[Federal Register Volume 63, Number 144 (Tuesday, July 28, 1998)]
[Notices]
[Pages 40297-40300]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-20093]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Care Financing Administration


Privacy Act of 1974; Report of New System

AGENCY: Department of Health and Human Services (HHS), Health Care 
Financing Administration (HCFA).

ACTION: Notice of new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to establish a new system of records, called the 
``National Provider System (NPS),'' HHS/HCFA/OIS No. 09-70-0008. We 
have provided background information about the proposed system in the 
``Supplementary Information'' section below. Both institutional (e.g., 
hospitals, skilled nursing facilities) and individually identifiable 
(e.g., physicians and other practitioners) providers are included in 
the NPS database. The institutional providers' data are covered by 
section 1106 of the Social Security Act and the Freedom of Information 
Act, while the individually identifiable providers' data are also 
covered by the Privacy Act of 1974. Although the Privacy Act requires 
only that the ``routine uses'' portion of the system be published for 
comment, HCFA invites comments on all portions of this notice. See 
``Effective Dates'' for comment period.

EFFECTIVE DATES: HCFA filed a new system report with the Chairman of 
the Committee on Government Reform and Oversight of the House of 
Representatives, the Chairman of the Committee on Governmental Affairs 
of the Senate, and the Acting Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget (OMB), on July 8, 
1998. The new system of records, including routine uses, will become 
effective 40 days from the date submitted to OMB and the Congress, 
unless HCFA receives comments which require alteration to this notice. 
HCFA will also consider revisions to this notice based upon comments 
received on the National Provider Identifier (NPI) notice of proposed 
rulemaking (FR/Vol. 63, No. 88/May 7, 1998). The NPS will not become 
operational until sometime after the NPI final rule is published and 
the system is in full compliance with the requirements of the final 
rule.

ADDRESSES: The public should address comments to the HCFA Privacy Act 
Officer, Division of Freedom of Information & Privacy, Office of 
Information Services, Health Care Financing Administration, 7500 
Security Boulevard, C2-01-11, Baltimore, Maryland 21244-1850. Comments 
received will be available for review at this location by appointment 
during regular business hours, Monday through Friday 9 a.m.--3 p.m. 
Eastern Time Zone.

FOR FURTHER INFORMATION CONTACT: Patricia Peyton, Office of Information 
Services, Health Care Financing Administration, 7500 Security 
Boulevard, N3-09-16, Baltimore, Maryland 21244-1850. The telephone 
number is (410) 786-1812.

SUPPLEMENTARY INFORMATION: This system will allow better administration 
of all health care programs. Currently, there is no standard health 
care provider identifier in use in the health care industry. Health 
care providers are assigned multiple identifiers by the health plans in 
which they participate; such assignments are made routinely and 
independently of each other. The identifiers are frequently not 
standardized within a single health plan or across plans. A single 
health care provider may have different identification numbers for each 
health program, and often multiple billing numbers issued within the 
same program.

[[Page 40298]]

