Health Care Fraud and Abuse Data Collection Program: Technical Revisions to Healthcare Integrity and Protection Data Bank Data Collection Activities

Federal Register, Sep 21, 2004
69 Fed. Reg. 56364 (Sep. 21, 2004)

AGENCY:

Office of Inspector General (OIG), HHS.

ACTION:

Final rule.

SUMMARY:

The rule finalizes technical changes to the Healthcare Integrity and Protection Data Bank (HIPDB) data collection reporting requirements by clarifying the types of personal numeric identifiers that may be reported to the data bank in connection with adverse actions. The rule clarifies that in lieu of a Social Security Number (SSN), an individual taxpayer identification number (ITIN) may be reported to the data bank when, in those limited situations, an individual does not have an SSN.

DATES:

The regulations amending 45 CFR part 61 became effective on July 19, 2004.

FOR FURTHER INFORMATION CONTACT:

Joel Schaer, Office of External Affairs, (202) 619-0089.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Healthcare Integrity and Protection Data Bank (HIPDB)

Section 221(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-91, required the Department, acting through the Office of Inspector General, to establish a health care fraud and abuse control program to combat health care fraud and abuse (section 1128C of the Social Security Act (the Act)). Among the major steps in this program has been the establishment of a national data bank to receive and disclose certain final adverse actions against health care providers, suppliers, or practitioners, as required by section 1128E of the Act, in accordance with section 221(a) of HIPAA. The data bank, known as the Healthcare Integrity and Protection Data Bank (HIPDB), is designed to collect and disseminate the following types of information regarding final adverse actions: (1) Civil judgments against health care providers, suppliers, or practitioners in Federal or State court that are related to the delivery of a health care item or service; (2) Federal or State criminal convictions against a health care provider, supplier, or practitioner related to the delivery of a health care item or service; (3) final adverse actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers, or practitioners; (4) exclusion of a health care provider, supplier, or practitioner from participation in Federal or State health care programs; and (5) any other adjudicated actions or decisions that the Secretary establishes by regulation.

1. Data Elements To Be Reported to the HIPDB

Section 1128E(b)(2) of the Act cited a number of required elements or types of data that must be reported to the HIPDB. These elements include: (1) The name of the individual or entity; (2) a taxpayer identification number; (3) the name of any affiliated or associated health care entity; (4) the nature of the final adverse action and whether the action is on appeal; (5) a description of the acts or omissions, or injuries, upon which a final adverse action is based; and (6) any other additional information deemed appropriate by the Secretary. With respect to this last element, we have exercised this discretion to add additional reportable data elements reflecting much of the information that is already routinely collected by the Federal and State reporting agencies.

Final regulations implementing the HIPDB were published in the Federal Register on October 26, 1999 (64 FR 57740). In those final regulations, for an individual (1) who is the subject of a civil judgment or criminal conviction related to the delivery of a health care item or service; or (2) who is the subject of a licensure action taken by Federal or State licensing and certification agencies, an adjudicated action or decision, or an individual excluded from participation in a Federal or State health care program, the current HIPDB systems of records contain, among other things, the individual's full name, other names used (if known), and his or her SSN. We specifically indicated that use of personal identifiers, such as SSNs and Federal Employer Identification Numbers (FEINs), in the collection and reporting to the HIPDB:

  • Provides explicit matching of specific adverse action reports to and from the data bank;
  • Provides a greater confidence level in the system's matching algorithm and maximizes the system's ability to prevent the erroneous reporting and disclosure of health care providers, suppliers and practitioners; and
  • Strengthens States' ability to detect individuals who move from State to State without disclosure or discovery of previous damaging performance.

However, in addressing the list of “mandatory” data elements that must be reported to the data bank in connection with adverse actions, the final regulations inadvertently omitted reference to the reporting of an ITIN to the data bank when, in those limited situations, an individual does not have an SSN.

