B.4 PERFORMANCE WORK STATEMENT HAZARDOUS WASTE & NON-HAZARDOUS PHARMACEUTICAL WASTE COLLECTION AND REMOVAL 1. General/Background: The VA medical facilities, located at Poplar Bluff Missouri and Cape Girardeau Missouri, intend to award a Firm Fixed Price Service/Indefinite Delivery Indefinite Quantity (IDIQ) Contract to a qualified firm with the capability and capacity to provide collection and disposal of hazardous waste and non-hazardous pharmaceutical waste. The contract shall include be 5 year IDIQ with task orders issued each 12 month period at the Government s discretion. The services shall be provided in accordance with current federal, state, and local regulations. This contract shall not include the disposal of radiological, infectious, or bio-hazardous waste, but may include small quantities of dual waste (i.e., infectious, and hazardous pharmaceutical waste). 2. Description of Services: The contractor shall collect and dispose of hazardous waste and non-hazardous pharmaceutical waste from the above referenced VA facilities. The contractor shall provide all supplies, services, and equipment necessary to: collect and transport hazardous waste and non-hazardous pharmaceuticals from Satellite Accumulation Areas (SAAs) to the Central Accumulation Areas (CAAs), collect and transport hazardous waste and non-hazardous pharmaceuticals from the CAAs to the final Treatment, Storage, & Disposal Facility (TSDF), review waste streams and the pharmaceutical formulary for waste characterization, develop profiles, conduct technical consulting, and electronic record keeping in accordance with all Federal, State, and Local regulations. 3. Scope, specific tasks, and other requirements 3.1. The contractor shall provide hazardous waste and non-hazardous pharmaceutical waste disposal services for all the above referenced medical facilities. 3.2. Services shall include all labor, materials/supplies, tools, equipment, analysis, travel, transportation, documentation, waste treatment, disposal and support services required to categorize, package, transport, document and dispose of hazardous wastes and non-hazardous pharmaceutical wastes from medical centers referenced above. 3.3. Routine (non-emergency) service for each facility shall occur: 3.3.1 weekly to collect and transport waste from the SAAs to the CAAs, and 3.3.2 monthly to collect and transport waste from the CAAs to the final TSDF. 3.4. The Contractor must possess the necessary technical expertise and resources to successfully perform all services required by this solicitation to be considered for contract award. 3.5. The Contractor shall have a centralized waste tracking system. The centralized tracking system shall include: 3.5.1. a centralized database for all waste characterizations and determinations 3.5.2. hazardous waste manifests, universal bill of lading for wastes 3.5.3. methods of final (end) disposal, final (end) disposal sites, 3.5.4. monthly, quarterly, and annual waste generation reports. 3.6. Waste characterizations and determination reports are due to the COR after initial analysis is complete and anytime a new waste stream is determined. 4. Pharmaceutical Formulary Review The contractor shall provide an electronic review of the national Veterans Affairs pharmaceutical formulary, to be provided within 60 days of contract award, (annually thereafter), and provide recommendations for Best Management Practice (BMP) waste disposal as appropriate. The completed review shall identify all listed waste, characteristic waste, and RCRA-equivalent waste. The review shall also identify Department of Transportation packing and labeling instructions. The final review shall be submitted in Microsoft Excel spreadsheet in an electronic file to the COR by 1 November for each year of the contract. 5. Consulting Services At the medical center s request, the vendor shall provide technical expert consulting services on topics identified by the COR, or the COR s designated representative, that are related to EPA, state-specific RCRA, DOT, and other environmental regulations. 6. Supplies and Installation for Waste Containers The contractor shall supply waste collection containers of various sizes, foot operated pedal stands, and/or wall mount brackets for hospital employee use in satellite collection areas. Containers shall be replaced as needed. The Contractor shall furnish all containers, packing material, and any other necessary equipment and documentation for lab packs. The contractor may, on occasion, be requested to furnish other waste storage containers (e.g., for bulk wastes). STATEMENT OF WORK PART II SUPPORTING INFORMATION 7. General Task Statement -The successful contractor shall be required to provide removal of hazardous waste and non-hazardous pharmaceutical wastes from all respective medical facilities mentioned above. Quantities of each item listed in the schedule are estimates based on a per item amount. Additional wastes not listed may be added to this contract by amendment by the Contracting Office (CO), if such wastes are identified during this contract. Additional chemicals not listed in the schedule shall not be removed from the premises without written authorization from the COR. 7.1. All hazardous wastes and non-hazardous pharmaceutical wastes generated by the medical facilities shall be disposed of by the Contractor in accordance with current Federal, State, and local regulations governing hazardous wastes and non-hazardous pharmaceutical waste disposal and destruction. 