    Nonstandard enumeration of health care providers significantly 
complicates health care providers' claims submission processes. It also 
contributes to the unintentional issuance of the same identification 
number to different health care providers.
    Most health plans have to be able to coordinate benefits with other 
health plans to ensure appropriate payment. The lack of a single, 
unique identifier for each health care provider within each health plan 
and across health plans, based on the same core data, makes exchanging 
data both expensive and difficult.
    These factors, which indicate the complexities of exchanging 
information on health care providers within and among organizations, 
result in increasing numbers of claims-related problems and increasing 
costs of data processing. The need for a standard health care provider 
identifier becomes more and more evident as we become more dependent on 
data automation and proceed in planning for health care in the future.
    In addition to overcoming communication and coordination 
difficulties, use of a standard, unique health care provider identifier 
would enhance our ability to eliminate fraud and abuse in health care 
programs.
    This system will issue the standard health care provider 
identifiers--called National Provider Identifiers (NPIs)--which will be 
used by Medicare, Medicaid, other Federal programs named as health 
plans, non-Government health plans, health care providers, and health 
care clearinghouses.
    This initiative was mandated by the administrative simplification 
provisions of Pub. L. 104-191, the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). HIPAA mandates the adoption of a 
standard health care provider identifier and its assignment to every 
health care provider that transacts electronically any of the 
transactions specified in that law. Creation of a standard health care 
provider identifier and its assignment to Medicare and Medicaid 
providers also supports HCFA's Strategic Plan goal of data 
standardization.
    It is important to clarify that NPS responsibilities are limited to 
unique health care provider identification, enumeration of those health 
care providers, and updating the health care provider enumeration data. 
Responsibility for determining whether a provider is qualified for any 
particular program remains the responsibility of that program. 
Furthermore, the creation of a national health care provider identifier 
should not alter the current relationship between health care providers 
and health plans in any fundamental way; health care providers will 
still be governed by each health plan's rules for program enrollment, 
credentialing and claims submission. The NPS will provide the means to 
uniquely identify and enumerate a health care provider at the national 
level.
    The Department of Health and Human Services is proposing, in a 
notice of proposed rulemaking, that the information needed to enumerate 
health care providers that participate in Federal health plans (e.g., 
Medicare, Tricare/CHAMPUS) and Medicaid be obtained from the pre-
existing health care provider enrollment databases of those plans. 
Approximately 85 percent of health care providers requiring NPIs exist 
in those databases. Enumerating information about the remaining health 
care providers requiring NPIs will be obtained from an application 
form. Information in the Federal health plan and Medicaid enrollment 
databases will be validated and reformatted into the NPS Standard 
Record Format so it can be loaded into the National Provider System.
    The Privacy Act permits us to disclose information without the 
consent of individuals for ``routine uses'--that is, disclosures that 
are compatible with the purpose for which we collected the information. 
The proposed routine uses in the new system meet the compatibility 
criterion of the statute. We anticipate the disclosures under the 
routine uses will not result in any unwarranted adverse effects on 
personal privacy.

    Dated: July 8, 1998.
Nancy-Ann Min DeParle,
Administrator, Health Care Financing Administration.
09-70-0008

SYSTEM NAME:
National Provider System (NPS), HHS/HCFA/OIS.
SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    Health Care Financing Administration, Office of Information 
Services, HCFA Data Center, North Building, 7500 Security Boulevard, 
Baltimore, Maryland 21244-1850.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    As defined by section 1171(3) of the Social Security Act (the Act), 
a health care provider is a provider of services as defined in section 
1861(u) of the Act, a provider of medical or other health services as 
defined in section 1861(s) of the Social Security Act, and any other 
person who furnishes health care services or supplies. For purposes of 
the NPS in assigning NPIs, the definition of health care provider is 
limited to those entities that furnish, or bill and are paid for, 
health care services in the normal course of business. The statutory 
definition of a health care provider is broad, with section 1861(u) 
containing the Medicare definition of an institutional provider (such 
as hospitals, home health agencies, etc.), and section 1861(s) 
containing the Medicare definition of other facilities and 
practitioners (such as assorted clinics, physicians, clinical 
laboratories, suppliers of durable medical equipment, other licensed/
certified health care practitioners). This System of Records applies 
only to appropriately licensed or certified individual practitioners.
    While the National Provider System will also include health care 
providers that are organizations (e.g., hospitals, pharmacies) and 
groups (entities composed of one or more individuals, as described 
earlier), these health care providers will not be addressed further in 
this systems notice because they are not covered under the Privacy Act.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system contains a unique identifier for each health care 
provider (the NPI, which is assigned by the NPS) along with other 
information about the provider. This information includes other 
identifiers, name(s), demographic, educational/professional data, and 
business address data.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Sections 1173 and 1175 of the Act, as amended by Pub. L. 104-191, 
authorize the assignment of a unique identifier to all health care 
providers and the maintenance of a database on such health care 
providers. Sections 1874, 1816, 1842, 1876, 1880, 1881(c)(7), 1124, and 
1124A of the Social Security Act authorize the assignment of a unique 
number to each Medicare provider and the maintenance of a database on 
such providers. Sections 1902(a)(4)(A), 1902(a)(6), 1902(a)(25), 
1902(a)(27), 1902(a)(49), 1902(a)(59), 1903(r)(6)(H), and 1124 of the 
Act authorizes the assignment of a unique number to each Medicaid 
provider and the maintenance of a database on such providers. With 
respect to physicians who furnish services for which Medicare payment 
may be made, section 1842(r) of the Act mandates such a system. 
Similarly, section 1834(j) of the Act requires durable medical

