[Federal Register Volume 64, Number 206 (Tuesday, October 26, 1999)]
[Rules and Regulations]
[Pages 57740-57764]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-27472]
[[Page 57739]]
_______________________________________________________________________
Part IV
Department of Health and Human Services
_______________________________________________________________________
Office of the Secretary
_______________________________________________________________________
Office of Inspector General
_______________________________________________________________________
45 CFR Part 61
Health Care Fraud and Abuse Data Collection Program: Reporting of Final
Adverse Actions; Final Rule
��Federal Register / Vol. 64, No. 206 / Tuesday, October 26, 1999 /
Rules and Regulations��
[[Page 57740]]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
Office of Inspector General
45 CFR Part 61
RIN 0906-AA46
Health Care Fraud and Abuse Data Collection Program: Reporting of
Final Adverse Actions
AGENCY: Office of Inspector General (OIG), HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule establishes a new CFR part to implement the
statutory requirements of section 1128E of the Social Security Act, as
added by section 221(a) of the Health Insurance Portability and
Accountability Act (HIPAA) of 1996. Section 221(a) of HIPAA
specifically directs the Secretary to establish a national health care
fraud and abuse data collection program for the reporting and
disclosing of certain final adverse actions taken against health care
providers, suppliers and practitioners, and to maintain a data base of
final adverse actions taken against health care providers, suppliers
and practitioners.
EFFECTIVE DATE: This rule is effective on October 26, 1999.
FOR FURTHER INFORMATION CONTACT: Thomas C. Croft, Director, Division of
Quality Assurance, Bureau of Health Professions, Health Resources and
Services Administration, (301) 443-2300.
SUPPLEMENTARY INFORMATION:
I. Background
The Healthcare Integrity and Protection Data Bank
On October 30, 1998, the Office of Inspector General (OIG)
published a proposed rule in the Federal Register (63 FR 58341)
designed to implement the statutory requirements of section 1128E of
the Social Security Act (the Act), as added by section 221(a) of the
Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Section 221(a) of HIPAA specifically directs the Secretary to establish
a national health care fraud and abuse data collection program for the
reporting and disclosing of certain final adverse actions taken against
health care providers, suppliers and practitioners, and to maintain a
data base of final adverse actions taken against health care providers,
suppliers and practitioners. Final adverse actions include: (1) Civil
judgments against a health care provider, supplier, or practitioner in
Federal or State court related to the delivery of a health care item or
service; (2) Federal or State criminal convictions against a health
care provider, supplier or practitioner related to the delivery of a
health care item or service; (3) actions by Federal or State agencies
responsible for the licensing and certification of health care
providers, suppliers or practitioners; (4) exclusion of a health care
provider, supplier or practitioner from participation in Federal or
State health care programs; and (5) any other adjudicated actions or
decisions that the Secretary establishes by regulation. Settlements in
which no findings or admissions of liability have been made will be
excluded from reporting. Access to this new data bank is limited to
Federal and State Government agencies and health plans. Reporting is
limited to these same groups. Health care providers, suppliers and
practitioners may self query the data bank, but have no reporting
responsibilities. The Act also requires the Secretary to implement the
national health care fraud and abuse data collection program in such a
manner as to (1) assure that the privacy of individuals is maintained;
(2) establish reasonable fees for disclosure of information to recover
full operating costs; and (3) avoid duplication with the reporting
requirements established for the National Practitioner Data Bank
(NPDB). This new data bank is known as the Healthcare Integrity and
Protection Data Bank (HIPDB).
II. Summary of the Proposed Rule
The proposed regulations published on October 30, 1998 were
developed to establish a new 45 CFR part 61 to implement the
requirements for reporting of specific data elements to, and procedures
for obtaining information from, the HIPDB (and are applicable to
Federal and State Government agencies and health plans). Set forth
below is a description of the major provisions of the proposed rule,
including, among other things, proposed definitions for certain terms
associated with the HIPDB, a discussion of the specific reporting
requirements and when such information must be reported, the fees
applicable to requests for information, the issues of the
confidentiality of information, and how to dispute the accuracy of
information in the HIPDB.
Provisions of the Proposed Rule
1. Definitions
The proposed regulations expanded on previous regulatory
definitions and clarified aspects of a number of terms set forth in the
statute. The clarifications served to provide additional examples of
the scope of the statutory definitions, but did not go beyond
congressional intent. The proposed rule specifically set forth
definitions for the terms ``affiliated or associated;'' ``Government
agency;'' ``health care provider;'' ``health care supplier;'' ``health
plan;'' ``licensed health care practitioner, licensed practitioner and
practitioner;'' and ``other adjudicated actions or decisions.''
2. When Information Must Be Reported
The proposed regulations sought to establish the time frame for
submitting reports to the HIPDB. As proposed, information would be
submitted to the HIPDB (1) within 30 calendar days from the date the
final adverse action was taken or the date when the reporting entity
became aware of the final adverse action, or (2) by the close of the
entity's next monthly reporting cycle, whichever is later. The date the
final adverse action was taken, its effective date and duration of the
action would all be contained in the information reported to the HIPDB.
We also proposed a list of ``mandatory'' data elements, as well as
data elements that must be reported to the data bank ``if known.'' We
note that section 1128E(b)(2)(A) of the Act mandates that Federal and
State Government agencies and health care plans collect and report
Social Security Numbers and Federal Employer Identification Numbers for
the purposes of reporting to the HIPDB.
3. Reporting Errors, Omissions, Revisions and Actions on Appeal
In Sec. 61.6 of the proposed regulations, we indicated that if any
errors or omissions in the final adverse action are discovered after
the information has been reported, the person or entity that reported
such information must send an addition or correction to the HIPDB
within 60 calendar days of the discovery. We also proposed that any
revision to the action or to appeal status must similarly be reported
within 30 calendar days after the reporting entity learns of such
revision or appeal. In turn, we proposed that each subject of a report
will receive a copy when it is entered into the HIPDB and a copy of all
revisions and corrections to the report. This is an opportunity only
for the reporting entity to correct any errors or omissions in the
information, not for the subjects to request re-adjudication of their
cases.
[[Page 57741]]
4. Reporting Licensure Actions Taken by Federal or State Licensing and
Certification Agencies
In proposed Sec. 61.7, we addressed the reporting of licensure
actions taken by Federal and State licensing and certification
agencies. We proposed defining the phrase ``any other negative action
or finding'' by a Federal or State licensing and certification
authority to mean any action or finding that is publicly available and
rendered by a licensing or certification authority. These actions or
findings include, but are not limited to, imposition of civil money
penalties (CMPs) and administrative fines, limitations on the scope of
practice, injunctions and forfeitures. As indicated in the proposed
rule, this definition included final adverse actions occurring in
conjunction with settlements in which no findings or admissions of
liability have been made, and that would otherwise be reportable under
the statute.
The statute also requires the reporting of a health care provider,
supplier or practitioner who voluntarily surrenders a license or
certification. Based on extensive discussions with various State
agencies, we were advised that voluntary surrender and non-renewal of
licensure and provider participation agreements are not infrequently
used as means to exclude questionable health care providers, suppliers
and practitioners from participating in Federal and State health care
programs. These voluntary surrenders and non-renewal actions result in
allowing questionable health care providers, suppliers or practitioners
to move from State to State without the new State licensing agency
becoming aware of the true nature of the action in the prior licensing
State. Therefore, for reporting purposes, we proposed that the term
``voluntary surrender'' include a surrender made after a notification
of investigation or a formal official request by Federal or State
licensing or certification authorities for a health care provider,
supplier or practitioner to surrender the license or certification
(including certification agreements or contracts for participation in
Federal or State health care programs). This proposed definition also
included those instances where a health care provider, supplier or
practitioner voluntarily surrenders a license or certification
(including program participation agreements or contracts) in exchange
for a decision by the licensing or certification authority to cease an
investigation or similar proceeding, or in return for not conducting an
investigation or proceeding, or in lieu of a disciplinary action.
We recognized that many voluntary surrenders are not a result of
the types of adverse actions that are intended for inclusion in the
HIPDB. Therefore, we proposed that voluntary surrenders and licensure
non-renewals due to nonpayment of licensure fees, changes to inactive
status, and retirement be excluded from reporting to the HIPDB unless
they are taken in combination with one or more of the circumstances
listed above (in which case they would be reportable).
5. Reporting Federal or State Criminal Convictions Related to the
Delivery of a Health Care Item or Service
In proposed Sec. 61.8, we stated that Federal and State law
enforcement and investigative agencies would be required to report
criminal convictions against health care providers, suppliers or
practitioners. Consistent with section 1128E(g)(1)(A)(ii) of the Act,
we also proposed that criminal convictions unrelated to the delivery of
health care items or services would not be reported under this section.
6. Reporting of Civil Judgments in Federal or State Court Related to
the Delivery of a Health Care Item or Service
In proposed Sec. 61.9, we put forth that Federal and State law
enforcement and investigative agencies and health plans be required to
report civil judgments related to the delivery of a health care item or
service (except those resulting from medical malpractice) against
health care providers, suppliers or practitioners. The proposed rule
indicated that civil judgments must be entered or approved by a Federal
or State court. We also proposed that this reporting requirement would
not include Consent Judgments that have been agreed upon and entered to
provide security for civil settlements in which there was no finding or
admission of liability.
7. Reporting Exclusion From Participation in Federal or State Health
Care Programs
In proposed Sec. 61.10, we stated that the OIG would be required to
report health care providers, suppliers or practitioners excluded from
participating in Federal or State health care programs. We also
proposed that this section include exclusions made in a matter in which
there also was a settlement even though the settlement itself is not
reported because no findings or admissions of liability had been made.
8. Reporting Other Adjudicated Actions or Decisions
In proposed Sec. 61.11, we proposed that Federal and State agencies
and health plans be required to report other adjudicated actions or
decisions. Although not specifically required by the statute, we
proposed that ``any other adjudicated actions or decisions'' should
relate to the delivery of a health care item or service, as do criminal
convictions and civil judgments collected under the statute. We also
proposed in this section that a due process mechanism be available with
all adjudicated actions or decisions. In the proposed rule, we provided
examples of an adjudicated action or decision to include, but not be
limited to:
Orders by an administrative law judge;
CMPs and assessments;
Revocations, debarments or other restrictions from
participating in Federal or State government contracts or programs;
Liquidation, dissolution, cancellation or revocation of a
professional license; or
Limitations on either clinical privileges or staff
privileges by a health plan.
9. Fees Applicable to Requests for Information
Proposed Sec. 61.13 addressed fees applicable to all requests for
information from the HIPDB. In accordance with this proposed section,
fees to be charged would be based on the full costs of operating the
database, as authorized in section 1128E(d)(2) of the Act; criteria for
assessing fees would be based on the guidelines set forth in OMB
Circular A-25. These costs would encompass all direct and indirect
costs of providing such information, including but not limited to:
Direct and indirect personnel costs;
Physical overhead, consulting, and other indirect costs;
Agency management and supervisory costs; and
Costs of enforcement, collection, research, establishment,
regulations and guidance.
For maximum efficiency, we proposed that the HIPDB be an all-
electronic system, with all fees collected through the most cost-
effective methods (such as credit card and electronic funds transfer).
The Act exempts Federal agencies from these fees.
10. Confidentiality of HIPDB Information
In proposed Sec. 61.14, we stated that the confidentiality
requirements would
[[Page 57742]]
apply to all information obtained from the HIPDB. The confidentiality
requirements are clearly specified in sections 1128E(b)(3) and (d)(1)
and 1128C(a)(3)(B)(ii) of the Act. Specifically, section 1128E(b)(3) of
the Act requires the Secretary to protect the privacy of individuals
receiving health care services when determining what information is
required. Section 1128E(d)(1) of the Act requires that information in
the HIPDB will be available to Federal and State Government agencies
and health plans. Section 1128C(a)(3)(B)(ii) of the Act requires the
Secretary to assure that HIPDB information is provided and utilized in
a manner that appropriately protects the confidentiality of the
information. We proposed that information from this system be
confidential and disclosed only for the purpose for which it was
provided. We also proposed that appropriate uses of the information
would include the prevention of fraud and abuse activities and
improving the quality of patient care. This proposed provision did not
go beyond the requirements set forth in the Act. The proposed
requirements would not prevent an authorized user from sharing
information from the HIPDB within the entity that requested it, as long
as the information is used solely for the purpose for which it was
provided. However, in accordance with section 1128E(b)(3) of the Act,
we proposed that information obtained by a Government contractor, e.g.,
a Medicare carrier, an intermediary or auditor, may only be used in the
furtherance of its contractual responsibilities.
11. How To Obtain Access to, and Dispute the Accuracy of, HIPDB
Information
The proposed regulations outlined the procedures for obtaining
access to a report, submitting a statement, filing a dispute, and
revising disputed information in a previously submitted report. These
procedures are basically comparable to, or more generous than,
procedures established in the Department's Privacy Act regulations at
45 CFR part 5b. The Secretary has exempted the HIPDB from those Privacy
Act requirements in order to establish a more comprehensive and
generous notification, access and correction procedure. While these
procedures basically are comparable to similar provisions in the
Privacy Act, these procedures include significant rights in addition to
those set forth in the Privacy Act. For example, when a HIPDB report is
created or amended, we automatically provide subjects a copy of the all
report. Subjects may also file a statement of disagreement with a
report as soon as the report is filed , rather than at the end of an
appeal process, as under the Privacy Act.
In addition, we proposed that the subject of a report may dispute
only the factual accuracy of the information contained in the HIPDB
report concerning the individual or entity. As indicated in the
proposed rule, the dispute process would afford the subject an
opportunity to bring relevant factual information, including reversals
of criminal convictions by an appeals court, to the attention of the
reporter. The proposed dispute process would be consistent with that
for the NPDB.
12. Sanctions for Failure To Report
We incorporated the new CMP sanctions provision for failure to
report information to the data bank, as set forth in section 4331 of
Public Law 105-33, the Balanced Budget Act of 1997. In the proposed
rule, we indicated that any health plan that fails to report
information on a final adverse action that is required to be reported
would be subject to a CMP of not more than $25,000 for each such
adverse action not reported. Such penalties would be imposed and
collected in the same manner as other CMPs under section 1128A of the
Act.
III. Summary and Response to Public Comments
As we have noted, the statute upon which the proposed regulations
were drafted is quite broad and affords the Secretary numerous areas of
discretionary authority on which we sought the benefit of public
comment and input. The proposed rule set forth a 60-day public comment
period ending December 29, 1998. On December 30, 1998, we extended the
comment period for the proposed rule by an additional 2 weeks until
January 11, 1999 (63 FR 71819). As a result, we received a total of 117
timely-filed public comments from Federal and State law enforcement
agencies; health care practitioner and provider licensing boards,
health departments, private attorneys representing health care
providers, suppliers and practitioners; and various health plans,
health plan associations, hospitals, professional associations, health
care practitioners and other individuals and entities. Based on review
of the statute and the assessment of public comments received, we
believe the final regulations implementing this authority fully and
adequately balance the concerns of the Department with those expressed
by outside individuals and entities.
Set forth below is an overview of the various comments and
recommendations received and our responses to those concerns. Section
IV. of this preamble sets forth a summary of the specific revisions and
clarifications to be made to the final regulations as a result of those
comments.
A. Scope and Intent of the HIPDB
Comment: A principal concern raised in the majority of comments was
the interpretation of what constitutes the reporting threshold for all
final adverse actions under the term ``health care fraud and abuse.''
Many commenters believed that the OIG broadened the definitions and
criteria unnecessarily for reportable actions, well beyond a ``health
care fraud and abuse'' data collection system. Specifically, these
commenters only wanted actions involving health care related fraud and
abuse reported to the HIPDB.
Response: It is clear from reviewing the statutory language of the
implementing Act, and the legislative history (such as congressional
conference reports), that the HIPDB is not merely about establishing an
information collection system. Rather, it is directed at combating
fraud and abuse in a broader scope. Congress used the term health care
fraud and abuse only once in the provision's opening paragraph for
purposes of naming the data collection program. The term does not
appear elsewhere, especially with regard to limiting the scope of
reportable actions. Instead, Congress defined reportable ``final
adverse actions'' by specifying a finite list of actions. These actions
include civil judgments related to the delivery of a health care item
or service; Federal or State criminal convictions related to the
delivery of a health care item or service; actions taken by Federal or
State licensing or certification agencies; exclusions from
participation in Federal or State health care programs; and any other
adjudicated actions or decisions taken by a Federal or State Government
agency or health plan. To limit the adverse actions collected by the
data bank to only those that are based on health care fraud and abuse
would create a data bank that does not fully capture the types of
reports that Congress clearly intended to be collected in accordance
with the statute.
The term ``health care fraud and abuse,'' as used in the statute,
merely represents congressional intent that the HIPDB support efforts
to prevent such activities. To limit actions collected only to those
based on fraud and abuse would deny investigators, Government
contracting officers, health plans and
[[Page 57743]]
others the reports which are necessary to effectively research the
relevant backgrounds of potential providers, suppliers and
practitioners. As indicated by one State licensing board, narrowing the
scope of reportable actions may create an even greater burden on
reporters to screen out final adverse action based solely on health
care fraud and abuse. Accordingly, the definition related to final
adverse actions, as well as the definitions of health care provider,
supplier and practitioner, represent the statutorily-mandated reporting
criteria for the HIPDB--and is not limited to health care fraud and
abuse. It has been our goal to establish a complete and comprehensive
data bank that effectively deters health care fraud and abuse in the
health care industry, while promoting quality health care and
protecting the public. A further discussion of the term ``health care
fraud and abuse'' is contained in section III. B. 6. of this preamble.
