[Federal Register Volume 64, Number 206 (Tuesday, October 26, 1999)]
[Rules and Regulations]
[Pages 57740-57764]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-27472]



[[Page 57739]]

_______________________________________________________________________

Part IV





Department of Health and Human Services





_______________________________________________________________________



Office of the Secretary



_______________________________________________________________________



Office of Inspector General



_______________________________________________________________________



45 CFR Part 61



Health Care Fraud and Abuse Data Collection Program: Reporting of Final 
Adverse Actions; Final Rule

  Federal Register / Vol. 64, No. 206 / Tuesday, October 26, 1999 / 
Rules and Regulations  

[[Page 57740]]



DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary
Office of Inspector General

45 CFR Part 61

RIN 0906-AA46


Health Care Fraud and Abuse Data Collection Program: Reporting of 
Final Adverse Actions

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule establishes a new CFR part to implement the 
statutory requirements of section 1128E of the Social Security Act, as 
added by section 221(a) of the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996. Section 221(a) of HIPAA 
specifically directs the Secretary to establish a national health care 
fraud and abuse data collection program for the reporting and 
disclosing of certain final adverse actions taken against health care 
providers, suppliers and practitioners, and to maintain a data base of 
final adverse actions taken against health care providers, suppliers 
and practitioners.

EFFECTIVE DATE: This rule is effective on October 26, 1999.

FOR FURTHER INFORMATION CONTACT: Thomas C. Croft, Director, Division of 
Quality Assurance, Bureau of Health Professions, Health Resources and 
Services Administration, (301) 443-2300.

SUPPLEMENTARY INFORMATION:

I. Background

The Healthcare Integrity and Protection Data Bank

    On October 30, 1998, the Office of Inspector General (OIG) 
published a proposed rule in the Federal Register (63 FR 58341) 
designed to implement the statutory requirements of section 1128E of 
the Social Security Act (the Act), as added by section 221(a) of the 
Health Insurance Portability and Accountability Act (HIPAA) of 1996. 
Section 221(a) of HIPAA specifically directs the Secretary to establish 
a national health care fraud and abuse data collection program for the 
reporting and disclosing of certain final adverse actions taken against 
health care providers, suppliers and practitioners, and to maintain a 
data base of final adverse actions taken against health care providers, 
suppliers and practitioners. Final adverse actions include: (1) Civil 
judgments against a health care provider, supplier, or practitioner in 
Federal or State court related to the delivery of a health care item or 
service; (2) Federal or State criminal convictions against a health 
care provider, supplier or practitioner related to the delivery of a 
health care item or service; (3) actions by Federal or State agencies 
responsible for the licensing and certification of health care 
providers, suppliers or practitioners; (4) exclusion of a health care 
provider, supplier or practitioner from participation in Federal or 
State health care programs; and (5) any other adjudicated actions or 
decisions that the Secretary establishes by regulation. Settlements in 
which no findings or admissions of liability have been made will be 
excluded from reporting. Access to this new data bank is limited to 
Federal and State Government agencies and health plans. Reporting is 
limited to these same groups. Health care providers, suppliers and 
practitioners may self query the data bank, but have no reporting 
responsibilities. The Act also requires the Secretary to implement the 
national health care fraud and abuse data collection program in such a 
manner as to (1) assure that the privacy of individuals is maintained; 
(2) establish reasonable fees for disclosure of information to recover 
full operating costs; and (3) avoid duplication with the reporting 
requirements established for the National Practitioner Data Bank 
(NPDB). This new data bank is known as the Healthcare Integrity and 
Protection Data Bank (HIPDB).

II. Summary of the Proposed Rule

    The proposed regulations published on October 30, 1998 were 
developed to establish a new 45 CFR part 61 to implement the 
requirements for reporting of specific data elements to, and procedures 
for obtaining information from, the HIPDB (and are applicable to 
Federal and State Government agencies and health plans). Set forth 
below is a description of the major provisions of the proposed rule, 
including, among other things, proposed definitions for certain terms 
associated with the HIPDB, a discussion of the specific reporting 
requirements and when such information must be reported, the fees 
applicable to requests for information, the issues of the 
confidentiality of information, and how to dispute the accuracy of 
information in the HIPDB.

Provisions of the Proposed Rule

1. Definitions
    The proposed regulations expanded on previous regulatory 
definitions and clarified aspects of a number of terms set forth in the 
statute. The clarifications served to provide additional examples of 
the scope of the statutory definitions, but did not go beyond 
congressional intent. The proposed rule specifically set forth 
definitions for the terms ``affiliated or associated;'' ``Government 
agency;'' ``health care provider;'' ``health care supplier;'' ``health 
plan;'' ``licensed health care practitioner, licensed practitioner and 
practitioner;'' and ``other adjudicated actions or decisions.''
2. When Information Must Be Reported
    The proposed regulations sought to establish the time frame for 
submitting reports to the HIPDB. As proposed, information would be 
submitted to the HIPDB (1) within 30 calendar days from the date the 
final adverse action was taken or the date when the reporting entity 
became aware of the final adverse action, or (2) by the close of the 
entity's next monthly reporting cycle, whichever is later. The date the 
final adverse action was taken, its effective date and duration of the 
action would all be contained in the information reported to the HIPDB.
    We also proposed a list of ``mandatory'' data elements, as well as 
data elements that must be reported to the data bank ``if known.'' We 
note that section 1128E(b)(2)(A) of the Act mandates that Federal and 
State Government agencies and health care plans collect and report 
Social Security Numbers and Federal Employer Identification Numbers for 
the purposes of reporting to the HIPDB.
3. Reporting Errors, Omissions, Revisions and Actions on Appeal
    In Sec. 61.6 of the proposed regulations, we indicated that if any 
errors or omissions in the final adverse action are discovered after 
the information has been reported, the person or entity that reported 
such information must send an addition or correction to the HIPDB 
within 60 calendar days of the discovery. We also proposed that any 
revision to the action or to appeal status must similarly be reported 
within 30 calendar days after the reporting entity learns of such 
revision or appeal. In turn, we proposed that each subject of a report 
will receive a copy when it is entered into the HIPDB and a copy of all 
revisions and corrections to the report. This is an opportunity only 
for the reporting entity to correct any errors or omissions in the 
information, not for the subjects to request re-adjudication of their 
cases.

[[Page 57741]]

4. Reporting Licensure Actions Taken by Federal or State Licensing and 
Certification Agencies
    In proposed Sec. 61.7, we addressed the reporting of licensure 
actions taken by Federal and State licensing and certification 
agencies. We proposed defining the phrase ``any other negative action 
or finding'' by a Federal or State licensing and certification 
authority to mean any action or finding that is publicly available and 
rendered by a licensing or certification authority. These actions or 
findings include, but are not limited to, imposition of civil money 
penalties (CMPs) and administrative fines, limitations on the scope of 
practice, injunctions and forfeitures. As indicated in the proposed 
rule, this definition included final adverse actions occurring in 
conjunction with settlements in which no findings or admissions of 
liability have been made, and that would otherwise be reportable under 
the statute.
    The statute also requires the reporting of a health care provider, 
supplier or practitioner who voluntarily surrenders a license or 
certification. Based on extensive discussions with various State 
agencies, we were advised that voluntary surrender and non-renewal of 
licensure and provider participation agreements are not infrequently 
used as means to exclude questionable health care providers, suppliers 
and practitioners from participating in Federal and State health care 
programs. These voluntary surrenders and non-renewal actions result in 
allowing questionable health care providers, suppliers or practitioners 
to move from State to State without the new State licensing agency 
becoming aware of the true nature of the action in the prior licensing 
State. Therefore, for reporting purposes, we proposed that the term 
``voluntary surrender'' include a surrender made after a notification 
of investigation or a formal official request by Federal or State 
licensing or certification authorities for a health care provider, 
supplier or practitioner to surrender the license or certification 
(including certification agreements or contracts for participation in 
Federal or State health care programs). This proposed definition also 
included those instances where a health care provider, supplier or 
practitioner voluntarily surrenders a license or certification 
(including program participation agreements or contracts) in exchange 
for a decision by the licensing or certification authority to cease an 
investigation or similar proceeding, or in return for not conducting an 
investigation or proceeding, or in lieu of a disciplinary action.
    We recognized that many voluntary surrenders are not a result of 
the types of adverse actions that are intended for inclusion in the 
HIPDB. Therefore, we proposed that voluntary surrenders and licensure 
non-renewals due to nonpayment of licensure fees, changes to inactive 
status, and retirement be excluded from reporting to the HIPDB unless 
they are taken in combination with one or more of the circumstances 
listed above (in which case they would be reportable).
5. Reporting Federal or State Criminal Convictions Related to the 
Delivery of a Health Care Item or Service
    In proposed Sec. 61.8, we stated that Federal and State law 
enforcement and investigative agencies would be required to report 
criminal convictions against health care providers, suppliers or 
practitioners. Consistent with section 1128E(g)(1)(A)(ii) of the Act, 
we also proposed that criminal convictions unrelated to the delivery of 
health care items or services would not be reported under this section.
6. Reporting of Civil Judgments in Federal or State Court Related to 
the Delivery of a Health Care Item or Service
    In proposed Sec. 61.9, we put forth that Federal and State law 
enforcement and investigative agencies and health plans be required to 
report civil judgments related to the delivery of a health care item or 
service (except those resulting from medical malpractice) against 
health care providers, suppliers or practitioners. The proposed rule 
indicated that civil judgments must be entered or approved by a Federal 
or State court. We also proposed that this reporting requirement would 
not include Consent Judgments that have been agreed upon and entered to 
provide security for civil settlements in which there was no finding or 
admission of liability.
7. Reporting Exclusion From Participation in Federal or State Health 
Care Programs
    In proposed Sec. 61.10, we stated that the OIG would be required to 
report health care providers, suppliers or practitioners excluded from 
participating in Federal or State health care programs. We also 
proposed that this section include exclusions made in a matter in which 
there also was a settlement even though the settlement itself is not 
reported because no findings or admissions of liability had been made.
8. Reporting Other Adjudicated Actions or Decisions
    In proposed Sec. 61.11, we proposed that Federal and State agencies 
and health plans be required to report other adjudicated actions or 
decisions. Although not specifically required by the statute, we 
proposed that ``any other adjudicated actions or decisions'' should 
relate to the delivery of a health care item or service, as do criminal 
convictions and civil judgments collected under the statute. We also 
proposed in this section that a due process mechanism be available with 
all adjudicated actions or decisions. In the proposed rule, we provided 
examples of an adjudicated action or decision to include, but not be 
limited to:
     Orders by an administrative law judge;
     CMPs and assessments;
     Revocations, debarments or other restrictions from 
participating in Federal or State government contracts or programs;
     Liquidation, dissolution, cancellation or revocation of a 
professional license; or
     Limitations on either clinical privileges or staff 
privileges by a health plan.
9. Fees Applicable to Requests for Information
    Proposed Sec. 61.13 addressed fees applicable to all requests for 
information from the HIPDB. In accordance with this proposed section, 
fees to be charged would be based on the full costs of operating the 
database, as authorized in section 1128E(d)(2) of the Act; criteria for 
assessing fees would be based on the guidelines set forth in OMB 
Circular A-25. These costs would encompass all direct and indirect 
costs of providing such information, including but not limited to:
     Direct and indirect personnel costs;
     Physical overhead, consulting, and other indirect costs;
     Agency management and supervisory costs; and
     Costs of enforcement, collection, research, establishment, 
regulations and guidance.
    For maximum efficiency, we proposed that the HIPDB be an all-
electronic system, with all fees collected through the most cost-
effective methods (such as credit card and electronic funds transfer). 
The Act exempts Federal agencies from these fees.
10. Confidentiality of HIPDB Information
    In proposed Sec. 61.14, we stated that the confidentiality 
requirements would

[[Page 57742]]

apply to all information obtained from the HIPDB. The confidentiality 
requirements are clearly specified in sections 1128E(b)(3) and (d)(1) 
and 1128C(a)(3)(B)(ii) of the Act. Specifically, section 1128E(b)(3) of 
the Act requires the Secretary to protect the privacy of individuals 
receiving health care services when determining what information is 
required. Section 1128E(d)(1) of the Act requires that information in 
the HIPDB will be available to Federal and State Government agencies 
and health plans. Section 1128C(a)(3)(B)(ii) of the Act requires the 
Secretary to assure that HIPDB information is provided and utilized in 
a manner that appropriately protects the confidentiality of the 
information. We proposed that information from this system be 
confidential and disclosed only for the purpose for which it was 
provided. We also proposed that appropriate uses of the information 
would include the prevention of fraud and abuse activities and 
improving the quality of patient care. This proposed provision did not 
go beyond the requirements set forth in the Act. The proposed 
requirements would not prevent an authorized user from sharing 
information from the HIPDB within the entity that requested it, as long 
as the information is used solely for the purpose for which it was 
provided. However, in accordance with section 1128E(b)(3) of the Act, 
we proposed that information obtained by a Government contractor, e.g., 
a Medicare carrier, an intermediary or auditor, may only be used in the 
furtherance of its contractual responsibilities.
11. How To Obtain Access to, and Dispute the Accuracy of, HIPDB 
Information
    The proposed regulations outlined the procedures for obtaining 
access to a report, submitting a statement, filing a dispute, and 
revising disputed information in a previously submitted report. These 
procedures are basically comparable to, or more generous than, 
procedures established in the Department's Privacy Act regulations at 
45 CFR part 5b. The Secretary has exempted the HIPDB from those Privacy 
Act requirements in order to establish a more comprehensive and 
generous notification, access and correction procedure. While these 
procedures basically are comparable to similar provisions in the 
Privacy Act, these procedures include significant rights in addition to 
those set forth in the Privacy Act. For example, when a HIPDB report is 
created or amended, we automatically provide subjects a copy of the all 
report. Subjects may also file a statement of disagreement with a 
report as soon as the report is filed , rather than at the end of an 
appeal process, as under the Privacy Act.
    In addition, we proposed that the subject of a report may dispute 
only the factual accuracy of the information contained in the HIPDB 
report concerning the individual or entity. As indicated in the 
proposed rule, the dispute process would afford the subject an 
opportunity to bring relevant factual information, including reversals 
of criminal convictions by an appeals court, to the attention of the 
reporter. The proposed dispute process would be consistent with that 
for the NPDB.
12. Sanctions for Failure To Report
    We incorporated the new CMP sanctions provision for failure to 
report information to the data bank, as set forth in section 4331 of 
Public Law 105-33, the Balanced Budget Act of 1997. In the proposed 
rule, we indicated that any health plan that fails to report 
information on a final adverse action that is required to be reported 
would be subject to a CMP of not more than $25,000 for each such 
adverse action not reported. Such penalties would be imposed and 
collected in the same manner as other CMPs under section 1128A of the 
Act.

III. Summary and Response to Public Comments

    As we have noted, the statute upon which the proposed regulations 
were drafted is quite broad and affords the Secretary numerous areas of 
discretionary authority on which we sought the benefit of public 
comment and input. The proposed rule set forth a 60-day public comment 
period ending December 29, 1998. On December 30, 1998, we extended the 
comment period for the proposed rule by an additional 2 weeks until 
January 11, 1999 (63 FR 71819). As a result, we received a total of 117 
timely-filed public comments from Federal and State law enforcement 
agencies; health care practitioner and provider licensing boards, 
health departments, private attorneys representing health care 
providers, suppliers and practitioners; and various health plans, 
health plan associations, hospitals, professional associations, health 
care practitioners and other individuals and entities. Based on review 
of the statute and the assessment of public comments received, we 
believe the final regulations implementing this authority fully and 
adequately balance the concerns of the Department with those expressed 
by outside individuals and entities.
    Set forth below is an overview of the various comments and 
recommendations received and our responses to those concerns. Section 
IV. of this preamble sets forth a summary of the specific revisions and 
clarifications to be made to the final regulations as a result of those 
comments.

A. Scope and Intent of the HIPDB

    Comment: A principal concern raised in the majority of comments was 
the interpretation of what constitutes the reporting threshold for all 
final adverse actions under the term ``health care fraud and abuse.'' 
Many commenters believed that the OIG broadened the definitions and 
criteria unnecessarily for reportable actions, well beyond a ``health 
care fraud and abuse'' data collection system. Specifically, these 
commenters only wanted actions involving health care related fraud and 
abuse reported to the HIPDB.
    Response: It is clear from reviewing the statutory language of the 
implementing Act, and the legislative history (such as congressional 
conference reports), that the HIPDB is not merely about establishing an 
information collection system. Rather, it is directed at combating 
fraud and abuse in a broader scope. Congress used the term health care 
fraud and abuse only once in the provision's opening paragraph for 
purposes of naming the data collection program. The term does not 
appear elsewhere, especially with regard to limiting the scope of 
reportable actions. Instead, Congress defined reportable ``final 
adverse actions'' by specifying a finite list of actions. These actions 
include civil judgments related to the delivery of a health care item 
or service; Federal or State criminal convictions related to the 
delivery of a health care item or service; actions taken by Federal or 
State licensing or certification agencies; exclusions from 
participation in Federal or State health care programs; and any other 
adjudicated actions or decisions taken by a Federal or State Government 
agency or health plan. To limit the adverse actions collected by the 
data bank to only those that are based on health care fraud and abuse 
would create a data bank that does not fully capture the types of 
reports that Congress clearly intended to be collected in accordance 
with the statute.
    The term ``health care fraud and abuse,'' as used in the statute, 
merely represents congressional intent that the HIPDB support efforts 
to prevent such activities. To limit actions collected only to those 
based on fraud and abuse would deny investigators, Government 
contracting officers, health plans and

[[Page 57743]]

others the reports which are necessary to effectively research the 
relevant backgrounds of potential providers, suppliers and 
practitioners. As indicated by one State licensing board, narrowing the 
scope of reportable actions may create an even greater burden on 
reporters to screen out final adverse action based solely on health 
care fraud and abuse. Accordingly, the definition related to final 
adverse actions, as well as the definitions of health care provider, 
supplier and practitioner, represent the statutorily-mandated reporting 
criteria for the HIPDB--and is not limited to health care fraud and 
abuse. It has been our goal to establish a complete and comprehensive 
data bank that effectively deters health care fraud and abuse in the 
health care industry, while promoting quality health care and 
protecting the public. A further discussion of the term ``health care 
fraud and abuse'' is contained in section III. B. 6. of this preamble.

