Privacy Act; Implementation

AGENCY:

Office of Inspector General (OIG), HHS.

ACTION:

Final rule.

SUMMARY:

This final rule exempts the new system of records, the Healthcare Integrity and Protection Data Bank (HIPDB), from certain provisions of the Privacy Act (5 U.S.C. 552a). The establishment of the HIPDB is required by section 1128E of the Social Security Act (the Act), as added by section 221(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Section 1128E of the Act directed the Secretary to establish a national health care fraud and abuse data collection program for the reporting and disclosing of certain final adverse actions taken against health care providers, suppliers or practitioners, and to maintain a data base of final adverse actions taken against health care providers, suppliers and practitioners. Regulations implementing the new HIPDB were published in the Federal Register on October 26, 1999 (64 FR 57740). The exemption being set forth in this rule applies to investigative materials compiled for law enforcement purposes.

EFFECTIVE DATE:

This rule is effective on June 1, 2000.

FOR FURTHER INFORMATION CONTACT:

Rick Burguieres, Investigative Policy and Information Management Staff, Office of Investigations, (202) 205-5200.

SUPPLEMENTARY INFORMATION:

I. The Healthcare Integrity and Protection Data Bank

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, requires the Secretary, acting through the Office of Inspector General (OIG) and the United States Attorney General, to establish a new health care fraud and abuse control program to combat health care fraud and abuse (see section 1128C of the Act, as enacted by section 201(a) of HIPAA). Among the major steps in this program is the establishment of a national data bank to receive and disclose certain final adverse actions against health care providers, suppliers, or practitioners (see section 1128C(a)(1)(E) of the Act). The establishment of the data bank is required by section 1128E of the Act (added by section 221(a) of HIPAA), which directs the Secretary to maintain a data base of such final adverse actions. Final adverse actions include: (1) Civil judgments against a health care provider, supplier, or practitioner in Federal or State court related to the delivery of a health care item or service; (2) Federal or State criminal convictions against a health care provider, supplier, or practitioner related to the delivery of a health care item or service; (3) actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers, or practitioners; (4) exclusion of a health care provider, supplier, or practitioner from participation in Federal or State health care programs; and (5) any other adjudicated actions or decisions that the Secretary establishes by regulations. Settlements in which no findings or admissions of liability have been made will be excluded from reporting. However, any final adverse action that emanates from such settlements, and that would otherwise be reportable under the statute, is to be reported to the data bank. Final adverse actions are to be reported, regardless of whether such actions are being appealed by the subject of the report (see section 1128E(b)(2)(C) of the Act). Final regulations implementing the statutory requirements of section 1128E of the Act and establishing the new HIPDB were published in the Federal Register on October 26, 1999 (64 FR 57740).

Groups that have access to this new data bank system include Federal and State government agencies; health plans; and self queries from health care suppliers, providers and practitioners. Reporting is limited to the same groups that have access to the information. One of the primary purposes of these data will be use of this information by a Federal or State government agency charged with the responsibility of investigating or prosecuting a case where there is an indication of a violation or potential violation of law, whether civil, criminal or regulatory in nature. The information in this system may also be used in the preparation for a trial or hearing for such violation.

II. Summary of the Proposed Rule

On October 26, 1999, the Department also published, through the Office of Inspector General, a proposed rule (64 FR 57619) to exempt this new records system from certain provisions of the Privacy Act. This proposed exemption was intended to protect, from release to the record subject, information on law enforcement queries to the data bank, to exempt the data bank from Privacy Act access and amendment procedures in order to establish access and amendment procedures in the HIPDB regulations. The proposed rule specifically sought public comments on the proposed exemption.

In accordance with the rulemaking, record subjects would be guaranteed access to, and correction rights for, substantive information reported to the HIPDB. The procedures, set out in 45 CFR part 61, use the Privacy Act access and correction procedures as a basic framework while, at the same time, providing significant additional rights (such as automatic notification to the record subject of any report filed with the data bank). Data bank subjects would also have broader rights on HIPDB correction procedures, including the right to file a statement of disagreement as soon as a report is filed with the data bank.

III. Response to Public Comments

In response to the proposed rule, we received timely-filed public comments from two health professional organizations. Set forth below is a summary of those comments and our response to those concerns.

Comment: One commenter believed that the provisions to exempt the HIPDB from provisions of the Privacy Act were duplicative and unnecessary. The commenter believed that this waiver was not necessary since the Privacy Act already contains an exemption for law enforcement queries.