B. Section-by-Section Analysis of Issues
Section 61.1 The Healthcare Integrity and Protection Data Bank
Comment: Several commenters viewed the regulations, in general, as
overly-broad and complex. Two commenters stated that information
reported to the HIPDB should be directly related to health care fraud
and abuse (see discussion regarding the definition of ``health care
fraud and abuse'' in the discussion of Sec. 61.3 later in this section
of this preamble). Another commenter expressed concern that the HIPDB
would contain data on individuals who have not committed fraud. This
commenter and others believed that the OIG will establish a vast system
not targeted to identify truly egregious individuals and entities.
Response: We disagree with these comments. As indicated in the
proposed rule and in the summary section above in this preamble, we
believe this rulemaking and the HIPDB clearly focus on specific final
adverse actions taken against individuals and entities, and that those
actions relate to these actions that could be defined as ``health care
fraud and abuse.'' We believe these implementing regulations and the
data bank are consistent with statutory intent and are properly
targeted at capturing specific types of information relevant to the
HIPDB's intended purpose.
Section 61.3 Definitions
1. Affiliated or Associated
Comment: With regard to the definition and application of the term
``affiliated or associated,'' several commenters stated that the
proposed definition overreached the intent of the statute.
Response: The OIG believes the definition supports congressional
intent to enable authorized users who conduct fraud and abuse
investigations to identify other business or commercial affiliations
through which the subject may have committed other acts of wrongdoing,
and to aid with subject identification, if the affiliation or
association is known by the reporter.
Comment: Several commenters requested the definition be refined to
exclude irrelevant affiliations and associations. The commenters
recommended that the definition be limited to (1) those entities in
which the subject has a business interest, and (2) those associations
having the power to revoke or suspend a license.
Response: We agree that the definition and implementation of the
term ``affiliated or associated'' set forth in the proposed rule may
have resulted in some confusion. As a result, we are limiting the
definition, in accordance with the first part of the commenters'
concerns, to those health care entities in which the subject has a
commercial interest.
Comment: A number of commenters believed that the collection of
this information set forth in the definition would be in violation of
the Privacy Act, as it implies guilt by association.
Response: The inclusion of an entity in this category by a reporter
will in no way imply that the entity was a party to the act(s) or
omission(s) that led to a reportable final adverse action. We believe
that the revised definition will eliminate naming of professional
affiliations or associations and the implied fear of invasion of
privacy. We also note only individuals, not entities (even if the
entity is an individual professional corporation), are protected by the
Privacy Act.
Comment: One commenter believed that ``affiliated or associated''
entities should be included only if such entities had an active role in
the underlying sanction. Another commenter stated the names of
``affiliated or associated'' entities should be expunged after an
investigation that determined there was no involvement by the
affiliation or association entity. A third commenter believed that
there would be increased liability for reporters as a result of the
definition set forth for this term.
Response: We believe limiting ``affiliations or associations'' to
those health care entities with an active role in the underlying
sanction, or removing the names after an investigation has determined
there was no involvement by the affiliated or associated entity, would
be contrary to the specific language of the statute. The statute
explicitly requires that the names of affiliated or associated health
care entities be reported. Involvement or non-involvement in the
underlying action is irrelevant to this reporting requirement. Further,
we do not agree that merely identifying an entity as being affiliated
with the subject of a report somehow imputes wrongdoing to the
affiliated entity, and a statement to this effect will be included in
the data base report. There will be no independent identification of
affiliated or associated entities in the HIPDB other than as part of a
subject's report, unless the entity also has been the subject of a
final adverse action. If it comes to the attention of a business entity
that it is incorrectly identified in a subject's report as having a
commercial business affiliation with the subject, then the business
entity may avail itself of the same correction procedures that are
available to the subject of a report. The affiliated entity first may
ask the reporting agency or health plan to correct the subject's
report. If the reporter declines to do so, the affiliated entity may
request a correction to the subject's report by the Secretary. With
respect to an increase in liability for reporters, the OIG is providing
an immunity provision in the final rule that will alleviate any
perceived increase in liability.
Comment: One commenter requested that the HIPDB provide written
notice to each entity listed as an ``affiliated or associated health
care entity'' within a final adverse action report, and that the HIPDB
offer an appeal process to these entities in the event that the
entities are incorrectly reported.
Response: The revised definition will require that a commercial
relationship exist between the subject and the affiliate or associate.
As we have previously noted, we believe that this data field in no way
implies wrongdoing on the part of the reported affiliate or associate,
and thus eliminates the need for these entities to be notified.
2. Any Other Negative Action or Finding
Comment: We received several comments regarding the manner in which
the term ``any other negative action or finding'' was defined. Most of
the commenters stated the proposed definition was too broad in nature
and would create a tremendous burden on the reporters, especially if
actions or findings pertaining to administrative fines and citations
were to be included in the HIPDB. Several commenters
[[Page 57744]]
expressed concern that there is a range of actions or findings taken
that may or may not be the same from State to State and do not relate
to health care per se (such as a practitioner fined for failure to
provide a new address). The commenters requested that the OIG clarify
and limit the definition of this term to actions that are directly
connected to health care violations.
Response: We agree with the commenters that there will be variation
from State to State regarding the types of final actions taken against
health care providers, suppliers and practitioners. However, the HIPDB
is being designed as a ``flagging system'' that will contain
information on actions taken in a particular State or program that are
considered by the State or program to warrant attention. We intend the
data to provide a summary of the actions taken against a health care
provider, supplier or practitioner. In addition, we acknowledge that
there are certain kinds of actions or findings that would not meet the
intent of the legislation and should not be reportable. For instance,
administrative actions, such as limited training permits, limited
licenses for telemedicine, fines or citations that do not restrict a
practitioner's practice, or personnel actions for tardiness, are not
within the range of actions intended by the statute. As a result of
these comments, we are modifying the final regulations to exclude
administrative fines or citations, corrective action plans and other
personnel actions unless they are (1) connected to the billing,
provision or delivery of health care services, and (2) taken in
conjunction with other licensure or certification actions such as
revocation, suspension, censure, reprimand, probation, or surrender.
For example, a nurse agreed to settle claims that he received Medicare
and Medicaid reimbursement to which he was not entitled. As a result of
this action, the State licensing board reprimanded the nurse and
imposed a $5,000 fine. This action would be reportable.
Comment: Several commenters expressed concern that the preamble
language that indicated that ``settlements in which no findings or
admissions of liability have been made will be excluded from
reporting'' conflicted with the next sentence in that discussion, which
read, ``However, any final adverse action that emanates from such
settlements and consent judgments, and that would otherwise be
reportable under the statute, is to be reported to the data bank.''
Response: We agree that the statutory language is clear that
settlement in which no findings of liability have been made will not be
reportable to the HIPDB. However, if another action is taken against
the provider, supplier or practitioner of a health care item or
service, as a result of or in conjunction with the settlement, the
second action is reportable. For example, a civil court settlement in
which no finding against or admission of liability by a practitioner is
made is not reportable. However, for example, if the State licensing
board suspends the practitioner's license as a result of a civil court
settlement, the licensing board must report the suspension of the
license. Similarly, if the OIG excludes a provider, supplier or
practitioner based on actions that were also the subject of a civil
settlement in which no finding or admission of liability was made, the
exclusion must be reported to the HIPDB.
Comment: One commenter questioned whether non-practitioners, such
as an executive director, should be reported to the HIPDB, while
another commenter requested clarification on the reporting of actions
pertaining to the handling of an impaired practitioner.
Response: The OIG reiterates the statutory intent that any final
action taken against a licensed or certified health care provider,
supplier or practitioner by a Federal or State licencing or
certification agency that is publicly available information is a
reportable action. If, for example in the case of an executive
director, he or she is licensed or certified as a health care provider,
supplier or practitioner, then that individual will be subject to the
HIPDB reporting requirements. If a Federal or State licensing agency
takes a final adverse action that is publicly available information
against an impaired practitioner, the final adverse action is
reportable.
3. Clinical Privileges
Comment: Several commenters expressed concern that Congress never
intended that clinical privilege actions would be reported to the
HIPDB, particularly since such actions are already reported to the
NPDB. Some commenters expressed a desire that clinical privileges
suspensions only be reported when they are in effect for a period
longer than 30 days, indicating that this limitation would parallel
existing NPDB requirements for reporting of clinical privilege actions.
Another commenter questioned why the proposed definition specifically
mentioned physicians and dentists, when they believed the definition
was to apply to all licensed health care practitioners.
Response: The OIG agrees with these concerns and, as a result, the
HIPDB will not collect data on clinical privileging actions. We note
that clinical privileging actions are already collected by the NPDB. We
believe that information on clinical privileging actions will not be of
significant value to HIPDB queriers, since queriers who have a need for
this information will already be accessing it through the NPDB.
Accordingly, we are adding language to the definition of the term
``other adjudicated actions or decisions'' to specify that the
reporting of clinical privileging actions is excluded.
4. Exclusion
Comment: One commenter raised a concern about the term
``exclusion'' and mistakenly applied the definition for this term to a
reportable licensure action.
Response: The OIG has clarified that the term ``exclusion'' applies
only to debarment of an individual or entity from participation in any
Federal or State health care related program; this term is only
applicable to reporting exclusion from participation in Federal or
State health care programs.
5. Government Agency
Comment: One commenter asserted that the definition of ``Government
agency'' was too broad and potentially open-ended. The commenter
requested clarification as to which agencies qualify as ``Federal and
State agencies responsible for the licensing and certification of
health care providers, suppliers and practitioners.'' A second
commenter suggested that the definition of ``Government agency'' be
amended to include all agencies authorized to investigate health care
fraud.
Response: We recognize the commenters' concerns and understand that
regulatory boards and licensing programs vary from State to State. For
this very reason, however, it is not possible for the OIG in this
rulemaking to provide a listing of all agencies responsible for the
licensing and certification of health care providers, suppliers and
practitioners. In response to the proposed rule, we received only two
comments from States that identified the agencies responsible for
licensing. We believe that the definition of ``Government agency''
includes all agencies authorized to investigate health care fraud and
abuse and, as a result, are making no changes to the final rule.
6. Health Care Fraud and Abuse
Comment: In general, comments reflected an assumption that the
terms ``health care fraud'' and ``health care
[[Page 57745]]
abuse'' defined the reporting criteria for all final adverse actions
mandated by the statute. Specifically, commenters found the term
``health care fraud,'' when used in conjunction with the proposed
preamble definition of ``health care abuse,'' to be too broad. Several
commenters requested that definitions for health care fraud and abuse
(and thus the nature of adverse actions collected) be limited to
activities relating to financial violations, or require the reportable
activities to meet a legal standard of fraud or abuse. One commenter
stated that health care abuse should be limited to those actions
against a health care system and not those relating to personal abuse.
Other commenters believed that the terms should be combined into one
definition. One State licensing agency requested specific guidance on
whether all final adverse actions must be based on health care fraud
and abuse to be reportable to HIPDB. The agency pointed out that only
one percent of its adverse licensing actions would meet such a fraud
and abuse reporting threshold. Three commenters did acknowledge and
agree that the term ``health care abuse'' was properly described within
the regulation and the statute as ``final adverse actions.''
Response: By attempting to define the terms ``health care fraud''
and ``health care abuse'' in the proposed rule, we gave the erroneous
impression to some readers that final adverse actions may not be
reported to the data bank unless they are categorized by the reporter
as being based upon ``health care fraud and abuse.'' That
interpretation is too limiting. Congress intended that this data bank
support efforts to prevent and combat health care fraud and abuse, and
not merely catalogue adverse actions that reporters may choose to
describe as arising from ``health care fraud and abuse.'' Restricting
reportable final adverse actions to those specifically relating to
health care fraud and abuse would eliminate the reporting of many
relevant actions that are included in the statutory definition of
``final adverse actions.'' Accordingly, and as a result of the comments
received, we are deleting the definition for the term ``health care
fraud'' from the final rule and are opting not to define ``health care
abuse.'' Instead, we defer to the statutory definition of ``final
adverse actions'' as encompassing the range of actions to be reported.
Comment: Several commenters requested changes to the ``health care
fraud and abuse'' definition to narrow the range of actions, indicating
that final adverse actions related to billing errors, benefits
administration, payment and reimbursement issues, and quality of
patient outcomes be excluded from the definition of ``health care fraud
and abuse.''
Response: There may be instances when billing errors, benefits
administration, payment and reimbursement issues, and quality of
patient outcomes meet the criteria and, therefore, will be reported.
However, it is also foreseeable that certain of the aforementioned
actions may not be final adverse actions and, therefore, not
reportable. The OIG takes the position that any action is reportable to
the data bank as long as the action meets the criteria of a ``final
adverse action,'' as specified in the final rule.
Comment: One commenter requested that ``health care fraud'' exclude
offenses by health plans or insurance companies and be limited to
offenses by health care providers, suppliers, or practitioners against
health plans or health plan sponsors. Another commenter stated that the
reporting of health care abuse should be optional and CMPs should not
be imposed for failure to report. One commenter questioned the value of
report data containing actions related to health care abuse since such
actions may suggest a standard of measurement less than a court
adjudication or administrative review panel finding.
Response: The OIG believes that excluding organizations, such as
health plans and insurance companies, would limit the effectiveness of
the data bank to serve its intended function as a fraud and abuse
prevention tool. We also believe that the intent of the statute is
clear that all final adverse actions taken against a health care
provider, supplier or practitioner must be reported to the HIPDB, and
that failure to report such actions may result in the imposition of a
CMP.
7. Health Care Provider
Comment: Several commenters indicated that the definition of
``health care provider'' was too broad and complex, and suggested as an
alternative that the OIG use the definition set forth in section
1861(u) of the Act. Two commenters objected to the inclusion of health
care entities, such as health maintenance organizations (HMOs) in this
definition. The commenters believed the definition for this term was
conflicting, since health care entities could be potential subjects of
the HIPDB as well as reporting entities. One commenter stated that most
States did not take compliance actions against these types of entities.
Response: Since Congress elected not to define ``health care
provider'' in the Act, we believe the congressional intent was for this
term to be defined broadly. There is no inherent conflict in health
care entities being potential subjects of the HIPDB, as well as
reporting entities. This is entirely consistent with the intent of the
Act.
8. Health Care Supplier
Comment: The majority of commenters responding to the definition of
``health care supplier'' stated that the definition went beyond
statutory authority and could allow inappropriate access to
information. For example, several commenters noted that the definition
included both direct and indirect providers of health care items and
services. Several commenters recommended the definition be limited to
suppliers as defined in section 1861(s) of the Act, and believed that
the definition should not include health insurance or benefits
providers, such as insurance agents, brokers, solicitors, consultants
and reinsurance intermediaries. Other commenters pointed out that to
broadly include health insurance or benefit providers in the definition
of supplier also could have the effect of including nearly all public
and private employers as the potential subjects of reports. These
commenters requested that suppliers be limited to those who directly
provide covered items or services to beneficiaries, or who directly
receive reimbursement from a health care program.
One commenter requested that reportable subjects not be limited to
practitioners, providers and suppliers, but rather encompass all
individuals and entities involved in health care fraud, including
beneficiaries, Government and private employees, managed care marketers
and any individual who is responsible for the actions of an entity. One
commenter requested clarification of the term ``subject.''
Response: We disagree with the contention of some commenters that
Congress intended to collect final adverse action information only on
direct providers of items or services covered by a health care program
or plan. Such a definition would exclude many entities that are the
subject of health care fraud and abuse investigations and actions. The
OIG believes that the intent of Congress was to have a broad
interpretation of the terms supplier, practitioner and provider. For
example, Congress did define the terms ``health care practitioner'' and
``health care provider''
[[Page 57746]]
elsewhere in the statute, yet it did not specifically apply these
definitions to the HIPDB. The term ``health care supplier'' is defined
in these regulations to capture all final adverse actions relating to
the delivery of a health care item or service. Accordingly, the OIG is
electing to keep both direct and indirect suppliers in the definition
of ``health care supplier.'' Including indirect suppliers in the
definition also is consistent with the definition of ``supplier'' used
in the regulations implementing OIG exclusion authorities resulting
from HIPAA (63 FR 46676; September 2, 1998).
However, we do not intend to include in the definition of
``supplier'' all public and private employers, unless they are self-
insured for health care coverage. The definition will still include
health plans, consultants, health insurance producers, agents, brokers
and reinsurance intermediaries. On the other hand, the definition will
not include businesses that merely provide their employees with health
insurance coverage through a contract with a health insurance producer
or a health plan. Therefore, in response to the concerns raised by the
various commenters, we have modified the definition of ``health care
supplier'' to clarify and limit its scope. Accordingly, we are
replacing the proposed language with the term ``health plan'' and are
inserting additional language excluding employers, unless they are
self-insured.
