Privacy Act of 1974; Report of an Altered System of Records, 60763-60767 [2010-24568]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Health Resources and Services Administration

[Federal Register Volume 75, Number 190 (Friday, October 1, 2010)]
[Notices]
[Pages 60763-60767]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-24568]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Resources and Services Administration


Privacy Act of 1974; Report of an Altered System of Records

AGENCY: Department of Health and Human Services (HHS), Health Resources 
and Services Administration (HRSA).

ACTION: Notice of an Altered System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, the Health Resources and Services Administration (HRSA) is 
publishing a notice to alter the system of records for the National 
Practitioner Data Bank for Adverse Information on Physicians and other 
Health Care Practitioners, HHS/HRSA/BHPR. The SORN 09-15-0054 was last 
published March 17, 1997. In accordance with the Health Care Quality 
Improvement Act of 1986, as amended, title IV of Public Law 99-660 (42 
U.S.C. 11101 et seq.) authorizes the Secretary to establish a National 
Practitioner Data Bank (NPDB) to collect and release certain 
information relating to the professional competence and conduct of 
physicians, dentists, and other health care practitioners. This 
information is releasable only to specific entities described in the 
SORN. It requires the

[[Page 60764]]

maintenance of records such as medical malpractice payments, adverse 
licensure and clinical privilege actions, disciplinary actions taken by 
Boards of Medical Examiners, and professional review actions taken by 
health care entities against physicians, dentists, and other healthcare 
practitioners. Section 1921 of the Social Security Act, as amended by 
Section 5(b) of the Medicare and Medicaid Patient and Program 
Protection Act of 1987 (MMPPPA), and as amended by the Omnibus Budget 
Reconciliation Act of 1990 (OBRA), expands reporting to the NPDB to 
authorize maintenance of records of adverse licensure actions and 
negative actions or findings taken by a State licensing authority, peer 
review organization, or private accreditation entity against all 
healthcare practitioners or healthcare entities.
    The purpose of these alterations is to update: (1) System location; 
(2) Category of individuals covered by the system; (3) Category of 
records in the system; (4) Policies and practices for storing, 
retrieving, accessing, retaining, and disposing of records in the 
system; (5) Notification procedure; (6) Record access procedures; (7) 
Contesting record procedures; and (8) Routine uses for the contractors 
accessing the system. Also, HRSA is proposing an additional routine 
use, number 17 (Responding to a breach of the security or 
confidentiality of information) for this system of records. The 
physical NPDB system which includes hardware and software will not be 
altered.

DATES: HRSA filed an altered system report with the Chair of the House 
Committee on Government Reform and Oversight, the Chair of the Senate 
Committee on Homeland Security and Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on 6/13/10. To ensure all parties have 
adequate time in which to comment, the altered systems including the 
routine uses, will become effective 30 days from the publication of the 
notice or 40 days from the date it was submitted to OMB and Congress, 
whichever is later, unless HRSA receives comments that require 
alterations to this notice.

ADDRESSES: Please address comments to Associate Administrator, Bureau 
of Health Professions, Health Resources and Services Administration, 
5600 Fishers Lane, Room 8-103, Rockville, Maryland 20857. Comments 
received will be available for inspection at this same address from 9 
a.m. to 3 p.m. (Eastern Standard Time Zone), Monday through Friday.

FOR FURTHER INFORMATION CONTACT: Director, Division of Practitioner 
Data Banks, Bureau of Health Professions, 5600 Fishers Lane, Room 8-
103, Rockville, Maryland 20857; Telephone: (301) 443-2300. This is not 
a toll-free number.

SUPPLEMENTARY INFORMATION: The Health Resources and Services 
Administration is proposing a change to: (1) System location; (2) 
Category of individuals covered by the system; (3) Category of records 
in the system; (4) Policies and practices for storing, retrieving, 
accessing, retaining, and disposing of records in the system; (5) 
Notification procedure; (6) Record access procedures; (7) Contesting 
record procedures; and (8) Routine uses for the contractors accessing 
the system.
    The above listed items are being modified to reflect changes in the 
business process and the addition of new information pursuant to 
Section 1921 of the Social Security Act. The specific changes are as 
follows: (1) System location reflects a move to new secure facility; 
(2) individual profession covered by the system is a new category; (3) 
record in the system changed from narrative to list format; (4) 
policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system to reflect changes in business 
practice and procedure; (5) notification procedures demonstrate the 
method used to notify a subject of a report; (6) record access 
procedures list the new Domain Name (DN); (7) contesting record 
procedures reflect a change from Health Care Financing Administration 
(HCFA) to Centers for Medicare and Medicaid Services (CMS); and (8) 
routine uses allow the contractor to perform their functions as it 
relates to the system.
    HRSA is also proposing an additional routine use, number 17, to 
permit disclosures to appropriate federal agencies and Department 
contractors that have a need to know the information for the purpose of 
assisting the Department's efforts to respond to a suspected or 
confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and necessary for that assistance.

    Dated: September 16, 2010.
Mary K. Wakefield,
Administrator.
System Number: 09-15-0054.

System Name:
    National Practitioner Data Bank for Adverse Information on 
Physicians and Other Health Care Practitioners, HHS/HRSA/BHPR.

Security Classification:
    None.

System Location:
    The contractor, SRA International, Inc., operates and maintains an 
internet-based system through a technical service contract for the 
Division of Practitioner Data Banks, Bureau of Health Professions, 
Health Resources and Services Administration. SRA's physical address is 
4350 Fair Lakes Courts, Fairfax Virginia 22033-4233. This system is 
located at the AT&T Data Center, a secure facility; the street address 
will not be disclosed for security reasons.

Categories of Individuals Covered by the System:
    The system collects and maintains information in accordance with 5 
U.S.C. 552a of the Privacy Act of 1974, as follows:
    (1) Medical malpractice payment reports for all health care 
practitioners, i.e. physicians, dentists, nurses, optometrists, 
pharmacists, and podiatrists, etc.; (2) adverse clinical privilege 
action reports for physicians, dentists, and other healthcare 
practitioners who may have medical staff privileges either restricted 
or surrendered; (3) adverse licensure action reports for physicians, 
dentists and other healthcare practitioners and healthcare entities 
such as a suspension or revocation; (4) adverse professional society 
membership action reports for physicians and dentists; (5) reports of 
the results of formal proceedings by a State licensing authority, peer 
review organization, or private accreditation organization concluded 
against a health care practitioner or entity; (6) reports of Medicare/
Medicaid exclusions of all healthcare practitioners; and (7) reports of 
adverse actions taken against the U.S. Drug Enforcement Administration 
(DEA) registration of all healthcare practitioners.

Categories of Records in the System:
    The system collects and maintains categories of information 
concerning healthcare practitioners such as:
    1. Name.
    2. Work address.
    3. Home address.
    4. Social Security number.
    5. Date of birth.
    6. Name of each professional school attended and year of 
graduation.
    7. Professional license(s) number.
    8. Field of licensure.
    9. Name of the State or Territory in which the license is held.

[[Page 60765]]

    10. DEA registration numbers.
    11. CMS unique practitioner identification number (for exclusions 
only).
    12. Names of each hospital with which the practitioner is 
affiliated.
    13. Name and address of the entity making the payment.
    14. Name, title, and telephone number of the official responsible 
for submitting the report on behalf of the entity.
    15. Payment information including the date and amount of payment 
and whether it is for a judgment or settlement.
    16. Date action occurred.
    17. Acts or omissions upon which the action or claim was based.
    18. Description of the action/omissions and injuries or illnesses 
upon which the action or claim was based.
    19. Description of the Board action, the date of action and its 
effective date.
    20. Classification of the action/omission per reporting code.

Authority for Maintenance of the System:
    The Health Care Quality Improvement Act of 1986, as amended, title 
IV of Public Law 99-660 [42 U.S.C. 11101 et seq.], authorizes the 
Secretary to establish a National Practitioner Data Bank (NPDB) to 
collect and release certain information relating to the professional 
competence and conduct of physicians, dentists, and other health care 
practitioners. This information is released only to specific entities 
described below. It requires the maintenance of records such as medical 
malpractice payments, adverse licensure and clinical privilege actions, 
disciplinary actions taken by Boards of Medical Examiners, and 
professional review actions taken by health care entities against 
physicians, dentists, and other healthcare practitioners. Section 1921 
of the Social Security Act, as amended by Section 5(b) of the Medicare 
and Medicaid Patient and Program Protection Act of 1987 (MMPPPA), and 
as amended by the Omnibus Budget Reconciliation Act of 1990 (OBRA), 
expands reporting to the NPDB to authorize maintenance of records of 
adverse licensure actions and the results of formal proceedings by a 
State licensing authority, peer review organization, or private 
accreditation entity against all healthcare practitioners or healthcare 
entities.

Purpose(s):
    The purpose of the system is to: (1) Receive information such as 
adverse licensure actions on all healthcare practitioners or entities, 
clinical privileges and professional society membership actions on 
physicians and dentists based on professional competence and conduct, 
medical malpractice payment history on all health care practitioners, 
as well as the results of formal proceedings by a State authority, peer 
review organization or private accreditation organization concluded 
against any health care practitioner or entity; (2) store such reports 
so that future queriers may have access to pertinent information 
regarding the review of a health care practitioner and/or a healthcare 
entity in their process of making important decisions related to the 
delivery of health care services; and (3) disseminate such data to 
entities that qualify to receive the reports under the governing 
statutes as authorized by the Health Care Quality Improvement Act of 
1986 and Section 1921 of the Social Security Act to protect the public 
from unfit practitioners from providing patient care.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    Information shall be disclosed to:
    1. Hospitals requesting information on adverse licensure actions, 
medical malpractice payments or exclusions from Medicare and Medicaid 
programs taken against all licensed healthcare practitioners such as 
physicians, dentists, nurses, podiatrists, chiropractors, and 
psychologists, among many. The information is accessible to both public 
and private sector hospitals who can request information concerning a 
physician, dentist or other health care practitioner who is on its 
medical staff (courtesy or otherwise) or who has clinical privileges at 
the hospital, for the purpose of: (a) Screening the professional 
qualifications of individuals who apply for staff positions or clinical 
privileges at the hospital; and (b) meeting the requirements of the 
Health Care Quality Improvement Act of 1986, which prescribes that a 
hospital must query the Data Bank once every 2 years regarding all 
individuals on its medical staff or who hold clinical privileges.
    2. Other health care entities, as defined in 45 CFR 60.3, to which 
a physician, dentist or other health care practitioner has applied for 
clinical privileges or appointment to the medical staff or who has 
entered or may be entering an employment or affiliation relationship. 
The purpose of these disclosures is to identify individuals whose 
professional conduct may be unsatisfactory.
    3. A health care entity with respect to professional review 
activity. The purpose of these disclosures is to aid health care 
entities in the conduct of professional review activities, such as 
those involving determinations of whether a physician, dentist, or 
other health care practitioner may be granted membership in a 
professional society; the conditions of such membership, or of changes 
to such membership; and ongoing professional review activities 
conducted by a health care entity which provides health care services, 
of the professional performance or conduct of a physician, dentist, or 
other health care practitioner.
    4. A State healthcare practitioner and/or entity licensing or 
certification authority can request information expanded by Section 
1921 of the Social Security Act in conducting a review of all 
healthcare practitioners or health entities. A State healthcare 
practitioner and entity licensing or certification authority may also 
request information when making licensure determinations about 
healthcare practitioners and entities. The purpose of these disclosures 
is to aid the board or certification authority in meeting its 
responsibility to protect the health of the population in its 
jurisdiction, by identifying individuals whose professional performance 
or conduct may be unsatisfactory.
    5. Federal and State health care programs (and their contractors) 
can request information reported under Section 1921 of the Social 
Security Act. The purpose of these disclosures is to aid Federal and 
State health programs to ensure the integrity and professional 
competence of affiliated health care practitioners and uncovering 
information needed to make appropriate decisions in the delivery of 
healthcare.
    6. State Medicaid Fraud Control Units (MFCUs) can request 
information reported under Section 1921 of the Social Security Act to 
assist with investigating fraud and prosecution of healthcare 
practitioners and providers in the administration of the Medicaid 
programs.
    7. U.S. Comptroller General can request information reported under 
Section 1921 of the Social Security Act to assist in determining the 
fitness of individuals to provide healthcare services, and protect the 
health and safety of individuals receiving health care through programs 
who employ these individuals.
    8. U.S. Attorney General and other law enforcement agencies can 
request information reported under Section 1921 of the Social Security 
Act to assist with healthcare investigations involving healthcare 
practitioners and healthcare entities. The purpose of the disclosure

[[Page 60766]]

would assist in determining the fitness of individuals to provide 
healthcare services, and protect the health and safety of individuals 
receiving health care through programs who employ these individuals.
    9. Utilization and quality control Peer Review Organizations and 
those entities which are under contract with the CMS can request 
information reported under Section 1921 of the Social Security Act to 
protect and improve the quality of care for Medicare beneficiaries when 
performing quality of care reviews and other related activities.
    10. A physician, dentist, or other health care practitioner can 
request information concerning himself or herself.
    11. An entity that has been reported on may query the system to 
receive information concerning itself.
    12. A person or entity can request statistical information, in a 
form which does not permit the identification of any individual or 
entity. An example of this disclosure involves researchers who may use 
statistical information to identify the total number of nurses with 
adverse licensure actions in a specific State.
    13. An attorney, or individual representing himself or herself, who 
has filed a medical malpractice action or claim in a State or Federal 
court or other adjudicative body against a hospital, and who requests 
information regarding a specific physician, dentist, or other health 
care practitioner who is also named in the action or claim provided 
that: (a) This information will be disclosed only upon the submission 
of evidence that the hospital failed to request information from the 
Data Bank as required by law; and (b) the information will be used 
solely with respect to litigation resulting from the action or claim 
against the hospital. The purpose of these disclosures is to permit an 
attorney (or a person representing himself or herself in a medical 
malpractice action) to have information from the Data Bank on a health 
care practitioner, under the conditions set out in this routine use.
    14. Any Federal entity, employing or otherwise engaging under 
arrangement (e.g., such as a contract) the services of a physician, 
dentist, or other health care practitioner, or having the authority to 
sanction such practitioners covered by a Federal program, which: (a) 
Enters into a memorandum of understanding with HHS regarding its 
participation in the Data Bank; (b) engages in a professional review 
activity in determining an adverse action against a practitioner; and 
(c) maintains a Privacy Act system of records regarding the health care 
practitioners it employs, or whose services it engages under 
arrangement. The purpose of such disclosures is to enable hospitals and 
other facilities and health care providers under the jurisdiction of 
Federal agencies such as the Public Health Service, HHS; the Department 
of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; 
and the Bureau of Prisons, Department of Justice, to participate in the 
Data Bank. The Health Care Quality Improvement Act of 1986 includes 
provisions regarding the participation of such agencies and of the DEA.
    15. In the event of litigation where the defendant is: (a) The 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
affect directly the operation of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Department of Justice has agreed to represent such 
employee, for example in defending a claim against the Public Health 
Service based upon an individual's mental or physical condition and 
alleged to have arisen because of activities of the Public Health 
Service in connection with such individual, disclosures may be made to 
the Department of Justice to enable the Department to present an 
effective defense, provided that such disclosure is compatible with the 
purpose for which the records were collected.
    16. The contractor, SRA International Inc., accesses the system to 
operate and maintain it. These functions include but are not limited to 
providing continuous user availability, develop system enhancements, 
upgrade of hardware and software, security information assurance, and 
system backups.
    17. To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, and the information disclosed is relevant and 
necessary for that assistance.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    Records are maintained on database servers with disk storage, 
optical jukebox storage, backup tapes and printed reports.

Retrievability:
    Records are retrieved by name, date of birth, Social Security 
number, educational information, and license number. The matching 
algorithm uses these data elements to match reports to the subject.

Safeguards for Accessing Records:
    1. Authorized Users include internal users such as the government 
and contractor personnel staff who support the Data Banks and are 
required to obtain favorable adjudication for a Level 5 Position of 
Public Trust. New employees of the NPDB and the contractor must attend 
security training, sign a Non-Disclosure Agreement, and sign the Rules 
of Behavior which is renewed annually. Authorized users are given role-
based access to the system on a limited need-to-know basis. All 
physical and logical access to the system is removed upon termination 
of employment. External users, who are responsible for meeting Title IV 
reporting and/or querying requirements to the Data Banks, are 
responsible for determining their eligibility to access the Data Banks 
through a self-certification process which requires completing an 
Entity Registration form. All external users must acknowledge the Rules 
of Behavior. All external users must re-register every two years to 
access the Data Banks. Both HRSA and the contractor maintain lists of 
authorized users.
    2. Physical Safeguards involve physical controls that are in place 
24 hours a day/7 days a week such as identification badge access, 
cipher locks, locked hardware cages, man trap with biometric hand 
scanner, security guard monitoring, and closed circuit TV. All sites 
are protected with fire and environmental safety controls.
    3. Technical Safeguards include firewalls, network intrusion 
detection, host-based intrusion detection and file integrity 
monitoring, user identification, and passwords restrictions. All web-
based traffic is encrypted using 128 bit SSL and all network traffic is 
encrypted internally.
    4. Administrative Safeguards involve certification and 
accreditation that is required every three years, which authorizes 
operation of the system based on acceptable risk. Security assessments 
are conducted continuously throughout the year to verify compliance 
with all required controls.

Retention and Disposal of records:
    HRSA is working with NARA to obtain the appropriate retention 
value.

[[Page 60767]]

System Manager(s) and Address:
    Director, Division of Practitioner Data Banks, Bureau of Health 
Professions, Health Resources and Services Administration, Room 8-103, 
Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

Notification Procedure:
    Information is available upon request, to the persons or entities, 
or to the authorized agents in such form or manner as the Secretary 
prescribes. The subject of a report is notified via U.S. mail when a 
record concerning the individual is submitted to the Data Bank via 
Subject Notification Document (SND).

Requests by Mail:
    Practitioners may submit a ``Request for Information Disclosure'' 
to the address under system location for any report on themselves. The 
request must contain the following: Name, address, date of birth, 
gender, Social Security Number (optional), professional schools and 
years of graduation, and the professional license(s). For license, 
include: The license number, the field of licensure, the name of the 
State or Territory in which the license is held, and DEA registration 
number(s). The practitioner must submit a signed and notarized self-
query request.

Penalties for Violation:
    Submitting a request under false pretenses is a criminal offense 
and subject to a civil monetary penalty of up to $11,000 for each 
violation.

Requests in Person:
    Due to security considerations, the Data Bank cannot accept 
requests in person.

Request by Telephone:
    Practitioners may provide all of the identifying information stated 
above to the Data Bank Customer Service Center operator. Before the 
data request is fulfilled, the operator will return a paper copy of 
this information for verification, signature and notarization.

Record Access Procedures:
    Request for access of records in the Data Bank may be completed 
online at: https://www.npdb-hipdb.hrsa.gov. The requests are submitted 
over the web using the Integrated Query and Reporting Service (IQRS), 
Query and Reporting Extensible Markup Language Service (QRXS), 
Interface Control Document (ICD) Transfer Program (ITP) or the 
Proactive Disclosure Service (PDS). Self-query, as described 
previously, may be initiated via the electronic system and is completed 
using the conventional mail system. Requesters, including self-queries, 
will receive an accounting of disclosure that has been made of their 
records, if any.

Contesting Record Procedures:
    The Data Bank routinely mails a copy of any report filed in it to 
the subject individual. A subject individual may contest the accuracy 
of information in the Data Bank concerning himself or herself and file 
a dispute. To dispute the accuracy of the information, the individual 
must contact the Data Bank and the reporting entity to: (1) Request for 
the reporting entity to file correction to the report; and (2) request 
the information be entered into a ``disputed'' status and submit a 
statement regarding the basis for the inaccuracy of the information in 
the report. If the reporting entity declines to change the disputed 
report or takes no actions, the subject may request that the Secretary 
of HHS review the disputed report. In order to seek a Secretarial 
Review, the subject must: (1) Provide written documentation containing 
clear and brief factual information regarding the information of the 
report; (2) submit supporting documentation or justification 
substantiating that the reporting entity's information is inaccurate; 
and (3) submit proof that the subject individual has attempted to 
resolve the disagreement with reporting entity but was unsuccessful. 
The Department can only determine whether the report was legally 
required to be filed and whether the report accurately depicts the 
action taken and the reporter's basis for action. Additional detail on 
the process of dispute resolution and Secretarial Review process can be 
found at 45 CFR Sec.  60.14 of the Data Bank regulations.

Record Source Categories:
    The records contained in the system are submitted by the following 
entities: (1) Insurance companies and others who have made payment as a 
result of a malpractice action or claim, (2) State Boards of Medical 
and Dental Examiners; (3) State Licensing Boards; (4) hospitals and 
other health care entities; (5) DEA; and (6) Federal entities which 
employ health practitioners or who have authority to sanction such 
practitioners covered by a Federal program. Section 1921 of the Social 
Security Act expands reporting of actions submitted by State health 
care practitioner licensing and certification authorities (including 
medical and dental boards), State entity licensing and certification 
authorities, peer review organizations and private accreditation 
organizations.

Systems exempted from Certain Provisions of the Act:
    None.

[FR Doc. 2010-24568 Filed 9-30-10; 8:45 am]
BILLING CODE 4160-15-P