B. Section-by-Section Analysis of Issues

Section 61.1  The Healthcare Integrity and Protection Data Bank

    Comment: Several commenters viewed the regulations, in general, as 
overly-broad and complex. Two commenters stated that information 
reported to the HIPDB should be directly related to health care fraud 
and abuse (see discussion regarding the definition of ``health care 
fraud and abuse'' in the discussion of Sec. 61.3 later in this section 
of this preamble). Another commenter expressed concern that the HIPDB 
would contain data on individuals who have not committed fraud. This 
commenter and others believed that the OIG will establish a vast system 
not targeted to identify truly egregious individuals and entities.
    Response: We disagree with these comments. As indicated in the 
proposed rule and in the summary section above in this preamble, we 
believe this rulemaking and the HIPDB clearly focus on specific final 
adverse actions taken against individuals and entities, and that those 
actions relate to these actions that could be defined as ``health care 
fraud and abuse.'' We believe these implementing regulations and the 
data bank are consistent with statutory intent and are properly 
targeted at capturing specific types of information relevant to the 
HIPDB's intended purpose.

Section 61.3  Definitions

1. Affiliated or Associated
    Comment: With regard to the definition and application of the term 
``affiliated or associated,'' several commenters stated that the 
proposed definition overreached the intent of the statute.
    Response: The OIG believes the definition supports congressional 
intent to enable authorized users who conduct fraud and abuse 
investigations to identify other business or commercial affiliations 
through which the subject may have committed other acts of wrongdoing, 
and to aid with subject identification, if the affiliation or 
association is known by the reporter.
    Comment: Several commenters requested the definition be refined to 
exclude irrelevant affiliations and associations. The commenters 
recommended that the definition be limited to (1) those entities in 
which the subject has a business interest, and (2) those associations 
having the power to revoke or suspend a license.
    Response: We agree that the definition and implementation of the 
term ``affiliated or associated'' set forth in the proposed rule may 
have resulted in some confusion. As a result, we are limiting the 
definition, in accordance with the first part of the commenters' 
concerns, to those health care entities in which the subject has a 
commercial interest.
    Comment: A number of commenters believed that the collection of 
this information set forth in the definition would be in violation of 
the Privacy Act, as it implies guilt by association.
    Response: The inclusion of an entity in this category by a reporter 
will in no way imply that the entity was a party to the act(s) or 
omission(s) that led to a reportable final adverse action. We believe 
that the revised definition will eliminate naming of professional 
affiliations or associations and the implied fear of invasion of 
privacy. We also note only individuals, not entities (even if the 
entity is an individual professional corporation), are protected by the 
Privacy Act.
    Comment: One commenter believed that ``affiliated or associated'' 
entities should be included only if such entities had an active role in 
the underlying sanction. Another commenter stated the names of 
``affiliated or associated'' entities should be expunged after an 
investigation that determined there was no involvement by the 
affiliation or association entity. A third commenter believed that 
there would be increased liability for reporters as a result of the 
definition set forth for this term.
    Response: We believe limiting ``affiliations or associations'' to 
those health care entities with an active role in the underlying 
sanction, or removing the names after an investigation has determined 
there was no involvement by the affiliated or associated entity, would 
be contrary to the specific language of the statute. The statute 
explicitly requires that the names of affiliated or associated health 
care entities be reported. Involvement or non-involvement in the 
underlying action is irrelevant to this reporting requirement. Further, 
we do not agree that merely identifying an entity as being affiliated 
with the subject of a report somehow imputes wrongdoing to the 
affiliated entity, and a statement to this effect will be included in 
the data base report. There will be no independent identification of 
affiliated or associated entities in the HIPDB other than as part of a 
subject's report, unless the entity also has been the subject of a 
final adverse action. If it comes to the attention of a business entity 
that it is incorrectly identified in a subject's report as having a 
commercial business affiliation with the subject, then the business 
entity may avail itself of the same correction procedures that are 
available to the subject of a report. The affiliated entity first may 
ask the reporting agency or health plan to correct the subject's 
report. If the reporter declines to do so, the affiliated entity may 
request a correction to the subject's report by the Secretary. With 
respect to an increase in liability for reporters, the OIG is providing 
an immunity provision in the final rule that will alleviate any 
perceived increase in liability.
    Comment: One commenter requested that the HIPDB provide written 
notice to each entity listed as an ``affiliated or associated health 
care entity'' within a final adverse action report, and that the HIPDB 
offer an appeal process to these entities in the event that the 
entities are incorrectly reported.
    Response: The revised definition will require that a commercial 
relationship exist between the subject and the affiliate or associate. 
As we have previously noted, we believe that this data field in no way 
implies wrongdoing on the part of the reported affiliate or associate, 
and thus eliminates the need for these entities to be notified.
2. Any Other Negative Action or Finding
    Comment: We received several comments regarding the manner in which 
the term ``any other negative action or finding'' was defined. Most of 
the commenters stated the proposed definition was too broad in nature 
and would create a tremendous burden on the reporters, especially if 
actions or findings pertaining to administrative fines and citations 
were to be included in the HIPDB. Several commenters

[[Page 57744]]

expressed concern that there is a range of actions or findings taken 
that may or may not be the same from State to State and do not relate 
to health care per se (such as a practitioner fined for failure to 
provide a new address). The commenters requested that the OIG clarify 
and limit the definition of this term to actions that are directly 
connected to health care violations.
    Response: We agree with the commenters that there will be variation 
from State to State regarding the types of final actions taken against 
health care providers, suppliers and practitioners. However, the HIPDB 
is being designed as a ``flagging system'' that will contain 
information on actions taken in a particular State or program that are 
considered by the State or program to warrant attention. We intend the 
data to provide a summary of the actions taken against a health care 
provider, supplier or practitioner. In addition, we acknowledge that 
there are certain kinds of actions or findings that would not meet the 
intent of the legislation and should not be reportable. For instance, 
administrative actions, such as limited training permits, limited 
licenses for telemedicine, fines or citations that do not restrict a 
practitioner's practice, or personnel actions for tardiness, are not 
within the range of actions intended by the statute. As a result of 
these comments, we are modifying the final regulations to exclude 
administrative fines or citations, corrective action plans and other 
personnel actions unless they are (1) connected to the billing, 
provision or delivery of health care services, and (2) taken in 
conjunction with other licensure or certification actions such as 
revocation, suspension, censure, reprimand, probation, or surrender. 
For example, a nurse agreed to settle claims that he received Medicare 
and Medicaid reimbursement to which he was not entitled. As a result of 
this action, the State licensing board reprimanded the nurse and 
imposed a $5,000 fine. This action would be reportable.
    Comment: Several commenters expressed concern that the preamble 
language that indicated that ``settlements in which no findings or 
admissions of liability have been made will be excluded from 
reporting'' conflicted with the next sentence in that discussion, which 
read, ``However, any final adverse action that emanates from such 
settlements and consent judgments, and that would otherwise be 
reportable under the statute, is to be reported to the data bank.''
    Response: We agree that the statutory language is clear that 
settlement in which no findings of liability have been made will not be 
reportable to the HIPDB. However, if another action is taken against 
the provider, supplier or practitioner of a health care item or 
service, as a result of or in conjunction with the settlement, the 
second action is reportable. For example, a civil court settlement in 
which no finding against or admission of liability by a practitioner is 
made is not reportable. However, for example, if the State licensing 
board suspends the practitioner's license as a result of a civil court 
settlement, the licensing board must report the suspension of the 
license. Similarly, if the OIG excludes a provider, supplier or 
practitioner based on actions that were also the subject of a civil 
settlement in which no finding or admission of liability was made, the 
exclusion must be reported to the HIPDB.
    Comment: One commenter questioned whether non-practitioners, such 
as an executive director, should be reported to the HIPDB, while 
another commenter requested clarification on the reporting of actions 
pertaining to the handling of an impaired practitioner.
    Response: The OIG reiterates the statutory intent that any final 
action taken against a licensed or certified health care provider, 
supplier or practitioner by a Federal or State licencing or 
certification agency that is publicly available information is a 
reportable action. If, for example in the case of an executive 
director, he or she is licensed or certified as a health care provider, 
supplier or practitioner, then that individual will be subject to the 
HIPDB reporting requirements. If a Federal or State licensing agency 
takes a final adverse action that is publicly available information 
against an impaired practitioner, the final adverse action is 
reportable.
3. Clinical Privileges
    Comment: Several commenters expressed concern that Congress never 
intended that clinical privilege actions would be reported to the 
HIPDB, particularly since such actions are already reported to the 
NPDB. Some commenters expressed a desire that clinical privileges 
suspensions only be reported when they are in effect for a period 
longer than 30 days, indicating that this limitation would parallel 
existing NPDB requirements for reporting of clinical privilege actions. 
Another commenter questioned why the proposed definition specifically 
mentioned physicians and dentists, when they believed the definition 
was to apply to all licensed health care practitioners.
    Response: The OIG agrees with these concerns and, as a result, the 
HIPDB will not collect data on clinical privileging actions. We note 
that clinical privileging actions are already collected by the NPDB. We 
believe that information on clinical privileging actions will not be of 
significant value to HIPDB queriers, since queriers who have a need for 
this information will already be accessing it through the NPDB. 
Accordingly, we are adding language to the definition of the term 
``other adjudicated actions or decisions'' to specify that the 
reporting of clinical privileging actions is excluded.
4. Exclusion
    Comment: One commenter raised a concern about the term 
``exclusion'' and mistakenly applied the definition for this term to a 
reportable licensure action.
    Response: The OIG has clarified that the term ``exclusion'' applies 
only to debarment of an individual or entity from participation in any 
Federal or State health care related program; this term is only 
applicable to reporting exclusion from participation in Federal or 
State health care programs.
5. Government Agency
    Comment: One commenter asserted that the definition of ``Government 
agency'' was too broad and potentially open-ended. The commenter 
requested clarification as to which agencies qualify as ``Federal and 
State agencies responsible for the licensing and certification of 
health care providers, suppliers and practitioners.'' A second 
commenter suggested that the definition of ``Government agency'' be 
amended to include all agencies authorized to investigate health care 
fraud.
    Response: We recognize the commenters' concerns and understand that 
regulatory boards and licensing programs vary from State to State. For 
this very reason, however, it is not possible for the OIG in this 
rulemaking to provide a listing of all agencies responsible for the 
licensing and certification of health care providers, suppliers and 
practitioners. In response to the proposed rule, we received only two 
comments from States that identified the agencies responsible for 
licensing. We believe that the definition of ``Government agency'' 
includes all agencies authorized to investigate health care fraud and 
abuse and, as a result, are making no changes to the final rule.
6. Health Care Fraud and Abuse
    Comment: In general, comments reflected an assumption that the 
terms ``health care fraud'' and ``health care

[[Page 57745]]

abuse'' defined the reporting criteria for all final adverse actions 
mandated by the statute. Specifically, commenters found the term 
``health care fraud,'' when used in conjunction with the proposed 
preamble definition of ``health care abuse,'' to be too broad. Several 
commenters requested that definitions for health care fraud and abuse 
(and thus the nature of adverse actions collected) be limited to 
activities relating to financial violations, or require the reportable 
activities to meet a legal standard of fraud or abuse. One commenter 
stated that health care abuse should be limited to those actions 
against a health care system and not those relating to personal abuse. 
Other commenters believed that the terms should be combined into one 
definition. One State licensing agency requested specific guidance on 
whether all final adverse actions must be based on health care fraud 
and abuse to be reportable to HIPDB. The agency pointed out that only 
one percent of its adverse licensing actions would meet such a fraud 
and abuse reporting threshold. Three commenters did acknowledge and 
agree that the term ``health care abuse'' was properly described within 
the regulation and the statute as ``final adverse actions.''
    Response: By attempting to define the terms ``health care fraud'' 
and ``health care abuse'' in the proposed rule, we gave the erroneous 
impression to some readers that final adverse actions may not be 
reported to the data bank unless they are categorized by the reporter 
as being based upon ``health care fraud and abuse.'' That 
interpretation is too limiting. Congress intended that this data bank 
support efforts to prevent and combat health care fraud and abuse, and 
not merely catalogue adverse actions that reporters may choose to 
describe as arising from ``health care fraud and abuse.'' Restricting 
reportable final adverse actions to those specifically relating to 
health care fraud and abuse would eliminate the reporting of many 
relevant actions that are included in the statutory definition of 
``final adverse actions.'' Accordingly, and as a result of the comments 
received, we are deleting the definition for the term ``health care 
fraud'' from the final rule and are opting not to define ``health care 
abuse.'' Instead, we defer to the statutory definition of ``final 
adverse actions'' as encompassing the range of actions to be reported.
    Comment: Several commenters requested changes to the ``health care 
fraud and abuse'' definition to narrow the range of actions, indicating 
that final adverse actions related to billing errors, benefits 
administration, payment and reimbursement issues, and quality of 
patient outcomes be excluded from the definition of ``health care fraud 
and abuse.''
    Response: There may be instances when billing errors, benefits 
administration, payment and reimbursement issues, and quality of 
patient outcomes meet the criteria and, therefore, will be reported. 
However, it is also foreseeable that certain of the aforementioned 
actions may not be final adverse actions and, therefore, not 
reportable. The OIG takes the position that any action is reportable to 
the data bank as long as the action meets the criteria of a ``final 
adverse action,'' as specified in the final rule.
    Comment: One commenter requested that ``health care fraud'' exclude 
offenses by health plans or insurance companies and be limited to 
offenses by health care providers, suppliers, or practitioners against 
health plans or health plan sponsors. Another commenter stated that the 
reporting of health care abuse should be optional and CMPs should not 
be imposed for failure to report. One commenter questioned the value of 
report data containing actions related to health care abuse since such 
actions may suggest a standard of measurement less than a court 
adjudication or administrative review panel finding.
    Response: The OIG believes that excluding organizations, such as 
health plans and insurance companies, would limit the effectiveness of 
the data bank to serve its intended function as a fraud and abuse 
prevention tool. We also believe that the intent of the statute is 
clear that all final adverse actions taken against a health care 
provider, supplier or practitioner must be reported to the HIPDB, and 
that failure to report such actions may result in the imposition of a 
CMP.
7. Health Care Provider
    Comment: Several commenters indicated that the definition of 
``health care provider'' was too broad and complex, and suggested as an 
alternative that the OIG use the definition set forth in section 
1861(u) of the Act. Two commenters objected to the inclusion of health 
care entities, such as health maintenance organizations (HMOs) in this 
definition. The commenters believed the definition for this term was 
conflicting, since health care entities could be potential subjects of 
the HIPDB as well as reporting entities. One commenter stated that most 
States did not take compliance actions against these types of entities.
    Response: Since Congress elected not to define ``health care 
provider'' in the Act, we believe the congressional intent was for this 
term to be defined broadly. There is no inherent conflict in health 
care entities being potential subjects of the HIPDB, as well as 
reporting entities. This is entirely consistent with the intent of the 
Act.
8. Health Care Supplier
    Comment: The majority of commenters responding to the definition of 
``health care supplier'' stated that the definition went beyond 
statutory authority and could allow inappropriate access to 
information. For example, several commenters noted that the definition 
included both direct and indirect providers of health care items and 
services. Several commenters recommended the definition be limited to 
suppliers as defined in section 1861(s) of the Act, and believed that 
the definition should not include health insurance or benefits 
providers, such as insurance agents, brokers, solicitors, consultants 
and reinsurance intermediaries. Other commenters pointed out that to 
broadly include health insurance or benefit providers in the definition 
of supplier also could have the effect of including nearly all public 
and private employers as the potential subjects of reports. These 
commenters requested that suppliers be limited to those who directly 
provide covered items or services to beneficiaries, or who directly 
receive reimbursement from a health care program.
    One commenter requested that reportable subjects not be limited to 
practitioners, providers and suppliers, but rather encompass all 
individuals and entities involved in health care fraud, including 
beneficiaries, Government and private employees, managed care marketers 
and any individual who is responsible for the actions of an entity. One 
commenter requested clarification of the term ``subject.''
    Response: We disagree with the contention of some commenters that 
Congress intended to collect final adverse action information only on 
direct providers of items or services covered by a health care program 
or plan. Such a definition would exclude many entities that are the 
subject of health care fraud and abuse investigations and actions. The 
OIG believes that the intent of Congress was to have a broad 
interpretation of the terms supplier, practitioner and provider. For 
example, Congress did define the terms ``health care practitioner'' and 
``health care provider''

