Contractor shall furnish all tools, labor, parts, materials, supervision, and travel to provide
preventive maintenance, calibration services, and as needed, emergency repair service at an hourly
fixed rate to maintain the medical laser equipment as identified in Section B in accordance with the OEM
specifications. All parts to be replaced under normal preventive maintenance (PM) as defined in the
OEM's service manual will be included under this contract. Repair parts outside of those included in
the PM will be provided by VHA and repair service will be billable on an hourly basis and paid by
govt credit card outside of the contract. Approval for govt credit card use requires VA Biomedical Engineering approval before work can be completed for any repairs.
2. EQUIPMENT
Equipment List:
Locations of equipment:

Sacramento VA
10535 Hospital Way Sacramento, CA 95655

Martinez VA - CLC/CREC
150 Muir Road Martinez, CA 94553

Chico:
1601 Concord Ave Chico, CA 95928

Fairfield VA
103 Bodin Circle, Bldg. 778 Travis AFB, CA 94535

Mare Island VA OPC
201 Walnut Avenue Mare Island, CA 94592

McClellan VA
5342 Dudley Boulevard McClellan Park, CA 95652

Redding:
3455 Knighton Road Redding, CA 96002

Stockton
7777 Freedom Way French Camp, CA 95231
2. DEFINITIONS/ACRONYMS:
A. Biomedical Engineering-Supervisor or designee
B. CO-Contracting Officer
C. COR-Contracting Officer's Representative
D. PM-Preventive Maintenance Inspection. Services which are periodic in nature and are
required to maintain the equipment in such condition that it may be operated in
accordance with its intended design and functional capacity with minimal incidence of
malfunction or operative conditions. Service shall consist of calibration and testing in
accordance with the manufacturer s latest established service procedures to ensure
operation of equipment within manufacturer s or VA s performance specifications,
whichever is the most rigorous. PM includes cleaning, inspecting lubricating and testing
all equipment. All equipment shall be operated at least one complete operating cycle at
the end of each PM.
E. FSE-Field Service Engineer. A person who is authorized by the contractor to perform
maintenance (corrective and/or preventive) services on the VA Outpatient Clinic
premises.
F. ESR-Vendor Engineering Service Report. A documentation of the services rendered for
each incidence of work performance under the terms and conditions of the contract.
G. Acceptance Signature-VAOPC employee who indicates FSE demonstrated service
conclusion/status and user has accepted work as complete/pending as stated in ESR.
H. Authorization Signature-COR's signature; indicates COR accepts work status as stated
in ESR.
I. NFPA-National Fire Protection Association.
J. CDRH-Center for Devices and Radiological Health.
K. VAOPC-Department of Veterans Affairs Outpatient Clinic.
L. OEM-Original Equipment Manufacturer.
3. CONFORMANCE STANDARDS:
Contractor shall provide services and material to ensure that the equipment functions in conformance with the latest requirements of NFPA-99, JCAHO, NEC, OSHA, CAP, Federal and VA specifications and requirements as applicable. The equipment shall be maintained such that it meets or exceeds the performance specifications as established in the OEM's technical specifications. Additional performance specifications that exceed the OEM specifications shall be specified in writing by the VA.
4. PREVENTIVE MAINTENANCE (PM):
A. Preventative maintenance inspection shall be performed annually. The date and time of
the inspections will be arranged by the contractor's service representative at least 1 week
in advance by contacting the COR or his/her designee.
B. The contractor shall ensure that PM services are performed to ensure that the equipment
listed in Section 2 is maintained in accordance with the Statement of Work (SOW),
Paragraph 3, and Conformance Standards. The contractor shall provide and utilize
procedures and checklists with worksheet originals indicating work performed and actual
values obtained (as applicable) which shall be provided to the COR at the completion of
each PM. The contractor's PM procedure and checklist shall match the OEM's recommended PM inspection procedure.
C. The contractor shall perform PM services in accordance with, and during the hours
defined in the preventive maintenance schedule established herein. All exceptions to the
PM schedule shall be arranged and approved in advance with the COR.
D. Any charges for parts, services, manuals, tools, or software required to successfully
complete scheduled PM are included within this contract, and its agreed upon price,
unless specifically stated in writing otherwise.
E. The contractor shall furnish documentation, including all measurement and calibration
data to certify that the system is performing in accordance with the Conformance
Standards.
5. EMERGENCY MAINTENANCE:
A. The CO, COR or designated alternate has the authority to approve/request a service call
from the contractor at the fixed hourly rate paid by govt credit card outside of the
contract.
6. HOURS OF COVERAGE:
A. Normal hours of coverage are (Monday through Friday) from 7:00 am to 5:00 pm,
