Privacy Act of 1974; Report of an Altered System of Records
Federal Register, Volume 77 Issue 62 (Friday, March 30, 2012)
Federal Register Volume 77, Number 62 (Friday, March 30, 2012)
From the Federal Register Online via the Government Printing Office www.gpo.gov
FR Doc No: 2012-7612
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Resources and Services Administration
Privacy Act of 1974; Report of an Altered System of Records
AGENCY: Department of Health and Human Services (HHS), Health Resources and Services Administration (HRSA).
ACTION: Notice of an Altered System of Records (SOR).
SUMMARY: In accordance with the requirements of the Privacy Act of 1974 (5 U.S.C. 552a), as amended, the Health Resources and Services Administration (HRSA) is publishing a notice to alter the system of records for the National Practitioner Data Bank for Adverse Information on Physicians and Other Health Care Practitioners, HHS/HRSA/BHPR. The System of Records Notice (SORN) 09-15-0054 was last published on October 1, 2010 (75 FR 60763). The Health Care Quality Improvement Act of 1986, as amended, title IV of Public Law 99-660 (42 U.S.C. 11101 et seq.) authorized the Secretary to establish a National Practitioner Data Bank (NPDB) to collect and release certain information relating to the professional competence and conduct of physicians, dentists, and other health care practitioners. By law, the information is releasable only to the specific entities described in the SORN. The law requires the maintenance of records such as medical malpractice payments, adverse licensure and clinical privilege actions, disciplinary actions taken by Boards of Medical Examiners, and professional review actions taken by entities against physicians, dentists, and other healthcare practitioners. Section 1921 of the Social Security Act, as amended, expands reporting to the NPDB to authorize maintenance of records of adverse licensure actions and negative actions or findings taken by a State licensing authority, peer review organization, or private accreditation entity against all health care practitioners or healthcare entities.
The primary purpose of this alteration is to publish the Privacy Act exemptions that became necessary after implementation of Section 1921, which entitles law enforcement agencies to access NPDB information and which therefore requires a similar exemption from certain provisions of the Privacy Act that the Healthcare Integrity and Protection Data Bank (HIPDB) has for investigative materials. Because some of the records may be queried by law enforcement agencies for investigative purposes (i.e., as opposed to employment or other purposes), the system will be exempt from certain Privacy Act requirements to the extent necessary to avoid revealing law enforcement investigative interest and compromising law enforcement investigations. Another purpose of this alteration is to add a new routine use pertaining to system security, which is being added to other SORNs published by HHS.
DATES: As required by the Privacy Act (5 U.S.C. 552a(r)), HRSA filed an altered system of records report with the Chair of the House Committee on Oversight and Government Reform, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), on 1/25/12. To ensure all parties have adequate time in which to comment, the altered system will become effective 30 days from the publication of this notice or 40 days from the date it was submitted to OMB and Congress, whichever is later, unless HRSA receives comments that require alterations to this notice.
ADDRESSES: Please address comments to Associate Administrator, Bureau of Health Professions, Health Resources and Services Administration, 5600 Fishers Lane, Room 8-103, Rockville, Maryland 20857. Comments received will be available for inspection at this same address from 9 a.m. to 3 p.m. (Eastern Standard Time Zone), Monday through Friday.
FOR FURTHER INFORMATION CONTACT: Director, Division of Practitioner Data Banks, Bureau of Health Professions, 5600 Fishers Lane, Room 8-
103, Rockville, Maryland 20857; Telephone: (301) 443-2300. This is not a toll-free number.
SUPPLEMENTARY INFORMATION: The National Practitioner Data Bank (NPDB) is primarily an alert or flagging system intended to facilitate a comprehensive review of health care practitioners' professional credentials for the purpose of protecting the public from unfit practitioners. On January 28, 2010, the Health Resources and Services Administration published a final rule in the Federal Register (75 FR 4656) designed to implement section 1921 of the Social Security Act (herein referred to as section 1921). Section 1921 expands the scope of the NPDB. Section 1921 requires each state to adopt a system of reporting to the Secretary certain adverse licensure actions taken against health care practitioners and health care entities by any authority of the state responsible for the licensing of such practitioners or entities. It also requires each state to report any negative action or finding that a state licensing authority, a peer review organization, or a private accreditation entity has finalized against a health care practitioner or entity. Practically speaking, Section 1921 resulted in, among other consequences, the inclusion of the vast majority of information contained in the Healthcare Integrity and Protection Data Bank (HIPDB), a companion data bank, in the NPDB.
