality level (aql) monitoring method disincentives1 ensure The Safety And Integrity Of Bone Marrow Or Tissue Specimens no Loss Or Destruction Of Bone Marrow Or Tissue Specimens Iaw Pws B.3.4 99.5% Of The Time contractor Reporting; Government Inquiries. $572 For Each Bone Marrow Or Tissue Specimen Lost Or Destroyed Will Be Deducted From The Monthly Invoice. ensure The Safety And Integrity Of Peripheral Blood Specimens no Loss Or Destruction Of Peripheral Blood Specimens Iaw Pws B.3.4 98% Of The Time contractor Reporting; Government Inquiries. $71 For Each Peripheral Blood Specimen Lost Or Destroyed Will Be Deducted From The Monthly Invoice. transportation Of Bone all Bone Marrow Or 99.5% Of The 100% Inspection Of $572 For Each Bone Marrow Or 1 The Disincentives Above Are Based On The Va S Internal Costs Incurred When Additional Medical Procedures Or A Delay Of Healthcare Occurs Due To A Lost Or Destroyed Specimen. The Calculation Of Internal Costs Was Based On Cms Cpt Codes, Labor Costs And Patient Transportation Costs That Would Be Incurred If A Specimen Was To Be Recollected. marrow Or Tissue Specimens Within The Designated Timeframe tissue Specimens Are Transported To The Testing Facility Within 8 Hours Of Notification Iaw Pws B.3.5.3 time tat On 6 Randomly Selected Test Per Quarter tissue Specimen Lost Or Destroyed Will Be Deducted From The Monthly Invoice. transportation Of Peripheral Blood Specimens Within The Designated Timeframe all Peripheral Blood Specimens Are Transported To The Testing Facility Within 8 Hours Of Notification Iaw Pws B.3.5.3 98% Of The Time 100% Inspection Of Tat On 6 Randomly Selected Test Per Quarter $71 For Each Peripheral Blood Specimen Lost Or Destroyed Will Be Deducted From The Monthly Invoice. testing Services Will Be Performed In Accordance With The Defined Turnaround Times (tat) results Will Be Reported Within The Established Number Of Calendar Days Iaw Pws 3.8.1. 90% Of The Time. 100% Inspection Of The Tat On 6 Randomly Selected Tests Per Quarter 5% Of The Cost Of Each Test Result Reported Late Shall Be Deducted From The Monthly Invoice. b.4.12.6 If The Contractor Believes There Are Excusable Circumstances, The Contractor Shall Inform The Contracting Officer And The Cor And Provide A Detailed Explanation With The Excusable Delay Request. Excusable Circumstances May Result In Adjustment Of The Disincentives Established In The Performance Matrix Based Upon The Contracting Officer S Determination And Findings. b.4.13 Contractor Certification b.4.13.1 Citizenship-related Requirements: Contractor Must Adhere To And Return The Signed Certification Attachment 2 Found In Section D Of This Solicitation. This Certification Concerns A Matter Within The Jurisdiction Of An Agency Of The United States And The Making Of A False, Fictitious, Or Fraudulent Certification May Render The Maker Subject To Prosecutions Under 18 U.s.c. 1001. b.4.14 Required Registration With Contractor Performance Assessment System (cpars) b.4.14.1 As Prescribed In Federal Acquisition Regulation (far) Part 42.15, The Department Of Veterans Affairs (va) Evaluates Contractor Past Performance On All Contracts That Exceed The Thresholds Outlined In Far Part 42.15, And Shares Those Evaluations With Other Federal Government Contract Specialists And Procurement Officials Through The Past Performance Information Retrieval System (ppirs). The Far Requires That The Contractor Be Provided An Opportunity To Comment On Past Performance Evaluations Prior To The Posting Of Each Report. To Fulfill This Requirement Va Uses An Online Database, The Contractor Performance Assessment Reporting System (cpars). The Cpars Database Information Is Uploaded To The Past Performance Information Retrieval System (ppirs) Database, Which Is Available To All Federal Agencies. b.4.14.2 Each Contractor Whose Contract Award Is Estimated To Exceed The Thresholds Outlined In Far Part 42.15 Is Required To Provide To The