[Federal Register Volume 76, Number 226 (Wednesday, November 23, 2011)]
[Rules and Regulations]
[Pages 72325-72327]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-30292]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Part 5b

RIN 0906-AA91


Privacy Act; Exempt Record System

AGENCY: Health Resources and Services Administration (HRSA), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule exempts the system of records (09-15-0054, the 
National Practitioner Data Bank for Adverse Information on Physicians 
and Other Health Care Practitioners, HHS/HRSA/BHPr) for the National 
Practitioner Data Bank (NPDB) from certain provisions of the Privacy 
Act (5 U.S.C. 552a). The exemption is necessary due to the recent 
expansion of the NPDB under section 1921 of the Social Security Act to 
include the investigative materials compiled for law enforcement 
purposes reported to the Healthcare Integrity and Protection Data Bank 
(HIPDB). The system of records for the HIPDB is exempt from certain 
provisions of the Privacy Act (see 45 CFR 5b.11(b)(2)(ii)(F)). In order 
to maintain the exemption for the HIPDB investigative materials, which 
will now also be available through the NPDB, it is necessary to extend 
the same exemption to the NPDB.

DATES: The effective date of this rule is December 23, 2011.

FOR FURTHER INFORMATION CONTACT: Cynthia Grubbs, Director, Division of 
Practitioner Data Banks, Bureau of Health Professions, Health Resources 
and Services Administration, Parklawn Building, 5600 Fishers Lane, Room 
8-103, Rockville, MD 20857; telephone number: (301) 443-2300.

SUPPLEMENTARY INFORMATION:

I. Background

    The NPDB was established by Title IV of Public Law 99-660, the 
Health Care Quality Improvement Act of 1986, as amended. The NPDB is 
primarily an alert or flagging system intended to facilitate a 
comprehensive review of health care practitioners' professional 
credentials. On January 28, 2010, HRSA published a final rule in the 
Federal Register (75 FR 4656) designed to implement section 1921 of the 
Social Security Act (herein referred to as section 1921). Section 1921 
expands the scope of the NPDB. Section 1921 requires each State to 
adopt a system of reporting to the Secretary certain adverse licensure 
actions taken against health care practitioners and health care 
entities by any authority of the State responsible for the licensing of 
such practitioners or entities. It also requires each State to report 
any negative action or finding that a State licensing authority, a peer 
review organization, or a private accreditation entity has finalized 
against a health care practitioner or entity. Practically speaking, 
section 1921 resulted in, among other consequences, the transfer of the 
vast majority of information contained in the HIPDB, a companion data 
bank, to the NPDB.
    The HIPDB was created by the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996, Public Law (Pub. L. 104-191), which 
required the Secretary, acting through the Office of Inspector General 
(OIG) and the United States Attorney General, to establish a new health 
care fraud and abuse control program, to combat health care fraud and 
abuse. Together, the HIPDB and NPDB serve to facilitate review of 
health care practitioners' and entities' backgrounds.

II. Summary of the Proposed Rule

    In the February 17, 2011 Federal Register (76 FR 9295), HRSA 
published a proposed rule that would exempt the NPDB system of records 
from subsection (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and 
(f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). These 
exemptions are necessary to deal with the expansion of NPDB information 
after implementation of section 1921 on March 1, 2010. Groups that have 
access to the section 1921 information in the NPDB include all 
organizations eligible to query the NPDB under the Health Care Quality 
Improvement Act of 1986 (hospitals, other health care entities that 
conduct peer review and provide health care services, State medical or 
dental boards, and other health care practitioner State boards), other 
State licensing authorities, agencies administering Federal health care 
programs (including private entities administering such programs under 
contract), State agencies administering or supervising the 
administration of State health care programs, State Medicaid Fraud 
Control Units, certain law enforcement agencies, utilization and 
quality control peer review organizations (referred to as QIOs), as 
defined in Part B of title XI of the Social

[[Page 72326]]