2. Tax Identification Numbers as Defined by the Internal Revenue Code

As indicated above, HIPAA requires “the name and TIN (as defined in section 7701(a)(41) of the Internal Revenue Code (IRC) of 1986) of any health care provider, supplier, or practitioner who is the subject of a final adverse action” to be reported to the data bank. Section 7701(a)(41) of the IRC does not specifically define TIN, but instead refers to section 6109 of the Code. Section 6109(d) states that an individual's SSN is the tax identifying number for an individual, except as otherwise specified in regulations by the Secretary of the Treasury. In turn, the Department of the Treasury regulations set forth at 26 CFR 301.6109-1(a)(ii)(B) provide for the issuance of an ITIN for individuals who are not eligible for an SSN.

C. Technical Revisions to 45 CFR Part 61

The HIPDB regulations at 45 CFR part 61 required the SSN on reports of adverse actions on individuals. Although the SSN meets the statutory requirement of a TIN, we believed that the inclusion of the ITIN, which is also a TIN, is consistent with the statutory requirements of HIPAA. Most reportable final adverse actions are taken against individual health care practitioners who are permitted to work in the United States. Non-citizens in the United States with permission to work are eligible for SSNs. However, we had become aware that there are non-citizens who do not have permission to work in the United States, but who do have ITINs assigned by the Internal Revenue Service (IRS) for tax purposes and hold valid State health care licenses. One example would be a foreign physician who does not practice in the United States, but desires to have a State license as a qualification of his or her ability to practice medicine. We believed that there may be very limited incidences where reportable adverse actions, particularly licensing actions, may be taken against these health care practitioners, such as an adverse licensing action taken by a medical licensing authority in a foreign country that is then reported to a State medical licensing board which then revokes the State medical license of the foreign physician. However, if the physician does not have a SSN, the State medical licensing authority is currently unable to report the action. We believed that the revision of the HIPDB regulations to include the collection of the ITIN for individuals who do not have SSNs, but have been assigned an ITIN, would enable the data bank to receive reports that it could not receive.

These individuals can use previously IRS assigned ITINs, although they cannot qualify for an ITIN solely for licensing purposes.

II. Summary of Provisions of the Interim Final Rule With Comment Period

In order to allow for the collection and dissemination of all appropriate information to and from the data bank, on June 17, 2004, we published in the Federal Register (69 FR 33866) an interim final rule with comment period that revised §§ 61.7, 61.8, and 61.10 of the HIPDB regulations at 45 CFR part 61 to indicate that for the reporting of (1) licensure actions taken by Federal and State licensing and certification agencies, (2) Federal or State criminal convictions related to the delivery of a health care item or service, or (3) exclusions from participation in Federal or State health care programs:

  • If the subject is an individual, entities must report either the SSN or ITIN;
  • If the subject is an organization, entities must report the FEIN, or SSN or ITIN when used by the subject as a TIN; and
  • If the subject is an organization, entities should report, if known, any FEINs, SSNs or ITINs used.

These revisions in the interim final rule also allowed the reporting of ITINs, by reference, to the reports required in §§ 61.9 and 61.11.

In addition, the interim final rule noted that while the inclusion of a SSN or ITIN was a necessary reporting element in reporting adverse actions to the HIPDB, the Social Security Administration and the Internal Revenue Service are not required to assign a SSN or an ITIN, respectively, to those individuals who do not otherwise qualify for such identification numbers.

III. Analysis of and Responses to Public Comments

We received no public comments in response to the June 17, 2004 interim final rule.

IV. Provisions of the Final Regulations

The provisions of this final rule are identical to the provisions of the June 17, 2004 interim final rule.

V. Regulatory Impact Statement

A. Regulatory Analysis

We have examined the impacts of this technical rule revision as required by Executive Order 12866, the Regulatory Flexibility Act (RFA) of 1980, the Unfunded Mandates Reform Act of 1995, and Executive Order 13132.

