[Federal Register Volume 65, Number 106 (Thursday, June 1, 2000)]
[Rules and Regulations]
[Pages 34986-34988]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-13602]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

Office of Inspector General

45 CFR Part 5b

RIN 0991-AA99


Privacy Act; Implementation

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule exempts the new system of records, the 
Healthcare Integrity and Protection Data Bank (HIPDB), from certain 
provisions of the Privacy Act (5 U.S.C. 552a). The establishment of the 
HIPDB is required by section 1128E of the Social Security Act (the 
Act), as added by section 221(a) of the Health Insurance Portability 
and Accountability Act (HIPAA) of 1996. Section 1128E of the Act 
directed the Secretary to establish a national health care fraud and 
abuse data collection program for the reporting and disclosing of 
certain final adverse actions taken against health care providers, 
suppliers or practitioners, and to maintain a data base of final 
adverse actions taken against health care providers, suppliers and 
practitioners. Regulations implementing the new HIPDB were published in 
the Federal Register on October 26, 1999 (64 FR 57740). The exemption 
being set forth in this rule applies to investigative materials 
compiled for law enforcement purposes.

EFFECTIVE DATE: This rule is effective on June 1, 2000.

FOR FURTHER INFORMATION CONTACT: Rick Burguieres, Investigative Policy 
and Information Management Staff, Office of Investigations, (202) 205-
5200.

SUPPLEMENTARY INFORMATION:

I. The Healthcare Integrity and Protection Data Bank

    The Health Insurance Portability and Accountability Act (HIPAA) of 
1996, Public Law 104-191, requires the Secretary, acting through the 
Office of Inspector General (OIG) and the United States Attorney 
General, to establish a new health care fraud and abuse control program 
to combat health care fraud and abuse (see section 1128C of the Act, as 
enacted by section 201(a) of HIPAA). Among the major steps in this 
program is the establishment of a national data bank to receive and 
disclose certain final adverse actions against health care providers, 
suppliers, or practitioners (see section 1128C(a)(1)(E) of the Act). 
The establishment of the data bank is required by section 1128E of the 
Act (added by section 221(a) of HIPAA), which directs the Secretary to 
maintain a data base of such final adverse actions. Final adverse 
actions include: (1) Civil judgments against a health care provider, 
supplier, or practitioner in Federal or State court related to the 
delivery of a health care item or service; (2) Federal or State 
criminal convictions against a health care provider, supplier, or 
practitioner related to the delivery of a health care item or service; 
(3) actions by Federal or State agencies responsible for the licensing 
and certification of health care providers, suppliers, or 
practitioners; (4) exclusion of a health care provider, supplier, or 
practitioner from participation in Federal or State health care 
programs; and (5) any other adjudicated actions or decisions that the 
Secretary establishes by regulations. Settlements in which no findings 
or admissions of liability have been made will be excluded from 
reporting. However, any final adverse action that emanates from such 
settlements, and that would otherwise be reportable under the statute, 
is to be reported to the data bank. Final adverse actions are to be 
reported, regardless of whether such actions are being appealed by the 
subject of the report (see section 1128E(b)(2)(C) of the Act). Final 
regulations implementing the statutory requirements of section 1128E of 
the Act and establishing the new HIPDB were published in the Federal 
Register on October 26, 1999 (64 FR 57740).
    Groups that have access to this new data bank system include 
Federal and State government agencies; health plans; and self queries 
from health care suppliers, providers and practitioners. Reporting is 
limited to the same groups that have access to the information. One of 
the primary purposes of these data will be use of this information by a 
Federal or State government agency charged with the responsibility of 
investigating or prosecuting a case where there is an indication of a 
violation or potential violation of law, whether civil, criminal or 
regulatory in nature. The information in this system

[[Page 34987]]

may also be used in the preparation for a trial or hearing for such 
violation.

