The Central Texas VA Health Care System (CTVAHCS) in Temple, Texas is seeking Service Disabled Veteran Owned Small Business (SDVOSB), Veteran Owned Small Business (VOSB), or Small Business sources capable of meeting the requirement listed below. The acquisition will be accomplished using commercial item procedures in accordance with FAR Part 12.
NOTE: TO QUALIFY, SDVOSB AND VOSB VENDORS MUST BE CERTIFIED IN THE SMALL BUSINESS SEARCH (SBS) DATABASE.
The North American Industry Classification System (NAICS) is 541519. Any SDVOSB, VOSB, or Small Business firms who wish to identify their interests and capability to provide this product must provide product specifications, performance and delivery information by notifying the Contract Specialist no later than TEN PM Central Time, April 24, 2026. Notification shall be e-mailed to Akisha Woods, at Akisha.Woods@va.gov.
Any vendor who responds to this Notice must provide credentials to perform the requirement as outlined in the below scope.
DISCLAIMER
This Sources Sought Notice is issued solely for information and planning purposes only and does not constitute a solicitation. All information received in response to this Notice that is marked as proprietary will be handled accordingly. In accordance with the Federal Acquisition Regulation, responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this Notice.
SCOPE:
Introduction: Central Texas Veterans Health Care System (CTVHCS) clinicians use TheraDoc to provide medical technology that interprets records, alerts clinicians, and recommends patient-specific treatment options that are based on current medical guidelines and evidence, resulting in better healthcare decisions. This favorably affects patients' healthcare experiences and outcomes, while reducing costs. VHA has purchased a license for TheraDoc, a Document Storage Systems (DSS) product, which requires an annual maintenance and telephone support services contract for those health care systems that use TheraDoc.
(1) Background: CTVHCS has a continuing need to use TheraDoc in support of safe, efficient and effective patient care, and must have a maintenance and telephone services contract in place to do so. Use of TheraDoc is essential to patient care activities performed by many clinical staff, and it is imperative the maintenance service contract is established to make this possible. TheraDoc provides clinicians with patient information and medical knowledge to promote better patient care decisions. It enables providers to make therapeutic interventions more quickly, improve appropriate use of antimicrobials, reduce adverse reactions, reduce the length of hospital stays, and deliver more efficient, better and safer patient care. TheraDoc interprets records, provides alerts to clinicians, and recommends evidence-based treatment options based on current medical guidelines, which results in better health care decisions that improve patient outcomes while reducing costs. It is imperative this medical surveillance capability for CTVHCS be maintained in fully operational status at all times in order to promote better patient care.
Scope of Work: The Contractor to provide service and support to an existing TheraDoc for VistA Large Hospital-TESA Platform, that will include the following services, in addition to software upgrades as needed:
1) DSS-TDOC-VistA-LVL1: TheraDoc for VistA - TESA Platform, Pharmacy Assistant, Infection Control Assistant. Includes interfaces for ADT, Lab, Micro, Surgery, Inpatient Pharmacy, Radiology, BCMA, Vital Signs, Problem List. Annual Limited License. Includes Support and Maintenance and 24x7 monitoring support. Level 1 facility
2) DSS-TDOC-DBUSER: DSS TheraDoc EMR Embedded DB and ColdFusion Software.
3) DSS-OUTPT-PHARM-LL: DSS Outpatient Pharmacy Interface for TheraDoc, Annual Limited License per hospital. Includes support and maintenance for a period of one year
4) DSS-MDI-VA-LL: DSS Medical Devices Interface (MDI) for TheraDoc, Annual Limited License per facility. Includes support and maintenance for a period of one year.
5) DSS-PREMAPPSUPPORT-VAAF: DSS ADHOC Premium Application Workflow Support - Remote, per facility annual fee.
6) DSS-INST-R: DSS Remote Installation Services Per Day
7) DSS-TDOC-EMR: DSS TheraDoc EMR Project Management, Technical and Training Services Per Hour.
8) TRAVEL-Z: Travel Per Diem Expenses, per person, per week.
2. REQUIREMENTS:
Type of Contract: Firm-Fixed-Price for the Base Year, followed by option years one through four.
General Requirements: To provide CTVHCS with continued support services performed by staff that are comprehensively trained in TheraDoc processes and procedures.
Period of Performance: The maintenance and telephone support services contract to run for the Base Year from start of contract through the option years.
3. REFERENCES:
a. Federal Standards and Guidance:
(1) The Health Insurance Portability and Accountability Act (HIPAA) of 1996
Computer Security Act of 1987, Public Law 10-235
(2) OMB Circular A-123, Management's Responsibility for Internal Control Revised (03/10/2026)
(3) 5 U.S.C. 552a, Privacy Act of 1974, 5 United States Code 552a, Public Law 99-08.
(4) 5 U.S.C. 552, Freedom of Information Act, 5 United States Code 552, Public Law
(5) 18 U.S.C. 1030 (a) (3), Fraud and related activity in connection with computers.
