Privacy Act of 1974; Report of an Altered System of Records, 47322-47326 [2013-18599]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Health Resources and Services Administration

[Federal Register Volume 78, Number 150 (Monday, August 5, 2013)]
[Notices]
[Pages 47322-47326]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-18599]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Resources and Services Administration


Privacy Act of 1974; Report of an Altered System of Records

AGENCY: Health Resources and Services Administration, Department of 
Health and Human Services (HHS).

ACTION: Notice of an altered system of records and deletion of a 
related system.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974 
(5 U.S.C. 552a), the Health Resources and Services Administration 
(HRSA) is publishing notice of a proposal to alter the system of 
records entitled and numbered National Practitioner Data Bank for 
Adverse Information on Physicians and other Health Care Practitioners 
(NPDB), 09-15-0054, to include information covered under a 
related system of records, the Healthcare Integrity and Protection Data 
Bank (HIPDB), SORN 09-90-0103, which is being deleted. The NPDB SORN 
was last published March 30, 2012 (77 FR 19295). The proposed 
alterations to the NPDB SORN include revising the Purpose section, 
expanding the Categories of Individuals, Categories of Records, and 
Record Sources Categories sections, revising two existing routine uses 
and adding one new routine use, deleting three unnecessary routine 
uses, and updating the Authority and Policies and Practices sections.

DATES: HRSA filed an altered system report with the Chair of the House 
Committee on Government Reform and Oversight, the Chair of the Senate 
Committee on Homeland Security and Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on July 17, 2013. To ensure all parties 
have adequate time in which to comment, the system alterations proposed 
in this notice will become effective 30 days from the publication of 
this notice in the Federal Register or 40 days from the date the 
altered system report was submitted to OMB and Congress, whichever is 
later, unless HRSA receives comments that require alterations to this 
notice. The HIPDB SORN will be considered deleted when the system 
alterations proposed in this notice are effective.

ADDRESSES: Please address comments to Associate Administrator, Bureau 
of Health Professions, Health Resources and Services Administration, 
5600 Fishers Lane, Room 9-05 Rockville, Maryland 20857. Comments 
received will be available for inspection at this same address from 
9:00 a.m. to 3:00 p.m. (Eastern Standard Time Zone), Monday through 
Friday.

FOR FURTHER INFORMATION CONTACT: Director, Division of Practitioner 
Data Banks, Bureau of Health Professions, Health Resources and Services 
Administration, 5600 Fishers Lane, Room 8-103, Rockville, Maryland 
20857; Telephone: (301) 443-2300. This is not a toll-free number.

SUPPLEMENTARY INFORMATION:

I. Merger of HIPDB Into NPDB

    The NPDB and the HIPDB were authorized by separate laws to improve 
the quality of health care and to combat fraud and abuse, respectively. 
Title IV of the Health Care Quality Improvement Act (Title IV) and 
Section 1921 of the Social Security Act (Section 1921) govern the NPDB. 
Section 1128E of the Social Security Act (Section 1128E) governs the 
HIPDB. There was overlap between the two data banks following 
implementation of Section 1921 legislation in March 2010. Section 1921 
expanded the scope of the NPDB, requiring each state to adopt a system 
of reporting to the Secretary certain adverse licensure actions taken 
against health care practitioners and health care entities by any 
authority of the state responsible for the licensing of such 
practitioners or entities. It also required each state to report any 
negative action or finding that a state licensing authority, a peer 
review organization, or a private accreditation entity has finalized 
against a health care practitioner or entity. Practically speaking, 
Section 1921 resulted in, among other consequences, including in the 
NPDB the vast majority of information contained in the HIPDB. On March 
23, 2010, the Affordable Care Act was signed into law. Section 6403 of 
the law called for the elimination of duplication between the NPDB and 
the HIPDB. Section 1921 and Section 1128E statutory authorities were 
altered to eliminate duplicative reporting requirements.
    The NPDB and HIPDB will merge to form one data bank. The HIPDB will 
cease operations following the merge, but the underlying statutory 
authority will remain intact and actions reported under that authority 
will now be moved to the NPDB. HRSA published a Final Rule merging the 
two databank systems on April 5, 2013 (78 FR 20473) that went into 
effect on May 6, 2013.

II. Proposed Alterations to NPDB

    The revised NPDB SORN that follows includes these system 
alterations:
     revises the Purpose section to reflect the addition of 
information previously collected under the HIPDB related to fraud and 
abuse, specifically the inclusion of health care providers and 
suppliers and collection of health care related criminal convictions, 
civil judgments, and other adjudicated actions
     expands the Categories of Individuals section to include 
health care providers and health care suppliers
     expands the Categories of Records section to include 
records of federal licensure or certification actions, health care 
related criminal convictions, health care related civil judgments, and 
other adjudicated actions or decisions. These additional records 
resulted in one revised and eleven new personally identifiable 
information data elements numbered 4 and 21-31, respectively.
     expands the ``Records Sources Categories'' section to 
include federal licensing and certification agencies, federal and state 
prosecutors and attorneys, health plans, federal government agencies, 
and state law and fraud enforcement agencies
     revises two routine uses (numbered 8 and 15) to reflect 
inclusion of health care providers and suppliers and to remove outdated 
references to only Section 1921 information;
     adds one new routine use (numbered 14) to allow disclosure 
of certain information to health plans
     deletes three unnecessary routine uses, pertaining to the 
Comptroller General, the U.S. Attorney General, and statistical 
information (numbered 7, 8 and 12 in the current version of the SORN, 
published March 30, 2012)
     updates the Authority section to cite Section 1128E of the 
Social Security Act as amended by the Patient Protection and Affordable 
Care Act of 2010
     updates the Policies and Procedures section related to 
Safeguards, specifically removing reference to only Title IV reporting

III. Background on the Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the U.S. 
Government collects, maintains, and uses information about individuals 
in a system of records. A ``system of records'' is a group of any 
records under the control of a federal agency from

[[Page 47323]]

which information about an individual is retrieved by the individual's 
name or other personal identifier. The Privacy Act requires each agency 
to publish in the Federal Register a system of records notice (SORN) 
identifying and describing each system of records the agency maintains, 
including the purpose for which the agency uses information about 
individuals in the system, the routine uses for which the agency 
discloses such information outside the agency, and how individual 
record subjects can exercise their rights under the Privacy Act (e.g., 
to determine if the system contains information about them).

    Dated: July 5, 2013.
Mary K. Wakefield,
Administrator.

SYSTEM NUMBER:
    09-15-0054

SYSTEM NAME:
    National Practitioner Data Bank

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    A contractor operates and maintains the system through a technical 
service contract for the Division of Practitioner Data Banks, Bureau of 
Health Professions, Health Resources and Services Administration. This 
system is located at a contractor run data center, a secure facility; 
the street address will not be disclosed for security reasons. The 
address of the Division of Practitioner Data Banks, Bureau of Health 
Professions, Health Resources and Services Administration, is Room 8-
103, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system collects and maintains records pertaining to the 
professional competence and conduct of health care practitioners as 
defined by 45 CFR 60.3 (e.g., physicians, dentists, nurses, allied 
health care professionals, social workers), health care suppliers as 
defined by 45 CFR 60.3 (e.g., durable medical equipment suppliers, 
manufactures of health care items, pharmaceutical suppliers and 
manufacturers), health care providers as defined by 45 CFR 60.3 (e.g., 
hospitals and health plans) and health care entities as defined by 45 
CFR 60.3 (e.g., hospitals and health maintenance organizations which 
are licensed by a state). The first three categories (health care 
practitioners, providers and suppliers) include only individuals, or a 
mixture of individuals and entities.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system collects and maintains reports and query history 
records.
    Reports include: (1) Medical malpractice payment reports for all 
health care practitioners (e.g., physicians, dentists, nurses, 
optometrists, pharmacists, podiatrists, etc.); (2) adverse licensure 
and certification action reports taken by states against health care 
practitioners, health care entities, providers or suppliers; (3) 
adverse licensure and certification action reports taken by federal 
agencies against health care practitioners, providers, or suppliers; 
(4) adverse clinical privileging actions reports for physicians, 
dentists, or other health care practitioners who may have medical staff 
privileges; (5) adverse professional society membership action reports 
for physicians, dentists or other health care practitioners; (6) 
negative actions or findings taken against health care practitioners, 
health care entities, providers, or suppliers by peer review 
organizations and private accreditation entities; (7) federal or state 
criminal convictions related to the delivery of a health care item or 
service reports for health care practitioners, providers, or suppliers; 
(8) civil judgments related to the delivery of a health care item or 
service for health care practitioners, providers, or suppliers; (9) 
reports of exclusions of health care practitioners, providers, or 
suppliers from participation in state or federal health care programs; 
and (10) other adjudicated actions taken against health care 
practitioners, providers, or suppliers by federal agencies, state 
agencies, or health plans. Reports may contain the following 
personally-identifiable data elements and records:
    1. Name
    2. Work address
    3. Home address
    4. Social Security number or individual tax identification number 
(ITIN)
    5. Date of birth
    6. Name of each professional school attended and year of graduation
    7. Professional license(s) number
    8. Field of licensure
    9. Name of the state or territory in which the license is held
    10. Drug Enforcement Administration (DEA) registration numbers
    11. Centers for Medicare & Medicaid Services (CMS) unique 
practitioner identification number (for exclusions only)
    12. Names of each hospital with which the practitioner is 
affiliated
    13. Name and address of the entity making the payment
    14. Name, title, and telephone number of the official responsible 
for submitting the report on behalf of the entity
    15. Payment information including the date and amount of payment 
and whether it is for a judgment or settlement
    16. Date action occurred
    17. Acts or omissions upon which the action or claim was based
    18. Description of the action/omissions and injuries or illnesses 
upon which the action or claim was based
    19. Description of the Board action, the date of action and its 
effective date
    20. Classification of the action/omission per reporting code
    21. Court or judicial venue in which action was taken
    22. Docket or court file number
    23. Name of prosecuting agency or Civil Plaintiff
    24. Prosecuting agency's case number
    25. Statutory offense and counts
    26. Date of judgment/sentence
    27. Length of sentence
    28. Amount of judgment or monetary penalty
    29. Restitution or other orders
    30. Nature of offense on which the action was based
    31. Investigative agencies involved and any case/file numbers, if 
known

    Query histories indicate the dates that a health care 
practitioner's, provider's, supplier's, or entity's report(s) were 
accessed/queried in the system and by whom. An individual 
practitioner's, provider's or supplier's report(s) and query history 
are available to him or her, if he or she elects to submit a self-
query. However, the query history will not include query activity by 
law enforcement agencies, if any, due to the system's exemption 
(described below, under ``System Exempted From Certain Provisions of 
the Act'').

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title IV of the Health Care Quality Improvement Act of 1986 (Title 
IV), as amended, Section 1921 of the Social Security Act, as amended, 
and Section 1128E of the Social Security Act as amended.

PURPOSE(S):
    The purpose of the system is to: (1) Receive information such as 
medical malpractice payment reports, negative peer review actions, 
adverse licensure or certification actions, health care related 
criminal convictions, health care related civil judgments, exclusions, 
adverse clinical privileging actions, and other adjudicated actions as 
enumerated in the Categories of Reports, above, on all health care 
practitioners, suppliers, providers and entities; (2) store such

[[Page 47324]]

reports so that future queriers may have access to pertinent 
information in the course of making important decisions related to the 
delivery of health care services; and (3) disseminate such data to 
individuals and entities that qualify to receive the reports under the 
governing statutes as authorized by the Health Care Quality Improvement 
Act of 1986, Section 1921 of the Social Security Act and Section 1128E 
of the Social Security Act to protect the public from unfit 
practitioners and to prevent fraud and abuse. The system also allows 
practitioners, providers, and suppliers to self-query.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Information from this system is disclosed outside the agency for 
the following routine uses:
    1. To hospitals requesting information such as adverse licensure 
actions, medical malpractice payments or exclusions from Medicare and 
Medicaid programs taken against all licensed health care practitioners 
such as physicians, dentists, nurses, podiatrists, chiropractors, and 
psychologists. The information is accessible to both public and private 
sector hospitals that can request information concerning a physician, 
dentist or other health care practitioner who is on its medical staff 
(courtesy or otherwise) or who has clinical privileges at the hospital, 
for the purpose of: (a) Screening the professional qualifications of 
individuals who apply for staff positions or clinical privileges at the 
hospital; and (b) meeting the requirements of the Health Care Quality 
Improvement Act of 1986, which prescribes that a hospital must query 
the NPDB once every 2 years regarding all individuals on its medical 
staff or who hold clinical privileges.
    2. To other health care entities, as defined in 45 CFR 60.3, to 
which a physician, dentist or other health care practitioner has 
applied for clinical privileges or appointment to the medical staff or 
who has entered or may be entering an employment or affiliation 
relationship. The purpose of these disclosures is to assess the 
individual practitioner's qualifications for staff appointment or 
clinical privileges.
    3. To a health care entity with respect to professional review 
activity. The purpose of these disclosures is to aid health care 
entities in the conduct of professional review activities, such as 
those involving determinations of whether a physician, dentist, or 
other health care practitioner may be granted membership in a 
professional society, the conditions of such membership, or changes to 
such membership; and ongoing professional review activities of the 
professional performance or conduct of a physician, dentist, or other 
health care practitioner.
    4. To a state health care practitioner and/or entity licensing or 
certification authority that requests information in the course of 
conducting a review of all health care practitioners or health care 
entities or when making licensure determinations about health care 
practitioners and entities. The purpose of these disclosures is to aid 
the board or certification authority in meeting its responsibility to 
protect the health of the population in its jurisdiction, and to assess 
the qualifications of individuals seeking licenses or certifications.
    5. To federal and state health care programs (and their 
contractors) that request information to aid them in ensuring the 
integrity of their programs and the professional competence of 
affiliated health care practitioners and uncovering information needed 
to make appropriate decisions in the delivery of health care.
    6. To state Medicaid Fraud Control Units that request information 
to assist with investigating fraud, waste and abuse and in the 
prosecution of health care practitioners and providers relating to the 
Medicaid programs.
    7. To utilization and quality control Peer Review Organizations and 
those entities which are under contract with the CMS, when they request 
information to protect and improve the quality of care for Medicare 
beneficiaries in the course of performing quality of care reviews and 
other related activities.
    8. To a health care provider, supplier, or practitioner who 
requests information concerning himself, herself, or itself.
    9. To a health care entity that has been reported on, when the 
entity queries the system to receive information concerning itself.
    10. To an attorney, or an individual representing himself or 
herself, who has filed a medical malpractice action or claim in a state 
or federal court or other adjudicative body against a hospital, and who 
requests information regarding a specific physician, dentist, or other 
health care practitioner who is also named in the action or claim, 
provided that: (a) This information will be disclosed only upon the 
submission of evidence that the hospital failed to request information 
from the NPDB as required by law; and (b) the information will be used 
solely with respect to litigation resulting from the action or claim 
against the hospital. The purpose of these disclosures is to permit an 
attorney (or a person representing himself or herself in a medical 
malpractice action) to have information from the NPDB on a health care 
practitioner, under the conditions set out in this routine use.
    11. To any federal entity, employing or otherwise engaging under 
arrangement (e.g., such as a contract) the services of a physician, 
dentist, or other health care practitioner, or having the authority to 
sanction such individuals covered by a federal program, which: (a) 
Enters into a memorandum of understanding with HHS regarding its 
participation in the NPDB; (b) engages in a professional review 
activity in determining an adverse action against a practitioner; and 
(c) maintains a Privacy Act system of records regarding the health care 
practitioners it employs, or whose services it engages under 
arrangement. The purpose of such disclosures is to enable hospitals and 
other facilities and health care providers under the jurisdiction of 
federal agencies such as the Public Health Service, HHS; the Department 
of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; 
and the Bureau of Prisons, Department of Justice, to participate in the 
NPDB. The Health Care Quality Improvement Act of 1986 includes 
provisions regarding the participation of such agencies and of the DEA.
    12. To the Department of Justice in the event of litigation, for 
the purpose of enabling HHS to present an effective defense, where the 
defendant is: (a) HHS, any component of HHS, or any HHS employee in his 
or her official capacity; (b) the United States where HHS determines 
that the claim, if successful, is likely to affect directly the 
operation of HHS or any of its components; or (c) any HHS employee in 
his or her individual capacity where the Department of Justice has 
agreed to represent such employee, for example in defending a claim 
against the Public Health Service based upon an individual's mental or 
physical condition and alleged to have arisen because of activities of 
the Public Health Service in connection with such individual; provided 
that such disclosure is compatible with the purpose for which the 
records were collected.
    13. To the contractor engaged by the agency to operate and maintain 
the system. Operation and maintenance functions include but are not 
limited to providing continuous user availability, developing system 
enhancements, upgrading hardware and software, providing information 
security assurance, and performing system backups.

[[Page 47325]]

    14. To a health plan requesting data concerning a health care 
provider, supplier, or practitioner for the purposes of preventing 
fraud and abuse activities and/or improving the quality of patient 
care, and in the context of hiring or retaining providers, suppliers 
and practitioners that are the subjects of reports.
    15. To federal agencies requesting data concerning a health care 
provider, supplier, or physician, dentist or other practitioner for the 
purposes of anti-fraud and abuse activities and investigations, audits, 
evaluations, inspections and prosecutions relating to the delivery of 
and payment for health care in the United States and/or improving the 
quality of patient care, and in the context of hiring or retaining the 
providers, suppliers and individuals that are the subject of reports to 
the system. This would include law enforcement investigations and other 
law enforcement activities.
    16. To appropriate federal agencies and HHS contractors that have a 
need to know the information for the purpose of assisting HHS' efforts 
to respond to a suspected or confirmed breach of the security or 
confidentiality of information maintained in this system of records, 
and the information disclosed is relevant and necessary for that 
assistance.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
    STORAGE: Records are maintained on database servers with disk 
storage, optical jukebox storage, backup tapes and printed reports.
    RETRIEVABILITY: Records are retrieved by name, date of birth, 
Social Security Number, educational information, and license number. 
The matching algorithm uses these data elements to match reports to the 
subject.
    SAFEGUARDS:
    1. Authorized users include internal users such as government and 
contractor personnel who support the NPDB. Users are required to obtain 
favorable adjudication for a Level 5 Position of Public Trust. 
Government and contractor personnel who support the NPDB must attend 
security training, sign a Non-Disclosure Agreement, and sign the Rules 
of Behavior, which is renewed annually. Users are given role-based 
access to the system on a limited need-to-know basis. All physical and 
logical access to the system is removed upon termination of employment. 
External users, who are responsible for meeting NPDB reporting and/or 
querying requirements to the NPDB, are responsible for determining 
their eligibility to access the NPDB through a self-certification 
process which requires completing an Entity Registration form. All 
external users must acknowledge the Rules of Behavior. All external 
users must re-register every two years to access the NPDB. The 
registration process consists of an electronic authentication process 
where each user needs to prove his or her identity and organizational 
affiliation based on requirements in National Institute of Standards 
and Technology (NIST) SP 800-63-1. Both HRSA and the contractor 
maintain lists of authorized users.
    2. Physical safeguards involve physical controls that are in place 
24 hours a day/7 days a week such as identification badge access, 
cipher locks, locked hardware cages, man trap with biometric hand 
scanner, security guard monitoring, and closed circuit TV. All sites 
are protected with fire and environmental safety controls.
    3. Technical safeguards include firewalls, network intrusion 
detection, host-based intrusion detection and file integrity 
monitoring, user identification, database activity monitoring, data 
loss prevention and passwords restrictions. All web-based traffic is 
encrypted using 128 bit SSL and all network traffic is encrypted 
internally.
    4. Administrative safeguards involve certification and 
accreditation that is required every three years, which authorizes 
operation of the system based on acceptable risk. Security assessments 
are conducted continuously throughout the year to verify compliance 
with all required controls.

RETENTION AND DISPOSAL OF RECORDS:
    HRSA is working with the National Archive and Records 
Administration (NARA) to determine the appropriate retention period for 
electronic records. The records require long-term retention. Pending 
finalization of an appropriate disposition schedule with the National 
Archives and Records Administration (NARA), the records are being 
retained indefinitely.

SYSTEM MANAGER AND ADDRESS:
    Director, Division of Practitioner Data Banks, Bureau of Health 
Professions, Health Resources and Services Administration, Room 8-103, 
Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

NOTIFICATION PROCEDURE:
    Currently, an individual report subject is notified via U.S. mail 
when a report concerning him or her is submitted to the NPDB via 
Subject Notification Document (SND). This procedure is unchanged by the 
exemption published for the system.

RECORD ACCESS PROCEDURES:
    Although this system is exempt from the Privacy Act access 
requirement, the exemption is limited and discretionary. An individual 
report subject may seek access to his or her records in the NPDB by 
submitting a self-query request form on-line at: www.npdb.hrsa.gov. The 
requests are submitted over the web using the Integrated Query and 
Reporting Service (IQRS), Query and Reporting Extensible Markup 
Language Service (QRXS), Interface Control Document (ICD) Transfer 
Program (ITP) or the Continuous Query. Self-query, as described 
previously, may be initiated via the electronic system and is completed 
using the conventional mail system. Requesters, including self-
queriers, will receive an accounting of disclosures that have been made 
of their records, if any. The exemption will prevent law enforcement 
query activity from being disclosed to the health care practitioner in 
response to a self-query. Notwithstanding the access exemption, a 
practitioner may request access to his or her full query history (i.e., 
including law enforcement query activity, if any), by submitting a 
written request to the System Manager identified above and following 
the same procedures indicated under ``Notification Procedure.'' The 
request will be processed pursuant to the agency's discretionary access 
authority under 45 CFR 5b.11(d).

REQUESTS BY MAIL:
    Practitioners may submit a ``Request for Information Disclosure'' 
to the address under system location for any report on themselves. The 
request must contain the following: Name, address, date of birth, 
gender, Social Security Number (optional), professional schools and 
years of graduation, and the professional license(s). For license, 
include: The license number, the field of licensure, the name of the 
state or territory in which the license is held, and DEA registration 
number(s). The practitioner must submit a signed and notarized self-
query request.

REQUESTS IN PERSON:
    Due to security considerations, the NPDB cannot accept requests in 
person.

REQUESTS BY TELEPHONE:
    Practitioners may provide all of the identifying information stated 
above to the NPDB Customer Service Center operator. Before the data 
request is fulfilled, the operator will return a paper copy of this 
information for verification, signature and notarization.

[[Page 47326]]

PENALTIES FOR VIOLATION:
    Submitting a request under false pretenses is a criminal offense 
and subject to a civil monetary penalty of up to $11,000 for each 
violation. 42 CFR 1003.103(c).

CONTESTING RECORD PROCEDURES:
    Because of the system's exemption, the procedures for disputing an 
NPDB report will not apply to law enforcement query history information 
that is exempt from access, and all amendment requests will be governed 
by the procedures at 45 CFR 60.21. The NPDB routinely mails a copy of 
any report filed in it to the subject individual. A subject individual 
may contest the accuracy of information in the NPDB concerning himself 
or herself and file a dispute. To dispute the accuracy of the 
information, the individual must contact the NPDB and the reporting 
entity to: (1) Request that the reporting entity file a correction to 
the report; and (2) request the information be entered into a 
``disputed'' status and submit a statement regarding the basis for the 
inaccuracy of the information in the report. If the reporting entity 
declines to change the disputed report or takes no actions, the subject 
may request that the Secretary of HHS review the disputed report. In 
order to seek a review, the subject must: (1) Provide written 
documentation containing clear and brief factual information regarding 
the information of the report; (2) submit supporting documentation or 
justification substantiating that the reporting entity's information is 
inaccurate; and (3) submit proof that the subject individual has 
attempted to resolve the disagreement with the reporting entity but was 
unsuccessful. The Department can only determine whether the report was 
legally required to be filed and whether the report accurately depicts 
the action taken and the reporter's basis for action. Additional detail 
on the process of dispute resolution can be found at 45 CFR 60.21 of 
the NPDB regulations.

RECORD SOURCE CATEGORIES:
    The records contained in the system are submitted by the following 
entities: (1) Insurance companies and others who have made payment as a 
result of a malpractice action or claim; (2) state health care 
licensing and certification authorities; (3) federal licensing and 
certification agencies (e.g., DEA); (4) peer review organizations and 
private accreditation entities; (5) hospitals and other health care 
entities (includes professional societies); (6) federal and state 
prosecutors and attorneys; (7) health plans; (8) federal government 
agencies; and (9) state law and fraud enforcement agencies.

SYSTEM EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    The Secretary has exempted law enforcement query records in this 
system from certain provisions of the Privacy Act. In accordance with 5 
USC 552a(k)(2) and 45 CFR 5b.11(b)(2)(ii)(L), with respect to law 
enforcement query records, this system is exempt from subsections 
(c)(3), (d)(1)-(4), (e)(4)(G) and (H), and (f) of 5 USC 552a. See 76 FR 
72325, published November 23, 2011, adding NPDB as an exempt system.

[FR Doc. 2013-18599 Filed 8-2-13; 8:45 am]
BILLING CODE 4160-15-P