7.2. Packaging of wastes shall be in the largest container available for that waste stream. Smaller sizes shall be used for partial loads or to meet the disposal priorities or DOT requirements. 7.3. Contractor shall dispose of hazardous waste in a manner that leaves no future expense potential to the VA or the federal government. Wastes should be disposed of in the following preferred priority: 7.3.1. Recycling of chemicals to another party for future use if economically feasible and practical. 7.4. The treatment of the pharmaceutical waste (at a facility approved for such processing by an appropriate state or federal agency) in a manner that renders it no longer a hazardous waste as defined in the 40 CFR series. These processes include (but are not limited to): 7.4.1. Reprocessing or recovery followed by recycling/reuse. 7.4.2. Chemical neutralization or detoxification. 7.4.3. Thermal treatment (e.g., incineration, pyrolysis). 7.4.4. The long-term internment (burial) in a secure chemical landfill site approved for such by the appropriate state or federal agency. 7.5. Acceptance of the hazardous property at a properly permitted treatment, storage, or disposal site does not constitute disposal and/or completion of the contract. It is the prime contractor s responsibility to obtain all necessary documentation to prove that the end disposal of all items has been accomplished. 7.6. Out of country shipments are prohibited under this contract. 7.7. Waste Characterization - The Contractor is required to perform characterization of all waste streams identified by each facility using process knowledge, identity of the chemicals, and other types of chemical analysis including but not limited to Toxicity Characteristic Leaching Procedure (TCLP). Pharmaceutical chemical wastes shall include but not be limited to ignitable, corrosives, toxics, and reactive wastes. Work shall be performed in accordance with all applicable, Federal, State, Local and governing regulations. The Contractor shall obtain permission from the COR before conducting chemical analysis to be charged against the contract. 7.8. Containerizing - The Contractor shall be responsible to package bulk wastes into the largest container feasible. The Contractor shall be responsible for properly containerizing all lab-packs and for assuming all safety measures to prevent harm or injury to VA patients, visitors, employees, contractor employees (example: PPE) and the environment (example: storm drain covers). Only the above-mentioned facility s COR, Safety Officer/Specialists, Industrial Hygienists, Green Environmental Management System (GEMS) Program Manager or VA Police have the authority under this contract to present a verbal stop work order pertaining to job activity they reasonably believe represents an imminent hazard to life, property, or the environment. This verbal order shall be followed up by a written stop work order issued by the CO as soon as feasible after the imminently hazardous situation has been stabilized or abated. 7.9. Accidental Release - Should hazardous and/or non-hazardous pharmaceutical waste be released during the performance of services under this contract, through no fault of the VA facilities, the Contractor shall be equipped to remediate and shall be responsible for all costs associated with the satisfactory remediation of the spill(s). This shall include the cost of all labor and materials as well as any actual damages incurred to the facility and/or harm caused to patients, visitors, and staff of the medical center. The remediation efforts shall be performed to the satisfaction of the cognizant regulatory authorities and the medical center GEMS Program Managers. 7.10. Location of Pick-Up Points - The Contractor shall be responsible for the pickup of hazardous and nonhazardous waste from multiple storage locations throughout the medical center. The location points may be identified at the time of notification of need for removal service. Access to the waste storage area and pick up locations is to be coordinated with the GEMS Program Managers or designated representative at each facility. 7.11. Building Occupancy - The VA shall maintain full occupancy of the site for the duration of the services required under this contract unless an emergency requires localized evacuation (e.g., discovery of potentially unstable wastes). The Contractor shall not interfere or hinder the daily operations of the VA while performing services during other than exigent circumstances. 7.12. Documentation - The following documents will be collected by the contractor and provided to the COR upon request: 7.12.1. Compliance - The Contractor is required to comply with all Federal, State, and local regulations, policies and procedures regarding tracking, record keeping, manifesting and documentation of all hazardous and non-hazardous chemical waste. The contractor shall be required to comply with all changes to such Federal, State, and local regulations and procedures which occur during the term of this contract. The Contractor shall provide the COR any additional certifications that may be required because of changes in such laws. 7.12.2. Removal - The Contractor shall provide all manifests and documentation that apply to the removal and disposal of hazardous waste and non-hazardous pharmaceutical waste activities conducted by its workforces and/or its subcontractors at initial pick-up of the waste and a final copy (with signature from a disposal facility representative) after waste is accepted by the destination facility. The Contractor shall furnish a properly executed and legible copy of the appropriate manifests required to document the safe shipment and proper disposal of hazardous and non-hazardous chemical waste generated by each medical center facility under the terms of this contract. 