[[Page 57746]]

elsewhere in the statute, yet it did not specifically apply these 
definitions to the HIPDB. The term ``health care supplier'' is defined 
in these regulations to capture all final adverse actions relating to 
the delivery of a health care item or service. Accordingly, the OIG is 
electing to keep both direct and indirect suppliers in the definition 
of ``health care supplier.'' Including indirect suppliers in the 
definition also is consistent with the definition of ``supplier'' used 
in the regulations implementing OIG exclusion authorities resulting 
from HIPAA (63 FR 46676; September 2, 1998).
    However, we do not intend to include in the definition of 
``supplier'' all public and private employers, unless they are self-
insured for health care coverage. The definition will still include 
health plans, consultants, health insurance producers, agents, brokers 
and reinsurance intermediaries. On the other hand, the definition will 
not include businesses that merely provide their employees with health 
insurance coverage through a contract with a health insurance producer 
or a health plan. Therefore, in response to the concerns raised by the 
various commenters, we have modified the definition of ``health care 
supplier'' to clarify and limit its scope. Accordingly, we are 
replacing the proposed language with the term ``health plan'' and are 
inserting additional language excluding employers, unless they are 
self-insured.
    In response to the request that reporting be expanded beyond health 
care providers, suppliers and practitioners, we note that individuals 
or entities can only be subjects of HIPDB reports if final adverse 
actions were taken against them. Beneficiaries are not included in that 
category. For the purposes of this regulation, the term ``subject'' 
means a health care provider, supplier or practitioner upon whom a 
reportable final adverse action was taken.
    Comment: Two commenters indicated that States' burden of reporting 
would be increased since States do not regulate or collect data about 
many of the types of entities included in the supplier definition.
    Response: The OIG reiterates that only final adverse actions, as 
specified in the statute and these regulations, taken against health 
care providers, suppliers and practitioners are reportable. Such 
actions are to be reported by the organization taking the action. The 
specific data required to be reported and responses to comments 
regarding the reporting burden are addressed below in response to 
comments on the regulatory impact statement.
9. Health Plan
    Comment: With regard to the proposed definition of the term 
``health plan,'' commenters stated the definition is too broad, and 
suggested that the OIG use the definition as set forth in section 1128E 
of the Act, which incorporates the definition set forth in section 
1128C(c) of the Act.
    Response: The OIG maintains that the statutory intent of the 
definition was not meant to be exclusive or exhaustive. The OIG 
interprets congressional use of the word ``includes'' in the statutory 
definition as an indication that additional entities may be recognized 
as ``health plans'' if they meet the basic definition of ``providing 
health benefits.'' Therefore, we will continue to use a broad 
definition. The statutory language indicates that Congress intended 
that ``guarantors of payment'' for health care services and items, 
including ``self insured employers'' who are often the subjects of 
health care fraud, have access to HIPDB information. The OIG believes 
that limiting the definition to the language of the statute would not 
provide a workable basis for organizations and those who provide health 
care services to appropriately determine their reporting 
responsibilities under the statute. In response to one commenter's 
recommendation to make the definition more inclusive, we are providing 
further clarification and modifying the proposed definition.
    Comment: One commenter requested an exclusion be provided within 
the definition for direct reimbursements of an employee, stating there 
is no relationship between the employer who provides the reimbursement 
and the practitioner who provides the service.
    Response: As revised, the definition of the term ``health plan'' 
reflects the variety of benefit plans with a wide range of 
organizations, groups and individuals that currently offer such health 
benefits that would include direct reimbursement. Given this change, we 
believe any further revision is not necessary.
    Comment: One commenter believed that State-sponsored workman's 
compensation programs should be included as an example of a health 
plan.
    Response: It is our intention that State-sponsored workman's 
compensation programs be covered under the regulations, and we believe 
the definition, as written, includes such programs, although not stated 
explicitly.
    Comment: Two commenters stated the proposed definition would cause 
confusion as to which entity is responsible for reporting the action, 
i.e., the employer providing the health care policy or the insurance 
corporation with whom the employer has contracted.
    Response: We are aware of the multiple structures under which a 
``health plan'' may operate within an integrated health system. The 
final regulations state the entity taking the action is responsible for 
reporting the action to the HIPDB. The activity of reporting can be 
delegated to another entity, but the ultimate responsibility for the 
report will still lie with the entity taking the action.
10. Licensed health care practitioner, licensed practitioner or 
practitioner
    Comment: Several commenters suggested that the definition for this 
term should be more specific and include additional practitioner groups 
not listed, such as occupational therapists and occupational 
therapists' assistants. The commenters recommended that by providing a 
comprehensive list of all practitioners and allied health personnel 
eligible to be possible subjects of reports to the HIPDB, the OIG would 
ensure that all States report consistently regardless of their 
differences in professional licensing categories.
    Response: We note that the meaning of the term ``licensed health 
care practitioner, licensed practitioner or practitioner'' is 
consistent with the definition in section 1128E(g)(2) of the Act. We 
added the phrase ``but not limited to'' before our listing in order to 
provide adequate leeway for the inclusion of other health care 
practitioners as each individual State develops its own reporting 
categories. While we recognize the benefits of conformity in reporting 
practices, we have chosen not to sacrifice State flexibility and 
authority in determining appropriate reporting categories. Even Federal 
definitions may vary as to ``categorizing'' health care workers. In 
section 1861(s) of the Act, for example, both physical and occupational 
therapists are listed under the definition of supplier.
    Comment: Other commenters requested clarification on how this 
definition will be interpreted in States with ``title protection 
statutes.'' Generally, title protection statutes only restrict the use 
of a title of a health care practitioner and not the actual practice or 
the delivery of the service itself. Under title protection statutes, an 
individual may practice the profession without a license, but may not 
use the title unless licensed by the regulatory board.
    Response: The definition, as written, is consistent with the 
statutory

[[Page 57747]]

language. We recognize that ``title protection statutes'' may vary with 
each individual State. However, the statute only authorizes the 
collection of final adverse action information on an individual who is 
licensed or otherwise authorized by the State to provide health care 
services (including any individual who, without authority, holds 
himself or herself out to be so licensed or authorized by the State).
11. Organization Name and Type
    Comment: We received several comments concerning the mandatory 
element of ``organization name and type.'' Some commenters stated that 
they did not collect this type of information, while others were 
unclear as to the meaning of this term.
    Response: As a result of these comments, we are clarifying this 
term by specifically adding a new definition in Sec. 61.3 for the terms 
``organization name'' and ``organization type.''
12. Other Adjudicated Actions or Decisions
    Comment: Commenters raised numerous issues concerning different 
aspects of the definition for the term ``other adjudicated actions or 
decisions.'' Several commenters stated that the proposed definition was 
too broad or burdensome, and extended beyond the scope of the statute. 
A number of commenters suggested that all reportable ``adjudicated 
actions or decisions'' should be related only to fraud.
    Response: The OIG believes that the range of reportable ``other 
adjudicated actions or decisions'' is not overly broad or beyond the 
scope of the Social Security Act, since the statutory language states 
that all final adverse actions must be reported. Furthermore, as 
indicated above, the statute does not define fraud and abuse; it only 
defines final adverse actions. To promote an effective system to aid in 
deterring fraud and abuse, we believe it is necessary to define this 
term more inclusively, as is contemplated by the statute.
    Comment: The criteria set forth for the term ``other adjudicated 
actions or decisions'' caused confusion for a majority of commenters. 
Specifically, commenters indicated that they were unclear as to the 
meaning of the phrase ``official action,'' and whether actions 
involving (1) honest billing errors or differences in medical judgment, 
(2) employment or personnel-related actions and (3) CMPs would be 
reportable under this definition.
    Response: In response to these concerns, we have restructured the 
definition to clarify that in order for a formal or official action to 
be reported under this provision it must meet the three criteria that 
it (1) is taken against a health care provider, supplier or 
practitioner by a Federal or State Governmental agency or a health 
plan; (2) includes the availability of a due process mechanism; and (3) 
is based on acts or omissions that affect or could affect the payment, 
provision or delivery of a health care item or service. We also made 
minor changes in the definition to provide further clarity about the 
types of actions that are excluded from the definition.
    Comment: Two commenters requested clarification regarding the 
imposition of CMPs for failure to report. One commenter requested 
voluntary reporting of other adjudicated actions, in the hopes of 
eliminating such penalties. Another commenter asks that we include an 
intent clause as a necessary element to apply CMPs.
    Response: We disagree with the commenter's alternative approach 
regarding voluntary reporting, which we believe to be inconsistent with 
Congress' intent in creating a CMP for failure to report. In accordance 
with the statutory language that requires such action, a health plan 
failing to report any ``other adjudicated actions or decisions'' could 
be assessed a CMP of not more than $25,000. The regulations 
implementing this CMP provision are not a direct part of this HIPDB 
implementing rule and are being addressed in specific detail through 
separate OIG final rulemaking directed toward new or revised exclusion 
and CMP authorities resulting from Public Law 105-33.
    Comment: One commenter requested clarification on whether all 
reportable adjudicated actions must be related to professional 
competence or conduct.
    Response: The term ``other adjudicated actions or decisions'' does 
not need to relate to professional competence or conduct However, such 
actions must relate to the delivery of health care items or services.
    Comment: Several commenters stated the definition should be limited 
to final adverse actions involving a court or Government agency, in 
that reporting final adjudicated actions in which there was no finding 
of liability will discourage settlements; and adverse actions will vary 
from State to State, making it difficult to analyze or standardize the 
reporting process.
    Response: We believe that the statutory language is clear about 
which entities are required to report. Certain health plan actions will 
meet the criteria of ``other adjudicated actions or decisions,'' and, 
therefore, will be reportable. The statute also is clear that final 
actions resulting from settlements in which no findings of liability 
have been made are not reportable. The OIG recognizes the variation 
among States in the types of other adjudicated actions or decisions 
taken. We stress that the HIPDB is intended as a ``flagging system'' 
and that the information in the HIPDB should serve only to alert 
Federal and State agencies and health plans that there may be a problem 
with a particular provider's, supplier's or practitioner's background. 
The HIPDB information should be considered together with other relevant 
data in evaluating a provider's, supplier's or practitioner's 
background.
    A hallmark of any valid adjudicated action or decision is the 
availability of a due process mechanism. In general, if an 
``adjudicated action or decision'' follows an agency's established 
administrative procedures (that ensure that due process is available to 
the subject of the final adverse action), it would qualify as a 
reportable action under this definition. For example, a formal or 
official final action taken by a Federal or State Government agency or 
health plan may include, but is not limited to, a personnel-related 
action such as suspension without pay, reduction in grade for cause, 
termination or other comparable action in connection with the delivery 
of a health care item or service. For health plans that are not 
Government entities, an action taken following adequate notice and 
opportunity for a hearing that meet the standards of due process set 
forth in section 412(b) of the Health Care Quality and Improvement Act 
(42 U.S.C. 11112(b)) also will qualify as a reportable action under 
this definition. The fact that the subject elects not to use the due 
process mechanism provided by the authority bringing the action is 
immaterial, as long as such a process is available to the subject 
before the adjudicated action or decision is made final.
    The revised definition for the term ``other adjudicated actions or 
decision'' specifically excludes clinical privileging actions taken by 
Federal or State governmental agencies, as well as the similar 
``paneling actions'' taken by health plans. We will not collect'removal 
without cause'' actions taken by health plans, such as when the health 
plan has to eliminate some of its specialists or when the health plan 
concludes that a physician is not maintaining a desirable rate of 
patient visits. On the other hand, health plans will report ``quality 
actions'' that include the availability of a due process procedure, 
such as the formal removal

[[Page 57748]]

of a physician for problems based on quality of care or competence 
issues. Health plans also will report any health care related civil 
judgments they obtain against a health care practitioner, provider or 
supplier. The revised definition also clarifies that initial 
overpayment determinations by HCFA contractors, and similar overpayment 
decisions made by health plans, are not final, reportable actions.
13. Voluntary Surrender of License or Certification
    Comment: We received several comments on the definition of 
``voluntary surrender of license or certification'' from a variety of 
State and local agencies, private sector organizations and others. The 
majority of the commenters supported a broader definition of the term. 
One commenter did not believe voluntary surrenders should be included 
in the system because of added burden resulting from such action. 
Several commenters requested that the OIG provide further clarification 
of the term in the final regulations.
    Response: In light of the strong support for the definition in the 
proposed regulations, we are adopting this definition in the final rule 
with certain clarifications. The OIG is aware that there are instances 
in which a voluntary surrender is used to identify practitioners who 
are deceased, retired, have not renewed their license or certification, 
or have simply moved out of the State. We are clarifying the definition 
to exclude non-disciplinary voluntary surrenders.

Section 61.4  How Information Must Be Reported

    Comment: A number of commenters requested clarification on how 
information must be reported to the HIPDB. These commenters generally 
requested additional information on how electronic reporting would be 
accomplished, how consolidated reporting would occur for both the HIPDB 
and the NPDB, and whether all reporters would have the appropriate 
software and hardware to perform this function. Some commenters 
recommended, for example, that reporters be permitted to submit files 
electronically using file transfer protocol or electronic mail, and two 
commenters raised the issue of whether the HIPDB would accept paper 
reports.
    Response: In response to these concerns, we are indicating in this 
final rule that reports may be submitted to the HIPDB either through a 
secure interactive web-based reporting service (using state-of-the-art 
encryption technology) or by mailing to the HIPDB properly formatted 
report data on a diskette. Other types of electronic submissions will 
not be accepted, nor will paper reports. Reporters who are required to 
submit the same report to both the NPDB and the HIPDB will be able to 
satisfy their reporting obligations by submitting their report only 
once. Web-based reporting or querying will require a personal computer 
with a modem and access to the Internet. We will provide technical 
details regarding required data formats and access to the web site 
through technical manuals, guidebooks and on-line user help. We believe 
that most reporters possess these basic tools required to gain access 
to the data bank. We also recognize that there may be a small number of 
reporters who do not have these capabilities, but these entities should 
be able to perform any required functions through the services of an 
authorized agent, who would report to and query the data bank on the 
entity's behalf.
    Comment: One commenter requested that the NPDB and the HIPDB be 
consolidated in order to allow more efficient querying and reporting. 
The commenter also recommended allowing queriers to use search engines 
to more efficiently locate information.
    Response: The issue of integrating the NPDB and HIPDB is addressed 
in greater detail in section III. C. of this preamble, ``General Issues 
and Alternatives Suggestions.'' In response to the commenter's 
recommendation regarding the use of search engines for querying, 
queriers will be required to provide certain information about a 
provider, supplier or practitioner in order to process their query. 
Specific methods for querying will be addressed in subsequent guidance 
and technical documentation.
    Comment: To reduce the possibility that non-relevant reports will 
be submitted to the HIPDB, one commenter recommended that the Secretary 
establish a reporting threshold or specific criteria for each type of 
report.
    Response: Through development of a policy guidance guidebook, the 
Department intends to provide specific examples and establish the 
criteria for determining whether a final adverse action meets the 
standards established in regulations. These criteria will be specific 
to each type of action and will include examples of reportable and non-
reportable actions. It will be up to each reporter, however, to review, 
understand and apply these criteria when reporting.

Section 61.5  When Information Must Be Reported

    Comment: Commenters recommended extending the 30-day period for 
reporting final adverse actions to the HIPDB to 60 days. The commenters 
stated that the time frame set forth in the proposed rule was too 
stringent and unrealistic to be met by State licensing boards. Several 
associations representing State licensing boards suggested this time 
frame would place significant burden on licensing boards. By extending 
the time frame from 30 days to 60 days, commenters indicated that 
licensing boards would have adequate time to provide the information to 
their agent and, in turn, for the agent to submit the information to 
the HIPDB.
    Response: We are unable to make the changes suggested since the 
statutory language requires reports to be submitted regularly, but not 
less often than monthly.

Section 61.6  Reporting Errors, Omissions, Revisions or Whether an 
Action Is on Appeal

    Comment: One commenter stated that if a reportable adverse action 
is on appeal, the action should not be reported until the appeal 
process is final; if the appeal reverses the decision, then the entire 
report should be removed from the HIPDB.
    Response: We disagree with the first aspect of the comment since 
the statutory language (section 1128E(b)(2)(C)) requires specifically 
that a statement as to whether the action is on appeal must be included 
in the report to the HIPDB. With respect to the second part of the 
commenter's concern, we agree that reports which have been reversed on 
appeal will require a revision to the report. The report may be voided 
by the reporter at the time of the revision.
    Comment: Some commenters stated that the reporting of revisions, 
such as a reinstatement of a license, will cause confusion for 
queriers, that the accuracy of the reports in the HIPDB will be 
compromised, and that reporters will abuse the system by reporting 
``indiscriminately'' to avoid a sanction for failing to report and 
fulfilling the 30-day time frame. Commenters also expressed uncertainty 
as to who is responsible for reporting the revision.
    Response: We believe that there is a misconception on the part of 
some of the commenters. Specifically, when a reinstatement of a license 
occurs, the reporter must submit a revision to an action regarding the 
reinstatement.
    Comment: Two commenters raised concern over the fact that a subject 
of a

[[Page 57749]]

report may file a written statement to the HIPDB. The commenters 
believed this provision violates the due process rights of the entity 
taking the action. In addition, these commenters were concerned that 
the subject's statements could render an extremely inaccurate, biased 
and unreliable report. One commenter requested that reports be deleted 
after a 5-year period of time.
    Response: We note that only final adjudicated actions are 
reportable. The Act does not provide for the removal of reports from 
the data bank except through the dispute process. A subject's statement 
provides the subject with the opportunity to state his or her views on 
the final adverse action report; the report and the addendum will be 
sent to subsequent queriers. It is unclear what ``due process rights'' 
of the reporting entity could be violated by giving the subject of a 
report the right to state his or her views about the report. Further, 
we note that this approach parallels the long-standing practice used in 
reporting to the NPDB.

