[Federal Register Volume 69, Number 116 (Thursday, June 17, 2004)]
[Rules and Regulations]
[Pages 33866-33869]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-13675]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

Office of Inspector General

45 CFR Part 61

RIN 0991-AB31


Health Care Fraud and Abuse Data Collection Program: Technical 
Revisions to Healthcare Integrity and Protection Data Bank Data 
Collection Activities

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Interim final rule with comment period.

-----------------------------------------------------------------------

SUMMARY: The rule makes technical changes to the Healthcare Integrity 
and Protection Data Bank (HIPDB) data collection reporting requirements 
set forth in 45 CFR part 61 by clarifying the types of personal numeric 
identifiers that may be reported to the data bank in connection with 
adverse actions. Specifically, the rule clarifies that in lieu of a 
Social Security Number (SSN), an individual taxpayer identification 
number (ITIN) may be reported to the data bank when, in those limited 
situations, an individual does not have an SSN.

DATES: Effective date: These regulations are effective on July 19, 
2004.
    Comment date: We will consider comments if we receive them at the 
appropriate address, as provided in the address section below, no later 
than 5 p.m. on July 19, 2004.

ADDRESSES: In commenting, please refer to file code OIG-55-FC. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission. Please mail or deliver your written 
comments to the following address: Office of Inspector General, 
Department of Health and Human Services, Attention: OIG-55-FC, Room 
5246, Cohen Building, 330 Independence Avenue, SW., Washington, DC 
20201.
    Please allow sufficient time for us to receive mailed comments by 
the due date in the event of delivery delays. Because access to the 
Cohen Building is not readily available to persons without Federal 
government identification, commenters are encouraged to leave their 
comments in the OIG drop box located in the main lobby of the building. 
For information on viewing public comments, see section IV in the 
SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Joel Schaer, Office of Management and 
Policy, (202) 619-0089; or Anne MacArthur, Office of Counsel to the 
Inspector General, (202) 619-0335.

SUPPLEMENTARY INFORMATION:

I. The Healthcare Integrity and Protection Data Bank (HIPDB)

    Section 221(a) of the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996, Public Law 104-91, required the 
Department, acting through the Office of Inspector General, to 
establish a health care fraud and abuse control program to combat 
health care fraud and abuse (section 1128C of the Social Security Act 
(the Act)). Among the major steps in this program has been the 
establishment of a national data bank to receive and disclose certain 
final adverse actions against health care providers, suppliers, or 
practitioners, as required by section 1128E of the Act, in accordance 
with section 221(a) of HIPAA. The data bank, known as the Healthcare 
Integrity and Protection Data Bank (HIPDB), is designed to collect and 
disseminate the following types of information regarding final adverse 
actions: (1) Civil judgments against health care providers, suppliers, 
or practitioners in Federal or State court that are related to the 
delivery of a health care item or service; (2) Federal or State 
criminal convictions against a health care provider, supplier, or 
practitioner related to the delivery of a health care item or service; 
(3) final adverse actions by Federal or State agencies responsible for 
the licensing and certification of health care providers, suppliers, or 
practitioners; (4) exclusion of a health care provider, supplier, or 
practitioner from participation in Federal or State health care 
programs; and (5) any other adjudicated actions or decisions that the 
Secretary establishes by regulation.

Data Elements To Be Reported to the HIPDB

    Section 1128E(b)(2) of the Act cited a number of required elements 
or types of data that must be reported to the HIPDB. These elements 
include: (1) The name of the individual or entity; (2) a taxpayer 
identification number; (3) the name of any affiliated or associated 
health care entity; (4) the nature of the final adverse action and 
whether the action is on appeal; (5) a description of the acts or 
omissions, or injuries, upon which a final adverse action is based; and 
(6) any other additional information deemed appropriate by the 
Secretary. With respect to this last element, we have exercised this 
discretion to add additional reportable data elements reflecting much 
of the information that is already routinely collected by the Federal 
and State reporting agencies.
    Final regulations implementing the HIPDB were published in the 
Federal Register on October 26, 1999 (64 FR 57740). In those final 
regulations, for an individual (1) who is the subject of a civil 
judgment or criminal conviction related to the delivery of a health 
care item or service; or (2) who is the subject of a licensure action 
taken by Federal or State licensing and certification agencies, an 
adjudicated action or decision, or an individual excluded from 
participation in a Federal or State health care program, the current 
HIPDB systems of records contains, among other things, the individual's 
full name, other names used (if known), and his or her SSN. We 
specifically indicated that use of personal identifiers, such as SSNs 
and Federal Employer Identification Numbers (FEINs), in the collection 
and reporting to the HIPDB:
     Provides explicit matching of specific adverse action 
reports to and from the data bank;
     Provides a greater confidence level in the system's 
matching algorithm and maximizes the system's ability to prevent the 
erroneous reporting and disclosure of health care providers, suppliers 
and practitioners; and
     Strengthens States' ability to detect individuals who move 
from State to State without disclosure or discovery of previous 
damaging performance.

