[Federal Register Volume 64, Number 30 (Tuesday, February 16, 1999)]
[Notices]
[Pages 7653-7657]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-3568]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Privacy Act; Notification of New System of Records in Conjunction 
With the Healthcare Integrity and Protection Data Bank

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the 
Office of the Inspector General (OIG) is setting forth a notice of a 
proposed new system of records in order to implement the requirements 
of the Healthcare Integrity and Protection Data Bank (HIPDB). The new 
HIPDB is being established in accordance with section 1128E of the 
Social Security Act (the Act), as added by section 221(a) of the Health 
Insurance Portability and Accountability Act of 1996. Section 1128E of 
the Act specifically directs the Secretary, acting through the OIG, to 
create a national health care fraud and abuse data collection program 
for the reporting and disclosure of certain final adverse actions 
(excluding settlements in which no findings of liability have been 
made) taken against health care providers, suppliers, or practitioners, 
and maintain a data base of final adverse actions taken against health 
care providers, suppliers, or practitioners.
    Groups that have access to this new data bank system include 
Federal and State government agencies; health plans; and self queries 
from health care suppliers, providers and practitioners. Reporting is 
limited to the same groups that have access to the information. We 
invite comments from interested parties on the proposed internal and 
routine use of information in this system of records.

DATES: The OIG has sent a Report of a New System of Records to the 
Congress and to the Office of Management and Budget (OMB) on February 
16, 1999. This new system of records will be effective 40 days from the 
date submitted to OMB unless the OIG receives public comments that 
would result in a contrary determination. To assure consideration, 
public comments must be delivered to the address provided below by no 
later than 4 p.m. on March 18, 1999.

ADDRESSES: Please mail or deliver your written comments on the new 
system of records to: Office of Inspector General, Department of Health 
and Human Services, Attention: OIG-61-N, Room 5246, Cohen Building, 330 
Independence Avenue, SW., Washington, DC 20201.
    Because of staffing and resource limitations, we cannot accept 
comments by facsimile (FAX) transmission. In commenting, please refer 
to file code OIG-61-N.

FOR FURTHER INFORMATION CONTACT: Rick Burguieres, Investigative Policy 
and Information Management Staff, Office of Investigations, Office of 
Inspector General, (202) 205-5200.

SUPPLEMENTARY INFORMATION:

1. Establishment of the Healthcare Integrity and Protection Data 
Bank

    Section 221(a) of the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996, Pub. L. 104-191, requires the 
Department of Justice and the Secretary, acting through the OIG, to 
establish a new health care fraud and abuse control program to combat 
health care fraud and abuse (section 1128C of the Act). Among the major 
steps in this program is the establishment of a national data bank to 
receive and disclose certain final adverse actions against health care 
providers, suppliers, or practitioners, as required by section 1128E of 
the Act, in accordance with section 221(a) of HIPAA. The Act 
specifically directs the Secretary, acting through the OIG, to maintain 
a data base of such final adverse actions. The data bank, known as the 
Healthcare Integrity and Protection Data Bank (HIPDB), will contain the 
following types of information: (1) Civil judgments against a health 
care provider, supplier, or practitioner in Federal or State court 
related to the delivery of a health care item or service; (2) Federal 
or State criminal convictions against a health care provider, supplier, 
or practitioner related to the delivery of a health care item or 
service; (3) final adverse actions by Federal or State agencies 
responsible for the licensing and certification of health care 
providers, suppliers or practitioners; (4) exclusion of a health care 
provider, supplier or practitioner from participation in Federal or 
State health care programs; and (5) any other adjudicated actions or 
decisions that the Secretary establishes by regulation. Settlements in 
which no findings or admissions of liability have been made would be 
excluded from reporting. However, any final adverse action that 
emanates from such settlements, and that would otherwise be reportable 
under the statute, would be reportable to the data bank. Final adverse 
actions would be reported, regardless of whether such actions are being 
appealed by the subject of the report.
    Proposed regulations setting forth the policy and procedures for 
implementing the new HIPDB were published in the Federal Register on 
October 30, 1998 (63 FR 58341).

