This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in
FAR Subpart 12.6, as supplemented with additional information included in this notice. This
announcement constitutes the only solicitation: quotes are being requested and a written solicitation will
not be issued. Solicitation number W91YTZ-18-T-0184 is issued as a Request for Quotation (RFQ). The
solicitation document and incorporated provisions and clauses are those in effect through Federal
Acquisition Circular FAC 2005-95 and Defense Federal Acquisition Supplement Publication (DPN)
20161222.
This acquisition is issued on an UNRESTRICTED FULL AND OPEN COMPETITION basis under NAICS
CODE: 339113 and Size Standard is 750. The Government anticipates awarding a single award issued
as Firm Fixed Price. The requirement of this solicitation is to provide a one-time buy for a Sigma Knee
System for Eisenhower Army Medical Center, Fort Gordon, GA. All responsible sources may submit a
quotation which shall be considered by the agency.
Quotes are due by 6 April 2018 at 12:00 pm EST. Quotes and questions shall be submitted via
email to
[email protected].
This is a BRAND NAME OR EQUAL SOLICITATION. The Brand Name is DEPUY Sigma Knee System.
If submitting an "or equal" quote, the offer must comply with the Addendum to FAR 52.212-1 and FAR
52.211-6, Brand Name or Equal.
ITEM NO 0001. Sigma Knee System
QTY: 1 UNIT: EACH UNIT PRICE:
TOTAL:
TOTAL $
Delivery Address
Eisenhower Army Medical Center
300 Hospital Road
Fort Gordon, GA 30905
The following provisions in their latest edition apply to this solicitation FAR Clauses and provisions
can be viewed at https://farsite.hill.af.mil.
SOLICITATION PROVISIONS
52.212-1 -- INSTRUCTIONS TO OFFERORS -- COMMERCIAL ITEMS (JAN 2017)
Addendum to 52.212-1
Para (b) Submission of Offers: The following supplements this paragraph with respect to the
information and documents required for submission in response to this solicitation.
All responsible offerors must submit:
- Technical Description of items being offered (see note)
- CLIN/ITEM Number Pricing (filled out)
- Company's Dunn and Bradstreet number (DUNS)
- CAGE code
- Delivery Time
- Company Contact Information, for evaluation purposes.
2
- Fill out and return 52.212-3 Alt I (Registration in SAM can be substituted for FAR 52.212- 3 Alt I.
The information in SAM must be current and complete before an award can be made. Contractor
shall not have any Active Exclusion Record in SAM.
NOTE: If providing an "equal" item(s), comply with FAR Provision 52.211-6, Brand Name or Equal.
Explain in detail how the proposed items will meet the salient characteristics of the items as specified
here in the solicitation. Offerors shall demonstrate that the product proposed complies with the technical
requirements described in the salient characteristics via the submission of a written capability statement,
product literature, or other materials, with their offer. Offerors shall cross-reference their product to its
"equal" in the solicitation via the use of part numbers or another methodology that clearly identifies what
the submitted product is "equal" to. Offerors shall ensure their proposed quantities result in the same
number of items required, as identified in the solicitation.
Salient Characteristics:
Performance
1 each Sigma knee implant and instrumentation or equivalent with vendor rep available in the operating
room during patient specific surgery scheduled for 10 APR 2018. The SIGMA® surgical total knee system
must be of High Performance Partial Knee is a unique system comprised of unicondylar and patellofemoral
implants and be able to perform both of these procedures. The system's implants must be able to treat
degenerative joint disease one compartment at a time: medial uni, lateral uni and patellofemoral. The
modularity of the system must be capable of detecting early intervention revision, and disease progression.
It must have the ability to maintain the ACL with this system, and the normal kinematics in activities of daily
living. The uni components must be designed for patients who require a higher than normal degree of
flexion, and provide support up to 155 degrees. The combination of the polished cobalt chrome tray with a
moderately cross linked polyethylene insert is required to help reduce backside wear. The surgical
instrumentation must be able to preserve bone and soft tissue.
(m) The non-FAR Part 12 discretionary FAR, DFARS, AFARS, and MEDCOM provisions included
herein are incorporated into this solicitation either by reference or in full text. If incorporated by
reference, see provision 52.252-1 for locations where full text can be obtained.