Contracting Officer Contact Information For The Contractor S Representative With Their Response To The Solicitation. The Contractor Is Responsible To Notify The Contracting Officer Of Any Change To The Contractor S Representative During The Contract Performance Period. Contractor S Representative Contact Information Consists Of A Name And Email Address. b.4.14.3 The Government Will Register The Contract Within Thirty Days After Contract Award. For Contracts With A Period Of One Year Or Less, The Contracting Officer Will Perform A Single Evaluation When The Contract Is Complete. For Contracts Exceeding One Year, The Contracting Officer Will Evaluate The Contractor S Performance Annually. Intermediate Reports Will Be Filed Each Year Until The Last Year Of The Contract, When The Final Report Will Be Completed. Each Report Shall Be Forwarded In Cpars To The Contractor S Designated Representative For Comment. the Contractor S Representative Will Have Thirty Days To Submit Any Comments And Return The Report To The Va Contracting Officer. Failure By The Contractor To Respond Within Those Thirty Days Will Result In The Government S Evaluation Being Placed On File In Ppirs Without Contractor S Comments. [end Of Special Contract Requirements] b.5 Contract Security Requirements b.5.1 General b.5.1.1 Contractors, Contractor Personnel, Subcontractors, And Subcontractor Personnel Shall Be Subject To The Same Federal Laws, Regulations, Standards, And Va Directives And Handbooks As Va And Va Personnel Regarding Information And Information System Security. b.5.2 Contractor Personnel Security Requirements b.5.2.1 Failure To Comply With The Government S Personnel Security Requirements May Result In Termination Of The Contract For Default. b.5.2.2 Contractor And Its Subcontractors Shall Have A Current Process In Place For Conducting Employee Screening/background Checks As A Condition Of Employment With The Contractor Or Subcontractor. Contractor Shall Also Provide A Certification Memo Indicating That All Its Employees And Subcontractor Employees Having Access To Va Sensitive Information (ie. Laboratory Technicians And/or Technologists, Administrative Personnel) During The Performance Of This Contract Have Successfully Passed Through This Process To Their Standards. The Certification Memo Shall Be Provided To The Contracting Officer And Cor On An Annual Basis (employee Screening/background Checks Are Not Required To Be Re-conducted Annually). b.5.3 Security Training b.5.3.1 Due To The Increased Emphasis On Privacy And Information Security, The Following Special Contract Requirements Are Established And Hereby Made Part Of The Contract Entered Into With The Department Of Veterans Affairs. All Contractor Employees And Subcontractor Employees Requiring Access To Va Information And Va Information Systems Shall Complete The Following Before Being Granted To Va Information And Its Systems: b.5.3.2 Privacy & Information Security Training: Contractor And Their Sub-contractors Assigned Work Under The Contract Are Required To Receive Annual Training On Patient Privacy As Established By Hipaa Statues. Training Must Meet Vha S And/or The Department Of Health And Human Services Standards For Privacy Of Individually-identifiable Health Information. For Contractors And Sub-contractors Who Do Not Have Access To Vha Computer Systems, This Requirement Is Met By Receiving Vha National Privacy Training, Other Vha Approved Privacy Training, Or Contractor Furnished Training That Meets The Requirements Of The Hhs Standards. Contractor Shall Provide Certification To The Va Upon Request That All Employees And Sub-contractor Employees Assigned Work And/or Having Access To Protected Health Information Have Received Annual Training. b.5.3.3 Rules Of Behavior: Contractor Personnel Having Access To Va Systems Are Required To Read And Sign A Rules Of Behavior Statement, Which Outline Rules Of Behavior Related To Va Contracts. b.5.3.4 