1. Executive Order 12866

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulations are necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, and safety effects; distributive impacts; and equity). A regulatory impact analysis must be prepared for major rules with economically significant effects ($100 million or more in any given year). This is not a major rule as defined at 5 U.S.C. 804(2), and it is not economically significant since this technical revision will not have a significant effect on program expenditures and there will be no additional substantive cost through codification of this change. Specifically, the revisions to 45 CFR part 61 set forth in this rule are technical in nature and are designed to further clarify statutory requirements. The economic effect of these revisions will impact only those limited few individuals or organizations that are the subject of an adverse action reportable to the data bank. As such, we believe that the aggregate economic impact of this technical revision to the regulations will be minimal and have no appreciable effect on the economy or on Federal or State expenditures.

2. Regulatory Flexibility Act

The RFA and the Small Business Regulatory Enforcement and Fairness Act of 1996, which amended the RFA, require agencies to analyze options for regulatory relief of small businesses. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and government agencies. Most providers are considered to be small entities by having revenues of $6 million to $29 million or less in any one year. For purposes of the RFA, most physicians and suppliers are considered to be small entities. In addition, section 1102(b) of the Social Security Act requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural providers. This analysis must conform to the provisions of section 604 of the RFA.

We anticipate that the number of individuals who do not have permission to work in the United States but who have ITINs, who hold valid State health care licenses, and who will be the subject of a report to the HIPDB will be minimal. Even in those very limited incidences where reportable adverse actions, such as licensing actions, may be taken against a health care practitioner, we believe that the aggregate economic impact of this technical revision will be minimal since it is the nature of the conduct and not the size or type of the entity that would result in the violation and the need to report the adverse action to the HIPDB. As a result, we have concluded that this technical rule should not have a significant impact on the operations of a substantial number of small or rural providers, and that a regulatory flexibility analysis is not required for this rulemaking.

3. Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditure in any one year by State, local, or tribal governments, in the aggregate, or by the private sector, of $110 million. As indicated, these technical revisions comport with statutory intent and clarify the legal authorities for reporting information to the data bank against those who have acted improperly against the Federal and State health care programs. As a result, we believe that there are no significant costs associated with these revisions that would impose any mandates on State, local, or tribal governments, or the private sector that will result in an expenditure of $110 million or more (adjusted for inflation) in any given year, and that a full analysis under the Unfunded Mandates Reform Act is not necessary.

4. Executive Order 13132

Executive Order 13132, Federalism, establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirements or costs on State and local governments, preempts State law, or otherwise has Federalism implications. In reviewing this rule under the threshold criteria of Executive Order 13132, we have determined that this rule will not significantly affect the rights, roles, and responsibilities of State or local governments.

B. Paperwork Reduction Act

The provisions of this rulemaking impose no express new reporting or recordkeeping requirements on reporting entities. As indicated, this additional reportable data element reflects information that is already routinely collected by the Federal and State reporting agencies on health care providers, suppliers and practitioners, and imposes no new reporting burden beyond the data element fields already approved by OMB.

List of Subjects in 45 CFR Part 61

  • Billing and transportation services
  • Durable medical equipment suppliers and manufacturers
  • Health care insurers
  • Health maintenance organizations
  • Health professions
  • Home health care agencies
  • Hospitals
  • Penalties
  • Pharmaceutical suppliers and manufacturers
  • Privacy
  • Reporting and recordkeeping requirements
  • Skilled nursing facilities

PART 61—HEALTHCARE INTEGRITY AND PROTECTION DATA BANK FOR FINAL ADVERSE INFORMATION ON HEALTH CARE PROVIDERS, SUPPLIERS AND PRACTITIONERS

Accordingly, the interim final rule with comment period amending 45 CFR part 61, which was published on June 17, 2004 in the Federal Register at 69 FR 33866-33869 is adopted as a final rule without change.

Dated: August 23, 2004.

Lewis Morris,

Chief Counsel to the Inspector General.

Approved: September 15, 2004.

Tommy G. Thompson,

Secretary.

[FR Doc. 04-21204 Filed 9-20-04; 8:45 am]

BILLING CODE 4152-01-P