[Federal Register Volume 75, Number 190 (Friday, October 1, 2010)]
[Notices]
[Pages 60763-60767]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-24568]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Resources and Services Administration


Privacy Act of 1974; Report of an Altered System of Records

AGENCY: Department of Health and Human Services (HHS), Health Resources 
and Services Administration (HRSA).

ACTION: Notice of an Altered System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, the Health Resources and Services Administration (HRSA) is 
publishing a notice to alter the system of records for the National 
Practitioner Data Bank for Adverse Information on Physicians and other 
Health Care Practitioners, HHS/HRSA/BHPR. The SORN 09-15-0054 was last 
published March 17, 1997. The Health Care Quality Improvement Act of 
1986, as amended, title IV of Public Law 99-660 (42 U.S.C. 11101 et 
seq.), authorizes the Secretary to establish a National 
Practitioner Data Bank (NPDB) to collect and release certain 
information relating to the professional competence and conduct of 
physicians, dentists, and other health care practitioners. This 
information is releasable only to specific entities described in the 
SORN. It requires the 
maintenance of records such as medical malpractice payments, adverse 
licensure and clinical privilege actions, disciplinary actions taken by 
Boards of Medical Examiners, and professional review actions taken by 
health care entities against physicians, dentists, and other healthcare 
practitioners. Section 1921 of the Social Security Act, as amended by 
Section 5(b) of the Medicare and Medicaid Patient and Program 
Protection Act of 1987 (MMPPPA), and as amended by the Omnibus Budget 
Reconciliation Act of 1990 (OBRA), expands reporting to the NPDB to 
authorize maintenance of records of adverse licensure actions and 
negative actions or findings taken by a State licensing authority, peer 
review organization, or private accreditation entity against all 
healthcare practitioners or healthcare entities.
    The purpose of these alterations is to update: (1) System location; 
(2) Category of individuals covered by the system; (3) Category of 
records in the system; (4) Policies and practices for storing, 
retrieving, accessing, retaining, and disposing of records in the 
system; (5) Notification procedure; (6) Record access procedures; (7) 
Contesting record procedures; and (8) Routine uses for the contractors 
accessing the system. Also, HRSA is proposing an additional routine 
use, number 17 (Responding to a breach of the security or 
confidentiality of information) for this system of records. The 
physical NPDB system which includes hardware and software will not be 
altered.

DATES: HRSA filed an altered system report with the Chair of the House 
Committee on Government Reform and Oversight, the Chair of the Senate 
Committee on Homeland Security and Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on 6/13/10. To ensure all parties have 
adequate time in which to comment, the altered system, including the 
routine uses, will become effective 30 days from the publication of the 
notice or 40 days from the date it was submitted to OMB and Congress, 
whichever is later, unless HRSA receives comments that require 
alterations to this notice.

ADDRESSES: Please address comments to Associate Administrator, Bureau 
of Health Professions, Health Resources and Services Administration, 
5600 Fishers Lane, Room 8-103, Rockville, Maryland 20857. Comments 
received will be available for inspection at this same address from 9 
a.m. to 3 p.m. (Eastern Standard Time Zone), Monday through Friday.

FOR FURTHER INFORMATION CONTACT: Director, Division of Practitioner 
Data Banks, Bureau of Health Professions, 5600 Fishers Lane, Room 
8-103, Rockville, Maryland 20857; Telephone: (301) 443-2300. This is not 
a toll-free number.

SUPPLEMENTARY INFORMATION: The Health Resources and Services 
Administration is proposing a change to: (1) System location; (2) 
Category of individuals covered by the system; (3) Category of records 
in the system; (4) Policies and practices for storing, retrieving, 
accessing, retaining, and disposing of records in the system; (5) 
Notification procedure; (6) Record access procedures; (7) Contesting 
record procedures; and (8) Routine uses for the contractors accessing 
the system.
    The above listed items are being modified to reflect changes in the 
business process and the addition of new information pursuant to 
Section 1921 of the Social Security Act. The specific changes are as 
follows: (1) System location reflects a move to a new secure facility; 
(2) individual profession covered by the system is a new category; (3) 
record in the system changed from narrative to list format; (4) 
policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system to reflect changes in business 
practice and procedure; (5) notification procedures demonstrate the 
method used to notify a subject of a report; (6) record access 
procedures list the new Domain Name (DN); (7) contesting record 
procedures reflect a change from Health Care Financing Administration 
(HCFA) to Centers for Medicare and Medicaid Services (CMS); and (8) 
routine uses allow the contractor to perform its functions as they 
relate to the system.
    HRSA is also proposing an additional routine use, number 17, to 
permit disclosures to appropriate federal agencies and Department 
contractors that have a need to know the information for the purpose of 
assisting the Department's efforts to respond to a suspected or 
confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and necessary for that assistance.

