[Federal Register Volume 64, Number 30 (Tuesday, February 16, 1999)]
[Notices]
[Pages 7653-7657]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-3568]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

Privacy Act; Notification of New System of Records in Conjunction With the Healthcare Integrity and Protection Data Bank

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the Office of the Inspector General (OIG) is setting forth a notice of a proposed new system of records in order to implement the requirements of the Healthcare Integrity and Protection Data Bank (HIPDB). The new HIPDB is being established in accordance with section 1128E of the Social Security Act (the Act), as added by section 221(a) of the Health Insurance Portability and Accountability Act of 1996. Section 1128E of the Act specifically directs the Secretary, acting through the OIG, to create a national health care fraud and abuse data collection program for the reporting and disclosure of certain final adverse actions (excluding settlements in which no findings of liability have been made) taken against health care providers, suppliers, or practitioners, and maintain a data base of final adverse actions taken against health care providers, suppliers, or practitioners. Groups that have access to this new data bank system include Federal and State government agencies; health plans; and self queries from health care suppliers, providers and practitioners. Reporting is limited to the same groups that have access to the information. We invite comments from interested parties on the proposed internal and routine use of information in this system of records.
DATES: The OIG has sent a Report of a New System of Records to the Congress and to the Office of Management and Budget (OMB) on February 16, 1999. This new system of records will be effective 40 days from the date submitted to OMB unless the OIG receives public comments that would result in a contrary determination. To assure consideration, public comments must be delivered to the address provided below by no later than 4 p.m. on March 18, 1999.

ADDRESSES: Please mail or deliver your written comments on the new system of records to: Office of Inspector General, Department of Health and Human Services, Attention: OIG-61-N, Room 5246, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201.

Because of staffing and resource limitations, we cannot accept comments by facsimile (FAX) transmission. In commenting, please refer to file code OIG-61-N.

FOR FURTHER INFORMATION CONTACT: Rick Burguieres, Investigative Policy and [[Page 7654]] Information Management Staff, Office of Investigations, Office of Inspector General, (202) 205-5200.

SUPPLEMENTARY INFORMATION:

1. Establishment of the Healthcare Integrity and Protection Data Bank

Section 221(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. 104-191, requires the Department of Justice and the Secretary, acting through the OIG, to establish a new health care fraud and abuse control program to combat health care fraud and abuse (section 1128C of the Act). Among the major steps in this program is the establishment of a national data bank to receive and disclose certain final adverse actions against health care providers, suppliers, or practitioners, as required by section 1128E of the Act, in accordance with section 221(a) of HIPAA. The Act specifically directs the Secretary, acting through the OIG, to maintain a data base of such final adverse actions.
The data bank, known as the Healthcare Integrity and Protection Data Bank (HIPDB), will contain the following types of information: (1) Civil judgments against a health care provider, supplier, or practitioner in Federal or State court related to the delivery of a health care item or service; (2) Federal or State criminal convictions against a health care provider, supplier, or practitioner related to the delivery of a health care item or service; (3) final adverse actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers or practitioners; (4) exclusion of a health care provider, supplier or practitioner from participation in Federal or State health care programs; and (5) any other adjudicated actions or decisions that the Secretary establishes by regulation.

Settlements in which no findings or admissions of liability have been made would be excluded from reporting. However, any final adverse action that emanates from such settlements, and that would otherwise be reportable under the statute, would be reportable to the data bank. Final adverse actions would be reported, regardless of whether such actions are being appealed by the subject of the report.

Proposed regulations setting forth the policy and procedures for implementing the new HIPDB were published in the Federal Register on October 30, 1998 (63 FR 58341).

2. Privacy Act Number

No. 09-90-0103.

3. Categories of Eligible Users of the System

Groups that have access to this new data bank system include Federal and State government agencies; health plans; and self queries from health care suppliers, providers and practitioners.
For purposes of the HIPDB:

A government agency includes, but is not limited to: (1) The Department of Justice; (2) the Department of Health and Human Services; (3) any other Federal agency that either administers or provides payment for the delivery of health care services (including, but not limited to, the Department of Defense and the Department of Veterans Affairs); (4) State law enforcement agencies; (5) State Medicaid Fraud Control Units; and (6) other Federal or State agencies responsible for the licensing and certification of health care providers, suppliers or licensed health care practitioners.

Health plan means a plan, program or organization that provides health benefits, whether directly or through insurance, reimbursement or otherwise, and includes, but is not limited to: (1) A policy of health insurance; (2) a contract of a service benefit organization; (3) a membership agreement with a health maintenance organization or other prepaid health plan; (4) a plan, program or agreement established, maintained or made available by an employer or group of employers, a practitioner, provider or supplier group, third-party administrator, integrated health care delivery system, employee welfare association, public service group or organization, or professional association; and (5) an insurance company, insurance service, self-insured employer or insurance organization which is licensed to engage in the business of selling health care insurance in a State and which is subject to State law which regulates health insurance.

4. Routine Uses of Records in the System of Records

Information in this system of records is considered confidential and disclosed only for the purpose for which it was provided. Appropriate uses of the information would include the prevention of fraud and abuse activities, decisions about hiring or retaining employees who may be reported to the system of records, and improving the quality of patient care.
For example, a record from this system of records may be disclosed to a Federal or State law enforcement agency during a criminal, civil or administrative investigation of a health care practitioner, provider or supplier. A record from this system of records also may be disclosed to a Federal agency, in response to its request, concerning (1) the hiring or retention of a health care practitioner, provider or supplier, (2) the reporting of an investigation of a health care practitioner, provider, or supplier or (3) the letting of a contract, or the issuance of a license or certification to a health care practitioner, provider or supplier, to the extent that the record is relevant and necessary to the requesting agency's decision on the matter.

5. Public Inspection of Comments

Comments will be available for public inspection March 2, 1999, in Room 5518, Office of Counsel to the Inspector General, at 330 Independence Avenue, SW., Washington, DC on Monday through Friday of each week between the hours of 9 a.m. and 4 p.m., (202) 619-0089.

Dated: January 7, 1999.

June Gibbs Brown,
Inspector General.

09-90-0103

SYSTEM NAME:

Healthcare Integrity and Protection Data Bank (HIPDB), HHS/OIG.

SECURITY CLASSIFICATION:

None.

SYSTEM LOCATION:

The HIPDB will always be operated and maintained by a contractor. The SRA Corporation (the Contractor) currently operates and maintains the HIPDB under contract with the Bureau of Health Professions (BHPr), Health Resources and Services Administration (HRSA) who, under a memorandum of understanding with the Office of Inspector General (OIG), will operate the system. Records are found at the following address: Healthcare Integrity and Protection Data Bank, 4350 Fairs Lakes Court North, Suite 400, Fairfax, Virginia 22033. The program will publish any changes in the location of the system in the Federal Register.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system of records will cover the following categories of individuals:

Health care practitioners, including physicians, dentists, and all other health care practitioners (such as nurses, optometrists, pharmacists, and podiatrists), licensed or otherwise authorized by a State to provide health care services.

Health care suppliers who furnish or provide access to health care services, [[Page 7655]] supplies, items or ancillary services (including, but not limited to, individuals who deliver health care services and are not required to obtain State licensure or authorization, durable medical equipment suppliers and manufacturers; pharmaceutical suppliers and manufacturers; health record services which prepare and store medical, dental and other patient records; health data suppliers; and billing and transportation service suppliers), and any individual under contract to provide health care supplies, items or ancillary services, and any individual providing health benefits whether directly, or indirectly through insurance, reimbursements or otherwise (including insurance producers, such as agents, brokers, and solicitors).

These individuals must be the subject of the following final adverse actions: (1) Civil judgments in Federal or State court related to the delivery of a health care item or service; (2) Federal or State criminal convictions related to the delivery of a health care item or service; (3) actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers, or practitioners; (4) exclusion from participation in Federal or State health care programs; and (5) other adjudicated actions or decisions, such as the removal of a physician from a health plan network via an adjudicated action.

CATEGORIES OF RECORDS IN THE SYSTEM:

This system will contain the following types of records:

1.
Information on an individual who is the subject of a civil judgment or criminal conviction related to the delivery of a health care item or service includes--

Full name; other name(s) used, if known; Social Security number; date of birth; gender; home address; occupation; organization name and type, if known; work address, if known; National Provider Identifier (NPI) (when issued by HCFA); Unique Physician Identification number(s), if known; Drug Enforcement Administration (DEA) registration number(s), if known; name of each professional school attended and the year of graduation, if known; for each professional license, certification or registration: the license, certification, or registration number, the field of licensure, certification, or registration, and the name of the State or Territory in which the license, certification or registration is held, if known;

With respect to the judgment/sentence: The court or judicial venue in which action was taken; docket or court file number; name of the primary prosecuting agency or Civil Plaintiff; prosecuting agency's case number; statutory offense and counts; date of judgment/sentence; length of the sentence; amount of judgment, restitution or other orders; nature of offense upon which the action was based; description of acts or omissions and injuries upon which the action was based; investigative agencies involved, if known, and investigative agencies' case/file number, if known; whether such action is on appeal; and

With respect to the reporting entity: Name; title; address, and telephone number of the reporting entity.