Section 61.7  Reporting Licensure Actions Taken By Federal or State 
Licensing and Certification Agencies

    Comment: Several commenters were concerned about the possibility of 
duplicative reporting when a practitioner is licensed in more than one 
State. The question was raised as to who reports the adverse licensing 
action. Several commenters questioned the process for reporting 
reinstatement of a license.
    Response: The statute requires that the State taking the action is 
responsible for reporting that action to the HIPDB. Each respective 
State licensure action requires a separate report to HIPDB. This 
process of reporting parallels the approach taken under the NPDB. The 
process for reporting reinstatement of a license is explained in the 
preamble section discussing Sec. 61.6.
    Comment: With respect to reporting actions on individuals, a number 
of comments addressed the problem of collecting the mandatory and ``if 
known'' data elements.
    Response: We are addressing this issue below in section III. C. of 
this preamble.
    Comment: Several commenters believed that the description of 
actions in this section were too vague, and that the OIG should limit 
reportable actions to those that truly limit practice, such as 
revocation, suspension and limitation on licensure. Another commenter 
suggested the HIPDB should be collecting final adverse actions related 
only to fraud and abuse in the delivery of a health care item or 
service. Two commenters questioned whether censure letters and other de 
minimis sanctions are reportable since these actions are not usually 
subject to due process, and recommended that we include only actions 
taken against physicians holding full licenses to practice medicine.
    Response: Section 1128E(g)(1)(A)(iii) of the Act states that 
Federal and State licensing and certification agencies must report to 
the HIPDB all of the following final adverse actions that are taken 
against a health care provider, supplier or practitioner:
     Formal or official actions, such as revocation or 
suspension of a license (and length of any such suspension ), 
reprimand, censure or probation;
     Any other loss of the license or the right to apply for, 
or renew, a license of a provider, supplier or practitioner; and
     Any other negative action or finding as defined by the 
Federal or State agency.
    Under section 1128E of the Act, the only limitation on a reportable 
disciplinary action is that it must be a formal or official action.
    Comment: One commenter believed that automatic suspension of a 
license for failure to pay family support for a child or spouse, for 
example, should not be included as a reportable event.
    Response: While we are aware of other ways in which a license may 
be suspended or revoked by other Federal laws not related to the HIPAA, 
this licensing action is considered a disciplinary action and, in 
accordance with the statute's definition of final adverse action, is 
reportable to the HIPDB.
    Comment: Concerning what information must be reported on 
organizations, one commenter recommended that the actions reported by 
Federal and State licensing and certification agencies be limited to 
those who traditionally provide these services. The commenter believed 
that the combination of the definitions of ``supplier'' and ``adverse 
action'' could lead to a data bank for reporting complaints and 
appeals, and not fraudulent activities.
    Response: In accordance with these comments, we are modifying the 
definitions of ``adverse actions'' and ``supplier'' in Sec. 61.3 in 
order to collect meaningful data on subjects of reportable final 
adverse actions.
    Comment: Several State licensing boards stated that they already 
report adverse action information to their individual professional 
association, and several professional associations also stated that 
they received reports from States on such actions. These commenters 
believed that they should be exempt from reporting to the HIPDB. 
Another commenter believed that HCFA should report all adverse actions 
to the HIPDB taken against Medicare and Medicaid providers and 
suppliers based on information that is already reported by State survey 
and certification agencies, thus leaving States with the responsibility 
to report only adverse actions taken against an entity based on State 
law.
    Response: The statute does not provide an exclusion from reporting 
to the HIPDB for individual professions that may report to other data 
banks. We encourage these organizations to designate their professional 
associations to act as authorized agents with the HIPDB. The statute 
requires that Federal and State Government agencies and health plans 
report any adverse action taken against a health care provider, 
supplier or practitioner. The OIG recognizes that State survey and 
certification agencies already report their findings to HCFA and we 
will continue to work with HCFA to find methods of streamlining and 
coordinating the reporting process.

Section 61.8  Reporting Federal or State Criminal Convictions Related 
to the Delivery of a Health Care Item or Service

    Comment: One commenter indicated that States already report 
convictions to the Federal Bureau of Investigation (FBI) and, as such, 
reporting to the HIPDB would be duplicative and costly. Another 
commenter requested clarification of the term ``delivery.''
    Response: The scope of the HIPDB goes beyond the felony convictions 
obtained at the State and local level that are currently reported to 
the FBI. Information being reported to the data bank also will include 
misdemeanor convictions, nolo contendere pleas, and pre-trial 
diversions and similar actions, that are not reportable to the FBI. In 
addition, the FBI does not classify convictions as being related to the 
delivery of a health care item or service, nor does it classify those 
convicted individuals and entities as being health care providers, 
suppliers or practitioners. Consequently, the FBI's data bank does not 
contain every action that would be reportable to the HIPDB, nor does it 
provide a way in which all appropriate State and local convictions 
could be identified for use in the HIPDB. The term ``delivery'' 
includes, but is not limited to, participation in any part of the 
provision for or payment of a health care item or service.

[[Page 57750]]

Section 61.9  Reporting Civil Judgments Related to the Delivery of a 
Health Care Item or Service

    Comment: One commenter was not clear as to when a health plan would 
be obligated to report a civil action, and recommended that health 
plans only be required to report when no Government agency was a party 
to the action. The commenter also suggested that health plans should be 
able to assign responsibility for reporting to another entity, if the 
other entity also were party to the suit. A second commenter believed 
that civil actions are best reported by a prosecuting entity.
    Response: The OIG does not require that each party to a civil 
action report that action individually. However, to clarify who has the 
responsibility for reporting multi-claimant civil judgments, we are 
adding new language to Sec. 61.9 to address responsibilities for the 
reporting of multi-claimant actions.

Section 61.10  Reporting Exclusion From Participation in Federal or 
State Health Care Programs

    Comment: One commenter stated that the OIG did not provide adequate 
and clear information for providers to use to identify excluded 
individuals or entities.
    Response: Revised OIG exclusion authorities were published as 
proposed rulemaking in the Federal Register on September 8, 1997 (62 FR 
47182), and final regulations were published on September 2, 1998 (63 
FR 46676). As indicated above in addressing the definition of the term 
``health care supplier,'' in the OIG's final rulemaking on new 
exclusions and revised authorities resulting from HIPAA, the OIG has 
the authority to exclude any individual or entity who directly or 
indirectly provides or supplies items or services. The scope of this 
exclusion authority includes items or services manufactured, 
distributed or otherwise provided by individuals or entities that do 
not directly submit claims to Medicare, Medicaid or other Federal 
health care programs, but that supply items or services to providers, 
suppliers or practitioners who submit claims to these programs for such 
items or services. Therefore, the OIG has already established through 
that final rule the conditions for excluding an individual and entity 
from a Federal or State health care program. As such, we believe no 
further revisions or clarifications are necessary in this final rule.

Section 61.12  Requesting Information From the HIPDB.

    Comment: Several commenters believed there should be public access 
to the HIPDB, while other commenters stated that access to the HIPDB 
should be open only to those who have the authority to take adverse 
actions. Additionally, citing the need to obtain the information for 
screening and credentialing potential employees, several commenters 
requested that hospitals also be able to request information. Several 
commenters also expressed concern regarding the data elements to be 
included in the release of aggregate data for research purposes.
    Response: While the OIG actively supports legislative proposals for 
expanding access to the HIPDB, the existing statute clearly limits 
access to the HIPDB to those entities that meet the definition of 
Federal or State agency or a health plan. Under the current statutory 
definition of entities having access, some hospitals will meet the 
criteria and be in a position to request information from the HIPDB, 
while other hospitals will not have access to the data bank. With 
regard to what data elements would be included, the OIG is clarifying 
the language in the final rule, as is discussed later in this preamble.
    As set forth in Sec. 61.12, at the time subjects request 
information as part of a ``self-query,'' the subjects will receive (1) 
any report(s) in the HIPDB specific to them, and (2) a disclosure 
history from the HIPDB of the name(s) of any entity (or entities) that 
have previously received the report(s). This disclosure history will be 
restricted in accordance with revisions being made to the Department's 
Privacy Act regulations at 45 CFR part 5b which, when issued in final 
form, will include an exemption for law enforcement access of the 
HIPDB.

Section 61.13  Fees Applicable to Requests for Information

    Comment: The majority of the comments received on this section were 
from State agencies. The commenters requested free or discounted rates 
for querying the HIPDB. The commenters suggested that those State 
agencies that actually file reports with the HIPDB should, in exchange, 
be able to query the data bank for free or at a discounted rate. One 
commenter expressed a concern over having to pay a separate fee to 
query both the HIPDB and the NPDB.
    Response: The OIG is aware of the concerns of some State agencies. 
The HIPDB and the NPDB were established under separate statutes, each 
requiring a fee for querying. Each data bank, by statute, was designed 
to recover its own cost through the imposition of query fees. We are 
aware of the potential burden of dual querying and will make every 
effort to keep these fees to a minimum. The OIG cannot comply with this 
request to offer free or discounted queries to State agencies and 
others. Since the statute specifically mandates that the Department 
exempt only Federal agencies from query fees, in order to completely 
cover costs from paying customers, the OIG must charge all non-Federal 
customers the same rate.
    The OIG intends to announce the actual amounts of the fees for the 
data bank in periodic notices in the Federal Register.
    Comment: One commenter recommended that all Federal agencies also 
should be subjected to a fee when querying the HIPDB, while another 
commenter stated that since Federal agencies are exempted from paying 
fees, their access should be limited to ``bona fide'' purposes.
    Response: With regard to the one commenter's suggestion as to 
Federal agencies fees, section 1128E(d)(2) of the Act specifically 
prevents the OIG from charging Federal agencies a fee to query the 
HIPDB. The appropriate uses of HIPDB information for all users, 
including Federal agencies, is being defined in Sec. 61.14 of these 
regulations and the Privacy Act System of Records notice published in 
the Federal Register on February 16, 1999 (64 FR 7653).
    Comment: One commenter recommended that the OIG not establish a fee 
for health care practitioners, providers or suppliers requesting 
information about themselves (self-queries) from the HIPDB. This 
commenter believed that State licensing boards will ``game the system'' 
by requiring licensees to submit self-query responses when requesting 
initial licensure or re-licensure. This commenter noted this type of 
activity already occurs with the NPDB.
    Response: Since State licensing boards are not required by the 
statute to query, the OIG can not expressly mandate that they query the 
HIPDB directly in place of requiring practitioners to provide self-
query responses. However, we will make every effort to strongly 
encourage State licensing boards to query the HIPDB directly to ensure 
they receive accurate and complete information.
    Comment: One commenter asked that the HIPDB provide an automatic 
copy (without a request and free of charge) of every report to the 
health care provider, supplier or practitioner who is the subject of 
the report, and not just when the report is initially entered into the 
HIPDB. This would include any report that is ``amended or deleted.'' A 
second commenter recommended that the OIG add a sentence to the final 
regulations

[[Page 57751]]

stating that the HIPDB also will provide a copy of every HIPDB report 
automatically, without a request and free of charge, to the reporter 
who submitted the report.
    Response: We agree with these comments and will modify the final 
regulations accordingly. The HIPDB will provide a copy of every HIPDB 
report to the reporter, as well as to the health care provider, 
supplier, or practitioner who is the subject of the report, when the 
report is initially entered. In addition, further notification will be 
made to these parties whenever the report is corrected or revised, and 
whenever the report is voided. We also agree to automatically provide 
the reporter with a copy of the revised report, without further 
request.

Section 61.14  Confidentiality of the HIPDB Information

    Comment: The majority of the commenters responding to this 
provision questioned the confidentiality of the reported data bank 
elements and resulting privacy of the information once a report is 
submitted to the HIPDB. The confidentiality of individual elements, as 
well as of the report as a whole, were questioned and several 
commenters believed the final rule needed to be clarified further. 
Citing possible violation of the Privacy Act, commenters expressed 
concern about the ``purpose'' for which the data are provided and the 
process of how queriers may distribute and use the information provided 
in a report.
    Response: Similar to the NPDB, the HIPDB requires specific data 
elements to be reported in order to maximize the accuracy of matching 
subjects of reports by the querier. The Privacy Act of 1974 established 
the guidelines for Federal governmental systems of records that are 
maintained by the names of individuals. The HIPDB was established as a 
system of records subject to the Privacy Act by notice published in the 
Federal Register on February 16, 1999 (64 FR 7653). Section 552(i)(3) 
of the Privacy Act provides that obtaining information knowingly from 
an agency system of records under false pretenses will be treated as a 
misdemeanor and will incur a fine of not more than $5,000 per 
occurrence. Section 552b(3) of the Privacy Act allows disclosure for 
``routine use,'' compatible with the purpose for which it was 
collected. Appropriate uses for the HIPDB information will include 
credentialing and employment decisions, fraud and abuse investigations, 
and use as a part of a querying entity's screening process which would 
indicate more complete details are needed about the subject. This 
``routine use'' does not allow disclosure to the general public. We are 
clarifying this discussion in Sec. 61.14 of the final regulations.
    We note that information which would identify Federal or State 
agency health program beneficiaries, or other patients of providers or 
practitioners, is not reportable to the HIPDB. Further, we will 
disallow references to individual patients or beneficiaries in any 
rebuttal documents submitted as part of a report dispute process, or 
submitted as part of the written comments that a subject may submit to 
be included with a report.
    Comment: Several commenters stated that the wording of this section 
was confusing, and did not fully explain the ways in which information 
can be disseminated once it is released to an eligible entity.
    Response: With respect to the confidentiality requirements of 
information obtained from the HIPDB indirectly from another party, as 
well as information obtained directly from the data bank, an individual 
or entity that receives information from the HIPDB is permitted to 
disclose such information further in the course of carrying out the 
activity for which the information was sought. For example, during the 
course of a health plan's credentialing process, the plan may request 
information from the HIPDB on a practitioner's history of final adverse 
actions. The health plan may share this information with other 
individuals who are part of the credentialing review and decision 
making process on the practitioner's application. Nevertheless, the 
confidentiality limitations of the Act apply both to the health plan 
staff who initially receive the information and to the specific 
departmental staff who subsequently review this same information; they 
may each only use and disclose the information with respect to the 
credentialing decision.

Section 61.15  How To Dispute the Accuracy of the HIPDB Information

    Comment: Several commenters were supportive of the mechanism set 
forth in the proposed rule that would allow practitioners to attach a 
2,000 word statement to their report for purposes of disputing the 
accuracy of HIPDB information. Some commenters indicated that the 
inclusion of a 2,000 word statement to a report was unnecessary and 
recommended eliminating this provision for the final rule.
    Response: We believe this mechanism will be useful, and are 
retaining it in the final regulations.
    Comment: While some commenters believed a dispute mechanism was 
unnecessary or would greatly increase the burden on reporting entities, 
other commenters supported the inclusion of an additional dispute 
mechanism under which reporting entities could report disagreements 
with a Secretarial decision to delete a report from the HIPDB.
    Response: The statute specifically requires that the HIPDB have a 
dispute mechanism in place. We are adopting the dispute mechanism that 
currently is being used for reports to the NPDB, which has proven to be 
effective. We are addressing regulatory burden issues later in this 
preamble.

C. General Issues and Alternative Suggestions

1. Coordination and distinctions between the HIPDB and the NPDB
    Comment: One commenter stated that an additional data bank was 
unnecessary. The commenter believed that the NPDB is adequate, and that 
the HIPDB will only serve to be duplicative in nature.
    Response: While we agree that the NPDB is adequate for its intended 
purpose of protecting the public from incompetent or unprofessional 
health care practitioners, the HIPDB reflects separate and distinct 
congressional intent, with unique data elements. The HIPDB data base is 
intended to collect a wide range of final adverse actions. The HIPDB 
serves a dual purpose of protecting the public, and assisting fraud and 
abuse investigations of health care practitioners, suppliers and 
providers. The HIPDB also contains information that is not reported to 
the NPDB, for purposes of meeting its intended statutory objectives.
    Comment: Some commenters expressed a desire that the HIPDB and the 
NPDB be combined into one system, and commenters believed that for 
reports required under both systems, the OIG should have reporters 
report such actions only once.
    Response: Although the HIPDB and the NPDB must be separate data 
banks, and serve different purposes, the HIPDB and the NPDB will, for 
certain reporting and querying purposes, form an integrated system, 
whereby a report required under both systems will only need to be 
reported once. The system will subsequently store the report in the 
HIPDB, the NPDB, or both, as appropriate. Additionally, a querier 
eligible to have access to both data banks can query both through a 
single request.
    Comment: One commenter expressed concern that under an integrated 
reporting system for the NPDB and the

[[Page 57752]]