Failure To Complete Mandatory Annual Training And/or Sign The Rules Of Behavior Annually, Within The Timeframe Required, Is Grounds For Suspension Or Termination Of All Physical Or Electronic Access Privileges And Removal From Work On The Contract Until Such Time As The Training And Documents Are Complete. Information On Fulfilling The Training Requirements As Stated In Sections B.5.3.2 And B.5.3.3 Can Be Found At The Va Talent Management System (tms) At Https://www.tms.va.gov/secureauth35/. Once There, Follow The Steps To Create An Account, Launch The Mandatory Training, And Complete The Content. The Training Will Provide Information Regarding Privacy, Information Security, Rules Of Behavior, And Other Pertinent Topics Relevant To Work At The Va. If Any Difficulty Is Experienced While Creating An Account Or Completing The Mandatory Content, Contact The Va Mse Help Desk At 1.888.501.4917 Or Via Email At Vamsehelp@gpworldwide.com. b.5.3.5 As Va Routinely Reviews And Updates Policies And Procedures Covering Contractor Computer Access, Security Requirements May Change During The Term Of This Contract And New Policies And Procedures May Be Implemented Unilaterally During The Term Of This Contract. b.5.4 Va Information Custodial Language b.5.4.1 Information Made Available To The Contractor Or Subcontractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor/subcontractor In Performance Or Administration Of The Contract Shall Be Used Only For Those Purposes And Shall Not Be Used In Any Other Way Without The Prior Written Agreement Of The Va. This Clause Expressly Limits The Contractor/subcontractor's Rights To Use Data As Described In Rights In Data - General, Far 52.227-14(d) (1). b.5.4.2 Va Information Should Not Be Co-mingled, If Possible, With Any Other Data On The Contractors/subcontractor S Information Systems Or Media Storage Systems In Order To Ensure Va Requirements Related To Data Protection And Media Sanitization Can Be Met. If Co-mingling Must Be Allowed To Meet The Requirements Of The Business Need, The Contractor Must Ensure That Va S Information Is Returned To The Va Or Destroyed In Accordance With Va S Sanitization Requirements. Va Reserves The Right To Conduct On-site Inspections Of Contractor And Subcontractor It Resources To Ensure Data Security Controls, Separation Of Data And Job Duties, And Destruction/media Sanitization Procedures Are In Compliance With Va Directive Requirements. b.5.4.3 Prior To Termination Or Completion Of This Contract, Contractor/subcontractor Must Not Destroy Information Received From Va, Or Gathered/created By The Contractor In The Course Of Performing This Contract Without Prior Written Approval By The Va. Any Data Destruction Done On Behalf Of Va By A Contractor/subcontractor Must Be Done In Accordance With National Archives And Records Administration (nara) Requirements As Outlined In Va Directive 6300, Records And Information Management And Its Handbook 6300.1 Records Management Procedures, Applicable Va Records Control Schedules, And Va Handbook 6500.1, Electronic Media Sanitization. Self-certification By The Contractor That The Data Destruction Requirements Above Have Been Met Must Be Sent To The Va Contracting Officer Within 30 Days Of Termination Of The Contract. b.5.4.4 The Contractor/subcontractor Must Receive, Gather, Store, Back Up, Maintain, Use, Disclose And Dispose Of Va Information Only In Compliance With The Terms Of The Contract And Applicable Federal And Va Information Confidentiality And Security Laws, Regulations And Policies. If Federal Or Va Information Confidentiality And Security Laws, Regulations And Policies Become Applicable To The Va Information Or Information Systems After Execution Of The Contract, Or If Nist Issues Or Updates Applicable Fips Or Special Publications (sp) After Execution Of This Contract, The Parties Agree To Negotiate In Good Faith To Implement The Information Confidentiality And Security