In response to the request that reporting be expanded beyond health
care providers, suppliers and practitioners, we note that individuals
or entities can only be subjects of HIPDB reports if final adverse
actions were taken against them. Beneficiaries are not included in that
category. For the purposes of this regulation, the term ``subject''
means a health care provider, supplier or practitioner upon whom a
reportable final adverse action was taken.
Comment: Two commenters indicated that States' burden of reporting
would be increased since States do not regulate or collect data about
many of the types of entities included in the supplier definition.
Response: The OIG reiterates that only final adverse actions, as
specified in the statute and these regulations, taken against health
care providers, suppliers and practitioners are reportable. Such
actions are to be reported by the organization taking the action. The
specific data required to be reported and responses to comments
regarding the reporting burden are addressed below in response to
comments on the regulatory impact statement.
9. Health Plan
Comment: With regard to the proposed definition of the term
``health plan,'' commenters stated the definition is too broad, and
suggested that the OIG use the definition as set forth in section 1128E
of the Act, which incorporates the definition set forth in section
1128C(c) of the Act.
Response: The OIG maintains that the statutory intent of the
definition was not meant to be exclusive or exhaustive. The OIG
interprets congressional use of the word ``includes'' in the statutory
definition as an indication that additional entities may be recognized
as ``health plans'' if they meet the basic definition of ``providing
health benefits.'' Therefore, we will continue to use a broad
definition. The statutory language indicates that Congress intended
that ``guarantors of payment'' for health care services and items,
including ``self insured employers'' who are often the subjects of
health care fraud, have access to HIPDB information. The OIG believes
that limiting the definition to the language of the statute would not
provide a workable basis for organizations and those who provide health
care services to appropriately determine their reporting
responsibilities under the statute. In response to one commenter's
recommendation to make the definition more inclusive, we are providing
further clarification and modifying the proposed definition.
Comment: One commenter requested an exclusion be provided within
the definition for direct reimbursements of an employee, stating there
is no relationship between the employer who provides the reimbursement
and the practitioner who provides the service.
Response: As revised, the definition of the term ``health plan''
reflects the variety of benefit plans with a wide range of
organizations, groups and individuals that currently offer such health
benefits that would include direct reimbursement. Given this change, we
believe any further revision is not necessary.
Comment: One commenter believed that State-sponsored workman's
compensation programs should be included as an example of a health
plan.
Response: It is our intention that State-sponsored workman's
compensation programs be covered under the regulations, and we believe
the definition, as written, includes such programs, although not stated
explicitly.
Comment: Two commenters stated the proposed definition would cause
confusion as to which entity is responsible for reporting the action,
i.e., the employer providing the health care policy or the insurance
corporation with whom the employer has contracted.
Response: We are aware of the multiple structures under which a
``health plan'' may operate within an integrated health system. The
final regulations state the entity taking the action is responsible for
reporting the action to the HIPDB. The activity of reporting can be
delegated to another entity, but the ultimate responsibility for the
report will still lie with the entity taking the action.
10. Licensed health care practitioner, licensed practitioner or
practitioner
Comment: Several commenters suggested that the definition for this
term should be more specific and include additional practitioner groups
not listed, such as occupational therapists and occupational
therapists' assistants. The commenters recommended that by providing a
comprehensive list of all practitioners and allied health personnel
eligible to be possible subjects of reports to the HIPDB, the OIG would
ensure that all States report consistently regardless of their
differences in professional licensing categories.
Response: We note that the meaning of the term ``licensed health
care practitioner, licensed practitioner or practitioner'' is
consistent with the definition in section 1128E(g)(2) of the Act. We
added the phrase ``but not limited to'' before our listing in order to
provide adequate leeway for the inclusion of other health care
practitioners as each individual State develops its own reporting
categories. While we recognize the benefits of conformity in reporting
practices, we have chosen not to sacrifice State flexibility and
authority in determining appropriate reporting categories. Even Federal
definitions may vary as to ``categorizing'' health care workers. In
section 1861(s) of the Act, for example, both physical and occupational
therapists are listed under the definition of supplier.
Comment: Other commenters requested clarification on how this
definition will be interpreted in States with ``title protection
statutes.'' Generally, title protection statutes only restrict the use
of a title of a health care practitioner and not the actual practice or
the delivery of the service itself. Under title protection statutes, an
individual may practice the profession without a license, but may not
use the title unless licensed by the regulatory board.
Response: The definition, as written, is consistent with the
statutory
[[Page 57747]]
language. We recognize that ``title protection statutes'' may vary with
each individual State. However, the statute only authorizes the
collection of final adverse action information on an individual who is
licensed or otherwise authorized by the State to provide health care
services (including any individual who, without authority, holds
himself or herself out to be so licensed or authorized by the State).
11. Organization Name and Type
Comment: We received several comments concerning the mandatory
element of ``organization name and type.'' Some commenters stated that
they did not collect this type of information, while others were
unclear as to the meaning of this term.
Response: As a result of these comments, we are clarifying this
term by specifically adding a new definition in Sec. 61.3 for the terms
``organization name'' and ``organization type.''
12. Other Adjudicated Actions or Decisions
Comment: Commenters raised numerous issues concerning different
aspects of the definition for the term ``other adjudicated actions or
decisions.'' Several commenters stated that the proposed definition was
too broad or burdensome, and extended beyond the scope of the statute.
A number of commenters suggested that all reportable ``adjudicated
actions or decisions'' should be related only to fraud.
Response: The OIG believes that the range of reportable ``other
adjudicated actions or decisions'' is not overly broad or beyond the
scope of the Social Security Act, since the statutory language states
that all final adverse actions must be reported. Furthermore, as
indicated above, the statute does not define fraud and abuse; it only
defines final adverse actions. To promote an effective system to aid in
deterring fraud and abuse, we believe it is necessary to define this
term more inclusively, as is contemplated by the statute.
Comment: The criteria set forth for the term ``other adjudicated
actions or decisions'' caused confusion for a majority of commenters.
Specifically, commenters indicated that they were unclear as to the
meaning of the phrase ``official action,'' and whether actions
involving (1) honest billing errors or differences in medical judgment,
(2) employment or personnel-related actions and (3) CMPs would be
reportable under this definition.
Response: In response to these concerns, we have restructured the
definition to clarify that in order for a formal or official action to
be reported under this provision it must meet the three criteria that
it (1) is taken against a health care provider, supplier or
practitioner by a Federal or State Governmental agency or a health
plan; (2) includes the availability of a due process mechanism; and (3)
is based on acts or omissions that affect or could affect the payment,
provision or delivery of a health care item or service. We also made
minor changes in the definition to provide further clarity about the
types of actions that are excluded from the definition.
Comment: Two commenters requested clarification regarding the
imposition of CMPs for failure to report. One commenter requested
voluntary reporting of other adjudicated actions, in the hopes of
eliminating such penalties. Another commenter asks that we include an
intent clause as a necessary element to apply CMPs.
Response: We disagree with the commenter's alternative approach
regarding voluntary reporting, which we believe to be inconsistent with
Congress' intent in creating a CMP for failure to report. In accordance
with the statutory language that requires such action, a health plan
failing to report any ``other adjudicated actions or decisions'' could
be assessed a CMP of not more than $25,000. The regulations
implementing this CMP provision are not a direct part of this HIPDB
implementing rule and are being addressed in specific detail through
separate OIG final rulemaking directed toward new or revised exclusion
and CMP authorities resulting from Public Law 105-33.
Comment: One commenter requested clarification on whether all
reportable adjudicated actions must be related to professional
competence or conduct.
Response: The term ``other adjudicated actions or decisions'' does
not need to relate to professional competence or conduct However, such
actions must relate to the delivery of health care items or services.
Comment: Several commenters stated the definition should be limited
to final adverse actions involving a court or Government agency, in
that reporting final adjudicated actions in which there was no finding
of liability will discourage settlements; and adverse actions will vary
from State to State, making it difficult to analyze or standardize the
reporting process.
Response: We believe that the statutory language is clear about
which entities are required to report. Certain health plan actions will
meet the criteria of ``other adjudicated actions or decisions,'' and,
therefore, will be reportable. The statute also is clear that final
actions resulting from settlements in which no findings of liability
have been made are not reportable. The OIG recognizes the variation
among States in the types of other adjudicated actions or decisions
taken. We stress that the HIPDB is intended as a ``flagging system''
and that the information in the HIPDB should serve only to alert
Federal and State agencies and health plans that there may be a problem
with a particular provider's, supplier's or practitioner's background.
The HIPDB information should be considered together with other relevant
data in evaluating a provider's, supplier's or practitioner's
background.
A hallmark of any valid adjudicated action or decision is the
availability of a due process mechanism. In general, if an
``adjudicated action or decision'' follows an agency's established
administrative procedures (that ensure that due process is available to
the subject of the final adverse action), it would qualify as a
reportable action under this definition. For example, a formal or
official final action taken by a Federal or State Government agency or
health plan may include, but is not limited to, a personnel-related
action such as suspension without pay, reduction in grade for cause,
termination or other comparable action in connection with the delivery
of a health care item or service. For health plans that are not
Government entities, an action taken following adequate notice and
opportunity for a hearing that meet the standards of due process set
forth in section 412(b) of the Health Care Quality and Improvement Act
(42 U.S.C. 11112(b)) also will qualify as a reportable action under
this definition. The fact that the subject elects not to use the due
process mechanism provided by the authority bringing the action is
immaterial, as long as such a process is available to the subject
before the adjudicated action or decision is made final.
The revised definition for the term ``other adjudicated actions or
decision'' specifically excludes clinical privileging actions taken by
Federal or State governmental agencies, as well as the similar
``paneling actions'' taken by health plans. We will not collect'removal
without cause'' actions taken by health plans, such as when the health
plan has to eliminate some of its specialists or when the health plan
concludes that a physician is not maintaining a desirable rate of
patient visits. On the other hand, health plans will report ``quality
actions'' that include the availability of a due process procedure,
such as the formal removal
[[Page 57748]]
of a physician for problems based on quality of care or competence
issues. Health plans also will report any health care related civil
judgments they obtain against a health care practitioner, provider or
supplier. The revised definition also clarifies that initial
overpayment determinations by HCFA contractors, and similar overpayment
decisions made by health plans, are not final, reportable actions.
13. Voluntary Surrender of License or Certification
Comment: We received several comments on the definition of
``voluntary surrender of license or certification'' from a variety of
State and local agencies, private sector organizations and others. The
majority of the commenters supported a broader definition of the term.
One commenter did not believe voluntary surrenders should be included
in the system because of added burden resulting from such action.
Several commenters requested that the OIG provide further clarification
of the term in the final regulations.
Response: In light of the strong support for the definition in the
proposed regulations, we are adopting this definition in the final rule
with certain clarifications. The OIG is aware that there are instances
in which a voluntary surrender is used to identify practitioners who
are deceased, retired, have not renewed their license or certification,
or have simply moved out of the State. We are clarifying the definition
to exclude non-disciplinary voluntary surrenders.
Section 61.4 How Information Must Be Reported
Comment: A number of commenters requested clarification on how
information must be reported to the HIPDB. These commenters generally
requested additional information on how electronic reporting would be
accomplished, how consolidated reporting would occur for both the HIPDB
and the NPDB, and whether all reporters would have the appropriate
software and hardware to perform this function. Some commenters
recommended, for example, that reporters be permitted to submit files
electronically using file transfer protocol or electronic mail, and two
commenters raised the issue of whether the HIPDB would accept paper
reports.
Response: In response to these concerns, we are indicating in this
final rule that reports may be submitted to the HIPDB either through a
secure interactive web-based reporting service (using state-of-the-art
encryption technology) or by mailing to the HIPDB properly formatted
report data on a diskette. Other types of electronic submissions will
not be accepted, nor will paper reports. Reporters who are required to
submit the same report to both the NPDB and the HIPDB will be able to
satisfy their reporting obligations by submitting their report only
once. Web-based reporting or querying will require a personal computer
with a modem and access to the Internet. We will provide technical
details regarding required data formats and access to the web site
through technical manuals, guidebooks and on-line user help. We believe
that most reporters possess these basic tools required to gain access
to the data bank. We also recognize that there may be a small number of
reporters who do not have these capabilities, but these entities should
be able to perform any required functions through the services of an
authorized agent, who would report to and query the data bank on the
entity's behalf.
Comment: One commenter requested that the NPDB and the HIPDB be
consolidated in order to allow more efficient querying and reporting.
The commenter also recommended allowing queriers to use search engines
to more efficiently locate information.
Response: The issue of integrating the NPDB and HIPDB is addressed
in greater detail in section III. C. of this preamble, ``General Issues
and Alternatives Suggestions.'' In response to the commenter's
recommendation regarding the use of search engines for querying,
queriers will be required to provide certain information about a
provider, supplier or practitioner in order to process their query.
Specific methods for querying will be addressed in subsequent guidance
and technical documentation.
Comment: To reduce the possibility that non-relevant reports will
be submitted to the HIPDB, one commenter recommended that the Secretary
establish a reporting threshold or specific criteria for each type of
report.
Response: Through development of a policy guidance guidebook, the
Department intends to provide specific examples and establish the
criteria for determining whether a final adverse action meets the
standards established in regulations. These criteria will be specific
to each type of action and will include examples of reportable and non-
reportable actions. It will be up to each reporter, however, to review,
understand and apply these criteria when reporting.
Section 61.5 When Information Must Be Reported
Comment: Commenters recommended extending the 30-day period for
reporting final adverse actions to the HIPDB to 60 days. The commenters
stated that the time frame set forth in the proposed rule was too
stringent and unrealistic to be met by State licensing boards. Several
associations representing State licensing boards suggested this time
frame would place significant burden on licensing boards. By extending
the time frame from 30 days to 60 days, commenters indicated that
licensing boards would have adequate time to provide the information to
their agent and, in turn, for the agent to submit the information to
the HIPDB.
Response: We are unable to make the changes suggested since the
statutory language requires reports to be submitted regularly, but not
less often than monthly.
Section 61.6 Reporting Errors, Omissions, Revisions or Whether an
Action Is on Appeal
Comment: One commenter stated that if a reportable adverse action
is on appeal, the action should not be reported until the appeal
process is final; if the appeal reverses the decision, then the entire
report should be removed from the HIPDB.
Response: We disagree with the first aspect of the comment since
the statutory language (section 1128E(b)(2)(C)) requires specifically
that a statement as to whether the action is on appeal must be included
in the report to the HIPDB. With respect to the second part of the
commenter's concern, we agree that reports which have been reversed on
appeal will require a revision to the report. The report may be voided
by the reporter at the time of the revision.
Comment: Some commenters stated that the reporting of revisions,
such as a reinstatement of a license, will cause confusion for
queriers, that the accuracy of the reports in the HIPDB will be
compromised, and that reporters will abuse the system by reporting
``indiscriminately'' to avoid a sanction for failing to report and
fulfilling the 30-day time frame. Commenters also expressed uncertainty
as to who is responsible for reporting the revision.
Response: We believe that there is a misconception on the part of
some of the commenters. Specifically, when a reinstatement of a license
occurs, the reporter must submit a revision to an action regarding the
reinstatement.
Comment: Two commenters raised concern over the fact that a subject
of a
[[Page 57749]]
report may file a written statement to the HIPDB. The commenters
believed this provision violates the due process rights of the entity
taking the action. In addition, these commenters were concerned that
the subject's statements could render an extremely inaccurate, biased
and unreliable report. One commenter requested that reports be deleted
after a 5-year period of time.
Response: We note that only final adjudicated actions are
reportable. The Act does not provide for the removal of reports from
the data bank except through the dispute process. A subject's statement
provides the subject with the opportunity to state his or her views on
the final adverse action report; the report and the addendum will be
sent to subsequent queriers. It is unclear what ``due process rights''
of the reporting entity could be violated by giving the subject of a
report the right to state his or her views about the report. Further,
we note that this approach parallels the long-standing practice used in
reporting to the NPDB.
Section 61.7 Reporting Licensure Actions Taken By Federal or State
Licensing and Certification Agencies
Comment: Several commenters were concerned about the possibility of
duplicative reporting when a practitioner is licensed in more than one
State. The question was raised as to who reports the adverse licensing
action. Several commenters questioned the process for reporting
reinstatement of a license.
Response: The statute requires that the State taking the action is
responsible for reporting that action to the HIPDB. Each respective
State licensure action requires a separate report to HIPDB. This
process of reporting parallels the approach taken under the NPDB. The
process for reporting reinstatement of a license is explained in the
preamble section discussing Sec. 61.6.
Comment: With respect to reporting actions on individuals, a number
of comments addressed the problem of collecting the mandatory and ``if
known'' data elements.
Response: We are addressing this issue below in section III. C. of
this preamble.
Comment: Several commenters believed that the description of
actions in this section were too vague, and that the OIG should limit
reportable actions to those that truly limit practice, such as
revocation, suspension and limitation on licensure. Another commenter
suggested the HIPDB should be collecting final adverse actions related
only to fraud and abuse in the delivery of a health care item or
service. Two commenters questioned whether censure letters and other de
minimis sanctions are reportable since these actions are not usually
subject to due process, and recommended that we include only actions
taken against physicians holding full licenses to practice medicine.
