Breadcrumb
  1. Home
  2. About HRSA
  3. Privacy Act and Systems of Records
  4. System of Record Notice 09-15-0054

System of Record Notice 09-15-0054

SYSTEM NAME AND NUMBER: National Practitioner Data Bank, 09-15-0054.

SECURITY CLASSIFICATION: Unclassified.

SYSTEM LOCATION: A contractor operates and maintains the system through a technical service contract managed by the Bureau of Health Workforce, Health Resources and Services Administration. The technical infrastructure of the system resides in a secure cloud service provider environment. Mail processing and customer service functions associated with the system are conducted at the contractor’s secure facility.

SYSTEM MANAGER AND ADDRESS: Deputy Director, Division of Business Operations, Bureau of Health Workforce, Health Resources and Services Administration, U.S. Department of Health and Human Services, 5600 Fishers Lane, Rockville, MD 20857, npdbpolicy@hrsa.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Title IV of the Health Care Quality Improvement Act of 1986, as amended (42 U.S.C. 11101–11152); Section 1128E of the Social Security Act, as amended (42 U.S.C. 1320a–7e); Section 1921 of the Social Security Act, as amended (42 U.S.C. 1396r–2); and Section 6403 of the Patient Protection and Affordable Care Act (amending 42 U.S.C. 1320a–7e and 1396r–2).

PURPOSE(S) OF THE SYSTEM: 

The purposes for which records about individuals in the National Practitioner Data Bank information technology system (NPDB IT system) are used are to: (1) receive reports containing information on medical malpractice payments and certain adverse actions, as enumerated in the Categories of Records section below, related to individual health care practitioners, suppliers, and providers; (2) store such reports so that future queriers may have access to pertinent information in the course of making important decisions related to the delivery of health care services; and (3) disseminate such data to individuals and entities that qualify to receive the reports under the governing statutes as authorized by the Health Care Quality Improvement Act of 1986, Section 1921 of the Social Security Act, and Section 1128E of the Social Security Act to protect the public from unfit practitioners and to prevent fraud and abuse. The NPDB IT system also allows individual practitioners, providers, and suppliers to self-query to access reports about them.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The records in this system of records are about individual health care practitioners, providers, and suppliers, and certifying officials and administrators of eligible entities about whom information is maintained in the NPDB IT system. Health care practitioners are defined by 45 CFR 60.3 and include, for example, physicians, dentists, nurses, allied health care professionals, and social workers. Health care suppliers are defined by 45 CFR 60.3, and health care providers are defined by 45 CFR 60.3.

CATEGORIES OF RECORDS IN THE SYSTEM: The records in the NPDB IT system that are about individuals and retrieved by personal identifier are reports, subject profile records, dispute resolution case files, entity registration records, and query data. Reports include, but are not limited to: (1) identifying information, such as name, work address, etc.; (2) medical malpractice payment reports for all health care practitioners (e.g., physicians, dentists, nurses, optometrists, pharmacists, podiatrists, etc.); (3) adverse licensure and certification action reports taken by states against health care practitioners, health care entities, providers or suppliers; (4) adverse licensure and certification action reports taken by federal agencies against health care practitioners, providers, or suppliers; (5) adverse clinical privileging actions reports for physicians, dentists, or other health care practitioners who may have medical staff privileges; (6) adverse professional society membership action reports for physicians, dentists, or other health care practitioners; (7) negative actions or findings taken against health care practitioners, health care entities, providers, or suppliers by peer review organizations and private accreditation entities; (8) federal or state criminal convictions related to the delivery of a health care item or service reports for health care practitioners, providers, or suppliers; (9) civil judgments related to the delivery of a health care item or service for health care practitioners, providers, or suppliers; (10) reports of exclusions of health care practitioners, providers, or suppliers from participation in state or federal health care programs; and (11) other adjudicated actions taken against health care practitioners, providers, or suppliers by federal agencies, state agencies, or health plans.

Query histories (also called disclosure histories) indicate the dates that a health care practitioner’s, provider’s, supplier’s, or entity’s report(s) were accessed/queried in the system; by whom; and meet accounting of disclosures requirements in the Privacy Act at 5 U.S.C. 552a(c). An individual practitioner’s, provider’s, or supplier’s report(s) and disclosure history are available to them, if they elect to submit a self-query. However, consistent with the exemptions established for this system of records pursuant to 5 U.S.C. 552a (k)(2), which exempts all investigative materials (i.e., all law enforcement queries) from certain Privacy Act requirements, including the accounting of disclosures and access requirements at 5 U.S.C. 552a(c) and (d)(1)–(4), the disclosure history will not include disclosures from query activity initiated by law enforcement agencies. Subject Profile records contain data on subjects of reports, such as address, date of birth, and licensure data extracted from one or more NPDB reports. Subject profiles are used as part of the NPDB matching process to compare and score data on NPDB queries to the data on NPDB subject profile records.