    Dated: September 16, 2010.
Mary K. Wakefield,
Administrator.
System Number: 09-15-0054.

System Name:
    National Practitioner Data Bank for Adverse Information on 
Physicians and Other Health Care Practitioners, HHS/HRSA/BHPR.

Security Classification:
    None.

System Location:
    The contractor, SRA International, Inc., operates and maintains an 
internet-based system through a technical service contract for the 
Division of Practitioner Data Banks, Bureau of Health Professions, 
Health Resources and Services Administration. SRA's physical address is 
4350 Fair Lakes Courts, Fairfax, Virginia 22033-4233. This system is 
located at the AT&T Data Center, a secure facility; the street address 
will not be disclosed for security reasons.

Categories of Individuals Covered by the System:
    The system collects and maintains information in accordance with 5 
U.S.C. 552a of the Privacy Act of 1974, as follows:
    (1) Medical malpractice payment reports for all health care 
practitioners, i.e. physicians, dentists, nurses, optometrists, 
pharmacists, and podiatrists, etc.; (2) adverse clinical privilege 
action reports for physicians, dentists, and other healthcare 
practitioners who may have medical staff privileges either restricted 
or surrendered; (3) adverse licensure action reports for physicians, 
dentists and other healthcare practitioners and healthcare entities 
such as a suspension or revocation; (4) adverse professional society 
membership action reports for physicians and dentists; (5) reports of 
the results of formal proceedings by a State licensing authority, peer 
review organization, or private accreditation organization concluded 
against a health care practitioner or entity; (6) reports of Medicare/
Medicaid exclusions of all healthcare practitioners; and (7) reports of 
adverse actions taken against the U.S. Drug Enforcement Administration 
(DEA) registration of all healthcare practitioners.

Categories of Records in the System:
    The system collects and maintains categories of information 
concerning healthcare practitioners such as:
    1. Name.
    2. Work address.
    3. Home address.
    4. Social Security number.
    5. Date of birth.
    6. Name of each professional school attended and year of 
graduation.
    7. Professional license(s) number.
    8. Field of licensure.
    9. Name of the State or Territory in which the license is held.
    10. DEA registration numbers.
    11. CMS unique practitioner identification number (for exclusions 
only).
    12. Names of each hospital with which the practitioner is 
affiliated.
    13. Name and address of the entity making the payment.
    14. Name, title, and telephone number of the official responsible 
for submitting the report on behalf of the entity.
    15. Payment information including the date and amount of payment 
and whether it is for a judgment or settlement.
    16. Date action occurred.
    17. Acts or omissions upon which the action or claim was based.
    18. Description of the action/omissions and injuries or illnesses 
upon which the action or claim was based.
    19. Description of the Board action, the date of action and its 
effective date.
    20. Classification of the action/omission per reporting code.

Authority for Maintenance of the System:
    The Health Care Quality Improvement Act of 1986, as amended, title 
IV of Public Law 99-660 [42 U.S.C. 11101 et seq.], authorizes the 
Secretary to establish a National Practitioner Data Bank (NPDB) to 
collect and release certain information relating to the professional 
competence and conduct of physicians, dentists, and other health care 
practitioners. This information is released only to specific entities 
described below. It requires the maintenance of records such as medical 
malpractice payments, adverse licensure and clinical privilege actions, 
disciplinary actions taken by Boards of Medical Examiners, and 
professional review actions taken by health care entities against 
physicians, dentists, and other healthcare practitioners. Section 1921 
of the Social Security Act, as amended by Section 5(b) of the Medicare 
and Medicaid Patient and Program Protection Act of 1987 (MMPPPA), and 
as amended by the Omnibus Budget Reconciliation Act of 1990 (OBRA), 
expands reporting to the NPDB to authorize maintenance of records of 
adverse licensure actions and the results of formal proceedings by a 
State licensing authority, peer review organization, or private 
accreditation entity against all healthcare practitioners or healthcare 
entities.