Security Act, and appropriate entities with contracts under section 
1154(a)(4)(C) of the Social Security Act. Individual health care 
practitioners and entities can self-query.
    One of the purposes of these data will be use of this information 
by a Federal or State government agency charged with the responsibility 
of investigating or prosecuting a case where there is an indication of 
a violation or potential violation of law, whether civil, criminal, or 
regulatory in nature. The information in this system may also be used 
in the preparation for a trial or hearing for such violation.
    Specifically, this final rule now exempts the NPDB from the 
following subsections of the Privacy Act for the reasons set forth 
below:
     Subsection (c)(3). This provision requires that 
individuals be provided an accounting of disclosures of their records 
from a Privacy Act system, if requested. Providing an accounting of 
disclosures (i.e., an accounting of queries made by law enforcement 
agencies) to an individual who is the subject of an investigation could 
reveal the nature and scope of the investigation and could lead to the 
destruction or alteration of evidence, tampering with witnesses, and 
other evasive actions that could impede or compromise an investigation.
     Subsections (d)(1) through (d)(4). These provisions 
require that individuals be allowed to access and correct or amend 
their records in a Privacy Act system, if requested. Release of 
investigative records to an individual who is the subject of an 
investigation could interfere with pending or prospective law 
enforcement proceedings, or could reveal sensitive investigative 
techniques and procedures. Report subjects will have access to 
information on all other queries to the data bank. Report subjects are 
guaranteed access to, and correction rights for, substantive 
information reported to the NPDB. The procedures, appearing in 45 CFR 
part 60, use the Privacy Act access and correction procedures as a 
basic framework while, at the same time, providing significant 
additional rights (such as automatic notification to the record subject 
of any report filed with the data bank). Data bank subjects also have 
broader rights on NPDB correction procedures, including the right to 
file a statement of disagreement as soon as a report is filed with the 
data bank.
     Subsections (e)(4)(G) and (H), and (f). These provisions 
require that the system of records notice for a Privacy Act system 
provide the procedures whereby individuals can be notified at their 
request if the system contains records about them and can request and 
gain access to, and contest the content of, their records. Notifying an 
individual who is the subject of an investigation or a witness that a 
system of records contains information about him or her could reveal 
the nature and scope of the investigation and could result in the 
altering or destruction of evidence, improper influencing of witnesses, 
and other evasive actions that could impede or compromise an 
investigation. Report subjects are guaranteed access to, and correction 
rights for, substantive information reported to the NPDB. The same 
correction procedures apply (contained in 45 CFR part 60) as mentioned 
in the earlier bullet for subsections (d)(1) through (d)(4).
    Accordingly, HRSA proposes to amend 45 CFR 5b.11(b)(2)(ii) of the 
HHS Privacy Act regulations by adding the following:
     A new paragraph (L) that exempts investigative materials 
compiled for law enforcement purposes for the National Practitioner 
Data Bank from requirements (c)(3), (d)(1) through (d)(4), (e)(4)(G) 
and (H), and (f) of the Privacy Act (5 U.S.C. 552a).
    The system of records for the NPDB, which was last published in the 
Federal Register on October 1, 2010 (75 FR 60763), will be re-published 
promptly to reflect this change.

III. Summary and Response to Public Comments

    The proposed rule set forth a 60-day public comment period, ending 
April 18, 2011. HRSA received one response from a national association 
representing physicians. Following are two concerns highlighted by the 
commenter and our responses to those concerns.
    Issue #1: Commenter believes that shielding law enforcement queries 
from a NPDB physician subject's review would result in wasted law 
enforcement resources and would deny physicians due process.
    Response: The restriction on revealing law enforcement queries to 
data bank report subjects has been in place for the last 15 years for 
the Healthcare Integrity and Protection Data Bank (HIPDB). Law 
enforcement queries constitute less than one percent of the total 
queries to the data bank and on average there are only 20 law 
enforcement queries per year. The act of querying the data bank does 
not deny providers due process rights or bar them from availing 
themselves of correction procedures, if a report is filed against them 
in the data bank. Law enforcement agencies are not required to notify 
subjects that they are under investigation and doing so would most 
likely compromise an investigation. The commenter additionally claims 
that law enforcement resources are being wasted. This claim has no 
evidentiary support, and HRSA feels it is best left to law enforcement 
officials to make this determination.
    Issue #2: When commenting on the exemption of the NPDB from Privacy 
Act access and amendment procedures, commenter expressed support 
maintaining NPDB access and correction procedures so that NPDB subjects 
are guaranteed access to, and correction rights for, information 
reported to the NPDB. However, the commenter feels that shielding law 
enforcement queries from disclosure to physicians would hamper the 
physician's ability to ensure the accuracy of the information that has 
been reported to the NPDB.
    Response: NPDB access and correction procedures, which guarantee 
access to, and correction rights for, information reported to the NPDB, 
are maintained. HRSA disagrees with the statement that disclosure of 
law enforcement queries would affect a physician's ability to ensure 
the accuracy of information reported to the data bank. Data bank 
reports and data bank queries are two separate things. Data bank 
reports reflect an adverse action taken by a reporting entity, whereas 
a data bank query is a request for information on a practitioner. 
Practitioners receive a copy of all reports submitted by a reporting 
entity along with instructions on correction procedures. If a 
practitioner elects, they can receive an accounting of entities that 
have queried them by submitting a self- query. Shielding law 
enforcement query history does not affect a practitioner's ability to 
use the report correction procedures. Information on how to dispute the 
accuracy of a data bank report can be accessed on page F-1 of the NPDB 
Guidebook at: http://www.npdb-hipdb.hrsa.gov/resources/NPDBGuidebook.pdf.
    Based on HRSA's review of the public comments, no revisions have 
been made to the final rule.