Subjects of NPDB reports may initiate a dispute if they feel the NPDB report is inaccurate or not reportable. NPDB staff adjudicate each dispute based on information collected by the reporter and subject of each report according to the law and regulations. For each dispute that gets elevated to the Health Resources and Services Administration (HRSA), a case file is created containing all the documentation, correspondence, analysis, and a letter that renders a decision to keep the disputed report as is, to send the disputed report to the reporter for correction, or to void the report altogether so it is not disclosable in response to any query.

Dispute cases are occasionally needed for evidence in civil trials. Additionally, content in past cases can be used by NPDB staff as a benchmark or template to help expedite adjudication of future cases. The NPDB maintains information about individuals in entity registration records to serve two purposes: (1) to ensure that each organization identifies a representative to serve as its certifying official, the individual selected and empowered by an entity to certify the legitimacy of registration for participation in the NPDB; and (2) to establish an entity administrator at each organization who will be in charge of user management and organizational administration for NPDB matters at the organization. For both the certifying official and entity administrator, entity registration documents are required to verify each representative’s identity, prove the entity exists, and verify each representative’s affiliation with that entity.

Query data is stored to support the NPDB system, support and track user base activities, and ensure accurate matching processes. All querying activities are tracked, monitored, and stored within the NPDB system in accordance with all federal requirements. Query data includes both data submitted by registered NPDB organizations when trying to retrieve matched NPDB report records and by individual practitioners, providers, and suppliers when using the NPDB Self-Query service that provides individual practitioners, providers, and suppliers with any matched NPDB reports on themselves. Query data includes the same identifying information found in the NPDB report record and subject profile records which supports the NPDB matching and report retrieval processes.

RECORD SOURCE CATEGORIES: The records contained in the system are submitted by the following entities: (1) insurance companies and others who have made payment as a result of a malpractice action or claim; (2) state health care licensing and certification authorities; (3) federal licensing and certification agencies (e.g., the Drug Enforcement Administration); (4) peer review organizations and private accreditation entities; (5) hospitals and other health care entities (includes professional societies); (6) federal and state prosecutors and attorneys; (7) health plans; (8) federal government agencies; (9) state law and fraud enforcement agencies; and (10) individual practitioners, providers, and suppliers when providing data as part of the NPDB Self-Query process.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

Information about a subject individual is or may be disclosed from this system of records to parties outside the agency, without the individual’s consent, for the following routine uses:

