Decision

Matter of: SourceLink Ohio, LLC

File: B-299258

Date: March 12, 2007

DIGEST

Protest challenging the rejection of bid by Government Printing Office as nonresponsive, under an invitation for bids to produce and mail beneficiary notices, for failure to submit with the bid a Data Use Agreement--an agreement which requires the contractor to establish and maintain administrative, technical and physical safeguards to protect the confidentiality of the data controlled by Centers for Medicare and Medicaid Services (CMS) needed to perform the contract and which procedurally calls for CMS's approval prior to agreement execution and the dissemination of CMS's data--is sustained because this is a matter concerning the bidder's responsibility, not the responsiveness of the bid.

SourceLink Ohio, LLC protests the rejection of its bid as nonresponsive under invitation for bids (IFB) Program No. 2552-S(R1), issued by the United States Government Printing Office (GPO) for producing and mailing beneficiary notices as requisitioned by the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS). The protester maintains that its failure to submit with its bid a Data Use Agreement (DUA) involves a matter of bidder responsibility, not bid responsiveness, and as a result, it should be afforded an opportunity to submit a DUA application any time prior to award.

We sustain the protest.

The solicitation, issued on October 26, 2006, sought a contractor to produce and mail Medicare and Medicaid beneficiary notices and related documents to designated recipients. The performance of this work necessitates the awardee having access to CMS's records of individual identifying data, which includes such information as recipients' names and addresses.

To obtain use of this data, which is controlled by CMS, the contractor must first sign and submit a DUA to CMS for approval. The DUA is an agreement required by CMS's policies when an external entity requests individual identifying data covered by the Privacy Act of 1974, 5 U.S.C. sect. 522a (Supp. IV 2004). The purpose of the DUA is to secure the data that resides within the CMS Privacy Act System of Records. Under the DUA, the external entity (in this case, the contractor) agrees to comply with the terms of the agreement to ensure the integrity, security, and confidentiality of the information maintained by CMS. These terms include such matters as establishing and maintaining administrative, technical and physical safeguards to protect the confidentiality of the data. The DUA instructions begin as follows:

This agreement must be executed prior to the disclosure from CMS' System of Records to ensure that the disclosure will comply with the requirements of the Privacy Act, the Privacy Rule and CMS data release policies. It must be completed prior to the release of, or access to, specified data files containing protected health information and individual identifiers.

IFB, attach., DUA at 1.

Once an external entity submits a DUA,[1] CMS representatives first review it for privacy and policy concerns; if it is approved, CMS will complete and sign the remainder of the agreement and provide the entity with a signed copy for its files. IFB, attach., DUA, at 1. Thereafter, data dissemination can occur. By its terms, the DUA is not binding until both parties have completed and signed the document.

The solicitation required bidders to sign and submit a DUA with their bids. A blank DUA was furnished with the solicitation as an attachment. The solicitation stated:

CONTRACTOR MUST SIGN AND SUBMIT WITH THEIR BID A –DATA USE AGREEMENT— TO ENSURE THE INTEGRITY, SECURITY AND CONFIDENTIALITY OF INFORMATION MAINTAINED BY CMS AND FOR RELEASE OF FURNISHED DATA TAPES.

IFB at 8. The solicitation further advised, –Failure to complete and submit this agreement may cause the contractor to be found NON-responsive.— Id.Nothing in the IFB required that the bid include evidence that the DUA had been submitted to, or approved by, CMS.

GPO opened sealed bids from seven bidders on November 9, 2006. SourceLink was the apparent low bidder at $156,468.60. SourceLink's bid was found nonresponsive by GPO because it did not include a completed DUA. On November 21, 2006, award was made to Gannett Direct Marketing, the next lowest bidder, at $174,296.17.

SourceLink contends that the agency should not have rejected its bid as nonresponsive because the failure to submit a DUA is not a matter of responsiveness, inasmuch as a DUA need only be in place prior to the release of the CMS data to perform the contract.

In general, to be responsive, a bid must be an unequivocal offer to perform without exception all the material terms and conditions of the solicitation. Tennier Indus., Inc., B-239025, July 11, 1990, 90-2 CPD para. 25 at 2. Where a bidder provides information with its bid that does not constitute an unequivocal offer or which reduces, limits, or modifies a material requirement of the solicitation, the bid must be rejected as nonresponsive. Gardner Zemke Co., B'238334, Apr. 5, 1990, 90-1 CPD para. 372 at 3. Bid responsiveness is to be determined based upon the contents of the bid as of bid opening. Id.Responsibility, by contrast, refers not to a bidder's promise to perform, but rather its apparent ability and capacity to perform the contract requirements, and is determined not at the time of bid opening, but at any time prior to award, based on any information received by the agency up to that time. Id.

As indicated, the protester did not include a DUA with its bid; however, this did not reduce, limit, or modify any material requirement of the solicitation, nor did it limit the protester's unequivocal acceptance of the solicitation terms. Under the terms of the DUA, in order to bind the contractor, the DUA first must be approved and countersigned by CMS, after CMS reviews the information in the DUA for privacy and policy concerns. Further, by its terms, the DUA need only be approved by CMS prior to data dissemination, and nothing indicates that CMS would approve the DUA prior to bid opening.[2] Thus, the DUA is similar to an application for a license, permit, or other approval required prior to performance, and thus can be provided any time prior to award.

It is well established that licensing-type requirements are matters of responsibility, not responsiveness. Victory Van Corp.; Columbia Van Lines, Inc., B-180419, Apr. 8, 1974, 74-1 CPD para. 178 at 2. We have held that a solicitation requiring a bidder to obtain a specific license or permit concerns the bidder's responsibility (i.e., its ability to perform), rather than bid responsiveness (i.e., its promise to perform). See Midwest Sec. Agency, Inc., B-222424, Apr. 7, 1986, 86-1 CPD para. 345 at 2 (evidence of having appropriate security guard licenses or of having applied for them is matter concerning responsibility); Carolina Waste Sys., Inc., B-215689.3, Jan. 7, 1985, 85'1 CPD para. 22 at 2 (evidence of state certification of a waste disposal site is a matter of responsibility). Much like a license or permit, a solicitation term requiring submission of information to a responsible third-party agency (i.e., not the procuring agency) for approval prior to contract performance is also a matter of responsibility. See Astro-Med, Inc., B-232633, Dec. 22, 1988, 88-2 CPD para. 619 at 3 (solicitation requiring Food and Drug Administration approval to become a registered supplier of medical devices prior to performance pertains to responsibility).

Here, by signing the DUA and including it in its bid submission to GPO, the bidder is merely indicating a readiness to apply for approval from CMS to use CMS data; approval itself can be given at any time prior to data disclosure. Thus, we find the DUA requirement goes only to the bidder's ability to perform (i.e., the bidder's responsibility) and that SourceLink should have been provided a reasonable opportunity to provide a completed DUA prior to award. Therefore, GPO's rejection of SourceLink's bid as nonresponsive was improper.

We recommend that SourceLink be provided an opportunity to submit a completed DUA. If CMS approves the DUA, we recommend that Gannett's contract be terminated and that award be made to SourceLink. We also recommend that the agency reimburse the protester the costs of filing and pursuing its protest, including reasonable attorneys' fees. Bid Protest Regulations, 4 C.F.R. sect. 21.8(d)(1) (2006). In accordance with section 21.8(f) of our Regulations, Sourcelink's certified claim for costs, detailing the time expended and the costs incurred, must be submitted directly to the agency within 60 days of receiving this decision.

The protest is sustained.

Gary L. Kepplinger
General Counsel