Laws, Regulations And Policies In This Contract. b.5.4.5 The Contractor/subcontractor Shall Not Make Copies Of Va Information Except As Authorized And Necessary To Perform The Terms Of The Agreement Or To Preserve Electronic Information Stored On Contractor/subcontractor Electronic Storage Media For Restoration In Case Any Electronic Equipment Or Data Used By The Contractor/subcontractor Needs To Be Restored To An Operating State. If Copies Are Made For Restoration Purposes, After The Restoration Is Complete, The Copies Must Be Appropriately Destroyed. b.5.4.6 If Va Determines That The Contractor Has Violated Any Of The Information Confidentiality, Privacy, And Security Provisions Of The Contract, It Shall Be Sufficient Grounds For Va To Withhold Payment To The Contractor Or Third Party Or Terminate The Contract For Default Or Terminate For Cause Under Federal Acquisition Regulation (far) Part 12. b.5.4.7 If A Vha Contract Is Terminated For Cause, Any Associated Baa Must Also Be Terminated And Appropriate Actions Taken In Accordance With Vha Handbook 1600.01, Business Associate Agreements. Absent An Agreement To Use Or Disclose Protected Health Information, There Is No Business Associate Relationship. b.5.4.8 The Contractor/subcontractor Must Store, Transport, Or Transmit Va Sensitive Information In An Encrypted Form, Using Va-approved Encryption Tools That Are, At A Minimum, Fips 140-2 Validated. b.5.4.9 The Contractor/subcontractor S Firewall And Web Services Security Controls, If Applicable, Shall Meet Or Exceed Va S Minimum Requirements. Va Configuration Guidelines Are Available Upon Request. b.5.4.10 Except For Uses And Disclosures Of Va Information Authorized By This Contract For Performance Of The Contract, The Contractor/subcontractor May Use And Disclose Va Information Only In Two Other Situations: (i) In Response To A Qualifying Order Of A Court Of Competent Jurisdiction, Or (ii) With Va S Prior Written Approval. The Contractor/subcontractor Must Refer All Requests For, Demands For Production Of, Or Inquiries About, Va Information And Information Systems To The Va Contracting Officer For Response. b.5.4.11 Notwithstanding The Provision Above, The Contractor/subcontractor Shall Not Release Va Records Protected By Title 38 U.s.c. 5705, Confidentiality Of Medical Quality Assurance Records And/or Title 38 U.s.c. 7332, Confidentiality Of Certain Health Records Pertaining To Drug Addiction, Sickle Cell Anemia, Alcoholism Or Alcohol Abuse, Or Infection With Human Immunodeficiency Virus. If The Contractor/subcontractor Is In Receipt Of A Court Order Or Other Requests For The Above Mentioned Information, That Contractor/subcontractor Shall Immediately Refer Such Court Orders Or Other Requests To The Va Contracting Officer For Response. b.5.4.12 For Service That Involves The Storage, Generating, Transmitting, Or Exchanging Of Va Sensitive Information But Does Not Require C&a Or An Mou-isa For System Interconnection, The Contractor/subcontractor Must Complete A Contractor Security Control Assessment (csca) On A Yearly Basis And Provide It To The Co And Cor. b.5.5 Information System Hosting, Operation, Maintenance, Or Use b.5.5.1 For Information Systems That Are Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities, Contractors/subcontractors Are Fully Responsible And Accountable For Ensuring Compliance With All Hipaa, Privacy Act, Fisma, Nist, Fips, And Va Security And Privacy Directives And Handbooks. This Includes Conducting Compliant Risk Assessments, Routine Vulnerability Scanning, System Patching And Change Management Procedures, And The Completion Of An Acceptable Contingency Plan For Each System. The Contractor S Security Control Procedures Must Be Equivalent, To Those Procedures Used To Secure Va Systems. A Privacy Impact Assessment (pia) Must Also Be Provided To The Cor And Approved By Va Privacy Service Prior To Operational Approval. All External Internet Connections To Va S