99-3568. Privacy Act; Notification of New System of Records in Conjunction With the Healthcare Integrity and Protection Data Bank  

  • [Federal Register Volume 64, Number 30 (Tuesday, February 16, 1999)]
    [Notices]
    [Pages 7653-7657]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 99-3568]
    
    
    -----------------------------------------------------------------------
    
    DEPARTMENT OF HEALTH AND HUMAN SERVICES
    
    Office of Inspector General
    
    
    Privacy Act; Notification of New System of Records in Conjunction 
    With the Healthcare Integrity and Protection Data Bank
    
    AGENCY: Office of Inspector General (OIG), HHS.
    
    ACTION: Notice of a new system of records.
    
    -----------------------------------------------------------------------
    
    SUMMARY: In accordance with the requirements of the Privacy Act, the 
    Office of the Inspector General (OIG) is setting forth a notice of a 
    proposed new system of records in order to implement the requirements 
    of the Healthcare Integrity and Protection Data Bank (HIPDB). The new 
    HIPDB is being established in accordance with section 1128E of the 
    Social Security Act (the Act), as added by section 221(a) of the Health 
    Insurance Portability and Accountability Act of 1996. Section 1128E of 
    the Act specifically directs the Secretary, acting through the OIG, to 
    create a national health care fraud and abuse data collection program 
    for the reporting and disclosure of certain final adverse actions 
    (excluding settlements in which no findings of liability have been 
    made) taken against health care providers, suppliers, or practitioners, 
    and maintain a data base of final adverse actions taken against health 
    care providers, suppliers, or practitioners.
        Groups that have access to this new data bank system include 
    Federal and State government agencies; health plans; and self queries 
    from health care suppliers, providers and practitioners. Reporting is 
    limited to the same groups that have access to the information. We 
    invite comments from interested parties on the proposed internal and 
    routine use of information in this system of records.
    
    DATES: The OIG has sent a Report of a New System of Records to the 
    Congress and to the Office of Management and Budget (OMB) on February 
    16, 1999. This new system of records will be effective 40 days from the 
    date submitted to OMB unless the OIG receives public comments that 
    would result in a contrary determination. To assure consideration, 
    public comments must be delivered to the address provided below by no 
    later than 4 p.m. on March 18, 1999.
    
    ADDRESSES: Please mail or deliver your written comments on the new 
    system of records to: Office of Inspector General, Department of Health 
    and Human Services, Attention: OIG-61-N, Room 5246, Cohen Building, 330 
    Independence Avenue, SW., Washington, DC 20201.
        Because of staffing and resource limitations, we cannot accept 
    comments by facsimile (FAX) transmission. In commenting, please refer 
    to file code OIG-61-N.
    
    FOR FURTHER INFORMATION CONTACT: Rick Burguieres, Investigative Policy 
    and Information Management Staff, Office of Investigations, Office of 
    Inspector General, (202) 205-5200.
    
    SUPPLEMENTARY INFORMATION:
    
    1. Establishment of the Healthcare Integrity and Protection Data 
    Bank
    
        Section 221(a) of the Health Insurance Portability and 
    Accountability Act (HIPAA) of 1996, Pub. L. 104-191, requires the 
    Department of Justice and the Secretary, acting through the OIG, to 
    establish a new health care fraud and abuse control program to combat 
    health care fraud and abuse (section 1128C of the Act). Among the major 
    steps in this program is the establishment of a national data bank to 
    receive and disclose certain final adverse actions against health care 
    providers, suppliers, or practitioners, as required by section 1128E of 
    the Act, in accordance with section 221(a) of HIPAA. The Act 
    specifically directs the Secretary, acting through the OIG, to maintain 
    a data base of such final adverse actions. The data bank, known as the 
    Healthcare Integrity and Protection Data Bank (HIPDB), will contain the 
    following types of information: (1) Civil judgments against a health 
    care provider, supplier, or practitioner in Federal or State court 
    related to the delivery of a health care item or service; (2) Federal 
    or State criminal convictions against a health care provider, supplier, 
    or practitioner related to the delivery of a health care item or 
    service; (3) final adverse actions by Federal or State agencies 
    responsible for the licensing and certification of health care 
    providers, suppliers or practitioners; (4) exclusion of a health care 
    provider, supplier or practitioner from participation in Federal or 
    State health care programs; and (5) any other adjudicated actions or 
    decisions that the Secretary establishes by regulation. Settlements in 
    which no findings or admissions of liability have been made would be 
    excluded from reporting. However, any final adverse action that 
    emanates from such settlements, and that would otherwise be reportable 
    under the statute, would be reportable to the data bank. Final adverse 
    actions would be reported, regardless of whether such actions are being 
    appealed by the subject of the report.
        Proposed regulations setting forth the policy and procedures for 
    implementing the new HIPDB were published in the Federal Register on 
    October 30, 1998 (63 FR 58341).
    
