TITLE: B-299258, SourceLink Ohio, LLC, March 12, 2007
BNUMBER: B-299258
DATE: March 12, 2007
**********************************************
B-299258, SourceLink Ohio, LLC, March 12, 2007
Decision
Matter of: SourceLink Ohio, LLC
File: B-299258
Date: March 12, 2007
Craig Morgan for the protester.
Roy E. Potter, Esq., United States Government Printing Office, for the
agency.
Nora K. Adkins, Esq., and James A. Spangenberg, Esq., Office of the
General Counsel, GAO, participated in the preparation of the decision.
DIGEST
Protest challenging the rejection of bid by Government Printing Office as
nonresponsive, under an invitation for bids to produce and mail
beneficiary notices, for failure to submit with the bid a Data Use
Agreement--an agreement which requires the contractor to establish and
maintain administrative, technical and physical safeguards to protect the
confidentiality of the data controlled by Centers for Medicare and
Medicaid Services (CMS) needed to perform the contract and which
procedurally calls for CMS's approval prior to agreement execution and the
dissemination of CMS's data--is sustained because this is a matter
concerning the bidder's responsibility, not the responsiveness of the bid.
DECISION
SourceLink Ohio, LLC protests the rejection of its bid as nonresponsive
under invitation for bids (IFB) Program No. 2552-S(R1), issued by the
United States Government Printing Office (GPO) for producing and mailing
beneficiary notices as requisitioned by the Department of Health and Human
Services, Centers for Medicare and Medicaid Services (CMS). The protester
maintains that its failure to submit with its bid a Data Use Agreement
(DUA) involves a matter of bidder responsibility, not bid responsiveness,
and as a result, it should be afforded an opportunity to submit a DUA
application any time prior to award.
We sustain the protest.
The solicitation, issued on October 26, 2006, sought a contractor to
produce and mail Medicare and Medicaid beneficiary notices and related
documents to designated recipients. The performance of this work
necessitates the awardee having access to CMS's records of individual
identifying data, which includes such information as recipients' names and
addresses.
To obtain use of this data, which is controlled by CMS, the contractor
must first sign and submit a DUA to CMS for approval. The DUA is an
agreement required by CMS's policies when an external entity requests
individual identifying data covered by the Privacy Act of 1974, 5 U.S.C.
sect. 522a (Supp. IV 2004). The purpose of the DUA is to secure the data
that resides within the CMS Privacy Act System of Records. Under the DUA,
the external entity (in this case, the contractor) agrees to comply with
the terms of the agreement to ensure the integrity, security, and
confidentiality of the information maintained by CMS. These terms include
such matters as establishing and maintaining administrative, technical and
physical safeguards to protect the confidentiality of the data. The DUA
instructions begin as follows:
This agreement must be executed prior to the disclosure from CMS' System
of Records to ensure that the disclosure will comply with the
requirements of the Privacy Act, the Privacy Rule and CMS data release
policies. It must be completed prior to the release of, or access to,
specified data files containing protected health information and
individual identifiers.
IFB, attach., DUA at 1.
Once an external entity submits a DUA,[1] CMS representatives first review
it for privacy and policy concerns; if it is approved, CMS will complete
and sign the remainder of the agreement and provide the entity with a
signed copy for its files. IFB, attach., DUA, at 1. Thereafter, data
dissemination can occur. By its terms, the DUA is not binding until both
parties have completed and signed the document.
The solicitation required bidders to sign and submit a DUA with their
bids. A blank DUA was furnished with the solicitation as an attachment.
The solicitation stated:
CONTRACTOR MUST SIGN AND SUBMIT WITH THEIR BID A "DATA USE AGREEMENT" TO
ENSURE THE INTEGRITY, SECURITY AND CONFIDENTIALITY OF INFORMATION
MAINTAINED BY CMS AND FOR RELEASE OF FURNISHED DATA TAPES.
IFB at 8. The solicitation further advised, "Failure to complete and
submit this agreement may cause the contractor to be found
NON-responsive." Id. Nothing in the IFB required that the bid include
evidence that the DUA had been submitted to, or approved by, CMS.
GPO opened sealed bids from seven bidders on November 9, 2006. SourceLink
was the apparent low bidder at $156,468.60. SourceLink's bid was found
nonresponsive by GPO because it did not include a completed DUA. On
November 21, 2006, award was made to Gannett Direct Marketing, the next
lowest bidder, at $174,296.17.
