Health care programs; fraud and abuse: Health Insurance Portability and Accountability Act— Data collection program; final adverse actions reporting

[Federal Register: October 26, 1999 (Volume 64, Number 206)]

[Rules and Regulations]

[Page 57739-57764]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr26oc99-22]

Part IV

Department of Health and Human Services

Office of the Secretary

Office of Inspector General

45 CFR Part 61

Health Care Fraud and Abuse Data Collection Program: Reporting of Final Adverse Actions; Final Rule

RIN 0906-AA46

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Final rule.

SUMMARY: This final rule establishes a new CFR part to implement the statutory requirements of section 1128E of the Social Security Act, as added by section 221(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Section 221(a) of HIPAA specifically directs the Secretary to establish a national health care fraud and abuse data collection program for the reporting and disclosing of certain final adverse actions taken against health care providers, suppliers and practitioners, and to maintain a data base of final adverse actions taken against health care providers, suppliers and practitioners.

EFFECTIVE DATE: This rule is effective on October 26, 1999.

FOR FURTHER INFORMATION CONTACT: Thomas C. Croft, Director, Division of Quality Assurance, Bureau of Health Professions, Health Resources and Services Administration, (301) 443-2300.

SUPPLEMENTARY INFORMATION:

  1. Background

    The Healthcare Integrity and Protection Data Bank

    On October 30, 1998, the Office of Inspector General (OIG) published a proposed rule in the Federal Register (63 FR 58341) designed to implement the statutory requirements of section 1128E of the Social Security Act (the Act), as added by section 221(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Section 221(a) of HIPAA specifically directs the Secretary to establish a national health care fraud and abuse data collection program for the reporting and disclosing of certain final adverse actions taken against health care providers, suppliers and practitioners, and to maintain a data base of final adverse actions taken against health care providers, suppliers and practitioners. Final adverse actions include: (1) Civil judgments against a health care provider, supplier, or practitioner in Federal or State court related to the delivery of a health care item or service; (2) Federal or State criminal convictions against a health care provider, supplier or practitioner related to the delivery of a health care item or service; (3) actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers or practitioners; (4) exclusion of a health care provider, supplier or practitioner from participation in Federal or State health care programs; and (5) any other adjudicated actions or decisions that the Secretary establishes by regulation. Settlements in which no findings or admissions of liability have been made will be excluded from reporting. Access to this new data bank is limited to Federal and State Government agencies and health plans. Reporting is limited to these same groups. Health care providers, suppliers and practitioners may self query the data bank, but have no reporting responsibilities. 

    The Act also requires the Secretary to implement the national health care fraud and abuse data collection program in such a manner as to (1) assure that the privacy of individuals is maintained; (2) establish reasonable fees for disclosure of information to recover full operating costs; and (3) avoid duplication with the reporting requirements established for the National Practitioner Data Bank (NPDB). This new data bank is known as the Healthcare Integrity and Protection Data Bank (HIPDB).

  2. Summary of the Proposed Rule

    The proposed regulations published on October 30, 1998 were developed to establish a new 45 CFR part 61 to implement the requirements for reporting of specific data elements to, and procedures for obtaining information from, the HIPDB (and are applicable to Federal and State Government agencies and health plans). Set forth below is a description of the major provisions of the proposed rule, including, among other things, proposed definitions for certain terms associated with the HIPDB, a discussion of the specific reporting requirements and when such information must be reported, the fees applicable to requests for information, the issues of the confidentiality of information, and how to dispute the accuracy of information in the HIPDB.

    Provisions of the Proposed Rule

    1. Definitions

    The proposed regulations expanded on previous regulatory definitions and clarified aspects of a number of terms set forth in the statute. The clarifications served to provide additional examples of the scope of the statutory definitions, but did not go beyond congressional intent. The proposed rule specifically set forth definitions for the terms ``affiliated or associated;'' ``Government agency;'' ``health care provider;'' ``health care supplier;'' ``health plan;'' ``licensed health care practitioner, licensed practitioner and practitioner;'' and ``other adjudicated actions or decisions.''

    2. When Information Must Be Reported

    The proposed regulations sought to establish the time frame for submitting reports to the HIPDB. As proposed, information would be submitted to the HIPDB (1) within 30 calendar days from the date the final adverse action was taken or the date when the reporting entity became aware of the final adverse action, or (2) by the close of the entity's next monthly reporting cycle, whichever is later. The date the final adverse action was taken, its effective date and duration of the action would all be contained in the information reported to the HIPDB.

    We also proposed a list of ``mandatory'' data elements, as well as data elements that must be reported to the data bank ``if known.'' We note that section 1128E(b)(2)(A) of the Act mandates that Federal and State Government agencies and health care plans collect and report Social Security Numbers and Federal Employer Identification Numbers for the purposes of reporting to the HIPDB.

    3. Reporting Errors, Omissions, Revisions and Actions on Appeal

    In Sec. 61.6 of the proposed regulations, we indicated that if any errors or omissions in the final adverse action are discovered after the information has been reported, the person or entity that reported such information must send an addition or correction to the HIPDB within 60 calendar days of the discovery. We also proposed that any revision to the action or to appeal status must similarly be reported within 30 calendar days after the reporting entity learns of such revision or appeal. In turn, we proposed that each subject of a report will receive a copy when it is entered into the HIPDB and a copy of all revisions and corrections to the report. This is an opportunity only for the reporting entity to correct any errors or omissions in the information, not for the subjects to request re-adjudication of their cases.

    4. Reporting Licensure Actions Taken by Federal or State Licensing and Certification Agencies

    In proposed Sec. 61.7, we addressed the reporting of licensure actions taken by Federal and State licensing and certification agencies. We proposed defining the phrase ``any other negative action or finding'' by a Federal or State licensing and certification authority to mean any action or finding that is publicly available and rendered by a licensing or certification authority. These actions or findings include, but are not limited to, imposition of civil money penalties (CMPs) and administrative fines, limitations on the scope of practice, injunctions and forfeitures. As indicated in the proposed rule, this definition included final adverse actions occurring in conjunction with settlements in which no findings or admissions of liability have been made, and that would otherwise be reportable under the statute.

    The statute also requires the reporting of a health care provider, supplier or practitioner who voluntarily surrenders a license or certification. Based on extensive discussions with various State agencies, we were advised that voluntary surrender and non-renewal of licensure and provider participation agreements are not infrequently used as means to exclude questionable health care providers, suppliers and practitioners from participating in Federal and State health care programs. These voluntary surrenders and non-renewal actions result in allowing questionable health care providers, suppliers or practitioners to move from State to State without the new State licensing agency becoming aware of the true nature of the action in the prior licensing State. Therefore, for reporting purposes, we proposed that the term ``voluntary surrender'' include a surrender made after a notification of investigation or a formal official request by Federal or State licensing or certification authorities for a health care provider, supplier or practitioner to surrender the license or certification (including certification agreements or contracts for participation in Federal or State health care programs). This proposed definition also included those instances where a health care provider, supplier or practitioner voluntarily surrenders a license or certification (including program participation agreements or contracts) in exchange for a decision by the licensing or certification authority to cease an investigation or similar proceeding, or in return for not conducting an investigation or proceeding, or in lieu of a disciplinary action.

    We recognized that many voluntary surrenders are not a result of the types of adverse actions that are intended for inclusion in the HIPDB. Therefore, we proposed that voluntary surrenders and licensure non-renewals due to nonpayment of licensure fees, changes to inactive status, and retirement be excluded from reporting to the HIPDB unless they are taken in combination with one or more of the circumstances listed above (in which case they would be reportable).

    5. Reporting Federal or State Criminal Convictions Related to the Delivery of a Health Care Item or Service

    In proposed Sec. 61.8, we stated that Federal and State law enforcement and investigative agencies would be required to report criminal convictions against health care providers, suppliers or practitioners. Consistent with section 1128E(g)(1)(A)(ii) of the Act, we also proposed that criminal convictions unrelated to the delivery of health care items or services would not be reported under this section.

    6. Reporting of Civil Judgments in Federal or State Court Related to the Delivery of a Health Care Item or Service

    In proposed Sec. 61.9, we put forth that Federal and State law enforcement and investigative agencies and health plans be required to report civil judgments related to the delivery of a health care item or service (except those resulting from medical malpractice) against health care providers, suppliers or practitioners. The proposed rule indicated that civil judgments must be entered or approved by a Federal or State court. We also proposed that this reporting requirement would not include Consent Judgments that have been agreed upon and entered to provide security for civil settlements in which there was no finding or admission of liability.

    7. Reporting Exclusion From Participation in Federal or State Health Care Programs

    In proposed Sec. 61.10, we stated that the OIG would be required to report health care providers, suppliers or practitioners excluded from participating in Federal or State health care programs. We also proposed that this section include exclusions made in a matter in which there also was a settlement even though the settlement itself is not reported because no findings or admissions of liability had been made.

    8. Reporting Other Adjudicated Actions or Decisions

    In proposed Sec. 61.11, we proposed that Federal and State agencies and health plans be required to report other adjudicated actions or decisions. Although not specifically required by the statute, we proposed that ``any other adjudicated actions or decisions'' should relate to the delivery of a health care item or service, as do criminal convictions and civil judgments collected under the statute. We also proposed in this section that a due process mechanism be available with all adjudicated actions or decisions. In the proposed rule, we provided examples of an adjudicated action or decision to include, but not be limited to:

    - Orders by an administrative law judge;

    - CMPs and assessments;

    - Revocations, debarments or other restrictions from participating in Federal or State government contracts or programs;

    - Liquidation, dissolution, cancellation or revocation of a professional license; or

    - Limitations on either clinical privileges or staff privileges by a health plan.

    9. Fees Applicable to Requests for Information

    Proposed Sec. 61.13 addressed fees applicable to all requests for information from the HIPDB. In accordance with this proposed section, fees to be charged would be based on the full costs of operating the database, as authorized in section 1128E(d)(2) of the Act; criteria for assessing fees would be based on the guidelines set forth in OMB Circular A-25. These costs would encompass all direct and indirect costs of providing such information, including but not limited to:

    - Direct and indirect personnel costs;

    - Physical overhead, consulting, and other indirect costs;

    - Agency management and supervisory costs; and

    - Costs of enforcement, collection, research, establishment, regulations and guidance.

    For maximum efficiency, we proposed that the HIPDB be an all-electronic system, with all fees collected through the most cost-effective methods (such as credit card and electronic funds transfer). The Act exempts Federal agencies from these fees.

    10. Confidentiality of HIPDB Information

    In proposed Sec. 61.14, we stated that the confidentiality requirements would apply to all information obtained from the HIPDB. The confidentiality requirements are clearly specified in sections 1128E(b)(3) and (d)(1) and 1128C(a)(3)(B)(ii) of the Act. Specifically, section 1128E(b)(3) of the Act requires the Secretary to protect the privacy of individuals receiving health care services when determining what information is required. Section 1128E(d)(1) of the Act requires that information in the HIPDB will be available to Federal and State Government agencies and health plans. Section 1128C(a)(3)(B)(ii) of the Act requires the Secretary to assure that HIPDB information is provided and utilized in a manner that appropriately protects the confidentiality of the information. We proposed that information from this system be confidential and disclosed only for the purpose for which it was provided. We also proposed that appropriate uses of the information would include the prevention of fraud and abuse activities and improving the quality of patient care. This proposed provision did not go beyond the requirements set forth in the Act. The proposed requirements would not prevent an authorized user from sharing information from the HIPDB within the entity that requested it, as long as the information is used solely for the purpose for which it was provided. However, in accordance with section 1128E(b)(3) of the Act, we proposed that information obtained by a Government contractor, e.g., a Medicare carrier, an intermediary or auditor, may only be used in the furtherance of its contractual responsibilities.

    11. How To Obtain Access to, and Dispute the Accuracy of, HIPDB Information

    The proposed regulations outlined the procedures for obtaining access to a report, submitting a statement, filing a dispute, and revising disputed information in a previously submitted report. These procedures are basically comparable to, or more generous than, procedures established in the Department's Privacy Act regulations at 45 CFR part 5b. The Secretary has exempted the HIPDB from those Privacy Act requirements in order to establish a more comprehensive and generous notification, access and correction procedure. While these procedures basically are comparable to similar provisions in the Privacy Act, these procedures include significant rights in addition to those set forth in the Privacy Act. For example, when a HIPDB report is created or amended, we automatically provide subjects a copy of the report. Subjects may also file a statement of disagreement with a report as soon as the report is filed, rather than at the end of an appeal process, as under the Privacy Act.

    In addition, we proposed that the subject of a report may dispute only the factual accuracy of the information contained in the HIPDB report concerning the individual or entity. As indicated in the proposed rule, the dispute process would afford the subject an opportunity to bring relevant factual information, including reversals of criminal convictions by an appeals court, to the attention of the reporter. The proposed dispute process would be consistent with that for the NPDB.

    12. Sanctions for Failure To Report

    We incorporated the new CMP sanctions provision for failure to report information to the data bank, as set forth in section 4331 of Public Law 105-33, the Balanced Budget Act of 1997. In the proposed rule, we indicated that any health plan that fails to report information on a final adverse action that is required to be reported would be subject to a CMP of not more than $25,000 for each such adverse action not reported. Such penalties would be imposed and collected in the same manner as other CMPs under section 1128A of the Act.

  3. Summary and Response to Public Comments

    As we have noted, the statute upon which the proposed regulations were drafted is quite broad and affords the Secretary numerous areas of discretionary authority on which we sought the benefit of public comment and input. The proposed rule set forth a 60-day public comment period ending December 29, 1998. On December 30, 1998, we extended the comment period for the proposed rule by an additional 2 weeks until January 11, 1999 (63 FR 71819). As a result, we received a total of 117 timely-filed public comments from Federal and State law enforcement agencies; health care practitioner and provider licensing boards, health departments, private attorneys representing health care providers, suppliers and practitioners; and various health plans, health plan associations, hospitals, professional associations, health care practitioners and other individuals and entities. Based on review of the statute and the assessment of public comments received, we believe the final regulations implementing this authority fully and adequately balance the concerns of the Department with those expressed by outside individuals and entities.

    Set forth below is an overview of the various comments and recommendations received and our responses to those concerns. Section IV. of this preamble sets forth a summary of the specific revisions and clarifications to be made to the final regulations as a result of those comments.

    1. Scope and Intent of the HIPDB

      Comment: A principal concern raised in the majority of comments was the interpretation of what constitutes the reporting threshold for all final adverse actions under the term ``health care fraud and abuse.'' Many commenters believed that the OIG broadened the definitions and criteria unnecessarily for reportable actions, well beyond a ``health care fraud and abuse'' data collection system. Specifically, these commenters only wanted actions involving health care related fraud and abuse reported to the HIPDB.

      Response: It is clear from reviewing the statutory language of the implementing Act, and the legislative history (such as congressional conference reports), that the HIPDB is not merely about establishing an information collection system. Rather, it is directed at combating fraud and abuse in a broader scope. Congress used the term health care fraud and abuse only once in the provision's opening paragraph for purposes of naming the data collection program. The term does not appear elsewhere, especially with regard to limiting the scope of reportable actions. Instead, Congress defined reportable ``final adverse actions'' by specifying a finite list of actions. These actions include civil judgments related to the delivery of a health care item or service; Federal or State criminal convictions related to the delivery of a health care item or service; actions taken by Federal or State licensing or certification agencies; exclusions from participation in Federal or State health care programs; and any other adjudicated actions or decisions taken by a Federal or State Government agency or health plan. To limit the adverse actions collected by the data bank to only those that are based on health care fraud and abuse would create a data bank that does not fully capture the types of reports that Congress clearly intended to be collected in accordance with the statute.

      The term ``health care fraud and abuse,'' as used in the statute, merely represents congressional intent that the HIPDB support efforts to prevent such activities. To limit actions collected only to those based on fraud and abuse would deny investigators, Government contracting officers, health plans and others the reports which are necessary to effectively research the relevant backgrounds of potential providers, suppliers and practitioners. As indicated by one State licensing board, narrowing the scope of reportable actions may create an even greater burden on reporters to screen out final adverse action based solely on health care fraud and abuse. Accordingly, the definition related to final adverse actions, as well as the definitions of health care provider, supplier and practitioner, represent the statutorily-mandated reporting criteria for the HIPDB--and is not limited to health care fraud and abuse. It has been our goal to establish a complete and comprehensive data bank that effectively deters health care fraud and abuse in the health care industry, while promoting quality health care and protecting the public. A further discussion of the term ``health care fraud and abuse'' is contained in section III. B. 6. of this preamble.

    2. Section-by-Section Analysis of Issues

      Section 61.1 The Healthcare Integrity and Protection Data Bank

      Comment: Several commenters viewed the regulations, in general, as overly-broad and complex. Two commenters stated that information reported to the HIPDB should be directly related to health care fraud and abuse (see discussion regarding the definition of ``health care fraud and abuse'' in the discussion of Sec. 61.3 later in this section of this preamble). Another commenter expressed concern that the HIPDB would contain data on individuals who have not committed fraud. This commenter and others believed that the OIG will establish a vast system not targeted to identify truly egregious individuals and entities.

      Response: We disagree with these comments. As indicated in the proposed rule and in the summary section above in this preamble, we believe this rulemaking and the HIPDB clearly focus on specific final adverse actions taken against individuals and entities, and that those actions relate to these actions that could be defined as ``health care fraud and abuse.'' We believe these implementing regulations and the data bank are consistent with statutory intent and are properly targeted at capturing specific types of information relevant to the HIPDB's intended purpose.

      Section 61.3 Definitions

      1. Affiliated or Associated

      Comment: With regard to the definition and application of the term ``affiliated or associated,'' several commenters stated that the proposed definition overreached the intent of the statute.

      Response: The OIG believes the definition supports congressional intent to enable authorized users who conduct fraud and abuse investigations to identify other business or commercial affiliations through which the subject may have committed other acts of wrongdoing, and to aid with subject identification, if the affiliation or association is known by the reporter.

      Comment: Several commenters requested the definition be refined to exclude irrelevant affiliations and associations. The commenters recommended that the definition be limited to (1) those entities in which the subject has a business interest, and (2) those associations having the power to revoke or suspend a license.

      Response: We agree that the definition and implementation of the term ``affiliated or associated'' set forth in the proposed rule may have resulted in some confusion. As a result, we are limiting the definition, in accordance with the first part of the commenters' concerns, to those health care entities in which the subject has a commercial interest.

      Comment: A number of commenters believed that the collection of this information set forth in the definition would be in violation of the Privacy Act, as it implies guilt by association.

      Response: The inclusion of an entity in this category by a reporter will in no way imply that the entity was a party to the act(s) or omission(s) that led to a reportable final adverse action. We believe that the revised definition will eliminate naming of professional affiliations or associations and the implied fear of invasion of privacy. We also note only individuals, not entities (even if the entity is an individual professional corporation), are protected by the Privacy Act.

      Comment: One commenter believed that ``affiliated or associated'' entities should be included only if such entities had an active role in the underlying sanction. Another commenter stated the names of ``affiliated or associated'' entities should be expunged after an investigation that determined there was no involvement by the affiliation or association entity. A third commenter believed that there would be increased liability for reporters as a result of the definition set forth for this term.

      Response: We believe limiting ``affiliations or associations'' to those health care entities with an active role in the underlying sanction, or removing the names after an investigation has determined there was no involvement by the affiliated or associated entity, would be contrary to the specific language of the statute. The statute explicitly requires that the names of affiliated or associated health care entities be reported. Involvement or non-involvement in the underlying action is irrelevant to this reporting requirement. Further, we do not agree that merely identifying an entity as being affiliated with the subject of a report somehow imputes wrongdoing to the affiliated entity, and a statement to this effect will be included in the data base report. There will be no independent identification of affiliated or associated entities in the HIPDB other than as part of a subject's report, unless the entity also has been the subject of a final adverse action. If it comes to the attention of a business entity that it is incorrectly identified in a subject's report as having a commercial business affiliation with the subject, then the business entity may avail itself of the same correction procedures that are available to the subject of a report. The affiliated entity first may ask the reporting agency or health plan to correct the subject's report. If the reporter declines to do so, the affiliated entity may request a correction to the subject's report by the Secretary. With respect to an increase in liability for reporters, the OIG is providing an immunity provision in the final rule that will alleviate any perceived increase in liability.

      Comment: One commenter requested that the HIPDB provide written notice to each entity listed as an ``affiliated or associated health care entity'' within a final adverse action report, and that the HIPDB offer an appeal process to these entities in the event that the entities are incorrectly reported.

      Response: The revised definition will require that a commercial relationship exist between the subject and the affiliate or associate. As we have previously noted, we believe that this data field in no way implies wrongdoing on the part of the reported affiliate or associate, and thus eliminates the need for these entities to be notified.

      2. Any Other Negative Action or Finding

      Comment: We received several comments regarding the manner in which the term ``any other negative action or finding'' was defined. Most of the commenters stated the proposed definition was too broad in nature and would create a tremendous burden on the reporters, especially if actions or findings pertaining to administrative fines and citations were to be included in the HIPDB. Several commenters expressed concern that there is a range of actions or findings taken that may or may not be the same from State to State and do not relate to health care per se (such as a practitioner fined for failure to provide a new address). The commenters requested that the OIG clarify and limit the definition of this term to actions that are directly connected to health care violations.

      Response: We agree with the commenters that there will be variation from State to State regarding the types of final actions taken against health care providers, suppliers and practitioners. However, the HIPDB is being designed as a ``flagging system'' that will contain information on actions taken in a particular State or program that are considered by the State or program to warrant attention. We intend the data to provide a summary of the actions taken against a health care provider, supplier or practitioner. In addition, we acknowledge that there are certain kinds of actions or findings that would not meet the intent of the legislation and should not be reportable. For instance, administrative actions, such as limited training permits, limited licenses for telemedicine, fines or citations that do not restrict a practitioner's practice, or personnel actions for tardiness, are not within the range of actions intended by the statute. As a result of these comments, we are modifying the final regulations to exclude administrative fines or citations, corrective action plans and other personnel actions unless they are (1) connected to the billing, provision or delivery of health care services, and (2) taken in conjunction with other licensure or certification actions such as revocation, suspension, censure, reprimand, probation, or surrender. For example, a nurse agreed to settle claims that he received Medicare and Medicaid reimbursement to which he was not entitled. As a result of this action, the State licensing board reprimanded the nurse and imposed a $5,000 fine. This action would be reportable.

      Comment: Several commenters expressed concern that the preamble language that indicated that ``settlements in which no findings or admissions of liability have been made will be excluded from reporting'' conflicted with the next sentence in that discussion, which read, ``However, any final adverse action that emanates from such settlements and consent judgments, and that would otherwise be reportable under the statute, is to be reported to the data bank.''

      Response: We agree that the statutory language is clear that settlement in which no findings of liability have been made will not be reportable to the HIPDB. However, if another action is taken against the provider, supplier or practitioner of a health care item or service, as a result of or in conjunction with the settlement, the second action is reportable. For example, a civil court settlement in which no finding against or admission of liability by a practitioner is made is not reportable. However, for example, if the State licensing board suspends the practitioner's license as a result of a civil court settlement, the licensing board must report the suspension of the license. Similarly, if the OIG excludes a provider, supplier or practitioner based on actions that were also the subject of a civil settlement in which no finding or admission of liability was made, the exclusion must be reported to the HIPDB.

      Comment: One commenter questioned whether non-practitioners, such as an executive director, should be reported to the HIPDB, while another commenter requested clarification on the reporting of actions pertaining to the handling of an impaired practitioner.

      Response: The OIG reiterates the statutory intent that any final action taken against a licensed or certified health care provider, supplier or practitioner by a Federal or State licensing or certification agency that is publicly available information is a reportable action. If, for example in the case of an executive director, he or she is licensed or certified as a health care provider, supplier or practitioner, then that individual will be subject to the HIPDB reporting requirements. If a Federal or State licensing agency takes a final adverse action that is publicly available information against an impaired practitioner, the final adverse action is reportable.

      3. Clinical Privileges

      Comment: Several commenters expressed concern that Congress never intended that clinical privilege actions would be reported to the HIPDB, particularly since such actions are already reported to the NPDB. Some commenters expressed a desire that clinical privileges suspensions only be reported when they are in effect for a period longer than 30 days, indicating that this limitation would parallel existing NPDB requirements for reporting of clinical privilege actions. Another commenter questioned why the proposed definition specifically mentioned physicians and dentists, when they believed the definition was to apply to all licensed health care practitioners.

      Response: The OIG agrees with these concerns and, as a result, the HIPDB will not collect data on clinical privileging actions. We note that clinical privileging actions are already collected by the NPDB. We believe that information on clinical privileging actions will not be of significant value to HIPDB queriers, since queriers who have a need for this information will already be accessing it through the NPDB. Accordingly, we are adding language to the definition of the term ``other adjudicated actions or decisions'' to specify that the reporting of clinical privileging actions is excluded.

      4. Exclusion

      Comment: One commenter raised a concern about the term ``exclusion'' and mistakenly applied the definition for this term to a reportable licensure action.

      Response: The OIG has clarified that the term ``exclusion'' applies only to debarment of an individual or entity from participation in any Federal or State health care related program; this term is only applicable to reporting exclusion from participation in Federal or State health care programs.

      5. Government Agency

      Comment: One commenter asserted that the definition of ``Government agency'' was too broad and potentially open-ended. The commenter requested clarification as to which agencies qualify as ``Federal and State agencies responsible for the licensing and certification of health care providers, suppliers and practitioners.'' A second commenter suggested that the definition of ``Government agency'' be amended to include all agencies authorized to investigate health care fraud.

      Response: We recognize the commenters' concerns and understand that regulatory boards and licensing programs vary from State to State. For this very reason, however, it is not possible for the OIG in this rulemaking to provide a listing of all agencies responsible for the licensing and certification of health care providers, suppliers and practitioners. In response to the proposed rule, we received only two comments from States that identified the agencies responsible for licensing. We believe that the definition of ``Government agency'' includes all agencies authorized to investigate health care fraud and abuse and, as a result, are making no changes to the final rule.

      6. Health Care Fraud and Abuse

      Comment: In general, comments reflected an assumption that the terms ``health care fraud'' and ``health care abuse'' defined the reporting criteria for all final adverse actions mandated by the statute. Specifically, commenters found the term ``health care fraud,'' when used in conjunction with the proposed preamble definition of ``health care abuse,'' to be too broad. Several commenters requested that definitions for health care fraud and abuse (and thus the nature of adverse actions collected) be limited to activities relating to financial violations, or require the reportable activities to meet a legal standard of fraud or abuse. One commenter stated that health care abuse should be limited to those actions against a health care system and not those relating to personal abuse. Other commenters believed that the terms should be combined into one definition. One State licensing agency requested specific guidance on whether all final adverse actions must be based on health care fraud and abuse to be reportable to HIPDB. The agency pointed out that only one percent of its adverse licensing actions would meet such a fraud and abuse reporting threshold. Three commenters did acknowledge and agree that the term ``health care abuse'' was properly described within the regulation and the statute as ``final adverse actions.''

      Response: By attempting to define the terms ``health care fraud'' and ``health care abuse'' in the proposed rule, we gave the erroneous impression to some readers that final adverse actions may not be reported to the data bank unless they are categorized by the reporter as being based upon ``health care fraud and abuse.'' That interpretation is too limiting. Congress intended that this data bank support efforts to prevent and combat health care fraud and abuse, and not merely catalogue adverse actions that reporters may choose to describe as arising from ``health care fraud and abuse.'' Restricting reportable final adverse actions to those specifically relating to health care fraud and abuse would eliminate the reporting of many relevant actions that are included in the statutory definition of ``final adverse actions.'' Accordingly, and as a result of the comments received, we are deleting the definition for the term ``health care fraud'' from the final rule and are opting not to define ``health care abuse.'' Instead, we defer to the statutory definition of ``final adverse actions'' as encompassing the range of actions to be reported.

      Comment: Several commenters requested changes to the ``health care fraud and abuse'' definition to narrow the range of actions, indicating that final adverse actions related to billing errors, benefits administration, payment and reimbursement issues, and quality of patient outcomes be excluded from the definition of ``health care fraud and abuse.''

      Response: There may be instances when billing errors, benefits administration, payment and reimbursement issues, and quality of patient outcomes meet the criteria and, therefore, will be reported. However, it is also foreseeable that certain of the aforementioned actions may not be final adverse actions and, therefore, not reportable. The OIG takes the position that any action is reportable to the data bank as long as the action meets the criteria of a ``final adverse action,'' as specified in the final rule.

      Comment: One commenter requested that ``health care fraud'' exclude offenses by health plans or insurance companies and be limited to offenses by health care providers, suppliers, or practitioners against health plans or health plan sponsors. Another commenter stated that the reporting of health care abuse should be optional and CMPs should not be imposed for failure to report. One commenter questioned the value of report data containing actions related to health care abuse since such actions may suggest a standard of measurement less than a court adjudication or administrative review panel finding.

      Response: The OIG believes that excluding organizations, such as health plans and insurance companies, would limit the effectiveness of the data bank to serve its intended function as a fraud and abuse prevention tool. We also believe that the intent of the statute is clear that all final adverse actions taken against a health care provider, supplier or practitioner must be reported to the HIPDB, and that failure to report such actions may result in the imposition of a CMP.

      7. Health Care Provider

      Comment: Several commenters indicated that the definition of ``health care provider'' was too broad and complex, and suggested as an alternative that the OIG use the definition set forth in section 1861(u) of the Act. Two commenters objected to the inclusion of health care entities, such as health maintenance organizations (HMOs) in this definition. The commenters believed the definition for this term was conflicting, since health care entities could be potential subjects of the HIPDB as well as reporting entities. One commenter stated that most States did not take compliance actions against these types of entities.

      Response: Since Congress elected not to define ``health care provider'' in the Act, we believe the congressional intent was for this term to be defined broadly. There is no inherent conflict in health care entities being potential subjects of the HIPDB, as well as reporting entities. This is entirely consistent with the intent of the Act.

      8. Health Care Supplier

      Comment: The majority of commenters responding to the definition of ``health care supplier'' stated that the definition went beyond statutory authority and could allow inappropriate access to information. For example, several commenters noted that the definition included both direct and indirect providers of health care items and services. Several commenters recommended the definition be limited to suppliers as defined in section 1861(s) of the Act, and believed that the definition should not include health insurance or benefits providers, such as insurance agents, brokers, solicitors, consultants and reinsurance intermediaries. Other commenters pointed out that to broadly include health insurance or benefit providers in the definition of supplier also could have the effect of including nearly all public and private employers as the potential subjects of reports. These commenters requested that suppliers be limited to those who directly provide covered items or services to beneficiaries, or who directly receive reimbursement from a health care program.

      One commenter requested that reportable subjects not be limited to practitioners, providers and suppliers, but rather encompass all individuals and entities involved in health care fraud, including beneficiaries, Government and private employees, managed care marketers and any individual who is responsible for the actions of an entity. One commenter requested clarification of the term ``subject.''

      Response: We disagree with the contention of some commenters that Congress intended to collect final adverse action information only on direct providers of items or services covered by a health care program or plan. Such a definition would exclude many entities that are the subject of health care fraud and abuse investigations and actions. The OIG believes that the intent of Congress was to have a broad interpretation of the terms supplier, practitioner and provider. For example, Congress did define the terms ``health care practitioner'' and ``health care provider'' elsewhere in the statute, yet it did not specifically apply these definitions to the HIPDB. The term ``health care supplier'' is defined in these regulations to capture all final adverse actions relating to the delivery of a health care item or service. Accordingly, the OIG is electing to keep both direct and indirect suppliers in the definition of ``health care supplier.'' Including indirect suppliers in the definition also is consistent with the definition of ``supplier'' used in the regulations implementing OIG exclusion authorities resulting from HIPAA (63 FR 46676; September 2, 1998).

      However, we do not intend to include in the definition of ``supplier'' all public and private employers, unless they are self-insured for health care coverage. The definition will still include health plans, consultants, health insurance producers, agents, brokers and reinsurance intermediaries. On the other hand, the definition will not include businesses that merely provide their employees with health insurance coverage through a contract with a health insurance producer or a health plan. Therefore, in response to the concerns raised by the various commenters, we have modified the definition of ``health care supplier'' to clarify and limit its scope. Accordingly, we are replacing the proposed language with the term ``health plan'' and are inserting additional language excluding employers, unless they are self-insured.

      In response to the request that reporting be expanded beyond health care providers, suppliers and practitioners, we note that individuals or entities can only be subjects of HIPDB reports if final adverse actions were taken against them. Beneficiaries are not included in that category. For the purposes of this regulation, the term ``subject'' means a health care provider, supplier or practitioner upon whom a reportable final adverse action was taken.

      Comment: Two commenters indicated that States' burden of reporting would be increased since States do not regulate or collect data about many of the types of entities included in the supplier definition.

      Response: The OIG reiterates that only final adverse actions, as specified in the statute and these regulations, taken against health care providers, suppliers and practitioners are reportable. Such actions are to be reported by the organization taking the action. The specific data required to be reported and responses to comments regarding the reporting burden are addressed below in response to comments on the regulatory impact statement.

      9. Health Plan

      Comment: With regard to the proposed definition of the term ``health plan,'' commenters stated the definition is too broad, and suggested that the OIG use the definition as set forth in section 1128E of the Act, which incorporates the definition set forth in section 1128C(c) of the Act.

      Response: The OIG maintains that the statutory intent of the definition was not meant to be exclusive or exhaustive. The OIG interprets congressional use of the word ``includes'' in the statutory definition as an indication that additional entities may be recognized as ``health plans'' if they meet the basic definition of ``providing health benefits.'' Therefore, we will continue to use a broad definition. The statutory language indicates that Congress intended that ``guarantors of payment'' for health care services and items, including ``self insured employers'' who are often the subjects of health care fraud, have access to HIPDB information. The OIG believes that limiting the definition to the language of the statute would not provide a workable basis for organizations and those who provide health care services to appropriately determine their reporting responsibilities under the statute. In response to one commenter's recommendation to make the definition more inclusive, we are providing further clarification and modifying the proposed definition.

      Comment: One commenter requested an exclusion be provided within the definition for direct reimbursements of an employee, stating there is no relationship between the employer who provides the reimbursement and the practitioner who provides the service.

      Response: As revised, the definition of the term ``health plan'' reflects the variety of benefit plans with a wide range of organizations, groups and individuals that currently offer such health benefits that would include direct reimbursement. Given this change, we believe any further revision is not necessary.

      Comment: One commenter believed that State-sponsored workman's compensation programs should be included as an example of a health plan.

      Response: It is our intention that State-sponsored workman's compensation programs be covered under the regulations, and we believe the definition, as written, includes such programs, although not stated explicitly.

      Comment: Two commenters stated the proposed definition would cause confusion as to which entity is responsible for reporting the action, i.e., the employer providing the health care policy or the insurance corporation with whom the employer has contracted.

      Response: We are aware of the multiple structures under which a ``health plan'' may operate within an integrated health system. The final regulations state the entity taking the action is responsible for reporting the action to the HIPDB. The activity of reporting can be delegated to another entity, but the ultimate responsibility for the report will still lie with the entity taking the action.

      10. Licensed health care practitioner, licensed practitioner or practitioner

      Comment: Several commenters suggested that the definition for this term should be more specific and include additional practitioner groups not listed, such as occupational therapists and occupational therapists' assistants. The commenters recommended that by providing a comprehensive list of all practitioners and allied health personnel eligible to be possible subjects of reports to the HIPDB, the OIG would ensure that all States report consistently regardless of their differences in professional licensing categories.

      Response: We note that the meaning of the term ``licensed health care practitioner, licensed practitioner or practitioner'' is consistent with the definition in section 1128E(g)(2) of the Act. We added the phrase ``but not limited to'' before our listing in order to provide adequate leeway for the inclusion of other health care practitioners as each individual State develops its own reporting categories. While we recognize the benefits of conformity in reporting practices, we have chosen not to sacrifice State flexibility and authority in determining appropriate reporting categories. Even Federal definitions may vary as to ``categorizing'' health care workers. In section 1861(s) of the Act, for example, both physical and occupational therapists are listed under the definition of supplier.

      Comment: Other commenters requested clarification on how this definition will be interpreted in States with ``title protection statutes.'' Generally, title protection statutes only restrict the use of a title of a health care practitioner and not the actual practice or the delivery of the service itself. Under title protection statutes, an individual may practice the profession without a license, but may not use the title unless licensed by the regulatory board.

      Response: The definition, as written, is consistent with the statutory language. We recognize that ``title protection statutes'' may vary with each individual State. However, the statute only authorizes the collection of final adverse action information on an individual who is licensed or otherwise authorized by the State to provide health care services (including any individual who, without authority, holds himself or herself out to be so licensed or authorized by the State).

      11. Organization Name and Type

      Comment: We received several comments concerning the mandatory element of ``organization name and type.'' Some commenters stated that they did not collect this type of information, while others were unclear as to the meaning of this term.

      Response: As a result of these comments, we are clarifying this term by specifically adding a new definition in Sec. 61.3 for the terms ``organization name'' and ``organization type.''

      12. Other Adjudicated Actions or Decisions

      Comment: Commenters raised numerous issues concerning different aspects of the definition for the term ``other adjudicated actions or decisions.'' Several commenters stated that the proposed definition was too broad or burdensome, and extended beyond the scope of the statute. A number of commenters suggested that all reportable ``adjudicated actions or decisions'' should be related only to fraud.

      Response: The OIG believes that the range of reportable ``other adjudicated actions or decisions'' is not overly broad or beyond the scope of the Social Security Act, since the statutory language states that all final adverse actions must be reported. Furthermore, as indicated above, the statute does not define fraud and abuse; it only defines final adverse actions. To promote an effective system to aid in deterring fraud and abuse, we believe it is necessary to define this term more inclusively, as is contemplated by the statute.

      Comment: The criteria set forth for the term ``other adjudicated actions or decisions'' caused confusion for a majority of commenters. Specifically, commenters indicated that they were unclear as to the meaning of the phrase ``official action,'' and whether actions involving (1) honest billing errors or differences in medical judgment, (2) employment or personnel-related actions and (3) CMPs would be reportable under this definition.

      Response: In response to these concerns, we have restructured the definition to clarify that in order for a formal or official action to be reported under this provision it must meet the three criteria that it (1) is taken against a health care provider, supplier or practitioner by a Federal or State Governmental agency or a health plan; (2) includes the availability of a due process mechanism; and (3) is based on acts or omissions that affect or could affect the payment, provision or delivery of a health care item or service. We also made minor changes in the definition to provide further clarity about the types of actions that are excluded from the definition.

      Comment: Two commenters requested clarification regarding the imposition of CMPs for failure to report. One commenter requested voluntary reporting of other adjudicated actions, in the hopes of eliminating such penalties. Another commenter asks that we include an intent clause as a necessary element to apply CMPs.

      Response: We disagree with the commenter's alternative approach regarding voluntary reporting, which we believe to be inconsistent with Congress' intent in creating a CMP for failure to report. In accordance with the statutory language that requires such action, a health plan failing to report any ``other adjudicated actions or decisions'' could be assessed a CMP of not more than $25,000. The regulations implementing this CMP provision are not a direct part of this HIPDB implementing rule and are being addressed in specific detail through separate OIG final rulemaking directed toward new or revised exclusion and CMP authorities resulting from Public Law 105-33.

      Comment: One commenter requested clarification on whether all reportable adjudicated actions must be related to professional competence or conduct.

      Response: The term ``other adjudicated actions or decisions'' does not need to relate to professional competence or conduct. However, such actions must relate to the delivery of health care items or services.

      Comment: Several commenters stated the definition should be limited to final adverse actions involving a court or Government agency, in that reporting final adjudicated actions in which there was no finding of liability will discourage settlements; and adverse actions will vary from State to State, making it difficult to analyze or standardize the reporting process.

      Response: We believe that the statutory language is clear about which entities are required to report. Certain health plan actions will meet the criteria of ``other adjudicated actions or decisions,'' and, therefore, will be reportable. The statute also is clear that final actions resulting from settlements in which no findings of liability have been made are not reportable. The OIG recognizes the variation among States in the types of other adjudicated actions or decisions taken. We stress that the HIPDB is intended as a ``flagging system'' and that the information in the HIPDB should serve only to alert Federal and State agencies and health plans that there may be a problem with a particular provider's, supplier's or practitioner's background. The HIPDB information should be considered together with other relevant data in evaluating a provider's, supplier's or practitioner's background.

      A hallmark of any valid adjudicated action or decision is the availability of a due process mechanism. In general, if an ``adjudicated action or decision'' follows an agency's established administrative procedures (that ensure that due process is available to the subject of the final adverse action), it would qualify as a reportable action under this definition. For example, a formal or official final action taken by a Federal or State Government agency or health plan may include, but is not limited to, a personnel-related action such as suspension without pay, reduction in grade for cause, termination or other comparable action in connection with the delivery of a health care item or service. For health plans that are not Government entities, an action taken following adequate notice and opportunity for a hearing that meet the standards of due process set forth in section 412(b) of the Health Care Quality and Improvement Act (42 U.S.C. 11112(b)) also will qualify as a reportable action under this definition. The fact that the subject elects not to use the due process mechanism provided by the authority bringing the action is immaterial, as long as such a process is available to the subject before the adjudicated action or decision is made final.

      The revised definition for the term ``other adjudicated actions or decision'' specifically excludes clinical privileging actions taken by Federal or State governmental agencies, as well as the similar ``paneling actions'' taken by health plans. We will not collect ``removal without cause'' actions taken by health plans, such as when the health plan has to eliminate some of its specialists or when the health plan concludes that a physician is not maintaining a desirable rate of patient visits. On the other hand, health plans will report ``quality actions'' that include the availability of a due process procedure, such as the formal removal of a physician for problems based on quality of care or competence issues. Health plans also will report any health care related civil judgments they obtain against a health care practitioner, provider or supplier. The revised definition also clarifies that initial overpayment determinations by HCFA contractors, and similar overpayment decisions made by health plans, are not final, reportable actions.

      13. Voluntary Surrender of License or Certification

      Comment: We received several comments on the definition of ``voluntary surrender of license or certification'' from a variety of State and local agencies, private sector organizations and others. The majority of the commenters supported a broader definition of the term. One commenter did not believe voluntary surrenders should be included in the system because of added burden resulting from such action. Several commenters requested that the OIG provide further clarification of the term in the final regulations.

      Response: In light of the strong support for the definition in the proposed regulations, we are adopting this definition in the final rule with certain clarifications. The OIG is aware that there are instances in which a voluntary surrender is used to identify practitioners who are deceased, retired, have not renewed their license or certification, or have simply moved out of the State. We are clarifying the definition to exclude non-disciplinary voluntary surrenders.

      Section 61.4 How Information Must Be Reported

      Comment: A number of commenters requested clarification on how information must be reported to the HIPDB. These commenters generally requested additional information on how electronic reporting would be accomplished, how consolidated reporting would occur for both the HIPDB and the NPDB, and whether all reporters would have the appropriate software and hardware to perform this function. Some commenters recommended, for example, that reporters be permitted to submit files electronically using file transfer protocol or electronic mail, and two commenters raised the issue of whether the HIPDB would accept paper reports.

      Response: In response to these concerns, we are indicating in this final rule that reports may be submitted to the HIPDB either through a secure interactive web-based reporting service (using state-of-the-art encryption technology) or by mailing to the HIPDB properly formatted report data on a diskette. Other types of electronic submissions will not be accepted, nor will paper reports. Reporters who are required to submit the same report to both the NPDB and the HIPDB will be able to satisfy their reporting obligations by submitting their report only once. Web-based reporting or querying will require a personal computer with a modem and access to the Internet. We will provide technical details regarding required data formats and access to the web site through technical manuals, guidebooks and on-line user help. We believe that most reporters possess these basic tools required to gain access to the data bank. We also recognize that there may be a small number of reporters who do not have these capabilities, but these entities should be able to perform any required functions through the services of an authorized agent, who would report to and query the data bank on the entity's behalf.

      Comment: One commenter requested that the NPDB and the HIPDB be consolidated in order to allow more efficient querying and reporting. The commenter also recommended allowing queriers to use search engines to more efficiently locate information.

      Response: The issue of integrating the NPDB and HIPDB is addressed in greater detail in section III. C. of this preamble, ``General Issues and Alternatives Suggestions.'' In response to the commenter's recommendation regarding the use of search engines for querying, queriers will be required to provide certain information about a provider, supplier or practitioner in order to process their query. Specific methods for querying will be addressed in subsequent guidance and technical documentation.

      Comment: To reduce the possibility that non-relevant reports will be submitted to the HIPDB, one commenter recommended that the Secretary establish a reporting threshold or specific criteria for each type of report.

      Response: Through development of a policy guidance guidebook, the Department intends to provide specific examples and establish the criteria for determining whether a final adverse action meets the standards established in regulations. These criteria will be specific to each type of action and will include examples of reportable and non-reportable actions. It will be up to each reporter, however, to review, understand and apply these criteria when reporting.

      Section 61.5 When Information Must Be Reported

      Comment: Commenters recommended extending the 30-day period for reporting final adverse actions to the HIPDB to 60 days. The commenters stated that the time frame set forth in the proposed rule was too stringent and unrealistic to be met by State licensing boards. Several associations representing State licensing boards suggested this time frame would place significant burden on licensing boards. By extending the time frame from 30 days to 60 days, commenters indicated that licensing boards would have adequate time to provide the information to their agent and, in turn, for the agent to submit the information to the HIPDB.

      Response: We are unable to make the changes suggested since the statutory language requires reports to be submitted regularly, but not less often than monthly.

      Section 61.6 Reporting Errors, Omissions, Revisions or Whether an Action Is on Appeal

      Comment: One commenter stated that if a reportable adverse action is on appeal, the action should not be reported until the appeal process is final; if the appeal reverses the decision, then the entire report should be removed from the HIPDB.

      Response: We disagree with the first aspect of the comment since the statutory language (section 1128E(b)(2)(C)) requires specifically that a statement as to whether the action is on appeal must be included in the report to the HIPDB. With respect to the second part of the commenter's concern, we agree that reports which have been reversed on appeal will require a revision to the report. The report may be voided by the reporter at the time of the revision.

      Comment: Some commenters stated that the reporting of revisions, such as a reinstatement of a license, will cause confusion for queriers, that the accuracy of the reports in the HIPDB will be compromised, and that reporters will abuse the system by reporting "indiscriminately" to avoid a sanction for failing to report and fulfilling the 30-day time frame. Commenters also expressed uncertainty as to who is responsible for reporting the revision.

      Response: We believe that there is a misconception on the part of some of the commenters. Specifically, when a reinstatement of a license occurs, the reporter must submit a revision to an action regarding the reinstatement.

      Comment: Two commenters raised concern over the fact that a subject of a report may file a written statement to the HIPDB. The commenters believed this provision violates the due process rights of the entity taking the action. In addition, these commenters were concerned that the subject's statements could render an extremely inaccurate, biased and unreliable report. One commenter requested that reports be deleted after a 5-year period of time.

      Response: We note that only final adjudicated actions are reportable. The Act does not provide for the removal of reports from the data bank except through the dispute process. A subject's statement provides the subject with the opportunity to state his or her views on the final adverse action report; the report and the addendum will be sent to subsequent queriers. It is unclear what "due process rights" of the reporting entity could be violated by giving the subject of a report the right to state his or her views about the report. Further, we note that this approach parallels the long-standing practice used in reporting to the NPDB.

      Section 61.7 Reporting Licensure Actions Taken By Federal or State Licensing and Certification Agencies

      Comment: Several commenters were concerned about the possibility of duplicative reporting when a practitioner is licensed in more than one State. The question was raised as to who reports the adverse licensing action. Several commenters questioned the process for reporting reinstatement of a license.

      Response: The statute requires that the State taking the action is responsible for reporting that action to the HIPDB. Each respective State licensure action requires a separate report to HIPDB. This process of reporting parallels the approach taken under the NPDB. The process for reporting reinstatement of a license is explained in the preamble section discussing Sec. 61.6.

      Comment: With respect to reporting actions on individuals, a number of comments addressed the problem of collecting the mandatory and "if known" data elements.

      Response: We are addressing this issue below in section III. C. of this preamble.

      Comment: Several commenters believed that the description of actions in this section was too vague, and that the OIG should limit reportable actions to those that truly limit practice, such as revocation, suspension and limitation on licensure. Another commenter suggested the HIPDB should be collecting final adverse actions related only to fraud and abuse in the delivery of a health care item or service. Two commenters questioned whether censure letters and other de minimis sanctions are reportable since these actions are not usually subject to due process, and recommended that we include only actions taken against physicians holding full licenses to practice medicine.

      Response: Section 1128E(g)(1)(A)(iii) of the Act states that Federal and State licensing and certification agencies must report to the HIPDB all of the following final adverse actions that are taken against a health care provider, supplier or practitioner:

      • Formal or official actions, such as revocation or suspension of a license (and length of any such suspension), reprimand, censure or probation;

      • Any other loss of the license or the right to apply for, or renew, a license of a provider, supplier or practitioner; and

      • Any other negative action or finding as defined by the Federal or State agency.

      Under section 1128E of the Act, the only limitation on a reportable disciplinary action is that it must be a formal or official action.

      Comment: One commenter believed that automatic suspension of a license for failure to pay family support for a child or spouse, for example, should not be included as a reportable event.

      Response: While we are aware of other ways in which a license may be suspended or revoked by other Federal laws not related to the HIPAA, this licensing action is considered a disciplinary action and, in accordance with the statute's definition of final adverse action, is reportable to the HIPDB.

      Comment: Concerning what information must be reported on organizations, one commenter recommended that the actions reported by Federal and State licensing and certification agencies be limited to those who traditionally provide these services. The commenter believed that the combination of the definitions of "supplier" and "adverse action" could lead to a data bank for reporting complaints and appeals, and not fraudulent activities.

      Response: In accordance with these comments, we are modifying the definitions of "adverse actions" and "supplier" in Sec. 61.3 in order to collect meaningful data on subjects of reportable final adverse actions.

      Comment: Several State licensing boards stated that they already report adverse action information to their individual professional association, and several professional associations also stated that they received reports from States on such actions. These commenters believed that they should be exempt from reporting to the HIPDB. Another commenter believed that HCFA should report all adverse actions to the HIPDB taken against Medicare and Medicaid providers and suppliers based on information that is already reported by State survey and certification agencies, thus leaving States with the responsibility to report only adverse actions taken against an entity based on State law.

      Response: The statute does not provide an exclusion from reporting to the HIPDB for individual professions that may report to other data banks. We encourage these organizations to designate their professional associations to act as authorized agents with the HIPDB. The statute requires that Federal and State Government agencies and health plans report any adverse action taken against a health care provider, supplier or practitioner. The OIG recognizes that State survey and certification agencies already report their findings to HCFA and we will continue to work with HCFA to find methods of streamlining and coordinating the reporting process.

      Section 61.8 Reporting Federal or State Criminal Convictions Related to the Delivery of a Health Care Item or Service

      Comment: One commenter indicated that States already report convictions to the Federal Bureau of Investigation (FBI) and, as such, reporting to the HIPDB would be duplicative and costly. Another commenter requested clarification of the term "delivery."

      Response: The scope of the HIPDB goes beyond the felony convictions obtained at the State and local level that are currently reported to the FBI. Information being reported to the data bank also will include misdemeanor convictions, nolo contendere pleas, and pre-trial diversions and similar actions, that are not reportable to the FBI. In addition, the FBI does not classify convictions as being related to the delivery of a health care item or service, nor does it classify those convicted individuals and entities as being health care providers, suppliers or practitioners. Consequently, the FBI's data bank does not contain every action that would be reportable to the HIPDB, nor does it provide a way in which all appropriate State and local convictions could be identified for use in the HIPDB. The term "delivery" includes, but is not limited to, participation in any part of the provision for or payment of a health care item or service.

      [[Page 57750]]

      Section 61.9 Reporting Civil Judgments Related to the Delivery of a Health Care Item or Service

      Comment: One commenter was not clear as to when a health plan would be obligated to report a civil action, and recommended that health plans only be required to report when no Government agency was a party to the action. The commenter also suggested that health plans should be able to assign responsibility for reporting to another entity, if the other entity also were party to the suit. A second commenter believed that civil actions are best reported by a prosecuting entity.

      Response: The OIG does not require that each party to a civil action report that action individually. However, to clarify who has the responsibility for reporting multi-claimant civil judgments, we are adding new language to Sec. 61.9 to address responsibilities for the reporting of multi-claimant actions.

      Section 61.10 Reporting Exclusion From Participation in Federal or State Health Care Programs

      Comment: One commenter stated that the OIG did not provide adequate and clear information for providers to use to identify excluded individuals or entities.

      Response: Revised OIG exclusion authorities were published as proposed rulemaking in the Federal Register on September 8, 1997 (62 FR 47182), and final regulations were published on September 2, 1998 (63 FR 46676). As indicated above in addressing the definition of the term "health care supplier," in the OIG's final rulemaking on new exclusions and revised authorities resulting from HIPAA, the OIG has the authority to exclude any individual or entity who directly or indirectly provides or supplies items or services. The scope of this exclusion authority includes items or services manufactured, distributed or otherwise provided by individuals or entities that do not directly submit claims to Medicare, Medicaid or other Federal health care programs, but that supply items or services to providers, suppliers or practitioners who submit claims to these programs for such items or services. Therefore, the OIG has already established through that final rule the conditions for excluding an individual and entity from a Federal or State health care program. As such, we believe no further revisions or clarifications are necessary in this final rule.

      Section 61.12 Requesting Information From the HIPDB.

      Comment: Several commenters believed there should be public access to the HIPDB, while other commenters stated that access to the HIPDB should be open only to those who have the authority to take adverse actions. Additionally, citing the need to obtain the information for screening and credentialing potential employees, several commenters requested that hospitals also be able to request information. Several commenters also expressed concern regarding the data elements to be included in the release of aggregate data for research purposes.

      Response: While the OIG actively supports legislative proposals for expanding access to the HIPDB, the existing statute clearly limits access to the HIPDB to those entities that meet the definition of Federal or State agency or a health plan. Under the current statutory definition of entities having access, some hospitals will meet the criteria and be in a position to request information from the HIPDB, while other hospitals will not have access to the data bank. With regard to what data elements would be included, the OIG is clarifying the language in the final rule, as is discussed later in this preamble.

      As set forth in Sec. 61.12, at the time subjects request information as part of a "self-query," the subjects will receive (1) any report(s) in the HIPDB specific to them, and (2) a disclosure history from the HIPDB of the name(s) of any entity (or entities) that have previously received the report(s). This disclosure history will be restricted in accordance with revisions being made to the Department's Privacy Act regulations at 45 CFR part 5b which, when issued in final form, will include an exemption for law enforcement access of the HIPDB.

      Section 61.13 Fees Applicable to Requests for Information

      Comment: The majority of the comments received on this section were from State agencies. The commenters requested free or discounted rates for querying the HIPDB. The commenters suggested that those State agencies that actually file reports with the HIPDB should, in exchange, be able to query the data bank for free or at a discounted rate. One commenter expressed a concern over having to pay a separate fee to query both the HIPDB and the NPDB.

      Response: The OIG is aware of the concerns of some State agencies. The HIPDB and the NPDB were established under separate statutes, each requiring a fee for querying. Each data bank, by statute, was designed to recover its own cost through the imposition of query fees. We are aware of the potential burden of dual querying and will make every effort to keep these fees to a minimum. The OIG cannot comply with this request to offer free or discounted queries to State agencies and others. Since the statute specifically mandates that the Department exempt only Federal agencies from query fees, in order to completely cover costs from paying customers, the OIG must charge all non-Federal customers the same rate.

      The OIG intends to announce the actual amounts of the fees for the data bank in periodic notices in the Federal Register.

      Comment: One commenter recommended that all Federal agencies also should be subjected to a fee when querying the HIPDB, while another commenter stated that since Federal agencies are exempted from paying fees, their access should be limited to "bona fide" purposes.

      Response: With regard to the one commenter's suggestion as to Federal agency fees, section 1128E(d)(2) of the Act specifically prevents the OIG from charging Federal agencies a fee to query the HIPDB. The appropriate uses of HIPDB information for all users, including Federal agencies, are being defined in Sec. 61.14 of these regulations and the Privacy Act System of Records notice published in the Federal Register on February 16, 1999 (64 FR 7653).

      Comment: One commenter recommended that the OIG not establish a fee for health care practitioners, providers or suppliers requesting information about themselves (self-queries) from the HIPDB. This commenter believed that State licensing boards will "game the system" by requiring licensees to submit self-query responses when requesting initial licensure or re-licensure. This commenter noted this type of activity already occurs with the NPDB.

      Response: Since State licensing boards are not required by the statute to query, the OIG cannot expressly mandate that they query the HIPDB directly in place of requiring practitioners to provide self-query responses. However, we will make every effort to strongly encourage State licensing boards to query the HIPDB directly to ensure they receive accurate and complete information.

      Comment: One commenter asked that the HIPDB provide an automatic copy (without a request and free of charge) of every report to the health care provider, supplier or practitioner who is the subject of the report, and not just when the report is initially entered into the HIPDB. This would include any report that is "amended or deleted." A second commenter recommended that the OIG add a sentence to the final regulations stating that the HIPDB also will provide a copy of every HIPDB report automatically, without a request and free of charge, to the reporter who submitted the report.

      Response: We agree with these comments and will modify the final regulations accordingly. The HIPDB will provide a copy of every HIPDB report to the reporter, as well as to the health care provider, supplier, or practitioner who is the subject of the report, when the report is initially entered. In addition, further notification will be made to these parties whenever the report is corrected or revised, and whenever the report is voided. We also agree to automatically provide the reporter with a copy of the revised report, without further request.

      Section 61.14 Confidentiality of the HIPDB Information

      Comment: The majority of the commenters responding to this provision questioned the confidentiality of the reported data bank elements and resulting privacy of the information once a report is submitted to the HIPDB. The confidentiality of individual elements, as well as of the report as a whole, was questioned and several commenters believed the final rule needed to be clarified further. Citing possible violation of the Privacy Act, commenters expressed concern about the "purpose" for which the data are provided and the process of how queriers may distribute and use the information provided in a report.

      Response: Similar to the NPDB, the HIPDB requires specific data elements to be reported in order to maximize the accuracy of matching subjects of reports by the querier. The Privacy Act of 1974 established the guidelines for Federal governmental systems of records that are maintained by the names of individuals. The HIPDB was established as a system of records subject to the Privacy Act by notice published in the Federal Register on February 16, 1999 (64 FR 7653). Section 552(i)(3) of the Privacy Act provides that obtaining information knowingly from an agency system of records under false pretenses will be treated as a misdemeanor and will incur a fine of not more than $5,000 per occurrence. Section 552b(3) of the Privacy Act allows disclosure for "routine use," compatible with the purpose for which it was collected. Appropriate uses for the HIPDB information will include credentialing and employment decisions, fraud and abuse investigations, and use as a part of a querying entity's screening process which would indicate more complete details are needed about the subject. This "routine use" does not allow disclosure to the general public. We are clarifying this discussion in Sec. 61.14 of the final regulations.

      We note that information which would identify Federal or State agency health program beneficiaries, or other patients of providers or practitioners, is not reportable to the HIPDB. Further, we will disallow references to individual patients or beneficiaries in any rebuttal documents submitted as part of a report dispute process, or submitted as part of the written comments that a subject may submit to be included with a report.

      Comment: Several commenters stated that the wording of this section was confusing, and did not fully explain the ways in which information can be disseminated once it is released to an eligible entity.

      Response: With respect to the confidentiality requirements of information obtained from the HIPDB indirectly from another party, as well as information obtained directly from the data bank, an individual or entity that receives information from the HIPDB is permitted to disclose such information further in the course of carrying out the activity for which the information was sought. For example, during the course of a health plan's credentialing process, the plan may request information from the HIPDB on a practitioner's history of final adverse actions. The health plan may share this information with other individuals who are part of the credentialing review and decision making process on the practitioner's application. Nevertheless, the confidentiality limitations of the Act apply both to the health plan staff who initially receive the information and to the specific departmental staff who subsequently review this same information; they may each only use and disclose the information with respect to the credentialing decision.

      Section 61.15 How To Dispute the Accuracy of the HIPDB Information

      Comment: Several commenters were supportive of the mechanism set forth in the proposed rule that would allow practitioners to attach a 2,000 word statement to their report for purposes of disputing the accuracy of HIPDB information. Some commenters indicated that the inclusion of a 2,000 word statement to a report was unnecessary and recommended eliminating this provision for the final rule.

      Response: We believe this mechanism will be useful, and are retaining it in the final regulations.

      Comment: While some commenters believed a dispute mechanism was unnecessary or would greatly increase the burden on reporting entities, other commenters supported the inclusion of an additional dispute mechanism under which reporting entities could report disagreements with a Secretarial decision to delete a report from the HIPDB.

      Response: The statute specifically requires that the HIPDB have a dispute mechanism in place. We are adopting the dispute mechanism that currently is being used for reports to the NPDB, which has proven to be effective. We are addressing regulatory burden issues later in this preamble.

    3. General Issues and Alternative Suggestions

      1. Coordination and distinctions between the HIPDB and the NPDB

      Comment: One commenter stated that an additional data bank was unnecessary. The commenter believed that the NPDB is adequate, and that the HIPDB will only serve to be duplicative in nature.

      Response: While we agree that the NPDB is adequate for its intended purpose of protecting the public from incompetent or unprofessional health care practitioners, the HIPDB reflects separate and distinct congressional intent, with unique data elements. The HIPDB data base is intended to collect a wide range of final adverse actions. The HIPDB serves a dual purpose of protecting the public, and assisting fraud and abuse investigations of health care practitioners, suppliers and providers. The HIPDB also contains information that is not reported to the NPDB, for purposes of meeting its intended statutory objectives.

      Comment: Some commenters expressed a desire that the HIPDB and the NPDB be combined into one system, and commenters believed that for reports required under both systems, the OIG should have reporters report such actions only once.

      Response: Although the HIPDB and the NPDB must be separate data banks, and serve different purposes, the HIPDB and the NPDB will, for certain reporting and querying purposes, form an integrated system, whereby a report required under both systems will only need to be reported once. The system will subsequently store the report in the HIPDB, the NPDB, or both, as appropriate. Additionally, a querier eligible to have access to both data banks can query both through a single request.

      Comment: One commenter expressed concern that under an integrated reporting system for the NPDB and the HIPDB a medical malpractice insurer would be forced to submit certain fields required under the HIPDB, such as for an individual's Social Security Number.

      Response: This provision is only applicable to reports required under both data banks. For example, medical malpractice payment reports are only required to be reported to the NPDB; they are statutorily exempt from HIPDB reporting. Therefore, the HIPDB data elements required, such as an individual's Social Security Number, do not apply to those reports.

      Comment: One commenter expressed a desire that actions taken before August 21, 1996, the effective date of the HIPAA statute, be required to be reported to the HIPDB.

      Response: Since the Department does not have the statutory authority to retroactively require reports before the statute's date of enactment, we cannot accept this recommendation, and we would be unwilling to impose the burden of retroactive reporting on the reporting entities even if we had the authority to do so.

      2. Immunity Provisions Under the HIPDB

      Comment: More than half of the comments received regarding immunity provisions under the HIPDB stated that any immunity provisions must be included within the final regulations and not merely alluded to in the preamble. The commenters specifically requested immunity with regard to submitting reports to the HIPDB. Several commenters stated that any immunity provisions included within the final regulations needed to specifically provide immunity for agents.

      Response: We agree with the comments, and are adding a new Sec. 61.16 within the final regulations to address this concern.

      Comment: Three commenters were supportive of the proposed definition for the term "knowledge of falsity" to mean actual knowledge of falsity by the submitting party. One commenter requested the elimination of immunity for those who file information with the HIPDB recklessly.

      Response: The intention of the statute is to encourage final adverse actions to be reported against subjects, without fear of the subject retaliating with a lawsuit against those who report the action. In accordance with the comments and the statute, we will continue to interpret the term "knowledge of falsity" to mean actual knowledge. Consequently, we are including language in the final regulations stating that the submitting reporter will not be immune from liability if there is actual knowledge of falsity of a report.

      Comment: One commenter stated the subject of a report should be required to follow the dispute resolution procedures before filing suit against a reporter for false knowledge in reporting to the HIPDB.

      Response: We decline to accept this comment. The statute does not provide the authority to require the subject of a report to follow the dispute resolution procedures prior to filing suit against a reporter. Further, we believe this would result in unnecessary delays in reporting final adverse actions to the HIPDB.

      3. Sanctions for Failure To Report

      Comment: With regard to sanctions for failure to report to the HIPDB, commenters stated that a potential CMP of $25,000 per occurrence against health plans that fail to report was too severe. One commenter recommended that, because of the perceived breadth and ambiguity of the reporting requirements, the OIG should only assess CMPs against health plans that "knowingly and willfully fail to report." Another commenter stated that the CMP was proportionately unfair to single service health plans.

      Response: Section 4331 of Public Law 105-33, the Balanced Budget Act (BBA) of 1997, authorizes a CMP of up to $25,000 for each adverse action not reported by a health plan. The statute does not require that this full amount be imposed; a lesser penalty could be assessed at the discretion of the OIG. The statute does not require a "knowing and willful" standard as part of the CMP criteria. However, the OIG has discretion in choosing whether to assess a CMP, and the OIG applies various mitigating and aggravating factors, as set forth in the OIG/CMP regulations, in determining the CMP amount up to the $25,000 limit. Specific policies and factors regarding imposition of this CMP are being set forth by the OIG in separate final rulemaking addressing new and revised sanction authorities resulting from the BBA.

      Comment: One commenter asked whether the OIG would impose CMPs against health plans that cannot report because they do not collect all of the reportable data elements.

      Response: Every effort has been made to specify a set of data elements that will not impose an undue burden on reporters and that still ensure a high degree of confidence in matching names of health care practitioners, providers and suppliers with existing reports in the HIPDB. Reporters will be required to report mandatory data elements, and may report all other fields if they are known. However, reporters that fail to submit reports with the minimum mandatory data required by statute and regulations may be subject to the sanctions referenced above.

      Comment: Some commenters expressed concern that the OIG would impose CMPs for the non-reporting of adverse actions (or particular data elements associated with an adverse action) that occurred during the period between the effective date of HIPAA, August 21, 1996, and the effective date of this rule, a time period when the exact reporting requirements of the rule were not yet known to the entities now responsible for reporting.

      Response: The basic types of actions to be reported were specified in the HIPAA and were, therefore, noticed to potential reporters as of August 21, 1996. We do realize, however, that the specific definitions of terms used, and the specification of exact data elements to be reported, are set forth in this rule. While there is a duty to report actions (and data elements) dating from the period between August 21, 1996 and the promulgation of this rule, the OIG will give due consideration to the ability of a reporting agency or health plan to comply with requirements to report such actions (and data elements) in determining whether to impose a CMP for failure to report in accordance with 42 CFR 1003.102(b)(5)(ii). 4. Implementation Schedule

      Comment: Four comments were received regarding the implementation schedule for the HIPDB. Commenters stated that collecting data elements retroactively, as required by the Act, would be burdensome and difficult to obtain. One commenter recommended a separate date for ``other adjudicated actions,'' stating that these actions are not final until each case has exhausted all appeal rights. Several commenters suggested the OIG should allow for two different dates: one for data that are available at the time of the opening of the data bank, and another date (for example, 60 days later) for additional and retroactive data.

      Response: The OIG has taken these points into consideration. This concern is being addressed below in the section of this preamble discussing the burden of data collection.

      5. Paperwork Reduction Act Statement

      1. Data elements to be reported to the HIPDB. The OIG solicited comments on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Department, including whether the

        [[Page 57753]]

        information will have practical utility; (2) the accuracy of the Department's estimate of the burden of the proposed collection of information; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology.

        Comment: Over half of the comments received concerned the data elements in general. Commenters stated that the proposed rule was overreaching the scope of the statute and created unintended reporting burdens with regard to the various data elements specified for collection. Some commenters indicated that they did not collect one or more of the required data elements, while others suggested that not all of the requested data elements were necessary for the HIPDB, or that only a minimal set of elements were needed to insure proper identification of a subject. Some commenters stated that the required data elements would force physicians to devote additional time and expense to reporting these actions.

        Response: The OIG disagrees with the commenters' assessments. The OIG continues to believe the data elements selected for inclusion into the HIPDB are essential for users in properly identifying individuals and entities which are the subjects of reports in the data bank. Further, as indicated earlier, with respect to the concerns indicated by some physicians, there are no requirements for physicians to report directly to the data bank and thus no additional non-medical time required of them with respect to the array of data elements.

        Comment: A number of State agencies cited their respective State statutes that prohibit the collection or reporting of Social Security Numbers and, in some instances, other personal data (such as sex and date of birth). Ten commenters stated that their organizations did not routinely collect Social Security Numbers or Taxpayer Identification Numbers.

        Response: The statute offers the OIG no discretion in this collection element provision. The Federal statute authorizing this data base takes precedence over and preempts State statutory requirements, and specifically requires the reporting of Taxpayer Identification Numbers, which includes Social Security Numbers and Federal Employer Identification Numbers. As to the inclusion of other personal identifiers, we have determined that these elements are required to insure proper identification of subjects reported to the data bank and, consequently, these requirements are being retained in the final regulations. We believe that the various reporting entities can make the proper adjustments to secure the required information without undue hardship or burden.

        Comment: Some commenters raised concern over the need to include ``Occupation'' as one of the mandatory elements under the HIPDB.

        Response: For identification purposes, we believe it is important for a querier of the data bank to know a subject's occupation. Today's health care providers are frequently involved in different ventures and occupations. Reportable actions may arise in one area of a subject's endeavors, but not in others. Therefore, we believe that queriers must be made aware of all reportable actions against a subject, and an integral element of this is learning the occupation in which these actions were taken.

        Comment: Three commenters requested that ``Other Names Used'' be a mandatory field, particularly with regard to female subjects.

        Response: We are satisfied that this element should be reported ``if known,'' and we assume the reporters will provide these names if such information is available to them.

        Comment: We received comments regarding the ``Physician Specialty'' data element. Commenters questioned why specialty data were only being collected on physicians and not on other types of practitioners.

        Response: We agree with the suggestion that ``specialty'' should be reported for all practitioners, if applicable, and are modifying the regulations accordingly.

        Comment: Twenty-six commenters suggested that the ``Name of the Affiliated or Associated Health Care Entity'' not be made a mandatory field.

        Response: The statute requires that this information be reported ``if known.'' We agree with the commenters' concerns, and will clarify the language in the final regulations to emphasize that this information be reported only if known.

        Comment: Several comments stated that potential reporters do not currently collect the mandatory element ``National Provider Identifier'' (NPI).

        Response: We are aware that NPIs have not been issued and, therefore, cannot be reported. However, once HCFA issues these identification numbers, the collection and reporting of NPIs to the HIPDB will be mandatory. Reporters are advised to begin the necessary steps to collect this identifier in the future, as it becomes available. In this final rule, we are deleting the data field ``NPI for Affiliated or Associated Health Care Entities.''

        Comment: One commenter suggested that the HIPDB also add the method used to detect the act that underlies the action being reported.

        Response: We disagree. We believe this information will not be useful, and would create an additional reporting burden.

        Comment: Commenters stated that some reporters do not collect data on the ``Name of Each Professional School Attended and Year of Graduation.''

        Response: These data are mandatory requirements of the NPDB and are routinely provided by State agencies and organizations representing physicians and dentists. These NPDB requirements will remain unchanged. For reports made solely to the HIPDB, these data elements will be mandatory for licensing and certification actions reported by Federal and State agencies, which routinely collect this information, and will be designated as ``if known'' for all other reporters.

        Comment: Several commenters noted the unreliability of a ``Work Address'' element for individual subjects, and other commenters stated that only an ``Address of Record'' would be known by certain reporters.

        Response: The OIG agrees with these comments and is revising the final regulations accordingly. Only one address--either the subject's ``Home Address'' or the ``Address of Record''--will be mandatory for each report. Other addresses, such as a primary work address, will be reportable only ``if known.''

        Comment: Twelve comments were received concerning the mandatory ``Description of the Acts or Omissions'' and the ``Description of the Action'' fields. The commenters suggested use of numerical codes in lieu of narrative descriptions.

        Response: The statute is clear that the ``Description of the Acts or Omissions'' field is a mandatory element. However, to assist users of this information, we are adopting the suggestion of a code list that corresponds to the most common underlying acts expected to be reported. Use of this code will be mandatory, along with a narrative description of the acts or omissions and injuries upon which the reported action was based. With regard to the ``Description of the Action'' field, we have changed the final rule to show that the mandatory requirements for reporting an action are the date the action was taken, its effective date and duration, the amount of any monetary penalty, and whether

        [[Page 57754]]

        the action is on appeal. We believe these elements are essential for a user's understanding of the action being reported. The proposed rule also called for a mandatory ``Classification of the action'' in accordance with a reporting code adopted by the Secretary. While the ``Description of the action'' has been deleted, the ``Action code'' will remain as a mandatory element in the final regulations.

        Comment: Five comments were received requesting additional clarification regarding the reporting of ``Professional license, certification or registration.''

        Response: In response to these comments, we are clarifying the final regulations to indicate that for licensure, certification or registration actions taken by Federal and State licensing and certification agencies, the mandatory information to be reported will be on the professional license, certification or registration on which the action was taken. Information on other licenses, certifications or registrations, including those issued in other States or by other agencies, will be reportable to the data bank ``if known.''

      2. Estimated burden of data collection requirements. Comment: A number of commenters stated that the proposed rule did not accurately address the burden as it applies to the cost of creating and maintaining the data collection system, or the costs associated with collecting the required data elements. Commenters stated that the start-up cost, indicated at $5,000, was significantly underestimated. One commenter strongly believed that the costs associated with the HIPDB system would far outweigh its benefit, and several commenters stated that they would need to hire new employees in order to meet the HIPDB reporting requirements. One commenter indicated that, while their State proportionally had a smaller number of health care providers than some of the larger States, its State agency nevertheless took 712 actions last year that would need to be reported to the HIPDB, resulting in what they believed would be a larger than estimated burden nationwide.

        Response: In developing our burden statement and estimate, calculations for the regulatory impact statement in the proposed rule were based on estimations derived from the regulatory impact prepared for the proposed rule currently being developed for State licensing boards addressing section 1921 of the Act. Section 1921 of the Act, as amended by section 5(b) of the Medicare and Medicaid Patient and Program Protection Act of 1987 and by the Omnibus Budget Reconciliation Act of 1990, requires each State to adopt a system that reports to the Secretary certain adverse licensure actions taken against health care practitioners and health care entities that are licensed or otherwise authorized by a State (or a political subdivision) to provide health care services. Similar to the information required for the HIPDB, section 1921 of the Act already requires, for reporting to the NPDB, that each State (1) report any negative actions or findings that a State licensing authority, peer review organization or private accreditation entity takes against a health care practitioner or health care entity; and (2) have an information reporting system in place as of January 1, 1992, regardless of whether the Secretary promulgated regulations to carry out these provisions. Therefore, since 1992, the States already have been required to collect much of the information to which they attribute their costs of collecting information for reporting to the HIPDB. However, we recognize that the regulatory impact will vary from State to State, and as a result, we have adjusted our burden estimates in this final rule accordingly. Specifically, after consideration of the concerns raised, we agree with the commenters that their developing or restructuring of a data collection system to incorporate the HIPDB requirements may have been underestimated. Therefore, we have increased the start-up cost estimate to $20,000 for each State licensing board. 

        In terms of the reporting burden for State licensing agencies, we were advised by national organizations that represent State licensing boards that much of the requested data are already being collected and maintained by their organization. Therefore, we believe that the reporting burden for State licensing boards, such as nursing, chiropractic, optometry, physical therapist and social worker should be minimal.

        Comment: Some commenters believed that complying with the HIPDB would be labor intensive and costly. Commenters suggested that the HIPDB data collection requirements would create an administrative burden for State licensing boards.

        Response: As indicated above, the OIG has addressed the reporting requirements in detail in this preamble in response to public comments. We agree with many of the commenters' concerns, and are streamlining the HIPDB reporting requirements accordingly. The OIG believes that this final rule now reflects the least burdensome reporting requirements possible with respect to State agencies' compliance.

        Comment: Several commenters proposed alternatives that they believed might ease the burden on State licensing boards. Specifically, commenters recommended that the OIG make use of various authorized agents, such as the National Council of State Boards of Nursing, Federation of Chiropractic Licensing Boards, National Association of Boards of Pharmacy and the American Association of State Social Work Boards to collect and report the required information, thus lessening the burden on individual health plans and State agencies.

        Response: In developing this rulemaking, the OIG sought input from States and representatives of various associations. Initially, the OIG met with State regulatory boards and associations, including the National Council of State Boards of Nursing, Federation of Chiropractic Licensing Boards, National Association of Boards of Pharmacy and the American Association of State Social Work Boards, to explain the requirements of the HIPDB and to explore options that would ease the regulatory burden on State agencies. As a result, with respect to State licensing boards, we suggested the following options: (1) organizing a centralized or decentralized reporting mechanism within the State, or (2) reporting to the data bank through an authorized agent. If an authorized agent is utilized by the State, individual agreements must be made between the State and the professional association, as well as between the State and the HIPDB.

  4. Summary of Revisions in the Final Rule

    Based on our review and response to the array of public comments, and based on the discretionary authority given the Department under the statute, we are making the following revisions to the proposed regulations that we believe will allow the collection and dissemination of information to and from the HIPDB to occur in a more effective and efficient manner:

    Section 61.3

    • We are revising the definition of the term ``Affiliated or associated'' to read as follows: Affiliated or Associated means health care entities with which a subject of a final adverse action has a commercial business relationship, including but not limited to, organizations, associations, corporations, or partnerships. It also includes a professional corporation or other business entity composed of a single individual.

    [[Page 57755]]

    • In the definition of the term ``Any other negative action or finding,'' we are adding the following sentence: ``This definition excludes administrative fines or citations and corrective action plans, unless they are: (1) Connected to the delivery of health care services, and (2) taken in conjunction with other licensure or certification actions such as revocation, suspension, censure, reprimand, probation, or surrender.''

    • We are deleting the proposed definition for the term ``Clinical privileges.''

    • We are amending the fourth element in the definition of the term ``Government agency'' to include both Federal and State law enforcement agencies, and law enforcement investigators as well as States Attorneys General.

    • In the first sentence under the definition for the term ``Health care supplier,'' we have inserted a comma and are adding the phrase ``whether directly or indirectly,'' after the statement ``* * * or any individual or entity, other than a provider, who furnishes'' and we have replaced the example of ``manufacturers of health care related items'' with the phrase ``manufacturers of health care items.'' We have also revised the second sentence in the definition to read as follows: ``The term also includes any individual or entity under contract to provide such supplies, items or ancillary services, health plans as defined in this section (excluding employers that are not self-insured) and health insurance producers (including, but not limited to, agents, brokers, solicitors, consultants and reinsurance intermediaries).''

    • We are modifying the fourth element in the proposed definition of the term ``Health plan'' to make the definition more inclusive. As revised the fourth element will include, but not be limited to, ``[A] plan, program, agreement or other mechanism established, maintained or made available by a self insured employer or group of self insured employers, a practitioner, provider or supplier group, third party administrator, integrated health care delivery system, employee welfare association, public service group or organization or professional association * * *''

    • We are adding a definition for the term ``Organizational name and type.'' The ``organization name'' data element, to be reported for all types of actions described in Secs. 61.7, 61.8, 61.9, 61.10 and 61.11, means the subject's business or employer at the time the underlying acts occurred. If more than one business or employer is involved, the one most closely related to the underlying acts must be reported in ``organization name,'' with the others being reported in the ``affiliated or associated health care entities'' field. The ``organization type'' is a brief description of the nature of that business or employer.

    • The definition for ``Other adjudicated actions or decisions'' specifically excludes clinical privileging actions taken by Federal or State governmental agencies, paneling decisions made by health plans and overpayment determinations by Federal and State agency contractors or by health plans.

    • We are also adding a new definition for the term ``Voluntary surrender'' to mean a surrender made after a notification of investigation or a formal official request by Federal or State licensing or certification authorities for a health care provider, supplier, or practitioner to surrender the license or certification (including certification agreements or contracts for participation in Federal or State health care programs). The definition also includes those instances where a health care provider, supplier or practitioner voluntarily surrenders a license or certification (including program participation agreements or contracts) in exchange for a decision by the licensing or certification authority to cease an investigation or similar proceeding, or in return for not conducting an investigation or proceeding, or in lieu of a disciplinary action.

    Section 61.9

    • With regard to reporting civil judgments related to the delivery of a health care item or service, we are adding the following language to Sec. 61.9(a): ``If a Government agency is party to a multi-claimant civil judgment, it must assume the responsibility for reporting the entire action, including all amounts awarded to all the claimants, both public and private. If there is no Government agency as a party, but there are multiple health plans as claimants, the health plan which receives the largest award must be responsible for reporting the total action for all parties.''

    Section 61.12

    • With regard to requesting information from the HIPDB, we are revising the first sentence in Sec. 61.12(a)(4) to indicate that information in the data bank will be available, upon request, to ``[A] person or entity who requests statistical information, which does not permit any personal identifiers for any individual or entity.''

    Section 61.13

    • We are adding the following sentence to the end of Sec. 61.13(a) with regard to our policy on fees applicable to requests for information: ``For the same purpose, the Department will provide a copy of the report--automatically, without a request and free of charge--to the reporter that submitted it.''

    Data Elements To Be Reported to the HIPDB

    In view of the comments and responses discussed above, and in an effort to clarify reporting requirements, the data elements have been reformatted. Sections 61.7, 61.8, 61.9, 61.10 and 61.11 are structured as follows:

    • The actions which must be reported and who is responsible for making those reports.

    • The mandatory personal identifiers and employment or professional identifiers for individual subjects; the mandatory identifiers for organization subjects; and the mandatory data elements for all subjects relating to the acts or omissions, the action taken and the reporting entity.

    • The ``if known'' personal identifiers and employment or professional identifiers for individual subjects; the ``if known'' identifiers for organization subjects; and the ``if known'' data elements for all subjects relating to the acts or omissions, and the action taken.

    • Each section concludes with the sanctions for failure to report.

    Section 61.16

    • We are adding a new Sec. 61.16 Immunity, to indicate that individuals, entities or their authorized agents and the HIPDB will not be held liable in any civil action filed by the subject of a report unless the individual, entity or their authorized agent submitting the report has actual knowledge of falsity of the information contained in the report.

  5. Regulatory Impact Statement

    Executive Order 12866, the Unfunded Mandates Reform Act and the Regulatory Flexibility Act

    The Office of Management and Budget (OMB) has reviewed this final rule in accordance with the provisions of Executive Order 12866, the Unfunded Mandates Reform Act and the Regulatory Flexibility Act (5 U.S.C. 601-612), and has determined that it does not meet the criteria for a significant regulatory action.

    Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and,

    [[Page 57756]]

    when rulemaking is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, safety, distributive and equity effects). The Unfunded Mandates Reform Act, Public Law 104-4, requires that agencies prepare an assessment of anticipated costs and benefits on any rulemaking that may result in an annual expenditure by State, local or tribal government, or by the private sector of $100 million or more. In addition, under the Regulatory Flexibility Act, if a rule has a significant economic effect on a substantial number of small entities, the Secretary must specifically consider the economic effect of a rule on small entities and analyze regulatory options that could lessen the impact of the rule.

    Executive Order 12866 requires that all regulations reflect consideration of alternatives, costs, benefits, incentives, equity, and available information. Regulations must meet certain standards, such as avoiding unnecessary burden. Regulations that are ``significant'' because of cost, adverse effects on the economy, inconsistency with other agency actions, effects on the budget, or novel legal or policy issues, require special analysis. The resources required to implement the requirements in this final rule are minimal. We have determined that this final rule does not meet the criteria for a major rule, as defined by Executive Order 12866. As indicated above, this final rule is designed to establish procedures for reporting to and releasing from the HIPDB information on health care providers, suppliers, or practitioners against whom final adverse actions have been taken.

    In accordance with the Unfunded Mandates Reform Act of 1995, we have determined the only costs (which we believe will not be significant) would include the ability to transmit the information electronically (e.g., Internet service) and additional staff hours needed to transmit the information. Based on the public comments, we have increased the initial start-up cost from $5,000 to $20,000 per State licensing and certification agency ($20,000 per State licensing and certification agency x 216 State agencies = $4,320,000). The Department determined that the initial start-up cost will be less than $100 per health plan ($100 per health plan x 20,000 health plans = $2,000,000). Section 221(a) of HIPAA intends that the Federal Government will not incur any costs for the operation and maintenance of the HIPDB; user fees are intended to cover the full costs of the HIPDB. For the reasons stated above, the Department has determined that this rule does not impose any mandates on State, local or tribal governments, or the private sector that will result in an annual expenditure of $100 million or more, and that a full analysis under the Act is not necessary.

    In addition, in accordance with the Regulatory Flexibility Act of 1980 (RFA), and the Small Business Regulatory Enforcement Act of 1996, which amended the RFA, we are required to determine if this rule will have a significant economic effect on a substantial number of small entities and, if so, to identify regulatory options that could lessen the impact. For purposes of this final rule, we have not categorized health plans as small business entities in accordance with the RFA, nor have we included individuals and States in this definition of small entities. Rather, we have defined small entities as nonprofit organizations and local government agencies. Although the statute does not specify local government agencies as reporters, we also have given States the option to decide the manner in which they will report, i.e., having one centralized point for reporting or having multiple agencies such as municipalities and local government agencies (including District and County attorneys) report independently to the HIPDB. If States elect to have multiple agencies reporting independently to the HIPDB, we have determined that both the burden and costs associated with reporting to the HIPDB will be minimal. We also have determined that this rule would affect less than 100 nonprofit and local government agencies. Also with respect to health plans, we have determined that the burden and cost to them will be minimal. In an effort to reduce the reporting and impact burdens upon health plans, we have, as indicated above, clarified the definition of the term ``other adjudicated actions or decisions'' to emphasize that such an action requires the availability of a due process mechanism. We have in the rule specifically limited the types of actions that health plans will be required to report to a more limited and narrower category of actions.

    We are not preparing an analysis for the RFA, since we have determined, and the Secretary certifies, that this rule will not have a significant economic impact on a substantial number of small entities and, in accordance with the threshold criteria of Executive Order 13132 (August 4, 1999), have determined that these regulations do not significantly affect the rights, roles and responsibilities of States.

    Paperwork Reduction Act

    In compliance with section 3506(c)(2)(A) of the Paperwork Reduction Act (PRA) of 1995, we are required to solicit public comments, and receive final OMB approval, on any information collection requirements set forth in final rulemaking. As indicated above, in order to properly implement the HIPDB, the OIG requires the collection of certain information as set forth in Secs. 61.6, 61.7, 61.8, 61.9, 61.11, 61.12 and 61.15 of this final rule. In accordance with the PRA, we are submitting to OMB at this time the following requirements for seeking emergency review of these provisions. We are requesting an emergency review because the data collection and reporting of this information is needed before the expiration of the normal time limits under OMB's regulations at 5 CFR part 1320, to ensure the timely availability and reporting of data as necessary in order to improve the quality of patient care and to prevent health care fraud and abuse activities. Delaying the reporting process would delay implementation of the establishment of a complete data bank that effectively deters health care fraud and abuse in the health care industry and protects the public. We are requesting OMB review and approval of this collection within 16 working days from the date of publication of this rulemaking, with a 180-day approval period. Written comments and recommendations will be accepted from the public if received by the individual designated below within 15 working days from the date of publication of these regulations. During this 180-day approval period, we will publish a separate Federal Register notice announcing the initiation of an extensive 60-day agency review and public comment period on the requirements set forth.

    Collection of Information: The Healthcare Integrity and Protection Data Bank for Final Adverse Information on Health Care Providers, Suppliers and Practitioners.

    Description: Information collected under Secs. 61.6, 61.7, 61.8, 61.9, 61.11, 61.12 and 61.15 of this final rule would be used by authorized parties, specified in the proposed rule, to prevent health care fraud and abuse activities and to improve the quality of patient care.

    Description of Respondents: Federal and State Government agencies and health plans. The reports from Federal agencies are not subject to the PRA.

    Estimated Annual Reporting: The Department estimates that the public reporting burden for this final rule is

    [[Page 57757]]

    185,099 hours. As a result of the public comments, we acknowledge that the proposed rule significantly underestimated the number of licensure and certification actions taken by State licensing authorities against health care providers, suppliers and practitioners. Therefore, we have increased the reporting burden from 132,733 to 185,099 hours.

    The estimated annual reporting and querying burden is as follows:

    ------------------------------------------------------------------------------------------------------------------
    Section No.                                     Number of     Responses per   Total       Hours per   Total burden
                                                    respondents   respondent      responses   response    hours
    ------------------------------------------------------------------------------------------------------------------
    61.6, Errors & Omissions                        \1\ 1,200     1               1,200       25          500
    61.6, Revisions/Appeal Status                   1,000         1               1,000       75          1,250
    61.7--Licensure Actions:
      Disclosure by State Licensing Boards          \2\ 1,836     22              40,400      75          50,500
      Reporting by State Licensing Authorities      216           187             40,400      15          10,100
    61.8, Criminal Convictions                      \3\ 54        13              700         75          875
    61.9, Civil Judgments                           \4\ 62        8               500         75          625
    61.11, Other Adjudicated Action or Decision     \5\ 66        12              800         75          1,000
    61.12:
      Queries                                       \6\ 5,601     201             1,127,512   5           93,959
      Self-queries                                  60,000        1               60,000      25          25,000
      Entity verification \7\                       5,000         1               5,000       10          833
      Entity update                                 250           1               250         5           20
    61.12, Authorized agent designation \7\         100           1               100         10          16
    61.12, Authorized agent designation update      5             1               5           5           0.42
    61.15--Disputed Reports & Secretarial Review:
      Initial Request                               \8\ 750       1               750         10          125
      Request for Secretarial Review                37            1               37          480         296
    ------------------------------------------------------------------------------------------------------------------
    Total                                           76,177                        1,278,654               185,099
    ------------------------------------------------------------------------------------------------------------------

    Footnotes:

    1. Section 61.6 requires each Government agency or health plan that reports information to the HIPDB to ensure the accuracy of the information. If there are any errors or omissions to the reports previously submitted to the HIPDB, the individual or entity that submitted the report to the HIPDB is also responsible for making the necessary correction or revision to the original report. If there is any revision to the action or the action is on appeal, the individual or entity that submitted the original report to the HIPDB is also responsible for reporting revisions and whether the action is on appeal. Based on corrections and revisions made to information contained in the NPDB, we have estimated that a total of 1,200 respondents will need to correct their reports each year and that a total of 1,000 respondents will need to revise actions originally reported, or to report whether an action is on appeal each year. Based on experience with the NPDB, a correction is expected to take 25 minutes to complete and submit. A revision is expected to take somewhat longer (75 minutes) because it involves completing a new report form rather than just correcting the individual items that are in error.

    2. Section 61.7 requires Federal and State agencies responsible for the licensing and certification of health care providers, suppliers and practitioners to report all disciplinary licensure actions to the HIPDB. Therefore, we estimate that approximately 34 State licensing boards in each State will report to the State licensing and certification authorities (54 States and territories x 34 licensing boards/per State = 1,836 State licensing and certification boards), and the State licensing and certification authorities (4 per State) will be responsible for reporting information to the HIPDB (54 States and territories x 4 State licensing and certification authorities/per State = 216 State licensing and certification authorities). We estimate that 40,400 reports will be submitted directly to the HIPDB each year, for an average of 187 reports per State licensing and certification authority and 22 reports per State licensing board. Since disciplinary licensure actions by State licensing authorities in the NPDB overlap with this statute, this estimate includes all licensure actions that will be reported to both the NPDB and the HIPDB. The HIPDB will use similar forms and procedures for reporting as the NPDB. As a result, we estimate that it will take a State licensing board 75 minutes to complete and submit an initial report. We also estimate that it will take a State licensing and certification authority 15 minutes to verify the accuracy and completeness of the information contained in the initial report before electronically submitting the information to the HIPDB.

    3. Section 61.8 requires Federal and State prosecutors to report criminal convictions related to the delivery of a health care item or service. Based on the number of health care providers, suppliers and practitioners convicted by the Federal Government, we estimate that there will be an approximate total of 700 State criminal convictions reported to the HIPDB each year, for an average of 13 convictions per State. Based on experience with the NPDB, we estimate that it will take 75 minutes to complete and submit each report.

    4. Section 61.9 requires Federal and State attorneys and health care plans to report civil judgments against health care providers, suppliers and practitioners related to the delivery of a health care item or service. We estimate that there will be an approximate total of 500 civil judgments each year that will be reported by the 54 States Attorneys and an estimated 8 health plans, for a total of 62 reporters. Based on experience with the NPDB, we estimate that it will take 75 minutes to complete and submit each report.

    5. Section 61.11 requires Federal and State Governmental agencies and health plans to report any adjudicated action or decision related to the delivery of a health care item or service against health care providers, suppliers and practitioners. We estimate that there will be an approximate total of 800 other adjudicated actions or decision reports submitted to the HIPDB each year by 54 State governmental agencies and an estimated 12 health plans, for a total of 66 reporters. Based on experience with the NPDB, we estimate that it will take 75 minutes to complete and submit each report.

    6. Certain queriers have access to both the NPDB and the HIPDB. When these entities query one data bank, they may elect to automatically receive reports from both. The Department estimates that there will be 1,127,512 queries submitted to the HIPDB per year on health care providers, suppliers and practitioners, including an estimated 60,000 self-queries. These estimates include only queries submitted directly to the HIPDB; they do not include those transferred from the NPDB. The estimates of burden per response are based on experience with similar querying of the NPDB.

    7. To access the HIPDB, entities are required to certify that they meet section 1128E reporting and querying requirements by completing an Entity Registration form and submitting it to the HIPDB. The information collected on this form provides the HIPDB with essential information concerning the entity, such as name, address and entity type. Eligible entities, such as State licensing agencies or certain managed care organizations, that have access to both the NPDB and the HIPDB have already registered for the NPDB and are not required to register separately for the HIPDB. Entities eligible to access only the HIPDB must complete and submit the Entity Registration form. We estimate that it will take an entity 10 minutes to complete and submit the Entity Registration form to the HIPDB. If there are any changes in the entity's name, address, telephone, entity type designation, or query and report point of contact, the entity representative must update the information on the Entity Information Update form and submit it to the HIPDB. Of the 5,000 new registrants, we estimate 250 entities (5 percent of all new registrants) will need to update their organization's information each year.

    [[Page 57758]]

    An eligible entity may elect to have an outside organization query or report to the HIPDB on its behalf. This organization is referred to as an authorized agent. Before an authorized agent acts on behalf of an entity, the eligible entity must complete and submit an Agent Designation form to the HIPDB Help Line. The information collected on this form provides the HIPDB with essential information concerning the agent, such as name, address and telephone number. We estimate that 100 entities (2 percent of all new registrants) will elect an authorized agent to query or report to the HIPDB on their behalf. We estimate that it will take an entity 10 minutes to complete and submit the Agent Designation form to the HIPDB. For any changes to the authorized agent designation, such as routing of responses to queries or termination of an authorized agent, the eligible entity must update the information on the Agent Designation Update form and submit it to the HIPDB. We estimate that five of the 100 eligible entities will need to update their agent's information each year.

    8. Section 61.15 describes the process to be followed by a health care provider, supplier or practitioner in disputing the factual accuracy of information in a report and requesting Secretarial review of the disputed report. Based on experience with the NPDB, we estimate that 750 (10 percent of all new reports) will be entered into the ``disputed status.'' We estimate that it will take a health care provider, supplier or practitioner 10 minutes to notify the HIPDB to enter the report into ``disputed status.'' Of the 750 disputed reports, we estimate that only 37 reports (5 percent) will be forwarded to the Secretary for review. We estimate that it will take a health care provider, supplier or practitioner 8 hours to describe in writing which facts are in dispute and to gather supporting documentation related to the dispute.

    Forms to be used in the day-to-day management of the HIPDB would include the following:

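    -------------------------------------------------------------------------------------------------------------------------------
                                                  No. of  Responses per      Total  Hrs. per response  Total burden   Wage    Total
    Form name                                respondents     respondent  responses          (minutes)         hours   rate     cost
    -------------------------------------------------------------------------------------------------------------------------------
    Account Discrepancy                            2,000              1      2,000                  5           166    $15   $2,490
    Electronic Funds Transfer Authorization          850              1        850                  5            70     15    1,050
    Entity Reactivation                              500              1        500                  5            41     15      615
    -------------------------------------------------------------------------------------------------------------------------------
    Total                                          3,350       ........      3,350           ........           277  .....    4,155
    -------------------------------------------------------------------------------------------------------------------------------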

    Comments on this information collection activity should be sent to: Allison Herron Eydt, OIG Desk Officer, Office of Management and Budget, Room 10235, New Executive Office Building, 725 17th Street, N.W., Washington, D.C. 20053, FAX: (202) 395-6974.

  6. Waiver of Delayed Effective Date

    In publishing final regulations, we usually indicate an effective date of 30 days following their publication in the Federal Register. However, this procedure may be waived when an agency finds good cause that a delay in the effective date is impracticable, unnecessary or contrary to the public interest.

    Section 221(a) of HIPAA stated that the Secretary establish a national health care fraud and abuse data collection program by January 1, 1997. After a series of meetings with more than 1,000 current users of the NPDB and potential users of, and reporters to, the HIPDB (including health plans, State licensing boards, law enforcement officials, Federal and State Government agencies and professional associations), on October 31, 1998, we published a notice of proposed rulemaking in the Federal Register in which we requested public comment on the implementation of the HIPDB. As indicated, we received 117 formal public comments in response to that proposed rulemaking. Further, in developing the final rule, we have also taken into consideration the concerns of numerous Federal agencies, including the Department of Justice, the Department of Defense, the Department of Veterans Affairs and the U.S. Postal Inspection Service. Through this process, the Department has continued to work closely with the 17 national licensing boards organizations--including those for nurses, chiropractors, optometrists and physical therapists--that represent more than 4 million health care practitioners. In addition, the OIG also has contacted each State Governor regarding the reporting requirements of the HIPDB and continues to work with the States to help implement the States' reporting.

    To implement the requirements of the statute, we believe that it is urgent that final regulations be promulgated without further delay in order to (1) streamline the fact-gathering process by law enforcement officials, regulatory agencies and health plans; (2) allow health care-related final adverse actions taken against providers, practitioners and suppliers to be reported to the HIPDB; and (3) establish a centralized system that will make this information easily accessible to authorized users.

    In light of the fact that we have provided ample opportunity for public input and comment, and have worked closely with Federal and State Government agencies and various national organizations and their members in developing the HIPDB, we find that imposing the normal 30-day delay would be contrary to public interest. Therefore, consistent with 5 U.S.C. 553(d), we find good cause to waive the delay in the effective date of this rule and allow for the timely implementation of final regulations and the start-up of the data bank.

    List of Subjects in 45 CFR Part 61

    Billing and transportation services, Durable medical equipment suppliers and manufacturers, Health care insurers, Health maintenance organizations, Health professions, Home health care agencies, Hospitals, Penalties, Pharmaceutical suppliers and manufacturers, Privacy, Reporting and recordkeeping requirements, Skilled nursing facilities.

    Accordingly, a new 45 CFR part 61 is added to read as follows:

    PART 61--HEALTHCARE INTEGRITY AND PROTECTION DATA BANK FOR FINAL ADVERSE INFORMATION ON HEALTH CARE PROVIDERS, SUPPLIERS AND PRACTITIONERS

    Subpart A--General Provisions

    Sec.
    61.1 The Healthcare Integrity and Protection Data Bank.
    61.2 Applicability of these regulations.
    61.3 Definitions.

    Subpart B--Reporting of Information

    61.4 How information must be reported.
    61.5 When information must be reported.
    61.6 Reporting errors, omissions, revisions, or whether an action is on appeal.
    61.7 Reporting licensure actions taken by Federal or State licensing and certification agencies.
    61.8 Reporting Federal or State criminal convictions related to the delivery of a health care item or service.
    61.9 Reporting civil judgments related to the delivery of a health care item or service.
    61.10 Reporting exclusions from participation in Federal or State health care programs.
    61.11 Reporting other adjudicated actions or decisions.

    [[Page 57759]]

    Subpart C--Disclosure of Information by the Healthcare Integrity and Protection Data Bank

    61.12 Requesting information from the Healthcare Integrity and Protection Data Bank.
    61.13 Fees applicable to requests for information.
    61.14 Confidentiality of Healthcare Integrity and Protection Data Bank information.
    61.15 How to dispute the accuracy of Healthcare Integrity and Protection Data Bank information.
    61.16 Immunity.

    Authority: 42 U.S.C. 1320a-7e.

    Subpart A--General Provisions

    Sec. 61.1 The Healthcare Integrity and Protection Data Bank.

    (a) Section 1128E of the Social Security Act (the Act) authorizes the Secretary of Health and Human Services (the Secretary) to implement a national health care fraud and abuse data collection program for the reporting and disclosing of certain final adverse actions taken against health care providers, suppliers, or practitioners. Section 1128E of the Act also directs the Secretary to maintain a database of final adverse actions taken against health care providers, suppliers or practitioners. This data bank will be known as the Healthcare Integrity and Protection Data Bank (HIPDB). Settlements in which no findings or admissions of liability have been made will be excluded from being reported. However, if another action is taken against the provider, supplier or practitioner of a health care item or service as a result of or in conjunction with the settlement, that action is reportable to the HIPDB.

    (b) Section 1128E of the Act also requires the Secretary to implement the HIPDB in such a manner as to avoid duplication with the reporting requirements established for the National Practitioner Data Bank (NPDB) (See 45 CFR part 60). In accordance with the statute, the reporter responsible for reporting the final adverse actions to both the HIPDB and the NPDB will be required to submit only one report, provided that reporting is made through the Department's consolidated reporting mechanism that will sort the appropriate actions into the HIPDB, NPDB, or both.

    (c) The regulations in this part set forth the reporting and disclosure requirements for the HIPDB.

    Sec. 61.2 Applicability of these regulations.

    The regulations in this part establish reporting requirements applicable to Federal and State Government agencies and to health plans, as the terms are defined under Sec. 61.3.

    Sec. 61.3 Definitions.

    The following definitions apply to this part:

    Act means the Social Security Act.

    Affiliated or associated means health care entities with which a subject of a final adverse action has a commercial relationship, including but not limited to, organizations, associations, corporations, or partnerships. It also includes a professional corporation or other business entity composed of a single individual.

    Any other negative action or finding by a Federal or State licensing agency means any action or finding that under the State's law is publicly available information, and rendered by a licensing or certification authority, including but not limited to, limitations on the scope of practice, liquidations, injunctions and forfeitures. This definition also includes final adverse actions rendered by a Federal or State licensing or certification authority, such as exclusions, revocations or suspension of license or certification that occur in conjunction with settlements in which no finding of liability has been made (although such a settlement itself is not reportable under the statute). This definition excludes citations, corrective action plans and personnel actions.

    Civil judgment means a court-ordered action rendered in a Federal or State court proceeding, other than a criminal proceeding. This reporting requirement does not include Consent Judgments that have been agreed upon and entered to provide security for civil settlements in which there was no finding or admission of liability.

    Criminal conviction means a conviction as described in section 1128(i) of the Act.

    Exclusion means a temporary or permanent debarment of an individual or entity from participation in any Federal or State health-related program, in accordance with which items or services furnished by such person or entity will not be reimbursed under any Federal or State health-related program.

    Government agency includes, but is not limited to--

    (1) The U.S. Department of Justice;

    (2) The U.S. Department of Health and Human Services;

    (3) Any other Federal agency that either administers or provides payment for the delivery of health care services, including, but not limited to, the U.S. Department of Defense and the U.S. Department of Veterans Affairs;

    (4) Federal and State law enforcement agencies, including States Attorneys General and law enforcement investigators;

    (5) State Medicaid Fraud Control Units; and

    (6) Federal or State agencies responsible for the licensing and certification of health care providers, suppliers or licensed health care practitioners. Examples of such State agencies include Departments of Professional Regulation, Health, Social Services (including State Survey and Certification and Medicaid Single State agencies), Commerce and Insurance.

    Health care provider means a provider of services as defined in section 1861(u) of the Act; any health care entity (including a health maintenance organization, preferred provider organization or group medical practice) that provides health care services and follows a formal peer review process for the purpose of furthering quality health care, and any other health care entity that, directly or through contracts, provides health care services.

    Health care supplier means a provider of medical and other health care services as described in section 1861(s) of the Act; or any individual or entity, other than a provider, who furnishes, whether directly or indirectly, or provides access to, health care services, supplies, items, or ancillary services (including, but not limited to, durable medical equipment suppliers, manufacturers of health care items, pharmaceutical suppliers and manufacturers, health record services such as medical, dental and patient records, health data suppliers, and billing and transportation service suppliers). The term also includes any individual or entity under contract to provide such supplies, items or ancillary services; health plans as defined in this section (including employers that are self-insured); and health insurance producers (including but not limited to agents, brokers, solicitors, consultants and reinsurance intermediaries).

    Health plan means a plan, program or organization that provides health benefits, whether directly, through insurance, reimbursement or otherwise, and includes but is not limited to--

    (1) A policy of health insurance;

    (2) A contract of a service benefit organization;

    (3) A membership agreement with a health maintenance organization or other prepaid health plan;

    (4) A plan, program, or agreement established, maintained or made available by an employer or group of employers, a practitioner, provider or supplier group, third party administrator, integrated health care delivery system, employee welfare

    [[Page 57760]]

    association, public service group or organization or professional association; and

    (5) An insurance company, insurance service or insurance organization that is licensed to engage in the business of selling health care insurance in a State and which is subject to State law which regulates health insurance.

    Licensed health care practitioner, licensed practitioner, or practitioner means, with respect to a State, an individual who is licensed or otherwise authorized by the State to provide health care services (or any individual who, without authority, holds himself or herself out to be so licensed or authorized).

    Organization name means the subject's business or employer at the time the underlying acts occurred. If more than one business or employer is involved, the one most closely related to the underlying acts should be reported in the ``organization name,'' field with the others being reported in the ``affiliated or associated health care entities'' field.

    Organization type means a brief description of the nature of that business or employer.

    Other adjudicated actions or decisions means formal or official final actions taken against a health care provider, supplier or practitioner by a Federal or State governmental agency or a health plan; which include the availability of a due process mechanism, and; are based on acts or omissions that affect or could affect the payment, provision or delivery of a health care item or service. For example, a formal or official final action taken by a Federal or State governmental agency or a health plan may include, but is not limited to, a personnel-related action such as suspensions without pay, reductions in pay, reductions in grade for cause, terminations or other comparable actions. A hallmark of any valid adjudicated action or decision is the availability of a due process mechanism. The fact that the subject elects not to use the due process mechanism provided by the authority bringing the action is immaterial, as long as such a process is available to the subject before the adjudicated action or decision is made final. In general, if an ``adjudicated action or decision'' follows an agency's established administrative procedures (which ensure that due process is available to the subject of the final adverse action), it would qualify as a reportable action under this definition. This definition specifically excludes clinical privileging actions taken by Federal or State Government agencies and similar paneling decisions made by health plans. This definition does not include overpayment determinations made by Federal or State Government programs, their contractors or health plans; and it does not include denial of claims determinations made by Government agencies or health plans. For health plans that are not Government entities, an action taken following adequate notice and the opportunity for a hearing that meets the standards of due process set out in section 412(b) of the HCQIA (42 U.S.C. 11112(b)) also would qualify as a reportable action under this definition.

    Secretary means the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated.

    State means any of the fifty States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands and Guam.

    Voluntary surrender means a surrender made after a notification of investigation or a formal official request by a Federal or State licensing or certification authority for a health care provider, supplier or practitioner to surrender the license or certification (including certification agreements or contracts for participation in Federal or State health care programs). The definition also includes those instances where a health care provider, supplier or practitioner voluntarily surrenders a license or certification (including program participation agreements or contracts) in exchange for a decision by the licensing or certification authority to cease an investigation or similar proceeding, or in return for not conducting an investigation or proceeding, or in lieu of a disciplinary action.

    Subpart B--Reporting of Information

    Sec. 61.4 How information must be reported.

    Information must be reported to the HIPDB as required under Secs. 61.6, 61.7, 61.8, 61.9, 61.10, 61.11 and 61.15 in such form and manner as the Secretary may prescribe.

    Sec. 61.5 When information must be reported.

    (a) Information required under Secs. 61.7, 61.8, 61.9, 61.10 and 61.11 must be submitted to the HIPDB--

    (1) Within 30 calendar days from the date the final adverse action was taken or the date when the reporting entity became aware of the final adverse action; or

    (2) By the close of the entity's next monthly reporting cycle, whichever is later.

    (b) The date the final adverse action was taken, its effective date and duration of the action would be contained in the information reported to the HIPDB under Secs. 61.7, 61.8, 61.9, 61.10 and 61.11.

    Sec. 61.6 Reporting errors, omissions, revisions or whether an action is on appeal.

    (a) If errors or omissions are found after information has been reported, the reporter must send an addition or correction to the HIPDB. The HIPDB will not accept requests for readjudication of the case.

    (b) A reporter that reports information on licensure, criminal convictions, civil or administrative judgments, exclusions, or adjudicated actions or decisions under Secs. 61.7, 61.8, 61.9, 61.10 or 61.11 also must report any revision of the action originally reported. Revisions include, but are not limited to, reversal of a criminal conviction, reversal of a judgment or other adjudicated decisions or whether the action is on appeal, and reinstatement of a license.

    (c) The subject will receive a copy of all reports, including revisions and corrections to the report.

    (d) Upon receipt of a report, the subject--

    (1) Can accept the report as written;

    (2) May provide a statement to the HIPDB that will be permanently appended to the report, either directly or through a designated representative (The HIPDB will distribute the statement to queriers, where identifiable, and to the reporting entity and the subject of the report. The HIPDB will not edit the statement; only the subject can, upon request, make changes to the statement); or

    (3) May follow the dispute process in accordance with Sec. 61.15.

    Sec. 61.7 Reporting licensure actions taken by Federal or State licensing and certification agencies.

    (a) What actions must be reported. Federal and State licensing and certification agencies must report to the HIPDB the following final adverse actions that are taken against a health care provider, supplier, or practitioner (regardless of whether the final adverse action is the subject of a pending appeal)--

    (1) Formal or official actions, such as revocation or suspension of a license or certification agreement or contract for participation in Federal or State health care programs (and the length of any such suspension), reprimand, censure or probation;

    (2) Any other loss of the license or loss of the certification agreement or contract for participation in Federal or

    [[Page 57761]]

    State health care programs, or the right to apply for, or renew, a license or certification agreement or contract of the provider, supplier, or practitioner, whether by operation of law, voluntary surrender, non-renewal (excluding nonrenewals due to nonpayment of fees, retirement, or change to inactive status), or otherwise; and

    (3) Any other negative action or finding by such Federal or State agency that is publicly available information.

    (b) Entities described in paragraph (a) of this section must report the following information:

    (1) If the subject is an individual, personal identifiers, including:

    (i) Name;

    (ii) Social Security Number;

    (iii) Home address or address of record;

    (iv) Sex; and

    (v) Date of birth.

    (2) If the subject is an individual, that individual's employment or professional identifiers, including:

    (i) Organization name and type;

    (ii) Occupation and specialty, if applicable;

    (iii) National Provider Identifier (NPI), when issued by the Health Care Financing Administration (HCFA);

    (iv) Name of each professional school attended and year of graduation; and

    (v) With respect to the State professional license (including professional certification and registration) on which the reported action was taken, the license number, the field of licensure, and the name of the State or territory in which the license is held.

    (3) If the subject is an organization, identifiers, including:

    (i) Name;

    (ii) Business address;

    (iii) Federal Employer Identification Number (FEIN), or Social Security Number when used by the subject as a Taxpayer Identification Number (TIN);

    (iv) The NPI, when issued by HCFA;

    (v) Type of organization; and

    (vi) With respect to the State license (including certification and registration) on which the reported action was taken, the license and the name of the State or territory in which the license is held.

    (4) For all subjects:

    (i) A narrative description of the acts or omissions and injuries upon which the reported action was based;

    (ii) Classification of the acts or omissions in accordance with a reporting code adopted by the Secretary;

    (iii) Classification of the action taken in accordance with a reporting code adopted by the Secretary, and the amount of any monetary penalty resulting from the reported action;

    (iv) The date the action was taken, its effective date and duration;

    (v) If the action is on appeal;

    (vi) Name of the agency taking the action;

    (vii) Name and address of the reporting entity; and

    (viii) The name, title and telephone number of the responsible official submitting the report on behalf of the reporting entity.

    (c) Entities described in paragraph (a) of this section should report, if known, the following information:

    (1) If the subject is an individual, personal identifiers, including:

    (i) Other name(s) used;

    (ii) Other address;

    (iii) FEIN, when used by the individual as a TIN; and

    (iv) If deceased, date of death.

    (2) If the subject is an individual, that individual's employment or professional identifiers, including:

    (i) Other State professional license number(s), field(s) of licensure, and the name(s) of the State or territory in which the license is held;

    (ii) Other numbers assigned by Federal or State agencies, to include, but not limited to Drug Enforcement Administration (DEA) registration number(s), Unique Physician Identification Number(s) (UPIN), and Medicaid and Medicare provider number(s);

    (iii) Name(s) and address(es) of any health care entity with which the subject is affiliated or associated; and

    (iv) Nature of the subject's relationship to each associated or affiliated health care entity.

    (3) If the subject is an organization, identifiers, including:

    (i) Other name(s) used;

    (ii) Other address(es) used;

    (iii) Other FEIN(s) or Social Security Number(s) used;

    (iv) Other NPI(s) used;

    (v) Other State license number(s) and the name(s) of the State or territory in which the license is held;

    (vi) Other numbers assigned by Federal or State agencies, to include, but not limited to Drug Enforcement Administration (DEA) registration number(s), Clinical Laboratory Improvement Act (CLIA) number(s), Food and Drug Administration (FDA) number(s), and Medicaid and Medicare provider number(s);

    (vii) Names and titles of principal officers and owners;

    (viii) Name(s) and address(es) of any health care entity with which the subject is affiliated or associated; and

    (ix) Nature of the subject's relationship to each associated or affiliated health care entity.

    (4) For all subjects:

    (i) If the subject will be automatically reinstated; and

    (ii) The date of appeal, if any.

    (d) Sanctions for failure to report. The Secretary will provide for a publication of a public report that identifies those Government agencies that have failed to report information on adverse actions as required to be reported under this section.

    Sec. 61.8 Reporting Federal or State criminal convictions related to the delivery of a health care item or service.

    (a) Who must report. Federal and State prosecutors must report criminal convictions against health care providers, suppliers, and practitioners related to the delivery of a health care item or service (regardless of whether the conviction is the subject of a pending appeal).

    (b) Entities described in paragraph (a) of this section must report the following information:

    (1) If the subject is an individual, personal identifiers, including:

    (i) Name;

    (ii) Social Security Number;

    (iii) Home address or address of record;

    (iv) Sex; and

    (v) Date of birth.

    (2) If the subject is an individual, that individual's employment or professional identifiers, including:

    (i) Organization name and type;

    (ii) Occupation and specialty, if applicable; and

    (iii) National Provider Identifier (NPI), when issued by the Health Care Financing Administration (HCFA).

    (3) If the subject is an organization, identifiers, including:

    (i) Name;

    (ii) Business address;

    (iii) Federal Employer Identification Number (FEIN), or Social Security Number when used by the subject as a Taxpayer Identification Number (TIN);

    (iv) The NPI, when issued by HCFA; and

    (v) Type of organization.

    (4) For all subjects:

    (i) A narrative description of the acts or omissions and injuries upon which the reported action was based;

    (ii) Classification of the acts or omissions in accordance with a reporting code adopted by the Secretary;

    (iii) Name and location of court or judicial venue in which the action was taken;

    (iv) Docket or court file number;

    (v) Type of action taken;

    (vi) Statutory offense(s) and count(s);

    (vii) Name of primary prosecuting agency (or the plaintiff in civil actions);

    [[Page 57762]]

    (viii) Date of sentence or judgment;

    (ix) Length of incarceration, detention, probation, community service or suspended sentence;

    (x) Amounts of any monetary judgment, penalty, fine, assessment or restitution;

    (xi) Other sentence, judgment or orders;

    (xii) If the action is on appeal;

    (xiii) Name and address of the reporting entity; and

    (xiv) The name, title and telephone number of the responsible official submitting the report on behalf of the reporting entity.

    (c) Entities described in paragraph (a) of this section should report, if known, the following information:

    (1) If the subject is an individual, personal identifiers, including:

    (i) Other name(s) used;

    (ii) Other address; and

    (iii) FEIN, when used by the individual as a TIN.

    (2) If the subject is an individual, that individual's employment or professional identifiers, including:

    (i) State professional license (including professional certification and registration) number(s), field(s) of licensure, and the name(s) of the State or territory in which the license is held;

    (ii) Other numbers assigned by Federal or State agencies, to include, but not limited to Drug Enforcement Administration (DEA) registration number(s), Unique Physician Identification Number(s) (UPIN), and Medicaid and Medicare provider number(s);

    (iii) Name(s) and address(es) of any health care entity with which the subject is affiliated or associated; and

    (iv) Nature of the subject's relationship to each associated or affiliated health care entity.

    (3) If the subject is an organization, identifiers, including:

    (i) Other name(s) used;

    (ii) Other address(es) used;

    (iii) Other FEIN(s) or Social Security Number(s) used;

    (iv) Other NPI(s) used;

    (v) State license (including certification and registration) number(s) and the name(s) of the State or territory in which the license is held;

    (vi) Other numbers assigned by Federal or State agencies, to include, but not limited to Drug Enforcement Administration (DEA) registration number(s), Clinical Laboratory Improvement Act (CLIA) number(s), Food and Drug Administration (FDA) number(s), and Medicaid and Medicare provider number(s);

    (vii) Names and titles of principal officers and owners;

    (viii) Name(s) and address(es) of any health care entity with which the subject is affiliated or associated; and

    (ix) Nature of the subject's relationship to each associated or affiliated health care entity.

    (4) For all subjects:

    (i) Prosecuting agency's case number;

    (ii) Investigative agencies involved;

    (iii) Investigative agencies case or file number(s); and

    (iv) The date of appeal, if any.

    (d) Sanctions for failure to report. The Secretary will provide for publication of a public report that identifies those Government agencies that have failed to report information on criminal convictions as required to be reported under this section.

    Sec. 61.9 Reporting civil judgments related to the delivery of a health care item or service.

    (a) Who must report. Federal and State attorneys and health plans must report civil judgments against health care providers, suppliers, or practitioners related to the delivery of a health care item or service (regardless of whether the civil judgment is the subject of a pending appeal). If a Government agency is party to a multi-claimant civil judgment, it must assume the responsibility for reporting the entire action, including all amounts awarded to all the claimants, both public and private. If there is no Government agency as a party, but there are multiple health plans as claimants, the health plan which receives the largest award must be responsible for reporting the total action for all parties.

    (b) Entities described in paragraph (a) of this section must report the information as required in Sec. 61.8(b).

    (c) Entities described in paragraph (a) of this section should report, if known, the information as described in Sec. 61.8(c).

    (d) Sanctions for failure to report. Any health plan that fails to report information on a civil judgment required to be reported under this section will be subject to a civil money penalty (CMP) of not more than $25,000 for each such adverse action not reported. Such penalty will be imposed and collected in the same manner as CMPs under subsection (a) of section 1128A of the Act. The Secretary will provide for publication of a public report that identifies those Government agencies that have failed to report information on civil judgments as required to be reported under this section.

    Sec. 61.10 Reporting exclusions from participation in Federal or State health care programs.

    (a) Who must report. Federal and State Government agencies must report health care providers, suppliers, or practitioners excluded from participating in Federal or State health care programs, including exclusions that were made in a matter in which there was also a settlement that is not reported because no findings or admissions of liability have been made (regardless of whether the exclusion is the subject of a pending appeal).

    (b) Entities described in paragraph (a) of this section must report the following information:

    (1) If the subject is an individual, personal identifiers, including:

    (i) Name;

    (ii) Social Security Number;

    (iii) Home address or address of record;

    (iv) Sex; and

    (v) Date of birth.

    (2) If the subject is an individual, that individual's employment or professional identifiers, including:

    (i) Organization name and type;

    (ii) Occupation and specialty, if applicable; and

    (iii) National Provider Identifier (NPI), when issued by the Health Care Financing Administration (HCFA).

    (3) If the subject is an organization, identifiers, including:

    (i) Name;

    (ii) Business address;

    (iii) Federal Employer Identification Number (FEIN), or Social Security Number when used by the subject as a Taxpayer Identification Number (TIN);

    (iv) The NPI, when issued by HCFA; and

    (v) Type of organization.

    (4) For all subjects:

    (i) A narrative description of the acts or omissions and injuries upon which the reported action was based;

    (ii) Classification of the acts or omissions in accordance with a reporting code adopted by the Secretary;

    (iii) Classification of the action taken in accordance with a reporting code adopted by the Secretary, and the amount of any monetary penalty resulting from the reported action;

    (iv) The date the action was taken, its effective date and duration;

    (v) If the action is on appeal;

    (vi) Name of the agency taking the action;

    (vii) Name and address of the reporting entity; and

    (viii) The name, title and telephone number of the responsible official submitting the report on behalf of the reporting entity.

    [[Page 57763]]

    (c) Entities described in paragraph (a) of this section should report, if known, the following information:

    (1) If the subject is an individual, personal identifiers, including:

    (i) Other name(s) used;

    (ii) Other address;

    (iii) FEIN, when used by the individual as a TIN;

    (iv) Name of each professional school attended and year of graduation; and

    (v) If deceased, date of death.

    (2) If the subject is an individual, that individual's employment or professional identifiers, including:

    (i) State professional license (including professional registration and certification) number(s), field(s) of licensure, and the name(s) of the State or Territory in which the license is held;

    (ii) Other numbers assigned by Federal or State agencies, to include, but not limited to Drug Enforcement Administration (DEA) registration number(s), Unique Physician Identification Number(s) (UPIN), and Medicaid and Medicare provider number(s);

    (iii) Name(s) and address(es) of any health care entity with which the subject is affiliated or associated; and

    (iv) Nature of the subject's relationship to each associated or affiliated health care entity.

    (3) If the subject is an organization, identifiers, including:

    (i) Other name(s) used;

    (ii) Other address(es) used;

    (iii) Other FEIN(s) or Social Security Number(s) used;

    (iv) Other NPI(s) used;

    (v) State license (including registration and certification) number(s) and the name(s) of the State or territory in which the license is held;

    (vi) Other numbers assigned by Federal or State agencies, to include, but not limited to Drug Enforcement Administration (DEA) registration number(s), Clinical Laboratory Improvement Act (CLIA) number(s), Food and Drug Administration (FDA) number(s), and Medicaid and Medicare provider number(s);

    (vii) Names and titles of principal officers and owners;

    (viii) Name(s) and address(es) of any health care entity with which the subject is affiliated or associated; and

    (ix) Nature of the subject's relationship to each associated or affiliated health care entity.

    (4) For all subjects:

    (i) If the subject will be automatically reinstated; and

    (ii) The date of appeal, if any.

    (d) Sanctions for failure to report. The Secretary will provide for publication of a public report that identifies those Government agencies that have failed to report information on exclusions or debarments as required to be reported under this section.

    Sec. 61.11 Reporting other adjudicated actions or decisions.

    (a) Who must report. Federal and State governmental agencies and health plans must report other adjudicated actions or decisions as defined in Sec. 61.3 related to the delivery, payment or provision of a health care item or service against health care providers, suppliers, and practitioners (regardless of whether the other adjudicated action or decision is subject to a pending appeal).

    (b) Entities described in paragraph (a) of this section must report the information as required in Sec. 61.10(b).

    (c) Entities described in paragraph (a) of this section should report, if known, the information as described in Sec. 61.10(c).

    (d) Sanctions for failure to report. Any health plan that fails to report information on an other adjudicated action or decision required to be reported under this section will be subject to a civil money penalty (CMP) of not more than $25,000 for each such action not reported. Such penalty will be imposed and collected in the same manner as CMPs under subsection (a) of section 1128A of the Act. The Secretary will provide for publication of a public report that identifies those Government agencies that have failed to report information on other adjudicated actions as required to be reported under this section.

    Subpart C--Disclosure of Information by the Healthcare Integrity and Protection Data Bank

    Sec. 61.12 Requesting information from the Healthcare Integrity and Protection Data Bank.

    (a) Who may request information and what information may be available. Information in the HIPDB will be available, upon request, to the following persons or entities, or their authorized agents--

    (1) Federal and State Government agencies;

    (2) Health plans;

    (3) A health care practitioner, provider, or supplier requesting information concerning himself, herself or itself; and

    (4) A person or entity requesting statistical information, which does not permit identification of any individual or entity. (For example, researchers can use statistical information to identify the total number of practitioners excluded from the Medicare and Medicaid programs. Similarly, health plans can use statistical information to develop outcome measures in their efforts to monitor and improve quality care.)

    (b) Procedures for obtaining HIPDB information. Eligible individuals and entities may obtain information from the HIPDB by submitting a request in such form and manner as the Secretary may prescribe. These requests are subject to fees set forth in Sec. 61.13. The HIPDB will comply with the Department's principles of fair information practice by providing each subject of a report with a copy when the report is entered into the HIPDB.

    (c) Information provided in response to self-queries. (1) At the time subjects request information as part of a ``self-query,'' the subject will receive--

    (i) Any report(s) in the HIPDB specific to them; and

    (ii) A disclosure history from the HIPDB of the name(s) of any entity (or entities) that have previously received the report(s).

    (2) The disclosure history will be restricted in accordance with the Privacy Act regulations set forth in 45 CFR part 5b.

    Sec. 61.13 Fees applicable to requests for information.

    (a) Policy on fees. The fees described in this section apply to all requests for information from the HIPDB, except requests from Federal agencies. However, for purposes of verification and dispute resolution at the time the report is accepted, the HIPDB will provide a copy--at the time a report has been submitted automatically, without a request and free of charge--of every report to the health care provider, supplier or practitioner who is the subject of the report. For the same purpose, the Department will provide a copy of the report--at the time a report has been submitted automatically, without a request and free of charge--to the reporter that submitted it. The fees are authorized by section 1128E(d)(2) of the Act, and they reflect the full costs of operating the database. The actual fees will be announced by the Secretary in periodic notices in the Federal Register.

    (b) Criteria for determining the fee. The amount of each fee will be determined based on the following criteria--

    (1) Direct and indirect personnel costs;

    (2) Physical overhead, consulting, and other indirect costs including rent and depreciation on land, buildings and equipment;

    [[Page 57764]]

    (3) Agency management and supervisory costs;

    (4) Costs of enforcement, research and establishment of regulations and guidance;

    (5) Use of electronic data processing equipment to collect and maintain information--the actual cost of the service, including computer search time, runs and printouts; and

    (6) Any other direct or indirect costs related to the provision of services.

    (c) Assessing and collecting fees. The Secretary will announce through periodic notice in the Federal Register the method of payment of fees. In determining these methods, the Secretary will consider efficiency, effectiveness and convenience for users and for the Department. Methods may include credit card, electronic funds transfer and other methods of electronic payment.

    Sec. 61.14 Confidentiality of Healthcare Integrity and Protection Data Bank information.

    Information reported to the HIPDB is considered confidential and will not be disclosed outside the Department, except as specified in Secs. 61.12 and 61.15. Persons and entities receiving information from the HIPDB, either directly or from another party, must use it solely with respect to the purpose for which it was provided. Nothing in this section will prevent the disclosure of information by a party from its own files used to create such reports where disclosure is otherwise authorized under applicable State or Federal law.

    Sec. 61.15 How to dispute the accuracy of Healthcare Integrity and Protection Data Bank information.

    (a) Who may dispute the HIPDB information. The HIPDB will routinely mail or transmit electronically to the subject a copy of the report filed in the HIPDB. The subject of the report or a designated representative may dispute the accuracy of a report concerning himself, herself or itself within 60 calendar days of receipt of the report.

    (b) Procedures for disputing a report with the reporting entity. If the subject disagrees with the reported information, the subject must request in writing that the HIPDB enter the report into ``disputed status.''

    (2) The HIPDB will send the report, with a notation that the report has been placed in ``disputed status,'' to queriers (where identifiable), the reporting entity and the subject of the report.

    (3) The subject must attempt to enter into discussion with the reporting entity to resolve the dispute. If the reporting entity revises the information originally submitted to the HIPDB, the HIPDB will notify the subject and all entities to whom reports have been sent that the original information has been revised. If the reporting entity does not revise the reported information, or does not respond to the subject within 60 days, the subject may request that the Secretary review the report for accuracy. The Secretary will decide whether to correct the report within 30 days of the request. This time frame may be extended for good cause. The subject also may provide a statement to the HIPDB, either directly or through a designated representative, that will permanently append the report.

    (c) Procedures for requesting a Secretarial review. The subject must request, in writing, that the Secretary of the Department review the report for accuracy. The subject must return this request to the HIPDB along with appropriate materials that support the subject's position. The Secretary will only review the accuracy of the reported information, and will not consider the merits or appropriateness of the action or the due process that the subject received.

    (2) After the review, if the Secretary--

    (i) Concludes that the information is accurate and reportable to the HIPDB, the Secretary will inform the subject and the HIPDB of the determination. The Secretary will include a brief statement (Secretarial Statement) in the report that describes the basis for the decision. The report will be removed from ``disputed status.'' The HIPDB will distribute the corrected report and statement(s) to previous queriers (where identifiable), the reporting entity and the subject of the report.

    (ii) Concludes that the information contained in the report is inaccurate, the Secretary will inform the subject of the determination and direct the HIPDB or the reporting entity to revise the report. The Secretary will include a brief statement (Secretarial Statement) in the report describing the findings. The HIPDB will distribute the corrected report and statement(s) to previous queriers (where identifiable), the reporting entity and the subject of the report.

    (iii) Determines that the disputed issues are outside the scope of the Department's review, the Secretary will inform the subject and the HIPDB of the determination. The Secretary will include a brief statement (Secretarial Statement) in the report describing the findings. The report will be removed from ``disputed status.'' The HIPDB will distribute the report and the statement(s) to previous queriers (where identifiable), the reporting entity and the subject of the report.

    (iv) Determines that the adverse action was not reportable and therefore should be removed from the HIPDB, the Secretary will inform the subject and direct the HIPDB to void the report. The HIPDB will distribute a notice to previous queriers (where identifiable), the reporting entity and the subject of the report that the report has been voided.

    Sec. 61.16 Immunity.

    Individuals, entities or their authorized agents and the HIPDB shall not be held liable in any civil action filed by the subject of a report unless the individual, entity or authorized agent submitting the report has actual knowledge of the falsity of the information contained in the report.

    Dated: May 4, 1999. June Gibbs Brown, Inspector General.

    Approved: May 21, 1999. Donna E. Shalala, Secretary.

    [FR Doc. 99-27472 Filed 10-25-99; 8:45 am]

    BILLING CODE 4150-04-P