excluding Federal Holidays. All services/repairs will be performed during normal hours
of coverage unless requested and/or approved by the COR.
B. Federal Holidays are: New Year's Day, Martin Luther King Jr.'s Day, President's Day,
Memorial Day, Independence Day, Labor Day, Columbus Day, Veteran's Day,
Thanksgiving Day, Christmas Day, and any day designated by the President of the United
States as a Federal Holiday.
C. Work performed outside the normal hours of coverage at the request of COR will be
billed at the Emergency Repair fixed hourly rate listed in Section B. Billing will include
services time plus one (1) hour for travel time, and will exclude parts as they are included
in Section B. A separate purchase order will be issued if necessary to cover the cost(s) associated with any additional call back service as described herein.
D. Work performed outside of the normal hours of coverage at the request of the FSE and
approved by the COR will not be billed at the Emergency Repair fixed hourly rate.
Such time is considered normal hours of coverage for each individual occurrence.
7. SERVICE MANUALS:
The VA shall not provide service manuals or service diagnostic software to the contractor for use in providing services under this contract. The contractor shall obtain, have on file, and make available to its FSEs all operational and technical documentation (such as operational and service manuals, schematics, and parts list), which are necessary to meet the performance requirements of this contract. The location and listing of the service data manuals, by name, and/or the manuals themselves shall be provided to the COR upon request.
8. DOCUMENTATION/REPORTS:
The documentation will include equipment down time and detailed descriptions of the scheduled and unscheduled maintenance procedures performed, including replaced parts and prices (for outside normal working hour services) required to maintain the equipment in accordance with conformance standards. Such documentation shall meet the guidelines as set forth in the conformance standards. In addition, each ESR must at a minimum document the following data legibly and in complete detail.
A. Name of Contractor.
B. Name of FSE who performed services.
C. Contractor Service ESR Number/Log Number.
D. Date, Time (starting and ending), Hours-On-Site for service call.
E. VA Purchase Order Number(s) (if any) covering the call, if outside normal working
hours.
F. Description of Problem Reported by COR/User.
G. Identification of Equipment to be serviced including the following: Equipment ID# or EE#
from the bar-code, Manufacturer's Name, Device Name, Model#, Serial #, and any other
Manufacturer's identification numbers.
H. Itemized Description of Service(s) Performed (including Costs associated with after
normal working hour services), including: Labor and Travel, Parts (with part numbers)
and Materials and Circuit Location of problem/corrective action.
I. Total Costs to be billed.
J. Signatures from the following:
i. FSE performing services described.
ii. VA Employee who witnessed service described.
K. Equipment downtime, calculated in accordance with Conformance Standards.
NOTE: ANY ADDITIONAL CHARGES CLAIMED MUST BE APPROVED BY THE
COR BEFORE SERVICE IS COMPLETED!
9. REPORTING REQUIREMENTS:
The contractor shall report to Biomedical Engineering to check-in upon arrival and prior to
performance of work under this contract. This check-in is mandatory and can be accomplished in
person or by phone contact. When the service(s) is/are completed, the FSE shall document the
services rendered on a legible ESR(s). The FSE shall be required to check out with the Biomedical
Engineering Department (location to be specified at time of contract award) and submit the ESR(s) to the COR. All ESRs shall be submitted to the equipment user for an acceptance signature and to the COR for an authorization signature. If the COR is unavailable, a signed accepted copy of the ESR will be sent to the COR within 5 business days of work completion.
FAILURE TO COMPLY, EITHER IN WHOLE OR IN PART, WITH EITHER THE
NOTIFICATION OR ESR REQUIREMENTS WILL BE DEEMED SIGNIFICANT NONCOMPLIANCE WITH THE CONTRACT AND MAY BE JUSTIFICATION FOR
TERMINATION OF THE CONTRACT.
10. ADDITIONAL CHARGES:
There will be no additional charge for time spent at the site during, or after the normal hours of
coverage awaiting the arrival of additional FSE and/or delivery of parts.
11. REPORTING REQUIRED SERVICES BEYOND THE CONTRACT SCOPE:
The contractor shall immediately, but no later than 24 consecutive hours after discovery, notify the CO and COR, (in writing), of the existence or the development of any defects in, or repairs required to the scheduled equipment which the Contractor considers he/she is not responsible for under the terms of the contract. The contractor shall furnish the CO and COR with a written estimate of the cost to make necessary repairs.
12. CONDITION OF EQUIPMENT:
The contractor accepts responsibility for the equipment described in Section B, in as is condition. Failure to inspect the equipment prior to contract award will not relieve the contractor from performance of the requirements of this contract.
13. COMPETENCY OF PERSONNEL SERVICING EQUIPMENT:
