TITLE: B-299258, SourceLink Ohio, LLC, March 12, 2007
BNUMBER: B-299258
DATE: March 12, 2007
**********************************************
B-299258, SourceLink Ohio, LLC, March 12, 2007

   Decision

   Matter of: SourceLink Ohio, LLC

   File: B-299258

   Date: March 12, 2007

   Craig Morgan for the protester.

   Roy E. Potter, Esq., United States Government Printing Office, for the
   agency.

   Nora K. Adkins, Esq., and James A. Spangenberg, Esq., Office of the
   General Counsel, GAO, participated in the preparation of the decision.

   DIGEST

   Protest challenging the rejection of bid by Government Printing Office as
   nonresponsive, under an invitation for bids to produce and mail
   beneficiary notices, for failure to submit with the bid a Data Use
   Agreement--an agreement which requires the contractor to establish and
   maintain administrative, technical and physical safeguards to protect the
   confidentiality of the data controlled by Centers for Medicare and
   Medicaid Services (CMS) needed to perform the contract and which
   procedurally calls for CMS's approval prior to agreement execution and the
   dissemination of CMS's data--is sustained because this is a matter
   concerning the bidder's responsibility, not the responsiveness of the bid.

   DECISION

   SourceLink Ohio, LLC protests the rejection of its bid as nonresponsive
   under invitation for bids (IFB) Program No. 2552-S(R1), issued by the
   United States Government Printing Office (GPO) for producing and mailing
   beneficiary notices as requisitioned by the Department of Health and Human
   Services, Centers for Medicare and Medicaid Services (CMS). The protester
   maintains that its failure to submit with its bid a Data Use Agreement
   (DUA) involves a matter of bidder responsibility, not bid responsiveness,
   and as a result, it should be afforded an opportunity to submit a DUA
   application any time prior to award.

   We sustain the protest.

   The solicitation, issued on October 26, 2006, sought a contractor to
   produce and mail Medicare and Medicaid beneficiary notices and related
   documents to designated recipients. The performance of this work
   necessitates the awardee having access to CMS's records of individual
   identifying data, which includes such information as recipients' names and
   addresses.

   To obtain use of this data, which is controlled by CMS, the contractor
   must first sign and submit a DUA to CMS for approval. The DUA is an
   agreement required by CMS's policies when an external entity requests
   individual identifying data covered by the Privacy Act of 1974, 5 U.S.C.
   sect. 522a (Supp. IV 2004). The purpose of the DUA is to secure the data
   that resides within the CMS Privacy Act System of Records. Under the DUA,
   the external entity (in this case, the contractor) agrees to comply with
   the terms of the agreement to ensure the integrity, security, and
   confidentiality of the information maintained by CMS. These terms include
   such matters as establishing and maintaining administrative, technical and
   physical safeguards to protect the confidentiality of the data. The DUA
   instructions begin as follows:

     This agreement must be executed prior to the disclosure from CMS' System
     of Records to ensure that the disclosure will comply with the
     requirements of the Privacy Act, the Privacy Rule and CMS data release
     policies. It must be completed prior to the release of, or access to,
     specified data files containing protected health information and
     individual identifiers.

   IFB, attach., DUA at 1.

   Once an external entity submits a DUA,[1] CMS representatives first review
   it for privacy and policy concerns; if it is approved, CMS will complete
   and sign the remainder of the agreement and provide the entity with a
   signed copy for its files. IFB, attach., DUA, at 1. Thereafter, data
   dissemination can occur. By its terms, the DUA is not binding until both
   parties have completed and signed the document.

   The solicitation required bidders to sign and submit a DUA with their
   bids. A blank DUA was furnished with the solicitation as an attachment.
   The solicitation stated:

     CONTRACTOR MUST SIGN AND SUBMIT WITH THEIR BID A "DATA USE AGREEMENT" TO
     ENSURE THE INTEGRITY, SECURITY AND CONFIDENTIALITY OF INFORMATION
     MAINTAINED BY CMS AND FOR RELEASE OF FURNISHED DATA TAPES.

   IFB at 8. The solicitation further advised, "Failure to complete and
   submit this agreement may cause the contractor to be found
   NON-responsive." Id. Nothing in the IFB required that the bid include
   evidence that the DUA had been submitted to, or approved by, CMS.

   GPO opened sealed bids from seven bidders on November 9, 2006. SourceLink
   was the apparent low bidder at $156,468.60. SourceLink's bid was found
   nonresponsive by GPO because it did not include a completed DUA. On
   November 21, 2006, award was made to Gannett Direct Marketing, the next
   lowest bidder, at $174,296.17.