(End of Provision)
52.204-16 - COMMERCIAL AND GOVERNMENT ENTITY CODE REPORTING (JUL 2016)
52.211-6 -- BRAND NAME OR EQUAL (AUG 1999)
52.214-34 - SUBMISSION OF OFFERS IN THE ENGLISH LANGUAGE (APR 1991)
52.223-1 - BIOBASED PRODUCT CERTIFICATION (MAY 2012)
52.225-25 -- PROHIBITION ON ENGAGING IN SANCTIONED ACTIVITIES RELATING TO IRANCERTIFICATION
(OCT 2015)
52.209-2 -- PROHIBITION ON CONTRACTING WITH INVERTED DOMESTIC
CORPORATIONS - REPRESENTATIONS (NOV 2015)
52.209-11 - REPRESENTATION BY CORPORATIONS REGARDING DELINQUENT TAX
LIABILITY OR A FELONY CONVICTION UNDER ANY FEDERAL LAW (FEB 2016)
3
52.252-1 -- SOLICITATION PROVISIONS INCORPORATED BY REFERENCE (FEB 1998);
http://farsite.hill.af.mil/ (Fill-in Text)
52.252-5 -- AUTHORIZED DEVIATIONS IN PROVISIONS (APR 1984) ( "DoD FAR
Supplement (48 CFR Chapter 2)" in paragraph (b)) (Filled-in Text)
252.203-7005 -- REPRESENTATION RELATING TO COMPENSATION OF FORMER DOD OFFICIALS
(NOV 2011)
252.204-7008 - COMPLIANCE WITH SAFEGUARDING COVERED DEFENSE INFORMATION
CONTROLS (OCT 2016)
252.204-7011 -- ALTERNATIVE LINE-ITEM STRUCTURE (SEP 2011) (See CLINS)
252.225-7000 - BUY AMERICAN - BALANCE OF PAYMENTS PROGRAM CERTIFICATE - BASIC
(NOV 2014)
(End of Addendum to 52.212-1)
52.212-2 -- EVALUATION -- COMMERCIAL ITEMS (OCT 2014)
Addendum to 52.212-2
The Government will award a contract resulting from this solicitation to the responsible offeror whose
offer conforming to the solicitation will be most advantageous to the Government, price and other
factors considered. The following factors shall be used to evaluate offers: Lowest Price Technically
Accepted (LPTA). Award may be made without discussions with offerors (except communications
conducted for the purpose of minor clarification). Therefore, each initial offer should contain the
offeror's best terms from a technical and price standpoint.
However, the Government reserves the right to conduct discussions if it is later determined by the
contracting officer to be necessary.
Paragraph (a) is hereby replaced with the following:
(a). The Government will award a Firm-Fixed-Price contract resulting from this solicitation, to the
responsible offer conforming to the solicitation that is lowest price technical acceptability. The
following factors shall be used to evaluate offers:
1. In Accordance with Brand Name or Equal FAR 52.211-6. Sigma Knee System to be
considered for award, offers of "equal" products, including "equal" products of the brand name
manufacturer, must -
a. Meet the salient physical, functional, or performance characteristic
specified below and in this solicitation;
b. Clearly identify the item by-
(i) Brand name, if any; and
(ii) Make or model number
c. Include descriptive literature such as illustrations, drawings, or a clear reference
to previous furnished descriptive data or information available to the Contracting
Officer; and clearly describe any modification the offeror plans to make in a
product to make it conform to the solicitation requirements. Mark any
descriptive material to clearly show the modification.
d. Product Quality: Provide evidence for the quality of product.
e. Warranty for product detailing length of service coverage, parts
covered must be included.
4
f. Price will be evaluated for fairness and reasonability in terms of:
(i) That the prices are consistent with and reflect the proposed requirement.
(ii) Pricing will be evaluated for fair and reasonable in terms of the Government's
requirements. The Government is interested in proposals that meet the
requirements with acceptable risk, at the lowest price technically acceptable.
g. Quoters shall submit quotes to Gordon Health Contracting Cell Office to arrive
no later than 12:00 PM eastern standard time on 6 April, 2018. Quotes can
be submitted via email to
[email protected]. Mailed and faxed
submissions are not acceptable.
h. Evaluation Process: All quotes will be evaluated on overall product quality,
warranty, service repair and price. Must meet the functional characteristics
referenced.
(End of Addendum to 52.212-2)
52.212-3 -- OFFEROR REPRESENTATIONS AND CERTIFICATIONS -- COMMERCIAL ITEMS (JAN
2017) ALTERNATE I (OCT 2014)
CONTRACT CLAUSES
52.212-4 -- CONTRACT TERMS AND CONDITIONS -- COMMERCIAL ITEMS (JAN 2017)
Addendum to 52.212-4
The following policy applies only if the contractor will be on the Government installation for more
than thirty (30) days.
(v) Policy for Reporting Incidents of Sexual Assault and Sexual Harassment under the Sexual
Assault Prevention and Response Program (SHARP).
The contractor shall comply with OTSG/MEDCOM Policy Memo 13-062, Policy for Reporting
Incidents of Sexual Assault and Sexual Harassment under the Sexual Assault Prevention and
Response Program (SHARP), 12 Nov 2013. The SHARP reporting requirements apply only to
knowledge obtained by contractor personnel while performing services under this contract.
The contractor shall require all Contract Service Providers (CSP) with knowledge of an incident of
sexual assault occurring on a Government facility, to include a Government leased facility, where
the contractor is providing services under this contract, to report the incident to the contractor who
shall immediately (within 24 hours) report the incident in writing to the government's COR. All
incidents shall be reported whether they involve contractor personnel or Government personnel, or
other individuals.
The contractor shall require all CSPs with knowledge of an incident of sexual harassment occurring
on a Government facility, to include a Government leased facility, where the contractor is providing
services under this contract, to report the incident to the contractor who shall immediately (within 24
hours) report the incident in writing to the government's COR. All incidents shall be reported whether
they involve contractor personnel or Government personnel, or other individuals.