[[Page 40299]]

equipment suppliers to obtain and renew a supplier number and limits 
the conditions under which HCFA may issue more than one number to a 
supplier (see section 131(a) of the 1994 Social Security Amendments). 
The Economy Act of 1932 as amended (31 U.S.C. 1535 and 1536) is the 
authority with respect to other Federal agencies.

PURPOSE(S):
    The purpose of the system is to collect the information needed to 
uniquely identify an individual health care provider, to assign an NPI 
to that health care provider, to maintain and update the information 
about the health care provider, and to disseminate health care provider 
information in accordance with the provisions of the Privacy Act.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSE OF SUCH USES:
    Section 552a(b) of the Privacy Act specifies a number of permitted 
releases for information held in systems of records. Section 552a(b)(3) 
permits an agency to identify additional routine uses, compatible with 
the purpose for which the information was collected, under which the 
information may be released without the consent of the individual to 
whom the information pertains. HCFA is identifying the following 
routine uses for information held in the National Provider System. Each 
proposed disclosure of information under these routine uses will be 
evaluated to ensure that the disclosure is legally permissible, 
including, but not limited to, ensuring that the purpose of the 
disclosure is compatible with the purpose for which the information was 
collected. Also, HCFA will require each prospective recipient of such 
information to agree in writing to certain conditions to ensure the 
continuing confidentiality of the information. More specifically, as a 
condition of each disclosure under these routine uses, HCFA will, as 
necessary and appropriate:
    (a) Determine that no other Federal statute specifically prohibits 
disclosure of the information;
    (b) Determine that the use or disclosure does not violate legal 
limitations under which the information was provided, collected, or 
obtained;
    (c) Determine that the purpose for which the disclosure is to be 
made;
    (1) Cannot reasonably be accomplished unless the information is 
provided in individually identifiable form,
    (2) Is of sufficient importance to warrant the effect on, or the 
risk to, the privacy of the individual(s) that additional exposure of 
the record(s) might bring, and
    (3) There is a reasonable probability that the purpose of the 
disclosure will be accomplished.
    (d) Require the recipient of the information to;
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized access, use or disclosure of the 
record or any part thereof. The physical safeguards shall provide a 
level of security that is at least the equivalent of the level of 
security contemplated in OMB Circular No. A-130 (revised), Appendix 
III, Security of Federal Automated Information Systems which sets forth 
guidelines for security plans for automated information systems in 
Federal agencies,
    (2) Remove or destroy the information that allows subject 
individual(s) to be identified at the earliest time at which removal or 
destruction can be accomplished, consistent with the purpose of the 
request,
    (3) Refrain from using or disclosing the information for any 
purpose other than the stated purpose under which the information was 
disclosed, and
    (4) Make no further uses or disclosure of the information, except:
    (i) To prevent or address an emergency directly affecting the 
health or safety of an individual;
    (ii) For use on another project under the same conditions, provided 
HCFA has authorized the additional use(s) in writing; or
    (iii) When required by law;
    (e) Secure a written statement or agreement from the prospective 
recipient of the information whereby the prospective recipient attests 
to an understanding of, and willingness to abide by, the foregoing 
provisions and any additional provisions that HCFA deems appropriate in 
the particular circumstances; and
    (f) Determine whether the disclosure constitutes a computer 
``matching program'' as defined in 5 U.S.C. 552a(a)(8). If the 
disclosure is determined to be a computer ``matching program,'' the 
procedures for matching agreements as contained in 5 U.S.C. 552a(o) 
must be followed.
    Disclosure may be made:
    1. To Federal and Medicaid health plans that are enumerators, their 
agents, and the NPS registry for the purpose of uniquely identifying 
and assigning NPIs to providers.
    2. To entities implementing or maintaining systems and data files 
necessary for compliance with standards promulgated to comply with 
title XI, part C, of the Social Security Act.
    3. To a congressional office, from the record of an individual, in 
response to an inquiry from the congressional office made at the 
request of that individual.
    4. To another Federal agency for use in processing research and 
statistical data directly related to the administration of its 
programs.
    5. To the Department of Justice, to a court or other tribunal, or 
to another party before such tribunal, when