Response: Section 1128E(g)(1)(A)(iii) of the Act states that
Federal and State licensing and certification agencies must report to
the HIPDB all of the following final adverse actions that are taken
against a health care provider, supplier or practitioner:
Formal or official actions, such as revocation or
suspension of a license (and length of any such suspension ),
reprimand, censure or probation;
Any other loss of the license or the right to apply for,
or renew, a license of a provider, supplier or practitioner; and
Any other negative action or finding as defined by the
Federal or State agency.
Under section 1128E of the Act, the only limitation on a reportable
disciplinary action is that it must be a formal or official action.
Comment: One commenter believed that automatic suspension of a
license for failure to pay family support for a child or spouse, for
example, should not be included as a reportable event.
Response: While we are aware of other ways in which a license may
be suspended or revoked by other Federal laws not related to the HIPAA,
this licensing action is considered a disciplinary action and, in
accordance with the statute's definition of final adverse action, is
reportable to the HIPDB.
Comment: Concerning what information must be reported on
organizations, one commenter recommended that the actions reported by
Federal and State licensing and certification agencies be limited to
those who traditionally provide these services. The commenter believed
that the combination of the definitions of ``supplier'' and ``adverse
action'' could lead to a data bank for reporting complaints and
appeals, and not fraudulent activities.
Response: In accordance with these comments, we are modifying the
definitions of ``adverse actions'' and ``supplier'' in Sec. 61.3 in
order to collect meaningful data on subjects of reportable final
adverse actions.
Comment: Several State licensing boards stated that they already
report adverse action information to their individual professional
association, and several professional associations also stated that
they received reports from States on such actions. These commenters
believed that they should be exempt from reporting to the HIPDB.
Another commenter believed that HCFA should report all adverse actions
to the HIPDB taken against Medicare and Medicaid providers and
suppliers based on information that is already reported by State survey
and certification agencies, thus leaving States with the responsibility
to report only adverse actions taken against an entity based on State
law.
Response: The statute does not provide an exclusion from reporting
to the HIPDB for individual professions that may report to other data
banks. We encourage these organizations to designate their professional
associations to act as authorized agents with the HIPDB. The statute
requires that Federal and State Government agencies and health plans
report any adverse action taken against a health care provider,
supplier or practitioner. The OIG recognizes that State survey and
certification agencies already report their findings to HCFA and we
will continue to work with HCFA to find methods of streamlining and
coordinating the reporting process.
Section 61.8 Reporting Federal or State Criminal Convictions Related
to the Delivery of a Health Care Item or Service
Comment: One commenter indicated that States already report
convictions to the Federal Bureau of Investigation (FBI) and, as such,
reporting to the HIPDB would be duplicative and costly. Another
commenter requested clarification of the term ``delivery.''
Response: The scope of the HIPDB goes beyond the felony convictions
obtained at the State and local level that are currently reported to
the FBI. Information being reported to the data bank also will include
misdemeanor convictions, nolo contendere pleas, and pre-trial
diversions and similar actions, that are not reportable to the FBI. In
addition, the FBI does not classify convictions as being related to the
delivery of a health care item or service, nor does it classify those
convicted individuals and entities as being health care providers,
suppliers or practitioners. Consequently, the FBI's data bank does not
contain every action that would be reportable to the HIPDB, nor does it
provide a way in which all appropriate State and local convictions
could be identified for use in the HIPDB. The term ``delivery''
includes, but is not limited to, participation in any part of the
provision for or payment of a health care item or service.
[[Page 57750]]
Section 61.9 Reporting Civil Judgments Related to the Delivery of a
Health Care Item or Service
Comment: One commenter was not clear as to when a health plan would
be obligated to report a civil action, and recommended that health
plans only be required to report when no Government agency was a party
to the action. The commenter also suggested that health plans should be
able to assign responsibility for reporting to another entity, if the
other entity also were party to the suit. A second commenter believed
that civil actions are best reported by a prosecuting entity.
Response: The OIG does not require that each party to a civil
action report that action individually. However, to clarify who has the
responsibility for reporting multi-claimant civil judgments, we are
adding new language to Sec. 61.9 to address responsibilities for the
reporting of multi-claimant actions.
Section 61.10 Reporting Exclusion From Participation in Federal or
State Health Care Programs
Comment: One commenter stated that the OIG did not provide adequate
and clear information for providers to use to identify excluded
individuals or entities.
Response: Revised OIG exclusion authorities were published as
proposed rulemaking in the Federal Register on September 8, 1997 (62 FR
47182), and final regulations were published on September 2, 1998 (63
FR 46676). As indicated above in addressing the definition of the term
``health care supplier,'' in the OIG's final rulemaking on new
exclusions and revised authorities resulting from HIPAA, the OIG has
the authority to exclude any individual or entity who directly or
indirectly provides or supplies items or services. The scope of this
exclusion authority includes items or services manufactured,
distributed or otherwise provided by individuals or entities that do
not directly submit claims to Medicare, Medicaid or other Federal
health care programs, but that supply items or services to providers,
suppliers or practitioners who submit claims to these programs for such
items or services. Therefore, the OIG has already established through
that final rule the conditions for excluding an individual and entity
from a Federal or State health care program. As such, we believe no
further revisions or clarifications are necessary in this final rule.
Section 61.12 Requesting Information From the HIPDB.
Comment: Several commenters believed there should be public access
to the HIPDB, while other commenters stated that access to the HIPDB
should be open only to those who have the authority to take adverse
actions. Additionally, citing the need to obtain the information for
screening and credentialing potential employees, several commenters
requested that hospitals also be able to request information. Several
commenters also expressed concern regarding the data elements to be
included in the release of aggregate data for research purposes.
Response: While the OIG actively supports legislative proposals for
expanding access to the HIPDB, the existing statute clearly limits
access to the HIPDB to those entities that meet the definition of
Federal or State agency or a health plan. Under the current statutory
definition of entities having access, some hospitals will meet the
criteria and be in a position to request information from the HIPDB,
while other hospitals will not have access to the data bank. With
regard to what data elements would be included, the OIG is clarifying
the language in the final rule, as is discussed later in this preamble.
As set forth in Sec. 61.12, at the time subjects request
information as part of a ``self-query,'' the subjects will receive (1)
any report(s) in the HIPDB specific to them, and (2) a disclosure
history from the HIPDB of the name(s) of any entity (or entities) that
have previously received the report(s). This disclosure history will be
restricted in accordance with revisions being made to the Department's
Privacy Act regulations at 45 CFR part 5b which, when issued in final
form, will include an exemption for law enforcement access of the
HIPDB.
Section 61.13 Fees Applicable to Requests for Information
Comment: The majority of the comments received on this section were
from State agencies. The commenters requested free or discounted rates
for querying the HIPDB. The commenters suggested that those State
agencies that actually file reports with the HIPDB should, in exchange,
be able to query the data bank for free or at a discounted rate. One
commenter expressed a concern over having to pay a separate fee to
query both the HIPDB and the NPDB.
Response: The OIG is aware of the concerns of some State agencies.
The HIPDB and the NPDB were established under separate statutes, each
requiring a fee for querying. Each data bank, by statute, was designed
to recover its own cost through the imposition of query fees. We are
aware of the potential burden of dual querying and will make every
effort to keep these fees to a minimum. The OIG cannot comply with this
request to offer free or discounted queries to State agencies and
others. Since the statute specifically mandates that the Department
exempt only Federal agencies from query fees, in order to completely
cover costs from paying customers, the OIG must charge all non-Federal
customers the same rate.
The OIG intends to announce the actual amounts of the fees for the
data bank in periodic notices in the Federal Register.
Comment: One commenter recommended that all Federal agencies also
should be subjected to a fee when querying the HIPDB, while another
commenter stated that since Federal agencies are exempted from paying
fees, their access should be limited to ``bona fide'' purposes.
Response: With regard to the one commenter's suggestion as to
Federal agencies fees, section 1128E(d)(2) of the Act specifically
prevents the OIG from charging Federal agencies a fee to query the
HIPDB. The appropriate uses of HIPDB information for all users,
including Federal agencies, is being defined in Sec. 61.14 of these
regulations and the Privacy Act System of Records notice published in
the Federal Register on February 16, 1999 (64 FR 7653).
Comment: One commenter recommended that the OIG not establish a fee
for health care practitioners, providers or suppliers requesting
information about themselves (self-queries) from the HIPDB. This
commenter believed that State licensing boards will ``game the system''
by requiring licensees to submit self-query responses when requesting
initial licensure or re-licensure. This commenter noted this type of
activity already occurs with the NPDB.
Response: Since State licensing boards are not required by the
statute to query, the OIG can not expressly mandate that they query the
HIPDB directly in place of requiring practitioners to provide self-
query responses. However, we will make every effort to strongly
encourage State licensing boards to query the HIPDB directly to ensure
they receive accurate and complete information.
Comment: One commenter asked that the HIPDB provide an automatic
copy (without a request and free of charge) of every report to the
health care provider, supplier or practitioner who is the subject of
the report, and not just when the report is initially entered into the
HIPDB. This would include any report that is ``amended or deleted.'' A
second commenter recommended that the OIG add a sentence to the final
regulations
[[Page 57751]]
stating that the HIPDB also will provide a copy of every HIPDB report
automatically, without a request and free of charge, to the reporter
who submitted the report.
Response: We agree with these comments and will modify the final
regulations accordingly. The HIPDB will provide a copy of every HIPDB
report to the reporter, as well as to the health care provider,
supplier, or practitioner who is the subject of the report, when the
report is initially entered. In addition, further notification will be
made to these parties whenever the report is corrected or revised, and
whenever the report is voided. We also agree to automatically provide
the reporter with a copy of the revised report, without further
request.
Section 61.14 Confidentiality of the HIPDB Information
Comment: The majority of the commenters responding to this
provision questioned the confidentiality of the reported data bank
elements and resulting privacy of the information once a report is
submitted to the HIPDB. The confidentiality of individual elements, as
well as of the report as a whole, were questioned and several
commenters believed the final rule needed to be clarified further.
Citing possible violation of the Privacy Act, commenters expressed
concern about the ``purpose'' for which the data are provided and the
process of how queriers may distribute and use the information provided
in a report.
Response: Similar to the NPDB, the HIPDB requires specific data
elements to be reported in order to maximize the accuracy of matching
subjects of reports by the querier. The Privacy Act of 1974 established
the guidelines for Federal governmental systems of records that are
maintained by the names of individuals. The HIPDB was established as a
system of records subject to the Privacy Act by notice published in the
Federal Register on February 16, 1999 (64 FR 7653). Section 552(i)(3)
of the Privacy Act provides that obtaining information knowingly from
an agency system of records under false pretenses will be treated as a
misdemeanor and will incur a fine of not more than $5,000 per
occurrence. Section 552b(3) of the Privacy Act allows disclosure for
``routine use,'' compatible with the purpose for which it was
collected. Appropriate uses for the HIPDB information will include
credentialing and employment decisions, fraud and abuse investigations,
and use as a part of a querying entity's screening process which would
indicate more complete details are needed about the subject. This
``routine use'' does not allow disclosure to the general public. We are
clarifying this discussion in Sec. 61.14 of the final regulations.
We note that information which would identify Federal or State
agency health program beneficiaries, or other patients of providers or
practitioners, is not reportable to the HIPDB. Further, we will
disallow references to individual patients or beneficiaries in any
rebuttal documents submitted as part of a report dispute process, or
submitted as part of the written comments that a subject may submit to
be included with a report.
Comment: Several commenters stated that the wording of this section
was confusing, and did not fully explain the ways in which information
can be disseminated once it is released to an eligible entity.
Response: With respect to the confidentiality requirements of
information obtained from the HIPDB indirectly from another party, as
well as information obtained directly from the data bank, an individual
or entity that receives information from the HIPDB is permitted to
disclose such information further in the course of carrying out the
activity for which the information was sought. For example, during the
course of a health plan's credentialing process, the plan may request
information from the HIPDB on a practitioner's history of final adverse
actions. The health plan may share this information with other
individuals who are part of the credentialing review and decision
making process on the practitioner's application. Nevertheless, the
confidentiality limitations of the Act apply both to the health plan
staff who initially receive the information and to the specific
departmental staff who subsequently review this same information; they
may each only use and disclose the information with respect to the
credentialing decision.
Section 61.15 How To Dispute the Accuracy of the HIPDB Information
Comment: Several commenters were supportive of the mechanism set
forth in the proposed rule that would allow practitioners to attach a
2,000 word statement to their report for purposes of disputing the
accuracy of HIPDB information. Some commenters indicated that the
inclusion of a 2,000 word statement to a report was unnecessary and
recommended eliminating this provision for the final rule.
Response: We believe this mechanism will be useful, and are
retaining it in the final regulations.
Comment: While some commenters believed a dispute mechanism was
unnecessary or would greatly increase the burden on reporting entities,
other commenters supported the inclusion of an additional dispute
mechanism under which reporting entities could report disagreements
with a Secretarial decision to delete a report from the HIPDB.
Response: The statute specifically requires that the HIPDB have a
dispute mechanism in place. We are adopting the dispute mechanism that
currently is being used for reports to the NPDB, which has proven to be
effective. We are addressing regulatory burden issues later in this
preamble.
C. General Issues and Alternative Suggestions
1. Coordination and distinctions between the HIPDB and the NPDB
Comment: One commenter stated that an additional data bank was
unnecessary. The commenter believed that the NPDB is adequate, and that
the HIPDB will only serve to be duplicative in nature.
Response: While we agree that the NPDB is adequate for its intended
purpose of protecting the public from incompetent or unprofessional
health care practitioners, the HIPDB reflects separate and distinct
congressional intent, with unique data elements. The HIPDB data base is
intended to collect a wide range of final adverse actions. The HIPDB
serves a dual purpose of protecting the public, and assisting fraud and
abuse investigations of health care practitioners, suppliers and
providers. The HIPDB also contains information that is not reported to
the NPDB, for purposes of meeting its intended statutory objectives.
Comment: Some commenters expressed a desire that the HIPDB and the
NPDB be combined into one system, and commenters believed that for
reports required under both systems, the OIG should have reporters
report such actions only once.
Response: Although the HIPDB and the NPDB must be separate data
banks, and serve different purposes, the HIPDB and the NPDB will, for
certain reporting and querying purposes, form an integrated system,
whereby a report required under both systems will only need to be
reported once. The system will subsequently store the report in the
HIPDB, the NPDB, or both, as appropriate. Additionally, a querier
eligible to have access to both data banks can query both through a
single request.
Comment: One commenter expressed concern that under an integrated
reporting system for the NPDB and the
[[Page 57752]]
HIPDB a medical malpractice insurer would be forced to submit certain
fields required under the HIPDB, such as for an individual's Social
Security Number.
Response: This provision is only applicable to reports required
under both data banks. For example, medical malpractice payment reports
are only required to be reported to the NPDB; they are statutorily
exempt from HIPDB reporting. Therefore, the HIPDB data elements
required, such as an individual's Social Security Number, do not apply
to those reports.
Comment: One commenter expressed a desire that actions taken before
August 21, 1996, the effective date of the HIPAA statute, be required
to be reported to the HIPDB.
Response: Since the Department does not have the statutory
authority to retroactively require reports before the statute's date of
enactment, we cannot accept this recommendation, and we would be
unwilling to impose the burden of retroactive reporting on the
reporting entities even if we had the authority to do so.
2. Immunity Provisions Under the HIPDB
Comment: More than half of the comments received regarding immunity
provision under the HIPDB stated that any immunity provisions must be
included within the final regulations and not merely alluded to in the
preamble. The commenters specifically requested immunity with regard to
submitting reports to the HIPDB. Several commenters stated that any
immunity provisions included within the final regulations needed to
specifically provide immunity for agents.
Response: We agree with the comments, and are adding a new
Sec. 61.16 within the final regulations to address this concern.
Comment: Three commenters were supportive of the proposed
definition for the term ``knowledge of falsity'' to mean actual
knowledge of falsity by the submitting party. One commenter requested
the elimination of immunity for those who file information with the
HIPDB recklessly.
Response: The intention of the statute is to encourage final
adverse actions to be reported against subjects, without fear of the
subject retaliating with a lawsuit against those who report the action.
In accordance with the comments and the statute, we will continue to
interpret the term ``knowledge of falsity'' to mean actual acknowledge.
Consequently, we are including language in the final regulations
stating that the submitting reporter will not be immune from liability
if there is actual knowledge of falsity of a report.
Comment: One commenter stated the subject of a report should be
required to follow the dispute resolution procedures before filing suit
against a reporter for false knowledge in reporting to the HIPDB.
Response: We decline to accept this comment. The statute does not
provide the authority to require the subject of a report to follow the
dispute resolution procedures prior to filing suit against a reporter.
Further, we believe this would result in unnecessary delays in
reporting final adverse actions to the HIPDB.
3. Sanctions for Failure To Report
Comment: With regard to sanctions for failure to report to the
HIPDB, commenters stated that a potential CMP of $25,000 per occurrence
against health plans that fail to report was too severe. One commenter
recommended that, because of the perceived breadth and ambiguity of the
reporting requirements, the OIG should only assess CMPs against health
plans that ``knowingly and willfully fail to report.'' Another
commenter stated that the CMP was proportionately unfair to single
service health plans.