7.12.3. Transportation - Prior to the removal and transport of hazardous waste and non-hazardous pharmaceutical waste generated by each of the above-mentioned facilities, the Contractor shall obtain approval and signature for each manifest from the VA Facility s COR or his/her designee verifying that the Contractor has accepted the waste from the VA. Manifests not signed by the COR or his/her designee shall not be deemed valid. The Generator Copy, Generator State Copy and Destination State Copy of the executed manifest (signed manifest shall be provided to the facility within 60 days) shall be provided to the VA Facility COR or the Safety Office when hazardous waste and/or non-hazardous pharmaceutical waste is disposed of as applicable. 7.12.4. Time Limits - In addition to providing the manifests, the Contractor shall provide a properly executed and signed disposal certificate for each manifest to the VA COR or his/her designee within sixty (60) calendar days of removal of waste from the facility. The disposal certificate shall clearly indicate that all waste has been properly disposed of and shall specify the site and date of disposal or incineration. Exceptions to this must be approved by the COR and/or GEMS Program Manager. 7.12.5. Electronic Data - All manifests, waste determinations, waste generation data, shipping information and other data required for the proper execution of this contract shall be maintained by the contractor in an electronic database. This system should enable tracking of generator status, generate monthly, quarterly, or annual reports, and enable tracking of compliance dates. The electronic database shall be provided to the COR upon request and/or at the end of the contract, whichever comes first in a Microsoft Excel spreadsheet or web-based information access. The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract. 7.12.6. The contractor/subcontractor agrees to: 7.12.6.1. Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies: 7.12.6.1.1. The Systems of Records (SOR); and 7.12.6.1.2. The design, development, or operation work that the contractor/subcontractor is to perform; 7.12.6.2. Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a SOR on individuals that is subject to the Privacy Act; and 7.12.6.3. Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a SOR. 8. CAPABILITY REQUIREMENTS/DELIVERY AND PERFORMANCE SCHEDULES 8.1. Training and Experience - Contractor representatives who perform services under this contract must be competent, experienced, and qualified to perform such services listed herein. All work performed shall be first class in accordance with established good waste management practices. The Contractor shall submit proof of appropriate training and experience for vendor personnel performing services. 8.2. Delivery Schedule - It is the intent of this contract to have a regular pick-up monthly. The responsible COR or his/her designee shall notify the Contractor of the necessity for a pickup for unusual circumstances outside of the normal schedule. The Contractor must coordinate all pickups with the facility COR/GEMS Program Managers. The Contractor shall be required to pick up waste within thirty (30) calendar days of telephonic notification by VA representative. 8.3. Government Estimates - The Government requires services on a recurring basis. There shall be no penalty or additional costs incurred should a medical center require more or less than the estimated pickups or disposal volume outlined in the schedule of costs. 8.4. Safety Requirements - In the performance of this contract, the Contractor shall take such safety precautions as reasonably necessary to protect the lives and health of VA patients, visitors, staff, and the general public. The COR or his/her designee shall notify the Contractor of any concerns relating to lack of proper safety precautions as well as the recommended corrective action to remedy the safety concerns. The Contractor shall, after receipt of such notice, immediately correct the conditions to which attention has been directed. If the Contractor fails or refuses to comply promptly to satisfactorily abate the hazardous condition or situation, the COR may issue an order stopping all or any part of the work and hold the Contractor in material breach of this contract. 9. STATEMENT OF WORK PART III SUBMITTALS 9.1. Introduction - The Contractor shall, without additional cost to the VA, provide and maintain all licenses and permits for operational personnel, trailers, containers, vehicles, and other resources required for proper removal of hazardous wastes and non-hazardous pharmaceutical wastes in accordance with all applicable Federal, State, Municipal, and local regulations. If appropriate licenses are not maintained in accordance with Federal, State, and local requirements, the VA may terminate the contract effective upon discovery. The VA reserves the right to halt work if the COR determines work is being done in an unsafe/unhealthy manner or that could harm the environment. The VA Healthcare Systems for the respective VA medical facilities shall not incur additional costs if work is halted for good cause. 9.2. Required Submittals - The following shall be provided to the COR with quote submission for evaluation purposes and annually within thirty (30) days of the renewal date of this contract, with any changes to original submission clearly identified and highlighted: 9.2.1. Current waste transporter permit(s) 9.2.2. List of all transfer stations, treatment, storage, and disposal facilities (TSDFs) including incineration, wastewater and sludge treatment facilities that shall be utilized during this contract to include the capacity of these facilities and the waste codes for the waste streams they are permitted to accept by treatment technology. Address, phone number and other contact information shall be provided. The VA reserves the right to inspect each of these facilities before approving its use or at any time during or after contract period while VA wastes are present. 9.2.3. Copy of Operator permit(s) 9.2.4. Certificates of training and experience of staff and/or personnel who shall perform site work under this contract (all technicians that shall work on VA premises shall be expected to have received at least the minimum training required by law as specified in 29 CFR 1910-120, 40 CFR Parts 260-265 and 49 CFR Parts 171-178). 9.2.5. Provide the contractor s experience in hazardous waste packaging, transport, and disposal. 9.2.6. Provide a copy of US EPA identification number(s) certificate for each business entity operated by the contractor that shall provide service regarding any aspect of VA waste disposal program (i.e., storage, transfer, incinerator sites). 9.2.7. Provide a copy of certificate of registration with the State EPA as a hazardous waste transporter for each business entity operated by the contractor that shall provide hazardous waste transportation services for any aspect of VA waste disposal program. 9.2.8. Provide written acknowledgement of Contractor responsibility for acquisition of all applicable business licenses and permits required by law. Contractor shall certify that it acknowledges and is in possession of all required business licenses and permits. 9.2.9. Provide a list of any violations and/or citations that the contractor has received for non-compliance with any hazardous waste laws, permit requirements, and/or OSHA requirements during the past three years from the date of submission of quote. Contractor shall include information on all related business entities including associated firms that are owned by the contractor or owned by a common parent company that shall be involved in any portion of the processing of VA waste disposal program. If no discharge or violations have occurred, contractor must provide a statement that certifies no discharges or violations have occurred. 9.2.10. Provide a plan describing Standard Operating Procedures (SOPs) that shall be followed while conducting normal hazardous waste and non-hazardous pharmaceutical waste management activities. The contractor shall describe: 9.2.10.1. Site safety and contingency procedures (e.g., spill management). 9.2.10.2. Operational procedures and site management structure. 9.2.10.3. Supplies and equipment practices. 9.2.10.4. Material sampling procedures. 9.2.10.5. Hazard assessment and categorization procedures. 9.2.10.6. Packing procedures. 9.2.10.7. Quality assurance and quality control procedures to ensure materials are properly identified, categorized, and packaged, and paperwork is properly completed. 9.2.10.8. Procedures for gaining waste acceptance into a transfer/ disposal facility. 9.2.10.9. Contractor and project management procedures. 9.2.11. Provide the following information regarding the hazardous waste fleet owned and operated by the contractor: 9.2.11.1. Basic description of transportation services offered and capabilities. 9.2.11.2. Fleet description of number, types, and ages of vehicles. 9.2.11.3. Description of service and maintenance programs. 9.2.11.4. Types of materials licensed to haul. 9.2.11.5. Latest DOT or MCS rating (include a copy of the last inspection). 9.2.11.6. The DOT compliance record. 9.2.11.7. Description of driver qualifications including training programs, and experience. 9.2.11.8. Provide evidence that background checks have been performed on all employees that shall perform any duties under this contract. VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE FOR INCLUSION INTO CONTRACTS GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. VA INFORMATION CUSTODIAL LANGUAGE Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). If VA determines that the contractor has violated any of the information confidentiality, privacy, security, and other provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. SECURITY INCIDENT INVESTIGATION The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. LIQUIDATED DAMAGES FOR DATA BREACH Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. Each risk analysis shall address all relevant information concerning the data breach, including the following: Nature of the event (loss, theft, unauthorized access); Description of the event, including: (a) date of occurrence; (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; (3) Number of individuals affected or potentially affected; (4) Names of individuals or groups affected or potentially affected; (5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; (6) Amount of time the data has been out of VA control; (7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); (8) Known misuses of data containing sensitive personal information, if any; (9) Assessment of the potential harm to the affected individuals; (10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and (11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $__37.50__ per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: (1) Notification; (2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; (3) Data breach analysis; (4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; (5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and (6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. TRAINING All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: Successfully complete the appropriate VA privacy training and annually complete required privacy training (See below training); and Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. 7. ADDITIONAL REQUIREMENTS a. The COR is responsible for coordinating with the Police prior to contractor arrival to identify the names of contractor personnel so that Police can ensure sufficient number of contractor badges are available for issuance prior to beginning work. COR is also responsible for signing out and signing in temporary contractor badges. b. The COR is also responsible for maintaining copies of signed Privacy training for all contractors according to RCS 10-1. c. Any work performed outside of official VA business hours after hours will require escorts. d. Escort duties for un-cleared contractors are strictly limited to government officials, specifically VA employees. At no time are contractors allowed to escort other contractors. VA Privacy Training for Personnel without Access to VA Computer Systems or Direct Access or Use to VA Sensitive Information The Department of Veterans Affairs, VA must comply with all applicable privacy and confidentiality statutes and regulations. One of the requirements in VA is to have all personnel trained annually on privacy requirements. Privacy represents what must be protected by VA in the collection, use, and disclosure of personal information whether the medium is electronic, paper or verbal. This document satisfies the basic privacy training requirement for a contractor, volunteer, or other personnel only if the individual does not use or have access to any VA computer system such as Time and Attendance, PAID, CPRS, VistA Web, VA sensitive information or protected health information (PHI), whether paper or electronic. You will find this training outlines your roles and responsibility for protecting VA sensitive information (medical, financial, or educational) that you may incidentally or accidentally see or overhear. If you have direct access to protected health information or access to a VA computer system where there is protected health information such as CPRS, VistA Web, you must take Privacy and HIPAA Focused Training (TMS 10203). VA Privacy and Information Security Awareness and Rules of Behavior (TMS 10176) is always required in order to use or gain access to a VA computer systems or VA sensitive information, whether or not protected health information is included. Both trainings are located within the VA Talent Management System (TMS): https://www.tms.va.gov What is VA Sensitive Information/Data? All Department information and/or data on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes not only information that identifies an individual but also other information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions. What is Protected Health Information? The HIPAA Privacy Rule defines protected health information as Individually Identifiable Health Information transmitted or maintained in any form or medium by a covered entity, such as VHA. What is an Incidental Disclosure? An incidental disclosure is one where an individual s information may be disclosed incidentally even though appropriate safeguards are in place. Due to the nature of VA communications and practices, as well as the various environments in which Veterans receive healthcare or other services from VA, the potential exists for a Veteran s protected health information or VA sensitive information to be disclosed incidentally. For example: You overhear a healthcare provider s conversation with another provider or patient even when the conversation is taken place appropriately. You may see limited Veteran information on sign-in sheets or white boards within a treating area of the facility. Hearing a Veteran s name being called out for an appointment or when the Veteran is being transported/escorted to and from an appointment. Safeguards You Must Follow To Secure VA Sensitive Information: Secure any VA sensitive information found in unsecured public areas (parking lot, trash can, or vacated area) until information can be given to your supervisor or Privacy Officer. You must report such incidents to your Privacy Officer timely. Don t take VA sensitive information off facilities grounds without VA permission unless the VA information is general public information, i.e., brochures/pamphlets. Don