[[Page 33867]]

    However, in addressing the list of ``mandatory'' data elements that 
must be reported to the data bank in connection with adverse actions, 
the final regulations inadvertently omitted reference to the reporting 
of an ITIN to the data bank when, in those limited situations, an 
individual does not have a SSN.

Tax Identification Numbers as Defined by the Internal Revenue Code

    As indicated above, HIPAA requires ``the name and TIN (as defined 
in section 7701(a)(41) of the Internal Revenue Code (IRC) of 1986) of 
any health care provider, supplier, or practitioner who is the subject 
of a final adverse action'' to be reported to the data bank. Section 
7701(a)(41) of the IRC does not specifically define TIN, but instead 
refers to section 6109 of the Code. Section 6109(d) states that an 
individual's SSN is the tax identifying number for an individual, 
except as otherwise specified in regulations by the Secretary of the 
Treasury. In turn, the Department of the Treasury regulations set forth 
at 26 CFR 301.6109-1(a)(ii)(B) provides for the issuance of an ITIN for 
individuals who are not eligible for a SSN.

II. Technical Revisions to 45 CFR Part 61

    The HIPDB regulations at 45 CFR part 61 currently require the SSN 
on reports of adverse actions on individuals. Although the SSN meets 
the statutory requirement of a TIN, we believe that the inclusion of 
the ITIN, which is also a TIN, is consistent with the statutory 
requirements of HIPAA. Most reportable final adverse actions are taken 
against individual health care practitioners who are permitted to work 
in the United States. Non-citizens in the United States with permission 
to work are eligible for SSNs. However, we have become aware that there 
are non-citizens who do not have permission to work in the United 
States, but who do have ITINs assigned by the Internal Revenue Service 
(IRS) for tax purposes \1\ and hold valid State health care licenses. 
One example would be a foreign physician who does not practice in the 
United States, but desires to have a State license as a qualification 
of his or her ability to practice medicine. We believe that there may 
be very limited incidences where reportable adverse actions, 
particularly licensing actions, may be taken against these health care 
practitioners, such as an adverse licensing action taken by a medical 
licensing authority in a foreign country that is then reported to a 
State medical licensing board which then revokes the State medical 
license of the foreign physician. However, if the physician does not 
have a SSN, the State medical licensing authority is currently unable 
to report the action. We believe that the revision of the HIPDB 
regulations to include the collection of the ITIN for individuals who 
do not have SSNs, but have been assigned an ITIN, will enable the data 
bank to receive reports that presently it cannot receive.
---------------------------------------------------------------------------

    \1\ These individuals can use previously IRS assigned ITINs, 
although they cannot qualify for an ITIN solely for licensing 
purposes.
---------------------------------------------------------------------------

    As a result, in order to allow for the collection and dissemination 
of all appropriate information to and from the data bank, we are 
revising Sec. Sec.  61.7, 61.8, and 61.10 of the HIPDB regulations at 
45 CFR part 61 to indicate that for the reporting of (1) licensure 
actions taken by Federal and State licensing and certification 
agencies, (2) Federal or State criminal convictions related to the 
delivery of a health care item or service, or (3) exclusions from 
participation in Federal or State health care programs:
     If the subject is an individual, entities must report 
either the SSN or ITIN;
     If the subject is an organization, entities must report 
the FEIN, or SSN or ITIN when used by the subject as a TIN; and
     If the subject is an organization, entities should report, 
if known, any FEINs, SSNs or ITINs used.
    These revisions will also allow the reporting of ITINs, by 
reference, to the reports required in Sec. Sec.  61.9 and 61.11.
    We note that while the inclusion of a SSN or ITIN is a necessary 
reporting element in reporting adverse actions to the HIPDB, the Social 
Security Administration and the Internal Revenue Service are not 
required to assign a SSN or an ITIN, respectively, to those individuals 
who do not otherwise qualify for such identification numbers.