Purpose(s):
    The purpose of the system is to: (1) Receive information such as 
adverse licensure actions on all healthcare practitioners or entities, 
clinical privileges and professional society membership actions on 
physicians and dentists based on professional competence and conduct, 
medical malpractice payment history on all health care practitioners, 
as well as the results of formal proceedings by a State authority, peer 
review organization or private accreditation organization concluded 
against any health care practitioner or entity; (2) store such reports 
so that future queriers may have access to pertinent information 
regarding the review of a health care practitioner and/or a healthcare 
entity in their process of making important decisions related to the 
delivery of health care services; and (3) disseminate such data to 
entities that qualify to receive the reports under the governing 
statutes as authorized by the Health Care Quality Improvement Act of 
1986 and Section 1921 of the Social Security Act to protect the public 
from unfit practitioners providing patient care.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    Information shall be disclosed to:
    1. Hospitals requesting information on adverse licensure actions, 
medical malpractice payments or exclusions from Medicare and Medicaid 
programs taken against all licensed healthcare practitioners such as 
physicians, dentists, nurses, podiatrists, chiropractors, and 
psychologists, among many. The information is accessible to both public 
and private sector hospitals who can request information concerning a 
physician, dentist or other health care practitioner who is on its 
medical staff (courtesy or otherwise) or who has clinical privileges at 
the hospital, for the purpose of: (a) Screening the professional 
qualifications of individuals who apply for staff positions or clinical 
privileges at the hospital; and (b) meeting the requirements of the 
Health Care Quality Improvement Act of 1986, which prescribes that a 
hospital must query the Data Bank once every 2 years regarding all 
individuals on its medical staff or who hold clinical privileges.
    2. Other health care entities, as defined in 45 CFR 60.3, to which 
a physician, dentist or other health care practitioner has applied for 
clinical privileges or appointment to the medical staff or who has 
entered or may be entering an employment or affiliation relationship. 
The purpose of these disclosures is to identify individuals whose 
professional conduct may be unsatisfactory.
    3. A health care entity with respect to professional review 
activity. The purpose of these disclosures is to aid health care 
entities in the conduct of professional review activities, such as 
those involving determinations of whether a physician, dentist, or 
other health care practitioner may be granted membership in a 
professional society; the conditions of such membership, or of changes 
to such membership; and ongoing professional review activities 
conducted by a health care entity which provides health care services, 
of the professional performance or conduct of a physician, dentist, or 
other health care practitioner.
    4. A State healthcare practitioner and/or entity licensing or 
certification authority can request information expanded by Section 
1921 of the Social Security Act in conducting a review of all 
healthcare practitioners or health entities. A State healthcare 
practitioner and entity licensing or certification authority may also 
request information when making licensure determinations about 
healthcare practitioners and entities. The purpose of these disclosures 
is to aid the board or certification authority in meeting its 
responsibility to protect the health of the population in its 
jurisdiction, by identifying individuals whose professional performance 
or conduct may be unsatisfactory.
    5. Federal and State health care programs (and their contractors) 
can request information reported under Section 1921 of the Social 
Security Act. The purpose of these disclosures is to aid Federal and 
State health programs in ensuring the integrity and professional 
competence of affiliated health care practitioners and uncovering 
information needed to make appropriate decisions in the delivery of 
healthcare.
    6. State Medicaid Fraud Control Units (MFCUs) can request 
information reported under Section 1921 of the Social Security Act to 
assist with investigating fraud and prosecution of healthcare 
practitioners and providers in the administration of the Medicaid 
programs.
    7. U.S. Comptroller General can request information reported under 
Section 1921 of the Social Security Act to assist in determining the 
fitness of individuals to provide healthcare services, and protect the 
health and safety of individuals receiving health care through programs 
who employ these individuals.
    8. U.S. Attorney General and other law enforcement agencies can 
request information reported under Section 1921 of the Social Security 
Act to assist with healthcare investigations involving healthcare 
practitioners and healthcare entities. The purpose of the disclosure 
would assist in determining the fitness of individuals to provide 
healthcare services, and protect the health and safety of individuals 
receiving health care through programs who employ these individuals.
    9. Utilization and quality control Peer Review Organizations and 
those entities which are under contract with the CMS can request 
information reported under Section 1921 of the Social Security Act to 
protect and improve the quality of care for Medicare beneficiaries when 
performing quality of care reviews and other related activities.
    10. A physician, dentist, or other health care practitioner can 
request information concerning himself or herself.
    11. An entity that has been reported on may query the system to 
receive information concerning itself.
    12. A person or entity can request statistical information, in a 
form which does not permit the identification of any individual or 
entity. An example of this disclosure involves researchers who may use 
statistical information to identify the total number of nurses with 
adverse licensure actions in a specific State.
    13. An attorney, or individual representing himself or herself, who 
has filed a medical malpractice action or claim in a State or Federal 
court or other adjudicative body against a hospital, and who requests 
information regarding a specific physician, dentist, or other health 
care practitioner who is also named in the action or claim provided 
that: (a) This information will be disclosed only upon the submission 
of evidence that the hospital failed to request information from the 
Data Bank as required by law; and (b) the information will be used 
solely with respect to litigation resulting from the action or claim 
against the hospital. The purpose of these disclosures is to permit an 
attorney (or a person representing himself or herself in a medical 
malpractice action) to have information from the Data Bank on a health 
care practitioner, under the conditions set out in this routine use.
    14. Any Federal entity, employing or otherwise engaging under 
arrangement (e.g., such as a contract) the services of a physician, 
dentist, or other health care practitioner, or having the authority to 
sanction such practitioners covered by a Federal program, which: (a) 
Enters into a memorandum of understanding with HHS regarding its 
participation in the Data Bank; (b) engages in a professional review 
activity in determining an adverse action against a practitioner; and 
(c) maintains a Privacy Act system of records regarding the health care 
practitioners it employs, or whose services it engages under 
arrangement. The purpose of such disclosures is to enable hospitals and 
other facilities and health care providers under the jurisdiction of 
Federal agencies such as the Public Health Service, HHS; the Department 
of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; 
and the Bureau of Prisons, Department of Justice, to participate in the 
Data Bank. The Health Care Quality Improvement Act of 1986 includes 
provisions regarding the participation of such agencies and of the DEA.
    15. In the event of litigation where the defendant is: (a) The 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
affect directly the operation of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Department of Justice has agreed to represent such 
employee, for example in defending a claim against the Public Health 
Service based upon an individual's mental or physical condition and 
alleged to have arisen because of activities of the Public Health 
Service in connection with such individual, disclosures may be made to 
the Department of Justice to enable the Department to present an 
effective defense, provided that such disclosure is compatible with the 
purpose for which the records were collected.
    16. The contractor, SRA International Inc., accesses the system to 
operate and maintain it. These functions include but are not limited to 
providing continuous user availability, developing system enhancements, 
upgrading hardware and software, security information assurance, and 
system backups.
    17. To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, and the information disclosed is relevant and 
necessary for that assistance.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    Records are maintained on database servers with disk storage, 
optical jukebox storage, backup tapes and printed reports.