  1. To hospitals requesting information such as, but not limited to, adverse licensure actions, medical malpractice payments or exclusions from Medicare and Medicaid programs taken against all licensed health care practitioners such as physicians, dentists, nurses, podiatrists, chiropractors, psychologists, and providers and suppliers. The information is accessible to both public and private sector hospitals that can request information concerning a physician, dentist, or other health care practitioner who is on its medical staff (courtesy or otherwise) or who has clinical privileges at the hospital, for the purpose of: (a) screening the professional qualifications of individuals who apply for staff positions or clinical privileges at the hospital; and (b) meeting the requirements of the Health Care Quality Improvement Act of 1986, which prescribes that a hospital must query the NPDB once every 2 years regarding all individuals on its medical staff or who hold clinical privileges.
  2. To other health care entities, as defined in 45 CFR 60.3, to which a physician, dentist, or other health care practitioner has applied for clinical privileges or appointment to the medical staff or who has entered or may be entering an employment or affiliation relationship. The purpose of these disclosures is to assess the individual practitioner’s qualifications for staff appointment or clinical privileges.
  3. To a health care entity with respect to ‘‘professional review activity’’ (45 CFR 60.3). The purpose of these disclosures is to aid health care entities in the conduct of professional review activities, such as those involving determinations of whether a physician, dentist, or other health care practitioner may be granted membership in a professional society, the conditions of such membership, or changes to such membership; and ongoing professional review activities of the professional performance or conduct of a physician, dentist, or other health care practitioner.
  4. To a state health care practitioner and/or entity licensing or certification authority that requests information in the course of conducting a review of all health care practitioners or health care entities or when making licensure determinations about health care practitioners and entities. The purpose of these disclosures is to aid the board or certification authority in meeting its responsibility to protect the health of the population in its jurisdiction, and to assess the qualifications of individuals seeking licenses or certifications.
  5. To federal and state health care programs (and their contractors) that request information to aid them in ensuring the integrity of their programs and the professional competence of affiliated health care practitioners and uncovering information needed to make appropriate decisions in the delivery of health care.
  6. To state Medicaid Fraud Control Units that request information to assist with investigating fraud, waste, and abuse and in the prosecution of health care practitioners and providers relating to Medicaid programs.
  7. To utilization and quality control Peer Review Organizations and those entities which are under contract with the Centers for Medicare & Medicaid Services, when they request information to protect and improve the quality of care for Medicare beneficiaries in the course of performing quality of care reviews and other related activities.
  8. To a health care entity that has been reported on, when the entity queries the system to receive information concerning itself and the information is otherwise releasable to the entity (e.g., would not reveal a law enforcement investigation).
  9. To an attorney, or an individual representing themselves, who has filed a medical malpractice action or claim in a state or federal court or other adjudicative body against a hospital, and who requests information regarding a specific physician, dentist, or other health care practitioner who is also named in the action or claim, provided that: (a) this information will be disclosed only upon the submission of evidence that the hospital failed to request information from the NPDB as required by law and (b) the information will be used solely with respect to litigation resulting from the action or claim against the hospital. The purpose of these disclosures is to permit an attorney (or a person representing themselves in a medical malpractice action) to have information from the NPDB on a health care practitioner, under the conditions set out in this routine use.
  10. To any federal entity, employing or otherwise engaging under arrangement (e.g., such as a contract) the services of a physician, dentist, or other health care practitioner, or having the authority to sanction such individuals covered by a federal program, which: (a) enters into a memorandum of understanding with the U.S. Department of Health and Human Services (HHS) regarding its participation in the NPDB; (b) engages in a professional review activity in determining an adverse action against a practitioner; and (c) maintains a Privacy Act system of records regarding the health care practitioners it employs, or whose services it engages under arrangement. The purpose of such disclosures is to enable hospitals and other facilities and health care providers under the jurisdiction of federal agencies such as the Public Health Service, HHS; the Department of Defense; the Department of Veterans Affairs; the U.S. Coast Guard; and the Bureau of Prisons, Department of Justice, to participate in the NPDB. The Health Care Quality Improvement Act of 1986 includes provisions regarding the participation of such agencies and of the Drug Enforcement Agency.
  11. To the Department of Justice or to a court or other tribunal in the event of pending or potential litigation, for the purpose of enabling HHS to present an effective defense, where the defendant is: (a) HHS, any component of HHS, or any HHS employee in their official capacity; (b) the United States where HHS determines that the claim, if successful, is likely to affect directly the operation of HHS or any of its components; or (c) any HHS employee in their individual capacity where the Department of Justice has agreed to represent such employee, for example in defending a claim against the Public Health Service based upon an individual’s mental or physical condition alleged to have arisen because of activities of the Public Health Service in connection with such individual.
  12. To the contractor engaged by the agency to operate and maintain the system. Operation and maintenance functions include, but are not limited to, providing continuous user availability, developing system enhancements, upgrading infrastructure and software, providing information security assurance, and ensuring that timely system backups are completed.
  13. To a health plan requesting data concerning a health care provider, supplier, or practitioner for the purposes of preventing fraud and abuse activities and/or improving the quality of patient care, and in the context of hiring or retaining providers, suppliers and practitioners that are the subjects of reports.
  14. To federal agencies requesting data concerning a health care provider, supplier, or physician, dentist, or other practitioner for the purposes of antifraud and abuse activities and investigations, audits, evaluations, inspections, and prosecutions relating to the delivery of and payment for health care in the United States and/or improving the quality of patient care, and in the context of hiring or retaining the providers, suppliers, and individuals that are the subject of reports to the system. This would include law enforcement investigations and other law enforcement activities.
  15. To appropriate agencies, entities, and persons when: (a) HHS suspects or has confirmed that there has been a breach of the system of records; (b) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
  16. To another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in: (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Records are maintained in electronic form, using cloud storage.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: Records are retrieved by any of the following personal identifiers, singly or in combination, and/or in combination with other identifying information, such as date of birth, educational information, work address, etc.:

