2013-18599. Privacy Act of 1974; Report of an Altered System of Records  

    AGENCY:

    Health Resources and Services Administration, Department of Health and Human Services (HHS).

    ACTION:

    Notice of an altered system of records and deletion of a related system.

    SUMMARY:

    In accordance with the requirements of the Privacy Act of 1974 (5 U.S.C. 552a), the Health Resources and Services Administration (HRSA) is publishing notice of a proposal to alter the system of records entitled and numbered National Practitioner Data Bank for Adverse Information on Physicians and other Health Care Practitioners (NPDB), #09-15-0054, to include information covered under a related system of records, the Healthcare Integrity and Protection Data Bank (HIPDB), SORN 09-90-0103, which is being deleted. The NPDB SORN was last published March 30, 2012 (77 FR 19295). The proposed alterations to the NPDB SORN include revising the Purpose section, expanding the Categories of Individuals, Categories of Records, and Record Sources Categories sections, revising two existing routine uses and adding one new routine use, deleting three unnecessary routine uses, and updating the Authority and Policies and Practices sections.

    DATES:

    HRSA filed an altered system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on July 17, 2013. To ensure all parties have adequate time in which to comment, the system alterations proposed in this notice will become effective 30 days from the publication of this notice in the Federal Register or 40 days from the date the altered system report was submitted to OMB and Congress, whichever is later, unless HRSA receives comments that require alterations to this notice. The HIPDB SORN will be considered deleted when the system alterations proposed in this notice are effective.

    ADDRESSES:

    Please address comments to Associate Administrator, Bureau of Health Professions, Health Resources and Services Administration, 5600 Fishers Lane, Room 9-05, Rockville, Maryland 20857. Comments received will be available for inspection at this same address from 9:00 a.m. to 3:00 p.m. (Eastern Standard Time Zone), Monday through Friday.

    FOR FURTHER INFORMATION CONTACT:

    Director, Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, 5600 Fishers Lane, Room 8-103, Rockville, Maryland 20857; Telephone: (301) 443-2300. This is not a toll-free number.

    SUPPLEMENTARY INFORMATION:

    I. Merger of HIPDB Into NPDB

    The NPDB and the HIPDB were authorized by separate laws to improve the quality of health care and to combat fraud and abuse, respectively. Title IV of the Health Care Quality Improvement Act (Title IV) and Section 1921 of the Social Security Act (Section 1921) govern the NPDB. Section 1128E of the Social Security Act (Section 1128E) governs the HIPDB. There was overlap between the two data banks following implementation of Section 1921 legislation in March 2010. Section 1921 expanded the scope of the NPDB, requiring each state to adopt a system of reporting to the Secretary certain adverse licensure actions taken against health care practitioners and health care entities by any authority of the state responsible for the licensing of such practitioners or entities. It also required each state to report any negative action or finding that a state licensing authority, a peer review organization, or a private accreditation entity has finalized against a health care practitioner or entity. Practically speaking, Section 1921 resulted in, among other consequences, including in the NPDB the vast majority of information contained in the HIPDB. On March 23, 2010, the Affordable Care Act was signed into law. Section 6403 of the law called for the elimination of duplication between the NPDB and the HIPDB. Section 1921 and Section 1128E statutory authorities were altered to eliminate duplicative reporting requirements.

    The NPDB and HIPDB will merge to form one data bank. The HIPDB will cease operations following the merge, but the underlying statutory authority will remain intact and actions reported under that authority will now be moved to the NPDB. HRSA published a Final Rule merging the two databank systems on April 5, 2013 (78 FR 20473) that went into effect on May 6, 2013.

    II. Proposed Alterations to NPDB

    The revised NPDB SORN that follows includes these system alterations:

    • revises the Purpose section to reflect the addition of information previously collected under the HIPDB related to fraud and abuse, specifically the inclusion of health care providers and suppliers and collection of health care related criminal convictions, civil judgments, and other adjudicated actions
    • expands the Categories of Individuals section to include health care providers and health care suppliers
    • expands the Categories of Records section to include records of federal licensure or certification actions, health care related criminal convictions, health care related civil judgments, and other adjudicated actions or decisions. These additional records resulted in one revised and eleven new personally identifiable information data elements numbered 4 and 21-31, respectively.
    • expands the “Records Sources Categories” section to include federal licensing and certification agencies, federal and state prosecutors and attorneys, health plans, federal government agencies, and state law and fraud enforcement agencies
    • revises two routine uses (numbered 8 and 15) to reflect inclusion of health care providers and suppliers and to remove outdated references to only Section 1921 information
    • adds one new routine use (numbered 14) to allow disclosure of certain information to health plans
    • deletes three unnecessary routine uses, pertaining to the Comptroller General, the U.S. Attorney General, and statistical information (numbered 7, 8 and 12 in the current version of the SORN, published March 30, 2012)
    • updates the Authority section to cite Section 1128E of the Social Security Act as amended by the Patient Protection and Affordable Care Act of 2010
    • updates the Policies and Procedures section related to Safeguards, specifically removing reference to only Title IV reporting