HIPDB a medical malpractice insurer would be forced to submit certain 
fields required under the HIPDB, such as for an individual's Social 
Security Number.
    Response: This provision is only applicable to reports required 
under both data banks. For example, medical malpractice payment reports 
are only required to be reported to the NPDB; they are statutorily 
exempt from HIPDB reporting. Therefore, the HIPDB data elements 
required, such as an individual's Social Security Number, do not apply 
to those reports.
    Comment: One commenter expressed a desire that actions taken before 
August 21, 1996, the effective date of the HIPAA statute, be required 
to be reported to the HIPDB.
    Response: Since the Department does not have the statutory 
authority to retroactively require reports before the statute's date of 
enactment, we cannot accept this recommendation, and we would be 
unwilling to impose the burden of retroactive reporting on the 
reporting entities even if we had the authority to do so.
2. Immunity Provisions Under the HIPDB
    Comment: More than half of the comments received regarding immunity 
provision under the HIPDB stated that any immunity provisions must be 
included within the final regulations and not merely alluded to in the 
preamble. The commenters specifically requested immunity with regard to 
submitting reports to the HIPDB. Several commenters stated that any 
immunity provisions included within the final regulations needed to 
specifically provide immunity for agents.
    Response: We agree with the comments, and are adding a new 
Sec. 61.16 within the final regulations to address this concern.
    Comment: Three commenters were supportive of the proposed 
definition for the term ``knowledge of falsity'' to mean actual 
knowledge of falsity by the submitting party. One commenter requested 
the elimination of immunity for those who file information with the 
HIPDB recklessly.
    Response: The intention of the statute is to encourage final 
adverse actions to be reported against subjects, without fear of the 
subject retaliating with a lawsuit against those who report the action. 
In accordance with the comments and the statute, we will continue to 
interpret the term ``knowledge of falsity'' to mean actual acknowledge. 
Consequently, we are including language in the final regulations 
stating that the submitting reporter will not be immune from liability 
if there is actual knowledge of falsity of a report.
    Comment: One commenter stated the subject of a report should be 
required to follow the dispute resolution procedures before filing suit 
against a reporter for false knowledge in reporting to the HIPDB.
    Response: We decline to accept this comment. The statute does not 
provide the authority to require the subject of a report to follow the 
dispute resolution procedures prior to filing suit against a reporter. 
Further, we believe this would result in unnecessary delays in 
reporting final adverse actions to the HIPDB.
3. Sanctions for Failure To Report
    Comment: With regard to sanctions for failure to report to the 
HIPDB, commenters stated that a potential CMP of $25,000 per occurrence 
against health plans that fail to report was too severe. One commenter 
recommended that, because of the perceived breadth and ambiguity of the 
reporting requirements, the OIG should only assess CMPs against health 
plans that ``knowingly and willfully fail to report.'' Another 
commenter stated that the CMP was proportionately unfair to single 
service health plans.
    Response: Section 4331 of Public Law 105-33, the Balanced Budget 
Act (BBA) of 1997, authorizes a CMP of up to $25,000 for each adverse 
action not reported by a health plan. The statute does not require that 
this full amount be imposed; a lesser penalty could be assessed at the 
discretion of the OIG. The statute does not require a ``knowing and 
willful'' standard as part of the CMP criteria. However, the OIG has 
discretion in choosing whether to assess a CMP, and the OIG applies 
various mitigating and aggravating factors, as set forth in the OIG/CMP 
regulations, in determining the CMP amount up to the $25,000 limit. 
Specific policies and factors regarding imposition of this CMP are 
being set forth by the OIG in separate final rulemaking addressing new 
and revised sanction authorities resulting from the BBA.
    Comment: One commenter asked whether the OIG would impose CMPs 
against health plans that cannot report because they do not collect all 
of the reportable data elements.
    Response: Every effort has been made to specify a set of data 
elements that will not impose an undue burden on reporters and that 
still ensure a high degree of confidence in matching names of health 
care practitioners, providers and suppliers with existing reports in 
the HIPDB. Reporters will be required to report mandatory data 
elements, and may report all other fields if they are known. However, 
reporters that fail to submit reports with the minimum mandatory data 
required by statute and regulations may be subject to the sanctions 
referenced above.
    Comment: Some commenters expressed concern that the OIG would 
impose CMPs for the non-reporting of adverse actions (or particular 
data elements associated with an adverse action) that occurred during 
the period between the effective date of HIPAA, August 21, 1996, and 
the effective date of this rule, a time period when the exact reporting 
requirements of the rule were not yet known to the entities now 
responsible for reporting.
    Response: The basic types of actions to be reported were specified 
in the HIPAA and were, therefore, noticed to potential reporters as of 
August 21, 1996. We do realize, however, that the specific definitions 
of terms used, and the specification of exact data elements to be 
reported, are set forth in this rule. While there is a duty to report 
actions (and data elements) dating from the period between August 21, 
1996 and the promulgation of this rule, the OIG will give due 
consideration to the ability of a reporting agency or health plan to 
comply with requirements to report such actions (and data elements) in 
determining whether to impose a CMP for failure to report in accordance 
with 42 CFR 1003.102(b)(5)(ii).
4. Implementation Schedule
    Comment: Four comments were received regarding the implementation 
schedule for the HIPDB. Commenters stated that collecting data elements 
retroactively, as required by the Act, would be burdensome and 
difficult to obtain. One commenter recommended a separate date for 
``other adjudicated actions,'' stating that these actions are not final 
until each case has exhausted all appeal rights. Several commenters 
suggested the OIG should allow for two different dates: one for data 
that are available at the time of the opening of the data bank, and 
another date (for example, 60 days later) for additional and 
retroactive data.
    Response: The OIG has taken these points into consideration. This 
concern is being addressed below in the section of this preamble 
discussing the burden of data collection.
5. Paperwork Reduction Act Statement
    a. Data elements to be reported to the HIPDB. The OIG solicited 
comments on: (1) Whether the proposed collection of information is 
necessary for the proper performance of the functions of the 
Department, including whether the

[[Page 57753]]

information will have practical utility; (2) the accuracy of the 
Department's estimate of the burden of the proposed collection of 
information; (3) ways to enhance the quality, utility and clarity of 
the information to be collected; and (4) ways to minimize the burden of 
the collection of information on respondents, including through the use 
of automated collection techniques or other forms of information 
technology.
    Comment: Over half of the comments received concerned the data 
elements in general. Commenters stated that the proposed rule was 
overreaching the scope of the statute and created unintended reporting 
burdens with regard to the various data elements specified for 
collection. Some commenters indicated that they did not collect one or 
more of the required data elements, while others suggested that not all 
of the requested data elements were necessary for the HIPDB, or that 
only a minimal set of elements were needed to insure proper 
identification of a subject. Some commenters stated that the required 
data elements would force physicians to devote additional time and 
expense to reporting these actions.
    Response: The OIG disagrees with the commenters' assessments. The 
OIG continues to believe the data elements selected for inclusion into 
the HIPDB are essential for users in properly identifying individuals 
and entities which are the subjects of reports in the data bank. 
Further, as indicated earlier, with respect to the concerns indicated 
by some physicians, there are no requirements for physicians to report 
directly to the data bank and thus no additional non-medical time 
required of them with respect to the array of data elements.
    Comment: A number of State agencies cited their respective State 
statutes that prohibit the collection or reporting of Social Security 
Numbers and, in some instances, other personal data (such as sex and 
date of birth). Ten commenters stated that their organizations did not 
routinely collect Social Security Numbers or Taxpayer Identification 
Numbers.
    Response: The statute offers the OIG no discretion in this 
collection element provision. The Federal statute authorizing this data 
base takes precedence over and preempts State statutory requirements, 
and specifically requires the reporting of Taxpayer Identification 
Numbers, which includes Social Security Numbers and Federal Employer 
Identification Numbers. As to the inclusion of other personal 
identifiers, we have determined that these elements are required to 
insure proper identification of subjects reported to the data bank and, 
consequently, these requirements are being retained in the final 
regulations. We believe that the various reporting entities can make 
the proper adjustments to secure the required information without undue 
hardship or burden.
    Comment: Some commenters raised concern over the need to include 
``Occupation'' as one of the mandatory element under the HIPDB.
    Response: For identification purposes, we believe it is important 
for a querier of the data bank to know a subject's occupation. Today's 
health care providers are frequently involved in different ventures and 
occupations. Reportable actions may arise in one area of a subject's 
endeavors, but not in others. Therefore, we believe that queriers must 
be made aware of all reportable actions against a subject, and an 
integral element of this is learning the occupation in which these 
actions were taken.
    Comment: Three commenters requested that ``Other Names Used'' be a 
mandatory field, particularly with regard to female subjects.
    Response: We are satisfied that this element should be reported 
``if known,'' and we assume the reporters will provide these names if 
such information is available to them.
    Comment: We received comments regarding the ``Physician Specialty'' 
data element. Commenters questioned why specialty data were only being 
collected on physicians and not on other types of practitioners.
    Response: We agree with the suggestion that ``specialty'' should be 
reported for all practitioners, if applicable, and are modifying the 
regulations accordingly.
    Comment: Twenty-six commenters suggested that the ``Name of the 
Affiliated or Associated Health Care Entity'' not be made a mandatory 
field.
    Response: The statute requires that this information be reported 
``if known.'' We agree with the commenters' concerns, and will clarify 
the language in the final regulations to emphasize that this 
information be reported only if known.
    Comment: Several comments stated that potential reporters do not 
currently collect the mandatory element ``National Provider 
Identifier'' (NPI).
    Response: We are aware that NPIs have not been issued and, 
therefore, cannot be reported. However, once HCFA issues these 
identification numbers, the collection and reporting of NPIs to the 
HIPDB will be mandatory. Reporters are advised to begin the necessary 
steps to collect this identifier in the future, as it becomes 
available. In this final rule, we are deleting the data field ``NPI for 
Affiliated or Associated Health Care Entities.''
    Comment: One commenter suggested that the HIPDB also add the method 
used to detect the act that underlies the action being reported.
    Response: We disagree. We believe this information will not be 
useful, and would create an additional reporting burden.
    Comment: Commenters stated that some reporters do not collect data 
on the ``Name of Each Professional School Attended and Year of 
Graduation.''
    Response: These data are mandatory requirements of the NPDB and are 
routinely provided by State agencies and organizations representing 
physicians and dentists. These NPDB requirements will remain unchanged. 
For reports made solely to the HIPDB, these data elements will be 
mandatory for licensing and certification actions reported by Federal 
and State agencies, which routinely collection this information, and 
will be designated as ``if known'' for all other reporters.
    Comment: Several commenters noted the unreliability of a ``Work 
Address'' element for individual subjects, and other commenters stated 
that only an ``Address of Record'' would be known by certain reporters.
    Response: The OIG agrees with these comments and is revising the 
final regulations accordingly. Only one address--either the subject's 
``Home Address'' or the ``Address of Record''--will be mandatory for 
each report. Other addresses, such as a primary work address, will be 
reportable only ``if known.''
    Comment: Twelve comments were received concerning the mandatory 
``Description of the Acts or Omissions'' and the ``Description of the 
Action'' fields. The commenters suggested use of numerical codes in 
lieu of narrative descriptions.
    Response: The statute is clear that the ``Description of the Acts 
or Omissions'' field is a mandatory element. However, to assist users 
of this information, we are adopting the suggestion of a code list that 
corresponds to the most common underlying acts expected to be reported. 
Use of this code will be mandatory, along with a narrative description 
of the acts or omissions and injuries upon which the reported action 
was based. With regard to the ``Description of the Action'' field, we 
have changed the final rule to show that the mandatory requirements for 
reporting an action are the date the action was taken, its effective 
date and duration, the amount of any monetary penalty, and whether

[[Page 57754]]

the action is on appeal. We believe these elements are essential for a 
user's understanding of the action being reported. The proposed rule 
also called for a mandatory ``Classification of the action'' in 
accordance with a reporting code adopted by the Secretary. While the 
``Description of the action'' has been deleted, the ``Action code'' 
will remain as a mandatory element in the final regulations.
    Comment: Five comments were received requesting additional 
clarification regarding the reporting of ``Professional license, 
certification or registration.''
    Response: In response to these comments, we are clarifying the 
final regulations to indicate that for licensure certification or 
registration actions taken by Federal and State licensing and 
certification agencies, the mandatory information to be reported will 
be on the professional license, certification or registration on which 
the action was taken. Information on other licenses, certifications or 
registrations, including those issued in other States or by other 
agencies, will be reportable to the data bank ``if known.''
    b. Estimated burden of data collection requirements. Comment: A 
number of commenters stated that the proposed rule did not accurately 
address the burden as it applies to the cost of creating and 
maintaining the data collection system, or the costs associated with 
collecting the required data elements. Commenters stated that the 
start-up cost, indicated at $5,000, was significantly underestimated. 
One commenter strongly believed that the costs associated with the 
HIPDB system would far outweigh its benefit, and several commenters 
stated that they would need to hire new employees in order to meet the 
HIPDB reporting requirements. One commenter indicated that, while their 
State proportionally had a smaller number of health care providers than 
some of the larger States, its State agency nevertheless took 712 
actions last year that would need to be reported to the HIPDB, 
resulting in what they believed would be a larger than estimated burden 
nationwide.
    Response: In developing our burden statement and estimate, 
calculations for the regulatory impact statement in the proposed rule 
were based on estimations derived from the regulatory impact prepared 
for the proposed rule currently being developed for State licensing 
boards addressing section 1921 of the Act. Section 1921 of the Act, as 
amended by section 5(b) of the Medicare and Medicaid Patient and 
Program Protection Act of 1987 and by the Omnibus Budget Reconciliation 
Act of 1990, requires each State to adopt a system that reports to the 
Secretary certain adverse licensure actions taken against health care 
practitioners and health care entities that are licensed or otherwise 
authorized by a State (or a political subdivision) to provide health 
care services. Similar to the information required for the HIPDB, 
section 1921 of the Act already requires, for reporting to the NPDB, 
that each State (1) report any negative actions or findings that a 
State licensing authority, peer review organization or private 
accreditation entity takes against a health care practitioner or health 
care entity; and (2) have an information reporting system in place as 
of January 1, 1992, regardless of whether the Secretary promulgated 
regulations to carry out these provisions. Therefore, since 1992, the 
States already have been required to collect much of the information to 
which they attribute their costs of collecting information for 
reporting to the HIPDB. However, we recognize that the regulatory 
impact will vary from State to State, and as a result, we have adjusted 
our burden estimates in this final rule accordingly. Specifically, 
after consideration of the concerns raised, we agree with the 
commenters that their developing or restructuring of a data collection 
system to incorporate the HIPDB requirements may have been 
underestimated. Therefore, we have increased the start-up cost estimate 
to $20,000 for each State licensing board. In terms of the reporting 
burden for State licensing agencies, we were advised by national 
organizations that represent State licensing boards that much of the 
requested data are already being collected and maintained by their 
organization. Therefore, we believe that the reporting burden for State 
licensing boards, such as nursing, chiropractic, optometry, physical 
therapist and social worker should be minimal.
    Comment: Some commenters believed that complying with the HIPDB 
would be labor intensive and costly. Commenters suggested that the 
HIPDB data collection requirements would create an administrative 
burden for State licensing boards.
    Response: As indicated above, the OIG has addressed the reporting 
requirements in detail in this preamble in response to public comments. 
We agree with many of the commenters' concerns, and are streamlining 
the HIPDB reporting requirements accordingly. The OIG believes that 
this final rule now reflects the least burdensome reporting 
requirements possible with respect to State agencies' compliance.
    Comment: Several commenters proposed alternatives that they 
believed might ease the burden on State licensing boards. Specifically, 
commenters recommended that the OIG make use of various authorized 
agents, such as the National Council of State Boards of Nursing, 
Federation of Chiropractic Licensing Boards, National Association of 
Boards of Pharmacy and the American Association of State Social Work 
Boards to collect and report the required information, thus lessening 
the burden on individual health plans and State agencies.
    Response: In developing this rulemaking, the OIG sought the input 
from States and representatives of various associations. Initially, the 
OIG met with State regulatory boards and associations, including the 
National Council of State Boards of Nursing, Federation of Chiropractic 
Licensing Boards, National Association of Boards of Pharmacy and the 
American Association of State Social Work Boards, to explain the 
requirements of the HIPDB and to explore options that would ease the 
regulatory burden on State agencies. As a result with respect to State 
licensing boards, we suggested the following options: (1) organizing a 
centralized or decentralized reporting mechanism within the State, or 
(2) reporting to the data bank through an authorized agent. If an 
authorized agent is utilized by the State, individual agreements must 
be made between the State and the professional association, as well as 
between the State and the HIPDB.

IV. Summary of Revisions in the Final Rule

    Based on our review and response to the array of public comments, 
and based on the discretionary authority given the Department under the 
statute, we are making the following revisions to the proposed 
regulations that we believe will allow the collection and dissemination 
of information to and from the HIPDB to occur in a more effective and 
efficient manner:

Section 61.3

     We are revising the definition of the term ``Affiliated or 
associated'' to read as follows: Affiliated or Associated means health 
care entities with which a subject of a final adverse action has a 
commercial business relationship, including but not limited to, 
organizations, associations, corporations, or partnerships. It also 
includes a professional corporation or other business entity composed 
of a single individual.

[[Page 57755]]

     In the definition of the term ``Any other negative action 
or finding,'' we are adding the following sentence: ``This definition 
excludes administrative fines or citations and corrective action plans, 
unless they are: (1) Connected to the delivery of health care services, 
and (2) taken in conjunction with other licensure or certification 
actions such as revocation, suspension, censure, reprimand, probation, 
or surrender.''
     We are deleting the proposed definition for the term 
``Clinical privileges.''
     We are amending the fourth element in the definition of 
the term ``Government agency'' to include both Federal and State law 
enforcement agencies, and law enforcement investigators as well as 
States Attorneys General.
     In the first sentence under the definition for the term 
``Health care supplier,'' we have inserted a comma and are adding the 
phrase ``whether directly or indirectly,'' after the statement ``* * * 
or any individual or entity, other than a provider, who furnishes'' and 
we have replaced the example of ``manufacturers of health care related 
items'' with the phrase ``manufacturers of health care items.'' We have 
also revised the second sentence in the definition to read as follows: 
``The term also includes any individual or entity under contract to 
provide such supplies, items or ancillary services, health plans as 
defined in this section (excluding employers that are not self-insured) 
and health insurance producers (including, but not limited to, agents, 
brokers, solicitors, consultants and reinsurance intermediaries).''
     We are modifying the fourth element in the proposed 
definition of the term ``Health plan'' to make the definition more 
inclusive. As revised the fourth element will include, but not be 
limited to, ``[A] plan, program, agreement or other mechanism 
established, maintained or made available by a self insured employer or 
group of self insured employers, a practitioner, provider or supplier 
group, third party administrator, integrated health care delivery 
system, employee welfare association, public service group or 
organization or professional association * * *''
     We are adding a definition for the term ``Organizational 
name and type.'' The ``organization name'' data element, to be reported 
for all types of actions described in Secs. 61.7, 61.8, 61.9, 61.10 and 
61.11, means the subject's business or employer at the time the 
underlying acts occurred. If more than one business or employer is 
involved, the one most closely related to the underlying acts must be 
reported in ``organization name,'' with the others being reported in 
the ``affiliated or associated health care entities'' field. The 
``organization type'' is a brief description of the nature of that 
business or employer.
     The definition for ``Other adjudicated actions or 
decisions'' specifically excludes clinical privileging actions taken by 
Federal or State governmental agencies, paneling decisions made by 
health plans and overpayment determinations by Federal and State agency 
contractors or by health plans.
     We are also adding a new definition for the term 
``Voluntary surrender'' to mean a surrender made after a notification 
of investigation or a formal official request by Federal or State 
licensing or certification authorities for a health care provider, 
supplier, or practitioner to surrender the license or certification 
(including certification agreements or contracts for participation in 
Federal or State health care programs). The definition also includes 
those instances where a health care provider, supplier or practitioner 
voluntarily surrenders a license or certification (including program 
participation agreements or contracts) in exchange for a decision by 
the licensing or certification authority to cease an investigation or 
similar proceeding, or in return for not conducting an investigation or 
proceeding, or in lieu of a disciplinary action.

Section 61.9

     With regard to reporting civil judgments related to the 
delivery of a health care item or service, we are adding the following 
language to Sec. 61.9(a): ``If a Government agency is party to a multi-
claimant civil judgment, it must assume the responsibility for 
reporting the entire action, including all amounts awarded to all the 
claimants, both public and private. If there is no Government agency as 
a party, but there are multiple health plans as claimants, the health 
plan which receives the largest award must be responsible for reporting 
the total action for all parties.''