Response: Section 4331 of Public Law 105-33, the Balanced Budget
Act (BBA) of 1997, authorizes a CMP of up to $25,000 for each adverse
action not reported by a health plan. The statute does not require that
this full amount be imposed; a lesser penalty could be assessed at the
discretion of the OIG. The statute does not require a ``knowing and
willful'' standard as part of the CMP criteria. However, the OIG has
discretion in choosing whether to assess a CMP, and the OIG applies
various mitigating and aggravating factors, as set forth in the OIG/CMP
regulations, in determining the CMP amount up to the $25,000 limit.
Specific policies and factors regarding imposition of this CMP are
being set forth by the OIG in separate final rulemaking addressing new
and revised sanction authorities resulting from the BBA.
Comment: One commenter asked whether the OIG would impose CMPs
against health plans that cannot report because they do not collect all
of the reportable data elements.
Response: Every effort has been made to specify a set of data
elements that will not impose an undue burden on reporters and that
still ensure a high degree of confidence in matching names of health
care practitioners, providers and suppliers with existing reports in
the HIPDB. Reporters will be required to report mandatory data
elements, and may report all other fields if they are known. However,
reporters that fail to submit reports with the minimum mandatory data
required by statute and regulations may be subject to the sanctions
referenced above.
Comment: Some commenters expressed concern that the OIG would
impose CMPs for the non-reporting of adverse actions (or particular
data elements associated with an adverse action) that occurred during
the period between the effective date of HIPAA, August 21, 1996, and
the effective date of this rule, a time period when the exact reporting
requirements of the rule were not yet known to the entities now
responsible for reporting.
Response: The basic types of actions to be reported were specified
in the HIPAA and were, therefore, noticed to potential reporters as of
August 21, 1996. We do realize, however, that the specific definitions
of terms used, and the specification of exact data elements to be
reported, are set forth in this rule. While there is a duty to report
actions (and data elements) dating from the period between August 21,
1996 and the promulgation of this rule, the OIG will give due
consideration to the ability of a reporting agency or health plan to
comply with requirements to report such actions (and data elements) in
determining whether to impose a CMP for failure to report in accordance
with 42 CFR 1003.102(b)(5)(ii).
4. Implementation Schedule
Comment: Four comments were received regarding the implementation
schedule for the HIPDB. Commenters stated that collecting data elements
retroactively, as required by the Act, would be burdensome and
difficult to obtain. One commenter recommended a separate date for
``other adjudicated actions,'' stating that these actions are not final
until each case has exhausted all appeal rights. Several commenters
suggested the OIG should allow for two different dates: one for data
that are available at the time of the opening of the data bank, and
another date (for example, 60 days later) for additional and
retroactive data.
Response: The OIG has taken these points into consideration. This
concern is being addressed below in the section of this preamble
discussing the burden of data collection.
5. Paperwork Reduction Act Statement
a. Data elements to be reported to the HIPDB. The OIG solicited
comments on: (1) Whether the proposed collection of information is
necessary for the proper performance of the functions of the
Department, including whether the
[[Page 57753]]
information will have practical utility; (2) the accuracy of the
Department's estimate of the burden of the proposed collection of
information; (3) ways to enhance the quality, utility and clarity of
the information to be collected; and (4) ways to minimize the burden of
the collection of information on respondents, including through the use
of automated collection techniques or other forms of information
technology.
Comment: Over half of the comments received concerned the data
elements in general. Commenters stated that the proposed rule was
overreaching the scope of the statute and created unintended reporting
burdens with regard to the various data elements specified for
collection. Some commenters indicated that they did not collect one or
more of the required data elements, while others suggested that not all
of the requested data elements were necessary for the HIPDB, or that
only a minimal set of elements were needed to insure proper
identification of a subject. Some commenters stated that the required
data elements would force physicians to devote additional time and
expense to reporting these actions.
Response: The OIG disagrees with the commenters' assessments. The
OIG continues to believe the data elements selected for inclusion into
the HIPDB are essential for users in properly identifying individuals
and entities which are the subjects of reports in the data bank.
Further, as indicated earlier, with respect to the concerns indicated
by some physicians, there are no requirements for physicians to report
directly to the data bank and thus no additional non-medical time
required of them with respect to the array of data elements.
Comment: A number of State agencies cited their respective State
statutes that prohibit the collection or reporting of Social Security
Numbers and, in some instances, other personal data (such as sex and
date of birth). Ten commenters stated that their organizations did not
routinely collect Social Security Numbers or Taxpayer Identification
Numbers.
Response: The statute offers the OIG no discretion in this
collection element provision. The Federal statute authorizing this data
base takes precedence over and preempts State statutory requirements,
and specifically requires the reporting of Taxpayer Identification
Numbers, which includes Social Security Numbers and Federal Employer
Identification Numbers. As to the inclusion of other personal
identifiers, we have determined that these elements are required to
insure proper identification of subjects reported to the data bank and,
consequently, these requirements are being retained in the final
regulations. We believe that the various reporting entities can make
the proper adjustments to secure the required information without undue
hardship or burden.
Comment: Some commenters raised concern over the need to include
``Occupation'' as one of the mandatory element under the HIPDB.
Response: For identification purposes, we believe it is important
for a querier of the data bank to know a subject's occupation. Today's
health care providers are frequently involved in different ventures and
occupations. Reportable actions may arise in one area of a subject's
endeavors, but not in others. Therefore, we believe that queriers must
be made aware of all reportable actions against a subject, and an
integral element of this is learning the occupation in which these
actions were taken.
Comment: Three commenters requested that ``Other Names Used'' be a
mandatory field, particularly with regard to female subjects.
Response: We are satisfied that this element should be reported
``if known,'' and we assume the reporters will provide these names if
such information is available to them.
Comment: We received comments regarding the ``Physician Specialty''
data element. Commenters questioned why specialty data were only being
collected on physicians and not on other types of practitioners.
Response: We agree with the suggestion that ``specialty'' should be
reported for all practitioners, if applicable, and are modifying the
regulations accordingly.
Comment: Twenty-six commenters suggested that the ``Name of the
Affiliated or Associated Health Care Entity'' not be made a mandatory
field.
Response: The statute requires that this information be reported
``if known.'' We agree with the commenters' concerns, and will clarify
the language in the final regulations to emphasize that this
information be reported only if known.
Comment: Several comments stated that potential reporters do not
currently collect the mandatory element ``National Provider
Identifier'' (NPI).
Response: We are aware that NPIs have not been issued and,
therefore, cannot be reported. However, once HCFA issues these
identification numbers, the collection and reporting of NPIs to the
HIPDB will be mandatory. Reporters are advised to begin the necessary
steps to collect this identifier in the future, as it becomes
available. In this final rule, we are deleting the data field ``NPI for
Affiliated or Associated Health Care Entities.''
Comment: One commenter suggested that the HIPDB also add the method
used to detect the act that underlies the action being reported.
Response: We disagree. We believe this information will not be
useful, and would create an additional reporting burden.
Comment: Commenters stated that some reporters do not collect data
on the ``Name of Each Professional School Attended and Year of
Graduation.''
Response: These data are mandatory requirements of the NPDB and are
routinely provided by State agencies and organizations representing
physicians and dentists. These NPDB requirements will remain unchanged.
For reports made solely to the HIPDB, these data elements will be
mandatory for licensing and certification actions reported by Federal
and State agencies, which routinely collection this information, and
will be designated as ``if known'' for all other reporters.
Comment: Several commenters noted the unreliability of a ``Work
Address'' element for individual subjects, and other commenters stated
that only an ``Address of Record'' would be known by certain reporters.
Response: The OIG agrees with these comments and is revising the
final regulations accordingly. Only one address--either the subject's
``Home Address'' or the ``Address of Record''--will be mandatory for
each report. Other addresses, such as a primary work address, will be
reportable only ``if known.''
Comment: Twelve comments were received concerning the mandatory
``Description of the Acts or Omissions'' and the ``Description of the
Action'' fields. The commenters suggested use of numerical codes in
lieu of narrative descriptions.
Response: The statute is clear that the ``Description of the Acts
or Omissions'' field is a mandatory element. However, to assist users
of this information, we are adopting the suggestion of a code list that
corresponds to the most common underlying acts expected to be reported.
Use of this code will be mandatory, along with a narrative description
of the acts or omissions and injuries upon which the reported action
was based. With regard to the ``Description of the Action'' field, we
have changed the final rule to show that the mandatory requirements for
reporting an action are the date the action was taken, its effective
date and duration, the amount of any monetary penalty, and whether
[[Page 57754]]
the action is on appeal. We believe these elements are essential for a
user's understanding of the action being reported. The proposed rule
also called for a mandatory ``Classification of the action'' in
accordance with a reporting code adopted by the Secretary. While the
``Description of the action'' has been deleted, the ``Action code''
will remain as a mandatory element in the final regulations.
Comment: Five comments were received requesting additional
clarification regarding the reporting of ``Professional license,
certification or registration.''
Response: In response to these comments, we are clarifying the
final regulations to indicate that for licensure certification or
registration actions taken by Federal and State licensing and
certification agencies, the mandatory information to be reported will
be on the professional license, certification or registration on which
the action was taken. Information on other licenses, certifications or
registrations, including those issued in other States or by other
agencies, will be reportable to the data bank ``if known.''
b. Estimated burden of data collection requirements. Comment: A
number of commenters stated that the proposed rule did not accurately
address the burden as it applies to the cost of creating and
maintaining the data collection system, or the costs associated with
collecting the required data elements. Commenters stated that the
start-up cost, indicated at $5,000, was significantly underestimated.
One commenter strongly believed that the costs associated with the
HIPDB system would far outweigh its benefit, and several commenters
stated that they would need to hire new employees in order to meet the
HIPDB reporting requirements. One commenter indicated that, while their
State proportionally had a smaller number of health care providers than
some of the larger States, its State agency nevertheless took 712
actions last year that would need to be reported to the HIPDB,
resulting in what they believed would be a larger than estimated burden
nationwide.
Response: In developing our burden statement and estimate,
calculations for the regulatory impact statement in the proposed rule
were based on estimations derived from the regulatory impact prepared
for the proposed rule currently being developed for State licensing
boards addressing section 1921 of the Act. Section 1921 of the Act, as
amended by section 5(b) of the Medicare and Medicaid Patient and
Program Protection Act of 1987 and by the Omnibus Budget Reconciliation
Act of 1990, requires each State to adopt a system that reports to the
Secretary certain adverse licensure actions taken against health care
practitioners and health care entities that are licensed or otherwise
authorized by a State (or a political subdivision) to provide health
care services. Similar to the information required for the HIPDB,
section 1921 of the Act already requires, for reporting to the NPDB,
that each State (1) report any negative actions or findings that a
State licensing authority, peer review organization or private
accreditation entity takes against a health care practitioner or health
care entity; and (2) have an information reporting system in place as
of January 1, 1992, regardless of whether the Secretary promulgated
regulations to carry out these provisions. Therefore, since 1992, the
States already have been required to collect much of the information to
which they attribute their costs of collecting information for
reporting to the HIPDB. However, we recognize that the regulatory
impact will vary from State to State, and as a result, we have adjusted
our burden estimates in this final rule accordingly. Specifically,
after consideration of the concerns raised, we agree with the
commenters that their developing or restructuring of a data collection
system to incorporate the HIPDB requirements may have been
underestimated. Therefore, we have increased the start-up cost estimate
to $20,000 for each State licensing board. In terms of the reporting
burden for State licensing agencies, we were advised by national
organizations that represent State licensing boards that much of the
requested data are already being collected and maintained by their
organization. Therefore, we believe that the reporting burden for State
licensing boards, such as nursing, chiropractic, optometry, physical
therapist and social worker should be minimal.
Comment: Some commenters believed that complying with the HIPDB
would be labor intensive and costly. Commenters suggested that the
HIPDB data collection requirements would create an administrative
burden for State licensing boards.
Response: As indicated above, the OIG has addressed the reporting
requirements in detail in this preamble in response to public comments.
We agree with many of the commenters' concerns, and are streamlining
the HIPDB reporting requirements accordingly. The OIG believes that
this final rule now reflects the least burdensome reporting
requirements possible with respect to State agencies' compliance.
Comment: Several commenters proposed alternatives that they
believed might ease the burden on State licensing boards. Specifically,
commenters recommended that the OIG make use of various authorized
agents, such as the National Council of State Boards of Nursing,
Federation of Chiropractic Licensing Boards, National Association of
Boards of Pharmacy and the American Association of State Social Work
Boards to collect and report the required information, thus lessening
the burden on individual health plans and State agencies.
Response: In developing this rulemaking, the OIG sought the input
from States and representatives of various associations. Initially, the
OIG met with State regulatory boards and associations, including the
National Council of State Boards of Nursing, Federation of Chiropractic
Licensing Boards, National Association of Boards of Pharmacy and the
American Association of State Social Work Boards, to explain the
requirements of the HIPDB and to explore options that would ease the
regulatory burden on State agencies. As a result with respect to State
licensing boards, we suggested the following options: (1) organizing a
centralized or decentralized reporting mechanism within the State, or
(2) reporting to the data bank through an authorized agent. If an
authorized agent is utilized by the State, individual agreements must
be made between the State and the professional association, as well as
between the State and the HIPDB.
IV. Summary of Revisions in the Final Rule
Based on our review and response to the array of public comments,
and based on the discretionary authority given the Department under the
statute, we are making the following revisions to the proposed
regulations that we believe will allow the collection and dissemination
of information to and from the HIPDB to occur in a more effective and
efficient manner:
Section 61.3
We are revising the definition of the term ``Affiliated or
associated'' to read as follows: Affiliated or Associated means health
care entities with which a subject of a final adverse action has a
commercial business relationship, including but not limited to,
organizations, associations, corporations, or partnerships. It also
includes a professional corporation or other business entity composed
of a single individual.
[[Page 57755]]
In the definition of the term ``Any other negative action
or finding,'' we are adding the following sentence: ``This definition
excludes administrative fines or citations and corrective action plans,
unless they are: (1) Connected to the delivery of health care services,
and (2) taken in conjunction with other licensure or certification
actions such as revocation, suspension, censure, reprimand, probation,
or surrender.''
We are deleting the proposed definition for the term
``Clinical privileges.''
We are amending the fourth element in the definition of
the term ``Government agency'' to include both Federal and State law
enforcement agencies, and law enforcement investigators as well as
States Attorneys General.
In the first sentence under the definition for the term
``Health care supplier,'' we have inserted a comma and are adding the
phrase ``whether directly or indirectly,'' after the statement ``* * *
or any individual or entity, other than a provider, who furnishes'' and
we have replaced the example of ``manufacturers of health care related
items'' with the phrase ``manufacturers of health care items.'' We have
also revised the second sentence in the definition to read as follows:
``The term also includes any individual or entity under contract to
provide such supplies, items or ancillary services, health plans as
defined in this section (excluding employers that are not self-insured)
and health insurance producers (including, but not limited to, agents,
brokers, solicitors, consultants and reinsurance intermediaries).''
We are modifying the fourth element in the proposed
definition of the term ``Health plan'' to make the definition more
inclusive. As revised the fourth element will include, but not be
limited to, ``[A] plan, program, agreement or other mechanism
established, maintained or made available by a self insured employer or
group of self insured employers, a practitioner, provider or supplier
group, third party administrator, integrated health care delivery
system, employee welfare association, public service group or
organization or professional association * * *''
We are adding a definition for the term ``Organizational
name and type.'' The ``organization name'' data element, to be reported
for all types of actions described in Secs. 61.7, 61.8, 61.9, 61.10 and
61.11, means the subject's business or employer at the time the
underlying acts occurred. If more than one business or employer is
involved, the one most closely related to the underlying acts must be
reported in ``organization name,'' with the others being reported in
the ``affiliated or associated health care entities'' field. The
``organization type'' is a brief description of the nature of that
business or employer.
The definition for ``Other adjudicated actions or
decisions'' specifically excludes clinical privileging actions taken by
Federal or State governmental agencies, paneling decisions made by
health plans and overpayment determinations by Federal and State agency
contractors or by health plans.
We are also adding a new definition for the term
``Voluntary surrender'' to mean a surrender made after a notification
of investigation or a formal official request by Federal or State
licensing or certification authorities for a health care provider,
supplier, or practitioner to surrender the license or certification
(including certification agreements or contracts for participation in
Federal or State health care programs). The definition also includes
those instances where a health care provider, supplier or practitioner
voluntarily surrenders a license or certification (including program
participation agreements or contracts) in exchange for a decision by
the licensing or certification authority to cease an investigation or
similar proceeding, or in return for not conducting an investigation or
proceeding, or in lieu of a disciplinary action.
Section 61.9
With regard to reporting civil judgments related to the
delivery of a health care item or service, we are adding the following
language to Sec. 61.9(a): ``If a Government agency is party to a multi-
claimant civil judgment, it must assume the responsibility for
reporting the entire action, including all amounts awarded to all the
claimants, both public and private. If there is no Government agency as
a party, but there are multiple health plans as claimants, the health
plan which receives the largest award must be responsible for reporting
the total action for all parties.''
Section 61.12
With regard to requesting information from the HIPDB, we
are revising the first sentence in Sec. 61.12 (a)(4) to indicate that
information in the data bank will be available, upon request, to ``[A]
person or entity who requests statistical information, which does not
permit any personal identifiers for any individual or entity.''