    III. Background on the Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the U.S. Government collects, maintains, and uses information about individuals in a system of records. A “system of records” is a group of any records under the control of a federal agency from which information about an individual is retrieved by the individual's name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purpose for which the agency uses information about individuals in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).

    Dated: July 5, 2013.

    Mary K. Wakefield,

    Administrator.

    SYSTEM NUMBER:

    09-15-0054

    SYSTEM NAME:

    National Practitioner Data Bank

    SECURITY CLASSIFICATION:

    Unclassified.

    SYSTEM LOCATION:

    A contractor operates and maintains the system through a technical service contract for the Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration. This system is located at a contractor run data center, a secure facility; the street address will not be disclosed for security reasons. The address of the Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, is Room 8-103, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    The system collects and maintains records pertaining to the professional competence and conduct of health care practitioners as defined by 45 CFR 60.3 (e.g., physicians, dentists, nurses, allied health care professionals, social workers), health care suppliers as defined by 45 CFR 60.3 (e.g., durable medical equipment suppliers, manufacturers of health care items, pharmaceutical suppliers and manufacturers), health care providers as defined by 45 CFR 60.3 (e.g., hospitals and health plans) and health care entities as defined by 45 CFR 60.3 (e.g., hospitals and health maintenance organizations which are licensed by a state). The first three categories (health care practitioners, providers and suppliers) include only individuals, or a mixture of individuals and entities.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    The system collects and maintains reports and query history records.

    Reports include: (1) Medical malpractice payment reports for all health care practitioners (e.g., physicians, dentists, nurses, optometrists, pharmacists, podiatrists, etc.); (2) adverse licensure and certification action reports taken by states against health care practitioners, health care entities, providers or suppliers; (3) adverse licensure and certification action reports taken by federal agencies against health care practitioners, providers, or suppliers; (4) adverse clinical privileging actions reports for physicians, dentists, or other health care practitioners who may have medical staff privileges; (5) adverse professional society membership action reports for physicians, dentists or other health care practitioners; (6) negative actions or findings taken against health care practitioners, health care entities, providers, or suppliers by peer review organizations and private accreditation entities; (7) federal or state criminal convictions related to the delivery of a health care item or service reports for health care practitioners, providers, or suppliers; (8) civil judgments related to the delivery of a health care item or service for health care practitioners, providers, or suppliers; (9) reports of exclusions of health care practitioners, providers, or suppliers from participation in state or federal health care programs; and (10) other adjudicated actions taken against health care practitioners, providers, or suppliers by federal agencies, state agencies, or health plans. Reports may contain the following personally-identifiable data elements and records:

    1. Name

    2. Work address

    3. Home address

    4. Social Security number or individual tax identification number (ITIN)

    5. Date of birth

    6. Name of each professional school attended and year of graduation

    7. Professional license(s) number

    8. Field of licensure

    9. Name of the state or territory in which the license is held

    10. Drug Enforcement Administration (DEA) registration numbers

    11. Centers for Medicare & Medicaid Services (CMS) unique practitioner identification number (for exclusions only)

    12. Names of each hospital with which the practitioner is affiliated

    13. Name and address of the entity making the payment

    14. Name, title, and telephone number of the official responsible for submitting the report on behalf of the entity

    15. Payment information including the date and amount of payment and whether it is for a judgment or settlement

    16. Date action occurred

    17. Acts or omissions upon which the action or claim was based

    18. Description of the action/omissions and injuries or illnesses upon which the action or claim was based

    19. Description of the Board action, the date of action and its effective date

    20. Classification of the action/omission per reporting code

    21. Court or judicial venue in which action was taken

    22. Docket or court file number

    23. Name of prosecuting agency or Civil Plaintiff

    24. Prosecuting agency's case number

    25. Statutory offense and counts

    26. Date of judgment/sentence

    27. Length of sentence

    28. Amount of judgment or monetary penalty

    29. Restitution or other orders

    30. Nature of offense on which the action was based

    31. Investigative agencies involved and any case/file numbers, if known

    Query histories indicate the dates that a health care practitioner's, provider's, supplier's, or entity's report(s) were accessed/queried in the system and by whom. An individual practitioner's, provider's or supplier's report(s) and query history are available to him or her, if he or she elects to submit a self-query. However, the query history will not include query activity by law enforcement agencies, if any, due to the system's exemption (described below, under “System Exempted From Certain Provisions of the Act”).

