Privacy Act; Exempt Record System

SUMMARY: This final rule exempts the system of records (09-15-0054, the National Practitioner Data Bank for Adverse Information on Physicians and Other Health Care Practitioners, HHS/HRSA/BHPr) for the National Practitioner Data Bank (NPDB) from certain provisions of the Privacy Act (5 U.S.C. 552a). The exemption is necessary due to the recent expansion of the NPDB under section 1921 of the Social Security Act to include the investigative materials compiled for law enforcement purposes reported to the Healthcare Integrity and Protection Data Bank (HIPDB). The system of records for the HIPDB is exempt from certain provisions of the Privacy Act (See 45 CFR 5b.11(b)(2)(ii)(F)). In order to maintain the exemption for the HIPDB investigative materials, which will now also be available through the NPDB, it is necessary to extend the same exemption to the NPDB.

EFFECTIVE DATE: The effective date of this rule is December 23, 2011.

FOR FURTHER INFORMATION CONTACT: Cynthia Grubbs, Director, Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, Parklawn Building, 5600 Fishers Lane, Room 8-103, Rockville, MD 20857; telephone number: (301) 443-2300.

SUPPLEMENTARY INFORMATION: The NPDB was established by Title IV of Public Law 99-660, the Health Care Quality Improvement Act of 1986, as amended. The NPDB is primarily an alert or flagging system intended to facilitate a comprehensive review of health care practitioners' professional credentials. On January 28, 2010, HRSA published a final rule in the Federal Register (75 FR 4656) designed to implement section 1921 of the Social Security Act (herein referred to as section 1921). Section 1921 expands the scope of the NPDB. Section 1921 requires each State to adopt a system of reporting to the Secretary certain adverse licensure actions taken against health care practitioners and health care entities by any authority of the State responsible for the licensing of such practitioners or entities. It also requires each State to report any negative action or finding that a State licensing authority, a peer review organization, or a private accreditation entity has finalized against a health care practitioner or entity. Practically speaking, section 1921 resulted in, among other consequences, the transfer of the vast majority of information contained in the HIPDB, a companion data bank, to the NPDB.

The HIPDB was created by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law (Pub. L. 104-191), which required the Secretary, acting through the Office of Inspector General (OIG) and the United States Attorney General, to establish a new health care fraud and abuse control program, to combat health care fraud and abuse. Together, the HIPDB and NPDB serve to facilitate review of health care practitioners' and entities' backgrounds.

II. Summary of the Proposed Rule

In the February 17, 2011Federal Register (76 FR 9295), HRSA published a proposed rule that would exempt the NPDB system of records from subsection (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). These exemptions are necessary to deal with the expansion of NPDB information after implementation of section 1921 on March 1, 2010. Groups that have access to the section 1921 information in the NPDB include all organizations eligible to query the NPDB under the Health Care Quality Improvement Act of 1986 (hospitals, other health care entities that conduct peer review and provide health care services, State medical or dental boards, and other health care practitioner State boards), other State licensing authorities, agencies administering Federal health care programs (including private entities administering such programs under contract), State agencies administering or supervising the administration of State health care programs, State Medicaid Fraud Control Units, certain law enforcement agencies, utilization and quality control peer review organizations (referred to as QIOs), as defined in Part B of title XI of the Social Security Act, and appropriate entities with contracts under section 1154(a)(4)(C) of the Social Security Act. Individual health care practitioners and entities can self-query.

One of the purposes of these data will be use of this information by a Federal or State government agency charged with the responsibility of investigating or prosecuting a case where there is an indication of a violation or potential violation of law, whether civil, criminal, or regulatory in nature. The information in this system may also be used in the preparation for a trial or hearing for such violation.