Section 61.12

     With regard to requesting information from the HIPDB, we 
are revising the first sentence in Sec. 61.12 (a)(4) to indicate that 
information in the data bank will be available, upon request, to ``[A] 
person or entity who requests statistical information, which does not 
permit any personal identifiers for any individual or entity.''

Section 61.13

     We are adding the following sentence to the end of 
Sec. 61.13 (a) with regard to our policy on fees applicable to requests 
for information: ``For the same purpose, the Department will provide a 
copy of the report--automatically, without a request and free of 
charge--to the reporter that submitted it.''

Data Elements To Be Reported to the HIPDB

    In view of the comments and responses discussed above, and in an 
effort to clarify reporting requirements, the data elements have been 
reformatted. Sections 61.7, 61.8, 61.9, 61.10 and 61.11 are structured 
as follows:
     The actions which must be reported and who is responsible 
for making those reports.
     The mandatory personal identifiers and employment or 
professional identifiers for individual subjects; the mandatory 
identifiers for organization subjects; and the mandatory data elements 
for all subjects relating to the acts or omissions, the action taken 
and the reporting entity.
     The ``if known'' personal identifiers and employment or 
professional identifiers for individual subjects; the ``if known'' 
identifiers for organization subjects; and the ``if known'' data 
elements for all subjects relating to the acts or omissions, and the 
action taken.
     Each section concludes with the sanctions for failure to 
report.

Section 61.16

     We are adding a new Sec. 61.16 Immunity, to indicate that 
individuals, entities or their authorized agents and the HIPDB will not 
be held liable in any civil action filed by the subject of a report 
unless the individual, entity or their authorized agent submitting the 
report has actual knowledge of falsity of the information contained in 
the report.

V. Regulatory Impact Statement

Executive Order 12866, the Unfunded Mandates Reform Act and the 
Regulatory Flexibility Act

    The Office of Management and Budget (OMB) has reviewed this final 
rule in accordance with the provisions of Executive Order 12866, the 
Unfunded Mandates Reform Act and the Regulatory Flexibility Act (5 
U.S.C. 601-612), and has determined that it does not meet the criteria 
for a significant regulatory action.
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and,

[[Page 57756]]

when rulemaking is necessary, to select regulatory approaches that 
maximize net benefits (including potential economic, environmental, 
public health, safety, distributive and equity effects). The Unfunded 
Mandates Reform Act, Public Law 104-4, requires that agencies prepare 
an assessment of anticipated costs and benefits on any rulemaking that 
may result in an annual expenditure by State, local or tribal 
government, or by the private sector of $100 million or more. In 
addition, under the Regulatory Flexibility Act, if a rule has a 
significant economic effect on a substantial number of small entities, 
the Secretary must specifically consider the economic effect of a rule 
on small entities and analyze regulatory options that could lessen the 
impact of the rule.
    Executive Order 12866 requires that all regulations reflect 
consideration of alternatives, costs, benefits, incentives, equity, and 
available information. Regulations must meet certain standards, such as 
avoiding unnecessary burden. Regulations that are ``significant'' 
because of cost, adverse effects on the economy, inconsistency with 
other agency actions, effects on the budget, or novel legal or policy 
issues, require special analysis. The resources required to implement 
the requirements in this final rule are minimal. We have determined 
that this final rule does not meet the criteria for a major rule, as 
defined by Executive Order 12866. As indicated above, this final rule 
is designed to establish procedures for reporting to and releasing from 
the HIPDB information on health care providers, suppliers, or 
practitioners against whom final adverse actions have been taken.
    In accordance with the Unfunded Mandates Reform Act of 1995, we 
have determined the only costs (which we believe will not be 
significant) would include the ability to transmit the information 
electronically (e.g., Internet service) and additional staff hours 
needed to transmit the information. Based on the public comments, we 
have increased the initial start-up cost from $5,000 to $20,000 per 
State licensing and certification agency ($20,000 per State licensing 
and certification agency  x  216 State agencies = $4,320,000). The 
Department determined that the initial start-up cost will be less than 
$100 per health plan ($100 per health plan  x  20,000 health plans = 
$2,000,000). Section 221(a) of HIPAA intends that the Federal 
Government will not incur any costs for the operation and maintenance 
of the HIPDB; user fees are intended to cover the full costs of the 
HIPDB. For the reasons stated above, the Department has determined that 
this rule does not impose any mandates on State, local or tribal 
governments, or the private sector that will result in an annual 
expenditure of $100 million or more, and that a full analysis under the 
Act is not necessary.
    In addition, in accordance with the Regulatory Flexibility Act of 
1980 (RFA), and the Small Business Regulatory Enforcement Act of 1996, 
which amended the RFA, we are required to determine if this rule will 
have a significant economic effect on a substantial number of small 
entities and, if so, to identify regulatory options that could lessen 
the impact. For purposes of this final rule, we have not categorized 
health plans as small business entities in accordance with the RFA, nor 
have we included individuals and States in this definition of small 
entities. Rather, we have defined small entities as nonprofit 
organizations and local government agencies. Although the statute does 
not specify local government agencies as reporters, we also have given 
States the option to decide the manner in which they will report, i.e., 
having one centralized point for reporting or having multiple agencies 
such as municipalities and local government agencies (including 
District and County attorneys) report independently to the HIPDB. If 
States elect to have multiple agencies reporting independently to the 
HIPDB, we have determined that both the burden and costs associated 
with reporting to the HIPDB will be minimal. We also have determined 
that this rule would affect less than 100 nonprofit and local 
government agencies. Also with respect to health plans, we have 
determined that the burden and cost to them will be minimal. In an 
effort to reduce the reporting and impact burdens upon health plans, we 
have, as indicated above, clarified the definition of the term ``other 
adjudicated actions or decisions'' to emphasize that such an action 
requires the availability of a due process mechanism. We have in the 
rule specifically limited the types of actions that health plans will 
be required o report to a more limited and narrower category of 
actions. We are not preparing an analysis for the RFA, since we have 
determined, and the Secretary certifies, that this rule will not have a 
significant economic impact on a substantial number of small entities 
and, in accordance with the threshold criteria of Executive Order 13132 
(August 4, 1999), have determined that these regulations do not 
significantly affect the rights, roles and responsibilities of States.

Paperwork Reduction Act

    In compliance with section 3506(c)(2)(A) of the Paperwork Reduction 
Act (PWA) of 1995, we are required to solicit public comments, and 
receive final OMB approval, on any information collection requirements 
set forth in final rulemaking. As indicated above, in order to properly 
implement the HIPDB, the OIG requires the collection of certain 
information as set forth in Secs. 61.6, 61.7, 61.8, 61.9, 61.11, 61.12 
and 61.15 of this final rule. In accordance with the PWA, we are 
submitting to OMB at this time the following requirements for seeking 
emergency review of these provisions. We are requesting an emergency 
review because the data collection and reporting of this information is 
needed before the expiration of the normal time limits under OMB's 
regulations at 5 CFR part 1320, to ensure the timely availability and 
reporting of data as necessary in order to improve the quality of 
patient care and to prevent health care fraud and abuse activities. 
Delaying the reporting process would delay implementation of the 
establishment of a complete data bank that effectively deters health 
care fraud and abuse in the health care industry and protects the 
public. We are requesting OMB review and approval of this collection 
within 16 working days from the date of publication of this rulemaking, 
with a 180-day approval period. Written comments and recommendations 
will be accepted from the public if received by the individual 
designated below within 15 working days from the dat of publication of 
these regulations. During this 180-day approval period, we will publish 
a separate Federal Register notice announcing the initiation of an 
extensive 60-day agency review and public comment period on the 
requirements set forth.
    Collection of Information: The Healthcare Integrity and Protection 
Data Bank for Final Adverse Information on Health Care Providers, 
Suppliers and Practitioners.
    Description: Information collected under Secs. 61.6, 61.7, 61.8, 
61.9, 61.11, 61.12 and 61.15 of this final rule would be used by 
authorized parties, specified in the proposed rule, to prevent health 
care fraud and abuse activities and to improve the quality of patient 
care.
    Description of Respondents: Federal and State Government agencies 
and health plans. The reports from Federal agencies are not subject to 
the PRA.
    Estimated Annual Reporting: The Department estimates that the 
public reporting burden for this final rule is

[[Page 57757]]

185,099 hours. As a result of the public comments, we acknowledge that 
the proposed rule significantly under estimated the number of licensure 
and certification actions taken by State licensing authorities against 
health care providers, suppliers and practitioners. Therefore, we have 
increased the reporting burden from 132,733 to 185,099 hours.
    The estimated annual reporting and querying burden is as follows:

----------------------------------------------------------------------------------------------------------------
                                     Number of     Responses per       Total         Hours per     Total burden
           Section No.              respondents     respondent       responses       response          hours
----------------------------------------------------------------------------------------------------------------
61.6, Errors & Omissions........       \1\ 1,200               1           1,200              25             500
61.6, Revisions/Appeal Status...           1,000               1           1,000              75           1,250
61.7--Licensure Actions:
    Disclosure by State                \2\ 1,836              22          40,400              75          50,500
     Licensing Boards...........
    Reporting by State Licensing             216             187          40,400              15          10,100
     Authorities................
61.8, Criminal Convictions......          \3\ 54              13             700              75             875
61.9, Civil Judgments...........          \4\ 62               8             500              75             625
61.11, Other Adjudicated Action           \5\ 66              12             800              75           1,000
 or Decision....................
61.12:
    Queries.....................       \6\ 5,601             201       1,127,512               5          93,959
    Self-queries................          60,000               1          60,000              25          25,000
    Entity verification \7\.....           5,000               1           5,000              10             833
    Entity update...............             250               1             250               5              20
61.12, Authorized agent                      100               1             100              10              16
 designation \7\................
61.12, Authorized agent                        5               1               5               5            0.42
 designation update.............
61.15--Disputed Reports &
 Secretarial Review:
    Initial Request.............         \8\ 750               1             750              10             125
    Request for Secretarial                   37               1              37             480             296
     Review.....................
                                 -------------------------------------------------------------------------------
    Total.......................          76,177  ..............       1,278,654        185,099
----------------------------------------------------------------------------------------------------------------
Footnotes:
1. Section 61.6 requires each Government agency or health plan that reports information to the HIPDB to ensure
  the accuracy of the information. If there are any errors or omissions to the reports previously submitted to
  the HIPDB, the individual or entity that submitted the report to the HIPDB is also responsible for making the
  necessary correction or revision to the original report. If there is any revision to the action or the action
  is on appeal, the individual or entity that submitted the original report to the HIPDB is also responsible for
  reporting revisions and whether the action is on appeal. Based on corrections and revisions made to
  information contained in the NPDB, we have estimated that a total of 1,200 respondents will need to correct
  their reports each year and that a total of 1,000 respondents will need to revise actions originally reported,
  or to report whether an action is on appeal each year. Based on experience with the NPDB, a correction is
  expected to take 25 minutes to complete and submit. A revision is expected to take somewhat longer (75
  minutes) because it involves completing a new report form rather that just correcting the individual items
  that are in error.
2. Section 61.7 requires Federal and State agencies responsible for the licensing and certification of health
  care providers, suppliers and practitioners to report all disciplinary licensure actions to the HIPDB.
  Therefore, we estimate that approximately 34 State licensing boards in each State will report to the State
  licensing and certification authorities (54 States and territories x 34 licensing boards/per State = 1,836
  State licensing and certification boards), and the State licensing and certification authorities (4 per State)
  will be responsible for reporting information to the HIPDB (54 States and territories x 4 State licensing and
  certification authorities/per State = 216 State licensing and certification authorities). We estimate that
  40,400 reports will be submitted directly to the HIPDB each year, for an average of 187 reports per State
  licensing and certification authority and 22 reports per State licensing board. Since disciplinary licensure
  actions by State licensing authorities in the NPDB overlap with this statute, this estimate includes all
  licensure actions that will be reported to both the NPDB and the HIPDB. The HIPDB will use similar forms and
  procedures for reporting as the NPDB. As a result, we estimate that it will take a State licensing board 75
  minutes to complete and submit an initial report. We also estimate that it will take a State licensing and
  certification authority 15 minutes to verify the accuracy and completeness of the information contained in the
  initial report before electronically submitting the information to the HIPDB.
3. Section 61.8 requires Federal and State prosecutors to report criminal convictions related to the delivery of
  a health care item or service. Based on the number of health care providers, suppliers and practitioners
  convicted by the Federal Government, we estimate that there will be an approximate total of 700 State criminal
  convictions reported to the HIPDB each year, for an average of 13 convictions per State. Based on experience
  with the NPDB, we estimate that it will take 75 minutes to complete and submit each report.
4. Section 61.9 requires Federal and State attorneys and health care plans to report civil judgments against
  health care providers, suppliers and practitioners related to the delivery of a health care item or service.
  We estimate that there will be an approximate total of 500 civil judgments each year that will be reported by
  the 54 States Attorneys and an estimated 8 health plans, for a total of 62 reporters. Based on experience with
  the NPDB, we estimate that it will take 75 minutes to complete and submit each report.
5. Section 61.11 requires Federal and State Governmental agencies and health plans to report any adjudicated
  action or decision related to the delivery of a health care item or service against health care providers,
  suppliers and practitioners. We estimate that there will be an approximate total of 800 other adjudicated
  actions or decision reports submitted to the HIPDB each year by 54 State governmental agencies and an
  estimated 12 health plans, for a total of 66 reporters. Based on experience with the NPDB, we estimate that it
  will take 75 minutes to complete and submit each report.
6. Certain queriers have access to both the NPDB and the HIPDB. When these entities query one data bank, they
  may elect to automatically receive reports from both. The Department estimates that there will be 1,127,512
  queries submitted to the HIPDB per year on health care providers, suppliers and practitioners, including an
  estimated 60,000 self-queries. These estimates include only queries submitted directly to the HIPDB; it does
  not include those transferred from the NPDB. The estimates of burden per response are based on experience with
  similar querying of the NPDB.
7. To access the HIPDB, entities are required to certify that they meet section 1128E reporting and querying
  requirements by completing an Entity Registration form and submitting it to the HIPDB. The information
  collected on this form provides the HIPDB with essential information concerning the entity, such as name,
  address and entity type. Eligible entities, such as State licensing agencies or certain managed care
  organizations, that have access to both the NPDB and the HIPDB have already registered for the NPDB and are
  not required to register separately for the HIPDB. Entities eligible to access only the HIPDB must complete
  and submit the Entity Registration form. We estimate that it will take an entity 10 minutes to complete and
  submit the Entity Registration form to the HIPDB. If there are any changes in the entity's name, address,
  telephone, entity type designation, or query and report point of contact, the entity representative must
  update the information on the Entity Information Update form and submit it to the HIPDB. Of the 5,000 new
  registrants, we estimate 250 entities (5 percent of all new registrants) will need to update their
  organization's information each year.

[[Page 57758]]

 
An eligible entity may elect to have an outside organization query or report to the HIPDB on its behalf. This
  organization is referred to as an authorized agent. Before an authorized agent acts on behalf of an entity,
  the eligible entity must complete and submit an Agent Designation form to the HIPDB Help Line. The information
  collected on this form provides the HIPDB with essential information concerning the agent, such as name,
  address and telephone number. We estimate that 100 entities (2 percent of all new registrants) will elect an
  authorized agent to query or report to the HIPDB on their behalf. We estimate that it will take an entity 10
  minutes to complete and submit the Agent Designation form to the HIPDB. Any changes to the authorized agent
  designation, such as routing of responses to queries or termination of an authorized agent, the eligible
  entity must update the information on the Agent Designation Update form and submit it to the HIPDB. We
  estimate that five of the 100 eligible entities will need to update their agent's information each year.
8. Section 61.15 describes the process to be followed by a health care provider, supplier or practitioner in
  disputing the factual accuracy of information in a report and requesting Secretarial review of the disputed
  report. Based on experience with the NPDB, we estimate that 750 (10 percent of all new reports) will be
  entered into the ``disputed status.'' We estimate that it will take a health care provider, supplier or
  practitioner 10 minutes to notify the HIPDB to enter the report into ``disputed status.'' Of the 750 disputed
  reports, we estimate that only 37 reports (5 percent) will be forwarded to the Secretary for review. We
  estimate that it will take a health care provider, supplier or practitioner 8 hours to describe in writing
  which facts are in dispute and to gather supporting documentation related to the dispute.

    Forms to be used in the day-to-day management of the HIPDB would 
include the following:

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                             Hrs. per
                Form name                     No. of       Responses per       Total         response      Total burden      Wage rate      Total cost
                                            respondents     respondent       responses       (minutes)         hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
Account Discrepancy.....................           2,000               1           2,000               5             166             $15          $2,490
Electronic Funds Transfer Authorization.             850               1             850               5              70              15           1,050
Entity Reactivation.....................             500               1             500               5              41              15             615
                                         ---------------------------------------------------------------------------------------------------------------
    Total...............................           3,350  ..............           3,350  ..............             277  ..............           4,155
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Comments on this information collection activity should be sent to: 
Allison Herron Eydt, OIG Desk Officer, Office of Management and Budget, 
Room 10235, New Executive Office Building, 725 17th Street, N.W., 
Washington, D.C. 20053, FAX: (202) 395-6974.