A. Each respondent must have an established business with an office and full-time staff. The
staff includes a fully qualified FSE and a fully qualified FSE who will serve as the
backup.
B. Fully Qualified is based upon training and on experience in the field. For training, the
FSE(s) shall have successfully completed a formalized training program, for the
equipment identified in Section B. For field experience, the FSE(s) shall have a minimum
of two years of experience, with respect to scheduled and unscheduled preventive and
remedial maintenance on equipment identified in Section B.
14. TEST EQUIPMENT:
Prior to commencement of work on this contract, the contractor shall provide the VAOPC with a copy of the current calibration certification of all test equipment that is to be used by the contractor in performing work under the contract. This certification shall also be provided on a periodic basis when requested by the VAOPC. Test equipment calibration shall be traceable to a national standard.
15. IDENTIFICATION, PARKING, SMOKING, CELLULAR PHONE USE AND VA
REGULATIONS:
The contractor's FSE shall wear visible identification at all times while on the premises of the
VAOPC. It is the responsibility of the contractor to park in the appropriate designated parking areas.
Information on parking is available from the VA Police-Security Service. The VAOPC will not
invalidate or make reimbursement for parking violations of the contractor under any conditions.
Smoking is prohibited inside any buildings at the VAOPC. Cellular phones and two-way radios are
not to be used within six feet of any medical equipment. Possession of weapons is prohibited.
Enclosed containers, including tool kits, shall be subject to search. Violations of VA regulations may
result in a citation answerable in the United States (Federal) District Court, not a local district, state, or municipal court.
16. COMPLIANCE WITH OSHA BLOODBORNE PATHOGENS STANDARD:
The contractor shall comply with the Federal/California OSHA Bloodborne Pathogens Standard. The
contractor shall:
A. Have methods by which all employees are educated as to risks associated with
bloodborne pathogens.
B. Have policies and procedures that reduce the risk of employee exposure to bloodborne
pathogens.
C. Have mechanisms for employee counseling and treatment following exposure to
bloodborne pathogens.
D. Provide appropriate personal protective equipment/clothing such as gloves, gowns,
masks, protective eyewear, mouthpieces for the employee during performance of the
contract.
RECORDS MANAGEMENT OBLIGATIONS
A. Applicability
This clause applies to all Contractors whose employees create, work with, or otherwise handle Federal records, as defined in Section B, regardless of the medium in which the record exists.
B. Definitions
Federal record as defined in 44 U.S.C. § 3301, includes all recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.
The term Federal record:
includes VHA records.
does not include personal materials.
applies to records created, received, or maintained by Contractors pursuant to their VHA contract.
may include deliverables and documentation associated with deliverables.
C. Requirements
Contractor shall comply with all applicable records management laws and regulations, as well as National Archives and Records Administration (NARA) records policies, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a). These policies include the preservation of all records, regardless of form or characteristics, mode of transmission, or state of completion.
In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation.
In accordance with 36 CFR 1222.32, the Contractor shall maintain all records created for Government use or created in the course of performing the contract and/or delivered to, or under the legal control of the Government and must be managed in accordance with Federal law. Electronic records and associated metadata must be accompanied by sufficient technical documentation to permit understanding and use of the records and data.
VHA and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of VHA or destroyed except in accordance with the provisions of the agency records schedules and with the written concurrence of the Head of the Contracting Activity. Willful and unlawful destruction, damage, or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the event of any unlawful or accidental removal, defacing, alteration, or destruction of records, the Contractor must report to VHA. The agency must report promptly to NARA in accordance with 36 CFR 1230.
