System of Record Notice 09-15-0054
SYSTEM NUMBER: 09-15-0054
SYSTEM NAME: National Practitioner Data Bank
SECURITY CLASSIFICATION: Unclassified.
SYSTEM LOCATION: A contractor operates and maintains the system through a technical service contract for the Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration. This system is located at a contractor run data center, a secure facility; the street address will not be disclosed for security reasons. The address of the Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, is Room 8-103, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The system collects and maintains records pertaining to the professional competence and conduct of health care practitioners as defined by 45 CFR 60.3 (e.g., physicians, dentists, nurses, allied health care professionals, social workers), health care suppliers as defined by 45 CFR 60.3 (e.g., durable medical equipment suppliers, manufactures of health care items, pharmaceutical suppliers and manufacturers), health care providers as defined by 45 CFR 60.3 (e.g., hospitals and health plans) and health care entities as defined by 45 CFR 60.3 (e.g., hospitals and health maintenance organizations which are licensed by a state). The first three categories (health care practitioners, providers and suppliers) include only individuals, or a mixture of individuals and entities.
CATEGORIES OF RECORDS IN THE SYSTEM: The system collects and maintains reports and query history records.
Reports include: (1) medical malpractice payment reports for all health care practitioners (e.g., physicians, dentists, nurses, optometrists, pharmacists, podiatrists, etc.); (2) adverse licensure and certification action reports taken by states against health care practitioners, health care entities, providers or suppliers; (3) adverse licensure and certification action reports taken by federal agencies against health care practitioners, providers, or suppliers; (4) adverse clinical privileging actions reports for physicians, dentists, or other health care practitioners who may have medical staff privileges; (5) adverse professional society membership action reports for physicians, dentists or other health care practitioners; (6) negative actions or findings taken against health care practitioners, health care entities, providers, or suppliers by peer review organizations and private accreditation entities; (7) federal or state criminal convictions related to the delivery of a health care item or service reports for health care practitioners, providers, or suppliers; (8) civil judgments related to the delivery of a health care item or service for health care practitioners, providers, or suppliers; (9) reports of exclusions of health care practitioners, providers, or suppliers from participation in state or federal health care programs; and (10) other adjudicated actions taken against health care practitioners, providers, or suppliers by federal agencies, state agencies, or health plans. Reports may contain the following personally-identifiable data elements and records:
- Work address
- Home address
- Social Security number or individual tax identification number (ITIN)
- Date of birth
- Name of each professional school attended and year of graduation
- Professional license(s) number
- Field of licensure
- Name of the state or territory in which the license is held
- Drug Enforcement Administration (DEA) registration numbers
- Centers for Medicare & Medicaid Services (CMS) unique practitioner identification number (for exclusions only)
- Names of each hospital with which the practitioner is affiliated
- Name and address of the entity making the payment
- Name, title, and telephone number of the official responsible for submitting the report on behalf of the entity
- Payment information including the date and amount of payment and whether it is for a judgment or settlement
- Date action occurred
- Acts or omissions upon which the action or claim was based
- Description of the action/omissions and injuries or illnesses upon which the action or claim was based
- Description of the Board action, the date of action and its effective date
- Classification of the action/omission per reporting code
- Court or judicial venue in which action was taken
- Docket or court file number
- Name of prosecuting agency or Civil Plaintiff
- Prosecuting agency’s case number
- Statutory offense and counts
- Date of judgment/sentence
- Length of sentence
- Amount of judgment or monetary penalty
- Restitution or other orders
- Nature of offense on which the action was based
- Investigative agencies involved and any case/file numbers, if known
Query histories indicate the dates that a health care practitioner’s, provider’s, supplier’s, or entity’s report(s) were accessed/queried in the system and by whom. An individual practitioner’s, provider’s or supplier’s report(s) and query history are available to him or her, if he or she elects to submit a self-query. However, the query history will not include query activity by law enforcement agencies, if any, due to the system’s exemption (described below, under “System Exempted From Certain Provisions of the Act”).
AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Title IV of the Health Care Quality Improvement Act of 1986 (Title IV), as amended, Section 1921 of the Social Security Act, as amended, and Section 1128E of the Social Security Act as amended.