Economic and Regulatory Impact

    We have reviewed this final rule in accordance with the provisions 
of Executive Orders 13563 and 12866 and the Regulatory Flexibility Act 
(5 U.S.C. 601-612) and have determined that it will have no major 
effect on the economy or Federal expenditures. Executive Orders 13563 
and 12866 direct agencies to assess all costs and benefits of available 
regulatory alternatives and, when rulemaking is necessary, to select 
regulatory

[[Page 72327]]

approaches that maximize net benefits, including potential economic, 
environmental, public health, safety distributive, and equity effects.
    The Secretary has determined that this final rule is not a ``major 
rule'' within the meaning of the statute providing for Congressional 
Review of Agency Rulemaking, 5 U.S.C. 801, and has determined that it 
does not meet the criteria for a significant regulatory action. In 
addition, under the Small Business Enforcement Act (SBEA) of 1996, if a 
rule has a significant economic effect on a substantial number of small 
businesses, the Secretary must specifically consider the economic 
effect of a rule on small business entities and analyze regulatory 
options that could lessen the impact of the rule. The Secretary has 
reviewed this exemption in accordance with the provisions of the SBEA 
and certifies that this exemption will not have a significant impact on 
a substantial number of small entities. Specifically, as indicated 
above, while the reports of adverse actions to the NPDB will be known 
to the subjects of the records in the data bank, the access and use of 
such information by law enforcement agencies would not be known to the 
subjects of the records, because HRSA believes that disclosure of this 
information could compromise ongoing law enforcement activities.
    Similarly, the final rule will not have effects on State, local, 
and Tribal governments, and on the private sector such as to require 
consultation under the Unfunded Mandates Reform Act of 1995.
    The Secretary has reviewed this final rule in accordance with 
Executive Order 13132 regarding federalism and has determined that it 
does not have ``federalism implications.'' This rule would not ``have 
substantial direct effects on the States, or on the relationship 
between the national government and the States, or on the distribution 
of power and responsibilities among the various levels of government.''
    The proposals made in this final rule would not adversely affect 
the following family elements: Family safety, family stability, marital 
commitment; parental rights in the education, nurture and supervision 
of their children; family functioning, disposable income, or poverty; 
or the behavior and personal responsibility of youth, as determined 
under section 654(c) of the Treasury and General Government 
Appropriations Act of 1999.
    In accordance with the provisions of Executive Order 12866, this 
final rule was not reviewed by the Office of Management and Budget.

Paperwork Reduction Act

    This final rule does not have any information collection 
requirements.

    Dated: October 20, 2011.
Mary Wakefield,
Administrator, Health Resources and Services Administration.
    Approved: November 16, 2011.
Kathleen Sebelius,
Secretary.

List of Subjects in 45 CFR Part 5b

    Privacy.

PART 5b--PRIVACY ACT REGULATIONS

    Accordingly, 45 CFR part 5b is amended as set forth below:

0
1. The authority citation for part 5b continues to read as follows:

    Authority: 5 U.S.C. 301, 5 U.S.C. 552a.


0
2. Add Sec.  5b.11(b)(2)(ii)(L) to read as follows:


Sec.  5b.11  Exempt systems.

* * * * *
    (b) * * *
    (2) * * *
    (ii) * * *
    (L) Investigative materials compiled for law enforcement purposes 
in the National Practitioner Data Bank (NPDB). (See Sec.  60.16 of this 
subtitle for access and correction rights under the NPDB by subjects of 
the Data Bank.)
* * * * *
[FR Doc. 2011-30292 Filed 11-22-11; 8:45 am]
BILLING CODE 4165-15-P