(a) HHS, or any component thereof, or
(b) Any HHS employee in his or her official capacity; or
(c) Any HHS employee in his or her individual capacity, where the 
Department of Justice (or HHS, where it is authorized to do so) has 
agreed to represent the employee; or
(d) The United States or any agency thereof where HHS determines that 
the litigation is likely to affect HHS or any of its components,

is party to litigation or has an interest in such litigation, and HHS 
determines that the use of such records by the Department of Justice, 
the tribunal, or the other party is relevant and necessary to the 
litigation and would help in the effective representation of the 
governmental party or interest, provided, however, that in each case 
HHS determines that such disclosure is compatible with the purpose for 
which the records were collected.
    6. To an individual or organization for a research, demonstration, 
evaluation, or epidemiological project related to the prevention of 
disease or disability, the restoration or maintenance of health, or for 
the purposes of determining, evaluating and/or assessing cost, 
effectiveness, and/or the quality of health care services provided.
    7. To an agency contractor for the purpose of collating, analyzing, 
aggregating or otherwise refining or processing records in this system, 
or for developing, modifying and/or manipulating automated information 
systems (ADP) software. Data would also be disclosed to contractors 
incidental to consultation, programming, operation, user assistance, or 
maintenance for ADP or telecommunications systems containing or 
supporting records in the system.
    8. To an agency of a state Government, or established by state law, 
for purposes of determining, evaluating and/or assessing cost, 
effectiveness, and/or quality of health care services provided in the 
state.
    9. To another Federal or state agency:

    (a) As necessary to enable such agency to fulfill a requirement of 
a

[[Page 40300]]

Federal statute or regulation, or a state statute or regulation that 
implements a program funded in whole or in part with Federal funds.
    (b) For the purpose of identifying health care providers for debt 
collection under the provisions of the Debt Collection Information Act 
of 1996 and the Balanced Budget Act of 1997.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    All records are stored on paper or magnetic media.

RETRIEVABILITY:
    The records are retrieved by the NPI, employer identification 
number, other provider number, or as defined by query or report.

SAFEGUARDS:
    For computerized records, safeguards established in accordance with 
Department standards and National Institute of Standards and Technology 
guidelines (e.g., security codes) will be used, limiting access to 
authorized personnel. System securities are established in accordance 
with HHS, Information Resources Management (IRM) Circular #10, 
Automated Information Systems Security Program; and HCFA Automated 
Information System (AIS) Guide, Systems Security Policies; and OMB 
Circular No. A-130 (revised), Appendix III.

RETENTION AND DISPOSAL:
    The records are retained indefinitely, except in the instance of an 
individual provider's death, in which case HCFA would retain such 
records for a 10-year period following the provider's death.

SYSTEM MANAGER(S) AND ADDRESS:
    Director, Office of Information Services, Health Care Financing 
Administration, 7500 Security Boulevard, Baltimore, Maryland 21244-
1850.

NOTIFICATION PROCEDURE:
    For purpose of notification, the subject individual should write 
the system manager, who will require the system name, provider name, 
and, for verification purposes, date of birth, and medical school (if 
applicable), to ascertain whether or not the individual's record is in 
the system. (These notification procedures are in accordance with 
Department regulation 45 CFR part 5b.)

RECORD ACCESS PROCEDURE:
    Same as notification procedures. Requestors should also reasonably 
specify the record contents being sought. (These access procedures are 
in accordance with the Department regulation 45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    Contact the system manager named above, and reasonably identify the 
record and specify the information to be contested. State the 
corrective action sought and the reasons for the correction with 
supporting justification. (These procedures are in accordance with 
Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Information from Federal health plan and Medicaid provider 
enrollment forms or applications that identify health care providers 
and give supporting information on same.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 98-20093 Filed 7-27-98; 8:45 am]
BILLING CODE 4120-03-P