Network Involving Va Information Must Be Reviewed And Approved By Va Prior To Implementation. b.5.5.2 Adequate Security Controls For Collecting, Processing, Transmitting, And Storing Of Personally Identifiable Information (pii), As Determined By The Va Privacy Service, Must Be In Place, Tested, And Approved By Va Prior To Hosting, Operation, Maintenance, Or Use Of The Information System, Or Systems By Or On Behalf Of Va. These Security Controls Are To Be Assessed And Stated Within The Pia And If These Controls Are Determined Not To Be In Place, Or Inadequate, A Plan Of Action And Milestones (poa&m) Must Be Submitted And Approved Prior To The Collection Of Pii. b.5.5.3 Outsourcing (contractor Facility, Contractor Equipment Or Contractor Staff) Of Systems Or Network Operations, Telecommunications Services, Or Other Managed Services Requires Certification And Accreditation (authorization) (c&a) Of The Contractor S Systems In Accordance With Va Handbook 6500.3, Certification And Accreditation And/or The Va Ocs Certification Program Office. Government-owned (government Facility Or Government Equipment) Contractor-operated Systems, Third Party Or Business Partner Networks Require Memorandums Of Understanding And Interconnection Agreements (mou-isa) Which Detail What Data Types Are Shared, Who Has Access, And The Appropriate Level Of Security Controls For All Systems Connected To Va Networks. b.5.5.4 The Contractor/subcontractor S System Must Adhere To All Fisma, Fips, And Nist Standards Related To The Annual Fisma Security Controls Assessment And Review And Update The Pia. Any Deficiencies Noted During This Assessment Must Be Provided To The Va Contracting Officer And The Iso For Entry Into Va S Poa&m Management Process. The Contractor/subcontractor Must Use Va S Poa&m Process To Document Planned Remedial Actions To Address Any Deficiencies In Information Security Policies, Procedures, And Practices, And The Completion Of Those Activities. Security Deficiencies Must Be Corrected Within The Timeframes Approved By The Government. Contractor/subcontractor Procedures Are Subject To Periodic, Unannounced Assessments By Va Officials, Including The Va Office Of Inspector General. The Physical Security Aspects Associated With Contractor/subcontractor Activities Must Also Be Subject To Such Assessments. If Major Changes To The System Occur That May Affect The Privacy Or Security Of The Data Or The System, The C&a Of The System May Need To Be Reviewed, Retested And Re-authorized Per Va Handbook 6500.3. This May Require Reviewing And Updating All Of The Documentation (pia, System Security Plan, And Contingency Plan). The Certification Program Office Can Provide Guidance On Whether A New C&a Would Be Necessary. b.5.5.5 The Contractor/subcontractor Must Conduct An Annual Self-assessment On All Systems And Outsourced Services As Required. Both Hard Copy And Electronic Copies Of The Assessment Must Be Provided To The Co And The Cor. The Government Reserves The Right To Conduct Such An Assessment Using Government Personnel Or Another Contractor/subcontractor. The Contractor/subcontractor Must Take Appropriate And Timely Action (this Can Be Specified In The Contract) To Correct Or Mitigate Any Weaknesses Discovered During Such Testing, Generally At No Additional Cost. b.5.6 Security Incident Investigation b.5.6.1 The Term Security Incident Means An Event That Has, Or Could Have, Resulted In Unauthorized Access To, Loss Or Damage To Va Assets, Or Sensitive Information, Or An Action That Breaches Va Security Procedures. The Contractor/subcontractor Shall Immediately Notify The Cor And Simultaneously, The Designated Iso And Privacy Officer For The Contract Of Any Known Or Suspected Security/privacy Incidents, Or Any Unauthorized Disclosure Of Sensitive Information, Including That Contained In System(s) To Which The Contractor/subcontractor Has Access. b.5.6.2 To The Extent Known By The Contractor/subcontractor, The