t take pictures using a personal camera without the permission from the Medical Center Director. Any protected health information overheard or seen in VA should not be discussed or shared with anyone who does not have a need to know the information in the performance of their official job duties, this includes spouses, employers or colleagues. Do not share VA access cards, keys, or codes to enter the facility. Immediately report lost or stolen Personal Identity Verification (PIV) or Veteran Health Identification Cards (VHIC), any VA keys or keypad lock codes to your supervisor or VA police. Do not use a VA computer using another VA employee s access and password. Do not ask another VA employee to access your own protected health information. You must request this information in writing from the Release of Information section at your facility. What are the Six Privacy Laws and Statutes Governing VA? Freedom of Information Act (FOIA) compels disclosure of reasonably described VA records or a reasonably segregated portion of the records to any person upon written request unless one or more of the nine exemptions apply. Privacy Act of 1974 provides for the confidentiality of personal information about a living individual who is a United States citizen or an alien lawfully admitted to U.S. and whose information is retrieved by the individual s name or other unique identifier, e.g. Social Security Number. Health Insurance Portability and Accountability Act (HIPAA) provides for the improvement of the efficiency and effectiveness of health care systems by encouraging the development of health information systems through the establishment of standards and requirements for the electronic transmission, privacy, and security of certain health information. 38 U.S.C. 5701 provides for the confidentiality of all VA patient and claimant information, with special protection for their names and home addresses. 38 U.S.C. 7332 provides for the confidentiality of drug abuse, alcoholism and alcohol abuse, infection with the human immunodeficiency virus (HIV) and sickle cell anemia medical records and health information. 38 U.S.C. 5705 provides for the confidentiality of designated medical-quality assurance documents. What are the Privacy Rules Concerning Use and Disclosure? You are not authorized to use or disclose protected health information. In general, VHA personnel may only use information for purposes of treatment, payment or healthcare operations when they have a need-to-know in the course of their official job duties. VHA may only disclose protected health information upon written request by the individual who is the subject of the information or as authorized by law. How is Privacy Enforced? There are both civil and criminal penalties, including monetary penalties that may be imposed if a privacy violation has taken place. Any willful negligent or intentional violation of an individual s privacy by VA personnel, contract staff, volunteers, or others may result in such corrective action as deemed appropriate by VA including the potential loss of employment, contract, or volunteer status. Know your VA/VHA Privacy Officer and Information Security Officer. These are the individuals to whom you can report any potential violation of protected health information or VA sensitive information, or any other concerns regarding privacy of VA sensitive information. YOU ARE RESPONSIBLE FOR PROTECTING THE CONFIDENTIAL INFORMATION OF OUR VETERANS __________________________________________ ________________ Employee (Print Name) Date __________________________________________ Employee Signature __________________________________________ Print Name of Contract Agency, if contractor __________________________________________ Print Name of VHA Department/Supervisor/Local COR PROVIDE A COPY OF THIS FORM TO YOUR SUPERVISOR/LOCAL COR FOR DATA ENTRY INTO TALENT MANAGEMENT SYSTEM 1. Contractor shall comply with all applicable records management laws and regulations, as well as National Archives and Records Administration (NARA) records policies, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a). These policies include the preservation of all records, regardless of form or characteristics, mode of transmission, or state of completion. 2. In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation. 3. In accordance with 36 CFR 1222.32, Contractor shall maintain all records created for Government use or created in the course of performing the contract and/or delivered to, or under the legal control of the Government and must be managed in accordance with Federal law. Electronic records and associated metadata must be accompanied by sufficient technical documentation to permit understanding and use of the records and data. 4. JJP VAMC and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of JJP VAMC or destroyed except for in accordance with the provisions of the agency records schedules and with the written concurrence of the Head of the Contracting Activity. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the event of  any unlawful or accidental removal, defacing, alteration, or destruction of records, Contractor must report to JJP VAMC. The agency must report promptly to NARA in accordance with 36 CFR 1230. 