[Federal Register Volume 62, Number 51 (Monday, March 17, 1997)]
[Notices]
[Pages 12653-12656]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-6591]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Resources and Services Administration
Privacy Act of 1974; Altered System of Records
AGENCY: Health Resources and Services Administration, HHS.
ACTION: Notification of an altered system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act, the
Health Resources and Services Administration (HRSA) is publishing
notice of a proposal to add a new category of records to 09-15-0054,
the National Practitioner Data Bank for Adverse Information on
Physicians and Other Health Care Practitioners, HHS/HRSA/BHPr. HRSA
proposes to add specific information already available to the public
from the Health Care Financing Administration (HCFA) on physicians,
practitioners, providers, and other health care entities which the
Office of Inspector General (OIG), HHS has excluded from participation
in and from recovering payment from the Medicare and Medicaid programs.
DATES: HRSA invites interested parties to submit comments on the
proposed internal and routine use of this information on or before
April 28, 1997. HRSA has sent a Report of Altered System to the
Congress and to the Office of Management and Budget (OMB) on March 3,
1997. The alteration to the system will be effective 40 days from the
date submitted to OMB unless HRSA receives comments which would result
in a contrary determination.
ADDRESSEES: Please address comments on the altered system of records to
the Health Resources and Services Administration (HRSA) Privacy Act
Officer, Department of Health and Human Services, 5600 Fishers Lane,
Room 14A-20, Rockville, Maryland 20857, telephone (301) 443-3780. This
is not a toll-free number.
FOR FURTHER INFORMATION CONTACT: Director, Division of Quality
Assurance, BHPr/HRSA. Room 8A-55, Parklawn Building, 5600 Fishers Lane,
Rockville, Maryland, telephone (301) 443-2300. This is not a toll-free
number.
SUPPLEMENTARY INFORMATION: The Office of the Inspector General, HHS,
has the authority to exclude individuals/entities from participating in
the Medicare and/or certain State health care plans under sections
1128(a), 1128(b), 1892, or 1156 of the Social Security Act. The
exclusion also applies to all other Executive Branch procurement and
non-procurement programs and activities. Disclosure of the OIG
Exclusion List to HRSA is under authority of section 1106(a) of the
Social Security Act, 42 CFR 401.105, and routine use exception of the
Privacy Act (5 U.S.C. 522a(b)(3)). HCFA is authorized to provide
certain specific information on physicians, practitioners, providers,
and health care entities which OIG has excluded from participation in
and from recovering payment from the Medicare and Medicaid programs.
HCFA will retain full responsibility for the content and accuracy of
HCFA Exclusion reports; the Data Bank will only act as a disclosure
service. Notification of exclusion from HCFA programs is made by HCFA.
Inquiries on the appropriateness or content of HCFA Exclusion Reports
will be referred to HCFA for response. The National Practitioner Data
Bank (Data Bank) will disclose such information to authorized health
care industry queriers on request, using the Data Bank's fully
automated and secure systems and procedures.
Editorial changes have been made throughout the system to enhance
clarity and specificity and to accommodate normal updating changes.
The following notice is written in the present, rather than the
future tense, to avoid the unnecessary expenditure of public funds to
republish the notice after the routine use has become effective.
Dated: March 3, 1997.
Ciro V. Sumaya,
Administrator.
09-15-0054
SYSTEM NAME:
National Practitioner Data Bank for Adverse Information on
Physicians and Other Health Care Practitioners, HHS/HRSA/BHPr.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
The SRA Corporation (the Contractor) operates the National
Practitioner Data Bank (Data Bank) under contract with the Bureau of
Health Professions (BHPr), Health Resources and Services Administration
(HRSA). Records are located at the following address: National
Practitioner Data Bank, PO Box 10832, Chantilly, VA 20151. For security
reasons, the street address cannot be disclosed.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Health care practitioners including physicians, dentists, and all
other health care practitioners (such as nurses, optometrists,
pharmacists, and podiatrists), licensed or otherwise authorized by a
State to provide health care services, on whose behalf a payment has
been made as a result of a malpractice action or claim; physicians and
dentists who are the subject of licensure disciplinary actions; and
physicians, dentists and other health care practitioners who are on
medical staffs or who hold clinical privileges, or who are members of
professional societies, against whom certain adverse actions have been
taken as a result of a professional review action.