Retrievability:
    Records are retrieved by name, date of birth, Social Security 
number, educational information, and license number. The matching 
algorithm uses these data elements to match reports to the subject.

Safeguards for Accessing Records:
    1. Authorized Users include internal users such as the government 
and contractor personnel staff who support the Data Banks and are 
required to obtain favorable adjudication for a Level 5 Position of 
Public Trust. New employees of the NPDB and the contractor must attend 
security training, sign a Non-Disclosure Agreement, and sign the Rules 
of Behavior which is renewed annually. Authorized users are given role-
based access to the system on a limited need-to-know basis. All 
physical and logical access to the system is removed upon termination 
of employment. External users, who are responsible for meeting Title IV 
reporting and/or querying requirements to the Data Banks, are 
responsible for determining their eligibility to access the Data Banks 
through a self-certification process which requires completing an 
Entity Registration form. All external users must acknowledge the Rules 
of Behavior. All external users must re-register every two years to 
access the Data Banks. Both HRSA and the contractor maintain lists of 
authorized users.
    2. Physical Safeguards involve physical controls that are in place 
24 hours a day/7 days a week such as identification badge access, 
cipher locks, locked hardware cages, man trap with biometric hand 
scanner, security guard monitoring, and closed circuit TV. All sites 
are protected with fire and environmental safety controls.
    3. Technical Safeguards include firewalls, network intrusion 
detection, host-based intrusion detection and file integrity 
monitoring, user identification, and password restrictions. All web-
based traffic is encrypted using 128-bit SSL and all network traffic is 
encrypted internally.
    4. Administrative Safeguards involve certification and 
accreditation that is required every three years, which authorizes 
operation of the system based on acceptable risk. Security assessments 
are conducted continuously throughout the year to verify compliance 
with all required controls.

Retention and Disposal of Records:
    HRSA is working with NARA to obtain the appropriate retention 
value.

System Manager(s) and Address:
    Director, Division of Practitioner Data Banks, Bureau of Health 
Professions, Health Resources and Services Administration, Room 8-103, 
Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

Notification Procedure:
    Information is available upon request, to the persons or entities, 
or to the authorized agents in such form or manner as the Secretary 
prescribes. The subject of a report is notified via U.S. mail when a 
record concerning the individual is submitted to the Data Bank via 
Subject Notification Document (SND).

Requests by Mail:
    Practitioners may submit a ``Request for Information Disclosure'' 
to the address under system location for any report on themselves. The 
request must contain the following: Name, address, date of birth, 
gender, Social Security Number (optional), professional schools and 
years of graduation, and the professional license(s). For license, 
include: The license number, the field of licensure, the name of the 
State or Territory in which the license is held, and DEA registration 
number(s). The practitioner must submit a signed and notarized self-
query request.

Penalties for Violation:
    Submitting a request under false pretenses is a criminal offense 
and subject to a civil monetary penalty of up to $11,000 for each 
violation.

Requests in Person:
    Due to security considerations, the Data Bank cannot accept 
requests in person.

Request by Telephone:
    Practitioners may provide all of the identifying information stated 
above to the Data Bank Customer Service Center operator. Before the 
data request is fulfilled, the operator will return a paper copy of 
this information for verification, signature and notarization.

Record Access Procedures:
    Requests for access to records in the Data Bank may be completed 
online at: http://www.npdb-hipdb.hrsa.gov. The requests are submitted 
over the web using the Integrated Query and Reporting Service (IQRS), 
Query and Reporting Extensible Markup Language Service (QRXS), 
Interface Control Document (ICD) Transfer Program (ITP) or the 
Proactive Disclosure Service (PDS). Self-query, as described 
previously, may be initiated via the electronic system and is completed 
using the conventional mail system. Requesters, including self-queries, 
will receive an accounting of disclosures that have been made of their 
records, if any.

Contesting Record Procedures:
    The Data Bank routinely mails a copy of any report filed in it to 
the subject individual. A subject individual may contest the accuracy 
of information in the Data Bank concerning himself or herself and file 
a dispute. To dispute the accuracy of the information, the individual 
must contact the Data Bank and the reporting entity to: (1) Request that 
the reporting entity file a correction to the report; and (2) request 
the information be entered into a ``disputed'' status and submit a 
statement regarding the basis for the inaccuracy of the information in 
the report. If the reporting entity declines to change the disputed 
report or takes no actions, the subject may request that the Secretary 
of HHS review the disputed report. In order to seek a Secretarial 
Review, the subject must: (1) Provide written documentation containing 
clear and brief factual information regarding the information of the 
report; (2) submit supporting documentation or justification 
substantiating that the reporting entity's information is inaccurate; 
and (3) submit proof that the subject individual has attempted to 
resolve the disagreement with the reporting entity but was unsuccessful. 
The Department can only determine whether the report was legally 
required to be filed and whether the report accurately depicts the 
action taken and the reporter's basis for action. Additional detail on 
the process of dispute resolution and Secretarial Review process can be 
found at 45 CFR Sec. 60.14 of the Data Bank regulations.

Record Source Categories:
    The records contained in the system are submitted by the following 
entities: (1) Insurance companies and others who have made payment as a 
result of a malpractice action or claim, (2) State Boards of Medical 
and Dental Examiners; (3) State Licensing Boards; (4) hospitals and 
other health care entities; (5) DEA; and (6) Federal entities which 
employ health practitioners or who have authority to sanction such 
practitioners covered by a Federal program. Section 1921 of the Social 
Security Act expands reporting of actions submitted by State health 
care practitioner licensing and certification authorities (including 
medical and dental boards), State entity licensing and certification 
authorities, peer review organizations and private accreditation 
organizations.

Systems Exempted from Certain Provisions of the Act:
    None.

[FR Doc. 2010-24568 Filed 9-30-10; 8:45 am]