2. Privacy Act Number

    No. 09-90-0103.

3. Categories of Eligible Users of the System

    Groups that have access to this new data bank system include 
Federal and State government agencies; health plans; and self queries 
from health care suppliers, providers and practitioners. For purposes 
of the HIPDB:
    A government agency includes, but is not limited to: (1) The 
Department of Justice; (2) the Department of Health and Human Services; 
(3) any other Federal agency that either administers or provides 
payment for the delivery of health care services (including, but not 
limited to, the Department of Defense and the Department of Veterans 
Affairs); (4) State law enforcement agencies; (5) State Medicaid Fraud 
Control Units; and (6) other Federal or State agencies responsible for 
the licensing and certification of health care providers, suppliers or 
licensed health care practitioners.
    Health plan means a plan, program or organization that provides 
health benefits, whether directly or through insurance, reimbursement 
or otherwise, and includes, but is not limited to:
    (1) A policy of health insurance; (2) a contract of a service 
benefit organization; (3) a membership agreement with a health 
maintenance organization or other prepaid health plan; (4) a plan, 
program or agreement established, maintained or made available by an 
employer or group of employers, a practitioner, provider or supplier 
group, third-party administrator, integrated health care delivery 
system, employee welfare association, public service group or 
organization, or professional association; and (5) an insurance 
company, insurance service, self-insured employer or insurance 
organization which is licensed to engage in the business of selling 
health care insurance in a State and which is subject to State law 
which regulates health insurance.

4. Routine Uses of Records in the System of Records

    Information in this system of records is considered confidential 
and disclosed only for the purpose for which it was provided. 
Appropriate uses of the information would include the prevention of 
fraud and abuse activities, decisions about hiring or retaining 
employees who may be reported to the system of records, and improving 
the quality of patient care. For example, a record from this system of 
records may be disclosed to a Federal or State law enforcement agency 
during a criminal, civil or administrative investigation of a health 
care practitioner, provider or supplier. A record from this system of 
records also may be disclosed to a Federal agency, in response to its 
request, concerning (1) the hiring or retention of a health care 
practitioner, provider or supplier, (2) the reporting of an 
investigation of a health care practitioner, provider, or supplier or 
(3) the letting of a contract, or the issuance of a license or 
certification to a health care practitioner, provider or supplier, to 
the extent that the record is relevant and necessary to the requesting 
agency's decision on the matter.

5. Public Inspection of Comments

    Comments will be available for public inspection March 2, 1999, in 
Room 5518, Office of Counsel to the Inspector General, at 330 
Independence Avenue, SW., Washington, DC on Monday through Friday of 
each week between the hours of 9 a.m. and 4 p.m., (202) 619-0089.

    Dated: January 7, 1999.
June Gibbs Brown,
Inspector General.
09-90-0103

SYSTEM NAME:
    Healthcare Integrity and Protection Data Bank (HIPDB), HHS/OIG.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    The HIPDB will always be operated and maintained by a contractor. 
The SRA Corporation (the Contractor) currently operates and maintains 
the HIPDB under contract with the Bureau of Health Professions (BHPr), 
Health Resources and Services Administration (HRSA) who, under a 
memorandum of understanding with the Office of Inspector General (OIG), 
will operate the system. Records are found at the following address: 
Healthcare Integrity and Protection Data Bank, 4350 Fairs Lakes Court 
North, Suite 400, Fairfax, Virginia 22033. The program will publish any 
changes in the location of the system in the Federal Register.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system of records will cover the following categories of 
individuals:
     Health care practitioners, including physicians, dentists, 
and all other health care practitioners (such as nurses, optometrists, 
pharmacists, and podiatrists), licensed or otherwise authorized by a 
State to provide health care services.
     Health care suppliers who furnish or provide access to 
health care services, supplies, items or ancillary services 
(including, but not limited to, 
individuals who deliver health care services and are not required to 
obtain State licensure or authorization, durable medical equipment 
suppliers and manufacturers; pharmaceutical suppliers and 
manufacturers; health record services which prepare and store medical, 
dental and other patient records; health data suppliers; and billing 
and transportation service suppliers), and any individual under 
contract to provide health care supplies, items or ancillary services, 
and any individual providing health benefits whether directly, or 
indirectly through insurance, reimbursements or otherwise (including 
insurance producers, such as agents, brokers, and solicitors).
    These individuals must be the subject of the following final 
adverse actions: (1) Civil judgments in Federal or State court related 
to the delivery of a health care item or service; (2) Federal or State 
criminal convictions related to the delivery of a health care item or 
service; (3) actions by Federal or State agencies responsible for the 
licensing and certification of health care providers, suppliers, or 
practitioners; (4) exclusion from participation in Federal or State 
health care programs; and (5) other adjudicated actions or decisions, 
such as the removal of a physician from a health plan network via an 
adjudicated action.

