B-299258, SourceLink Ohio, LLC, March 12, 2007

Case: B-299258 Agency: Protester: B Date: 2007-03-12 Sustained
View full decision with AI analysis on ProtestIntel →
B-299258 Mar 12, 2007 Jump To VIEW DECISION DOWNLOADS RELATED PAGES GAO CONTACTS Highlights SourceLink Ohio, LLC protests the rejection of its bid as nonresponsive under invitation for bids (IFB) Program No. 2552-S(R1), issued by the United States Government Printing Office (GPO) for producing and mailing beneficiary notices as requisitioned by the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS). The protester maintains that its failure to submit with its bid a Data Use Agreement (DUA) involves a matter of bidder responsibility, not bid responsiveness, and as a result, it should be afforded an opportunity to submit a DUA application any time prior to award. We sustain the protest. View Decision B-299258, SourceLink Ohio, LLC, March 12, 2007 Decision Matter of: SourceLink Ohio, LLC File: B-299258 Date: March 12, 2007 Craig Morgan for the protester. Roy E. Potter, Esq., United States Government Printing Office, for the agency. Nora K. Adkins, Esq., and James A. Spangenberg, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision. DIGEST Protest challenging the rejection of bid by Government Printing Office as nonresponsive, under an invitation for bids to produce and mail beneficiary notices, for failure to submit with the bid a Data Use Agreement--an agreement which requires the contractor to establish and maintain administrative, technical and physical safeguards to protect the confidentiality of the data controlled by Centers for Medicare and Medicaid Services (CMS) needed to perform the contract and which procedurally calls for CMS's approval prior to agreement execution and the dissemination of CMS's data--is sustained because this is a matter concerning the bidder's responsibility, not the responsiveness of the bid. DECISION SourceLink Ohio, LLC protests the rejection of its bid as nonresponsive under invitation for bids (IFB) Program No. 2552-S(R1), issued by the United States Government Printing Office (GPO) for producing and mailing beneficiary notices as requisitioned by the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS). The protester maintains that its failure to submit with its bid a Data Use Agreement (DUA) involves a matter of bidder responsibility, not bid responsiveness, and as a result, it should be afforded an opportunity to submit a DUA application any time prior to award. We sustain the protest. The solicitation, issued on October 26, 2006, sought a contractor to produce and mail Medicare and Medicaid beneficiary notices and related documents to designated recipients. The performance of this work necessitates the awardee having access to CMS's records of individual identifying data, which includes such information as recipients' names and addresses. To obtain use of this data, which is controlled by CMS, the contractor must first sign and submit a DUA to CMS for approval. The DUA is an agreement required by CMS's policies when an external entity requests individual identifying data covered by the Privacy Act of 1974, 5 U.S.C. sect. 522a (Supp. IV 2004). The purpose of the DUA is to secure the data that resides within the CMS Privacy Act System of Records. Under the DUA, the external entity (in this case, the contractor) agrees to comply with the terms of the agreement to ensure the integrity, security, and confidentiality of the information maintained by CMS. These terms include such matters as establishing and maintaining administrative, technical and physical safeguards to protect the confidentiality of the data. The DUA instructions begin as follows: This agreement must be executed prior to the disclosure from CMS' System of Records to ensure that the disclosure will comply with the requirements of the Privacy Act, the Privacy Rule and CMS data release policies. It must be completed prior to the release of, or access to, specified data files containing protected health information and individual identifiers. IFB, attach., DUA at 1. Once an external entity submits a DUA,[1] CMS representatives first review it for privacy and policy concerns; if it is approved, CMS will complete and sign the remainder of the agreement and provide the entity with a signed copy for its files. IFB, attach., DUA, at 1. Thereafter, data dissemination can occur. By its terms, the DUA is not binding until both parties have completed and signed the document. The solicitation required bidders to sign and submit a DUA with their bids. A blank DUA was furnished with the solicitation as an attachment. The solicitation stated: CONTRACTOR MUST SIGN AND SUBMIT WITH THEIR BID A –DATA USE AGREEMENT— TO ENSURE THE INTEGRITY, SECURITY AND CONFIDENTIALITY OF INFORMATION MAINTAINED BY CMS AND FOR RELEASE OF FURNISHED DATA TAPES. IFB at 8.

Full decision text continues on ProtestIntel...