II. Summary of the Proposed Rule

    On October 26, 1999, the Department also published, through the 
Office of Inspector General, a proposed rule (64 FR 57619) to exempt 
this new records system from certain provisions of the Privacy Act.\1\ 
This proposed exemption was intended to protect, from release to the 
record subject, information on law enforcement queries to the data 
bank, to exempt the data bank from Privacy Act access and amendment 
procedures in order to establish access and amendment procedures in the 
HIPDB regulations. The proposed rule specifically sought public 
comments on the proposed exemption.
---------------------------------------------------------------------------

    \1\ Subsections (c)(3), (d)(1)-(4), and (e)(4)(G) and (H) of the 
Privacy Act, in accordance with 5 U.S.C. 522a(k)(2) and 45 CFR 
5b.11(b)(ii)(F).
---------------------------------------------------------------------------

    In accordance with the rulemaking, record subjects would be 
guaranteed access to, and correction rights for, substantive 
information reported to the HIPDB. The procedures, set out in 45 CFR 
part 61, use the Privacy Act access and correction procedures as a 
basic framework while, at the same time, providing significant 
additional rights (such as automatic notification to the record subject 
of any report filed with the data bank). Data bank subjects would also 
have broader rights on HIPDB correction procedures, including the right 
to file a statement of disagreement as soon as a report is filed with 
the data bank.

III. Response to Public Comments

    In response to the proposed rule, we received timely-filed public 
comments from two health professional organizations. Set forth below is 
a summary of those comments and our response to those concerns.
    Comment: One commenter believed that the provisions to exempt the 
HIPDB from provisions of the Privacy Act were duplicative and 
unnecessary. The commenter believed that this waiver was not necessary 
since the Privacy Act already contains an exemption for law enforcement 
queries.
    Response: The commenter is correct that a law enforcement agency 
may request information from the HIPDB by having an appropriate 
official formally file a written request under 5 U.S.C. 552a(b)(7). 
Such queries are not available to the subject of the Privacy Act record 
under 5 U.S.C. 552a(c)(3). However, requiring law enforcement agencies 
to use the more cumbersome process of submitting requests in writing 
defeats one of the primary purposes of the HIPDB, which is to provide 
for instant, online access to data for its designated users, including 
law enforcement agencies.\2\ Therefore, disclosures to law enforcement 
agencies will generally be made in accordance with the routine use 
provision of the Privacy Act, 5 U.S.C. 552a(b)(3), and this exemption 
is necessary to protect the queries from release to the record subject.
---------------------------------------------------------------------------

    \2\ The HIPAA, which mandates that the HIPDB information be 
available to law enforcement agencies, requires that the HIPDB be 
established to function in coordination with the existing National 
Practitioner Data Bank--a computerized system that functions 
exclusively by electronic reporting and on-line access by users (42 
U.S.C. 1320a07e(f)). Further, section IV of the Health Care Fraud 
and Abuse Control Program and Guidelines, issued by the Attorney 
General and the Secretary of HHS under HIPAA, calls for the 
establishment of an adverse action data bank with electronic 
reporting and on-line access by authorized users to minimize costs 
and maximize response times.
---------------------------------------------------------------------------

    Comment: One commenter stated that the proposed modification to 45 
CFR 5b.11(b)(2)(ii) appeared to exempt all queries from the history 
disclosure requirement of the Privacy Act, rather than just those that 
are made by law enforcement agencies. The commenter indicated, however, 
that nothing in proposed subparagraph (F) of this section would limit 
the exemption to law enforcement queries.
    Response: As stated in the proposed rule, subjects will have access 
to information on all other queries to the data bank. The exemption is 
only intended to protect against harm to ongoing investigations. Under 
the HIPDB implementing regulations (October 26, 1999; 64 FR 57740), 
information reports made available to the report subjects will include 
all other query information.
    Comment: One association indicated their support of the proposed 
modification regarding the exemption of law enforcement agencies from 
the Privacy Act, but recommended that the regulatory agencies, such as 
dental boards, also be included in the exemption.
    Response: As indicated above, the exemption is designed to protect 
only law enforcement queries permitted by the statute. If a 
governmental agency is entitled to access the HIPDB for law enforcement 
purposes, that query would be covered by the exemption. Questions on 
what types of queries are ``law enforcement'' queries can always be 
raised with the OIG's Office of Investigations' Investigative Policy 
and Information Management Staff at (202) 205-5200.