5. The Contractor shall immediately notify the appropriate Contracting Officer upon discovery of any inadvertent or unauthorized disclosures of information, data, documentary materials, records or equipment. Disclosure of non-public information is limited to authorized personnel with a need-to-know as described in the [contract vehicle]. The Contractor shall ensure that the appropriate personnel, administrative, technical, and physical safeguards are established to ensure the security and confidentiality of this information, data, documentary material, records and/or equipment is properly protected. The Contractor shall not remove material from Government facilities or systems, or facilities or systems operated or maintained on the Government s behalf, without the express written permission of the Head of the Contracting Activity. When information, data, documentary material, records and/or equipment is no longer required, it shall be returned to [FACILITY] control or the Contractor must hold it until otherwise directed. Items returned to the Government shall be hand carried, mailed, emailed, or securely electronically transmitted to the Contracting Officer or address prescribed in the [contract vehicle]. Destruction of records is EXPRESSLY PROHIBITED unless in accordance with Paragraph (4). 6. The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, contracts. The Contractor (and any sub-contractor) is required to abide by Government and JJP VAMC guidance for protecting sensitive, proprietary information, classified, and controlled unclassified information. 7. The Contractor shall only use Government IT equipment for purposes specifically tied to or authorized by the contract and in accordance with JJP VAMC policy. 8. The Contractor shall not create or maintain any records containing any non-public JJP VAMC information that are not specifically tied to or authorized by the contract. 9. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act. 10. John J Pershing VAMC owns the rights to all data and records produced as part of this contract. All deliverables under the contract are the property of the U.S. Government for which JJP VAMC shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Any Contractor rights in the data or deliverables must be identified as required by FAR 52.227-11 through FAR 52.227-20. 11. Training.  All Contractor employees assigned to this contract who create, work with, or otherwise handle records are required to take VHA-provided records management training. The Contractor is responsible for confirming training has been completed according to agency policies, including initial training and any annual or refresher training. COR will provide Contractor with Records Management for Everyone to review and attest completion. Reoccuring Waste Streams July 2021 - June 2022 Type Profiled as Times collected throughout the year Containers picked up Weights picked up (lbs) P-List UN1851 Waste Medicine, Liquid, Toxic, N.O.S. (Warfarin) 6.1 PGII One time 2 1, 1 RCRA Pharmaceutical Waste UN3248 Waste Medicine, Liquid, Flammable, Toxic, N.O.S. (Alcohols, Creosols) 3 (6.1) PGII 3 times 3 117, 43, 74 Laboratory waste (acidic) UN3264; Waste Corrosive Liquid, Acidic, Inorganic, N.O.S. (Sulfuric Acid, Hydrochloric Acid), 8, PGII RQ(100) 3 times 3 84, 72, 53 Laboratory waste (basic) UN3266 Waste Corrosive Liquid, Basic, Inorganic, N.O.S. (Sodium Hydroxide) 8, PGII 3 times 3 86, 78, 75 Microbiology Lab Waste UN1992 Waste Flammable Liquids, Toxic, N.O.S. (Acetone, Methyl Alcohol) 3 (6.1) PGII 6 times 10 118, 209, 86, 381, 61, 67 Incompatibles (aerosols, inhalers) UN1950 Waste Aerosols Flammable 2.1 2 times 2 17, 17, Non-hazardous Pharmaceuticals Non-RCRA, Non-DOT Regulated Material (debris, non-hazardous pharmaceutials) 5 times 11 148, 745, 174, 412, 184 Intermittent Waste Streams July 2021 - June 2022  UN1993 Waste Flammable Liquid, N.O.S. (Diethanolamine) 3, PGII One time 1 13 Reoccuring Waste Streams July 2022 - Current Type Profiled as Times collected throughout the year Containers picked up Weights picked up (lbs) P-List UN1851 Waste Medicine, Liquid, Toxic, N.O.S. (Warfarin) 6.1 PGII 2 times 2 3 RCRA Pharmaceutical Waste UN3248 Waste Medicine, Liquid, Flammable, Toxic, N.O.S. (Alcohols, Creosols) 3 (6.1) PGII 2 times 2 188, 96 Laboratory waste (acidic) UN3264; Waste Corrosive Liquid, Acidic, Inorganic, N.O.S. (Sulfuric Acid, Hydrochloric Acid), 8, PGII RQ(100) 2 times 2 83, 40 Laboratory waste (basic) UN3266 Waste Corrosive Liquid, Basic, Inorganic, N.O.S. (Sodium Hydroxide) 8, PGII 2 times 2 100, 107 Microbiology Lab Waste UN1992 Waste Flammable Liquids, Toxic, N.O.S. (Acetone, Methyl Alcohol) 3 (6.1) PGII 4 times 6 76, 72, 120, 161 Incompatibles (aerosols, inhalers) UN1950 Waste Aerosols Flammable 2.1 2 times 2 6, 18 Non-hazardous Pharmaceuticals Non-RCRA, Non-DOT Regulated Material (debris, non-hazardous pharmaceutials) 7 times 12 171, 365, 143, 272, 153, 184, 447 Intermittent Waste Streams July 2022 - Current  UN1263 Waste Paint related material (Hydrotreated heavy naptha petroleum, stoddard solvent) 3 PGII ERG(128) Awaiting Pickup  ~120  UN1823 Waste Sodium Hydroxide, solid (Caustic soda) 8 PGII ERG(154) Awaiting Pickup  ~50  NON DOT, NON RCRA Hazardosu Waste, Liquid Hydraulic Fluid / Compressor Oil Awaiting Pickup  ~350  UN1987 Waste Alcohols, N.O.S. (Methanol, Ethanol) 3 PGIII Methanol Wrights Stain RQ(D001=100lbs) ERG(127) Awaiting Pickup  ~5  UN2789 Waste Acetic Acid, Glacial 8 (3) PGII RQ(D001, D002) ERG(132) Awaiting Pickup  ~5