Section 61.13
We are adding the following sentence to the end of
Sec. 61.13 (a) with regard to our policy on fees applicable to requests
for information: ``For the same purpose, the Department will provide a
copy of the report--automatically, without a request and free of
charge--to the reporter that submitted it.''
Data Elements To Be Reported to the HIPDB
In view of the comments and responses discussed above, and in an
effort to clarify reporting requirements, the data elements have been
reformatted. Sections 61.7, 61.8, 61.9, 61.10 and 61.11 are structured
as follows:
The actions which must be reported and who is responsible
for making those reports.
The mandatory personal identifiers and employment or
professional identifiers for individual subjects; the mandatory
identifiers for organization subjects; and the mandatory data elements
for all subjects relating to the acts or omissions, the action taken
and the reporting entity.
The ``if known'' personal identifiers and employment or
professional identifiers for individual subjects; the ``if known''
identifiers for organization subjects; and the ``if known'' data
elements for all subjects relating to the acts or omissions, and the
action taken.
Each section concludes with the sanctions for failure to
report.
Section 61.16
We are adding a new Sec. 61.16 Immunity, to indicate that
individuals, entities or their authorized agents and the HIPDB will not
be held liable in any civil action filed by the subject of a report
unless the individual, entity or their authorized agent submitting the
report has actual knowledge of falsity of the information contained in
the report.
V. Regulatory Impact Statement
Executive Order 12866, the Unfunded Mandates Reform Act and the
Regulatory Flexibility Act
The Office of Management and Budget (OMB) has reviewed this final
rule in accordance with the provisions of Executive Order 12866, the
Unfunded Mandates Reform Act and the Regulatory Flexibility Act (5
U.S.C. 601-612), and has determined that it does not meet the criteria
for a significant regulatory action.
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and,
[[Page 57756]]
when rulemaking is necessary, to select regulatory approaches that
maximize net benefits (including potential economic, environmental,
public health, safety, distributive and equity effects). The Unfunded
Mandates Reform Act, Public Law 104-4, requires that agencies prepare
an assessment of anticipated costs and benefits on any rulemaking that
may result in an annual expenditure by State, local or tribal
government, or by the private sector of $100 million or more. In
addition, under the Regulatory Flexibility Act, if a rule has a
significant economic effect on a substantial number of small entities,
the Secretary must specifically consider the economic effect of a rule
on small entities and analyze regulatory options that could lessen the
impact of the rule.
Executive Order 12866 requires that all regulations reflect
consideration of alternatives, costs, benefits, incentives, equity, and
available information. Regulations must meet certain standards, such as
avoiding unnecessary burden. Regulations that are ``significant''
because of cost, adverse effects on the economy, inconsistency with
other agency actions, effects on the budget, or novel legal or policy
issues, require special analysis. The resources required to implement
the requirements in this final rule are minimal. We have determined
that this final rule does not meet the criteria for a major rule, as
defined by Executive Order 12866. As indicated above, this final rule
is designed to establish procedures for reporting to and releasing from
the HIPDB information on health care providers, suppliers, or
practitioners against whom final adverse actions have been taken.
In accordance with the Unfunded Mandates Reform Act of 1995, we
have determined the only costs (which we believe will not be
significant) would include the ability to transmit the information
electronically (e.g., Internet service) and additional staff hours
needed to transmit the information. Based on the public comments, we
have increased the initial start-up cost from $5,000 to $20,000 per
State licensing and certification agency ($20,000 per State licensing
and certification agency x 216 State agencies = $4,320,000). The
Department determined that the initial start-up cost will be less than
$100 per health plan ($100 per health plan x 20,000 health plans =
$2,000,000). Section 221(a) of HIPAA intends that the Federal
Government will not incur any costs for the operation and maintenance
of the HIPDB; user fees are intended to cover the full costs of the
HIPDB. For the reasons stated above, the Department has determined that
this rule does not impose any mandates on State, local or tribal
governments, or the private sector that will result in an annual
expenditure of $100 million or more, and that a full analysis under the
Act is not necessary.
In addition, in accordance with the Regulatory Flexibility Act of
1980 (RFA), and the Small Business Regulatory Enforcement Act of 1996,
which amended the RFA, we are required to determine if this rule will
have a significant economic effect on a substantial number of small
entities and, if so, to identify regulatory options that could lessen
the impact. For purposes of this final rule, we have not categorized
health plans as small business entities in accordance with the RFA, nor
have we included individuals and States in this definition of small
entities. Rather, we have defined small entities as nonprofit
organizations and local government agencies. Although the statute does
not specify local government agencies as reporters, we also have given
States the option to decide the manner in which they will report, i.e.,
having one centralized point for reporting or having multiple agencies
such as municipalities and local government agencies (including
District and County attorneys) report independently to the HIPDB. If
States elect to have multiple agencies reporting independently to the
HIPDB, we have determined that both the burden and costs associated
with reporting to the HIPDB will be minimal. We also have determined
that this rule would affect less than 100 nonprofit and local
government agencies. Also with respect to health plans, we have
determined that the burden and cost to them will be minimal. In an
effort to reduce the reporting and impact burdens upon health plans, we
have, as indicated above, clarified the definition of the term ``other
adjudicated actions or decisions'' to emphasize that such an action
requires the availability of a due process mechanism. We have in the
rule specifically limited the types of actions that health plans will
be required o report to a more limited and narrower category of
actions. We are not preparing an analysis for the RFA, since we have
determined, and the Secretary certifies, that this rule will not have a
significant economic impact on a substantial number of small entities
and, in accordance with the threshold criteria of Executive Order 13132
(August 4, 1999), have determined that these regulations do not
significantly affect the rights, roles and responsibilities of States.
Paperwork Reduction Act
In compliance with section 3506(c)(2)(A) of the Paperwork Reduction
Act (PWA) of 1995, we are required to solicit public comments, and
receive final OMB approval, on any information collection requirements
set forth in final rulemaking. As indicated above, in order to properly
implement the HIPDB, the OIG requires the collection of certain
information as set forth in Secs. 61.6, 61.7, 61.8, 61.9, 61.11, 61.12
and 61.15 of this final rule. In accordance with the PWA, we are
submitting to OMB at this time the following requirements for seeking
emergency review of these provisions. We are requesting an emergency
review because the data collection and reporting of this information is
needed before the expiration of the normal time limits under OMB's
regulations at 5 CFR part 1320, to ensure the timely availability and
reporting of data as necessary in order to improve the quality of
patient care and to prevent health care fraud and abuse activities.
Delaying the reporting process would delay implementation of the
establishment of a complete data bank that effectively deters health
care fraud and abuse in the health care industry and protects the
public. We are requesting OMB review and approval of this collection
within 16 working days from the date of publication of this rulemaking,
with a 180-day approval period. Written comments and recommendations
will be accepted from the public if received by the individual
designated below within 15 working days from the dat of publication of
these regulations. During this 180-day approval period, we will publish
a separate Federal Register notice announcing the initiation of an
extensive 60-day agency review and public comment period on the
requirements set forth.
Collection of Information: The Healthcare Integrity and Protection
Data Bank for Final Adverse Information on Health Care Providers,
Suppliers and Practitioners.
Description: Information collected under Secs. 61.6, 61.7, 61.8,
61.9, 61.11, 61.12 and 61.15 of this final rule would be used by
authorized parties, specified in the proposed rule, to prevent health
care fraud and abuse activities and to improve the quality of patient
care.
Description of Respondents: Federal and State Government agencies
and health plans. The reports from Federal agencies are not subject to
the PRA.
Estimated Annual Reporting: The Department estimates that the
public reporting burden for this final rule is
[[Page 57757]]
185,099 hours. As a result of the public comments, we acknowledge that
the proposed rule significantly under estimated the number of licensure
and certification actions taken by State licensing authorities against
health care providers, suppliers and practitioners. Therefore, we have
increased the reporting burden from 132,733 to 185,099 hours.
The estimated annual reporting and querying burden is as follows:
----------------------------------------------------------------------------------------------------------------
Number of Responses per Total Hours per Total burden
Section No. respondents respondent responses response hours
----------------------------------------------------------------------------------------------------------------
61.6, Errors & Omissions........ \1\ 1,200 1 1,200 25 500
61.6, Revisions/Appeal Status... 1,000 1 1,000 75 1,250
61.7--Licensure Actions:
Disclosure by State \2\ 1,836 22 40,400 75 50,500
Licensing Boards...........
Reporting by State Licensing 216 187 40,400 15 10,100
Authorities................
61.8, Criminal Convictions...... \3\ 54 13 700 75 875
61.9, Civil Judgments........... \4\ 62 8 500 75 625
61.11, Other Adjudicated Action \5\ 66 12 800 75 1,000
or Decision....................
61.12:
Queries..................... \6\ 5,601 201 1,127,512 5 93,959
Self-queries................ 60,000 1 60,000 25 25,000
Entity verification \7\..... 5,000 1 5,000 10 833
Entity update............... 250 1 250 5 20
61.12, Authorized agent 100 1 100 10 16
designation \7\................
61.12, Authorized agent 5 1 5 5 0.42
designation update.............
61.15--Disputed Reports &
Secretarial Review:
Initial Request............. \8\ 750 1 750 10 125
Request for Secretarial 37 1 37 480 296
Review.....................
-------------------------------------------------------------------------------
Total....................... 76,177 .............. 1,278,654 185,099
----------------------------------------------------------------------------------------------------------------
Footnotes:
1. Section 61.6 requires each Government agency or health plan that reports information to the HIPDB to ensure
the accuracy of the information. If there are any errors or omissions to the reports previously submitted to
the HIPDB, the individual or entity that submitted the report to the HIPDB is also responsible for making the
necessary correction or revision to the original report. If there is any revision to the action or the action
is on appeal, the individual or entity that submitted the original report to the HIPDB is also responsible for
reporting revisions and whether the action is on appeal. Based on corrections and revisions made to
information contained in the NPDB, we have estimated that a total of 1,200 respondents will need to correct
their reports each year and that a total of 1,000 respondents will need to revise actions originally reported,
or to report whether an action is on appeal each year. Based on experience with the NPDB, a correction is
expected to take 25 minutes to complete and submit. A revision is expected to take somewhat longer (75
minutes) because it involves completing a new report form rather that just correcting the individual items
that are in error.
2. Section 61.7 requires Federal and State agencies responsible for the licensing and certification of health
care providers, suppliers and practitioners to report all disciplinary licensure actions to the HIPDB.
Therefore, we estimate that approximately 34 State licensing boards in each State will report to the State
licensing and certification authorities (54 States and territories x 34 licensing boards/per State = 1,836
State licensing and certification boards), and the State licensing and certification authorities (4 per State)
will be responsible for reporting information to the HIPDB (54 States and territories x 4 State licensing and
certification authorities/per State = 216 State licensing and certification authorities). We estimate that
40,400 reports will be submitted directly to the HIPDB each year, for an average of 187 reports per State
licensing and certification authority and 22 reports per State licensing board. Since disciplinary licensure
actions by State licensing authorities in the NPDB overlap with this statute, this estimate includes all
licensure actions that will be reported to both the NPDB and the HIPDB. The HIPDB will use similar forms and
procedures for reporting as the NPDB. As a result, we estimate that it will take a State licensing board 75
minutes to complete and submit an initial report. We also estimate that it will take a State licensing and
certification authority 15 minutes to verify the accuracy and completeness of the information contained in the
initial report before electronically submitting the information to the HIPDB.
3. Section 61.8 requires Federal and State prosecutors to report criminal convictions related to the delivery of
a health care item or service. Based on the number of health care providers, suppliers and practitioners
convicted by the Federal Government, we estimate that there will be an approximate total of 700 State criminal
convictions reported to the HIPDB each year, for an average of 13 convictions per State. Based on experience
with the NPDB, we estimate that it will take 75 minutes to complete and submit each report.
4. Section 61.9 requires Federal and State attorneys and health care plans to report civil judgments against
health care providers, suppliers and practitioners related to the delivery of a health care item or service.
We estimate that there will be an approximate total of 500 civil judgments each year that will be reported by
the 54 States Attorneys and an estimated 8 health plans, for a total of 62 reporters. Based on experience with
the NPDB, we estimate that it will take 75 minutes to complete and submit each report.
5. Section 61.11 requires Federal and State Governmental agencies and health plans to report any adjudicated
action or decision related to the delivery of a health care item or service against health care providers,
suppliers and practitioners. We estimate that there will be an approximate total of 800 other adjudicated
actions or decision reports submitted to the HIPDB each year by 54 State governmental agencies and an
estimated 12 health plans, for a total of 66 reporters. Based on experience with the NPDB, we estimate that it
will take 75 minutes to complete and submit each report.
6. Certain queriers have access to both the NPDB and the HIPDB. When these entities query one data bank, they
may elect to automatically receive reports from both. The Department estimates that there will be 1,127,512
queries submitted to the HIPDB per year on health care providers, suppliers and practitioners, including an
estimated 60,000 self-queries. These estimates include only queries submitted directly to the HIPDB; it does
not include those transferred from the NPDB. The estimates of burden per response are based on experience with
similar querying of the NPDB.
7. To access the HIPDB, entities are required to certify that they meet section 1128E reporting and querying
requirements by completing an Entity Registration form and submitting it to the HIPDB. The information
collected on this form provides the HIPDB with essential information concerning the entity, such as name,
address and entity type. Eligible entities, such as State licensing agencies or certain managed care
organizations, that have access to both the NPDB and the HIPDB have already registered for the NPDB and are
not required to register separately for the HIPDB. Entities eligible to access only the HIPDB must complete
and submit the Entity Registration form. We estimate that it will take an entity 10 minutes to complete and
submit the Entity Registration form to the HIPDB. If there are any changes in the entity's name, address,
telephone, entity type designation, or query and report point of contact, the entity representative must
update the information on the Entity Information Update form and submit it to the HIPDB. Of the 5,000 new
registrants, we estimate 250 entities (5 percent of all new registrants) will need to update their
organization's information each year.
[[Page 57758]]
An eligible entity may elect to have an outside organization query or report to the HIPDB on its behalf. This
organization is referred to as an authorized agent. Before an authorized agent acts on behalf of an entity,
the eligible entity must complete and submit an Agent Designation form to the HIPDB Help Line. The information
collected on this form provides the HIPDB with essential information concerning the agent, such as name,
address and telephone number. We estimate that 100 entities (2 percent of all new registrants) will elect an
authorized agent to query or report to the HIPDB on their behalf. We estimate that it will take an entity 10
minutes to complete and submit the Agent Designation form to the HIPDB. Any changes to the authorized agent
designation, such as routing of responses to queries or termination of an authorized agent, the eligible
entity must update the information on the Agent Designation Update form and submit it to the HIPDB. We
estimate that five of the 100 eligible entities will need to update their agent's information each year.
8. Section 61.15 describes the process to be followed by a health care provider, supplier or practitioner in
disputing the factual accuracy of information in a report and requesting Secretarial review of the disputed
report. Based on experience with the NPDB, we estimate that 750 (10 percent of all new reports) will be
entered into the ``disputed status.'' We estimate that it will take a health care provider, supplier or
practitioner 10 minutes to notify the HIPDB to enter the report into ``disputed status.'' Of the 750 disputed
reports, we estimate that only 37 reports (5 percent) will be forwarded to the Secretary for review. We
estimate that it will take a health care provider, supplier or practitioner 8 hours to describe in writing
which facts are in dispute and to gather supporting documentation related to the dispute.
Forms to be used in the day-to-day management of the HIPDB would
include the following:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hrs. per
Form name No. of Responses per Total response Total burden Wage rate Total cost
respondents respondent responses (minutes) hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
Account Discrepancy..................... 2,000 1 2,000 5 166 $15 $2,490
Electronic Funds Transfer Authorization. 850 1 850 5 70 15 1,050
Entity Reactivation..................... 500 1 500 5 41 15 615
---------------------------------------------------------------------------------------------------------------
Total............................... 3,350 .............. 3,350 .............. 277 .............. 4,155
--------------------------------------------------------------------------------------------------------------------------------------------------------
Comments on this information collection activity should be sent to:
Allison Herron Eydt, OIG Desk Officer, Office of Management and Budget,
Room 10235, New Executive Office Building, 725 17th Street, N.W.,
Washington, D.C. 20053, FAX: (202) 395-6974.
VI. Waiver of Delayed Effective Date
In publishing final regulations, we usually indicate an effective
date of 30 days following their publication in the Federal Register.
However, this procedure may be waived when an agency finds good cause
that a delay in the effective date is impracticable, unnecessary or
contrary to the public interest.
Section 221(a) of HIPAA stated that the Secretary establish a
national health care fraud and abuse data collection program by January
1, 1997. After a series of meetings with more than 1,000 current users
of the NPDB and potential users of, and reporters to, the HIPDB
(including health plans, State licensing boards, law enforcement
officials, Federal and State Government agencies and professional
associations), on October 31, 1998, we published a notice of proposed
rulemaking in the Federal Register in which we requested public comment
on the implementation of the HIPDB. As indicated, we received 117
formal public comments in response to that proposed rulemaking.