    2. Privacy Act Number
    
        No. 09-90-0103.
    
    3. Categories of Eligible Users of the System
    
        Groups that have access to this new data bank system include 
    Federal and State government agencies; health plans; and self queries 
    from health care suppliers, providers and practitioners. For purposes 
    of the HIPDB:
        A government agency includes, but is not limited to: (1) The 
    Department of Justice; (2) the Department of Health and Human Services; 
    (3) any other Federal agency that either administers or provides 
    payment for the delivery of health care services (including, but not 
    limited to, the Department of Defense and the Department of Veterans 
    Affairs); (4) State law enforcement agencies; (5) State Medicaid Fraud 
    Control Units; and (6) other Federal or State agencies responsible for 
    the licensing and certification of health care providers, suppliers or 
    licensed health care practitioners.
        Health plan means a plan, program or organization that provides 
    health benefits, whether directly or through insurance, reimbursement 
    or otherwise, and includes, but is not limited to:
        (1) A policy of health insurance; (2) a contract of a service 
    benefit organization; (3) a membership agreement with a health 
    maintenance organization or other prepaid health plan; (4) a plan, 
    program or agreement established, maintained or made available by an 
    employer or group of employers, a practitioner, provider or supplier 
    group, third-party administrator, integrated health care delivery 
    system, employee welfare association, public service group or 
    organization, or professional association; and (5) an insurance 
    company, insurance service, self-insured employer or insurance 
    organization which is licensed to engage in the business of selling 
    health care insurance in a State and which is subject to State law 
    which regulates health insurance.
    
    4. Routine Uses of Records in the System of Records
    
        Information in this system of records is considered confidential 
    and disclosed only for the purpose for which it was provided. 
    Appropriate uses of the information would include the prevention of 
    fraud and abuse activities, decisions about hiring or retaining 
    employees who may be reported to the system of records, and improving 
    the quality of patient care. For example, a record from this system of 
    records may be disclosed to a Federal or State law enforcement agency 
    during a criminal, civil or administrative investigation of a health 
    care practitioner, provider or supplier. A record from this system of 
    records also may be disclosed to a Federal agency, in response to its 
    request, concerning (1) the hiring or retention of a health care 
    practitioner, provider or supplier, (2) the reporting of an 
    investigation of a health care practitioner, provider, or supplier or 
    (3) the letting of a contract, or the issuance of a license or 
    certification to a health care practitioner, provider or supplier, to 
    the extent that the record is relevant and necessary to the requesting 
    agency's decision on the matter.
    
    5. Public Inspection of Comments
    
        Comments will be available for public inspection March 2, 1999, in 
    Room 5518, Office of Counsel to the Inspector General, at 330 
    Independence Avenue, SW., Washington, DC on Monday through Friday of 
    each week between the hours of 9 a.m. and 4 p.m., (202) 619-0089.
    
        Dated: January 7, 1999.
    June Gibbs Brown,
    Inspector General.
    09-90-0103
    
    SYSTEM NAME:
        Healthcare Integrity and Protection Data Bank (HIPDB), HHS/OIG.
    
    SECURITY CLASSIFICATION:
        None.
    
    SYSTEM LOCATION:
        The HIPDB will always be operated and maintained by a contractor. 
    The SRA Corporation (the Contractor) currently operates and maintains 
    the HIPDB under contract with the Bureau of Health Professions (BHPr), 
    Health Resources and Services Administration (HRSA) who, under a 
    memorandum of understanding with the Office of Inspector General (OIG), 
    will operate the system. Records are found at the following address: 
    Healthcare Integrity and Protection Data Bank, 4350 Fair Lakes Court 
    North, Suite 400, Fairfax, Virginia 22033. The program will publish any 
    changes in the location of the system in the Federal Register.
    