The HIPDB was created by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law (Pub. L. 104-191), which required the Secretary of HHS, acting through the Office of Inspector General (OIG) and the United States Attorney General, to establish a new health care fraud and abuse control program to combat health care fraud and abuse. Although their purposes are different, together the HIPDB and NPDB serve to facilitate review of health care practitioners' and entities' backgrounds. The HIPDB is exempt from certain provisions of the Privacy Act (see 45 CFR 5b.11(b)(2)(ii)(F)). In order to maintain the exemption for the HIPDB investigative materials, which are now also available through the NPDB, and other expanded information which law enforcement agencies can access, it was necessary to extend similar Privacy Act exemptions for the HIPDB to the NPDB. The new routine use that is being added for this system pertains to system security. It is not specific to the NPDB system; it is being added to new, existing, and updated SORNs published by HHS for other systems that are affected by the same security requirement.
Dated: March 21, 2012.
Mary K. Wakefield,
National Practitioner Data Bank for Adverse Information on Physicians and Other Health Care Practitioners, HHS/HRSA/BHPR.
A contractor, SRA International, Inc., operates and maintains an Internet-based system through a technical service contract for the Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration. SRA's physical address is 4350 Fair Lakes Courts, Fairfax, Virginia 22033-4233. This system is located at the AT&T Data Center, a secure facility; the street address will not be disclosed for security reasons.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The system collects and maintains records pertaining to the professional competence and conduct of individual health care practitioners (doctors, dentists, nurses, allied health care professionals, social workers, etc.) and health care entities (hospitals, laboratories, pharmacies, etc.).
CATEGORIES OF RECORDS IN THE SYSTEM:
The system collects and maintains reports and query history records. Reports include: (1) Medical malpractice payment reports for all health care practitioners, i.e., physicians, dentists, nurses, optometrists, pharmacists, and podiatrists, etc.; (2) adverse clinical privilege action reports for physicians, dentists, and other healthcare practitioners who may have medical staff privileges either restricted or surrendered; (3) adverse licensure action reports for physicians, dentists and other healthcare practitioners and healthcare entities such as a suspension or revocation; (4) adverse professional society membership action reports for physicians, dentists, and other health care practitioners; (5) reports of the results of formal proceedings by a State licensing authority, peer review organization, or private accreditation organization concluded against a health care practitioner or entity; (6) reports of Medicare/Medicaid exclusions of all healthcare practitioners; and (7) reports of adverse actions taken against the U.S. Drug Enforcement Administration (DEA) registration of all healthcare practitioners.
Reports may contain the following personally-identifiable data elements:
Social Security number;
Date of birth;
Name of each professional school attended and year of graduation;
Professional license(s) number;
Field of licensure;
Name of the State or Territory in which the license is held;
DEA registration numbers;
CMS unique practitioner identification number (for exclusions only);
Names of each hospital with which the practitioner is affiliated;
Name and address of the entity making the payment;
Name, title, and telephone number of the official responsible for submitting the report on behalf of the entity;
Payment information including the date and amount of payment and whether it is for a judgment or settlement;
Date action occurred;
Acts or omissions upon which the action or claim was based;
Description of the action/omissions and injuries or illnesses upon which the action or claim was based;
Description of the Board action, the date of action and its effective date; and
Classification of the action/omission per reporting code.
Query histories indicate the dates that an individual health care practitioner's report(s) were accessed/queried in the system and by whom. Each practitioner's report(s) and query history are available to him or her, if the practitioner elects to submit a self-query. However, the query history will not include query activity by law enforcement agencies, if any, due to the system's exemption.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
The Health Care Quality Improvement Act of 1986, as amended, title IV of Public Law 99-660 42 U.S.C. 11101 et seq., and Section 1921 of the Social Security Act, as amended.