PURPOSE(S): The purpose of the system is to: (1) receive information such as medical malpractice payment reports, negative peer review actions, adverse licensure or certification actions, health care related criminal convictions, health care related civil judgments, exclusions, adverse clinical privileging actions, and other adjudicated actions as enumerated in the Categories of Reports, above, on all health care practitioners, suppliers, providers and entities; (2) store such reports so that future queriers may have access to pertinent information in the course of making important decisions related to the delivery of health care services; and (3) disseminate such data to individuals and entities that qualify to receive the reports under the governing statutes as authorized by the Health Care Quality Improvement Act of 1986, Section 1921 of the Social Security Act and Section 1128E of the Social Security Act to protect the public from unfit practitioners and to prevent fraud and abuse. The system also allows practitioners, providers, and suppliers to self-query.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
Information from this system is disclosed outside the agency for the following routine uses:
1. To hospitals requesting information such as adverse licensure actions, medical malpractice payments or exclusions from Medicare and Medicaid programs taken against all licensed health care practitioners such as physicians, dentists, nurses, podiatrists, chiropractors, and psychologists. The information is accessible to both public and private sector hospitals that can request information concerning a physician, dentist or other health care practitioner who is on its medical staff (courtesy or otherwise) or who has clinical privileges at the hospital, for the purpose of: (a) screening the professional qualifications of individuals who apply for staff positions or clinical privileges at the hospital; and (b) meeting the requirements of the Health Care Quality Improvement Act of 1986, which prescribes that a hospital must query the NPDB once every 2 years regarding all individuals on its medical staff or who hold clinical privileges.
2. To other health care entities, as defined in 45 CFR 60.3, to which a physician, dentist or other health care practitioner has applied for clinical privileges or appointment to the medical staff or who has entered or may be entering an employment or affiliation relationship. The purpose of these disclosures is to assess the individual practitioner’s qualifications for staff appointment or clinical privileges.
3. To a health care entity with respect to professional review activity. The purpose of these disclosures is to aid health care entities in the conduct of professional review activities, such as those involving determinations of whether a physician, dentist, or other health care practitioner may be granted membership in a professional society, the conditions of such membership, or changes to such membership; and ongoing professional review activities of the professional performance or conduct of a physician, dentist, or other health care practitioner.
4. To a state health care practitioner and/or entity licensing or certification authority that requests information in the course of conducting a review of all health care practitioners or health care entities or when making licensure determinations about health care practitioners and entities. The purpose of these disclosures is to aid the board or certification authority in meeting its responsibility to protect the health of the population in its jurisdiction, and to assess the qualifications of individuals seeking licenses or certifications.
5. To federal and state health care programs (and their contractors) that request information to aid them in ensuring the integrity of their programs and the professional competence of affiliated health care practitioners and uncovering information needed to make appropriate decisions in the delivery of health care.
6. To state Medicaid Fraud Control Units that request information to assist with investigating fraud, waste and abuse and in the prosecution of health care practitioners and providers relating to the Medicaid programs.
7. To utilization and quality control Peer Review Organizations and those entities which are under contract with the CMS, when they request information to protect and improve the quality of care for Medicare beneficiaries in the course of performing quality of care reviews and other related activities.
8. To a health care provider, supplier, or practitioner who requests information concerning himself, herself, or itself.
9. To a health care entity that has been reported on, when the entity queries the system to receive information concerning itself.
10. To an attorney, or an individual representing himself or herself, who has filed a medical malpractice action or claim in a state or federal court or other adjudicative body against a hospital, and who requests information regarding a specific physician, dentist, or other health care practitioner who is also named in the action or claim, provided that: (a) This information will be disclosed only upon the submission of evidence that the hospital failed to request information from the NPDB as required by law; and (b) the information will be used solely with respect to litigation resulting from the action or claim against the hospital. The purpose of these disclosures is to permit an attorney (or a person representing himself or herself in a medical malpractice action) to have information from the NPDB on a health care practitioner, under the conditions set out in this routine use.
11. To any federal entity, employing or otherwise engaging under arrangement (e.g., such as a contract) the services of a physician, dentist, or other health care practitioner, or having the authority to sanction such individuals covered by a federal program, which: (a) enters into a memorandum of understanding with HHS regarding its participation in the NPDB; (b) engages in a professional review activity in determining an adverse action against a practitioner; and (c) maintains a Privacy Act system of records regarding the health care practitioners it employs, or whose services it engages under arrangement. The purpose of such disclosures is to enable hospitals and other facilities and health care providers under the jurisdiction of federal agencies such as the Public Health Service, HHS; the Department of Defense; the Department of Veterans’ Affairs; the U.S. Coast Guard; and the Bureau of Prisons, Department of Justice, to participate in the NPDB. The Health Care Quality Improvement Act of 1986 includes provisions regarding the participation of such agencies and of the DEA.