    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
        The system of records will cover the following categories of 
    individuals:
         Health care practitioners, including physicians, dentists, 
    and all other health care practitioners (such as nurses, optometrists, 
    pharmacists, and podiatrists), licensed or otherwise authorized by a 
    State to provide health care services.
         Health care suppliers who furnish or provide access to 
    health care services, supplies, items or ancillary services 
    (including, but not limited to, 
    individuals who deliver health care services and are not required to 
    obtain State licensure or authorization, durable medical equipment 
    suppliers and manufacturers; pharmaceutical suppliers and 
    manufacturers; health record services which prepare and store medical, 
    dental and other patient records; health data suppliers; and billing 
    and transportation service suppliers), and any individual under 
    contract to provide health care supplies, items or ancillary services, 
    and any individual providing health benefits whether directly, or 
    indirectly through insurance, reimbursements or otherwise (including 
    insurance producers, such as agents, brokers, and solicitors).
        These individuals must be the subject of the following final 
    adverse actions: (1) Civil judgments in Federal or State court related 
    to the delivery of a health care item or service; (2) Federal or State 
    criminal convictions related to the delivery of a health care item or 
    service; (3) actions by Federal or State agencies responsible for the 
    licensing and certification of health care providers, suppliers, or 
    practitioners; (4) exclusion from participation in Federal or State 
    health care programs; and (5) other adjudicated actions or decisions, 
    such as the removal of a physician from a health plan network via an 
    adjudicated action.
    
    CATEGORIES OF RECORDS IN THE SYSTEM:
        This system will contain the following types of records:
        1. Information on an individual who is the subject of a civil 
    judgment or criminal conviction related to the delivery of a health 
    care item or service includes--
         Full name; other name(s) used, if known; Social Security 
    number; date of birth; gender; home address; occupation; organization 
    name and type, if known; work address, if known; National Provider 
    Identifier (NPI) (when issued by HCFA); Unique Physician Identification 
    number(s), if known; Drug Enforcement Administration (DEA) registration 
    number(s), if known; name of each professional school attended and the 
    year of graduation, if known; for each professional license, 
    certification or registration: the license, certification, or 
    registration number, the field of licensure, certification, or 
    registration, and the name of the State or Territory in which the 
    license, certification or registration is held, if known;
         With respect to the judgment/sentence: The court or 
    judicial venue in which action was taken; docket or court file number; 
    name of the primary prosecuting agency or Civil Plaintiff; prosecuting 
    agency's case number; statutory offense and counts; date of judgment/
    sentence; length of the sentence; amount of judgment, restitution or 
    other orders; nature of offense upon which the action was based; 
    description of acts or omissions and injuries upon which the action was 
    based; investigative agencies involved, if known, and investigative 
    agencies' case/file number, if known; whether such action is on appeal; 
    and
         With respect to the reporting entity: Name; title; 
    address, and telephone number of the reporting entity.
        2. Information on an individual who is the subject of a licensure 
    action taken by Federal or State licensing and certification agencies, 
    an adjudicated action or decision, or an individual excluded from 
    participation in a Federal or State health care program. This 
    information includes--
         Full name; other name(s) used, if known; Social Security 
    number or Federal Employer Identification number; date of birth; date 
    of death, if deceased; gender; home address; occupation; organization 
    name and type, if known; work address, if known; physician specialty, 
    if applicable; NPI (when issued by HCFA); Unique Physician 
    Identification number(s), if known; DEA registration number(s), if 
    known; name of each professional school attended and the year of 
    graduation, if known; for each professional license, certification or 
    registration: The license, certification, or registration number, the 
    field of licensure, certification, or registration, and the name of the 
    State or Territory in which the license, certification or registration 
    is held, if known;
         With respect to final adverse action: A description of the 
    acts or omissions or other reason for the action; date the action was 
    taken, its effective date and duration; classification of the action in 
    accordance with a reporting code adopted by the Secretary; amount of 
    monetary penalty, assessment or restitution, and name of the office or 
    program that took the adverse action; and
         With respect to the reporting entity: Name; title; 
    address, and telephone number of the reporting entity.
        3. Inquiry file includes copies of all inquiries received by the 
    HIPDB.
    
    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
        Section 1128E(b)(5) of the Social Security Act (the Act) authorizes 
    the collection and maintenance of records of civil judgments against a 
    health care provider, supplier or practitioner in Federal or State 
    court related to the delivery of a health care item or service; Federal 
    or State criminal convictions against a health care provider, supplier 
    or practitioner related to the delivery of a health care item or 
    service; actions by Federal or State agencies responsible for the 
    licensing and certification of health care providers, suppliers or 
    practitioners; exclusion of a health care provider, supplier or 
    practitioner from participation in Federal or State health care 
    programs; and any other adjudicated actions or decisions established by 
    the Secretary in regulation (45 CFR part 61).
    
    PURPOSE(S):
        The purposes of the system are to:
        1. Receive from Government agencies and health plans information on 
    certain final adverse actions (excluding settlements in which no 
    findings of liability have been made) taken against health care 
    providers, suppliers, or practitioners; and
        2. Disseminate such data to Government agencies and health plans, 
    as authorized by the Act.
        A government agency includes, but is not limited to (1) the 
    Department of Justice; (2) the Department of Health and Human Services; 
    (3) any other Federal agency that either administers or provides 
    payment for the delivery of health care services (including, but not 
    limited to, the Department of Defense and the Department of Veterans 
    Affairs); (4) State law enforcement agencies; (5) State Medicaid Fraud 
    Control Units; and (6) other Federal or State agencies responsible for 
    the licensing and certification of health care providers, suppliers, or 
    licensed health care practitioners.
        Health plan means a plan, program or organization that provides 
    health benefits, whether directly or through insurance, reimbursement 
    or otherwise, and includes, but is not limited to (1) a policy of 
    health insurance; (2) a contract of a service benefit organization; (3) 
    a membership agreement with a health maintenance organization or other 
    prepaid health plan; (4) a plan, program or agreement established, 
    maintained or made available by an employer or group of employers, a 
    practitioner, provider or supplier group, third-party administrator, 
    integrated health care delivery system, employee welfare association, 
    public service group or organization, or professional association; and 
    (5) an insurance company, insurance service, self-insured employer or 
    insurance organization which is licensed to engage in the business of 
    selling health care insurance in a State and which is subject to State 
    law that regulates health insurance.
    
    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
    OF USERS AND THE PURPOSES OF SUCH USES:
        Data may be disclosed to:
        1. A health plan requesting data concerning a health care provider, 
    supplier, or practitioner for the purposes of preventing fraud and 
    abuse activities and/or improving the quality of patient care, and in 
    the context of hiring or retaining providers, suppliers and 
    practitioners that are the subjects of reports.
        2. Government agencies, as defined in 45 CFR 61.3, requesting data 
    concerning a health care provider, supplier or practitioner for the 
    purposes of preventing fraud and abuse activities and/or improving the 
    quality of patient care, and in the context of hiring or retaining the 
    providers, suppliers and practitioners that are the subject of reports 
    to the system. This would include law enforcement investigations and 
    other law enforcement activities.
    
    STORAGE:
        Records are maintained in electronic folders, on magnetic tape, 
    and/or disks.
    
    RETRIEVABILITY:
        Retrieval will be by use of personal identifiers, including a 
    unique identifier assigned by the HIPDB.
    
    SAFEGUARDS:
        1. Authorized Users: Access to records is limited to designated 
    employees of the Contractor and to designated HRSA and the OIG staff. 
    The Contracting Officer's Technical Representative (COTR) and AIS 
    Security Officers are among the HRSA staff who are authorized users. 
    Both HRSA and the contractor maintain lists of authorized users. Other 
    Departmental employees will have access to the records on an official 
    ``need to know'' basis.
        2. Physical Safeguards: Magnetic tapes, disks, computer equipment 
    and hard copy files are stored in areas where fire and environmental 
    safety codes are strictly enforced. All automated and non-automated 
    documents are protected on a 24-hour basis. Perimeter security includes 
    intrusion alarms, random guard patrols, monitors, key/passcard/
    combination controls, receptionist controlled area and reception alarm 
    button.
        3. Procedural and Technical Safeguards: A password is required to 
    access the system, and additional identification numbers and passwords 
    are required to limit access to data to authorized users only. All users of personal 
    information, in connection with the performance of their jobs, protect 
    information from public view and from unauthorized personnel entering 
    an unsupervised area. All authorized users will sign a nondisclosure 
    statement. To protect the confidentiality of information contained in 
    the system, when a person leaves or no longer has authorized duties, 
    the Security Officer deletes his or her identification number and 
    password, retrieves all electronic access cards, and changes all 
    combinations to which the departing employee had access. The system 
    automatically logs all access to data resources.
        Access to records is limited to those authorized personnel trained 
    in accordance with the Privacy Act and automatic data processing (ADP) 
    security procedures. The Contractor is required to assure the 
    confidentiality safeguards of these records and to comply with all 
    provisions of the Privacy Act. All individuals who have access to these 
    records must have the appropriate ADP security clearances. Privacy Act 
    and ADP system security requirements are included in the contract for 
    the operations and maintenance of the system. In addition, the HIPDB 
    Project Officer and the System Manager oversee compliance with these 
    requirements. HRSA staff who are authorized users will make site visits 
    to the Contractor's facilities to assure compliance with security and 
    Privacy Act requirements.
        The safeguards described above were established in accordance with 
    DHHS Chapter 45-13 and supplementary Chapter PHS hf: 45-13 of the 
    General Administration Manual, and the DHHS Information Resources 
    Management Manual, Part 6. ``ADP Systems Security.''
    