Further, in developing the final rule, we have also taken into
consideration the concerns of numerous Federal agencies, including the
Department of Justice, the Department of Defense, the Department of
Veterans Affairs and the U.S. Postal Inspection Service. Through this
process, the Department has continued to work closely with the 17
national licensing boards organizations--including those for nurses,
chiropractors, optometrists and physical therapists--that represent
more than 4 million health care practitioners. In addition, the OIG
also has contacted each State Governor regarding the reporting
requirements of the HIPDB and continues to work with the States to help
implement the States' reporting.
To implement the requirements of the statute, we believe that it is
urgent that final regulations be promulgated without further delay in
order to (1) streamline the fact-gathering process by law enforcement
officials, regulatory agencies and health plans; (2) allow health care-
related final adverse actions taken against providers, practitioners
and suppliers to be reported to the HIPDB; and (3) establish a
centralized system that will make this information easily accessible to
authorized users.
In light of the fact that we have provided ample opportunity for
public input and comment, and have worked closely with Federal and
State Government agencies and various national organizations and their
members in developing the HIPDB, we find that imposing the normal 30-
day delay would be contrary to public interest. Therefore, consistent
with 5 U.S.C. 553(d), we find good cause to waive the delay in the
effective date of this rule and allow for the timely implementation of
final regulations and the start-up of the data bank.
List of Subjects in 45 CFR Part 61
Billing and transportation services, Durable medical equipment
suppliers and manufacturers, Health care insurers, Health maintenance
organizations, Health professions, Home health care agencies,
Hospitals, Penalties, Pharmaceutical suppliers and manufacturers,
Privacy, Reporting and recordkeeping requirements, Skilled nursing
facilities.
Accordingly, a new 45 CFR part 61 is added to read as follows:
PART 61--HEALTHCARE INTEGRITY AND PROTECTION DATA BANK FOR FINAL
ADVERSE INFORMATION ON HEALTH CARE PROVIDERS, SUPPLIERS AND
PRACTITIONERS
Subpart A--General Provisions
Sec.
61.1 The Healthcare Integrity and Protection Data Bank.
61.2 Applicability of these regulations.
61.3 Definitions.
Subpart B--Reporting of Information
61.4 How information must be reported.
61.5 When information must be reported.
61.6 Reporting errors, omissions, revisions, or whether an action
is on appeal.
61.7 Reporting licensure actions taken by Federal or State
licensing and certification agencies.
61.8 Reporting Federal or State criminal convictions related to the
delivery of a health care item or service.
61.9 Reporting civil judgments related to the delivery of a health
care item or service.
61.10 Reporting exclusions from participation in Federal or State
health care programs.
61.11 Reporting other adjudicated actions or decisions.
[[Page 57759]]
Subpart C--Disclosure of Information by the Healthcare Integrity and
Protection Data Bank
61.12 Requesting information from the Healthcare Integrity and
Protection Data Bank.
61.13 Fees applicable to requests for information.
61.14 Confidentiality of Healthcare Integrity and Protection Data
Bank information.
61.15 How to dispute the accuracy of Healthcare Integrity and
Protection Data Bank information.
61.16 Immunity.
Authority: 42 U.S.C. 1320a-7e.
Subpart A--General Provisions
Sec. 61.1 The Healthcare Integrity and Protection Data Bank.
(a) Section 1128E of the Social Security Act (the Act) authorizes
the Secretary of Health and Human Services (the Secretary) to implement
a national health care fraud and abuse data collection program for the
reporting and disclosing of certain final adverse actions taken against
health care providers, suppliers, or practitioners. Section 1128E of
the Act also directs the Secretary to maintain a database of final
adverse actions taken against health care providers, suppliers or
practitioners. This data bank will be known as the Healthcare Integrity
and Protection Data Bank (HIPDB). Settlements in which no findings or
admissions of liability have been made will be excluded from being
reported. However, if another action is taken against the provider,
supplier or practitioner of a health care item or service as a result
of or in conjunction with the settlement, that action is reportable to
the HIPDB.
(b) Section 1128E of the Act also requires the Secretary to
implement the HIPDB in such a manner as to avoid duplication with the
reporting requirements established for the National Practitioner Data
Bank (NPDB) (See 45 CFR part 60). In accordance with the statute, the
reporter responsible for reporting the final adverse actions to both
the HIPDB and the NPDB will be required to submit only one report,
provided that reporting is made through the Department's consolidated
reporting mechanism that will sort the appropriate actions into the
HIPDB, NPDB, or both.
(c) The regulations in this part set forth the reporting and
disclosure requirements for the HIPDB.
Sec. 61.2 Applicability of these regulations.
The regulations in this part establish reporting requirements
applicable to Federal and State Government agencies and to health
plans, as the terms are defined under Sec. 61.3.
Sec. 61.3 Definitions.
The following definitions apply to this part:
Act means the Social Security Act.
Affiliated or associated means health care entities with which a
subject of a final adverse action has a commercial relationship,
including but not limited to, organizations, associations,
corporations, or partnerships. It also includes a professional
corporation or other business entity composed of a single individual.
Any other negative action or finding by a Federal or State
licensing agency means any action or finding that under the State's law
is publicly available information, and rendered by a licensing or
certification authority, including but not limited to, limitations on
the scope of practice, liquidations, injunctions and forfeitures. This
definition also includes final adverse actions rendered by a Federal or
State licensing or certification authority, such as exclusions,
revocations or suspension of license or certification that occur in
conjunction with settlements in which no finding of liability has been
made (although such a settlement itself is not reportable under the
statute). This definition excludes citations, corrective action plans
and personnel actions.
Civil judgment means a court-ordered action rendered in a Federal
or State court proceeding, other than a criminal proceeding. This
reporting requirement does not include Consent Judgments that have been
agreed upon and entered to provide security for civil settlements in
which there was no finding or admission of liability.
Criminal conviction means a conviction as described in section
1128(i) of the Act.
Exclusion means a temporary or permanent debarment of an individual
or entity from participation in any Federal or State health-related
program, in accordance with which items or services furnished by such
person or entity will not be reimbursed under any Federal or State
health-related program.
Government agency includes, but is not limited to--
(1) The U.S. Department of Justice;
(2) The U.S Department of Health and Human Services;
(3) Any other Federal agency that either administers or provides
payment for the delivery of health care services, including, but not
limited to, the U.S. Department of Defense and the U.S. Department of
Veterans Affairs;
(4) Federal and State law enforcement agencies, including States
Attorneys General and law enforcement investigators;
(5) State Medicaid Fraud Control Units; and
(6) Federal or State agencies responsible for the licensing and
certification of health care providers, suppliers or licensed health
care practitioners. Examples of such State agencies include Departments
of Professional Regulation, Health, Social Services (including State
Survey and Certification and Medicaid Single State agencies), Commerce
and Insurance.
Health care provider means a provider of services as defined in
section 1861(u) of the Act; any health care entity (including a health
maintenance organization, preferred provider organization or group
medical practice) that provides health care services and follows a
formal peer review process for the purpose of furthering quality health
care, and any other health care entity that, directly or through
contracts, provides health care services.
Health care supplier means a provider of medical and other health
care services as described in section 1861(s) of the Act; or any
individual or entity, other than a provider, who furnishes, whether
directly or indirectly, or provides access to, health care services,
supplies, items, or ancillary services (including, but not limited to,
durable medical equipment suppliers, manufacturers of health care
items, pharmaceutical suppliers and manufacturers, health record
services such as medical, dental and patient records, health data
suppliers, and billing and transportation service suppliers). The term
also includes any individual or entity under contract to provide such
supplies, items or ancillary services; health plans as defined in this
section (including employers that are self-insured); and health
insurance producers (including but not limited to agents, brokers,
solicitors, consultants and reinsurance intermediaries).
Health plan means a plan, program or organization that provides
health benefits, whether directly, through insurance, reimbursement or
otherwise, and includes but is not limited to--
(1) A policy of health insurance;
(2) A contract of a service benefit organization;
(3) A membership agreement with a health maintenance organization
or other prepaid health plan;
(4) A plan, program, or agreement established, maintained or made
available by an employer or group of employers, a practitioner,
provider or supplier group, third party administrator, integrated
health care delivery system, employee welfare
[[Page 57760]]
association, public service group or organization or professional
association; and
(5) An insurance company, insurance service or insurance
organization that is licensed to engage in the business of selling
health care insurance in a State and which is subject to State law
which regulates health insurance.
Licensed health care practitioner, licensed practitioner, or
practitioner means, with respect to a State, an individual who is
licensed or otherwise authorized by the State to provide health care
services (or any individual who, without authority, holds himself or
herself out to be so licensed or authorized).
Organization name means the subject's business or employer at the
time the underlying acts occurred. If more than one business or
employer is involved, the one most closely related to the underlying
acts should be reported in the ``organization name,'' field with the
others being reported in the ``affiliated or associated health care
entities'' field.
Organization type means a brief description of the nature of that
business or employer.
Other adjudicated actions or decisions means formal or official
final actions taken against a health care provider, supplier or
practitioner by a Federal or State governmental agency or a health
plan; which include the availability of a due process mechanism, and;
are based on acts or omissions that affect or could affect the payment,
provision or delivery of a health care item or service. For example, a
formal or official final action taken by a Federal or State
governmental agency or a health plan may include, but is not limited
to, a personnel-related action such as suspensions without pay,
reductions in pay, reductions in grade for cause, terminations or other
comparable actions. A hallmark of any valid adjudicated action or
decision is the availability of a due process mechanism. The fact that
the subject elects not to use the due process mechanism provided by the
authority bringing the action is immaterial, as long as such a process
is available to the subject before the adjudicated action or decision
is made final. In general, if an ``adjudicated action or decision''
follows an agency's established administrative procedures (which ensure
that due process is available to the subject of the final adverse
action), it would qualify as a reportable action under this definition.
This definition specifically excludes clinical privileging actions
taken by Federal or State Government agencies and similar paneling
decisions made by health plans. This definition does not include
overpayment determinations made by Federal or State Government
programs, their contractors or health plans; and it does not include
denial of claims determinations made by Government agencies or health
plans. For health plans that are not Government entities, an action
taken following adequate notice and the opportunity for a hearing that
meets the standards of due process set out in section 412(b) of the
HCQIA (42 U.S.C. 11112(b)) also would qualify as a reportable action
under this definition.
Secretary means the Secretary of Health and Human Services and any
other officer or employee of the Department of Health and Human
Services to whom the authority involved has been delegated.
State means any of the fifty States, the District of Columbia, the
Commonwealth of Puerto Rico, the Virgin Islands and Guam.
Voluntary surrender means a surrender made after a notification of
investigation or a formal official request by a Federal or State
licensing or certification authority for a health care provider,
supplier or practitioner to surrender the license or certification
(including certification agreements or contracts for participation in
Federal or State health care programs). The definition also includes
those instances where a health care provider, supplier or practitioner
voluntarily surrenders a license or certification (including program
participation agreements or contracts) in exchange for a decision by
the licensing or certification authority to cease an investigation or
similar proceeding, or in return for not conducting an investigation or
proceeding, or in lieu of a disciplinary action.
Subpart B--Reporting of Information
Sec. 61.4 How information must be reported.
Information must be reported to the HIPDB as required under
Secs. 61.6, 61.7, 61.8, 61.9, 61.10, 61.11 and 61.15 in such form and
manner as the Secretary may prescribe.
Sec. 61.5 When information must be reported.
(a) Information required under Secs. 61.7, 61.8, 61.9, 61.10 and
61.11 must be submitted to the HIPDB--
(1) Within 30 calendar days from the date the final adverse action
was taken or the date when the reporting entity became aware of the
final adverse action; or
(2) By the close of the entity's next monthly reporting cycle,
whichever is later.
(b) The date the final adverse action was taken, its effective date
and duration of the action would be contained in the information
reported to the HIPDB under Secs. 61.7, 61.8, 61.9, 61.10 and 61.11.
Sec. 61.6 Reporting errors, omissions, revisions or whether an action
is on appeal.
(a) If errors or omissions are found after information has been
reported, the reporter must send an addition or correction to the
HIPDB. The HIPDB will not accept requests for readjudication of the
case.
(b) A reporter that reports information on licensure, criminal
convictions, civil or administrative judgments, exclusions, or
adjudicated actions or decisions under Secs. 61.7, 61.8, 61.9, 61.10 or
61.11 also must report any revision of the action originally reported.
Revisions include, but are not limited to, reversal of a criminal
conviction, reversal of a judgment or other adjudicated decisions or
whether the action is on appeal, and reinstatement of a license.
(c) The subject will receive a copy of all reports, including
revisions and corrections to the report.
(d) Upon receipt of a report, the subject--
(1) Can accept the report as written;
(2) May provide a statement to the HIPDB that will be permanently
appended to the report, either directly or through a designated
representative (The HIPDB will distribute the statement to queriers,
where identifiable, and to the reporting entity and the subject of the
report. The HIPDB will not edit the statement; only the subject can,
upon request, make changes to the statement); or
(3) May follow the dispute process in accordance with Sec. 61.15.
Sec. 61.7 Reporting licensure actions taken by Federal or State
licensing and certification agencies.
(a) What actions must be reported. Federal and State licensing and
certification agencies must report to the HIPDB the following final
adverse actions that are taken against a health care provider,
supplier, or practitioner (regardless of whether the final adverse
action is the subject of a pending appeal)--
(1) Formal or official actions, such as revocation or suspension of
a license or certification agreement or contract for participation in
Federal or State health care programs (and the length of any such
suspension), reprimand, censure or probation;
(2) Any other loss of the license or loss of the certification
agreement or contract for participation in Federal or
[[Page 57761]]
State health care programs, or the right to apply for, or renew, a
license or certification agreement or contract of the provider,
supplier, or practitioner, whether by operation of law, voluntary
surrender, non-renewal (excluding nonrenewals due to nonpayment of
fees, retirement, or change to inactive status), or otherwise; and
(3) Any other negative action or finding by such Federal or State
agency that is publicly available information.
(b) Entities described in paragraph (a) of this section must report
the following information:
(1) If the subject is an individual, personal identifiers,
including:
(i) Name;
(ii) Social Security Number;
(iii) Home address or address of record;
(iv) Sex; and
(v) Date of birth.
(2) If the subject is an individual, that individual's employment
or professional identifiers, including:
(i) Organization name and type;
(ii) Occupation and specialty, if applicable;
(iii) National Provider Identifier (NPI), when issued by the Health
Care Financing Administration (HCFA);
(iv) Name of each professional school attended and year of
graduation; and
(v) With respect to the State professional license (including
professional certification and registration) on which the reported
action was taken, the license number, the field of licensure, and the
name of the State or territory in which the license is held.
(3) If the subject is an organization, identifiers, including:
(i) Name;
(ii) Business address;
(iii) Federal Employer Identification Number (FEIN), or Social
Security Number when used by the subject as a Taxpayer Identification
Number (TIN);
(iv) The NPI, when issued by HCFA;
(v) Type of organization; and
(vi) With respect to the State license (including certification and
registration) on which the reported action was taken, the license and
the name of the State or territory in which the license is held.
(4) For all subjects:
(i) A narrative description of the acts or omissions and injuries
upon which the reported action was based;
(ii) Classification of the acts or omissions in accordance with a
reporting code adopted by the Secretary;
(iii) Classification of the action taken in accordance with a
reporting code adopted by the Secretary, and the amount of any monetary
penalty resulting from the reported action;
(iv) The date the action was taken, its effective date and
duration;
(v) If the action is on appeal;
(vi) Name of the agency taking the action;
(vii) Name and address of the reporting entity; and
(viii) The name, title and telephone number of the responsible
official submitting the report on behalf of the reporting entity.
(c) Entities described in paragraph (a) of this section should
report, if known, the following information:
(1) If the subject is an individual, personal identifiers,
including:
(i) Other name (s) used;
(ii) Other address;
(iii) FEIN, when used by the individual as a TIN; and
(iv) If deceased, date of death.
(2) If the subject is an individual, that individual's employment
or professional identifiers, including:
(i) Other State professional license number(s), field(s) of
licensure, and the name(s) of the State or territory in which the
license is held;
(ii) Other numbers assigned by Federal or State agencies, to
include, but not limited to Drug Enforcement Administration (DEA)
registration number(s), Unique Physician Identification Number(s)
(UPIN), and Medicaid and Medicare provider number(s);
(iii) Name(s) and address(es) of any health care entity with which
the subject is affiliated or associated; and
(iv) Nature of the subject's relationship to each associated or
affiliated health care entity.
(3) If the subject is an organization, identifiers, including:
(i) Other name(s) used;
(ii) Other address(es) used;
(iii) Other FEIN(s) or Social Security Number(s) used;
(iv) Other NPI(s) used;
(v) Other State license number(s) and the name(s) of the State or
territory in which the license is held;
(vi) Other numbers assigned by Federal or State agencies, to
include, but not limited to Drug Enforcement Administration (DEA)
registration number(s), Clinical Laboratory Improvement Act (CLIA)
number(s), Food and Drug Administration (FDA) number(s), and Medicaid
and Medicare provider number(s);
(vii) Names and titles of principal officers and owners;
(viii) Name(s) and address(es) of any health care entity with which
the subject is affiliated or associated; and
(ix) Nature of the subject's relationship to each associated or
affiliated health care entity.