(w) The non-FAR Part 12 discretionary FAR, DFARS, AFARS, and LOCAL clauses included herein
are incorporated into this contract either by reference or in full text. If incorporated by reference, see
clause 52.252-2 for locations where full text can be found. Also, the full text of a clause may be
accessed electronically at this/these address(es):
http://farsite.hill.af.mil/
https://acquisition.gov/far/index.html
52.204-21 - BASIC SAFEGUARDING OF COVERED CONTRACTOR INFORMATION
SYSTEMS (JUN 2016)
52.219-4 -- NOTICE OF PRICE EVALUATION PERFERENCE FOR HUBZONE SMALL
5
BUSINESS CONCERNS (OCT 2014)
52.222-19 -- CHILD LABOR-COOPERATION WITH AUTHORITIES AND REMEDIES (JAN
2014)
52.222-50 -- COMBATING TRAFFICKING IN PERSONS (MAR 2015)
52.223-3 - HAZARDOUS MATERIAL IDENTIFICATION AND MATERIAL SAFETY DATA (JAN
1997)
52.223-5 -- POLLUTION PREVENTION AND RIGHT-TO-KNOW INFORMATION (MAY 2011)
52.223-18 -- ENCOURAGING CONTRACTOR POLICIES TO BAN TEXT MESSAGING WHILE
DRIVING (AUG 2011)
52.225-13 -- RESTRICTIONS ON CERTAIN FOREIGN PURCHASES (JUN 2008)
52.232-33 -- PAYMENT BY ELECTRONIC FUNDS TRANSFER-SYSTEM FOR AWARD
MANAGEMENT (JUL 2013)
52.232-39 -- UNENFORCEABILITY OF UNAUTHORIZED OBLIGATIONS (JUN 2013)
52.232-40 -- PROVIDING ACCELERATED PAYMENTS TO SMALL BUSINESS
SUBCONTRACTORS (DEC 2013)
52.233-3 -- PROTEST AFTER AWARD (AUG 1996)
52.233-4 -- APPLICABLE LAW FOR BREACH OF CONTRACT CLAIM (OCT 2004)
52.237-2 -- PROTECTION OF GOVERNMENT BUILDINGS, EQUIPMENT, AND VEGETATION (APR
1984)
252.203-7000 -- REQUIREMENTS RELATING TO COMPENSATION OF FORMER DOD
OFFICIALS (SEP 2011)
252.203-7002 -- REQUIREMENT TO INFORM EMPLOYEES OF WHISTLEBLOWER RIGHTS (SEP
2013)
252.204-7003 -- CONTROL OF GOVERNMENT PERSONNEL WORK PRODUCT (APR 1992)
252.225-7001 - BUY AMERICAN AND BALANCE OF PAYMENTS PROGRAM (AUG 2016)
252.225-7048 -- EXPORT CONTROLLED ITEMS (JUN 2013)
252.232-7003 -- ELECTRONIC SUBMISSION OF PAYMENT REQUESTS AND RECEIVING
REPORTS (JUN 2012)
252.232-7010 -- LEVIES ON CONTRACT PAYMENTS (DEC 2006)
52.209-10 -- PROHIBITION ON CONTRACTING WITH INVERTED DOMESTIC
CORPORATIONS (DEC 2014)
52.219-28 -- POST-AWARD SMALL BUSINESS PROGRAM REREPRESENTATION (JUL
2013) (NAICS: 339113) Filled-in text
52.252-2 -- CLAUSES INCORPORATED BY REFERENCE (FEB 1998) http://farsite.hill.af.mil and
https://acquistion.gov/far/index.html (Filled-in text)
52.252-6 -- AUTHORIZED DEVIATIONS IN CLAUSES (APR 1984) ("DoD FAR
Supplement (48 CFR Chapter 2)" in paragraph (b)) Filled-in text
252.204-7012 -- SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL
INFORMATION (OCT 2016)
252.204-7015 - DISCLOSURE OF INFORMATION TO LITIGATION SUPPORT
CONTRACTORS (MAY 2016)
252.211-7003 -- ITEM UNIQUE IDENTIFICATION AND VALUATION (DEC 2013) (CLIN
0001 Sigma Knee System) Filled-in text
252.244-7000 -- SUBCONTRACTS FOR COMMERCIAL ITEMS (JUN 2013)
252.247-7023 - TRANSPORTATION OF SUPPLIES BY SEA - BASIC (APR 2014)
52.212-5 -- CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT
STATUTES OR EXECUTIVE ORDERS -- COMMERCIAL ITEMS
(JAN 2017) (DEVIATION 2013-O0019)
iRAPT
Invoicing, Receipt, Acceptance and Property Transfer (iRAPT) - formerly known as WAWF
iRAPT is the authorized method to electronically process vendor request for payment. This application
allows DOD vendors to submit and track Invoices and Receipt/Acceptance documents electronically.