IV. Regulatory Impact Statement

    The Office of Management and Budget has reviewed this final rule in 
accordance with the provisions of Executive Order 12866, the Unfunded 
Mandates Reform Act and Executive Order 13132, and has determined that 
this rule does not meet the criteria for an economically siginificant 
regulatory action.
    Specifically, Executive Order 12866 directs agencies to assess all 
costs and benefits of available regulatory alternatives and, when 
rulemaking is necessary, to select regulatory approaches that maximize 
net benefits, including potential economic, environmental, public 
health, safety distributive and equity effects. Section 202 of the 
Unfunded Mandates reform Act, Public Law 104-4, requires that agencies 
prepare an assessment of anticipated costs and benefits on any rule 
that may result in an expenditure by State, local or tribe governments, 
or by the private sector, of $100 million or more in any given year. In 
addition, under the Small Business Enforcement Act (SBEA) of 1996, if a 
rule has a significant economic effect on a substantial number of small 
businesses, the Secretary must specifically consider the economic 
effect of a rule on small business entities and analyze regulatory 
options that could lessen the impact of the rule. Further, Executive 
Order 13132, Federalism, requires agencies to determine if a rule will 
have a significant effect on States, on their relationship with the 
Federal Government, and on the distribution of power and responsibility 
among the various levels of government.
    In accordance with the exemption being set forth in this rule, 
while the reports of adverse actions to the HIPDB will be known to the 
subjects of the records in the data bank, the access and use of such 
information by law enforcement agencies would not be known to the 
subjects of the records. As indicated above, we believe that disclosure 
of this information could have a negative impact and compromise ongoing 
law enforcement activities.
    We believe that the aggregate economic impact of this final rule is 
minimal and will have no effect of the economy or on Federal or State 
expenditures. Similarly, we believe that there are no significant costs 
associated with this Privacy Act exemption that will impose any 
mandates on State, local or tribal governments or on the private sector 
that will result in an expenditure of $100 million or more in any given 
year. In addition, in accordance with the provisions of the

[[Page 34988]]

SEBA and the threshold criteria of Executive Order 13132, the Secretary 
certifies that this exemption will not have a significant impact on a 
substantial number of small entities, and will not significantly affect 
the rights, roles and responsibilities of States, and that a full 
analysis under these Acts is not necessary.

List of Subjects in 5 CFR Part 5b

    Privacy.

    Accordingly, the Department's Privacy Act regulations at 45 CFR 
part 5b are amended as set forth below:

PART 5b--[AMENDED]

    Part 5b are amended as follows:

    1. The authority citation for part 5b continue to read as follows:

    Authority: 5 U.S.C. 301, 5 U.S.C. 552a.


    2. Section 5b.11 is amended by adding a new paragraph (b)(2)(ii)(F) 
to read as follows:


Sec. 5b.11  Exempt systems.

* * * * *
    (b) Specific systems of records exempt. * * *
    (2) * * *
    (ii) * * *
    (F) Investigative materials compiled for law enforcement purposes 
for the Healthcare Integrity and Protection Data Bank (HIPDB), of the 
Office of Inspector General. (See Sec. 61.15 of this title for access 
and correction rights under the HIPDB by subjects of the Data Bank.)
* * * * *

    Dated: March 7, 2000.
June Gibbs Brown,
Inspector General.
    Approved: March 20, 2000.
Donna E. Shalala,
Secretary.
[FR Doc. 00-13602 Filed 5-31-00; 8:45 am]
BILLING CODE 4152-01-P