[Federal Register Volume 62, Number 51 (Monday, March 17, 1997)]
[Notices]
[Pages 12653-12656]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-6591]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Resources and Services Administration


Privacy Act of 1974; Altered System of Records

AGENCY: Health Resources and Services Administration, HHS.

ACTION: Notification of an altered system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the 
Health Resources and Services Administration (HRSA) is publishing 
notice of a proposal to add a new category of records to 09-15-0054, 
the National Practitioner Data Bank for Adverse Information on 
Physicians and Other Health Care Practitioners, HHS/HRSA/BHPr. HRSA 
proposes to add specific information already available to the public 
from the Health Care Financing Administration (HCFA) on physicians, 
practitioners, providers, and other health care entities which the 
Office of Inspector General (OIG), HHS has excluded from participation 
in and from recovering payment from the Medicare and Medicaid programs.

DATES: HRSA invites interested parties to submit comments on the 
proposed internal and routine use of this information on or before 
April 28, 1997. HRSA has sent a Report of Altered System to the 
Congress and to the Office of Management and Budget (OMB) on March 3, 
1997. The alteration to the system will be effective 40 days from the 
date submitted to OMB unless HRSA receives comments which would result 
in a contrary determination.

ADDRESSEES: Please address comments on the altered system of records to 
the Health Resources and Services Administration (HRSA) Privacy Act 
Officer, Department of Health and Human Services, 5600 Fishers Lane, 
Room 14A-20, Rockville, Maryland 20857, telephone (301) 443-3780. This 
is not a toll-free number.

FOR FURTHER INFORMATION CONTACT: Director, Division of Quality 
Assurance, BHPr/HRSA. Room 8A-55, Parklawn Building, 5600 Fishers Lane, 
Rockville, Maryland, telephone (301) 443-2300. This is not a toll-free 
number.

SUPPLEMENTARY INFORMATION: The Office of the Inspector General, HHS, 
has the authority to exclude individuals/entities from participating in 
the Medicare and/or certain State health care plans under sections 
1128(a), 1128(b), 1892, or 1156 of the Social Security Act. The 
exclusion also applies to all other Executive Branch procurement and 
non-procurement programs and activities. Disclosure of the OIG 
Exclusion List to HRSA is under authority of section 1106(a) of the 
Social Security Act, 42 CFR 401.105, and routine use exception of the 
Privacy Act (5 U.S.C. 522a(b)(3)). HCFA is authorized to provide 
certain specific information on physicians, practitioners, providers, 
and health care entities which OIG has excluded from participation in 
and from recovering payment from the Medicare and Medicaid programs. 
HCFA will retain full responsibility for the content and accuracy of 
HCFA Exclusion reports; the Data Bank will only act as a disclosure 
service. Notification of exclusion from HCFA programs is made by HCFA. 
Inquiries on the appropriateness or content of HCFA Exclusion Reports 
will be referred to HCFA for response. The National Practitioner Data 
Bank (Data Bank) will disclose such information to authorized health 
care industry queriers on request, using the Data Bank's fully 
automated and secure systems and procedures.
    Editorial changes have been made throughout the system to enhance 
clarity and specificity and to accommodate normal updating changes.
    The following notice is written in the present, rather than the 
future tense, to avoid the unnecessary expenditure of public funds to 
republish the notice after the routine use has become effective.

    Dated: March 3, 1997.
 Ciro V. Sumaya,
 Administrator.
09-15-0054

SYSTEM NAME:
    National Practitioner Data Bank for Adverse Information on 
Physicians and Other Health Care Practitioners, HHS/HRSA/BHPr.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    The SRA Corporation (the Contractor) operates the National 
Practitioner Data Bank (Data Bank) under contract with the Bureau of 
Health Professions (BHPr), Health Resources and Services Administration 
(HRSA). Records are located at the following address: National 
Practitioner Data Bank, PO Box 10832, Chantilly, VA 20151. For security 
reasons, the street address cannot be disclosed.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Health care practitioners including physicians, dentists, and all 
other health care practitioners (such as nurses, optometrists, 
pharmacists, and podiatrists), licensed or otherwise authorized by a 
State to provide health care services, on whose behalf a payment has 
been made as a result of a malpractice action or claim; physicians and 
dentists who are the subject of licensure disciplinary actions; and 
physicians, dentists and other health care practitioners who are on 
medical staffs or who hold clinical privileges, or who are members of 
professional societies, against whom certain adverse actions have been 
taken as a result of a professional review action.