VI. Waiver of Delayed Effective Date

    In publishing final regulations, we usually indicate an effective 
date of 30 days following their publication in the Federal Register. 
However, this procedure may be waived when an agency finds good cause 
that a delay in the effective date is impracticable, unnecessary or 
contrary to the public interest.
    Section 221(a) of HIPAA stated that the Secretary establish a 
national health care fraud and abuse data collection program by January 
1, 1997. After a series of meetings with more than 1,000 current users 
of the NPDB and potential users of, and reporters to, the HIPDB 
(including health plans, State licensing boards, law enforcement 
officials, Federal and State Government agencies and professional 
associations), on October 31, 1998, we published a notice of proposed 
rulemaking in the Federal Register in which we requested public comment 
on the implementation of the HIPDB. As indicated, we received 117 
formal public comments in response to that proposed rulemaking. 
Further, in developing the final rule, we have also taken into 
consideration the concerns of numerous Federal agencies, including the 
Department of Justice, the Department of Defense, the Department of 
Veterans Affairs and the U.S. Postal Inspection Service. Through this 
process, the Department has continued to work closely with the 17 
national licensing boards organizations--including those for nurses, 
chiropractors, optometrists and physical therapists--that represent 
more than 4 million health care practitioners. In addition, the OIG 
also has contacted each State Governor regarding the reporting 
requirements of the HIPDB and continues to work with the States to help 
implement the States' reporting.
    To implement the requirements of the statute, we believe that it is 
urgent that final regulations be promulgated without further delay in 
order to (1) streamline the fact-gathering process by law enforcement 
officials, regulatory agencies and health plans; (2) allow health care-
related final adverse actions taken against providers, practitioners 
and suppliers to be reported to the HIPDB; and (3) establish a 
centralized system that will make this information easily accessible to 
authorized users.
    In light of the fact that we have provided ample opportunity for 
public input and comment, and have worked closely with Federal and 
State Government agencies and various national organizations and their 
members in developing the HIPDB, we find that imposing the normal 30-
day delay would be contrary to public interest. Therefore, consistent 
with 5 U.S.C. 553(d), we find good cause to waive the delay in the 
effective date of this rule and allow for the timely implementation of 
final regulations and the start-up of the data bank.

List of Subjects in 45 CFR Part 61

    Billing and transportation services, Durable medical equipment 
suppliers and manufacturers, Health care insurers, Health maintenance 
organizations, Health professions, Home health care agencies, 
Hospitals, Penalties, Pharmaceutical suppliers and manufacturers, 
Privacy, Reporting and recordkeeping requirements, Skilled nursing 
facilities.
    Accordingly, a new 45 CFR part 61 is added to read as follows:

PART 61--HEALTHCARE INTEGRITY AND PROTECTION DATA BANK FOR FINAL 
ADVERSE INFORMATION ON HEALTH CARE PROVIDERS, SUPPLIERS AND 
PRACTITIONERS

Subpart A--General Provisions

Sec.
61.1  The Healthcare Integrity and Protection Data Bank.
61.2  Applicability of these regulations.
61.3  Definitions.

Subpart B--Reporting of Information

61.4  How information must be reported.
61.5  When information must be reported.
61.6  Reporting errors, omissions, revisions, or whether an action 
is on appeal.
61.7  Reporting licensure actions taken by Federal or State 
licensing and certification agencies.
61.8  Reporting Federal or State criminal convictions related to the 
delivery of a health care item or service.
61.9  Reporting civil judgments related to the delivery of a health 
care item or service.
61.10  Reporting exclusions from participation in Federal or State 
health care programs.
61.11  Reporting other adjudicated actions or decisions.

[[Page 57759]]

Subpart C--Disclosure of Information by the Healthcare Integrity and 
Protection Data Bank

61.12  Requesting information from the Healthcare Integrity and 
Protection Data Bank.
61.13  Fees applicable to requests for information.
61.14  Confidentiality of Healthcare Integrity and Protection Data 
Bank information.
61.15  How to dispute the accuracy of Healthcare Integrity and 
Protection Data Bank information.
61.16  Immunity.

    Authority: 42 U.S.C. 1320a-7e.

Subpart A--General Provisions


Sec. 61.1  The Healthcare Integrity and Protection Data Bank.

    (a) Section 1128E of the Social Security Act (the Act) authorizes 
the Secretary of Health and Human Services (the Secretary) to implement 
a national health care fraud and abuse data collection program for the 
reporting and disclosing of certain final adverse actions taken against 
health care providers, suppliers, or practitioners. Section 1128E of 
the Act also directs the Secretary to maintain a database of final 
adverse actions taken against health care providers, suppliers or 
practitioners. This data bank will be known as the Healthcare Integrity 
and Protection Data Bank (HIPDB). Settlements in which no findings or 
admissions of liability have been made will be excluded from being 
reported. However, if another action is taken against the provider, 
supplier or practitioner of a health care item or service as a result 
of or in conjunction with the settlement, that action is reportable to 
the HIPDB.
    (b) Section 1128E of the Act also requires the Secretary to 
implement the HIPDB in such a manner as to avoid duplication with the 
reporting requirements established for the National Practitioner Data 
Bank (NPDB) (See 45 CFR part 60). In accordance with the statute, the 
reporter responsible for reporting the final adverse actions to both 
the HIPDB and the NPDB will be required to submit only one report, 
provided that reporting is made through the Department's consolidated 
reporting mechanism that will sort the appropriate actions into the 
HIPDB, NPDB, or both.
    (c) The regulations in this part set forth the reporting and 
disclosure requirements for the HIPDB.


Sec. 61.2  Applicability of these regulations.

    The regulations in this part establish reporting requirements 
applicable to Federal and State Government agencies and to health 
plans, as the terms are defined under Sec. 61.3.


Sec. 61.3  Definitions.

    The following definitions apply to this part:
    Act means the Social Security Act.
    Affiliated or associated means health care entities with which a 
subject of a final adverse action has a commercial relationship, 
including but not limited to, organizations, associations, 
corporations, or partnerships. It also includes a professional 
corporation or other business entity composed of a single individual.
    Any other negative action or finding by a Federal or State 
licensing agency means any action or finding that under the State's law 
is publicly available information, and rendered by a licensing or 
certification authority, including but not limited to, limitations on 
the scope of practice, liquidations, injunctions and forfeitures. This 
definition also includes final adverse actions rendered by a Federal or 
State licensing or certification authority, such as exclusions, 
revocations or suspension of license or certification that occur in 
conjunction with settlements in which no finding of liability has been 
made (although such a settlement itself is not reportable under the 
statute). This definition excludes citations, corrective action plans 
and personnel actions.
    Civil judgment means a court-ordered action rendered in a Federal 
or State court proceeding, other than a criminal proceeding. This 
reporting requirement does not include Consent Judgments that have been 
agreed upon and entered to provide security for civil settlements in 
which there was no finding or admission of liability.
    Criminal conviction means a conviction as described in section 
1128(i) of the Act.
    Exclusion means a temporary or permanent debarment of an individual 
or entity from participation in any Federal or State health-related 
program, in accordance with which items or services furnished by such 
person or entity will not be reimbursed under any Federal or State 
health-related program.
    Government agency includes, but is not limited to--
    (1) The U.S. Department of Justice;
    (2) The U.S Department of Health and Human Services;
    (3) Any other Federal agency that either administers or provides 
payment for the delivery of health care services, including, but not 
limited to, the U.S. Department of Defense and the U.S. Department of 
Veterans Affairs;
    (4) Federal and State law enforcement agencies, including States 
Attorneys General and law enforcement investigators;
    (5) State Medicaid Fraud Control Units; and
    (6) Federal or State agencies responsible for the licensing and 
certification of health care providers, suppliers or licensed health 
care practitioners. Examples of such State agencies include Departments 
of Professional Regulation, Health, Social Services (including State 
Survey and Certification and Medicaid Single State agencies), Commerce 
and Insurance.
    Health care provider means a provider of services as defined in 
section 1861(u) of the Act; any health care entity (including a health 
maintenance organization, preferred provider organization or group 
medical practice) that provides health care services and follows a 
formal peer review process for the purpose of furthering quality health 
care, and any other health care entity that, directly or through 
contracts, provides health care services.
    Health care supplier means a provider of medical and other health 
care services as described in section 1861(s) of the Act; or any 
individual or entity, other than a provider, who furnishes, whether 
directly or indirectly, or provides access to, health care services, 
supplies, items, or ancillary services (including, but not limited to, 
durable medical equipment suppliers, manufacturers of health care 
items, pharmaceutical suppliers and manufacturers, health record 
services such as medical, dental and patient records, health data 
suppliers, and billing and transportation service suppliers). The term 
also includes any individual or entity under contract to provide such 
supplies, items or ancillary services; health plans as defined in this 
section (including employers that are self-insured); and health 
insurance producers (including but not limited to agents, brokers, 
solicitors, consultants and reinsurance intermediaries).
    Health plan means a plan, program or organization that provides 
health benefits, whether directly, through insurance, reimbursement or 
otherwise, and includes but is not limited to--
    (1) A policy of health insurance;
    (2) A contract of a service benefit organization;
    (3) A membership agreement with a health maintenance organization 
or other prepaid health plan;
    (4) A plan, program, or agreement established, maintained or made 
available by an employer or group of employers, a practitioner, 
provider or supplier group, third party administrator, integrated 
health care delivery system, employee welfare

[[Page 57760]]

association, public service group or organization or professional 
association; and
    (5) An insurance company, insurance service or insurance 
organization that is licensed to engage in the business of selling 
health care insurance in a State and which is subject to State law 
which regulates health insurance.
    Licensed health care practitioner, licensed practitioner, or 
practitioner means, with respect to a State, an individual who is 
licensed or otherwise authorized by the State to provide health care 
services (or any individual who, without authority, holds himself or 
herself out to be so licensed or authorized).
    Organization name means the subject's business or employer at the 
time the underlying acts occurred. If more than one business or 
employer is involved, the one most closely related to the underlying 
acts should be reported in the ``organization name,'' field with the 
others being reported in the ``affiliated or associated health care 
entities'' field.
    Organization type means a brief description of the nature of that 
business or employer.
    Other adjudicated actions or decisions means formal or official 
final actions taken against a health care provider, supplier or 
practitioner by a Federal or State governmental agency or a health 
plan; which include the availability of a due process mechanism, and; 
are based on acts or omissions that affect or could affect the payment, 
provision or delivery of a health care item or service. For example, a 
formal or official final action taken by a Federal or State 
governmental agency or a health plan may include, but is not limited 
to, a personnel-related action such as suspensions without pay, 
reductions in pay, reductions in grade for cause, terminations or other 
comparable actions. A hallmark of any valid adjudicated action or 
decision is the availability of a due process mechanism. The fact that 
the subject elects not to use the due process mechanism provided by the 
authority bringing the action is immaterial, as long as such a process 
is available to the subject before the adjudicated action or decision 
is made final. In general, if an ``adjudicated action or decision'' 
follows an agency's established administrative procedures (which ensure 
that due process is available to the subject of the final adverse 
action), it would qualify as a reportable action under this definition. 
This definition specifically excludes clinical privileging actions 
taken by Federal or State Government agencies and similar paneling 
decisions made by health plans. This definition does not include 
overpayment determinations made by Federal or State Government 
programs, their contractors or health plans; and it does not include 
denial of claims determinations made by Government agencies or health 
plans. For health plans that are not Government entities, an action 
taken following adequate notice and the opportunity for a hearing that 
meets the standards of due process set out in section 412(b) of the 
HCQIA (42 U.S.C. 11112(b)) also would qualify as a reportable action 
under this definition.
    Secretary means the Secretary of Health and Human Services and any 
other officer or employee of the Department of Health and Human 
Services to whom the authority involved has been delegated.
    State means any of the fifty States, the District of Columbia, the 
Commonwealth of Puerto Rico, the Virgin Islands and Guam.
    Voluntary surrender means a surrender made after a notification of 
investigation or a formal official request by a Federal or State 
licensing or certification authority for a health care provider, 
supplier or practitioner to surrender the license or certification 
(including certification agreements or contracts for participation in 
Federal or State health care programs). The definition also includes 
those instances where a health care provider, supplier or practitioner 
voluntarily surrenders a license or certification (including program 
participation agreements or contracts) in exchange for a decision by 
the licensing or certification authority to cease an investigation or 
similar proceeding, or in return for not conducting an investigation or 
proceeding, or in lieu of a disciplinary action.

Subpart B--Reporting of Information


Sec. 61.4  How information must be reported.

    Information must be reported to the HIPDB as required under 
Secs. 61.6, 61.7, 61.8, 61.9, 61.10, 61.11 and 61.15 in such form and 
manner as the Secretary may prescribe.


Sec. 61.5  When information must be reported.

    (a) Information required under Secs. 61.7, 61.8, 61.9, 61.10 and 
61.11 must be submitted to the HIPDB--
    (1) Within 30 calendar days from the date the final adverse action 
was taken or the date when the reporting entity became aware of the 
final adverse action; or
    (2) By the close of the entity's next monthly reporting cycle, 
whichever is later.
    (b) The date the final adverse action was taken, its effective date 
and duration of the action would be contained in the information 
reported to the HIPDB under Secs. 61.7, 61.8, 61.9, 61.10 and 61.11.


Sec. 61.6  Reporting errors, omissions, revisions or whether an action 
is on appeal.

    (a) If errors or omissions are found after information has been 
reported, the reporter must send an addition or correction to the 
HIPDB. The HIPDB will not accept requests for readjudication of the 
case.
    (b) A reporter that reports information on licensure, criminal 
convictions, civil or administrative judgments, exclusions, or 
adjudicated actions or decisions under Secs. 61.7, 61.8, 61.9, 61.10 or 
61.11 also must report any revision of the action originally reported. 
Revisions include, but are not limited to, reversal of a criminal 
conviction, reversal of a judgment or other adjudicated decisions or 
whether the action is on appeal, and reinstatement of a license.
    (c) The subject will receive a copy of all reports, including 
revisions and corrections to the report.
    (d) Upon receipt of a report, the subject--
    (1) Can accept the report as written;
    (2) May provide a statement to the HIPDB that will be permanently 
appended to the report, either directly or through a designated 
representative (The HIPDB will distribute the statement to queriers, 
where identifiable, and to the reporting entity and the subject of the 
report. The HIPDB will not edit the statement; only the subject can, 
upon request, make changes to the statement); or
    (3) May follow the dispute process in accordance with Sec. 61.15.


Sec. 61.7  Reporting licensure actions taken by Federal or State 
licensing and certification agencies.

    (a) What actions must be reported. Federal and State licensing and 
certification agencies must report to the HIPDB the following final 
adverse actions that are taken against a health care provider, 
supplier, or practitioner (regardless of whether the final adverse 
action is the subject of a pending appeal)--
    (1) Formal or official actions, such as revocation or suspension of 
a license or certification agreement or contract for participation in 
Federal or State health care programs (and the length of any such 
suspension), reprimand, censure or probation;
    (2) Any other loss of the license or loss of the certification 
agreement or contract for participation in Federal or

[[Page 57761]]

State health care programs, or the right to apply for, or renew, a 
license or certification agreement or contract of the provider, 
supplier, or practitioner, whether by operation of law, voluntary 
surrender, non-renewal (excluding nonrenewals due to nonpayment of 
fees, retirement, or change to inactive status), or otherwise; and
    (3) Any other negative action or finding by such Federal or State 
agency that is publicly available information.
    (b) Entities described in paragraph (a) of this section must report 
the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
    (i) Name;
    (ii) Social Security Number;
    (iii) Home address or address of record;
    (iv) Sex; and
    (v) Date of birth.
    (2) If the subject is an individual, that individual's employment 
or professional identifiers, including:
    (i) Organization name and type;
    (ii) Occupation and specialty, if applicable;
    (iii) National Provider Identifier (NPI), when issued by the Health 
Care Financing Administration (HCFA);
    (iv) Name of each professional school attended and year of 
graduation; and
    (v) With respect to the State professional license (including 
professional certification and registration) on which the reported 
action was taken, the license number, the field of licensure, and the 
name of the State or territory in which the license is held.
    (3) If the subject is an organization, identifiers, including:
    (i) Name;
    (ii) Business address;
    (iii) Federal Employer Identification Number (FEIN), or Social 
Security Number when used by the subject as a Taxpayer Identification 
Number (TIN);
    (iv) The NPI, when issued by HCFA;
    (v) Type of organization; and
    (vi) With respect to the State license (including certification and 
registration) on which the reported action was taken, the license and 
the name of the State or territory in which the license is held.
    (4) For all subjects:
    (i) A narrative description of the acts or omissions and injuries 
upon which the reported action was based;
    (ii) Classification of the acts or omissions in accordance with a 
reporting code adopted by the Secretary;
    (iii) Classification of the action taken in accordance with a 
reporting code adopted by the Secretary, and the amount of any monetary 
penalty resulting from the reported action;
    (iv) The date the action was taken, its effective date and 
duration;
    (v) If the action is on appeal;
    (vi) Name of the agency taking the action;
    (vii) Name and address of the reporting entity; and
    (viii) The name, title and telephone number of the responsible 
official submitting the report on behalf of the reporting entity.
    (c) Entities described in paragraph (a) of this section should 
report, if known, the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
    (i) Other name (s) used;
    (ii) Other address;
    (iii) FEIN, when used by the individual as a TIN; and
    (iv) If deceased, date of death.
    (2) If the subject is an individual, that individual's employment 
or professional identifiers, including:
    (i) Other State professional license number(s), field(s) of 
licensure, and the name(s) of the State or territory in which the 
license is held;
    (ii) Other numbers assigned by Federal or State agencies, to 
include, but not limited to Drug Enforcement Administration (DEA) 
registration number(s), Unique Physician Identification Number(s) 
(UPIN), and Medicaid and Medicare provider number(s);
    (iii) Name(s) and address(es) of any health care entity with which 
the subject is affiliated or associated; and
    (iv) Nature of the subject's relationship to each associated or 
affiliated health care entity.
    (3) If the subject is an organization, identifiers, including:
    (i) Other name(s) used;
    (ii) Other address(es) used;
    (iii) Other FEIN(s) or Social Security Number(s) used;
    (iv) Other NPI(s) used;
    (v) Other State license number(s) and the name(s) of the State or 
territory in which the license is held;
    (vi) Other numbers assigned by Federal or State agencies, to 
include, but not limited to Drug Enforcement Administration (DEA) 
registration number(s), Clinical Laboratory Improvement Act (CLIA) 
number(s), Food and Drug Administration (FDA) number(s), and Medicaid 
and Medicare provider number(s);
    (vii) Names and titles of principal officers and owners;
    (viii) Name(s) and address(es) of any health care entity with which 
the subject is affiliated or associated; and
    (ix) Nature of the subject's relationship to each associated or 
affiliated health care entity.
    (4) For all subjects:
    (i) If the subject will be automatically reinstated; and
    (ii) The date of appeal, if any.
    (d) Sanctions for failure to report. The Secretary will provide for 
a publication of a public report that identifies those Government 
agencies that have failed to report information on adverse actions as 
required to be reported under this section.