The Contractor shall immediately notify the appropriate Contracting Officer upon discovery of any inadvertent or unauthorized disclosures of information, data, documentary materials, records, or equipment. Disclosure of non-public information is limited to authorized personnel with a need-to-know as described in the [contract vehicle]. The Contractor shall ensure that the appropriate personnel, administrative, technical, and physical safeguards are established to ensure the security and confidentiality of this information, data, documentary material, records, and/or equipment is properly protected. The Contractor shall not remove material from Government facilities or systems, or facilities or systems operated or maintained on the Government's behalf, without the express written permission of the Head of the Contracting Activity. When information, data, documentary material, records, and/or equipment is no longer required, it shall be returned to VHA control or the Contractor must hold it until otherwise directed. Items returned to the Government shall be hand-carried, mailed, emailed, or securely electronically transmitted to the Contracting Officer or address prescribed in the [contract vehicle]. Destruction of records is EXPRESSLY PROHIBITED unless in accordance with Paragraph (4).
The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material, and/or records generated under, or relating to, contracts. The Contractor (and any sub-contractor) is required to abide by Government and VHA guidance for protecting sensitive, proprietary information, classified, and controlled unclassified information.
The Contractor shall only use Government IT equipment for purposes specifically tied to or authorized by the contract and in accordance with VHA policy.
The Contractor shall not create or maintain any records containing any non-public VHA information that is not specifically tied to or authorized by the contract.
The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act.
The VHA owns the rights to all data and records produced as part of this contract. All deliverables under the contract are the property of the U.S. Government for which VHA shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Any Contractor rights in the data or deliverables must be identified as required by FAR 52.227-11 through FAR 52.227-20.
Training. All Contractor employees assigned to this contract who create, work with or otherwise handle records are required to take VHA-provided records management training. The Contractor is responsible for confirming training has been completed according to agency policies, including initial training and any annual or refresher training.
[Note: To the extent an agency requires contractors to complete records management training, the agency must provide the training to the contractor.]
D. Flow down of requirements to subcontractors
The Contractor shall incorporate the substance of this clause, its terms, and requirements including this paragraph, in all subcontracts under this [contract vehicle], and require written subcontractor acknowledgment of same.
Violation by a subcontractor of any provision set forth in this clause will be attributed to the Contractor.
VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE
1. GENERAL
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.
2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS
a. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.
b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.
c. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.
d. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.
3. VA INFORMATION CUSTODIAL LANGUAGE
a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).
b. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.
c. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
d. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
4. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE
a. VA prohibits the installation and use of personally-owned or contractor/subcontractor owned equipment or software on VA's network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW or contract. All of the security controls required for government furnished equipment (GFE) must be utilized in approved other equipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV) software and a personal (host-based or enclave based) firewall that is configured with a VA approved configuration. Software must be kept current, including all critical updates and patches. Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE.
b. Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of the lease, for trade-in, or other purposes. For the specific options:
(1) Vendor must accept the system without the drive;
(2) VA's initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or
(3) VA must reimburse the company for media at a reasonable open market replacement cost at the time of purchase.
(4) Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive then:
(a) The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and
(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order contract.
5. SECURITY INCIDENT INVESTIGATION
a. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.
b. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
c. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.
6. LIQUIDATED DAMAGES FOR DATA BREACH
a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.
b. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.
7. TRAINING
a. All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
(1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
(3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]
b. The contractor shall provide to the contracting officer and/or the COR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.
c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.