III. Regulatory Impact Statement

A. Regulatory Analysis

    We have examined the impacts of this technical rule revision as 
required by Executive Order 12866, the Regulatory Flexibility Act (RFA) 
of 1980, the Unfunded Mandates Reform Act of 1995, and Executive Order 
13132.
1. Executive Order 12866
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulations are 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health, and safety 
effects; distributive impacts; and equity). A regulatory impact 
analysis must be prepared for major rules with economically significant 
effects ($100 million or more in any given year). This is not a major 
rule as defined at 5 U.S.C. 804(2), and it is not economically 
significant since this technical revision will not have a significant 
effect on program expenditures and there will be no additional 
substantive cost through codification of this change. Specifically, the 
revisions to 45 CFR part 61 set forth in this rule are technical in 
nature and are designed to further clarify statutory requirements. The 
economic effect of these revisions will impact only those limited few 
individuals or organizations that are that subject of an adverse action 
reportable to the data bank. As such, we believe that the aggregate 
economic impact of this technical revision to the regulations will be 
minimal and have no appreciable effect on the economy or on Federal or 
State expenditures.
2. Regulatory Flexibility Act
    The RFA and the Small Business Regulatory Enforcement and Fairness 
Act of 1996, which amended the RFA, require agencies to analyze options 
for regulatory relief of small businesses. For purposes of the RFA, 
small entities include small businesses, nonprofit organizations, and 
government agencies. Most providers are considered to be small entities 
by having revenues of $6 million to $29 million or less in any one 
year. For purposes of the RFA, most physicians and suppliers are 
considered to be small entities. In addition, section 1102(b) of the 
Social Security Act requires us to prepare a regulatory impact analysis 
if a rule may have a significant impact on the operations of a 
substantial number of small rural providers. This analysis must conform 
to the provisions of section 604 of the RFA.
    We anticipate that the number of individuals who do not have 
permission to work in the United States but who have ITINs, who hold 
valid State health care licenses, and who will be the subject of a 
report to the HIPDB will be minimal. Even in those very limited 
incidences where reportable adverse actions, such as licensing actions, 
may be taken against a health care practitioner, we believe that the 
aggregate economic impact of this technical revision will be minimal 
since it is the nature of the conduct and not the size or type of the 
entity that would result in the violation and the need to report the 
adverse action to the HIPDB. As a result, we have concluded that this 
technical rule should not have a

[[Page 33868]]

significant impact on the operations of a substantial number of small 
or rural providers, and that a regulatory flexibility analysis is not 
required for this rulemaking.
3. Unfunded Mandates Reform Act
    Section 202 of the Unfunded Mandates Reform Act of 1995 (Pub. L. 
104-4) also requires that agencies assess anticipated costs and 
benefits before issuing any rule that may result in expenditure in any 
one year by State, local, or tribal governments, in the aggregate, or 
by the private sector, of $110 million. As indicated, these technical 
revisions comport with statutory intent and clarify the legal 
authorities for reporting information to the data bank against those 
who have acted improperly against the Federal and State health care 
programs. As a result, we believe that there are no significant costs 
associated with these revisions that would impose any mandates on 
State, local, or tribal governments, or the private sector that will 
result in an expenditure of $110 million or more (adjusted for 
inflation) in any given year, and that a full analysis under the 
Unfunded Mandates Reform Act is not necessary.
4. Executive Order 13132
    Executive Order 13132, Federalism, establishes certain requirements 
that an agency must meet when it promulgates a rule that imposes 
substantial direct requirements or costs on State and local 
governments, preempts State law, or otherwise has Federalism 
implications. In reviewing this rule under the threshold criteria of 
Executive Order 13132, we have determined that this rule will not 
significantly affect the rights, roles, and responsibilities of State 
or local governments.
    The Office of Management and Budget (OMB) has reviewed this final 
rule in accordance with Executive Order 12866.

B. Paperwork Reduction Act

    The provisions of this rulemaking impose no express new reporting 
or recordkeeping requirements on reporting entities. As indicated, this 
additional reportable data element reflects information that is already 
routinely collected by the Federal and State reporting agencies on 
health care providers, suppliers and practitioners, and imposes no new 
reporting burden beyond the data element fields already approved by 
OMB.

IV. Response to Public Comments

    Comments will be available for public inspection beginning on July 
6, 2004, in Room 5518 of the Office of Inspector General at 330 
Independence Avenue, SW., Washington, DC, on Monday and through Friday 
of each week from 8 a.m. to 4 p.m., (202) 619-0089. Because of the 
large number of comments we normally receive on regulations, we cannot 
acknowledge or respond to comments individually. However, we will 
consider all timely and appropriate comments when developing any 
revised final rulemaking.

V. Waiver of Proposed Rulemaking

    We ordinarily publish a proposed rule in the Federal Register and 
provide a period for public comment before we publish a final rule. We 
may waive this procedure, however, for good cause if we find that the 
notice and comment procedure is impracticable, unnecessary, or contrary 
to the public interest and if we incorporate a statement of this 
finding and its reasons in the rule issued. We find it unnecessary to 
undertake notice and comment rulemaking in this instance because we 
believe that it is in the public interest to comply with the statutory 
requirement in section 1128E of the Act that this information be 
included with respect to subjects of adverse actions reported to the 
data bank. Therefore, in accordance with MPDIMA and the Administrative 
Procedure Act (APA) (5 U.S.C. 553(b)(B)), for good cause, we waive 
notice and comment procedures. We are, however, providing a 30-day 
public comment period.