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    Title IV of the Health Care Quality Improvement Act of 1986 (Title IV), as amended, Section 1921 of the Social Security Act, as amended, and Section 1128E of the Social Security Act as amended.

    PURPOSE(S):

    The purpose of the system is to: (1) Receive information such as medical malpractice payment reports, negative peer review actions, adverse licensure or certification actions, health care related criminal convictions, health care related civil judgments, exclusions, adverse clinical privileging actions, and other adjudicated actions as enumerated in the Categories of Reports, above, on all health care practitioners, suppliers, providers and entities; (2) store such reports so that future queriers may have access to pertinent information in the course of making important decisions related to the delivery of health care services; and (3) disseminate such data to individuals and entities that qualify to receive the reports under the governing statutes as authorized by the Health Care Quality Improvement Act of 1986, Section 1921 of the Social Security Act and Section 1128E of the Social Security Act to protect the public from unfit practitioners and to prevent fraud and abuse. The system also allows practitioners, providers, and suppliers to self-query.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

    Information from this system is disclosed outside the agency for the following routine uses:

    1. To hospitals requesting information such as adverse licensure actions, medical malpractice payments or exclusions from Medicare and Medicaid programs taken against all licensed health care practitioners such as physicians, dentists, nurses, podiatrists, chiropractors, and psychologists. The information is accessible to both public and private sector hospitals that can request information concerning a physician, dentist or other health care practitioner who is on its medical staff (courtesy or otherwise) or who has clinical privileges at the hospital, for the purpose of: (a) Screening the professional qualifications of individuals who apply for staff positions or clinical privileges at the hospital; and (b) meeting the requirements of the Health Care Quality Improvement Act of 1986, which prescribes that a hospital must query the NPDB once every 2 years regarding all individuals on its medical staff or who hold clinical privileges.

    2. To other health care entities, as defined in 45 CFR 60.3, to which a physician, dentist or other health care practitioner has applied for clinical privileges or appointment to the medical staff or who has entered or may be entering an employment or affiliation relationship. The purpose of these disclosures is to assess the individual practitioner's qualifications for staff appointment or clinical privileges.

    3. To a health care entity with respect to professional review activity. The purpose of these disclosures is to aid health care entities in the conduct of professional review activities, such as those involving determinations of whether a physician, dentist, or other health care practitioner may be granted membership in a professional society, the conditions of such membership, or changes to such membership; and ongoing professional review activities of the professional performance or conduct of a physician, dentist, or other health care practitioner.

    4. To a state health care practitioner and/or entity licensing or certification authority that requests information in the course of conducting a review of all health care practitioners or health care entities or when making licensure determinations about health care practitioners and entities. The purpose of these disclosures is to aid the board or certification authority in meeting its responsibility to protect the health of the population in its jurisdiction, and to assess the qualifications of individuals seeking licenses or certifications.

    5. To federal and state health care programs (and their contractors) that request information to aid them in ensuring the integrity of their programs and the professional competence of affiliated health care practitioners and uncovering information needed to make appropriate decisions in the delivery of health care.

    6. To state Medicaid Fraud Control Units that request information to assist with investigating fraud, waste and abuse and in the prosecution of health care practitioners and providers relating to the Medicaid programs.

    7. To utilization and quality control Peer Review Organizations and those entities which are under contract with the CMS, when they request information to protect and improve the quality of care for Medicare beneficiaries in the course of performing quality of care reviews and other related activities.

    8. To a health care provider, supplier, or practitioner who requests information concerning himself, herself, or itself.

    9. To a health care entity that has been reported on, when the entity queries the system to receive information concerning itself.

    10. To an attorney, or an individual representing himself or herself, who has filed a medical malpractice action or claim in a state or federal court or other adjudicative body against a hospital, and who requests information regarding a specific physician, dentist, or other health care practitioner who is also named in the action or claim, provided that: (a) This information will be disclosed only upon the submission of evidence that the hospital failed to request information from the NPDB as required by law; and (b) the information will be used solely with respect to litigation resulting from the action or claim against the hospital. The purpose of these disclosures is to permit an attorney (or a person representing himself or herself in a medical malpractice action) to have information from the NPDB on a health care practitioner, under the conditions set out in this routine use.