2. Information on an individual who is the subject of a licensure action taken by Federal or State licensing and certification agencies, an adjudicated action or decision, or an individual excluded from participation in a Federal or State health care program.
This information includes--

Full name; other name(s) used, if known; Social Security number or Federal Employer Identification number; date of birth; date of death, if deceased; gender; home address; occupation; organization name and type, if known; work address, if known; physician specialty, if applicable; NPI (when issued by HCFA); Unique Physician Identification number(s), if known; DEA registration number(s), if known; name of each professional school attended and the year of graduation, if known; for each professional license, certification or registration: The license, certification, or registration number, the field of licensure, certification, or registration, and the name of the State or Territory in which the license, certification or registration is held, if known;

With respect to final adverse action: A description of the acts or omissions or other reason for the action; date the action was taken, its effective date and duration; classification of the action in accordance with a reporting code adopted by the Secretary; amount of monetary penalty, assessment or restitution, and name of the office or program that took the adverse action; and

With respect to the reporting entity: Name; title; address, and telephone number of the reporting entity.

3. Inquiry file includes copies of all inquiries received by the HIPDB.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Section 1128E(b)(5) of the Social Security Act (the Act) authorizes the collection and maintenance of records of civil judgments against a health care provider, supplier or practitioner in Federal or State court related to the delivery of a health care item or service; Federal or State criminal convictions against a health care provider, supplier or practitioner related to the delivery of a health care item or service; actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers or practitioners; exclusion of a health care provider, supplier or practitioner from participation in Federal or State health care programs; and any other adjudicated actions or decisions established by the Secretary in regulation (45 CFR part 61).

PURPOSE(S):

The purposes of the system are to:

1. Receive from Government agencies and health plans information on certain final adverse actions (excluding settlements in which no findings of liability have been made) taken against health care providers, suppliers, or practitioners; and

2. Disseminate such data to Government agencies and health plans, as authorized by the Act.

A government agency includes, but is not limited to (1) the Department of Justice; (2) the Department of Health and Human Services; (3) any other Federal agency that either administers or provides payment for the delivery of health care services (including, but not limited to, the Department of Defense and the Department of Veterans Affairs); (4) State law enforcement agencies; (5) State Medicaid Fraud Control Units; and (6) other Federal or State agencies responsible for the licensing and certification of health care providers, suppliers, or licensed health care practitioners.
Health plan means a plan, program or organization that provides health benefits, whether directly or through insurance, reimbursement or otherwise, and includes, but is not limited to (1) a policy of health insurance; (2) a contract of a service benefit organization; (3) a membership agreement with a health maintenance organization or other prepaid health plan; (4) a plan, program or agreement established, maintained or made available by an employer or group of employers, a practitioner, provider or supplier group, third-party administrator, integrated health care delivery system, employee welfare association, public service group or organization, or professional association; and (5) an insurance company, insurance service, self-insured employer or insurance organization which is licensed to engage in the business of selling health care insurance in a State and which is [[Page 7656]] subject to State law that regulates health insurance.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

Data may be disclosed to:

1. A health plan requesting data concerning a health care provider, supplier, or practitioner for the purposes of preventing fraud and abuse activities and/or improving the quality of patient care, and in the context of hiring or retaining providers, suppliers and practitioners that are the subjects of reports.

2. Government agencies, as defined in 45 CFR 61.3, requesting data concerning a health care provider, supplier or practitioner for the purposes of preventing fraud and abuse activities and/or improving the quality of patient care, and in the context of hiring or retaining the providers, suppliers and practitioners that are the subject of reports to the system. This would include law enforcement investigations and other law enforcement activities.

STORAGE:

Records are maintained in electronic folders, on magnetic tape, and/or disks.
RETRIEVABILITY:

Retrieval will be by use of personal identifiers, including a unique identifier assigned by the HIPDB.

SAFEGUARDS:

1. Authorized Users: Access to records is limited to designated employees of the Contractor and to designated HRSA and the OIG staff. The Contracting Officer's Technical Representative (COTR) and AIS Security Officers are among the HRSA staff who are authorized users. Both HRSA and the contractor maintain lists of authorized users. Other Departmental employees will have access to the records on an official ``need to know'' basis.

2. Physical Safeguards: Magnetic tapes, disks, computer equipment and hard copy files are stored in areas where fire and environmental safety codes are strictly enforced. All automated and non-automated documents are protected on a 24-hour basis. Perimeter security includes intrusion alarms, random guard patrols, monitors, key/passcard/combination controls, receptionist controlled area and reception alarm button.

3. Procedural and Technical Safeguards: A password is required to access the system, and additional identification numbers and passwords are used to limit access to data to only authorized users. All users of personal information, in connection with the performance of their jobs, protect information from public view and from unauthorized personnel entering an unsupervised area. All authorized users will sign a nondisclosure statement. To protect the confidentiality of information contained in the system, when a person leaves or no longer has authorized duties, the Security Officer deletes his or her identification number and password, retrieves all electronic access cards, and changes all combinations to which the departing employee had access. The system automatically logs all access to data resources. Access to records is limited to those authorized personnel trained in accordance with the Privacy Act and automatic data processing (ADP) security procedures.
The Contractor is required to assure the confidentiality safeguards of these records and to comply with all provisions of the Privacy Act. All individuals who have access to these records must have the appropriate ADP security clearances. Privacy Act and ADP system security requirements are included in the contract for the operations and maintenance of the system. In addition, the HIPDB Project Officer and the System Manager oversee compliance with these requirements. HRSA staff who are authorized users will make site visits to the Contractor's facilities to assure compliance with security and Privacy Act requirements.

The safeguards described above were established in accordance with DHHS Chapter 45-13 and supplementary Chapter PHS hf: 45-13 of the General Administration Manual, and the DHHS Information Resources Management Manual, Part 6, ``ADP Systems Security.''

RETENTION AND DISPOSAL:

All records in this system are retained permanently.

SYSTEM MANAGER(s) AND ADDRESS:

Tony Marziani, Director, Information Systems and Investigative Support Staff, Office of Investigations, OIG, Room 5046, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201, (202) 205-5200.

NOTIFICATION PROCEDURES:

Exempt from certain requirements of the Act. However, an individual is informed when a record concerning himself or herself is entered into the Healthcare Integrity and Protection Data Bank.

Requests by mail: Practitioners, providers or suppliers may submit a ``Request for Information Disclosure'' to the address under system location for any report on themselves. The request must contain the following: Name, address, date of birth, gender, Social Security Number, professional schools and years of graduation, and the professional license(s). For license, include: The license number, the field of licensure, the name of the State or Territory in which the license is held, and Drug Enforcement Administration registration number(s).
Practitioners must sign and have notarized their requests. Submitting a request under false pretenses is a criminal offense subject to, at a minimum, a $5,000 fine under provisions of the Privacy Act.

Requests in person: Due to security considerations, the HIPDB cannot accept requests in person.

Request by telephone: Individuals may provide all of the identifying information stated above to the HIPDB Helpline operator. Before the data request is fulfilled, the operator will return a paper copy of this information for verification, signature and notarization.

RECORD ACCESS PROCEDURES:

Same as notification procedures. Requesters also should reasonably specify the record contents being sought.

CONTESTING RECORDS PROCEDURES:

The HIPDB routinely mails a copy of any report filed in it to the subject. The subject may contest the accuracy of information in the HIPDB concerning himself, herself, or itself and file a dispute. To dispute the accuracy of the information, the individual must notify the HIPDB by: (1) Identifying the record involved; (2) specifying the information being contested; (3) stating the corrective action sought and reason for requesting the correction; and (4) submitting supporting justification and/or documentation to show how the record is inaccurate. At the same time, the individual must attempt to enter into discussion with the reporting entity to resolve the dispute. Additional detail on the process of dispute resolution can be found at 45 CFR 61.15 of the HIPDB regulations.

RECORD SOURCE CATEGORIES:

Entities that have submitted records on individuals and organizations contained in the system; State Licensing Boards, including State Medical and Dental Boards, Federal and State Agencies as defined in the Act, and health plans as defined in the Act who take a final adverse action (not including settlements in which no findings of liability have been made) [[Page 7657]] taken against a health care provider, supplier, or practitioner.
(See PURPOSE section above)

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

The Secretary has exempted this system from certain provisions of the Act. In accordance with 5 U.S.C. 552a(k)(2) and 45 CFR 5b.11(b)(ii)(F), this system is exempt from subsections (c)(3), (d)(1)-(4), and (e)(4)(G) and (H) of the Privacy Act.

[FR Doc. 99-3568 Filed 2-12-99; 8:45 am]
BILLING CODE 4160-15-P