Response: The commenter is correct that a law enforcement agency may request information from the HIPDB by having an appropriate official formally file a written request under 5 U.S.C. 552a(b)(7). Such queries are not available to the subject of the Privacy Act record under 5 U.S.C. 552a(c)(3). However, requiring law enforcement agencies to use the more cumbersome process of submitting requests in writing defeats one of the primary purposes of the HIPDB, which is to provide for instant, online access to data for its designated users, including law enforcement agencies. Therefore, disclosures to law enforcement agencies will generally be made in accordance with the routine use provision of the Privacy Act, 5 U.S.C. 552a(b)(3), and this exemption is necessary to protect the queries from release to the record subject.

Comment: One commenter stated that the proposed modification to 45 CFR 5b.11(b)(2)(ii) appeared to exempt all queries from the history disclosure requirement of the Privacy Act, rather than just those that are made by law enforcement agencies. The commenter indicated, however, that nothing in proposed subparagraph (F) of this section would limit the exemption to law enforcement queries.

Response: As stated in the proposed rule, subjects will have access to information on all other queries to the data bank. The exemption is only intended to protect against harm to ongoing investigations. Under the HIPDB implementing regulations (October 26, 1999; 64 FR 57740), information reports made available to the report subjects will include all other query information.

Comment: One association indicated their support of the proposed modification regarding the exemption of law enforcement agencies from the Privacy Act, but recommended that the regulatory agencies, such as dental boards, also be included in the exemption.

Response: As indicated above, the exemption is designed to protect only law enforcement queries permitted by the statute. If a governmental agency is entitled to access the HIPDB for law enforcement purposes, that query would be covered by the exemption. Questions on what types of queries are “law enforcement” queries can always be raised with the OIG's Office of Investigations' Investigative Policy and Information Management Staff at (202) 205-5200.

IV. Regulatory Impact Statement

The Office of Management and Budget has reviewed this final rule in accordance with the provisions of Executive Order 12866, the Unfunded Mandates Reform Act and Executive Order 13132, and has determined that this rule does not meet the criteria for an economically siginificant regulatory action.

Specifically, Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when rulemaking is necessary, to select regulatory approaches that maximize net benefits, including potential economic, environmental, public health, safety distributive and equity effects. Section 202 of the Unfunded Mandates reform Act, Public Law 104-4, requires that agencies prepare an assessment of anticipated costs and benefits on any rule that may result in an expenditure by State, local or tribe governments, or by the private sector, of $100 million or more in any given year. In addition, under the Small Business Enforcement Act (SBEA) of 1996, if a rule has a significant economic effect on a substantial number of small businesses, the Secretary must specifically consider the economic effect of a rule on small business entities and analyze regulatory options that could lessen the impact of the rule. Further, Executive Order 13132, Federalism, requires agencies to determine if a rule will have a significant effect on States, on their relationship with the Federal Government, and on the distribution of power and responsibility among the various levels of government.

In accordance with the exemption being set forth in this rule, while the reports of adverse actions to the HIPDB will be known to the subjects of the records in the data bank, the access and use of such information by law enforcement agencies would not be known to the subjects of the records. As indicated above, we believe that disclosure of this information could have a negative impact and compromise ongoing law enforcement activities.

We believe that the aggregate economic impact of this final rule is minimal and will have no effect of the economy or on Federal or State expenditures. Similarly, we believe that there are no significant costs associated with this Privacy Act exemption that will impose any mandates on State, local or tribal governments or on the private sector that will result in an expenditure of $100 million or more in any given year. In addition, in accordance with the provisions of the SEBA and the threshold criteria of Executive Order 13132, the Secretary certifies that this exemption will not have a significant impact on a substantial number of small entities, and will not significantly affect the rights, roles and responsibilities of States, and that a full analysis under these Acts is not necessary.

List of Subjects in 5 CFR Part 5b

• Privacy

Accordingly, the Department's Privacy Act regulations at 45 CFR part 5b are amended as set forth below:

PART 5b—[AMENDED]

Part 5b are amended as follows:

1. The authority citation for part 5b continue to read as follows:

Authority: 5 U.S.C. 301, 5 U.S.C. 552a.

2. Section 5b.11 is amended by adding a new paragraph (b)(2)(ii)(F) to read as follows: