Privacy Act of 1974; Report of an Altered System of Records

Download PDF
Federal RegisterOct 1, 2010
75 Fed. Reg. 60763 (Oct. 1, 2010)

AGENCY:

Department of Health and Human Services (HHS), Health Resources and Services Administration (HRSA).

ACTION:

Notice of an Altered System of Records (SOR).

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, the Health Resources and Services Administration (HRSA) is publishing a notice to alter the system of records for the National Practitioner Data Bank for Adverse Information on Physicians and other Health Care Practitioners, HHS/HRSA/BHPR. The SORN 09-15-0054 was last published March 17, 1997. In accordance with the Health Care Quality Improvement Act of 1986, as amended, title IV of Public Law 99-660 (42 U.S.C. 11101 et seq.) authorizes the Secretary to establish a National Practitioner Data Bank (NPDB) to collect and release certain information relating to the professional competence and conduct of physicians, dentists, and other health care practitioners. This information is releasable only to specific entities described in the SORN. It requires the maintenance of records such as medical malpractice payments, adverse licensure and clinical privilege actions, disciplinary actions taken by Boards of Medical Examiners, and professional review actions taken by health care entities against physicians, dentists, and other healthcare practitioners. Section 1921 of the Social Security Act, as amended by Section 5(b) of the Medicare and Medicaid Patient and Program Protection Act of 1987 (MMPPPA), and as amended by the Omnibus Budget Reconciliation Act of 1990 (OBRA), expands reporting to the NPDB to authorize maintenance of records of adverse licensure actions and negative actions or findings taken by a State licensing authority, peer review organization, or private accreditation entity against all healthcare practitioners or healthcare entities.

The purpose of these alterations is to update: (1) System location; (2) Category of individuals covered by the system; (3) Category of records in the system; (4) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system; (5) Notification procedure; (6) Record access procedures; (7) Contesting record procedures; and (8) Routine uses for the contractors accessing the system. Also, HRSA is proposing an additional routine use, number 17 (Responding to a breach of the security or confidentiality of information) for this system of records. The physical NPDB system which includes hardware and software will not be altered.

DATES:

HRSA filed an altered system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on 6/13/10. To ensure all parties have adequate time in which to comment, the altered systems including the routine uses, will become effective 30 days from the publication of the notice or 40 days from the date it was submitted to OMB and Congress, whichever is later, unless HRSA receives comments that require alterations to this notice.

ADDRESSES:

Please address comments to Associate Administrator, Bureau of Health Professions, Health Resources and Services Administration, 5600 Fishers Lane, Room 8-103, Rockville, Maryland 20857. Comments received will be available for inspection at this same address from 9 a.m. to 3 p.m. (Eastern Standard Time Zone), Monday through Friday.

FOR FURTHER INFORMATION CONTACT:

Director, Division of Practitioner Data Banks, Bureau of Health Professions, 5600 Fishers Lane, Room 8-103, Rockville, Maryland 20857; Telephone: (301) 443-2300. This is not a toll-free number.

SUPPLEMENTARY INFORMATION:

The Health Resources and Services Administration is proposing a change to: (1) System location; (2) Category of individuals covered by the system; (3) Category of records in the system; (4) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system; (5) Notification procedure; (6) Record access procedures; (7) Contesting record procedures; and (8) Routine uses for the contractors accessing the system.

The above listed items are being modified to reflect changes in the business process and the addition of new information pursuant to Section 1921 of the Social Security Act. The specific changes are as follows: (1) System location reflects a move to new secure facility; (2) individual profession covered by the system is a new category; (3) record in the system changed from narrative to list format; (4) policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system to reflect changes in business practice and procedure; (5) notification procedures demonstrate the method used to notify a subject of a report; (6) record access procedures list the new Domain Name (DN); (7) contesting record procedures reflect a change from Health Care Financing Administration (HCFA) to Centers for Medicare and Medicaid Services (CMS); and (8) routine uses allow the contractor to perform their functions as it relates to the system.

HRSA is also proposing an additional routine use, number 17, to permit disclosures to appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

Dated: September 16, 2010.

Mary K. Wakefield,

Administrator.

System Number: 09-15-0054.

System Name:

National Practitioner Data Bank for Adverse Information on Physicians and Other Health Care Practitioners, HHS/HRSA/BHPR.

Security Classification:

None.

System Location:

The contractor, SRA International, Inc., operates and maintains an internet-based system through a technical service contract for the Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration. SRA's physical address is 4350 Fair Lakes Courts, Fairfax Virginia 22033-4233. This system is located at the AT&T Data Center, a secure facility; the street address will not be disclosed for security reasons.

Categories of Individuals Covered by the System:

The system collects and maintains information in accordance with 5 U.S.C. 552a of the Privacy Act of 1974, as follows:

(1) Medical malpractice payment reports for all health care practitioners, i.e. physicians, dentists, nurses, optometrists, pharmacists, and podiatrists, etc.; (2) adverse clinical privilege action reports for physicians, dentists, and other healthcare practitioners who may have medical staff privileges either restricted or surrendered; (3) adverse licensure action reports for physicians, dentists and other healthcare practitioners and healthcare entities such as a suspension or revocation; (4) adverse professional society membership action reports for physicians and dentists; (5) reports of the results of formal proceedings by a State licensing authority, peer review organization, or private accreditation organization concluded against a health care practitioner or entity; (6) reports of Medicare/Medicaid exclusions of all healthcare practitioners; and (7) reports of adverse actions taken against the U.S. Drug Enforcement Administration (DEA) registration of all healthcare practitioners.

Categories of Records in the System:

The system collects and maintains categories of information concerning healthcare practitioners such as:

1. Name.

2. Work address.

3. Home address.

4. Social Security number.

5. Date of birth.

6. Name of each professional school attended and year of graduation.

7. Professional license(s) number.

8. Field of licensure.

9. Name of the State or Territory in which the license is held.

10. DEA registration numbers.

11. CMS unique practitioner identification number (for exclusions only).

12. Names of each hospital with which the practitioner is affiliated.

13. Name and address of the entity making the payment.

14. Name, title, and telephone number of the official responsible for submitting the report on behalf of the entity.

15. Payment information including the date and amount of payment and whether it is for a judgment or settlement.

16. Date action occurred.

17. Acts or omissions upon which the action or claim was based.

18. Description of the action/omissions and injuries or illnesses upon which the action or claim was based.

19. Description of the Board action, the date of action and its effective date.

20. Classification of the action/omission per reporting code.

Authority for Maintenance of the System:

The Health Care Quality Improvement Act of 1986, as amended, title IV of Public Law 99-660 [42 U.S.C. 11101 et seq.], authorizes the Secretary to establish a National Practitioner Data Bank (NPDB) to collect and release certain information relating to the professional competence and conduct of physicians, dentists, and other health care practitioners. This information is released only to specific entities described below. It requires the maintenance of records such as medical malpractice payments, adverse licensure and clinical privilege actions, disciplinary actions taken by Boards of Medical Examiners, and professional review actions taken by health care entities against physicians, dentists, and other healthcare practitioners. Section 1921 of the Social Security Act, as amended by Section 5(b) of the Medicare and Medicaid Patient and Program Protection Act of 1987 (MMPPPA), and as amended by the Omnibus Budget Reconciliation Act of 1990 (OBRA), expands reporting to the NPDB to authorize maintenance of records of adverse licensure actions and the results of formal proceedings by a State licensing authority, peer review organization, or private accreditation entity against all healthcare practitioners or healthcare entities.

Purpose(s):

The purpose of the system is to: (1) Receive information such as adverse licensure actions on all healthcare practitioners or entities, clinical privileges and professional society membership actions on physicians and dentists based on professional competence and conduct, medical malpractice payment history on all health care practitioners, as well as the results of formal proceedings by a State authority, peer review organization or private accreditation organization concluded against any health care practitioner or entity; (2) store such reports so that future queriers may have access to pertinent information regarding the review of a health care practitioner and/or a healthcare entity in their process of making important decisions related to the delivery of health care services; and (3) disseminate such data to entities that qualify to receive the reports under the governing statutes as authorized by the Health Care Quality Improvement Act of 1986 and Section 1921 of the Social Security Act to protect the public from unfit practitioners from providing patient care.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

Information shall be disclosed to:

1. Hospitals requesting information on adverse licensure actions, medical malpractice payments or exclusions from Medicare and Medicaid programs taken against all licensed healthcare practitioners such as physicians, dentists, nurses, podiatrists, chiropractors, and psychologists, among many. The information is accessible to both public and private sector hospitals who can request information concerning a physician, dentist or other health care practitioner who is on its medical staff (courtesy or otherwise) or who has clinical privileges at the hospital, for the purpose of: (a) Screening the professional qualifications of individuals who apply for staff positions or clinical privileges at the hospital; and (b) meeting the requirements of the Health Care Quality Improvement Act of 1986, which prescribes that a hospital must query the Data Bank once every 2 years regarding all individuals on its medical staff or who hold clinical privileges.

2. Other health care entities, as defined in 45 CFR 60.3, to which a physician, dentist or other health care practitioner has applied for clinical privileges or appointment to the medical staff or who has entered or may be entering an employment or affiliation relationship. The purpose of these disclosures is to identify individuals whose professional conduct may be unsatisfactory.

3. A health care entity with respect to professional review activity. The purpose of these disclosures is to aid health care entities in the conduct of professional review activities, such as those involving determinations of whether a physician, dentist, or other health care practitioner may be granted membership in a professional society; the conditions of such membership, or of changes to such membership; and ongoing professional review activities conducted by a health care entity which provides health care services, of the professional performance or conduct of a physician, dentist, or other health care practitioner.