    11. To any federal entity, employing or otherwise engaging under arrangement (e.g., such as a contract) the services of a physician, dentist, or other health care practitioner, or having the authority to sanction such individuals covered by a federal program, which: (a) Enters into a memorandum of understanding with HHS regarding its participation in the NPDB; (b) engages in a professional review activity in determining an adverse action against a practitioner; and (c) maintains a Privacy Act system of records regarding the health care practitioners it employs, or whose services it engages under arrangement. The purpose of such disclosures is to enable hospitals and other facilities and health care providers under the jurisdiction of federal agencies such as the Public Health Service, HHS; the Department of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; and the Bureau of Prisons, Department of Justice, to participate in the NPDB. The Health Care Quality Improvement Act of 1986 includes provisions regarding the participation of such agencies and of the DEA.

    12. To the Department of Justice in the event of litigation, for the purpose of enabling HHS to present an effective defense, where the defendant is: (a) HHS, any component of HHS, or any HHS employee in his or her official capacity; (b) the United States where HHS determines that the claim, if successful, is likely to affect directly the operation of HHS or any of its components; or (c) any HHS employee in his or her individual capacity where the Department of Justice has agreed to represent such employee, for example in defending a claim against the Public Health Service based upon an individual's mental or physical condition and alleged to have arisen because of activities of the Public Health Service in connection with such individual; provided that such disclosure is compatible with the purpose for which the records were collected.

    13. To the contractor engaged by the agency to operate and maintain the system. Operation and maintenance functions include but are not limited to providing continuous user availability, developing system enhancements, upgrading hardware and software, providing information security assurance, and performing system backups.

    14. To a health plan requesting data concerning a health care provider, supplier, or practitioner for the purposes of preventing fraud and abuse activities and/or improving the quality of patient care, and in the context of hiring or retaining providers, suppliers and practitioners that are the subjects of reports.

    15. To federal agencies requesting data concerning a health care provider, supplier, or physician, dentist or other practitioner for the purposes of anti-fraud and abuse activities and investigations, audits, evaluations, inspections and prosecutions relating to the delivery of and payment for health care in the United States and/or improving the quality of patient care, and in the context of hiring or retaining the providers, suppliers and individuals that are the subject of reports to the system. This would include law enforcement investigations and other law enforcement activities.

    16. To appropriate federal agencies and HHS contractors that have a need to know the information for the purpose of assisting HHS' efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

    POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

    STORAGE: Records are maintained on database servers with disk storage, optical jukebox storage, backup tapes and printed reports.

    RETRIEVABILITY: Records are retrieved by name, date of birth, Social Security Number, educational information, and license number. The matching algorithm uses these data elements to match reports to the subject.

    SAFEGUARDS:

    1. Authorized users include internal users such as government and contractor personnel who support the NPDB. Users are required to obtain favorable adjudication for a Level 5 Position of Public Trust. Government and contractor personnel who support the NPDB must attend security training, sign a Non-Disclosure Agreement, and sign the Rules of Behavior, which is renewed annually. Users are given role-based access to the system on a limited need-to-know basis. All physical and logical access to the system is removed upon termination of employment. External users, who are responsible for meeting NPDB reporting and/or querying requirements to the NPDB, are responsible for determining their eligibility to access the NPDB through a self-certification process which requires completing an Entity Registration form. All external users must acknowledge the Rules of Behavior. All external users must re-register every two years to access the NPDB. The registration process consists of an electronic authentication process where each user needs to prove his or her identity and organizational affiliation based on requirements in National Institute of Standards and Technology (NIST) SP 800-63-1. Both HRSA and the contractor maintain lists of authorized users.

    2. Physical safeguards involve physical controls that are in place 24 hours a day/7 days a week such as identification badge access, cipher locks, locked hardware cages, man trap with biometric hand scanner, security guard monitoring, and closed circuit TV. All sites are protected with fire and environmental safety controls.

    3. Technical safeguards include firewalls, network intrusion detection, host-based intrusion detection and file integrity monitoring, user identification, database activity monitoring, data loss prevention and password restrictions. All web-based traffic is encrypted using 128 bit SSL and all network traffic is encrypted internally.

    4. Administrative safeguards involve certification and accreditation that is required every three years, which authorizes operation of the system based on acceptable risk. Security assessments are conducted continuously throughout the year to verify compliance with all required controls.

    RETENTION AND DISPOSAL OF RECORDS:

    HRSA is working with the National Archives and Records Administration (NARA) to determine the appropriate retention period for electronic records. The records require long-term retention. Pending finalization of an appropriate disposition schedule with NARA, the records are being retained indefinitely.