  • Name
  • Social Security Number
  • Taxpayer Identification Number
  • Federal Employer Identification Number
  • Drug Enforcement Agency Number
  • License Number
  • Unique Physician Identification Number
  • National Provider Identifier

A matching algorithm uses these identifiers to match queries to the subjects of NPDB reports.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: The records are maintained and disposed of in accordance with National Archives and Records Administration approved disposition schedule DAA–0512–2017–0002, available at: https://www.archives.gov/files/records-mgmt/rcs/schedules/departments/department-of-health-and-human-services/rg-0512/daa-0512-2017-0002_sf115.pdf (PDF - 507 KB), which provides the following disposition periods:

  • Item 1.1 NPDB reports; item 2.1 query transactions; and item 1.3 NPDB subject profile records: Cutoff at the end of each calendar year and destroy 75 years after cutoff (unless needed longer for legal or business purposes).
  • Item 4.1 NPDB dispute resolution case files: Cutoff at the close of the case and destroy 50 years after cutoff.
  • Item 5.1 Entity registration records: Cutoff 50 years after the last (most recent) registration renewal and destroy 50 years after cutoff (unless longer retention is authorized).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Safeguards conform to the HHS and HRSA Information Security and Privacy Program. Information is safeguarded in accordance with applicable laws, rules, and policies, including the HHS Information Security and Privacy documents, all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A–130, Managing Information as a Strategic Resource.

  • Administrative Safeguards: Authorized users include organizational users, such as government and contractor personnel, who support the NPDB. Organizational users (HRSA users and their contractors) are required to obtain favorable adjudication to hold a public trust position. Government and contractor personnel who support the NPDB must attend annual security training and sign the Rules of Behavior annually. Authorized users are given role-based access to the system on a limited need-to-know basis. All physical and logical access to the system is removed upon termination of employment. Non-organizational users, who are responsible for meeting NPDB reporting and/or querying requirements to the NPDB, are responsible for determining their eligibility to access the NPDB through a self-certification process that requires completing an Entity Registration process. All nonorganizational users must re-register every 2 years to access the NPDB. The registration process consists of an electronic authentication process where each user needs to prove their identity and organizational affiliation based on requirements in the NIST SP 800–63 Digital Identity Guidelines.
    Other administrative safeguards include system authorization that is required every 3 years which authorizes operation of the system based on acceptable risks. Through a continuous monitoring process, security assessments of the security controls implemented are conducted annually to verify compliance with all required controls. In addition, a Risk Assessment is conducted, at least annually, based on NIST SP 800–30 Risk Management Guide for Information Technology Systems guidance. Any weaknesses identified during the assessment are documented in the Plan of Actions and Milestones and monitored to effectively reduce risks and vulnerabilities to an acceptable level in accordance with HHS and HRSA policies.
  • Technical Safeguards: Technical safeguards include firewalls, network intrusion detection, host-based intrusion detection and file integrity monitoring, user identification, data loss prevention, and passwords restrictions. All web-based traffic is encrypted using 256-bit SSL and all network traffic is encrypted internally. All encryption used in the system meets FIPS 140–2 validation requirements. All NIST 800–53 rev 4 control families and Plastic Card Industry Data Security Standard control families selected and implemented are verified by third party auditors.
  • Physical Safeguards: At the NPDB Operations site, safeguards are in place 24 hours a day, 7 days a week and include picture identification badges, badge reader-controlled access, security guard monitoring, and fire and environmental safety controls. The cloud service provider provides physical safeguards to all its data centers. Physical access to the cloud service provider environment is logged, monitored, and retained. Physical access is controlled at building ingress points by professional security staff using surveillance, detection systems, and other electronic means. Authorized staff use multi-factor authentication mechanisms to access data centers. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to the cloud service provider’s 24/7 operations center for immediate logging, analysis, and response.

RECORD ACCESS PROCEDURES:

Although this system of records is exempt from the Privacy Act access requirement, the exemption is limited to law enforcement query records and is discretionary. Notwithstanding the access exemption, an individual record subject (individual health care practitioner, provider, or supplier) may seek access to any records about that individual in the NPDB. Access requests will be governed by NPDB-specific access provisions in 45 CFR 60.18 and 60.19.