Specifically, this final rule now exempts the NPDB from the following subsections of the Privacy Act for the reasons set forth below:

* Subsection (c)(3). This provision requires that individuals be provided an accounting of disclosures of their records from a Privacy Act system, if requested. Providing an accounting of disclosures (i.e., an accounting of queries made by law enforcement agencies) to an individual who is the subject of an investigation could reveal the nature and scope of the investigation and could lead to the destruction or alteration of evidence, tampering with witnesses, and other evasive actions that could impede or compromise an investigation.

* Subsections (d)(1) through (d)(4). These provisions require that individuals be allowed to access and correct or amend their records in a Privacy Act system, if requested. Release of investigative records to an individual who is the subject of an investigation could interfere with pending or prospective law enforcement proceedings, or could reveal sensitive investigative techniques and procedures. Report subjects will have access to information on all other queries to the data bank. Report subjects are guaranteed access to, and correction rights for, substantive information reported to the NPDB. The procedures, appearing in 45 CFR part 60, use the Privacy Act access and correction procedures as a basic framework while, at the same time, providing significant additional rights (such as automatic notification to the record subject of any report filed with the data bank). Data bank subjects also have broader rights on NPDB correction procedures, including the right to file a statement of disagreement as soon as a report is filed with the data bank.

* Subsections (e)(4)(G) and (H), and (f). These provisions require that the system of records notice for a Privacy Act system provide the procedures whereby individuals can be notified at their request if the system contains records about them and can request and gain access to, and contest the content of, their records. Notifying an individual who is the subject of an investigation or a witness that a system of records contains information about him or her could reveal the nature and scope of the investigation and could result in the altering or destruction of evidence, improper influencing of witnesses, and other evasive actions that could impede or compromise an investigation. Report subjects are guaranteed access to, and correction rights for, substantive information reported to the NPDB. The same correction procedures apply (contained in 45 CFR part 60) as mentioned in the earlier bullet for subsections (d)(1) through (d)(4).

Accordingly, HRSA proposes to amend 45 CFR 5b.11(b)(2)(ii) of the HHS Privacy Act regulations by adding the following:

* A new paragraph (L) that exempts investigative materials compiled for law enforcement purposes for the National Practitioner Data Bank from requirements (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f) of the Privacy Act (5 U.S.C. 552a).

The system of records for the NPDB, which was last published in the Federal Register on October 1, 2010 (75 FR 60763), will be re-published promptly to reflect this change.

III. Summary and Response to Public Comments

The proposed rule set forth a 60-day public comment period, ending April 18, 2011. HRSA received one response from a national association representing physicians. Following are two concerns highlighted by the commenter and our responses to those concerns.

Issue #1: Commenter believes that shielding law enforcement queries from a NPDB physician subject's review would result in wasted law enforcement resources and would deny physicians due process.

Response: The restriction on revealing law enforcement queries to data bank report subjects has been in place for the last 15 years for the Healthcare Integrity and Protection Data Bank (HIPDB). Law enforcement queries constitute less than one percent of the total queries to the data bank and on average there are only 20 law enforcement queries per year. The act of querying the data bank does not deny providers due process rights or bar them from availing themselves of correction procedures, if a report is filed against them in the data bank. Law enforcement agencies are not required to notify subjects that they are under investigation and doing so would most likely compromise an investigation. The commenter additionally claims that law enforcement resources are being wasted. This claim has no evidentiary support, and HRSA feels it is best left to law enforcement officials to make this determination.

Issue #2: When commenting on the exemption of the NPDB from Privacy Act access and amendment procedures, commenter expressed support maintaining NPDB access and correction procedures so that NPDB subjects are guaranteed access to, and correction rights for, information reported to the NPDB. However, the commenter feels that shielding law enforcement queries from disclosure to physicians would hamper the physician's ability to ensure the accuracy of the information that has been reported to the NPDB.

--This is a summary of a Federal Register article originally published on the page number listed below--

Final rule.

CFR Part: "45 CFR Part 5b"

RIN Number: "RIN 0906-AA91"

Citation: "76 FR 72325"

Federal Register Page Number: "72325"

"Rules and Regulations"