Privacy Act; implementation,

[Federal Register: October 26, 1999 (Volume 64, Number 206)]

[Proposed Rules]

[Page 57619-57620]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr26oc99-34]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary Office of Inspector General

45 CFR Part 5b

RIN 0991-AA99

Privacy Act; Exempt Record System

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice of proposed rulemaking.

SUMMARY: This proposed rule would exempt the new system of records, the Healthcare Integrity and Protection Data Bank (HIPDB), from certain provisions of the Privacy Act (5 U.S.C. 552a). The establishment of the HIPDB is required by section 1128E of the Social Security Act (the Act), as added by section 221(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Section 1128E of the Act directed the Secretary to establish a national health care fraud and abuse data collection program for the reporting and disclosing of certain final adverse actions taken against health care providers, suppliers or practitioners, and to maintain a data base of final adverse actions taken against health care providers, suppliers and practitioners. The new HIPDB system of records is being established by separate Federal Register notice. The proposed exemption being set forth in this rule would apply to investigative materials compiled for law enforcement purposes in anticipation of civil or criminal proceedings. This rule specifically seeks public comments on the proposed exemption.

DATES: To assure consideration, public comments must be delivered to the address provided below by no later than 5 p.m. on November 26, 1999.

ADDRESSES: Please mail or deliver your written comments to the following address: Department of Health and Human Services, Office of Inspector General, 330 Independence Avenue, SW, Room 5246, Attention: OIG-60-P, Washington, DC 20201.

Because of staffing and resource limitations, we cannot accept comments by facsimile (FAX) transmission. In commenting, please refer to file code OIG-60-P.

FOR FURTHER INFORMATION CONTACT: Rick Burguieres, Investigative Policy and Information Management Staff, Office of Investigations, (202) 205- 5200.

SUPPLEMENTARY INFORMATION: The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, requires the Secretary, acting through the Office of Inspector General (OIG) and the United States Attorney General, to establish a new health care fraud and abuse control program to combat health care fraud and abuse (see section 1128C of the Act, as enacted by section 201(a) of HIPAA). Among the major steps in this program is the establishment of a national data bank to receive and disclose certain final adverse actions against health care providers, suppliers, or practitioners (see section 1128C(a)(1)(E) of the Act). The establishment of the data bank is required by section 1128E of the Act (added by section 221(a) of HIPAA), which directs the Secretary to maintain a data base of such final adverse actions. Final adverse actions include: (1) Civil judgments against a health care provider, supplier, or practitioner in Federal or State court related to the delivery of a health care item or service; (2) Federal or State criminal convictions against a health care provider, supplier, or practitioner related to the delivery of a health care item or service; (3) actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers, or practitioners; (4) exclusion of a health care provider, supplier, or practitioner from participation in Federal or State health care programs; and (5) any other adjudicated actions or decisions that the Secretary establishes by regulations. Settlements in which no findings or admissions of liability have been made will be excluded from reporting. However, any final adverse action that emanates from such settlements, and that would otherwise be reportable under the statute, is to be reported to the data bank. Final adverse actions are to be reported, regardless of whether such actions are being appealed by the subject of the report (see section 1128E(b)(2)(C) of the Act).

[[Page 57620]]

Groups that have access to this new data bank system include Federal and State government agencies; health plans; and self queries from health care suppliers, providers and practitioners. Reporting is limited to the same groups that have access to the information. One of the primary purposes of these data will be use of this information by a Federal or State government agency charged with the responsibility of investigating or prosecuting a case where there is an indication of a violation or potential violation of law, whether civil, criminal or regulatory in nature. The information in this system may also be used in the preparation for a trial or hearing for such violation.

Specifically, this proposed rule would exempt this new records system from certain provisions of the Privacy Act.‹SUP›1‹/SUP› This exemption is intended to protect, from release to the record subject, information on law enforcement queries to the data bank. It would also exempt the data bank from Privacy Act access and amendment procedures in order to establish access and amendment procedures in the HIPDB regulations.

\1\ Subsections (c)(3), (d)(1)-(4), and (e)(4)(G) and (H) of the Privacy Act, in accordance with 5 U.S.C. 522a(k)(2) and 45 CFR 5b.11(b)(ii)(F).

While subjects will have access to information on all other queries to the data bank, disclosure of law enforcement queries could compromise ongoing investigation activities. The premature disclosure of the existence of a law enforcement activity to an outside party (who may also be the subject of the investigation) could lead to, among other things, the destruction or alteration of evidence and the tampering with witnesses.

Record subjects are guaranteed access to, and correction rights for, substantive information reported to the HIPDB. The procedures, set out in 45 CFR part 61, use the Privacy Act access and correction procedures as a basic framework while, at the same time, providing significant additional rights (such as automatic notification to the record subject of any report filedwith the data bank). Data bank subjects also have broader rights on HIPDB correction procedures, including the right to file a statement of disagreement as soon as a report is filedwith the data bank.

Regulatory Impact Statement

The Office of Management and Budget has reviewed this proposed rule in accordance with the provisions of Executive Order 12866 and the Regulatory Flexibility Act (5 U.S.C. 601-612), and has determined that it does not meet the criteria for a significant regulatory action. Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when rulemaking is necessary, to select regulatory approaches that maximize net benefits, including potential economic, environmental, public health, safety distributive and equity effects. In addition, under the Small Business Enforcement Act (SBEA) of 1996, if a rule has a significant economic effect on a substantial number of small businesses, the Secretary must specifically consider the economic effect of a rule on small business entities and analyze regulatory options that could lessen the impact of the rule. The Secretary has reviewed this proposed exemption in accordance with the provisions of the SBEA, and certifies that this proposed exemption will not have a significant impact on a substantial number of small entities. Specifically, as indicated above, while the reports of adverse actions to the HIPDB will be known to the subjects of the records in the data bank, the access and use of such information by law enforcement agencies would not be known to the subjects of the records. As a result, we believe that disclosure of this information could compromise ongoing law enforcement activities.

Public Inspection of Comments and Response to Comments

Comments will be available for public inspection November 9, 1999, in Room 5518, Office of Counsel to the Inspector General, at 330 Independence Avenue, SW, Washington, DC on Monday through Friday of each week (Federal holidays excepted) between the hours of 9 a.m. and 4 p.m., (202) 619-0089.

Because of the large number of items of correspondence we normally receive on Federal Register documents published for comment, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the DATES section of this preamble, and will respond to the comments in the preamble of the final rule.

List of Subjects in 5 CFR Part 5b

Privacy.

Accordingly, the Department's Privacy Act regulations at 45 CFR part 5b would be amended follows:

PART 5b--[AMENDED]

Part 5b would be amended as follows:

1. The authority citation for part 5b would continue to read as follows:

   Authority: 5 U.S.C. 301, 5 U.S.C. 552a.

2. Section 5b.11 would be amended by adding a new paragraph (b)(2)(ii)(F) to read as follows:

   Sec. 5b. 11 Exempt systems.

   * * * * *

   (b) Specific systems of records exempt. * * *

   (2) * * *

   (ii) * * *

   (F) The Healthcare Integrity and Protection Data Bank (HIPDB) of the Office of Inspector General. (See Sec. 61.15 of this title for access and correction rights under the HIPDB by subjects of the Data Bank.) * * * * *

   Dated: June 3, 1999. June Gibbs Brown, Inspector General.

   Approved: July 2, 1999. Donna E. Shalala, Secretary.

   [FR Doc. 99-27587Filed10-25-99; 8:45 am]

   BILLING CODE 4160-15-P