Contractor shall (i) register to use iRAPT at https://wawf.eb.mil and (ii) ensure an electronic business point
of contract (POC) is designated in the System for Award Management at https://www.sam.gov within ten
(10) calendar days after award of this contract/order.
iRAPT Instructions:
Questions concerning payments should be directed to the Defense Finance and Accounting Service (DFAS)
location listed in Block 18a of your purchase order/contract. Please have your purchase order/contract
6
number ready when calling about payments.
You can easily access payment and receipt information using the DFAS web site at
http://www.dfas.mil/money/vendor . Your purchase order/contract number or invoice number will be
required to inquire status of your payment.
The following codes and information will be required to assure successful flow of iRAPT documents.
Foreign Vendors will submit banking information in the Comments Tab of the iRAPT invoice.
TYPE OF DOCUMENT [X the appropriate block]
Invoice (Contractor Only)
_X Invoice and Receiving Report (COMBO)
Invoice as 2-in-1 (Services Only)
Receiving Report (Government
Only) CAGE CODE:
ISSUE BY DODAAC: W91YTZ
ADMIN BY DODAAC: W91YTZ
INSPECT BY DODAAC: W33BWP
ACCEPT BY DODAAC: W33BWP
SHIP TO DODAAC: W33BWP
PAYMENT OFFICE FISCAL STATION CODE: HQ0490
EMAIL POINTS OF CONTACT LISTING: (Use Group e-mail accounts if applicable)
INSPECTOR Primary:
Alternate:
ACCEPTOR Primary:
Alternate:
RECEIVING OFFICE POC: Primary:
Alternate:
CONTRACT ADMINISTRATOR/ SPECIALIST:Johnnie Huffin,
[email protected] , DSN: 773
Comm: (706)787-7944 - Fax:
CONTRACTING OFFICER: Sebrena L. Lane, Contracting Officer, (706)787-2377,
[email protected] .
ADDITIONAL CONTACT: Gordon Health Contracting Cell
43 Central Hospital Court, Bldg 332
Fort Gordon, GA 30905
Any modification requests must be in writing and submitted to:ADMIN DODAAC.
HIPPA
Non-Defense Health Agency (Non-DHA) Health Insurance Portability
and Accountability Act (HIPAA) Business Associate Agreement (BAA) (7 July 2014)
1
Introduction
In accordance with 45 CFR 164.502(e)(2) and 164.504(e) and paragraph C.3.4.1.3 of DoD 6025.18-R,
"DoD Health Information Privacy Regulation," January 24, 2003, this document serves as a BAA between
the signatory parties for purposes of the HIPAA and the "HITECH Act" amendments thereof, as
implemented by the HIPAA Rules and DoD HIPAA Issuances (both defined below). The parties are a DoD
Military Health System (MHS) component, acting as a HIPAA covered entity, and a DoD contractor, acting
as a HIPAA business associate. The HIPAA Rules require BAAs between covered entities and business
associates. Implementing this BAA requirement, the applicable DoD HIPAA Issuance (DoD 6025.18-R,
paragraph C3.4.1.3) provides that requirements applicable to business associates must be incorporated (or
incorporated by reference) into the contract or agreement between the parties.
(a) Catchall Definition. Except as provided otherwise in this BAA, the following terms used in this BAA shall
have the same meaning as those terms in the DoD HIPAA Rules: Data Aggregation, Designated Record
Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices
(NoPP), Protected Health Information (PHI), Required By Law, Secretary, Security Incident, Subcontractor,
Unsecured Protected Health Information, and Use.
-Breach means actual or possible loss of control, unauthorized disclosure of or unauthorized access to
PHI or other PII (which may include, but is not limited to PHI), where persons other than authorized users
gain access or potential access to such information for any purpose other than authorized purposes, where
one or more individuals will be adversely affected. The foregoing definition is based on the definition of
breach in DoD Privacy Act Issuances as defined herein.
-Business Associate shall generally have the same meaning as the term "business associate" in the DoD
HIPAA Issuances, and in reference to this BAA, shall mean [insert name of Business Associate
signatory to this BAA].
-Agreement means this BAA together with the documents and/or other arrangements under which the
Business Associate signatory performs services involving access to PHI on behalf of the MHS component
signatory to this BAA.
-Covered Entity shall generally have the same meaning as the term "covered entity" in the DoD HIPAA
Issuances, and in reference to this BAA, shall mean [insert name of MHS component signatory to this
BAA].
-DHA Privacy Office means the DHA Privacy and Civil Liberties Office. The DHA Privacy Office Director is
the HIPAA Privacy and Security Officer for DHA, including the National Capital Region Medical Directorate
(NCRMD).
-DoD HIPAA Issuances means the DoD issuances implementing the HIPAA Rules in the DoD Military
Health System (MHS). These issuances are DoD 6025.18-R (2003), DoDI 6025.18 (2009), and DoD
8580.02-R (2007).
-DoD Privacy Act Issuances means the DoD issuances implementing the Privacy Act, which are DoDD
5400.11 (2007) and DoD 5400.11-R (2007).