CATEGORIES OF RECORDS IN THE SYSTEM:
    1.  For malpractice payments. Information on the physician, dentist 
or other licensed health care practitioner such as name; work address; 
home address, if known; Social Security number, if known, and obtained 
in accordance with section 7 of the Privacy Act of 1974; date of birth; 
name of each professional school attended and year of graduation; for 
each professional license: The license number, the field of licensure, 
and the name of the State or Territory in which the license is held; 
Drug Enforcement Administration registration number(s), if known; and 
name of each hospital with which the practitioner is affiliated, if 
known. Information on the person or entity making the payment, such as 
the name and address of the person or entity making the payment; and 
the name, title, and telephone number of the responsible official 
submitting the report on behalf of the entity.
    Information on the payments, such as the date of the occurrence of 
the acts or omissions upon which the action or claim was based 
occurred; date and amount of payment; description of the

[[Page 12654]]

acts or omissions and injuries or illnesses upon which the action or 
claim was based; and classification of the acts or omission per 
reporting code.
    2. For State Medical or Dental Board actions. Information such as: 
The physician's or dentist's name; work address; homes address, if 
known; Social Security number, if known, and if obtained in accordance 
with section 7 of the Privacy Act of 1974; date of birth; name of each 
professional school attended and year of graduation; for each 
professional license: The license number, the field of licensure, and 
the name of the State or Territory in which the license is held; Drug 
Enforcement Administration registration number, if known; description 
of the acts or omission or other reasons for the action taken; 
description of the Board action; the date the action was taken and its 
effective date; and classification of the action per reporting code.
    3.  For certain professional review actions. Information such as 
the physician's, dentist's or other health care practitioner's name; 
work address; home address, if known; date of birth; name of each 
professional school attended and year of graduation; for each 
professional license: The license number, the field of licensure, and 
the names of the State or Territory in which the license is held; Drug 
Enforcement Administration registration number, if known; Social 
Security number, if known, and if obtained in accordance with section 7 
of the Privacy Act of 1974; description of the acts or omissions or 
other reasons for clinical privilege or professional society membership 
loss or, if known, for surrender; and action taken, date the action was 
taken, and effective date the action was taken, and effective date of 
the action.
    4. Inquiry file. Copies of all inquiries received by the Data Bank.
    5. For OIG Medicare/Medicaid Exclusions. Under authority of section 
1106(a) of the Social Security Act, 42 CFR 401.105, and routine use 
exception of the Privacy Act (5 U.S.C. 522a(b)(3)), HCFA will provide 
certain specific information on physicians, practitioners, providers, 
and other health care entities which the OIG has excluded from 
participation in and from recovering payment from the Medicare and 
Medicaid programs. HCFA will provide information such as the 
physician's, dentist's or other health care practitioner's name; Social 
Security number (used for Data Bank matching purposes only; not 
disclosed to authorized queriers); HCFA's unique practitioner 
identifier number; date of birth; basis for exclusion; facts about the 
exclusion; status of exclusion; and other information as necessary to 
ensure proper identification.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Under the Health Care Quality Improvement Act of 1986 (the Act), as 
amended, section 424(b), 42 U.S.C. 11134(b), authorizes the maintenance 
of records of medical malpractice payments, disciplinary actions taken 
by Boards of Medical Examiners, and professional review actions taken 
by health care entities.

PURPOSE(S):
    The purposes of the system are to (1) Receive from insurance 
companies and others making payments as a result of malpractice actions 
or claims, State Medical and Dental Boards, and health care entities, 
information pertaining to the professional performance or conduct of 
physicians, dentists and other licensed health care practitioners; and 
(2) disseminate such data to health care entities, to State 
professional licensing boards, and to others as authorized by the Act.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Data may be disclosed to:
    1. A hospital requesting data concerning a physician, dentist or 
other health care practitioner who is on its medical staff (courtesy or 
otherwise) or who has clinical privileges at the hospital, for the 
purpose of: (a) Screening the professional qualifications of 
individuals who apply for staff positions or clinical privileges at the 
hospital; and (b) meeting the requirements of the Health Care Quality 
Improvement Act of 1986, which also prescribes that a hospital must 
query the Bank once every 2 years regarding all individuals on its 
medical staff or who hold clinical privileges.
    2. Other health care entities, as defined in 45 CFR 60.3, to which 
a physician, dentist or other health care practitioner has applied for 
clinical privileges or appointment to the medical staff or who has 
entered or may be entering an employment or affiliation relationship. 
The purpose of these disclosures is to identify individuals whose 
professional conduct may be unsatisfactory.
    3. A health care entity with respect to professional review 
activity. The purpose of these disclosures is to aid health care 
entities in the conduct of professional review activities, such as 
those involving determinations of whether a physician, dentist, or 
other health care practitioner may be granted membership in a 
professional society; the conditions of such membership, or of changes 
to such membership; and ongoing professional review activities 
conducted by a health care entity which provides health care services, 
of the professional performance or professional conduct of a physician, 
dentist, or other health care practitioner.
    4. A State professional licensing board conducting a review of an 
individual. The purpose of these disclosures is to aid the board in 
meeting its responsibility to protect the health of the population in 
its jurisdiction, by identifying individuals whose professional 
performance or professional conduct may be unsatisfactory.
    5. An attorney, or individual representing himself or herself, who 
has filed a medical malpractice action or claim in a State or Federal 
court or other adjudicative body against a hospital, and who requests 
information regarding a specific physician, dentist, or other health 
care practitioner who is also named in the action or claim provided 
that (a) This information will be disclosed only upon the submission of 
evidence that the hospital failed to request information from the Bank 
as required by law, and (b) the information will be used solely with 
respect to litigation resulting from the action or claim against the 
hospital. The purpose of these disclosures is to permit an attorney (or 
a person representing himself or herself in a medical malpractice 
action) to have information from the Bank on a health care 
practitioner, under the conditions set out in this routine use.
    6. Any Federal entity, employing or otherwise engaging under 
arrangement (e.g., such as a contract) the services of a physician, 
dentist, or other health care practitioner, or having the authority to 
sanction such practitioners covered by a Federal program, which (a) 
Enters into a memorandum of understanding with HHS regarding its 
participation in the Bank; (b) engages in a professional review 
activity in determining an adverse action against a practitioner; and 
(c) maintains a Privacy Act system of records regarding the health care 
practitioners it employs, or whose services it engages under 
arrangement. The purpose of such disclosures is to enable hospitals and 
other facilities and health care providers under the jurisdiction of 
Federal agencies such as the Public Health Service, HHS; the Department 
of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; 
and the Bureau of Prisons, Department of Justice, to participate in the 
Bank. The Health Care Quality

[[Page 12655]]

Improvement Act of 1986 includes provisions regarding the participation 
of such agencies, and of the Federal Drug Enforcement Administration, 
in the Bank.
    7. In the event of litigation where the defendant is (a) The 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
affect directly the operation of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Department of Justice has agreed to represent such 
employee, for example in defending a claim against the Public Health 
Service based upon an individual's mental or physical condition and 
alleged to have arisen because of activities of the Public Health 
Service in connection with such individual, disclosures may be made to 
the Department of Justice to enable the Department to present an 
effective defense, provided that such disclosure is compatible with the 
purpose for which the records were collected.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are maintained in electronic folders, on magnetic tape, 
and/or disks.

RETRIEVABILITY:
    Retrieval will be by use of personal identifiers, including a 
unique identifier assigned by the Data Bank.

SAFEGUARDS:
    1. Authorized Users: Access to records is limited to designated 
employees of the Contractor and to designated HRSA staff. The Data Bank 
Project Director and Manager of Operations are among the Contractor's 
employees who are authorized users. The Contracting Officer's Technical 
Representative (COTR) and AIS Security Officer are among the HRSA staff 
who are authorized users. Both HRSA and the contractor maintain lists 
of authorized users.
    2. Physical Safeguards: Magnetic tapes, disks, computer equipment, 
and hard copy files are stored in areas where fire and environmental 
safety codes are strictly enforced. All automated and nonautomated 
documents are protected on a 24-hour basis. Perimeter security includes 
intrusion alarms, random guard patrols, monitors, key/passcard/
combination controls, receptionist controlled area, and reception alarm 
button.
    3. Procedural and Technical Safeguards: A password is required to 
access the system, and additional identification numbers and passwords, 
to limit access to data to only authorized users. All users of personal 
information, in connection with the performance of their jobs, protect 
information from public view and from unauthorized personnel entering 
an unsupervised area. All authorized users will sign a nondisclosure 
statement. To protect the confidentiality of information contained in 
the system, when a person leaves or no longer has authorized duties, 
the Security Officer deletes his or her identification number and 
password, retrieves all-electronic access cards, and changes all 
combinations to which the departing employee had access. The system 
automatically logs all access to data resources.
    Access to records is limited to those authorized personnel trained 
in accordance with the Privacy Act and ADP security procedures. The 
Contractor is required to assure the confidentiality safeguards of 
these records and to comply with all provisions of the Privacy Act. All 
individuals who have access to these records must have the appropriate 
ADP security clearances. Privacy Act and ADP system security 
requirements are included in the contract with the SRA Corporation. In 
addition, the Data Bank Project Officer and the System Manager oversee 
compliance with these requirements. HRSA staff who are authorized users 
will make site visits to the Contractor's facilities to assure 
compliance with security and Privacy Act requirements.
    The safeguards described above were established in accordance with 
DHHS Chapter 45-13 and supplementary Chapter PHS hf: 45-13 of the 
General Administration Manual, and the DHHS Information Resources 
Management Manual, Part 6. ``ADP Systems Security.''

RETENTION AND DISPOSAL:
    1. Project Director's Subject File-- significant documents 
associated with the creation and maintenance of the Data Bank, such as 
essential policy documents, regulations, and handbooks.
    Authorized disposition is permanent. Cut off superseded materials 
annually. Transfer to the WNRC in 5-year blocks when 5 years old. 
Transfer to the National Archives 5 years thereafter. Annual 
accumulation is less than one cubic foot. Amount on hand is less than 
one cubic foot.
    2. Source Documents--reporting and query forms.
    Authorized disposition is temporary. Destroy hardcopy forms after 
conversion to microfilm when no longer needed for administrative 
purposes. Dispose of microfilm and diskettes in contractor office space 
when no longer needed to support the reconstruction of, or serve as a 
backup to, the Master File, whichever is later.
    3. Master file and associated documentation.
    Authorized disposition is not authorized. Maintain until NARA and 
HRSA agree on a disposition. Data may be cut off annually. As the data 
and documentation remain unscheduled, maintenance and storage 
procedures shall conform with the provisions laid out in 36 CFR 
1234.28.
    4. General administrative records associated with the establishment 
and maintenance of the Data Bank, both at the contractor and at HRSA.
    Authorized disposition is temporary. Destroy when no longer needed 
for administrative purposes.

SYSTEM MANAGER(S) AND ADDRESS:
    Director, Division of Quality Assurance, Bureau of Health 
Professions, Health Resources and Services Administration, Room 8A-55, 
Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

NOTIFICATION PROCEDURES:
    An individual is informed when a record concerning himself or 
herself is entered into the Data Bank, with the exception of HCFA 
exclusion reports.
    Requests by mail: Practitioners may submit a ``Request for 
Information Disclosure'' to the address under system location for any 
report on themselves. The request must contain the following: Name, 
address, date of birth, gender, Social Security Number (optional), 
professional schools and years of graduation, and the professional 
license(s). For license, include: The license number, the field of 
licensure, the name of the State or Territory in which the license is 
held, and Drug Enforcement Administration registration number(s). 
Practitioners must sign and have notarized their requests. Submitting a 
request under false pretenses is a criminal offense subject to, at a 
minimum, a $5,000 fine under provisions of the Privacy Act, and to a 
$10,000 fine under provisions of the Health Care Quality Improvement 
Act of 1986.
    Requests in person: Due to security considerations, the Data Bank 
cannot accept requests in person.
    Request by telephone: Practitioners may provide all of the 
identifying information stated above to the Data

[[Page 12656]]

Bank Helpline operator. Before the data request is fulfilled, the 
operator will return a paper copy of this information for verification, 
signature and notarization.

RECORD ACCESS PROCEDURES:
    Same as notification procedures. Requesters will receive an 
accounting of disclosure that has been made of their records, if any.

PROCEDURES FOR CONTESTING RECORDS:
    The Data Bank routinely mails a copy of any report filed (other 
than those filed by HCFA) in it to the subject individual. Any record 
subject may contest the accuracy of information in the Data Bank 
(except information filed by HCFA) concerning himself or herself and 
file a dispute. To dispute the accuracy of the information, the 
individual must notify the Data Bank by: (1) Identifying the record 
involved; (2) specifying the information being contested; (3) stating 
the corrective action sought and reason for requesting the correcting; 
and (4) submitting supporting justification and/or documentation to 
show how the record is inaccurate. At the same time, the individual 
must notify the reporting entity, in writing.
    Additional detail on the process of dispute resolution can be found 
at 45 CFR part 60 under Sec. 60.14 of the Data Bank regulations.

RECORD SOURCE CATEGORIES:
    Entities that have submitted records on individuals contained in 
the system; insurance companies and others who have made payment as a 
result of a malpractice action or claim; State Medical Boards; State 
Boards of Dentistry; State Licensing Boards; hospitals and other health 
care entities as defined in the Act; the Drug Enforcement 
Administration; and Federal entities which employ health practitioners 
or which have authority to sanction such practitioners covered by a 
Federal program.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 97-6591 Filed 3-14-97; 8:45 am]
BILLING CODE 4160-15-P