    RETENTION AND DISPOSAL:
        All records in this system are retained permanently.
    
    SYSTEM MANAGER(s) AND ADDRESS:
        Tony Marziani, Director, Information Systems and Investigative 
    Support Staff, Office of Investigations, OIG, Room 5046, Cohen 
    Building, 330 Independence Avenue, SW., Washington, DC 20201, (202) 
    205-5200.
    
    NOTIFICATION PROCEDURES:
        Exempt from certain requirements of the Act. However, an individual 
    is informed when a record concerning himself or herself is entered into 
    the Healthcare Integrity and Protection Data Bank.
        Requests by mail: Practitioners, providers or suppliers may submit 
    a ``Request for Information Disclosure'' to the address under system 
    location for any report on themselves. The request must contain the 
    following: Name, address, date of birth, gender, Social Security 
    Number, professional schools and years of graduation, and the 
    professional license(s). For license, include: The license number, the 
    field of licensure, the name of the State or Territory in which the 
    license is held, and Drug Enforcement Administration registration 
    number(s). Practitioners must sign and have notarized their requests. 
    Submitting a request under false pretenses is a criminal offense 
    subject to, at a minimum, a $5,000 fine under provisions of the Privacy 
    Act.
        Requests in person: Due to security considerations, the HIPDB 
    cannot accept requests in person.
        Request by telephone: Individuals may provide all of the 
    identifying information stated above to the HIPDB Helpline operator. 
    Before the data request is fulfilled, the operator will return a paper 
    copy of this information for verification, signature and notarization.
    
    RECORD ACCESS PROCEDURES:
        Same as notification procedures. Requesters also should reasonably 
    specify the record contents being sought.
    
    CONTESTING RECORDS PROCEDURES:
        The HIPDB routinely mails a copy of any report filed in it to the 
    subject. The subject may contest the accuracy of information in the 
    HIPDB concerning himself, herself, or itself and file a dispute. To 
    dispute the accuracy of the information, the individual must notify the 
    HIPDB by:
        (1) Identifying the record involved; (2) specifying the information 
    being contested; (3) stating the corrective action sought and reason 
    for requesting the correction; and (4) submitting supporting 
    justification and/or documentation to show how the record is 
    inaccurate. At the same time, the individual must attempt to enter into 
    discussion with the reporting entity to resolve the dispute. Additional 
    detail on the process of dispute resolution can be found at 45 CFR 
    61.15 of the HIPDB regulations.
    
    RECORD SOURCE CATEGORIES:
        Entities that have submitted records on individuals and 
    organizations contained in the system; State Licensing Boards, 
    including State Medical and Dental Boards, Federal and State Agencies 
    as defined in the Act, and health plans as defined in the Act who take 
    a final adverse action (not including settlements in which no findings 
    of liability have been made) taken against a health care provider, 
    supplier, or practitioner. (See PURPOSE section above)
    
    SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
        The Secretary has exempted this system from certain provisions of 
    the Act. In accordance with 5 U.S.C. 552a(k)(2) and 45 CFR 
    5b.11(b)(ii)(F), this system is exempt from subsections (c)(3), (d)(1)-
    (4), and (e)(4)(G) and (H) of the Privacy Act.
    
    [FR Doc. 99-3568 Filed 2-12-99; 8:45 am]
    BILLING CODE 4160-15-P
    
    
    