CATEGORIES OF RECORDS IN THE SYSTEM:
    This system will contain the following types of records:
    1. Information on an individual who is the subject of a civil 
judgment or criminal conviction related to the delivery of a health 
care item or service includes--
     Full name; other name(s) used, if known; Social Security 
number; date of birth; gender; home address; occupation; organization 
name and type, if known; work address, if known; National Provider 
Identifier (NPI) (when issued by HCFA); Unique Physician Identification 
number(s), if known; Drug Enforcement Administration (DEA) registration 
number(s), if known; name of each professional school attended and the 
year of graduation, if known; for each professional license, 
certification or registration: the license, certification, or 
registration number, the field of licensure, certification, or 
registration, and the name of the State or Territory in which the 
license, certification or registration is held, if known;
     With respect to the judgment/sentence: The court or 
judicial venue in which action was taken; docket or court file number; 
name of the primary prosecuting agency or Civil Plaintiff; prosecuting 
agency's case number; statutory offense and counts; date of judgment/
sentence; length of the sentence; amount of judgment, restitution or 
other orders; nature of offense upon which the action was based; 
description of acts or omissions and injuries upon which the action was 
based; investigative agencies involved, if known, and investigative 
agencies' case/file number, if known; whether such action is on appeal; 
and
     With respect to the reporting entity: Name; title; 
address, and telephone number of the reporting entity.
    2. Information on an individual who is the subject of a licensure 
action taken by Federal or State licensing and certification agencies, 
an adjudicated action or decision, or an individual excluded from 
participation in a Federal or State health care program. This 
information includes--
     Full name; other name(s) used, if known; Social Security 
number or Federal Employer Identification number; date of birth; date 
of death, if deceased; gender; home address; occupation; organization 
name and type, if known; work address, if known; physician specialty, 
if applicable; NPI (when issued by HCFA); Unique Physician 
Identification number(s), if known; DEA registration number(s), if 
known; name of each professional school attended and the year of 
graduation, if known; for each professional license, certification or 
registration: The license, certification, or registration number, the 
field of licensure, certification, or registration, and the name of the 
State or Territory in which the license, certification or registration 
is held, if known;
     With respect to final adverse action: A description of the 
acts or omissions or other reason for the action; date the action was 
taken, its effective date and duration; classification of the action in 
accordance with a reporting code adopted by the Secretary; amount of 
monetary penalty, assessment or restitution, and name of the office or 
program that took the adverse action; and
     With respect to the reporting entity: Name; title; 
address, and telephone number of the reporting entity.
    3. Inquiry file includes copies of all inquiries received by the 
HIPDB.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 1128E(b)(5) of the Social Security Act (the Act) authorizes 
the collection and maintenance of records of civil judgments against a 
health care provider, supplier or practitioner in Federal or State 
court related to the delivery of a health care item or service; Federal 
or State criminal convictions against a health care provider, supplier 
or practitioner related to the delivery of a health care item or 
service; actions by Federal or State agencies responsible for the 
licensing and certification of health care providers, suppliers or 
practitioners; exclusion of a health care provider, supplier or 
practitioner from participation in Federal or State health care 
programs; and any other adjudicated actions or decisions established by 
the Secretary in regulation (45 CFR part 61).