  • Information Available by Self-Query: Individuals may generally access records about them over the web by registering to use the NPDB web application(s) and submitting an on-line form (also known as a self-query) or viewing a specific report on-line after being notified via U.S. mail that a report has been submitted to the NPDB and paying a fee. Report subjects will receive, with their self-query response, an accounting of disclosures that have been made of report records about them, if any, excluding any disclosures that were made in response to law enforcement queries (consistent with 5 U.S.C. 552a(c)(3) and the access exemption established for this system of records).
  • Requests by Electronic Transmission: Alternatively, individuals may submit a written request for records about them, electronically, to the NPDB website. The request must include the same identifying information listed in "Requests by Mail," below and requires paying a fee. For identity verification purposes, the request can be notarized, then mailed to the NPDB address specified in "Requests by Mail" below or uploaded to the NPDB website for processing. Qualified practitioners can also use Experian Precise ID for online identity proofing as an alternative to the paper-based notarization process. Output is delivered via U.S. mail or returned online.
  • Requests by Mail: As an alternative to making a request by self-query or by electronic transmission, individuals may submit a "Request for Information Disclosure" to the NPDB, P.O. Box 10832, Chantilly, VA 20153–0832 for any report about them. The request must contain the following identifying information: name, address, date of birth, Social Security Number (optional), professional schools and years of graduation, and the professional license(s). For license requests, the following must be included: the license number, the field of licensure, the name of the state or territory in which the license is held and, if applicable, Drug Enforcement Administration registration number(s). The practitioner must submit the completed form, signed and notarized, and pay a fee, before the self query request will be fulfilled.
  • Requests in Person: Due to security considerations, the NPDB cannot accept requests in person.
  • Requests by Telephone: As an alternative to self-query, electronic transmission, or mail, individuals may make an access request by telephone, by providing all of the applicable identifying information listed pertaining to them in "Requests by Mail" above to the NPDB Customer Service Center operator. The NPDB Customer Service Center operator will complete the form and mail it to the practitioner for verification. Once verified, the practitioner must submit the completed form, signed and notarized, and pay a fee, before the self-query request will be fulfilled.

CONTESTING RECORD PROCEDURES: Because of the system of records’ exemptions (described in the below "Exemptions" section), the procedures for disputing an NPDB report will not apply to law enforcement query history information that is exempt from access. All amendment requests will be governed by NPDB-specific amendment provisions in 45 CFR 60.21.

The NPDB mails (based on the address provided in the report) or emails (based on the email address provided by the subject) a notification of any report filed in it to the subject individual. A subject individual may contest the accuracy of information in the NPDB and file a dispute. To dispute the accuracy of the information, the individual must contact the NPDB and the reporting entity to: (1) request that the reporting entity file a correction to the report and (2) request the information be entered into a "disputed" status and submit a statement regarding the basis for the inaccuracy of the information in the report. If the reporting entity declines to change the disputed report or takes no action, the subject may request that the Secretary of HHS review the disputed report. To seek a review, the subject must: (1) provide written documentation containing clear and brief factual information regarding the information of the report, (2) submit supporting documentation or justification substantiating that the reporting entity’s information is inaccurate, and (3) submit proof that the subject individual has attempted to resolve the disagreement with the reporting entity but was unsuccessful. HHS can only determine whether the report was legally required to be filed and whether the report accurately depicts the action taken and the reporter’s basis for action. Additional detail on the process of dispute resolution can be found in the NPDB regulations, at 45 CFR 60.21.

NOTIFICATION PROCEDURE: An individual report subject is notified via U.S. mail or email when a report concerning that individual is submitted to the NPDB via Subject Notification Document; however, the mail or email address may not be current. A subject individual may make a notification request, inquiring whether the system of records contains a record about them, in the same manner specified in the ‘‘Record Access Procedures’’ section, above, for making an access request. This procedure is unchanged by the exemption published for the system of records. The procedure is governed by NPDB-specific provisions in 45 CFR 60.18 and 60.19. 

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

The Secretary has exempted law enforcement query records in this system of records from certain provisions of the Privacy Act. In accordance with 5 U.S.C. 552a(k)(2) and 45 CFR 5b.11(b)(2)(ii)(L), with respect to law enforcement query records, this system of records is exempt from subsections (c)(3), (d)(1)–(4), (e)(4)(G) and (H), and (f) of 5 U.S.C. 552a. See 76 FR 72325 (Nov. 23, 2011).

HISTORY: 78 FR 47322 (Aug. 5, 2013), 83 FR 6591 (Feb. 14, 2018).

Date Last Reviewed: