[Federal Register Volume 63, Number 144 (Tuesday, July 28, 1998)]
[Notices]
[Pages 40297-40300]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-20093]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Care Financing Administration
Privacy Act of 1974; Report of New System
AGENCY: Department of Health and Human Services (HHS), Health Care
Financing Administration (HCFA).
ACTION: Notice of new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, we are proposing to establish a new system of records, called the
``National Provider System (NPS),'' HHS/HCFA/OIS No. 09-70-0008. We
have provided background information about the proposed system in the
``Supplementary Information'' section below. Both institutional (e.g.,
hospitals, skilled nursing facilities) and individually identifiable
(e.g., physicians and other practitioners) providers are included in
the NPS database. The institutional providers' data are covered by
section 1106 of the Social Security Act and the Freedom of Information
Act, while the individually identifiable providers' data are also
covered by the Privacy Act of 1974. Although the Privacy Act requires
only that the ``routine uses'' portion of the system be published for
comment, HCFA invites comments on all portions of this notice. See
``Effective Dates'' for comment period.
EFFECTIVE DATES: HCFA filed a new system report with the Chairman of
the Committee on Government Reform and Oversight of the House of
Representatives, the Chairman of the Committee on Governmental Affairs
of the Senate, and the Acting Administrator, Office of Information and
Regulatory Affairs, Office of Management and Budget (OMB), on July 8,
1998. The new system of records, including routine uses, will become
effective 40 days from the date submitted to OMB and the Congress,
unless HCFA receives comments which require alteration to this notice.
HCFA will also consider revisions to this notice based upon comments
received on the National Provider Identifier (NPI) notice of proposed
rulemaking (FR/Vol. 63, No. 88/May 7, 1998). The NPS will not become
operational until sometime after the NPI final rule is published and
the system is in full compliance with the requirements of the final
rule.
ADDRESSES: The public should address comments to the HCFA Privacy Act
Officer, Division of Freedom of Information & Privacy, Office of
Information Services, Health Care Financing Administration, 7500
Security Boulevard, C2-01-11, Baltimore, Maryland 21244-1850. Comments
received will be available for review at this location by appointment
during regular business hours, Monday through Friday 9 a.m.--3 p.m.
Eastern Time Zone.
FOR FURTHER INFORMATION CONTACT: Patricia Peyton, Office of Information
Services, Health Care Financing Administration, 7500 Security
Boulevard, N3-09-16, Baltimore, Maryland 21244-1850. The telephone
number is (410) 786-1812.
SUPPLEMENTARY INFORMATION: This system will allow better administration
of all health care programs. Currently, there is no standard health
care provider identifier in use in the health care industry. Health
care providers are assigned multiple identifiers by the health plans in
which they participate; such assignments are made routinely and
independently of each other. The identifiers are frequently not
standardized within a single health plan or across plans. A single
health care provider may have different identification numbers for each
health program, and often multiple billing numbers issued within the
same program.
[[Page 40298]]
Nonstandard enumeration of health care providers significantly
complicates health care providers' claims submission processes. It also
contributes to the unintentional issuance of the same identification
number to different health care providers.
Most health plans have to be able to coordinate benefits with other
health plans to ensure appropriate payment. The lack of a single,
unique identifier for each health care provider within each health plan
and across health plans, based on the same core data, makes exchanging
data both expensive and difficult.
These factors, which indicate the complexities of exchanging
information on health care providers within and among organizations,
result in increasing numbers of claims-related problems and increasing
costs of data processing. The need for a standard health care provider
identifier becomes more and more evident as we become more dependent on
data automation and proceed in planning for health care in the future.
In addition to overcoming communication and coordination
difficulties, use of a standard, unique health care provider identifier
would enhance our ability to eliminate fraud and abuse in health care
programs.
This system will issue the standard health care provider
identifiers--called National Provider Identifiers (NPIs)--which will be
used by Medicare, Medicaid, other Federal programs named as health
plans, non-Government health plans, health care providers, and health
care clearinghouses.
This initiative was mandated by the administrative simplification
provisions of Pub. L. 104-191, the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). HIPAA mandates the adoption of a
standard health care provider identifier and its assignment to every
health care provider that transacts electronically any of the
transactions specified in that law. Creation of a standard health care
provider identifier and its assignment to Medicare and Medicaid
providers also supports HCFA's Strategic Plan goal of data
standardization.
It is important to clarify that NPS responsibilities are limited to
unique health care provider identification, enumeration of those health
care providers, and updating the health care provider enumeration data.
Responsibility for determining whether a provider is qualified for any
particular program remains the responsibility of that program.
Furthermore, the creation of a national health care provider identifier
should not alter the current relationship between health care providers
and health plans in any fundamental way; health care providers will
still be governed by each health plan's rules for program enrollment,
credentialing and claims submission. The NPS will provide the means to
uniquely identify and enumerate a health care provider at the national
level.
The Department of Health and Human Services is proposing, in a
notice of proposed rulemaking, that the information needed to enumerate
health care providers that participate in Federal health plans (e.g.,
Medicare, Tricare/CHAMPUS) and Medicaid be obtained from the pre-
existing health care provider enrollment databases of those plans.
Approximately 85 percent of health care providers requiring NPIs exist
in those databases. Enumerating information about the remaining health
care providers requiring NPIs will be obtained from an application
form. Information in the Federal health plan and Medicaid enrollment
databases will be validated and reformatted into the NPS Standard
Record Format so it can be loaded into the National Provider System.
The Privacy Act permits us to disclose information without the
consent of individuals for ``routine uses'--that is, disclosures that
are compatible with the purpose for which we collected the information.
The proposed routine uses in the new system meet the compatibility
criterion of the statute. We anticipate the disclosures under the
routine uses will not result in any unwarranted adverse effects on
personal privacy.
Dated: July 8, 1998.
Nancy-Ann Min DeParle,
Administrator, Health Care Financing Administration.
09-70-0008
SYSTEM NAME:
National Provider System (NPS), HHS/HCFA/OIS.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
Health Care Financing Administration, Office of Information
Services, HCFA Data Center, North Building, 7500 Security Boulevard,
Baltimore, Maryland 21244-1850.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
As defined by section 1171(3) of the Social Security Act (the Act),
a health care provider is a provider of services as defined in section
1861(u) of the Act, a provider of medical or other health services as
defined in section 1861(s) of the Social Security Act, and any other
person who furnishes health care services or supplies. For purposes of
the NPS in assigning NPIs, the definition of health care provider is
limited to those entities that furnish, or bill and are paid for,
health care services in the normal course of business. The statutory
definition of a health care provider is broad, with section 1861(u)
containing the Medicare definition of an institutional provider (such
as hospitals, home health agencies, etc.), and section 1861(s)
containing the Medicare definition of other facilities and
practitioners (such as assorted clinics, physicians, clinical
laboratories, suppliers of durable medical equipment, other licensed/
certified health care practitioners). This System of Records applies
only to appropriately licensed or certified individual practitioners.
While the National Provider System will also include health care
providers that are organizations (e.g., hospitals, pharmacies) and
groups (entities composed of one or more individuals, as described
earlier), these health care providers will not be addressed further in
this systems notice because they are not covered under the Privacy Act.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system contains a unique identifier for each health care
provider (the NPI, which is assigned by the NPS) along with other
information about the provider. This information includes other
identifiers, name(s), demographic, educational/professional data, and
business address data.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Sections 1173 and 1175 of the Act, as amended by Pub. L. 104-191,
authorize the assignment of a unique identifier to all health care
providers and the maintenance of a database on such health care
providers. Sections 1874, 1816, 1842, 1876, 1880, 1881(c)(7), 1124, and
1124A of the Social Security Act authorize the assignment of a unique
number to each Medicare provider and the maintenance of a database on
such providers. Sections 1902(a)(4)(A), 1902(a)(6), 1902(a)(25),
1902(a)(27), 1902(a)(49), 1902(a)(59), 1903(r)(6)(H), and 1124 of the
Act authorizes the assignment of a unique number to each Medicaid
provider and the maintenance of a database on such providers. With
respect to physicians who furnish services for which Medicare payment
may be made, section 1842(r) of the Act mandates such a system.
Similarly, section 1834(j) of the Act requires durable medical
[[Page 40299]]
equipment suppliers to obtain and renew a supplier number and limits
the conditions under which HCFA may issue more than one number to a
supplier (see section 131(a) of the 1994 Social Security Amendments).
The Economy Act of 1932 as amended (31 U.S.C. 1535 and 1536) is the
authority with respect to other Federal agencies.
PURPOSE(S):
The purpose of the system is to collect the information needed to
uniquely identify an individual health care provider, to assign an NPI
to that health care provider, to maintain and update the information
about the health care provider, and to disseminate health care provider
information in accordance with the provisions of the Privacy Act.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSE OF SUCH USES:
Section 552a(b) of the Privacy Act specifies a number of permitted
releases for information held in systems of records. Section 552a(b)(3)
permits an agency to identify additional routine uses, compatible with
the purpose for which the information was collected, under which the
information may be released without the consent of the individual to
whom the information pertains. HCFA is identifying the following
routine uses for information held in the National Provider System. Each
proposed disclosure of information under these routine uses will be
evaluated to ensure that the disclosure is legally permissible,
including, but not limited to, ensuring that the purpose of the
disclosure is compatible with the purpose for which the information was
collected. Also, HCFA will require each prospective recipient of such
information to agree in writing to certain conditions to ensure the
continuing confidentiality of the information. More specifically, as a
condition of each disclosure under these routine uses, HCFA will, as
necessary and appropriate:
(a) Determine that no other Federal statute specifically prohibits
disclosure of the information;
(b) Determine that the use or disclosure does not violate legal
limitations under which the information was provided, collected, or
obtained;
(c) Determine that the purpose for which the disclosure is to be
made;
(1) Cannot reasonably be accomplished unless the information is
provided in individually identifiable form,
(2) Is of sufficient importance to warrant the effect on, or the
risk to, the privacy of the individual(s) that additional exposure of
the record(s) might bring, and
(3) There is a reasonable probability that the purpose of the
disclosure will be accomplished.
(d) Require the recipient of the information to;
(1) Establish reasonable administrative, technical, and physical
safeguards to prevent unauthorized access, use or disclosure of the
record or any part thereof. The physical safeguards shall provide a
level of security that is at least the equivalent of the level of
security contemplated in OMB Circular No. A-130 (revised), Appendix
III, Security of Federal Automated Information Systems which sets forth
guidelines for security plans for automated information systems in
Federal agencies,
(2) Remove or destroy the information that allows subject
individual(s) to be identified at the earliest time at which removal or
destruction can be accomplished, consistent with the purpose of the
request,
(3) Refrain from using or disclosing the information for any
purpose other than the stated purpose under which the information was
disclosed, and
(4) Make no further uses or disclosure of the information, except:
(i) To prevent or address an emergency directly affecting the
health or safety of an individual;
(ii) For use on another project under the same conditions, provided
HCFA has authorized the additional use(s) in writing; or
(iii) When required by law;
(e) Secure a written statement or agreement from the prospective
recipient of the information whereby the prospective recipient attests
to an understanding of, and willingness to abide by, the foregoing
provisions and any additional provisions that HCFA deems appropriate in
the particular circumstances; and
(f) Determine whether the disclosure constitutes a computer
``matching program'' as defined in 5 U.S.C. 552a(a)(8). If the
disclosure is determined to be a computer ``matching program,'' the
procedures for matching agreements as contained in 5 U.S.C. 552a(o)
must be followed.
Disclosure may be made:
1. To Federal and Medicaid health plans that are enumerators, their
agents, and the NPS registry for the purpose of uniquely identifying
and assigning NPIs to providers.
2. To entities implementing or maintaining systems and data files
necessary for compliance with standards promulgated to comply with
title XI, part C, of the Social Security Act.
3. To a congressional office, from the record of an individual, in
response to an inquiry from the congressional office made at the
request of that individual.
4. To another Federal agency for use in processing research and
statistical data directly related to the administration of its
programs.
5. To the Department of Justice, to a court or other tribunal, or
to another party before such tribunal, when
(a) HHS, or any component thereof, or
(b) Any HHS employee in his or her official capacity; or
(c) Any HHS employee in his or her individual capacity, where the
Department of Justice (or HHS, where it is authorized to do so) has
agreed to represent the employee; or
(d) The United States or any agency thereof where HHS determines that
the litigation is likely to affect HHS or any of its components,
is party to litigation or has an interest in such litigation, and HHS
determines that the use of such records by the Department of Justice,
the tribunal, or the other party is relevant and necessary to the
litigation and would help in the effective representation of the
governmental party or interest, provided, however, that in each case
HHS determines that such disclosure is compatible with the purpose for
which the records were collected.
6. To an individual or organization for a research, demonstration,
evaluation, or epidemiological project related to the prevention of
disease or disability, the restoration or maintenance of health, or for
the purposes of determining, evaluating and/or assessing cost,
effectiveness, and/or the quality of health care services provided.
7. To an agency contractor for the purpose of collating, analyzing,
aggregating or otherwise refining or processing records in this system,
or for developing, modifying and/or manipulating automated information
systems (ADP) software. Data would also be disclosed to contractors
incidental to consultation, programming, operation, user assistance, or
maintenance for ADP or telecommunications systems containing or
supporting records in the system.
8. To an agency of a state Government, or established by state law,
for purposes of determining, evaluating and/or assessing cost,
effectiveness, and/or quality of health care services provided in the
state.
9. To another Federal or state agency:
(a) As necessary to enable such agency to fulfill a requirement of
a
[[Page 40300]]
Federal statute or regulation, or a state statute or regulation that
implements a program funded in whole or in part with Federal funds.
(b) For the purpose of identifying health care providers for debt
collection under the provisions of the Debt Collection Information Act
of 1996 and the Balanced Budget Act of 1997.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
All records are stored on paper or magnetic media.
RETRIEVABILITY:
The records are retrieved by the NPI, employer identification
number, other provider number, or as defined by query or report.
SAFEGUARDS:
For computerized records, safeguards established in accordance with
Department standards and National Institute of Standards and Technology
guidelines (e.g., security codes) will be used, limiting access to
authorized personnel. System securities are established in accordance
with HHS, Information Resources Management (IRM) Circular #10,
Automated Information Systems Security Program; and HCFA Automated
Information System (AIS) Guide, Systems Security Policies; and OMB
Circular No. A-130 (revised), Appendix III.
RETENTION AND DISPOSAL:
The records are retained indefinitely, except in the instance of an
individual provider's death, in which case HCFA would retain such
records for a 10-year period following the provider's death.
SYSTEM MANAGER(S) AND ADDRESS:
Director, Office of Information Services, Health Care Financing
Administration, 7500 Security Boulevard, Baltimore, Maryland 21244-
1850.
NOTIFICATION PROCEDURE:
For purpose of notification, the subject individual should write
the system manager, who will require the system name, provider name,
and, for verification purposes, date of birth, and medical school (if
applicable), to ascertain whether or not the individual's record is in
the system. (These notification procedures are in accordance with
Department regulation 45 CFR part 5b.)
RECORD ACCESS PROCEDURE:
Same as notification procedures. Requestors should also reasonably
specify the record contents being sought. (These access procedures are
in accordance with the Department regulation 45 CFR 5b.5(a)(2).)
CONTESTING RECORD PROCEDURES:
Contact the system manager named above, and reasonably identify the
record and specify the information to be contested. State the
corrective action sought and the reasons for the correction with
supporting justification. (These procedures are in accordance with
Department regulation 45 CFR 5b.7.)
RECORD SOURCE CATEGORIES:
Information from Federal health plan and Medicaid provider
enrollment forms or applications that identify health care providers
and give supporting information on same.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
[FR Doc. 98-20093 Filed 7-27-98; 8:45 am]
BILLING CODE 4120-03-P