List of Subjects in 45 CFR Part 61

    Billing and transportation services, Durable medical equipment 
suppliers and manufacturers, Health care insurers, Health maintenance 
organizations, Health professions, Home health care agencies, 
Hospitals, Penalties, Pharmaceutical suppliers and manufacturers, 
Privacy, Reporting and recordkeeping requirements, Skilled nursing 
facilities.


0
Accordingly, 45 CFR part 61 is amended to read as follows:

PART 61--HEALTHCARE INTEGRITY AND PROTECTION DATA BANK FOR FINAL 
ADVERSE INFORMATION ON HEALTH CARE PROVIDERS, SUPPLIERS AND 
PRACTITIONERS

0
1. The authority citation for part 61 continues to read as follows:

    Authority: 42 U.S.C. 1320a-7e.


0
2. Section 61.7 is amended by republishing the introductory text for 
paragraphs (b) and (b)(1) and revising paragraph (b)(1)(ii); 
republishing introductory paragraph (b)(3) and revising paragraph 
(b)(3)(iii); and by republishing introductory paragraph (c) and (c)(3) 
and revising paragraph (c)(3)(iii) to read as follows:


Sec.  61.7  Reporting licensure actions taken by Federal or State 
licensing and certification agencies.

* * * * *
    (b) Entities described in paragraph (a) of this section must report 
the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
* * * * *
    (ii) Social Security Number (or Individual Taxpayer Identification 
Number (ITIN));
* * * * *
    (3) If the subject is an organization, identifiers, including:
* * * * *
    (iii) Federal Employer Identification Number (FEIN), or Social 
Security Number (or ITIN) when used by the subject as a Taxpayer 
Identification Number (TIN);
* * * * *
    (c) Entities described in paragraph (a) of this section should 
report, if known, the following information:
* * * * *
    (3) If the subject is an organization, identifiers, including:
* * * * *
    (iii) Other FEIN(s) or Social Security Numbers (or ITIN) used;
* * * * *
0
3. Section 61.8 is amended by republishing the introductory text for 
paragraphs (b) and (b)(1) and revising paragraph (b)(1)(ii); 
republishing introductory paragraph (b)(3) and revising paragraph 
(b)(3)(iii); and by republishing introductory paragraph (c) and (c)(3) 
and revising paragraph (c)(3)(iii) to read as follows:


Sec.  61.8  Reporting Federal or State criminal convictions related to 
the delivery of a health care item or service.

* * * * *
    (b) Entities described in paragraph (a) of this section must report 
the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
* * * * *
    (ii) Social Security Number (or ITIN);
* * * * *
    (3) If the subject is an organization, identifiers, including:
* * * * *
    (iii) Federal Employer Number (FEIN), or Social Security Number (or 
ITIN) when used by the subject as a Taxpayer Identification Number 
(TIN);
* * * * *

[[Page 33869]]

    (c) Entities described in paragraph (a) of this section should 
report, if known, the following information:
* * * * *
    (3) If the subject is an organization, identifiers, including:
* * * * *
    (iii) Other FEIN(s) or Social Security Numbers(s) (or ITINs) used;
* * * * *
0
4. Section 61.10 is amended by republishing the introductory text for 
paragraphs (b) and (b)(1) and revising paragraph (b)(1)(ii); 
republishing introductory paragraph (b)(3) and revising paragraph 
(b)(3)(iii); and by republishing introductory paragraph (c) and (c)(3) 
and revising paragraph (c)(3)(iii) to read as follows:


Sec.  61.10  Reporting exclusions from participation in Federal or 
State health care programs.

* * * * *
    (b) Entities described in paragraph (a) of this section must report 
the following information:
    (1) If the subject is an individual, personal identifiers, 
including:
* * * * *
    (ii) Social Security Number (or ITIN);
* * * * *
    (3) If the subject is an organization, identifiers, including:
* * * * *
    (iii) Federal Employer Identification Number (FEIN), or Social 
Security Number (or ITIN) when used by the subject as a Taxpayer 
Identification Number (TIN);
* * * * *
    (c) Entities described in paragraph (a) of this section should 
report, if known, the following information:
* * * * *
    (3) If the subject is an organization, identifiers, including:
* * * * *
    (iii) Other FEIN(s) or Social Security Numbers(s) (or ITINs) used;
* * * * *

    Dated: April 1, 2004.
Dara Corrigan,
Acting Principal Deputy Inspector General.

    Approved: April 19, 2004.
Tommy G. Thompson,
Secretary.
[FR Doc. 04-13675 Filed 6-16-04; 8:45 am]
BILLING CODE 4152-01-P