PURPOSE(S):
    The purposes of the system are to:
    1. Receive from Government agencies and health plans information on 
certain final adverse actions (excluding settlements in which no 
findings of liability have been made) taken against health care 
providers, suppliers, or practitioners; and
    2. Disseminate such data to Government agencies and health plans, 
as authorized by the Act.
    A government agency includes, but is not limited to (1) the 
Department of Justice; (2) the Department of Health and Human Services; 
(3) any other Federal agency that either administers or provides 
payment for the delivery of health care services (including, but not 
limited to, the Department of Defense and the Department of Veterans 
Affairs); (4) State law enforcement agencies; (5) State Medicaid Fraud 
Control Units; and (6) other Federal or State agencies responsible for 
the licensing and certification of health care providers, suppliers, or 
licensed health care practitioners.
    Health plan means a plan, program or organization that provides 
health benefits, whether directly or through insurance, reimbursement 
or otherwise, and includes, but is not limited to (1) a policy of 
health insurance; (2) a contract of a service benefit organization; (3) 
a membership agreement with a health maintenance organization or other 
prepaid health plan; (4) a plan, program or agreement established, 
maintained or made available by an employer or group of employers, a 
practitioner, provider or supplier group, third-party administrator, 
integrated health care delivery system, employee welfare association, 
public service group or organization, or professional association; and 
(5) an insurance company, insurance service, self-insured employer or 
insurance organization which is licensed to engage in the business of 
selling health care insurance in a State and which is subject to 
State law that regulates health insurance.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Data may be disclosed to:
    1. A health plan requesting data concerning a health care provider, 
supplier, or practitioner for the purposes of preventing fraud and 
abuse activities and/or improving the quality of patient care, and in 
the context of hiring or retaining providers, suppliers and 
practitioners that are the subjects of reports.
    2. Government agencies, as defined in 45 CFR 61.3, requesting data 
concerning a health care provider, supplier or practitioner for the 
purposes of preventing fraud and abuse activities and/or improving the 
quality of patient care, and in the context of hiring or retaining the 
providers, suppliers and practitioners that are the subject of reports 
to the system. This would include law enforcement investigations and 
other law enforcement activities.

STORAGE:
    Records are maintained in electronic folders, on magnetic tape, 
and/or disks.

RETRIEVABILITY:
    Retrieval will be by use of personal identifiers, including a 
unique identifier assigned by the HIPDB.

SAFEGUARDS:
    1. Authorized Users: Access to records is limited to designated 
employees of the Contractor and to designated HRSA and the OIG staff. 
The Contracting Officer's Technical Representative (COTR) and AIS 
Security Officers are among the HRSA staff who are authorized users. 
Both HRSA and the contractor maintain lists of authorized users. Other 
Departmental employees will have access to the records on an official 
``need to know'' basis.
    2. Physical Safeguards: Magnetic tapes, disks, computer equipment 
and hard copy files are stored in areas where fire and environmental 
safety codes are strictly enforced. All automated and non-automated 
documents are protected on a 24-hour basis. Perimeter security includes 
intrusion alarms, random guard patrols, monitors, key/passcard/
combination controls, receptionist controlled area and reception alarm 
button.
    3. Procedural and Technical Safeguards: A password is required to 
access the system, and additional identification numbers and passwords 
are used to limit access to data to only authorized users. All users of 
personal 
information, in connection with the performance of their jobs, protect 
information from public view and from unauthorized personnel entering 
an unsupervised area. All authorized users will sign a nondisclosure 
statement. To protect the confidentiality of information contained in 
the system, when a person leaves or no longer has authorized duties, 
the Security Officer deletes his or her identification number and 
password, retrieves all electronic access cards, and changes all 
combinations to which the departing employee had access. The system 
automatically logs all access to data resources.
    Access to records is limited to those authorized personnel trained 
in accordance with the Privacy Act and automatic data processing (ADP) 
security procedures. The Contractor is required to assure the 
confidentiality safeguards of these records and to comply with all 
provisions of the Privacy Act. All individuals who have access to these 
records must have the appropriate ADP security clearances. Privacy Act 
and ADP system security requirements are included in the contract for 
the operations and maintenance of the system. In addition, the HIPDB 
Project Officer and the System Manager oversee compliance with these 
requirements. HRSA staff who are authorized users will make site visits 
to the Contractor's facilities to assure compliance with security and 
Privacy Act requirements.
    The safeguards described above were established in accordance with 
DHHS Chapter 45-13 and supplementary Chapter PHS hf: 45-13 of the 
General Administration Manual, and the DHHS Information Resources 
Management Manual, Part 6, ``ADP Systems Security.''