4. A State healthcare practitioner and/or entity licensing or certification authority can request information expanded by Section 1921 of the Social Security Act in conducting a review of all healthcare practitioners or health entities. A State healthcare practitioner and entity licensing or certification authority may also request information when making licensure determinations about healthcare practitioners and entities. The purpose of these disclosures is to aid the board or certification authority in meeting its responsibility to protect the health of the population in its jurisdiction, by identifying individuals whose professional performance or conduct may be unsatisfactory.

5. Federal and State health care programs (and their contractors) can request information reported under Section 1921 of the Social Security Act. The purpose of these disclosures is to aid Federal and State health programs to ensure the integrity and professional competence of affiliated health care practitioners and uncovering information needed to make appropriate decisions in the delivery of healthcare.

6. State Medicaid Fraud Control Units (MFCUs) can request information reported under Section 1921 of the Social Security Act to assist with investigating fraud and prosecution of healthcare practitioners and providers in the administration of the Medicaid programs.

7. U.S. Comptroller General can request information reported under Section 1921 of the Social Security Act to assist in determining the fitness of individuals to provide healthcare services, and protect the health and safety of individuals receiving health care through programs who employ these individuals.

8. U.S. Attorney General and other law enforcement agencies can request information reported under Section 1921 of the Social Security Act to assist with healthcare investigations involving healthcare practitioners and healthcare entities. The purpose of the disclosure would assist in determining the fitness of individuals to provide healthcare services, and protect the health and safety of individuals receiving health care through programs who employ these individuals.

9. Utilization and quality control Peer Review Organizations and those entities which are under contract with the CMS can request information reported under Section 1921 of the Social Security Act to protect and improve the quality of care for Medicare beneficiaries when performing quality of care reviews and other related activities.

10. A physician, dentist, or other health care practitioner can request information concerning himself or herself.

11. An entity that has been reported on may query the system to receive information concerning itself.

12. A person or entity can request statistical information, in a form which does not permit the identification of any individual or entity. An example of this disclosure involves researchers who may use statistical information to identify the total number of nurses with adverse licensure actions in a specific State.

13. An attorney, or individual representing himself or herself, who has filed a medical malpractice action or claim in a State or Federal court or other adjudicative body against a hospital, and who requests information regarding a specific physician, dentist, or other health care practitioner who is also named in the action or claim provided that: (a) This information will be disclosed only upon the submission of evidence that the hospital failed to request information from the Data Bank as required by law; and (b) the information will be used solely with respect to litigation resulting from the action or claim against the hospital. The purpose of these disclosures is to permit an attorney (or a person representing himself or herself in a medical malpractice action) to have information from the Data Bank on a health care practitioner, under the conditions set out in this routine use.

14. Any Federal entity, employing or otherwise engaging under arrangement (e.g., such as a contract) the services of a physician, dentist, or other health care practitioner, or having the authority to sanction such practitioners covered by a Federal program, which: (a) Enters into a memorandum of understanding with HHS regarding its participation in the Data Bank; (b) engages in a professional review activity in determining an adverse action against a practitioner; and (c) maintains a Privacy Act system of records regarding the health care practitioners it employs, or whose services it engages under arrangement. The purpose of such disclosures is to enable hospitals and other facilities and health care providers under the jurisdiction of Federal agencies such as the Public Health Service, HHS; the Department of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; and the Bureau of Prisons, Department of Justice, to participate in the Data Bank. The Health Care Quality Improvement Act of 1986 includes provisions regarding the participation of such agencies and of the DEA.

15. In the event of litigation where the defendant is: (a) The Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to affect directly the operation of the Department or any of its components; or (c) any Department employee in his or her individual capacity where the Department of Justice has agreed to represent such employee, for example in defending a claim against the Public Health Service based upon an individual's mental or physical condition and alleged to have arisen because of activities of the Public Health Service in connection with such individual, disclosures may be made to the Department of Justice to enable the Department to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected.

16. The contractor, SRA International Inc., accesses the system to operate and maintain it. These functions include but are not limited to providing continuous user availability, develop system enhancements, upgrade of hardware and software, security information assurance, and system backups.

17. To appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

Records are maintained on database servers with disk storage, optical jukebox storage, backup tapes and printed reports.

Retrievability:

Records are retrieved by name, date of birth, Social Security number, educational information, and license number. The matching algorithm uses these data elements to match reports to the subject.