CATEGORIES OF RECORDS IN THE SYSTEM:
1. For malpractice payments. Information on the physician, dentist
or other licensed health care practitioner such as name; work address;
home address, if known; Social Security number, if known, and obtained
in accordance with section 7 of the Privacy Act of 1974; date of birth;
name of each professional school attended and year of graduation; for
each professional license: The license number, the field of licensure,
and the name of the State or Territory in which the license is held;
Drug Enforcement Administration registration number(s), if known; and
name of each hospital with which the practitioner is affiliated, if
known. Information on the person or entity making the payment, such as
the name and address of the person or entity making the payment; and
the name, title, and telephone number of the responsible official
submitting the report on behalf of the entity.
Information on the payments, such as the date of the occurrence of
the acts or omissions upon which the action or claim was based
occurred; date and amount of payment; description of the
[[Page 12654]]
acts or omissions and injuries or illnesses upon which the action or
claim was based; and classification of the acts or omission per
reporting code.
2. For State Medical or Dental Board actions. Information such as:
The physician's or dentist's name; work address; homes address, if
known; Social Security number, if known, and if obtained in accordance
with section 7 of the Privacy Act of 1974; date of birth; name of each
professional school attended and year of graduation; for each
professional license: The license number, the field of licensure, and
the name of the State or Territory in which the license is held; Drug
Enforcement Administration registration number, if known; description
of the acts or omission or other reasons for the action taken;
description of the Board action; the date the action was taken and its
effective date; and classification of the action per reporting code.
3. For certain professional review actions. Information such as
the physician's, dentist's or other health care practitioner's name;
work address; home address, if known; date of birth; name of each
professional school attended and year of graduation; for each
professional license: The license number, the field of licensure, and
the names of the State or Territory in which the license is held; Drug
Enforcement Administration registration number, if known; Social
Security number, if known, and if obtained in accordance with section 7
of the Privacy Act of 1974; description of the acts or omissions or
other reasons for clinical privilege or professional society membership
loss or, if known, for surrender; and action taken, date the action was
taken, and effective date the action was taken, and effective date of
the action.
4. Inquiry file. Copies of all inquiries received by the Data Bank.
5. For OIG Medicare/Medicaid Exclusions. Under authority of section
1106(a) of the Social Security Act, 42 CFR 401.105, and routine use
exception of the Privacy Act (5 U.S.C. 522a(b)(3)), HCFA will provide
certain specific information on physicians, practitioners, providers,
and other health care entities which the OIG has excluded from
participation in and from recovering payment from the Medicare and
Medicaid programs. HCFA will provide information such as the
physician's, dentist's or other health care practitioner's name; Social
Security number (used for Data Bank matching purposes only; not
disclosed to authorized queriers); HCFA's unique practitioner
identifier number; date of birth; basis for exclusion; facts about the
exclusion; status of exclusion; and other information as necessary to
ensure proper identification.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Under the Health Care Quality Improvement Act of 1986 (the Act), as
amended, section 424(b), 42 U.S.C. 11134(b), authorizes the maintenance
of records of medical malpractice payments, disciplinary actions taken
by Boards of Medical Examiners, and professional review actions taken
by health care entities.
PURPOSE(S):
The purposes of the system are to (1) Receive from insurance
companies and others making payments as a result of malpractice actions
or claims, State Medical and Dental Boards, and health care entities,
information pertaining to the professional performance or conduct of
physicians, dentists and other licensed health care practitioners; and
(2) disseminate such data to health care entities, to State
professional licensing boards, and to others as authorized by the Act.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
Data may be disclosed to:
1. A hospital requesting data concerning a physician, dentist or
other health care practitioner who is on its medical staff (courtesy or
otherwise) or who has clinical privileges at the hospital, for the
purpose of: (a) Screening the professional qualifications of
individuals who apply for staff positions or clinical privileges at the
hospital; and (b) meeting the requirements of the Health Care Quality
Improvement Act of 1986, which also prescribes that a hospital must
query the Bank once every 2 years regarding all individuals on its
medical staff or who hold clinical privileges.
2. Other health care entities, as defined in 45 CFR 60.3, to which
a physician, dentist or other health care practitioner has applied for
clinical privileges or appointment to the medical staff or who has
entered or may be entering an employment or affiliation relationship.
The purpose of these disclosures is to identify individuals whose
professional conduct may be unsatisfactory.
3. A health care entity with respect to professional review
activity. The purpose of these disclosures is to aid health care
entities in the conduct of professional review activities, such as
those involving determinations of whether a physician, dentist, or
other health care practitioner may be granted membership in a
professional society; the conditions of such membership, or of changes
to such membership; and ongoing professional review activities
conducted by a health care entity which provides health care services,
of the professional performance or professional conduct of a physician,
dentist, or other health care practitioner.
4. A State professional licensing board conducting a review of an
individual. The purpose of these disclosures is to aid the board in
meeting its responsibility to protect the health of the population in
its jurisdiction, by identifying individuals whose professional
performance or professional conduct may be unsatisfactory.
5. An attorney, or individual representing himself or herself, who
has filed a medical malpractice action or claim in a State or Federal
court or other adjudicative body against a hospital, and who requests
information regarding a specific physician, dentist, or other health
care practitioner who is also named in the action or claim provided
that (a) This information will be disclosed only upon the submission of
evidence that the hospital failed to request information from the Bank
as required by law, and (b) the information will be used solely with
respect to litigation resulting from the action or claim against the
hospital. The purpose of these disclosures is to permit an attorney (or
a person representing himself or herself in a medical malpractice
action) to have information from the Bank on a health care
practitioner, under the conditions set out in this routine use.
6. Any Federal entity, employing or otherwise engaging under
arrangement (e.g., such as a contract) the services of a physician,
dentist, or other health care practitioner, or having the authority to
sanction such practitioners covered by a Federal program, which (a)
Enters into a memorandum of understanding with HHS regarding its
participation in the Bank; (b) engages in a professional review
activity in determining an adverse action against a practitioner; and
(c) maintains a Privacy Act system of records regarding the health care
practitioners it employs, or whose services it engages under
arrangement. The purpose of such disclosures is to enable hospitals and
other facilities and health care providers under the jurisdiction of
Federal agencies such as the Public Health Service, HHS; the Department
of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard;
and the Bureau of Prisons, Department of Justice, to participate in the
Bank. The Health Care Quality
[[Page 12655]]
Improvement Act of 1986 includes provisions regarding the participation
of such agencies, and of the Federal Drug Enforcement Administration,
in the Bank.
7. In the event of litigation where the defendant is (a) The
Department, any component of the Department, or any employee of the
Department in his or her official capacity; (b) the United States where
the Department determines that the claim, if successful, is likely to
affect directly the operation of the Department or any of its
components; or (c) any Department employee in his or her individual
capacity where the Department of Justice has agreed to represent such
employee, for example in defending a claim against the Public Health
Service based upon an individual's mental or physical condition and
alleged to have arisen because of activities of the Public Health
Service in connection with such individual, disclosures may be made to
the Department of Justice to enable the Department to present an
effective defense, provided that such disclosure is compatible with the
purpose for which the records were collected.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Records are maintained in electronic folders, on magnetic tape,
and/or disks.
RETRIEVABILITY:
Retrieval will be by use of personal identifiers, including a
unique identifier assigned by the Data Bank.
SAFEGUARDS:
1. Authorized Users: Access to records is limited to designated
employees of the Contractor and to designated HRSA staff. The Data Bank
Project Director and Manager of Operations are among the Contractor's
employees who are authorized users. The Contracting Officer's Technical
Representative (COTR) and AIS Security Officer are among the HRSA staff
who are authorized users. Both HRSA and the contractor maintain lists
of authorized users.
2. Physical Safeguards: Magnetic tapes, disks, computer equipment,
and hard copy files are stored in areas where fire and environmental
safety codes are strictly enforced. All automated and nonautomated
documents are protected on a 24-hour basis. Perimeter security includes
intrusion alarms, random guard patrols, monitors, key/passcard/
combination controls, receptionist controlled area, and reception alarm
button.
3. Procedural and Technical Safeguards: A password is required to
access the system, and additional identification numbers and passwords,
to limit access to data to only authorized users. All users of personal
information, in connection with the performance of their jobs, protect
information from public view and from unauthorized personnel entering
an unsupervised area. All authorized users will sign a nondisclosure
statement. To protect the confidentiality of information contained in
the system, when a person leaves or no longer has authorized duties,
the Security Officer deletes his or her identification number and
password, retrieves all-electronic access cards, and changes all
combinations to which the departing employee had access. The system
automatically logs all access to data resources.
Access to records is limited to those authorized personnel trained
in accordance with the Privacy Act and ADP security procedures. The
Contractor is required to assure the confidentiality safeguards of
these records and to comply with all provisions of the Privacy Act. All
individuals who have access to these records must have the appropriate
ADP security clearances. Privacy Act and ADP system security
requirements are included in the contract with the SRA Corporation. In
addition, the Data Bank Project Officer and the System Manager oversee
compliance with these requirements. HRSA staff who are authorized users
will make site visits to the Contractor's facilities to assure
compliance with security and Privacy Act requirements.
The safeguards described above were established in accordance with
DHHS Chapter 45-13 and supplementary Chapter PHS hf: 45-13 of the
General Administration Manual, and the DHHS Information Resources
Management Manual, Part 6. ``ADP Systems Security.''
RETENTION AND DISPOSAL:
1. Project Director's Subject File-- significant documents
associated with the creation and maintenance of the Data Bank, such as
essential policy documents, regulations, and handbooks.
Authorized disposition is permanent. Cut off superseded materials
annually. Transfer to the WNRC in 5-year blocks when 5 years old.
Transfer to the National Archives 5 years thereafter. Annual
accumulation is less than one cubic foot. Amount on hand is less than
one cubic foot.
2. Source Documents--reporting and query forms.
Authorized disposition is temporary. Destroy hardcopy forms after
conversion to microfilm when no longer needed for administrative
purposes. Dispose of microfilm and diskettes in contractor office space
when no longer needed to support the reconstruction of, or serve as a
backup to, the Master File, whichever is later.
3. Master file and associated documentation.
Authorized disposition is not authorized. Maintain until NARA and
HRSA agree on a disposition. Data may be cut off annually. As the data
and documentation remain unscheduled, maintenance and storage
procedures shall conform with the provisions laid out in 36 CFR
1234.28.
4. General administrative records associated with the establishment
and maintenance of the Data Bank, both at the contractor and at HRSA.
Authorized disposition is temporary. Destroy when no longer needed
for administrative purposes.
SYSTEM MANAGER(S) AND ADDRESS:
Director, Division of Quality Assurance, Bureau of Health
Professions, Health Resources and Services Administration, Room 8A-55,
Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.
NOTIFICATION PROCEDURES:
An individual is informed when a record concerning himself or
herself is entered into the Data Bank, with the exception of HCFA
exclusion reports.
Requests by mail: Practitioners may submit a ``Request for
Information Disclosure'' to the address under system location for any
report on themselves. The request must contain the following: Name,
address, date of birth, gender, Social Security Number (optional),
professional schools and years of graduation, and the professional
license(s). For license, include: The license number, the field of
licensure, the name of the State or Territory in which the license is
held, and Drug Enforcement Administration registration number(s).
Practitioners must sign and have notarized their requests. Submitting a
request under false pretenses is a criminal offense subject to, at a
minimum, a $5,000 fine under provisions of the Privacy Act, and to a
$10,000 fine under provisions of the Health Care Quality Improvement
Act of 1986.
Requests in person: Due to security considerations, the Data Bank
cannot accept requests in person.
Request by telephone: Practitioners may provide all of the
identifying information stated above to the Data
[[Page 12656]]
Bank Helpline operator. Before the data request is fulfilled, the
operator will return a paper copy of this information for verification,
signature and notarization.
RECORD ACCESS PROCEDURES:
Same as notification procedures. Requesters will receive an
accounting of disclosure that has been made of their records, if any.
PROCEDURES FOR CONTESTING RECORDS:
The Data Bank routinely mails a copy of any report filed (other
than those filed by HCFA) in it to the subject individual. Any record
subject may contest the accuracy of information in the Data Bank
(except information filed by HCFA) concerning himself or herself and
file a dispute. To dispute the accuracy of the information, the
individual must notify the Data Bank by: (1) Identifying the record
involved; (2) specifying the information being contested; (3) stating
the corrective action sought and reason for requesting the correcting;
and (4) submitting supporting justification and/or documentation to
show how the record is inaccurate. At the same time, the individual
must notify the reporting entity, in writing.
Additional detail on the process of dispute resolution can be found
at 45 CFR part 60 under Sec. 60.14 of the Data Bank regulations.
RECORD SOURCE CATEGORIES:
Entities that have submitted records on individuals contained in
the system; insurance companies and others who have made payment as a
result of a malpractice action or claim; State Medical Boards; State
Boards of Dentistry; State Licensing Boards; hospitals and other health
care entities as defined in the Act; the Drug Enforcement
Administration; and Federal entities which employ health practitioners
or which have authority to sanction such practitioners covered by a
Federal program.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
[FR Doc. 97-6591 Filed 3-14-97; 8:45 am]
BILLING CODE 4160-15-P