SourceLink contends that the agency should not have rejected its bid as
nonresponsive because the failure to submit a DUA is not a matter of
responsiveness, inasmuch as a DUA need only be in place prior to the
release of the CMS data to perform the contract.
In general, to be responsive, a bid must be an unequivocal offer to
perform without exception all the material terms and conditions of the
solicitation. Tennier Indus., Inc., B-239025, July 11, 1990, 90-2 CPD
para. 25 at 2. Where a bidder provides information with its bid that does
not constitute an unequivocal offer or which reduces, limits, or modifies
a material requirement of the solicitation, the bid must be rejected as
nonresponsive. Gardner Zemke Co., B-238334, Apr. 5, 1990, 90-1 CPD para.
372 at 3. Bid responsiveness is to be determined based upon the contents
of the bid as of bid opening. Id. Responsibility, by contrast, refers not
to a bidder's promise to perform, but rather its apparent ability and
capacity to perform the contract requirements, and is determined not at
the time of bid opening, but at any time prior to award, based on any
information received by the agency up to that time. Id.
As indicated, the protester did not include a DUA with its bid; however,
this did not reduce, limit, or modify any material requirement of the
solicitation, nor did it limit the protester's unequivocal acceptance of
the solicitation terms. Under the terms of the DUA, in order to bind the
contractor, the DUA first must be approved and countersigned by CMS, after
CMS reviews the information in the DUA for privacy and policy concerns.
Further, by its terms, the DUA need only be approved by CMS prior to data
dissemination, and nothing indicates that CMS would approve the DUA prior
to bid opening.[2] Thus, the DUA is similar to an application for a
license, permit, or other approval required prior to performance, and thus
can be provided any time prior to award.
It is well established that licensing-type requirements are matters of
responsibility, not responsiveness. Victory Van Corp.; Columbia Van Lines,
Inc., B-180419, Apr. 8, 1974, 74-1 CPD para. 178 at 2. We have held that a
solicitation requiring a bidder to obtain a specific license or permit
concerns the bidder's responsibility (i.e., its ability to perform),
rather than bid responsiveness (i.e., its promise to perform). See Midwest
Sec. Agency, Inc., B-222424, Apr. 7, 1986, 86-1 CPD para. 345 at 2
(evidence of having appropriate security guard licenses or of having
applied for them is matter concerning responsibility); Carolina Waste
Sys., Inc., B-215689.3, Jan. 7, 1985, 85-1 CPD para. 22 at 2 (evidence of
state certification of a waste disposal site is a matter of
responsibility). Much like a license or permit, a solicitation term
requiring submission of information to a responsible third-party agency
(i.e., not the procuring agency) for approval prior to contract
performance is also a matter of responsibility. See Astro-Med, Inc.,
B-232633, Dec. 22, 1988, 88-2 CPD para. 619 at 3 (solicitation requiring
Food and Drug Administration approval to become a registered supplier of
medical devices prior to performance pertains to responsibility).
Here, by signing the DUA and including it in its bid submission to GPO,
the bidder is merely indicating a readiness to apply for approval from CMS
to use CMS data; approval itself can be given at any time prior to data
disclosure. Thus, we find the DUA requirement goes only to the bidder's
ability to perform (i.e., the bidder's responsibility) and that SourceLink
should have been provided a reasonable opportunity to provide a completed
DUA prior to award. Therefore, GPO's rejection of SourceLink's bid as
nonresponsive was improper.
We recommend that SourceLink be provided an opportunity to submit a
completed DUA. If CMS approves the DUA, we recommend that Gannett's
contract be terminated and that award be made to SourceLink. We also
recommend that the agency reimburse the protester the costs of filing and
pursuing its protest, including reasonable attorneys' fees. Bid Protest
Regulations, 4 C.F.R. sect. 21.8(d)(1) (2006). In accordance with section
21.8(f) of our Regulations, Sourcelink's certified claim for costs,
detailing the time expended and the costs incurred, must be submitted
directly to the agency within 60 days of receiving this decision.
The protest is sustained.
Gary L. Kepplinger
General Counsel
------------------------
[1] The external entity requesting data from CMS must provide the
following information in the DUA: its name; the data custodian's name,
address, phone number and email; the study or project name; the files and
years of the data requested; the completion date; the name of the funding
federal agency; and its representative's signature.
[2] In fact, nothing in the IFB or the DUA would prevent CMS from
approving or declining to approve the DUA after contract award but prior
to data dissemination. The record does not indicate whether such approval
is ordinarily obtained from CMS prior to award or prior to data
dissemination as part of contract performance.