12. To the Department of Justice in the event of litigation, for the purpose of enabling HHS to present an effective defense, where the defendant is: (a) HHS, any component of HHS, or any HHS employee in his or her official capacity; (b) the United States where HHS determines that the claim, if successful, is likely to affect directly the operation of HHS or any of its components; or (c) any HHS employee in his or her individual capacity where the Department of Justice has agreed to represent such employee, for example in defending a claim against the Public Health Service based upon an individual’s mental or physical condition and alleged to have arisen because of activities of the Public Health Service in connection with such individual; provided that such disclosure is compatible with the purpose for which the records were collected.
13. To the contractor engaged by the agency to operate and maintain the system. Operation and maintenance functions include but are not limited to providing continuous user availability, developing system enhancements, upgrading hardware and software, providing information security assurance, and performing system backups.
14. To a health plan requesting data concerning a health care provider, supplier, or practitioner for the purposes of preventing fraud and abuse activities and/or improving the quality of patient care, and in the context of hiring or retaining providers, suppliers and practitioners that are the subjects of reports.
15. To federal agencies requesting data concerning a health care provider, supplier, or physician, dentist or other practitioner for the purposes of anti-fraud and abuse activities and investigations, audits, evaluations, inspections and prosecutions relating to the delivery of and payment for health care in the United States and/or improving the quality of patient care, and in the context of hiring or retaining the providers, suppliers and individuals that are the subject of reports to the system. This would include law enforcement investigations and other law enforcement activities.
16. To appropriate federal agencies and HHS contractors that have a need to know the information for the purpose of assisting HHS’ efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE: Records are maintained on database servers with disk storage, optical jukebox storage, backup tapes and printed reports.
RETRIEVABILITY: Records are retrieved by name, date of birth, Social Security Number, educational information, and license number. The matching algorithm uses these data elements to match reports to the subject.
1. Authorized users include internal users such as government and contractor personnel who support the NPDB. Users are required to obtain favorable adjudication for a Level 5 Position of Public Trust. Government and contractor personnel who support the NPDB must attend security training, sign a Non-Disclosure Agreement, and sign the Rules of Behavior, which is renewed annually. Users are given role-based access to the system on a limited need-to-know basis. All physical and logical access to the system is removed upon termination of employment. External users, who are responsible for meeting NPDB reporting and/or querying requirements to the NPDB, are responsible for determining their eligibility to access the NPDB through a self-certification process which requires completing an Entity Registration form. All external users must acknowledge the Rules of Behavior. All external users must re-register every two years to access the NPDB. The registration process consists of an electronic authentication process where each user needs to prove his or her identity and organizational affiliation based on requirements in National Institute of Standards and Technology (NIST) SP 800-63-1. Both HRSA and the contractor maintain lists of authorized users.
2. Physical safeguards involve physical controls that are in place 24 hours a day/7 days a week such as identification badge access, cipher locks, locked hardware cages, man trap with biometric hand scanner, security guard monitoring, and closed circuit TV. All sites are protected with fire and environmental safety controls.
3. Technical safeguards include firewalls, network intrusion detection, host-based intrusion detection and file integrity monitoring, user identification, database activity monitoring, data loss prevention and passwords restrictions. All web-based traffic is encrypted using 128 bit SSL and all network traffic is encrypted internally.
4. Administrative safeguards involve certification and accreditation that is required every three years, which authorizes operation of the system based on acceptable risk. Security assessments are conducted continuously throughout the year to verify compliance with all required controls.
RETENTION AND DISPOSAL OF RECORDS: HRSA is working with the National Archive and Records Administration (NARA) to determine the appropriate retention period for electronic records. The records require long-term retention. Pending finalization of an appropriate disposition schedule with the National Archives and Records Administration (NARA), the records are being retained indefinitely.
SYSTEM MANAGER AND ADDRESS: Director, Division of Practitioner Data Banks, Bureau of Health Professions, Health Resources and Services Administration, Room 8-103, Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.