RETENTION AND DISPOSAL:
    All records in this system are retained permanently.

SYSTEM MANAGER(s) AND ADDRESS:
    Tony Marziani, Director, Information Systems and Investigative 
Support Staff, Office of Investigations, OIG, Room 5046, Cohen 
Building, 330 Independence Avenue, SW., Washington, DC 20201, (202) 
205-5200.

NOTIFICATION PROCEDURES:
    Exempt from certain requirements of the Act. However, an individual 
is informed when a record concerning himself or herself is entered into 
the Healthcare Integrity and Protection Data Bank.
    Requests by mail: Practitioners, providers or suppliers may submit 
a ``Request for Information Disclosure'' to the address under system 
location for any report on themselves. The request must contain the 
following: Name, address, date of birth, gender, Social Security 
Number, professional schools and years of graduation, and the 
professional license(s). For license, include: The license number, the 
field of licensure, the name of the State or Territory in which the 
license is held, and Drug Enforcement Administration registration 
number(s). Practitioners must sign and have notarized their requests. 
Submitting a request under false pretenses is a criminal offense 
subject to, at a minimum, a $5,000 fine under provisions of the Privacy 
Act.
    Requests in person: Due to security considerations, the HIPDB 
cannot accept requests in person.
    Request by telephone: Individuals may provide all of the 
identifying information stated above to the HIPDB Helpline operator. 
Before the data request is fulfilled, the operator will return a paper 
copy of this information for verification, signature and notarization.

RECORD ACCESS PROCEDURES:
    Same as notification procedures. Requesters also should reasonably 
specify the record contents being sought.

CONTESTING RECORDS PROCEDURES:
    The HIPDB routinely mails a copy of any report filed in it to the 
subject. The subject may contest the accuracy of information in the 
HIPDB concerning himself, herself, or itself and file a dispute. To 
dispute the accuracy of the information, the individual must notify the 
HIPDB by:
    (1) Identifying the record involved; (2) specifying the information 
being contested; (3) stating the corrective action sought and reason 
for requesting the correction; and (4) submitting supporting 
justification and/or documentation to show how the record is 
inaccurate. At the same time, the individual must attempt to enter into 
discussion with the reporting entity to resolve the dispute. Additional 
detail on the process of dispute resolution can be found at 45 CFR 
61.15 of the HIPDB regulations.

RECORD SOURCE CATEGORIES:
    Entities that have submitted records on individuals and 
organizations contained in the system; State Licensing Boards, 
including State Medical and Dental Boards, Federal and State Agencies 
as defined in the Act, and health plans as defined in the Act who take 
a final adverse action (not including settlements in which no findings 
of liability have been made) taken against a health care provider, 
supplier, or practitioner. (See PURPOSE section above)

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    The Secretary has exempted this system from certain provisions of 
the Act. In accordance with 5 U.S.C. 552a(k)(2) and 45 CFR 
5b.11(b)(ii)(F), this system is exempt from subsections (c)(3), (d)(1)-
(4), and (e)(4)(G) and (H) of the Privacy Act.

[FR Doc. 99-3568 Filed 2-12-99; 8:45 am]
BILLING CODE 4160-15-P