(6) Electronic Communications Privacy Act of 1986, Public Law 99-08, 100 Stat. 1848.
b. Agency Policy and Guidelines:
(1) VA Directive 6008, Acquisition and Management of VA Information Technology Resources
(2) VA Directive 6102, Internet and Intranet Services
(3) VA Handbook 6340, Enterprise Mail Management Procedures
(4) VA Directive 6403, Software Asset Management
(5) VA Directive 6500, VA Cybersecurity Program
(6) VA Handbook 6500, Risk Management Framework for VA Information Systems, VA Information Security Program
(7) VA Handbook 6500.6, Contract Security
(8) VA Handbook 6513, Secure External Connections
(9) VA Directive 6515, Use of Web Based Collaboration Technologies
(10) VA Directive 6517 Risk Management Framework for Cloud Computing Services
c. Local Policies:
(1) VHA Field VAMC Policy MCP 674-ISO-024, Management of Information Security and Privacy Incidents
(2) VHA Field VAMC Policy MCP 00-25, Facility Information System Contingency Plan (ISCP) Business Impact Analysis (BIA) and Business Continuity Plan-Continuity of Operations Plan (BCP-COOP)
(3) VHA Field VAMC Policy MCP 003-001, Internet and Intranet-SharePoint Content Development
(4) VHA Field VAMC Policy MCP 674-ISO-003 Use of Electronic Mail and Internet Usage Guidelines
(5) VHA Field VAMC Policy MCP 674-008-003, Records Management Program
4. DELIVERABLES:
Contractor to provide the following services as needed:
Work directly with users to address any issues with TheraDoc products.
Respond to issues within required response times.
Advise local OI&T and/or Biomedical Engineering staff regarding configurations for products, new installations of products, and end-user activities.
Assist local OI&T and/or Biomedical Engineering staff regarding issues with infrastructure requirements for products, including hardware, bandwidth, best practices, etc.
Advise local OI&T/Biomedical Engineering staff and/or other local points of contact regarding any issues which may impact usage of licensed products.
Provide software upgrades as required to resolve TheraDoc server vulnerabilities reported by the VA, as well as other application enhancements. This will include release notes for all versions included in the upgrades, for Pharmacy and IP&C.
Provide reports upon request to local OI&T and/or Biomedical Engineering staff for:
Summary of tickets currently open, and those closed within the past 7 days
Summary of known issues impacting site use of products with current status, expected release date, and workaround if available
Requesting Support and Assigning Priority: Contractor staff will be considered second level support for local OI&T staff, and as such support can only be initiated by local OI&T staff. Priority of response is based on the following:
0-Urgent: Initial response within 1 hour, with follow-up response within 2 hours. For catastrophic incidents such as server crash, one or more product applications being inaccessible to all users, etc.
1-High: Initial response within 2 hours, with follow-up within 22 hours (2 business days). For instances in which the system is functioning, but in a severely reduced capacity significantly impacting portions of business operations
2-Medium: Initial response within 4 hours, with follow-up within 33 hours (3 business days). For instances of non-critical functionality loss in which some operations are impaired, but users and/or applications are able to continue to function
3-Low: Initial response within 8 hours, with follow-up within 44 hours (4 business days). For instances in which there is minimal impact to business operations.
5. QUALITY ASSURANCE SURVEILLANCE PROGRAM (QASP): The Contractor will ensure support services staff and actions are in compliance with the terms of the contract.
6. SECURITY CONSIDERATIONS: Safeguarding patient health information (PHI) is a primary concern for VA staff and for contractor personnel working in VA facilities and/or working with PHI or other confidential/sensitive information. DSS will adhere to all VA Information Security, Privacy and HIPAA requirements when obtaining and reviewing diagnostic information. This includes log files, error traps, screen capture images and database query results used to aid in providing support services required by the contract.
a. The Computer Security Act requires federal agencies to provide for mandatory periodic training in computer security awareness and accepted computer security practices for all employees who are involved with the management, use, or operation of a federal computer system within or under the supervision of the federal agency. This includes contractors as well as employees of the agency. OMB Circular A-130, Appendix III, revised in 1996, enforces such mandatory training by requiring its completion prior to granting access to the system and through periodic refresher training for continued access. Therefore, each user must be versed in acceptable rules of behavior for the application before being allowed access to the system. VA and VHA policies specify mandatory orientation training prior to access and annual refresher training for all employees. The training program also informs users on procedures for reporting security incidents. Contractor staff must comply with training and security requirements to the same extent as VA staff.
b. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).
c. VA information should not be co-mingled, if possible, with any other data on the contractor's or subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
d. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
e. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
f. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
g. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.
h. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
i. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
j. The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.
k. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.
l. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. VA
.
m. A computer security incident is an adverse event in a computer system or network caused by a failure of a security mechanism or an attempted or threatened breach of these mechanisms. CTVHCS Policy Memo 003-10-11, Information Systems Security Incident Reporting outlines procedures for reporting an information systems security incident. In addition, the Office of Cyber and Information Security (OCIS) operates a national critical incident response center (VA-CIRC). Contractor staff who cause and/or identify a computer security incident must immediately report to Pharmacy, Infection Control, and/or OI&T Staff and take all necessary measures to minimize the extent/impact of any computer security incident.
7. Information Systems Officer, Information Protection: The Service Provider will have access to VA Desktop computers and will have access to online resources belonging to the government while conducting services in the application of complex adaptive system theory to health care organizations.
8. Privacy Officer: Service Provider will have access to Patient Health Information (PHI) and will have the capability of accessing patient information during the services provided to the VA.
9. Records Manager:
Citations to pertinent laws, codes and regulations such as 44 U.S.C chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228.
Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest.
Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records.
Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act.
Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract.
The Government Agency owns the rights to all data/records produced as part of this contract.
The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.
Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.].
No disposition of documents will be allowed without the prior written consent of the Contracting Officer. The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules.
Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, this contract. The Contractor (and any sub-contractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information.
10. Training:
a. All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
(1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
(3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]
b. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.
c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.