Sec. 61.8  Reporting Federal or State criminal convictions related to 
the delivery of a health care item or service.

    (a) Who must report. Federal and State prosecutors must report 
criminal convictions against health care providers, suppliers, and 
practitioners related to the delivery of a health care item or service 
(regardless of whether the conviction is the subject of a pending 
appeal).
    (b) Entities described in paragraph (a) of this section must report 
the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
    (i) Name;
    (ii) Social Security Number;
    (iii) Home address or address of record;
    (iv) Sex; and
    (v) Date of birth.
    (2) If the subject is an individual, that individual's employment 
or professional identifiers, including:
    (i) Organization name and type;
    (ii) Occupation and specialty, if applicable; and
    (iii) National Provider Identifier (NPI), when issued by the Health 
Care Financing Administration (HCFA).
    (3) If the subject is an organization, identifiers, including:
    (i) Name;
    (ii) Business address;
    (iii) Federal Employer Identification Number (FEIN), or Social 
Security Number when used by the subject as a Taxpayer Identification 
Number (TIN);
    (iv) The NPI, when issued by HCFA; and
    (v) Type of organization.
    (4) For all subjects:
    (i) A narrative description of the acts or omissions and injuries 
upon which the reported action was based;
    (ii) Classification of the acts or omissions in accordance with a 
reporting code adopted by the Secretary;
    (iii) Name and location of court or judicial venue in which the 
action was taken;
    (iv) Docket or court file number;
    (v) Type of action taken;
    (vi) Statutory offense(s) and count(s);
    (vii) Name of primary prosecuting agency (or the plaintiff in civil 
actions);

[[Page 57762]]

    (viii) Date of sentence or judgment;
    (ix) Length of incarceration, detention, probation, community 
service or suspended sentence;
    (x) Amounts of any monetary judgment, penalty, fine, assessment or 
restitution;
    (xi) Other sentence, judgment or orders;
    (xii) If the action is on appeal;
    (xiii) Name and address of the reporting entity; and
    (xiv) The name, title and telephone number of the responsible 
official submitting the report on behalf of the reporting entity.
    (c) Entities described in paragraph (a) of this section should 
report, if known, the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
    (i) Other name (s) used;
    (ii) Other address; and
    (iii) FEIN, when used by the individual as a TIN.
    (2) If the subject is an individual, that individual's employment 
or professional identifiers, including:
    (i) State professional license (including professional 
certification and registration) number(s), field(s) of licensure, and 
the name(s) of the State or territory in which the license is held;
    (ii) Other numbers assigned by Federal or State agencies, to 
include, but not limited to Drug Enforcement Administration (DEA) 
registration number(s), Unique Physician Identification Number(s) 
(UPIN), and Medicaid and Medicare provider number(s);
    (iii) Name(s) and address(es) of any health care entity with which 
the subject is affiliated or associated; and
    (iv) Nature of the subject's relationship to each associated or 
affiliated health care entity.
    (3) If the subject is an organization, identifiers, including:
    (i) Other name(s) used;
    (ii) Other address(es) used;
    (iii) Other FEIN(s) or Social Security Number(s) used;
    (iv) Other NPI(s) used;
    (v) State license (including certification and registration) 
number(s) and the name(s) of the State or territory in which the 
license is held;
    (vi) Other numbers assigned by Federal or State agencies, to 
include, but not limited to Drug Enforcement Administration (DEA) 
registration number(s), Clinical Laboratory Improvement Act (CLIA) 
number(s), Food and Drug Administration (FDA) number(s), and Medicaid 
and Medicare provider number(s);
    (vii) Names and titles of principal officers and owners;
    (viii) Name(s) and address(es) of any health care entity with which 
the subject is affiliated or associated; and
    (ix) Nature of the subject's relationship to each associated or 
affiliated health care entity.
    (4) For all subjects:
    (i) Prosecuting agency's case number;
    (ii) Investigative agencies involved;
    (iii) Investigative agencies case of file number(s); and
    (iv) The date of appeal, if any.
    (d) Sanctions for failure to report. The Secretary will provide for 
publication of a public report that identifies those Government 
agencies that have failed to report information on criminal convictions 
as required to be reported under this section.


Sec. 61.9  Reporting civil judgments related to the delivery of a 
health care item or service.

    (a) Who must report. Federal and State attorneys and health plans 
must report civil judgments against health care providers, suppliers, 
or practitioners related to the delivery of a health care item or 
service (regardless of whether the civil judgment is the subject of a 
pending appeal). If a Government agency is party to a multi-claimant 
civil judgment, it must assume the responsibility for reporting the 
entire action, including all amounts awarded to all the claimants, both 
public and private. If there is no Government agency as a party, but 
there are multiple health plans as claimants, the health plan which 
receives the largest award must be responsible for reporting the total 
action for all parties.
    (b) Entities described in paragraph (a) of this section must report 
the information as required in Sec. 61.8(b).
    (c) Entities described in paragraph (a) of this section should 
report, if known the information as described in Sec. 61.8(c).
    (d) Sanctions for failure to report. Any health plan that fails to 
report information on a civil judgment required to be reported under 
this section will be subject to a civil money penalty (CMP) of not more 
than $25,000 for each such adverse action not reported. Such penalty 
will be imposed and collected in the same manner as CMPs under 
subsection (a) of section 1128A of the Act. The Secretary will provide 
for publication of a public report that identifies those Government 
agencies that have failed to report information on civil judgments as 
required to be reported under this section.


Sec. 61.10  Reporting exclusions from participation in Federal or State 
health care programs.

    (a) Who must report. Federal and State Government agencies must 
report health care providers, suppliers, or practitioners excluded from 
participating in Federal or State health care programs, including 
exclusions that were made in a matter in which there was also a 
settlement that is not reported because no findings or admissions of 
liability have been made (regardless of whether the exclusion is the 
subject of a pending appeal) .
    (b) Entities described in paragraph (a) of this section must report 
the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
    (i) Name;
    (ii) Social Security Number;
    (iii) Home address or address of record;
    (iv) Sex; and
    (v) Date of birth.
    (2) If the subject is an individual, that individual's employment 
or professional identifiers, including:
    (i) Organization name and type;
    (ii) Occupation and specialty, if applicable; and
    (iii) National Provider Identifier (NPI), when issued by the Health 
Care Financing Administration (HCFA).
    (3) If the subject is an organization, identifiers, including:
    (i) Name;
    (ii) Business address;
    (iii) Federal Employer Identification Number (FEIN), or Social 
Security Number when used by the subject as a Taxpayer Identification 
Number (TIN);
    (iv) The NPI, when issued by HCFA; and
    (v) Type of organization.
    (4) For all subjects:
    (i) A narrative description of the acts or omissions and injuries 
upon which the reported action was based;
    (ii) Classification of the acts or omissions in accordance with a 
reporting code adopted by the Secretary;
    (iii) Classification of the action taken in accordance with a 
reporting code adopted by the Secretary, and the amount of any monetary 
penalty resulting from the reported action;
    (iv) The date the action was taken, its effective date and 
duration;
    (v) If the action is on appeal;
    (vi) Name of the agency taking the action;
    (vii) Name and address of the reporting entity; and
    (viii) The name, title and telephone number of the responsible 
official submitting the report on behalf of the reporting entity.

[[Page 57763]]

    (c) Entities described in paragraph (a) of this section should 
report, if known, the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
    (i) Other name(s) used;
    (ii) Other address;
    (iii) FEIN, when used by the individual as a TIN;
    (iv) Name of each professional school attended and year of 
graduation; and
    (v) If deceased, date of death.
    (2) If the subject is an individual, that individual's employment 
or professional identifiers, including:
    (i) State professional license (including professional registration 
and certification) number(s), field(s) of licensure, and the name(s) of 
the State or Territory in which the license is held;
    (ii) Other numbers assigned by Federal or State agencies, to 
include, but not limited to Drug Enforcement Administration (DEA) 
registration number(s), Unique Physician Identification Number(s) 
(UPIN), and Medicaid and Medicare provider number(s);
    (iii) Name(s) and address(es) of any health care entity with which 
the subject is affiliated or associated; and
    (iv) Nature of the subject's relationship to each associated or 
affiliated health care entity.
    (3) If the subject is an organization, identifiers, including:
    (i) Other name(s) used;
    (ii) Other address(es) used;
    (iii) Other FEIN(s) or Social Security Number(s) used;
    (iv) Other NPI(s) used;
    (v) State license (including registration and certification) 
number(s) and the name(s) of the State or territory in which the 
license is held;
    (vi) Other numbers assigned by Federal or State agencies, to 
include, but not limited to Drug Enforcement Administration (DEA) 
registration number(s), Clinical Laboratory Improvement Act (CLIA) 
number(s), Food and Drug Administration (FDA) number(s), and Medicaid 
and Medicare provider number(s);
    (vii) Names and titles of principal officers and owners;
    (viii) Name(s) and address(es) of any health care entity with which 
the subject is affiliated or associated; and
    (ix) Nature of the subject's relationship to each associated or 
affiliated health care entity.
    (4) For all subjects:
    (i) If the subject will be automatically reinstated; and
    (ii) The date of appeal, if any.
    (d) Sanctions for failure to report. The Secretary will provide for 
publication of a public report that identifies those Government 
agencies that have failed to report information on exclusions or 
debarments as required to be reported under this section.


Sec. 61.11  Reporting other adjudicated actions or decisions.

    (a) Who must report. Federal and State governmental agencies and 
health plans must report other adjudicated actions or decisions as 
defined in Sec. 61.3 related to the delivery, payment or provision of a 
health care item or service against health care providers, suppliers, 
and practitioners (regardless of whether the other adjudicated action 
or decision is subject to a pending appeal).
    (b) Entities described in paragraph (a) of this section must report 
the information as required in Sec. 61.10(b).
    (c) Entities described in paragraph (a) of this section should 
report, if known the information as described in Sec. 61.10(c).
    (d) Sanctions for failure to report. Any health plan that fails to 
report information on an other adjudicated action or decision required 
to be reported under this section will be subject to a civil money 
penalty (CMP) of not more than $25,000 for each such action not 
reported. Such penalty will be imposed and collected in the same manner 
as CMPs under subsection (a) of section 1128A of the Act. The Secretary 
will provide for publication of a public report that identifies those 
Government agencies that have failed to report information on other 
adjudicated actions as required to be reported under this section.

Subpart C--Disclosure of Information by the Healthcare Integrity 
and Protection Data Bank


Sec. 61.12  Requesting information from the Healthcare Integrity and 
Protection Data Bank.

    (a) Who may request information and what information may be 
available. Information in the HIPDB will be available, upon request, to 
the following persons or entities, or their authorized agents--
    (1) Federal and State Government agencies;
    (2) Health plans;
    (3) A health care practitioner, provider, or supplier requesting 
information concerning himself, herself or itself; and
    (4) A person or entity requesting statistical information, which 
does not permit identification of any individual or entity. (For 
example, researchers can use statistical information to identify the 
total number of practitioners excluded from the Medicare and Medicaid 
programs. Similarly, health plans can use statistical information to 
develop outcome measures in their efforts to monitor and improve 
quality care.)
    (b) Procedures for obtaining HIPDB information. Eligible 
individuals and entities may obtain information from the HIPDB by 
submitting a request in such form and manner as the Secretary may 
prescribe. These requests are subject to fees set forth in Sec. 61.13. 
The HIPDB will comply with the Department's principles of fair 
information practice by providing each subject of a report with a copy 
when the report is entered into the HIPDB.
    (c) Information provided in response to self-queries. (1) At the 
time subjects request information as part of a ``self-query,'' the 
subject will receive--
    (i) Any report(s) in the HIPDB specific to them; and
    (ii) A disclosure history from the HIPDB of the name(s) of any 
entity (or entities) that have previously received the report(s).
    (2) The disclosure history will be restricted in accordance with 
the Privacy Act regulations set forth in 45 CFR part 5b.


Sec. 61.13  Fees applicable to requests for information.

    (a) Policy on fees. The fees described in this section apply to all 
requests for information from the HIPDB, except requests from Federal 
agencies. However, for purposes of verification and dispute resolution 
at the time the report is accepted, the HIPDB will provide a copy--at 
the time a report has been submitted automatically, without a request 
and free of charge--of every report to the health care provider, 
supplier or practitioner who is the subject of the report. For the same 
purpose, the Department will provide a copy of the report--at the time 
a report has been submitted automatically, without a request and free 
of charge--to the reporter that submitted it. The fees are authorized 
by section 1128E(d)(2) of the Act, and they reflect the full costs of 
operating the database. The actual fees will be announced by the 
Secretary in periodic notices in the Federal Register.
    (b) Criteria for determining the fee. The amount of each fee will 
be determined based on the following criteria --
    (1) Direct and indirect personnel costs;
    (2) Physical overhead, consulting, and other indirect costs 
including rent and depreciation on land, buildings and equipment;

[[Page 57764]]

    (3) Agency management and supervisory costs;
    (4) Costs of enforcement, research and establishment of regulations 
and guidance;
    (5) Use of electronic data processing equipment to collect and 
maintain information--the actual cost of the service, including 
computer search time, runs and printouts; and
    (6) Any other direct or indirect costs related to the provision of 
services.
    (c) Assessing and collecting fees. The Secretary will announce 
through periodic notice in the Federal Register the method of payment 
of fees. In determining these methods, the Secretary will consider 
efficiency, effectiveness and convenience for users and for the 
Department. Methods may include credit card, electronic funds transfer 
and other methods of electronic payment.


Sec. 61.14  Confidentiality of Healthcare Integrity and Protection Data 
Bank information.

    Information reported to the HIPDB is considered confidential and 
will not be disclosed outside the Department, except as specified in 
Secs. 61.12 and 61.15. Persons and entities receiving information from 
the HIPDB, either directly or from another party, must use it solely 
with respect to the purpose for which it was provided. Nothing in this 
section will prevent the disclosure of information by a party from its 
own files used to create such reports where disclosure is otherwise 
authorized under applicable State or Federal law.


Sec. 61.15  How to dispute the accuracy of Healthcare Integrity and 
Protection Data Bank information.

    (a) Who may dispute the HIPDB information. The HIPDB will routinely 
mail or transmit electronically to the subject a copy of the report 
filed in the HIPDB. The subject of the report or a designated 
representative may dispute the accuracy of a report concerning himself, 
herself or itself within 60 calendar days of receipt of the report.
    (b) Procedures for disputing a report with the reporting entity.  
If the subject disagrees with the reported information, the subject 
must request in writing that the HIPDB enter the report into ``disputed 
status.''
    (2) The HIPDB will send the report, with a notation that the report 
has been placed in ``disputed status,'' to queriers (where 
identifiable), the reporting entity and the subject of the report.
    (3) The subject must attempt to enter into discussion with the 
reporting entity to resolve the dispute. If the reporting entity 
revises the information originally submitted to the HIPDB, the HIPDB 
will notify the subject and all entities to whom reports have been sent 
that the original information has been revised. If the reporting entity 
does not revise the reported information, or does not respond to the 
subject within 60 days, the subject may request that the Secretary 
review the report for accuracy. The Secretary will decide whether to 
correct the report within 30 days of the request. This time frame may 
be extended for good cause. The subject also may provide a statement to 
the HIPDB, either directly or through a designated representative, that 
will permanently append the report.
    (c) Procedures for requesting a Secretarial review.  The subject 
must request, in writing, that the Secretary of the Department review 
the report for accuracy. The subject must return this request to the 
HIPDB along with appropriate materials that support the subject's 
position. The Secretary will only review the accuracy of the reported 
information, and will not consider the merits or appropriateness of the 
action or the due process that the subject received.
    (2) After the review, if the Secretary--
    (i) Concludes that the information is accurate and reportable to 
the HIPDB, the Secretary will inform the subject and the HIPDB of the 
determination. The Secretary will include a brief statement 
(Secretarial Statement) in the report that describes the basis for the 
decision. The report will be removed from ``disputed status.'' The 
HIPDB will distribute the corrected report and statement(s) to previous 
queriers (where identifiable), the reporting entity and the subject of 
the report.
    (ii) Concludes that the information contained in the report is 
inaccurate, the Secretary will inform the subject of the determination 
and direct the HIPDB or the reporting entity to revise the report. The 
Secretary will include a brief statement (Secretarial Statement) in the 
report describing the findings. The HIPDB will distribute the corrected 
report and statement (s) to previous queriers (where identifiable), the 
reporting entity and the subject of the report.
    (iii) Determines that the disputed issues are outside the scope of 
the Department's review, the Secretary will inform the subject and the 
HIPDB of the determination. The Secretary will include a brief 
statement (Secretarial Statement) in the report describing the 
findings. The report will be removed from ``disputed status.'' The 
HIPDB will distribute the report and the statement(s) to previous 
queriers (where identifiable), the reporting entity and the subject of 
the report.
    (iv) Determines that the adverse action was not reportable and 
therefore should be removed from the HIPDB, the Secretary will inform 
the subject and direct the HIPDB to void the report. The HIPDB will 
distribute a notice to previous queriers (where identifiable), the 
reporting entity and the subject of the report that the report has been 
voided.


Sec. 61.16  Immunity.

    Individuals, entities or their authorized agents and the HIPDB 
shall not be held liable in any civil action filed by the subject of a 
report unless the individual, entity or authorized agent submitting the 
report has actual knowledge of the falsity of the information contained 
in the report.

    Dated: May 4, 1999.
June Gibbs Brown,
Inspector General.

    Approved: May 21, 1999.
Donna E. Shalala,
Secretary.
[FR Doc. 99-27472 Filed 10-25-99; 8:45 am]
BILLING CODE 4150-04-P