Contractor/subcontractor S Notice To Va Shall Identify The Information Involved, The Circumstances Surrounding The Incident (including To Whom, How, When, And Where The Va Information Or Assets Were Placed At Risk Or Compromised), And Any Other Information That The Contractor/subcontractor Considers Relevant. b.5.6.3 With Respect To Unsecured Protected Health Information, The Business Associate Is Deemed To Have Discovered A Data Breach When The Business Associate Knew Or Should Have Known Of A Breach Of Such Information. Upon Discovery, The Business Associate Must Notify The Covered Entity Of The Breach. Notifications Need To Be Made In Accordance With The Executed Business Associate Agreement. b.5.6.4 In Instances Of Theft Or Break-in Or Other Criminal Activity, The Contractor/subcontractor Must Concurrently Report The Incident To The Appropriate Law Enforcement Entity (or Entities) Of Jurisdiction, Including The Va Oig And Security And Law Enforcement. The Contractor, Its Employees, And Its Subcontractors And Their Employees Shall Cooperate With Va And Any Law Enforcement Authority Responsible For The Investigation And Prosecution Of Any Possible Criminal Law Violation(s) Associated With Any Incident. The Contractor/subcontractor Shall Cooperate With Va In Any Civil Litigation To Recover Va Information, Obtain Monetary Or Other Compensation From A Third Party For Damages Arising From Any Incident, Or Obtain Injunctive Relief Against Any Third Party Arising From, Or Related To, The Incident. b.5.7 Liquidated Damages For Data Breach b.5.7.1 Consistent With The Requirements Of 38 U.s.c. §5725, A Contract May Require Access To Sensitive Personal Information. If So, The Contractor Is Liable To Va For Liquidated Damages In The Event Of A Data Breach Or Privacy Incident Involving Any Spi The Contractor/subcontractor Processes Or Maintains Under This Contract. b.5.7.2 The Contractor/subcontractor Shall Provide Notice To Va Of A Security Incident As Set Forth In The Security Incident Investigation Section Above. Upon Such Notification, Va Must Secure From A Non-department Entity Or The Va Office Of Inspector General An Independent Risk Analysis Of The Data Breach To Determine The Level Of Risk Associated With The Data Breach For The Potential Misuse Of Any Sensitive Personal Information Involved In The Data Breach. The Term 'data Breach' Means The Loss, Theft, Or Other Unauthorized Access, Or Any Access Other Than That Incidental To The Scope Of Employment, To Data Containing Sensitive Personal Information, In Electronic Or Printed Form, That Results In The Potential Compromise Of The Confidentiality Or Integrity Of The Data. Contractor Shall Fully Cooperate With The Entity Performing The Risk Analysis. Failure To Cooperate May Be Deemed A Material Breach And Grounds For Contract Termination. b.5.7.3 Each Risk Analysis Shall Address All Relevant Information Concerning The Data Breach, Including The Following: b.5.7.3.1 Nature Of The Event (loss, Theft, Unauthorized Access); b.5.7.3.1 Description Of The Event, Including: b.5.7.3.1.1 Date Of Occurrence; b.5.7.3.1.2 Data Elements Involved, Including Any Pii, Such As Full Name, Social Security Number, Date Of Birth, Home Address, Account Number, Disability Code; b.5.7.3.2 Number Of Individuals Affected Or Potentially Affected; b.5.7.3.3 Names Of Individuals Or Groups Affected Or Potentially Affected; b.5.7.3.4 Ease Of Logical Data Access To The Lost, Stolen Or Improperly Accessed Data In Light Of The Degree Of Protection For The Data, E.g., Unencrypted, Plain Text; b.5.7.3.5 Amount Of Time The Data Has Been Out Of Va Control; b.5.7.3.6 The Likelihood That The Sensitive Personal Information Will Or Has Been Compromised (made Accessible To And Usable By Unauthorized Persons); b.5.7.3.7 Known Misuses Of Data Containing Sensitive Personal Information, If Any; b.5.7.3.8 Assessment Of The Potential Harm To The Affected Individuals; b.5.7.3.9 