   SourceLink contends that the agency should not have rejected its bid as
   nonresponsive because the failure to submit a DUA is not a matter of
   responsiveness, inasmuch as a DUA need only be in place prior to the
   release of the CMS data to perform the contract.

   In general, to be responsive, a bid must be an unequivocal offer to
   perform without exception all the material terms and conditions of the
   solicitation. Tennier Indus., Inc., B-239025, July 11, 1990, 90-2 CPD
   para. 25 at 2. Where a bidder provides information with its bid that does
   not constitute an unequivocal offer or which reduces, limits, or modifies
   a material requirement of the solicitation, the bid must be rejected as
   nonresponsive. Gardner Zemke Co., B-238334, Apr. 5, 1990, 90-1 CPD para.
   372 at 3. Bid responsiveness is to be determined based upon the contents
   of the bid as of bid opening. Id. Responsibility, by contrast, refers not
   to a bidder's promise to perform, but rather its apparent ability and
   capacity to perform the contract requirements, and is determined not at
   the time of bid opening, but at any time prior to award, based on any
   information received by the agency up to that time. Id.

   As indicated, the protester did not include a DUA with its bid; however,
   this did not reduce, limit, or modify any material requirement of the
   solicitation, nor did it limit the protester's unequivocal acceptance of
   the solicitation terms. Under the terms of the DUA, in order to bind the
   contractor, the DUA first must be approved and countersigned by CMS, after
   CMS reviews the information in the DUA for privacy and policy concerns.
   Further, by its terms, the DUA need only be approved by CMS prior to data
   dissemination, and nothing indicates that CMS would approve the DUA prior
   to bid opening.[2] Thus, the DUA is similar to an application for a
   license, permit, or other approval required prior to performance, and thus
   can be provided any time prior to award.

   It is well established that licensing-type requirements are matters of
   responsibility, not responsiveness. Victory Van Corp.; Columbia Van Lines,
   Inc., B-180419, Apr. 8, 1974, 74-1 CPD para. 178 at 2. We have held that a
   solicitation requiring a bidder to obtain a specific license or permit
   concerns the bidder's responsibility (i.e., its ability to perform),
   rather than bid responsiveness (i.e., its promise to perform). See Midwest
   Sec. Agency, Inc., B-222424, Apr. 7, 1986, 86-1 CPD para. 345 at 2
   (evidence of having appropriate security guard licenses or of having
   applied for them is matter concerning responsibility); Carolina Waste
   Sys., Inc., B-215689.3, Jan. 7, 1985, 85-1 CPD para. 22 at 2 (evidence of
   state certification of a waste disposal site is a matter of
   responsibility). Much like a license or permit, a solicitation term
   requiring submission of information to a responsible third-party agency
   (i.e., not the procuring agency) for approval prior to contract
   performance is also a matter of responsibility. See Astro-Med, Inc.,
   B-232633, Dec. 22, 1988, 88-2 CPD para. 619 at 3 (solicitation requiring
   Food and Drug Administration approval to become a registered supplier of
   medical devices prior to performance pertains to responsibility).

   Here, by signing the DUA and including it in its bid submission to GPO,
   the bidder is merely indicating a readiness to apply for approval from CMS
   to use CMS data; approval itself can be given at any time prior to data
   disclosure. Thus, we find the DUA requirement goes only to the bidder's
   ability to perform (i.e., the bidder's responsibility) and that SourceLink
   should have been provided a reasonable opportunity to provide a completed
   DUA prior to award. Therefore, GPO's rejection of SourceLink's bid as
   nonresponsive was improper.

   We recommend that SourceLink be provided an opportunity to submit a
   completed DUA. If CMS approves the DUA, we recommend that Gannett's
   contract be terminated and that award be made to SourceLink. We also
   recommend that the agency reimburse the protester the costs of filing and
   pursuing its protest, including reasonable attorneys' fees. Bid Protest
   Regulations, 4 C.F.R. sect. 21.8(d)(1) (2006). In accordance with section
   21.8(f) of our Regulations, Sourcelink's certified claim for costs,
   detailing the time expended and the costs incurred, must be submitted
   directly to the agency within 60 days of receiving this decision.

   The protest is sustained.

   Gary L. Kepplinger
   General Counsel

   ------------------------

   [1] The external entity requesting data from CMS must provide the
   following information in the DUA: its name; the data custodian's name,
   address, phone number and email; the study or project name; the files and
   years of the data requested; the completion date; the name of the funding
   federal agency; and its representative's signature.

   [2] In fact, nothing in the IFB or the DUA would prevent CMS from
   approving or declining to approve the DUA after contract award but prior
   to data dissemination. The record does not indicate whether such approval
   is ordinarily obtained from CMS prior to award or prior to data
   dissemination as part of contract performance.