NOTIFICATION PROCEDURE Currently, an individual report subject is notified via U.S. mail when a report concerning him or her is submitted to the NPDB via Subject Notification Document (SND). This procedure is unchanged by the exemption published for the system.
RECORD ACCESS PROCEDURES: Although this system is exempt from the Privacy Act access requirement, the exemption is limited and discretionary. An individual report subject may seek access to his or her records in the NPDB by submitting a self-query request form on-line. The requests are submitted over the web using the Integrated Query and Reporting Service (IQRS), Query and Reporting Extensible Markup Language Service (QRXS), Interface Control Document (ICD) Transfer Program (ITP) or the Continuous Query. Self-query, as described previously, may be initiated via the electronic system and is completed using the conventional mail system. Requesters, including self-queriers, will receive an accounting of disclosures that have been made of their records, if any. The exemption will prevent law enforcement query activity from being disclosed to the health care practitioner in response to a self-query. Notwithstanding the access exemption, a practitioner may request access to his or her full query history (i.e., including law enforcement query activity, if any), by submitting a written request to the System Manager identified above and following the same procedures indicated under “Notification Procedure.” The request will be processed pursuant to the agency’s discretionary access authority under 45 CFR 5b.11(d).
REQUESTS BY MAIL: Practitioners may submit a “Request for Information Disclosure” to the address under system location for any report on themselves. The request must contain the following: name, address, date of birth, gender, Social Security Number (optional), professional schools and years of graduation, and the professional license(s). For license, include: the license number, the field of licensure, the name of the state or territory in which the license is held, and DEA registration number(s). The practitioner must submit a signed and notarized self-query request.
REQUESTS IN PERSON: Due to security considerations, the NPDB cannot accept requests in person.
REQUESTS BY TELEPHONE: Practitioners may provide all of the identifying information stated above to the NPDB Customer Service Center operator. Before the data request is fulfilled, the operator will return a paper copy of this information for verification, signature and notarization.
PENALTIES FOR VIOLATION: Submitting a request under false pretenses is a criminal offense and subject to a civil monetary penalty of up to $11,000 for each violation. 42 C.F.R. § 1003.103(c).
CONTESTING RECORD PROCEDURES: Because of the system’s exemption, the procedures for disputing an NPDB report will not apply to law enforcement query history information that is exempt from access, and all amendment requests will be governed by the procedures at 45 CFR 60.21. The NPDB routinely mails a copy of any report filed in it to the subject individual. A subject individual may contest the accuracy of information in the NPDB concerning himself or herself and file a dispute. To dispute the accuracy of the information, the individual must contact the NPDB and the reporting entity to: (1) request that the reporting entity file a correction to the report; and (2) request the information be entered into a “disputed” status and submit a statement regarding the basis for the inaccuracy of the information in the report. If the reporting entity declines to change the disputed report or takes no actions, the subject may request that the Secretary of HHS review the disputed report. In order to seek a review, the subject must: (1) provide written documentation containing clear and brief factual information regarding the information of the report; (2) submit supporting documentation or justification substantiating that the reporting entity’s information is inaccurate; and (3) submit proof that the subject individual has attempted to resolve the disagreement with the reporting entity but was unsuccessful. The Department can only determine whether the report was legally required to be filed and whether the report accurately depicts the action taken and the reporter’s basis for action. Additional detail on the process of dispute resolution can be found at 45 CFR 60.21 of the NPDB regulations.
RECORD SOURCE CATEGORIES: The records contained in the system are submitted by the following entities: (1) insurance companies and others who have made payment as a result of a malpractice action or claim; (2) state health care licensing and certification authorities; (3) federal licensing and certification agencies (e.g., DEA); (4) peer review organizations and private accreditation entities; (5) hospitals and other health care entities (includes professional societies); (6) federal and state prosecutors and attorneys; (7) health plans; (8) federal government agencies; and (9) state law and fraud enforcement agencies.
SYSTEM EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
The Secretary has exempted law enforcement query records in this system from certain provisions of the Privacy Act. In accordance with 5 USC 552a(k)(2) and 45 CFR 5b.11(b)(2)(ii)(L), with respect to law enforcement query records, this system is exempt from subsections (c)(3), (d)(1)-(4), (e)(4)(G) and (H), and (f) of 5 USC 552a. See 76 FR 72325, published November 23, 2011, adding NPDB as an exempt system.
Last Reviewed: March 2016