Data Breach Analysis As Outlined In 6500.2 Handbook, Management Of Security And privacy Incidents, As Appropriate; And b.5.7.3.10 Whether Credit Protection Services May Assist Record Subjects In Avoiding Or Mitigating The Results Of Identity Theft Based On The Sensitive Personal Information That May Have Been Compromised. b.5.7.4 Based On The Determinations Of The Independent Risk Analysis, The Contractor Shall Be Responsible For Paying To The Va Liquidated Damages In The Amount Of $37.50 Per Affected Individual To Cover The Cost Of Providing Credit Protection Services To Affected Individuals Consisting Of The Following: b.5.7.4.1 Notification; b.5.7.4.2 One Year Of Credit Monitoring Services Consisting Of Automatic Daily Monitoring Of At Least 3 Relevant Credit Bureau Reports; b.5.7.4.3 Data Breach Analysis; b.5.7.4.4 Fraud Resolution Services, Including Writing Dispute Letters, Initiating Fraud Alerts And Credit Freezes, To Assist Affected Individuals To Bring Matters To Resolution; b.5.7.4.5 One Year Of Identity Theft Insurance With $20,000.00 Coverage At $0 Deductible; And b.5.7.4.6 Necessary Legal Expenses The Subjects May Incur To Repair Falsified Or Damaged Credit Records, Histories, Or Financial Affairs. b.5.8 Security Controls Compliance Testing b.5.8.1 On A Periodic Basis, Va, Including The Office Of Inspector General, Reserves The Right To Evaluate Any Or All Of The Security Controls And Privacy Practices Implemented By The Contractor Under The Clauses Contained Within The Contract. With Ten (10) Business-day Notice, At The Request Of The Government, The Contractor Must Fully Cooperate And Assist In A Government-sponsored Security Controls Assessment At Each Location Wherein Va Information Is Processed Or Stored, Or Information Systems Are Developed, Operated, Maintained, Or Used On Behalf Of Va, Including Those Initiated By The Office Of Inspector General. The Government May Conduct A Security Control Assessment On Shorter Notice (to Include Unannounced Assessments) As Determined By Va In The Event Of A Security Incident Or At Any Other Time. b.5.9 Access To Va Information And Va Information Systems b.5.9.1 A Contractor/subcontractor Shall Request Logical (technical) Or Physical Access To Va Information And Va Information Systems For Their Employees, Subcontractors, And Affiliates Only To The Extent Necessary To Perform The Services Specified In The Contract, Agreement, Or Task Order b.5.10 Va Sensitive Information & Data Security Requirements b.5.10.1 Paper, Plastic Or Other Similar Based Media Containing Va Sensitive Data That Is Not Sent To The Va Will Be Properly Disposed Of By The Contractor By Methods Such As Shredders With No Larger Than 1/8 Inch Width Cuts And Then Cross Cut. This Media Will Be Destroyed Such That Information May Not Be Retrieved. Media With Small Print, Such As Microfilm Will Be Completely Destroyed Such As To Render The Information Unrecoverable. b.5.10.2 The Contractor Will Take Due Diligence To Make Sure That Va Sensitive Information And Data That Is Viewed, Faxed Or Similarly Transmitted, Or Discussed Verbally Is Protected From Unapproved Disclosure. b.5.10.3 Va Sensitive Information And Data May Not Be Transmitted Across The Internet Unencrypted (including Email And Instant Messaging) And Must Be Protected By (va-vpn) Va Virtual Private Network And/or Va Approved Encryption Process (example: Pki Public Key Infrastructure). b.5.10.4 Va Sensitive Information May Not Reside On Non-va Systems Or Devices Unless Specifically Designated And Approved As Appropriate For The Terms Of The Contract. All Systems That Store Or Process Va Data Will Be Protected With Va Approved Encryption (typically Fisps 140-2 Compliant). b.5.10.5 Any Security Violations Or Suspected Violations Shall Be Immediately Reported To The Va Contracting Officer And The Assigned Va Information Security Officer (iso). [end Of Contract Security Requirements] [end Of Section B]