(4) For all subjects:
(i) If the subject will be automatically reinstated; and
(ii) The date of appeal, if any.
(d) Sanctions for failure to report. The Secretary will provide for
a publication of a public report that identifies those Government
agencies that have failed to report information on adverse actions as
required to be reported under this section.
Sec. 61.8 Reporting Federal or State criminal convictions related to
the delivery of a health care item or service.
(a) Who must report. Federal and State prosecutors must report
criminal convictions against health care providers, suppliers, and
practitioners related to the delivery of a health care item or service
(regardless of whether the conviction is the subject of a pending
appeal).
(b) Entities described in paragraph (a) of this section must report
the following information:
(1) If the subject is an individual, personal identifiers,
including:
(i) Name;
(ii) Social Security Number;
(iii) Home address or address of record;
(iv) Sex; and
(v) Date of birth.
(2) If the subject is an individual, that individual's employment
or professional identifiers, including:
(i) Organization name and type;
(ii) Occupation and specialty, if applicable; and
(iii) National Provider Identifier (NPI), when issued by the Health
Care Financing Administration (HCFA).
(3) If the subject is an organization, identifiers, including:
(i) Name;
(ii) Business address;
(iii) Federal Employer Identification Number (FEIN), or Social
Security Number when used by the subject as a Taxpayer Identification
Number (TIN);
(iv) The NPI, when issued by HCFA; and
(v) Type of organization.
(4) For all subjects:
(i) A narrative description of the acts or omissions and injuries
upon which the reported action was based;
(ii) Classification of the acts or omissions in accordance with a
reporting code adopted by the Secretary;
(iii) Name and location of court or judicial venue in which the
action was taken;
(iv) Docket or court file number;
(v) Type of action taken;
(vi) Statutory offense(s) and count(s);
(vii) Name of primary prosecuting agency (or the plaintiff in civil
actions);
[[Page 57762]]
(viii) Date of sentence or judgment;
(ix) Length of incarceration, detention, probation, community
service or suspended sentence;
(x) Amounts of any monetary judgment, penalty, fine, assessment or
restitution;
(xi) Other sentence, judgment or orders;
(xii) If the action is on appeal;
(xiii) Name and address of the reporting entity; and
(xiv) The name, title and telephone number of the responsible
official submitting the report on behalf of the reporting entity.
(c) Entities described in paragraph (a) of this section should
report, if known, the following information:
(1) If the subject is an individual, personal identifiers,
including:
(i) Other name (s) used;
(ii) Other address; and
(iii) FEIN, when used by the individual as a TIN.
(2) If the subject is an individual, that individual's employment
or professional identifiers, including:
(i) State professional license (including professional
certification and registration) number(s), field(s) of licensure, and
the name(s) of the State or territory in which the license is held;
(ii) Other numbers assigned by Federal or State agencies, to
include, but not limited to Drug Enforcement Administration (DEA)
registration number(s), Unique Physician Identification Number(s)
(UPIN), and Medicaid and Medicare provider number(s);
(iii) Name(s) and address(es) of any health care entity with which
the subject is affiliated or associated; and
(iv) Nature of the subject's relationship to each associated or
affiliated health care entity.
(3) If the subject is an organization, identifiers, including:
(i) Other name(s) used;
(ii) Other address(es) used;
(iii) Other FEIN(s) or Social Security Number(s) used;
(iv) Other NPI(s) used;
(v) State license (including certification and registration)
number(s) and the name(s) of the State or territory in which the
license is held;
(vi) Other numbers assigned by Federal or State agencies, to
include, but not limited to Drug Enforcement Administration (DEA)
registration number(s), Clinical Laboratory Improvement Act (CLIA)
number(s), Food and Drug Administration (FDA) number(s), and Medicaid
and Medicare provider number(s);
(vii) Names and titles of principal officers and owners;
(viii) Name(s) and address(es) of any health care entity with which
the subject is affiliated or associated; and
(ix) Nature of the subject's relationship to each associated or
affiliated health care entity.
(4) For all subjects:
(i) Prosecuting agency's case number;
(ii) Investigative agencies involved;
(iii) Investigative agencies case of file number(s); and
(iv) The date of appeal, if any.
(d) Sanctions for failure to report. The Secretary will provide for
publication of a public report that identifies those Government
agencies that have failed to report information on criminal convictions
as required to be reported under this section.
Sec. 61.9 Reporting civil judgments related to the delivery of a
health care item or service.
(a) Who must report. Federal and State attorneys and health plans
must report civil judgments against health care providers, suppliers,
or practitioners related to the delivery of a health care item or
service (regardless of whether the civil judgment is the subject of a
pending appeal). If a Government agency is party to a multi-claimant
civil judgment, it must assume the responsibility for reporting the
entire action, including all amounts awarded to all the claimants, both
public and private. If there is no Government agency as a party, but
there are multiple health plans as claimants, the health plan which
receives the largest award must be responsible for reporting the total
action for all parties.
(b) Entities described in paragraph (a) of this section must report
the information as required in Sec. 61.8(b).
(c) Entities described in paragraph (a) of this section should
report, if known the information as described in Sec. 61.8(c).
(d) Sanctions for failure to report. Any health plan that fails to
report information on a civil judgment required to be reported under
this section will be subject to a civil money penalty (CMP) of not more
than $25,000 for each such adverse action not reported. Such penalty
will be imposed and collected in the same manner as CMPs under
subsection (a) of section 1128A of the Act. The Secretary will provide
for publication of a public report that identifies those Government
agencies that have failed to report information on civil judgments as
required to be reported under this section.
Sec. 61.10 Reporting exclusions from participation in Federal or State
health care programs.
(a) Who must report. Federal and State Government agencies must
report health care providers, suppliers, or practitioners excluded from
participating in Federal or State health care programs, including
exclusions that were made in a matter in which there was also a
settlement that is not reported because no findings or admissions of
liability have been made (regardless of whether the exclusion is the
subject of a pending appeal) .
(b) Entities described in paragraph (a) of this section must report
the following information:
(1) If the subject is an individual, personal identifiers,
including:
(i) Name;
(ii) Social Security Number;
(iii) Home address or address of record;
(iv) Sex; and
(v) Date of birth.
(2) If the subject is an individual, that individual's employment
or professional identifiers, including:
(i) Organization name and type;
(ii) Occupation and specialty, if applicable; and
(iii) National Provider Identifier (NPI), when issued by the Health
Care Financing Administration (HCFA).
(3) If the subject is an organization, identifiers, including:
(i) Name;
(ii) Business address;
(iii) Federal Employer Identification Number (FEIN), or Social
Security Number when used by the subject as a Taxpayer Identification
Number (TIN);
(iv) The NPI, when issued by HCFA; and
(v) Type of organization.
(4) For all subjects:
(i) A narrative description of the acts or omissions and injuries
upon which the reported action was based;
(ii) Classification of the acts or omissions in accordance with a
reporting code adopted by the Secretary;
(iii) Classification of the action taken in accordance with a
reporting code adopted by the Secretary, and the amount of any monetary
penalty resulting from the reported action;
(iv) The date the action was taken, its effective date and
duration;
(v) If the action is on appeal;
(vi) Name of the agency taking the action;
(vii) Name and address of the reporting entity; and
(viii) The name, title and telephone number of the responsible
official submitting the report on behalf of the reporting entity.
[[Page 57763]]
(c) Entities described in paragraph (a) of this section should
report, if known, the following information:
(1) If the subject is an individual, personal identifiers,
including:
(i) Other name(s) used;
(ii) Other address;
(iii) FEIN, when used by the individual as a TIN;
(iv) Name of each professional school attended and year of
graduation; and
(v) If deceased, date of death.
(2) If the subject is an individual, that individual's employment
or professional identifiers, including:
(i) State professional license (including professional registration
and certification) number(s), field(s) of licensure, and the name(s) of
the State or Territory in which the license is held;
(ii) Other numbers assigned by Federal or State agencies, to
include, but not limited to Drug Enforcement Administration (DEA)
registration number(s), Unique Physician Identification Number(s)
(UPIN), and Medicaid and Medicare provider number(s);
(iii) Name(s) and address(es) of any health care entity with which
the subject is affiliated or associated; and
(iv) Nature of the subject's relationship to each associated or
affiliated health care entity.
(3) If the subject is an organization, identifiers, including:
(i) Other name(s) used;
(ii) Other address(es) used;
(iii) Other FEIN(s) or Social Security Number(s) used;
(iv) Other NPI(s) used;
(v) State license (including registration and certification)
number(s) and the name(s) of the State or territory in which the
license is held;
(vi) Other numbers assigned by Federal or State agencies, to
include, but not limited to Drug Enforcement Administration (DEA)
registration number(s), Clinical Laboratory Improvement Act (CLIA)
number(s), Food and Drug Administration (FDA) number(s), and Medicaid
and Medicare provider number(s);
(vii) Names and titles of principal officers and owners;
(viii) Name(s) and address(es) of any health care entity with which
the subject is affiliated or associated; and
(ix) Nature of the subject's relationship to each associated or
affiliated health care entity.
(4) For all subjects:
(i) If the subject will be automatically reinstated; and
(ii) The date of appeal, if any.
(d) Sanctions for failure to report. The Secretary will provide for
publication of a public report that identifies those Government
agencies that have failed to report information on exclusions or
debarments as required to be reported under this section.
Sec. 61.11 Reporting other adjudicated actions or decisions.
(a) Who must report. Federal and State governmental agencies and
health plans must report other adjudicated actions or decisions as
defined in Sec. 61.3 related to the delivery, payment or provision of a
health care item or service against health care providers, suppliers,
and practitioners (regardless of whether the other adjudicated action
or decision is subject to a pending appeal).
(b) Entities described in paragraph (a) of this section must report
the information as required in Sec. 61.10(b).
(c) Entities described in paragraph (a) of this section should
report, if known the information as described in Sec. 61.10(c).
(d) Sanctions for failure to report. Any health plan that fails to
report information on an other adjudicated action or decision required
to be reported under this section will be subject to a civil money
penalty (CMP) of not more than $25,000 for each such action not
reported. Such penalty will be imposed and collected in the same manner
as CMPs under subsection (a) of section 1128A of the Act. The Secretary
will provide for publication of a public report that identifies those
Government agencies that have failed to report information on other
adjudicated actions as required to be reported under this section.
Subpart C--Disclosure of Information by the Healthcare Integrity
and Protection Data Bank
Sec. 61.12 Requesting information from the Healthcare Integrity and
Protection Data Bank.
(a) Who may request information and what information may be
available. Information in the HIPDB will be available, upon request, to
the following persons or entities, or their authorized agents--
(1) Federal and State Government agencies;
(2) Health plans;
(3) A health care practitioner, provider, or supplier requesting
information concerning himself, herself or itself; and
(4) A person or entity requesting statistical information, which
does not permit identification of any individual or entity. (For
example, researchers can use statistical information to identify the
total number of practitioners excluded from the Medicare and Medicaid
programs. Similarly, health plans can use statistical information to
develop outcome measures in their efforts to monitor and improve
quality care.)
(b) Procedures for obtaining HIPDB information. Eligible
individuals and entities may obtain information from the HIPDB by
submitting a request in such form and manner as the Secretary may
prescribe. These requests are subject to fees set forth in Sec. 61.13.
The HIPDB will comply with the Department's principles of fair
information practice by providing each subject of a report with a copy
when the report is entered into the HIPDB.
(c) Information provided in response to self-queries. (1) At the
time subjects request information as part of a ``self-query,'' the
subject will receive--
(i) Any report(s) in the HIPDB specific to them; and
(ii) A disclosure history from the HIPDB of the name(s) of any
entity (or entities) that have previously received the report(s).
(2) The disclosure history will be restricted in accordance with
the Privacy Act regulations set forth in 45 CFR part 5b.
Sec. 61.13 Fees applicable to requests for information.
(a) Policy on fees. The fees described in this section apply to all
requests for information from the HIPDB, except requests from Federal
agencies. However, for purposes of verification and dispute resolution
at the time the report is accepted, the HIPDB will provide a copy--at
the time a report has been submitted automatically, without a request
and free of charge--of every report to the health care provider,
supplier or practitioner who is the subject of the report. For the same
purpose, the Department will provide a copy of the report--at the time
a report has been submitted automatically, without a request and free
of charge--to the reporter that submitted it. The fees are authorized
by section 1128E(d)(2) of the Act, and they reflect the full costs of
operating the database. The actual fees will be announced by the
Secretary in periodic notices in the Federal Register.
(b) Criteria for determining the fee. The amount of each fee will
be determined based on the following criteria --
(1) Direct and indirect personnel costs;
(2) Physical overhead, consulting, and other indirect costs
including rent and depreciation on land, buildings and equipment;
[[Page 57764]]
(3) Agency management and supervisory costs;
(4) Costs of enforcement, research and establishment of regulations
and guidance;
(5) Use of electronic data processing equipment to collect and
maintain information--the actual cost of the service, including
computer search time, runs and printouts; and
(6) Any other direct or indirect costs related to the provision of
services.
(c) Assessing and collecting fees. The Secretary will announce
through periodic notice in the Federal Register the method of payment
of fees. In determining these methods, the Secretary will consider
efficiency, effectiveness and convenience for users and for the
Department. Methods may include credit card, electronic funds transfer
and other methods of electronic payment.
Sec. 61.14 Confidentiality of Healthcare Integrity and Protection Data
Bank information.
Information reported to the HIPDB is considered confidential and
will not be disclosed outside the Department, except as specified in
Secs. 61.12 and 61.15. Persons and entities receiving information from
the HIPDB, either directly or from another party, must use it solely
with respect to the purpose for which it was provided. Nothing in this
section will prevent the disclosure of information by a party from its
own files used to create such reports where disclosure is otherwise
authorized under applicable State or Federal law.
Sec. 61.15 How to dispute the accuracy of Healthcare Integrity and
Protection Data Bank information.
(a) Who may dispute the HIPDB information. The HIPDB will routinely
mail or transmit electronically to the subject a copy of the report
filed in the HIPDB. The subject of the report or a designated
representative may dispute the accuracy of a report concerning himself,
herself or itself within 60 calendar days of receipt of the report.
(b) Procedures for disputing a report with the reporting entity.
If the subject disagrees with the reported information, the subject
must request in writing that the HIPDB enter the report into ``disputed
status.''
(2) The HIPDB will send the report, with a notation that the report
has been placed in ``disputed status,'' to queriers (where
identifiable), the reporting entity and the subject of the report.
(3) The subject must attempt to enter into discussion with the
reporting entity to resolve the dispute. If the reporting entity
revises the information originally submitted to the HIPDB, the HIPDB
will notify the subject and all entities to whom reports have been sent
that the original information has been revised. If the reporting entity
does not revise the reported information, or does not respond to the
subject within 60 days, the subject may request that the Secretary
review the report for accuracy. The Secretary will decide whether to
correct the report within 30 days of the request. This time frame may
be extended for good cause. The subject also may provide a statement to
the HIPDB, either directly or through a designated representative, that
will permanently append the report.
(c) Procedures for requesting a Secretarial review. The subject
must request, in writing, that the Secretary of the Department review
the report for accuracy. The subject must return this request to the
HIPDB along with appropriate materials that support the subject's
position. The Secretary will only review the accuracy of the reported
information, and will not consider the merits or appropriateness of the
action or the due process that the subject received.
(2) After the review, if the Secretary--
(i) Concludes that the information is accurate and reportable to
the HIPDB, the Secretary will inform the subject and the HIPDB of the
determination. The Secretary will include a brief statement
(Secretarial Statement) in the report that describes the basis for the
decision. The report will be removed from ``disputed status.'' The
HIPDB will distribute the corrected report and statement(s) to previous
queriers (where identifiable), the reporting entity and the subject of
the report.
(ii) Concludes that the information contained in the report is
inaccurate, the Secretary will inform the subject of the determination
and direct the HIPDB or the reporting entity to revise the report. The
Secretary will include a brief statement (Secretarial Statement) in the
report describing the findings. The HIPDB will distribute the corrected
report and statement (s) to previous queriers (where identifiable), the
reporting entity and the subject of the report.
(iii) Determines that the disputed issues are outside the scope of
the Department's review, the Secretary will inform the subject and the
HIPDB of the determination. The Secretary will include a brief
statement (Secretarial Statement) in the report describing the
findings. The report will be removed from ``disputed status.'' The
HIPDB will distribute the report and the statement(s) to previous
queriers (where identifiable), the reporting entity and the subject of
the report.
(iv) Determines that the adverse action was not reportable and
therefore should be removed from the HIPDB, the Secretary will inform
the subject and direct the HIPDB to void the report. The HIPDB will
distribute a notice to previous queriers (where identifiable), the
reporting entity and the subject of the report that the report has been
voided.
Sec. 61.16 Immunity.
Individuals, entities or their authorized agents and the HIPDB
shall not be held liable in any civil action filed by the subject of a
report unless the individual, entity or authorized agent submitting the
report has actual knowledge of the falsity of the information contained
in the report.
Dated: May 4, 1999.
June Gibbs Brown,
Inspector General.
Approved: May 21, 1999.
Donna E. Shalala,
Secretary.
[FR Doc. 99-27472 Filed 10-25-99; 8:45 am]
BILLING CODE 4150-04-P