The purpose of the system is to: (1) Receive information such as adverse licensure actions on all healthcare practitioners or entities, clinical privileges and professional society membership actions on physicians and dentists based on professional competence and conduct, medical malpractice payment history on all health care practitioners, as well as the results of formal proceedings by a State authority, peer review organization or private accreditation organization concluded against any health care practitioner or entity; (2) store such reports so that future queriers may have access to pertinent information regarding the review of a health care practitioner and/or a healthcare entity in their process of making important decisions related to the delivery of health care services; and (3) disseminate such data to entities that qualify to receive the reports under the governing statutes as authorized by the Health Care Quality Improvement Act of 1986 and Section 1921 of the Social Security Act to protect the public from unfit practitioners and prevent unfit practitioners from providing patient care.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
Information from this system shall be disclosed to:
Hospitals requesting information, such as, adverse licensure actions, medical malpractice payments or exclusions from Medicare and Medicaid programs taken against all licensed healthcare practitioners such as physicians, dentists, nurses, podiatrists, chiropractors, and psychologists. The information is accessible to both public and private sector hospitals who can request information concerning a physician, dentist or other health care practitioner who is on its medical staff (courtesy or otherwise) or who has clinical privileges at the hospital, for the purpose of: (a) Screening the professional qualifications of individuals who apply for staff positions or clinical privileges at the hospital; and (b) meeting the requirements of the Health Care Quality Improvement Act of 1986, which prescribes that a hospital must query the NPDB once every 2 years regarding all individuals on its medical staff or who hold clinical privileges.
Other health care entities, as defined in 45 CFR 60.3, to which a physician, dentist or other health care practitioner has applied for clinical privileges or appointment to the medical staff or who has entered or may be entering an employment or affiliation relationship. The purpose of these disclosures is to identify individuals whose professional conduct may be unsatisfactory.
A health care entity with respect to professional review activity. The purpose of these disclosures is to aid health care entities in the conduct of professional review activities, such as those involving determinations of whether a physician, dentist, or other health care practitioner may be granted membership in a professional society; the conditions of such membership, or of changes to such membership; and ongoing professional review activities conducted by a health care entity which provides health care services, of the professional performance or conduct of a physician, dentist, or other health care practitioner.
A State healthcare practitioner and/or entity licensing or certification authority can request information expanded by Section 1921 of the Social Security Act in conducting a review of all healthcare practitioners or health entities. A State healthcare practitioner and entity licensing or certification authority may also request information when making licensure determinations about healthcare practitioners and entities. The purpose of these disclosures is to aid the board or certification authority in meeting its responsibility to protect the health of the population in its jurisdiction, by identifying individuals whose professional performance or conduct may be unsatisfactory.
Federal and State health care programs (and their contractors) can request information reported under Section 1921 of the Social Security Act. The purpose of these disclosures is to aid Federal and State health programs to ensure the integrity and professional competence of affiliated health care practitioners and uncovering information needed to make appropriate decisions in the delivery of healthcare.
State Medicaid Fraud Control Units (MFCUs) can request information reported under Section 1921 of the Social Security Act to assist with investigating fraud and prosecution of healthcare practitioners and providers in the administration of the Medicaid programs.
U.S. Comptroller General can request information reported under Section 1921 of the Social Security Act to assist in determining the fitness of individuals to provide healthcare services, and protect the health and safety of individuals receiving health care through programs who employ these individuals.
U.S. Attorney General and other law enforcement agencies can request information reported under Section 1921 of the Social Security Act to assist with healthcare investigations involving healthcare practitioners and healthcare entities. The purpose of the disclosure would assist in determining the fitness of individuals to provide healthcare services, and protect the health and safety of individuals receiving health care through programs who employ these individuals.
Utilization and quality control Peer Review Organizations and those entities which are under contract with the CMS can request information reported under Section 1921 of the Social Security Act to protect and improve the quality of care for Medicare beneficiaries when performing quality of care reviews and other related activities.
A physician, dentist, or other health care practitioner can request information concerning himself or herself.
An entity that has been reported on may query the system to receive information concerning itself.
A person or entity can request statistical information, in a form which does not permit the identification of any individual or entity pursuant to the procedures established by the Department. An example of this disclosure involves researchers who may use statistical information to identify the total number of nurses with adverse licensure actions in a specific State.
An attorney, or individual representing himself or herself, who has filed a medical malpractice action or claim in a State or Federal court or other adjudicative body against a hospital, and who requests information regarding a specific physician, dentist, or other health care practitioner who is also named in the action or claim provided that: (a) This information will be disclosed only upon the submission of evidence that the hospital failed to request information from the NPDB as required by law; and (b) the information will be used solely with respect to litigation resulting from the action or claim against the hospital. The purpose of these disclosures is to permit an attorney (or a person representing himself or herself in a medical malpractice action) to have information from the NPDB on a health care practitioner, under the conditions set out in this routine use.
Any Federal entity, employing or otherwise engaging under arrangement (e.g., such as a contract) the services of a physician, dentist, or other health care practitioner, or having the authority to sanction such practitioners covered by a Federal program, which: (a) Enters into a memorandum of understanding with HHS regarding its participation in the NPDB; (b) engages in a professional review activity in determining an adverse action against a practitioner; and (c) maintains a Privacy Act system of records regarding the health care practitioners it employs, or whose services it engages under arrangement. The purpose of such disclosures is to enable hospitals and other facilities and health care providers under the jurisdiction of Federal agencies such as the Public Health Service, HHS; the Department of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; and the Bureau of Prisons, Department of Justice, to participate in the NPDB. The Health Care Quality Improvement Act of 1986 includes provisions regarding the participation of such agencies and of the DEA.
In the event of litigation where the defendant is: (a) The Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to affect directly the operation of the Department or any of its components; or (c) any Department employee in his or her individual capacity where the Department of Justice has agreed to represent such employee, for example in defending a claim against the Public Health Service based upon an individual's mental or physical condition and alleged to have arisen because of activities of the Public Health Service in connection with such individual, disclosures may be made to the Department of Justice to enable the Department to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected.
The contractor, SRA International Inc., accesses the system to operate and maintain it. These functions include but are not limited to providing continuous user availability, develop system enhancements, upgrade of hardware and software, security information assurance, and system backups.
To appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
Records are maintained on database servers with disk storage, optical jukebox storage, backup tapes and printed reports.
Records are retrieved by name, date of birth, social security number, educational information, and license number. The matching algorithm uses these data elements to match reports to the subject.
SAFEGUARDS FOR ACCESSING RECORDS:
Authorized Users include internal users such as the government and contractor personnel staff who support the NPDB and are required to obtain favorable adjudication for a Level 5 Position of Public Trust. New employees of the NPDB and the contractor must attend security training, sign a Non-Disclosure Agreement, and sign the Rules of Behavior which is renewed annually. Authorized users are given role-
based access to the system on a limited need-to-know basis. All physical and logical access to the system is removed upon termination of employment. External users, who are responsible for meeting Title IV reporting and/or querying requirements to the NPDB, are responsible for determining their eligibility to access the NPDB through a self-
certification process which requires completing an Entity Registration form. All external users must acknowledge the Rules of Behavior. All external users must re-register every two years to access the NPDB. Both HRSA and the contractor maintain lists of authorized users.
Physical Safeguards involve physical controls that are in place 24 hours a day/7 days a week such as identification badge access, cipher locks, locked hardware cages, man trap with biometric hand scanner, security guard monitoring, and closed circuit TV. All sites are protected with fire and environmental safety controls.
Technical Safeguards include firewalls, network intrusion detection, host-based intrusion detection and file integrity monitoring, user identification, and passwords restrictions. All Web-
based traffic is encrypted using 128 bit SSL and all network traffic is encrypted internally.
Administrative Safeguards involve certification and accreditation that is required every three years, which authorizes operation of the system based on acceptable risk. Security assessments are conducted continuously throughout the year to verify compliance with all required controls.
RETENTION AND DISPOSAL OF RECORDS:
HRSA is working with NARA to obtain the appropriate retention value.
SYSTEM MANAGER(S) AND ADDRESS:
Director, Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, Room 8-103, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.
Subject to the exemption from the Privacy Act notification procedure requirement, information is available upon request, to the persons or entities, or to the authorized agents in such form or manner as the Secretary prescribes. Currently, the subject of a report is notified via U.S. mail when a report concerning the individual is submitted to the NPDB via Subject Notification Document (SND). This procedure is unchanged by the exemption.