-HHS Breach means a breach that satisfies the HIPAA Breach Rule definition of breach in 45 CFR
164.402.
-HIPAA Rules means, collectively, the HIPAA Privacy, Security, Breach and Enforcement Rules, issued by
the U.S. Department of Health and Human Services (HHS) and codified at 45 CFR Part 160 and Part 164,
Subpart E (Privacy), Subpart C (Security), Subpart D (Breach) and Part 160, Subparts C-D (Enforcement),
as amended by the 2013 modifications to those Rules, implementing the "HITECH Act" provisions of Pub. L.
111-5. See 78 FR 5566-5702 (Jan. 25, 2013) (with corrections at 78 FR 32464 (June 7, 2013)). Additional
HIPAA rules regarding electronic transactions and code sets (45 CFR Part 162) are not addressed in this
BAA and are not included in the term HIPAA Rules.
-Service-Level Privacy Office means one or more offices within the military services (Army, Navy, or Air
Force) with oversight authority over Privacy Act and HIPAA privacy compliance.
I. Obligations and Activities of Business Associate
1
(a) The Business Associate shall not use or disclose PHI other than as permitted or required by the
Agreement or as required by law.
(b) The Business Associate shall use appropriate safeguards, and comply with the DoD HIPAA Rules with
respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
(c) The Business Associate shall report to Covered Entity any Breach of which it becomes aware, and shall
proceed with breach response steps as required by Part V of this BAA. With respect to electronic PHI, the
Business Associate shall also respond to any security incident of which it becomes aware in accordance
with any Information Assurance provisions of the Agreement. If at any point the Business Associate
becomes aware that a security incident involves a Breach, the Business Associate shall immediately initiate
breach response as required by part V of this BAA.
(d) In accordance with 45 CFR 164.502(e)(1)(ii)) and 164.308(b)(2), respectively), as applicable, the
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on
behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to
the Business Associate with respect to such PHI.
(e) The Business Associate shall make available PHI in a Designated Record Set, to the Covered Entity or,
as directed by the Covered Entity, to an Individual, as necessary to satisfy the Covered Entity obligations
under 45 CFR 164.524.
(f) The Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or
agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to
satisfy Covered Entity's obligations under 45 CFR 164.526.
(g) The Business Associate shall maintain and make available the information required to provide an
accounting of disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity's
obligations under 45 CFR 164.528.
(h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under
the HIPAA Privacy Rule, the Business Associate shall comply with the requirements of HIPAA Privacy Rule
that apply to the Covered Entity in the performance of such obligation(s); and
(i) The Business Associate shall make its internal practices, books, and records available to the Secretary
for purposes of determining compliance with the HIPAA Rules.
II. Permitted Uses and Disclosures by Business Associate
(a) The Business Associate may only use or disclose PHI as necessary to perform the services set forth in
the Agreement or as required by law. The Business Associate is not permitted to de-identify PHI under
DoD HIPAA issuances or the corresponding 45 CFR 164.514(a)-(c), nor is it permitted to use or disclose deidentified
PHI, except as provided by the Agreement or directed by the Covered Entity.
(b) The Business Associate agrees to use, disclose and request PHI only in accordance with the HIPAA
Privacy Rule "minimum necessary" standard and corresponding DHA policies and procedures as stated in
the DoD HIPAA Issuances.
(c) The Business Associate shall not use or disclose PHI in a manner that would violate the DoD HIPAA
Issuances or HIPAA Privacy Rules if done by the Covered Entity, except uses and disclosures for the
Business Associate's own management and administration and legal responsibilities or for data aggregation
services as set forth in the following three paragraphs.
(d) Except as otherwise limited in the Agreement, the Business Associate may use PHI for the proper
management and administration of the Business Associate or to carry out the legal responsibilities of the
Business Associate. The foregoing authority to use PHI does not apply to disclosure of PHI, which is
covered in the next paragraph.
(e) Except as otherwise limited in the Agreement, the Business Associate may disclose PHI for the proper
management and administration of the Business Associate or to carry out the legal responsibilities of the
Business Associate, provided that disclosures are required by law, or the Business Associate obtains
reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and
1
used or further disclosed only as required by law or for the purposes for which it was disclosed to the
person, and the person notifies the Business Associate of any instances of which it is aware in which the
confidentiality of the information has been breached.
(f) Except as otherwise limited in the Agreement, the Business Associate may use PHI to provide Data
Aggregation services relating to the Covered Entity's health care operations.
III. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) The Covered Entity shall provide the Business Associate with the notice of privacy practices that the
Covered Entity produces in accordance with 45 CFR 164.520 and the corresponding provision of the DoD
HIPAA Issuances.
(b) The Covered Entity shall notify the Business Associate of any changes in, or revocation of, the
permission by an Individual to use or disclose his or her PHI, to the extent that such changes affect the
Business Associate's use or disclosure of PHI.
(c) The Covered Entity shall notify the Business Associate of any restriction on the use or disclosure of PHI
that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that
such changes may affect the Business Associate's use or disclosure of PHI.
IV. Permissible Requests by Covered Entity
The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that
would not be permissible under the HIPAA Privacy Rule or any applicable Government regulations
(including without limitation, DoD HIPAA Issuances) if done by the Covered Entity, except for providing Data
Aggregation services to the Covered Entity and for management and administrative activities of the
Business Associate as otherwise permitted by this BAA.
V. Breach Response
(a) In general.
In the event of a breach of PII/PHI held by the Business Associate, the Business Associate shall follow the
breach response requirements set forth in this Part V, which is designed to satisfy both the Privacy Act and
HIPAA as applicable. If a breach involves PII without PHI, then the Business Associate shall comply with
DoD Privacy Act Issuance breach response requirements only; if a breach involves PHI (a subset of PII),
then the Business Associate shall comply with both Privacy Act and HIPAA breach response requirements.
A breach involving PHI may or may not constitute an HHS Breach. If a breach is not an HHS Breach, then
the Business Associate has no HIPAA breach response obligations. In such cases, the Business Associate
must still comply with breach response requirements under the DoD Privacy Act Issuances.
If the DHA Privacy Office determines that a breach is an HHS Breach, then the Business Associate shall
comply with both the HIPAA Breach Rule and DoD Privacy Act Issuances, as directed by the DHA Privacy
Office, regardless of whether the breach occurs at DHA or at one of the Service components. If the DHA
Privacy Office determines that the breach does not constitute an HHS Breach, then the Business
Associate shall comply with DoD Privacy Act Issuances, as directed by the applicable Service-Level
Privacy Office.
The Business Associate shall contact the Covered Entity for guidance when the incident is not an HHS
Breach.
This Part V is designed to satisfy the DoD Privacy Act Issuances and the HIPAA Breach Rule as
implemented by the DoD HIPAA Issuances. In general, for breach response, the Business Associate shall
report the breach to the Covered Entity, assess the breach incident, notify affected individuals, and take
mitigation actions as applicable. Because DoD defines "breach" to include possible (suspected) as well as
actual (confirmed) breaches, the Business Associate shall implement these breach response requirements
immediately upon the Business Associate's discovery of a possible breach.
(b) Government Reporting Provisions
The Business Associate shall report the breach within one hour of discovery to the Covered Entity and to
the US Computer Emergency Readiness Team (US CERT) -the other parties as deemed appropriate by the
Covered Entity. The Business Associate is deemed to have discovered a breach as of the time a breach
1
(suspected or confirmed) is known, or by exercising reasonable diligence would have been known, to any
person (other than the person committing it) who is an employee, officer or other agent of the Business
Associate.
The Business Associate shall submit the US-CERT report using the online form at https://forms.uscert.
gov/report/. Before submission to US-CERT, the Business Associate shall save a copy of the on-line
report. After submission, the Business Associate shall record the US-CERT Reporting Number. Although
only limited information about the breach may be available as of the one hour deadline for submission, the
Business Associate shall submit the US-CERT report by the deadline. The Business Associate shall e-mail
updated information as it is obtained, following the instructions at http://www.us-cert.gov/pgp/email.html.
The Business Associate shall provide a copy of the initial or updated US-CERT report to the -Covered Entity
and the applicable Service-Level Privacy Office, if requested by either. Business Associate questions about
US-CERT reporting shall be directed to the Covered Entity or Service-Level Privacy Office, not the USCERT
office.
The additional US Army and the US Army Medical Command (MEDCOM) reporting requirements are
addressed in the PII Breach Reporting and Notification Policy. The latest version of this policy can be
obtained from the Covered Entity or the MEDCOM Privacy Act/Freedom of Information Act (FOIA) Office at:
[email protected] . If multiple beneficiaries are affected by a single
event or related set of events, then a single reportable breach may be deemed to have occurred, depending
on the circumstances. The Business Associate shall inform the Covered Entity as soon as possible if it
believes that "single event" breach response is appropriate; the Covered Entity will determine how the
Business Associate shall proceed and, if appropriate, consolidate separately reported breaches for
purposes of Business Associate report updates, beneficiary notification, and mitigation.
When a Breach Report initially submitted is incomplete or incorrect due to unavailable information, or when
significant developments require an update, the Business Associate shall submit a revised form or forms,
stating the updated status and previous report date(s) and showing any revisions or additions in red text.
Examples of updated information the Business Associate shall report include, but are not limited to:
confirmation on the exact data elements involved, the root cause of the incident, and any mitigation actions
to include, sanctions, training, incident containment, follow-up, etc. The Business Associate shall submit
these report updates promptly after the new information becomes available. Prompt reporting of updates is
required to allow the Covered Entity to make timely final determinations on any subsequent notifications or
reports. The Business Associate shall provide updates to the same parties as required for the initial Breach
Report. The Business Associate is responsible for reporting all information needed by the Covered Entity to
make timely and accurate determinations on reports to HHS as required by the HHS Breach Rule and
reports to the Defense Privacy and Civil Liberties Office as required by DoD Privacy Act Issuances.
In the event the Business Associate is uncertain on how to apply the above requirements, the Business
Associate shall consult with the Covered Entity (or the Service-Level Privacy Office, which will consult with
the DHA Privacy Office as appropriate) when determinations on applying the above requirements are
needed.
(c) Individual Notification Provisions
If the DHA Privacy Office determines that individual notification is required, the Business Associate shall
provide written notification to individuals affected by the breach as soon as possible, but no later than 10
working days after the breach is discovered and the identities of the individuals are ascertained. The 10 day
period begins when the Business Associate is able to determine the identities (including addresses) of the
individuals whose records were impacted.
The Business Associate's proposed notification to be issued to the affected individuals shall be submitted to
the parties to which reports are submitted under paragraph V (a) for their review, and for approval by the
DHA Privacy Office. Upon request, the Business Associate shall provide the DHA Privacy Office with the
final text of the notification letter sent to the affected individuals. If different groups of affected individuals
receive different notification letters, then the Business Associate shall provide the text of the letter for each
group. (PII shall not be included with the text of the letter(s) provided.) Copies of further correspondence
with affected individuals need not be provided unless requested by the Privacy Office. The Business
Associate's notification to the individuals, at a minimum, shall include the following:
-The individual(s) must be advised of what specific data was involved. It is insufficient to simply state that
PII has been lost. Where names, Social Security Numbers (SSNs) or truncated SSNs, and Dates of Birth
(DOBs) are involved, it is critical to advise the individual that these data elements potentially have been
1
breached.
-The individual(s) must be informed of the facts and circumstances surrounding the breach. The
description should be sufficiently detailed so that the individual clearly understands how the breach
occurred.
-The individual(s) must be informed of what protective actions the Business Associate is taking or the
individual can take to mitigate against potential future harm. The notice must refer the individual to the
current Federal Trade Commission (FTC) web site pages on identity theft and the FTC's Identity Theft
Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261.
-The individual(s) must also be informed of any mitigation support services (e.g., one year of free credit
monitoring, identification of fraud expense coverage for affected individuals, provision of credit freezes, etc.)
that the Business Associate may offer affected individuals, the process to follow to obtain those services
and the period of time the services will be made available, and contact information (including a phone
number, either direct or toll-free, e-mail address and postal address) for obtaining more information.
Business Associates shall ensure any envelope containing written notifications to affected individuals are
clearly labeled to alert the recipient to the importance of its contents, e.g., "Data Breach Information
Enclosed," and that the envelope is marked with the identity of the Business Associate and/or subcontractor
organization that suffered the breach. The letter must also include contact information for a designated
POC to include, phone number, email address, and postal address.
If the Business Associate determines that it cannot readily identify, or will be unable to reach, some affected
individuals within the 10 day period after discovering the breach, the Business Associate shall so indicate in
the initial or updated Breach Report. Within the 10 day period, the Business Associate shall provide the
approved notification to those individuals who can be reached. Other individuals must be notified within 10
days after their identities and addresses are ascertained. The Business Associate shall consult with the
DHA Privacy Office, which will determine which media notice is most likely to reach the population not
otherwise identified or reached. The Business Associate shall issue a generalized media notice(s) to that
population in accordance with Privacy Office approval.
The Business Associate shall, at no cost to the government, bear any costs associated with a breach of
PII/PHI that the Business Associate has caused or is otherwise responsible for addressing.
Breaches are not to be confused with security incidents (often referred to as cyber security incidents when
electronic information is involved), which may or may not involve a breach of PII/PHI. In the event of a
security incident not involving a PII/PHI breach, the Business Associate shall follow applicable DoD
Information Assurance requirements under its Agreement. If at any point the Business Associate finds that a
cyber security incident involves a PII/PHI breach (suspected or confirmed), the Business Associate shall
immediately initiate the breach response procedures set forth here. The Business Associate shall also
continue to follow any required cyber security incident response procedures to the extent needed to address
security issues, as determined by DoD/DHA.
VI. Termination
(a) Termination. Noncompliance by the Business Associate (or any of its staff, agents, or subcontractors)
with any requirement in this BAA may subject the Business Associate to termination under any applicable
default or other termination provision of the Agreement.
(b) Effect of Termination.
(1) If the Agreement has records management requirements, the Business Associate shall handle such
records in accordance with the records management requirements. If the Agreement does not have records
management requirements, the records should be handled in accordance with paragraphs (2) and (3)
below. If the Agreement has provisions for transfer of records and PII/PHI to a successor Business
Associate, or if DHA gives directions for such transfer, the Business Associate shall handle such records
and information in accordance with such Agreement provisions or DHA direction.
(2) If the Agreement does not have records management requirements, except as provided in the following
paragraph (3), upon termination of the Agreement, for any reason, the Business Associate shall return or
destroy all PHI received from the Covered Entity, or created or received by the Business Associate on
behalf of the Covered Entity that the Business Associate still maintains in any form. This provision shall
apply to PHI that is in the possession of subcontractors or agents of the Business Associate. The Business
1
Associate shall retain no copies of the PHI.
(3) If the Agreement does not have records management provisions and the Business Associate determines
that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity
notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the
Covered Entity and the Business Associate that return or destruction of PHI is infeasible, the Business
Associate shall extend the protections of the Agreement to such PHI and limit further uses and disclosures
of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business
Associate maintains such PHI.
VII. Miscellaneous
(a) Survival. The obligations of Business Associate under the "Effect of Termination" provision of this BAA
shall survive the termination of the Agreement.
(b) Interpretation. Any ambiguity in the Agreement shall be resolved in favor of a meaning that permits the
Covered Entity and the Business Associate to comply with the HIPAA Rules and the DoD HIPAA Rules.
TOBACCO FREE MEDICAL CAMPUS (TFMC)
In accordance with Army Regulation 600-63, paragraph 7-3, 14 April 2015; Operations Order 15-48 (Army
Medical Command (MEDCOM) Tobacco Free Living - USAMEDCOM), 8 May 2015; and any Operations
Order, regulation or other instruction implementing, defining or otherwise addressing the Tobacco Free
Medical Campus (TFMC) on any military installation or DoD-controlled location, Contractor personnel are
prohibited from using any tobacco product on or within any TFMC while performing under this contract.
TFMCs are established at each installation or DoD-controlled location and include: (1) any property or nonresidential
building that is operated, maintained or assigned to support medical activities, including but not
limited to, hospitals, medical laboratories, outpatient clinics (including medical, dental, and veterinary
facilities), or aid stations operating for the primary purpose of delivering medical care and services for DOD
eligible beneficiaries and /or meeting the mission of the Army Medical Command; (2) all other facilities in
which medical activities or administration take place, to include HQ MEDCOM and Defense Health
Headquarters; (3) all internal roadways, sidewalks and parking lots; and (4) all sidewalks, parking lots and
grounds external but adjacent to the building or related to the migratory corridors surrounding the medical
facility. The Contractor shall obtain from the COR any orders, regulations, instructions or other documents
implementing, defining or otherwise addressing the TFMC for any given installation or DoD-controlled
location where Contractor personnel may perform under this contract and shall instruct Contractor
personnel on the TFMC limitations for installations or DoD-controlled locations where they may perform
under this contract.
Exclusion from Participation in Federal Health Care Programs (October 2015)
1. The Contractor shall not employ or contract with any individual or entity (hereinafter collectively referred
to as "person") to provide items or services that will be included in invoices submitted to the Government
under this contract if such person is listed on the Department of Health and Human Services (HHS) Office of
the Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) or the TRICARE Sanctioned
Provider List. The Government is legally prohibited from paying for provision of items or services by such
persons. The prohibition extends to services beyond direct patient care, such as services of persons in
executive or leadership roles and administrative and management services, whether or not such services
are billed separately. The LEIE may be found at http://oig.hhs.gov/fraud/exclusions.asp, and the TRICARE
Sanctioned Provider list at http://www.health.mil/Military-Health-Topics/Access-Cost-Quality-and-
Safety/Quality-And-Safety-of-Healthcare/Program-Integrity/Sanctioned-Providers. The LEIE and TRICARE
Sanctioned Provider List are hereinafter collectively referred to as "the Lists."
2. Prior to start of contract performance, the Contractor shall (a) query the Lists to determine whether the
name of any person the Contractor employs or contracts with to provide services or items for which
payment may be made under this contract appears on the Lists, and (b) certify to the Contracting Officer
that the Contractor has queried the Lists and no such names appear on either of the Lists.
3. During performance of the contract, and prior to persons other than those whose names were queried in
accordance with paragraph 2, above, (hereinafter "new persons") providing services or items under the
contract, the Contractor shall (a) query the Lists as in paragraph 2, and (b) certify to the Contracting Officer
that the names of such new persons do not appear on either of the Lists.
4. The Contractor is advised that during performance of the contract, MTF personnel will perform a recurrent
1
recheck of the names of contractor personnel working in the MTF against the Lists, as specified in
OTSG/MEDCOM Policy Memo 15-037. The Government will notify the Contractor in the event any
contractor personnel working in the MTF appear on either of the Lists.
5. Should any person providing items or services under the contract appear on either of the Lists at any time
during contract performance, the Contractor shall (a) in cases where the Contractor identified the person,
notify the Contracting Officer, and (b) promptly remove that person from the contract.
6. Violation of any aspect of the above paragraphs shall be considered a material breach of the contract and
may result in termination of the contract.
7. The Contractor is further advised that, in accordance with Civil Monetary Penalties Law [CMP] (codified at
42 USC § 1320a-7a):
a. There are steep civil monetary penalties associated with billing the Government for providing items or
services by a person on either of the Lists, and with failing to return to the Government any overpayments
received for provision of such items or services.
b. Billing under the contract for provision of items or services by a person on either List may also result in
exclusion of the person that employs or contracts with such person.
8. HHS OIG has issued a Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal
Health Care Programs with additional information on the CMP. The Special Advisory Bulletin may be found
at http://oig.hhs.gov/exclusions/files/sab-05092013.pdf.
(End of Addendum to 52.212-4)
Bid Protests Not Available
G