    SYSTEM MANAGER AND ADDRESS:

    Director, Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, Room 8-103, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

    NOTIFICATION PROCEDURE:

    Currently, an individual report subject is notified via U.S. mail when a report concerning him or her is submitted to the NPDB via Subject Notification Document (SND). This procedure is unchanged by the exemption published for the system.

    RECORD ACCESS PROCEDURES:

    Although this system is exempt from the Privacy Act access requirement, the exemption is limited and discretionary. An individual report subject may seek access to his or her records in the NPDB by submitting a self-query request form on-line at: www.npdb.hrsa.gov. The requests are submitted over the web using the Integrated Query and Reporting Service (IQRS), Query and Reporting Extensible Markup Language Service (QRXS), Interface Control Document (ICD) Transfer Program (ITP) or the Continuous Query. Self-query, as described previously, may be initiated via the electronic system and is completed using the conventional mail system. Requesters, including self-queriers, will receive an accounting of disclosures that have been made of their records, if any. The exemption will prevent law enforcement query activity from being disclosed to the health care practitioner in response to a self-query. Notwithstanding the access exemption, a practitioner may request access to his or her full query history (i.e., including law enforcement query activity, if any), by submitting a written request to the System Manager identified above and following the same procedures indicated under “Notification Procedure.” The request will be processed pursuant to the agency's discretionary access authority under 45 CFR 5b.11(d).

    REQUESTS BY MAIL:

    Practitioners may submit a “Request for Information Disclosure” to the address under system location for any report on themselves. The request must contain the following: Name, address, date of birth, gender, Social Security Number (optional), professional schools and years of graduation, and the professional license(s). For license, include: The license number, the field of licensure, the name of the state or territory in which the license is held, and DEA registration number(s). The practitioner must submit a signed and notarized self-query request.

    REQUESTS IN PERSON:

    Due to security considerations, the NPDB cannot accept requests in person.

    REQUESTS BY TELEPHONE:

    Practitioners may provide all of the identifying information stated above to the NPDB Customer Service Center operator. Before the data request is fulfilled, the operator will return a paper copy of this information for verification, signature and notarization.

    PENALTIES FOR VIOLATION:

    Submitting a request under false pretenses is a criminal offense and subject to a civil monetary penalty of up to $11,000 for each violation. 42 CFR 1003.103(c).

    CONTESTING RECORD PROCEDURES:

    Because of the system's exemption, the procedures for disputing an NPDB report will not apply to law enforcement query history information that is exempt from access, and all amendment requests will be governed by the procedures at 45 CFR 60.21. The NPDB routinely mails a copy of any report filed in it to the subject individual. A subject individual may contest the accuracy of information in the NPDB concerning himself or herself and file a dispute. To dispute the accuracy of the information, the individual must contact the NPDB and the reporting entity to: (1) Request that the reporting entity file a correction to the report; and (2) request the information be entered into a “disputed” status and submit a statement regarding the basis for the inaccuracy of the information in the report. If the reporting entity declines to change the disputed report or takes no actions, the subject may request that the Secretary of HHS review the disputed report. In order to seek a review, the subject must: (1) Provide written documentation containing clear and brief factual information regarding the information of the report; (2) submit supporting documentation or justification substantiating that the reporting entity's information is inaccurate; and (3) submit proof that the subject individual has attempted to resolve the disagreement with the reporting entity but was unsuccessful. The Department can only determine whether the report was legally required to be filed and whether the report accurately depicts the action taken and the reporter's basis for action. Additional detail on the process of dispute resolution can be found at 45 CFR 60.21 of the NPDB regulations.

    RECORD SOURCE CATEGORIES:

    The records contained in the system are submitted by the following entities: (1) Insurance companies and others who have made payment as a result of a malpractice action or claim; (2) state health care licensing and certification authorities; (3) federal licensing and certification agencies (e.g., DEA); (4) peer review organizations and private accreditation entities; (5) hospitals and other health care entities (includes professional societies); (6) federal and state prosecutors and attorneys; (7) health plans; (8) federal government agencies; and (9) state law and fraud enforcement agencies.

    SYSTEM EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

    The Secretary has exempted law enforcement query records in this system from certain provisions of the Privacy Act. In accordance with 5 USC 552a(k)(2) and 45 CFR 5b.11(b)(2)(ii)(L), with respect to law enforcement query records, this system is exempt from subsections (c)(3), (d)(1)-(4), (e)(4)(G) and (H), and (f) of 5 USC 552a. See 76 FR 72325, published November 23, 2011, adding NPDB as an exempt system.

    [FR Doc. 2013-18599 Filed 8-2-13; 8:45 am]

    BILLING CODE 4160-15-P