REQUESTS BY MAIL:
Practitioners may submit a ``Request for Information Disclosure'' to the address under system location for any report on themselves. The request must contain the following: Name, address, date of birth, gender, Social Security Number (optional), professional schools and years of graduation, and the professional license(s). For license, include: The license number, the field of licensure, the name of the State or Territory in which the license is held, and DEA registration number(s). The practitioner must submit a signed and notarized self-
PENALTIES FOR VIOLATION:
Submitting a request under false pretenses is a criminal offense and subject to a civil monetary penalty of up to $11,000 for each violation.
REQUESTS IN PERSON:
Due to security considerations, the NPDB cannot accept requests in person.
REQUESTS BY TELEPHONE:
Practitioners may provide all of the identifying information stated above to the NPDB Customer Service Center operator. Before the data request is fulfilled, the operator will return a paper copy of this information for verification, signature and notarization.
RECORD ACCESS PROCEDURES:
Although this system will be exempt from the Privacy Act access requirement, the exemption will be limited and discretionary. An individual health care practitioner may continue to seek access to his or her records in the NPDB by submitting a self-query request form on-
line at: www.npdb-hipdb.hrsa.gov. The requests are submitted over the web using the Integrated Query and Reporting Service (IQRS), Query and Reporting Extensible Markup Language Service (QRXS), Interface Control Document (ICD) Transfer Program (ITP) or the Proactive Disclosure Service (PDS). Self-query, as described previously, may be initiated via the electronic system and is completed using the conventional mail system. Requesters, including self-queries, will receive an accounting of disclosure that has been made of their records, if any. The exemption will prevent law enforcement query activity from being disclosed to the health care practitioner in response to a self-query.
Notwithstanding the access exemption, a practitioner may request access to his or her full query history (i.e., including law enforcement query activity, if any), by submitting a written request to the System Manager identified above and following the same procedures indicated under ``Notification Procedure.'' The request will be processed pursuant to the agency's discretionary access authority under 45 CFR 5b.11(d).
CONTESTING RECORD PROCEDURES:
Because of the system's exemption, the procedures for disputing a NPDB report will not apply to any query history information that is exempt from access. The NPDB routinely mails a copy of any report filed in it to the subject individual. A subject individual may contest the accuracy of information in the NPDB concerning himself or herself and file a dispute. To dispute the accuracy of the information, the individual must contact the NPDB and the reporting entity to: (1) Request for the reporting entity to file correction to the report; and (2) request the information be entered into a ``disputed'' status and submit a statement regarding the basis for the inaccuracy of the information in the report. If the reporting entity declines to change the disputed report or takes no actions, the subject may request that the Secretary of HHS review the disputed report. In order to seek a Secretarial Review, the subject must: (1) Provide written documentation containing clear and brief factual information regarding the information of the report; (2) submit supporting documentation or justification substantiating that the reporting entity's information is inaccurate; and (3) submit proof that the subject individual has attempted to
resolve the disagreement with reporting entity but was unsuccessful. The Department can only determine whether the report was legally required to be filed and whether the report accurately depicts the action taken and the reporter's basis for action. Additional detail on the process of dispute resolution and Secretarial Review process can be found at 45 CFR 60.14 of the NPDB regulations.
RECORD SOURCE CATEGORIES:
The records contained in the system are submitted by the following entities: (1) Insurance companies and others who have made payment as a result of a malpractice action or claim, (2) State Boards of Medical and Dental Examiners; (3) State Licensing Boards; (4) hospitals and other health care entities; (5) DEA; and (6) Federal entities which employ health practitioners or who have authority to sanction such practitioners covered by a Federal program. Section 1921 of the Social Security Act expands reporting of actions submitted by State health care practitioner licensing and certification authorities (including medical and dental boards), State entity licensing and certification authorities, peer review organizations and private accreditation organizations.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
The Secretary has exempted this system from certain provisions of the Act. In accordance with 5 U.S.C. 552(k)(2) and 45 CFR 5b.11(b)(ii)(L), this system is exempt from subsections 5 U.S.C. 552a(c)(3), (d)(1)-(4), (e)(4)(G) and (H), and (f).
FR Doc. 2012-7612 Filed 3-29-12; 8:45 am
BILLING CODE 4165-15-P