Safeguards for Accessing Records:

1. Authorized Users include internal users such as the government and contractor personnel staff who support the Data Banks and are required to obtain favorable adjudication for a Level 5 Position of Public Trust. New employees of the NPDB and the contractor must attend security training, sign a Non-Disclosure Agreement, and sign the Rules of Behavior which is renewed annually. Authorized users are given role-based access to the system on a limited need-to-know basis. All physical and logical access to the system is removed upon termination of employment. External users, who are responsible for meeting Title IV reporting and/or querying requirements to the Data Banks, are responsible for determining their eligibility to access the Data Banks through a self-certification process which requires completing an Entity Registration form. All external users must acknowledge the Rules of Behavior. All external users must re-register every two years to access the Data Banks. Both HRSA and the contractor maintain lists of authorized users.

2. Physical Safeguards involve physical controls that are in place 24 hours a day/7 days a week such as identification badge access, cipher locks, locked hardware cages, man trap with biometric hand scanner, security guard monitoring, and closed circuit TV. All sites are protected with fire and environmental safety controls.

3. Technical Safeguards include firewalls, network intrusion detection, host-based intrusion detection and file integrity monitoring, user identification, and passwords restrictions. All web-based traffic is encrypted using 128 bit SSL and all network traffic is encrypted internally.

4. Administrative Safeguards involve certification and accreditation that is required every three years, which authorizes operation of the system based on acceptable risk. Security assessments are conducted continuously throughout the year to verify compliance with all required controls.

Retention and Disposal of records:

HRSA is working with NARA to obtain the appropriate retention value.

System Manager(s) and Address:

Director, Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, Room 8-103, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

Notification Procedure:

Information is available upon request, to the persons or entities, or to the authorized agents in such form or manner as the Secretary prescribes. The subject of a report is notified via U.S. mail when a record concerning the individual is submitted to the Data Bank via Subject Notification Document (SND).

Requests by Mail:

Practitioners may submit a “Request for Information Disclosure” to the address under system location for any report on themselves. The request must contain the following: Name, address, date of birth, gender, Social Security Number (optional), professional schools and years of graduation, and the professional license(s). For license, include: The license number, the field of licensure, the name of the State or Territory in which the license is held, and DEA registration number(s). The practitioner must submit a signed and notarized self-query request.

Penalties for Violation:

Submitting a request under false pretenses is a criminal offense and subject to a civil monetary penalty of up to $11,000 for each violation.

Requests in Person:

Due to security considerations, the Data Bank cannot accept requests in person.

Request by Telephone:

Practitioners may provide all of the identifying information stated above to the Data Bank Customer Service Center operator. Before the data request is fulfilled, the operator will return a paper copy of this information for verification, signature and notarization.

Record Access Procedures:

Request for access of records in the Data Bank may be completed online at: http://www.npdb-hipdb.hrsa.gov. The requests are submitted over the web using the Integrated Query and Reporting Service (IQRS), Query and Reporting Extensible Markup Language Service (QRXS), Interface Control Document (ICD) Transfer Program (ITP) or the Proactive Disclosure Service (PDS). Self-query, as described previously, may be initiated via the electronic system and is completed using the conventional mail system. Requesters, including self-queries, will receive an accounting of disclosure that has been made of their records, if any.

Contesting Record Procedures:

The Data Bank routinely mails a copy of any report filed in it to the subject individual. A subject individual may contest the accuracy of information in the Data Bank concerning himself or herself and file a dispute. To dispute the accuracy of the information, the individual must contact the Data Bank and the reporting entity to: (1) Request for the reporting entity to file correction to the report; and (2) request the information be entered into a “disputed” status and submit a statement regarding the basis for the inaccuracy of the information in the report. If the reporting entity declines to change the disputed report or takes no actions, the subject may request that the Secretary of HHS review the disputed report. In order to seek a Secretarial Review, the subject must: (1) Provide written documentation containing clear and brief factual information regarding the information of the report; (2) submit supporting documentation or justification substantiating that the reporting entity's information is inaccurate; and (3) submit proof that the subject individual has attempted to resolve the disagreement with reporting entity but was unsuccessful. The Department can only determine whether the report was legally required to be filed and whether the report accurately depicts the action taken and the reporter's basis for action. Additional detail on the process of dispute resolution and Secretarial Review process can be found at 45 CFR § 60.14 of the Data Bank regulations.

Record Source Categories:

The records contained in the system are submitted by the following entities: (1) Insurance companies and others who have made payment as a result of a malpractice action or claim, (2) State Boards of Medical and Dental Examiners; (3) State Licensing Boards; (4) hospitals and other health care entities; (5) DEA; and (6) Federal entities which employ health practitioners or who have authority to sanction such practitioners covered by a Federal program. Section 1921 of the Social Security Act expands reporting of actions submitted by State health care practitioner licensing and certification authorities (including medical and dental boards), State entity licensing and certification authorities, peer review organizations and private accreditation organizations.

Systems exempted from Certain Provisions of the Act:

None.

[FR Doc. 2010-24568 Filed 9-30-10; 8:45 am]

BILLING CODE 4160-15-P