System name: National Practitioner Data Bank
for Adverse Information on Physicians and Other
Health Care Practitioners, HHS/HRSA/BHPr.
Security classification: None.
System location: The SPA Corporation
(the Contractor) operates the National Practitioner
Data Bank (Data Bank) under contract with the
Bureau of Health Professions (BHPr), Health
Resources and Services Administration (HRSA).
Records are located at the following address:
National Practitioner Data Bank, PO Box 10832,
Chantilly, VA 20151.
For security reasons, the street address cannot
be disclosed. Categories of individuals covered
by the system: Health care practitioners including
physicians, dentists, and all other health care
practitioners (such as nurses, optometrists,
pharmacists, and podiatrists), licensed or otherwise
authorized by a State to provide health care
services, on whose behalf a payment has been
made as a result of a malpractice action or
claim; physicians and dentists who are the subject
of licensure disciplinary actions; and physicians,
dentists and other health care practitioners
who are on medical staffs or who hold clinical
privileges, or who are members of professional
societies, against whom certain adverse actions
have been taken as a result of a professional
review action.
Categories of records in the system:
- For malpractice payments. Information on the
physician, dentist or other licensed health
care practitioner such as name; work address;
home address, if known; Social Security number,
if known, and obtained in accordance with
section 7 of the Privacy Act of 1974; date
of birth; name of each professional school
attended and year of graduation; for each
professional license: The license number,
the field of licensure, and the name of the
State or Territory in which the license is
held; Drug Enforcement Administration registration
number(s), if known; and name of each hospital
with which the practitioner is affiliated,
if known. Information on the person or entity
making the payment, such as the name and address
of the person or entity making the payment;
and the name, title, and telephone number
of the responsible official submitting the
report on behalf of the entity.
Information on the payments, such as the date
of the occurrence of the acts or omissions
upon which the action or claim was based;
date and amount of payment; description of
the acts or omissions and injuries or illnesses
upon which the action or claim was based;
and classification of the acts or omission
per reporting code.
- For State Medical or Dental Board actions.
Information such as: The physician’s
or dentist’s name; work address; home
address, if known; Social Security number,
if known, and if obtained in accordance with
section 7 of the Privacy Act of 1974; date
of birth; name of each professional school
attended and year of graduation; for each
professional license: The license number,
the field of licensure, and the name of the
State or Territory in which the license is
held; Drug Enforcement Administration registration
number, if known; description of the acts
or omission or other reasons for the action
taken; description of the Board action; the
date the action was taken and its effective
date; and classification of the action per
reporting code.
- For certain professional review actions. Information
such as the physician’s, dentist’s
or other health care practitioner’s
name; work address; home address, if known;
date of birth; name of each professional school
attended and year of graduation; for each
professional license: The license number,
the field of licensure, and the names of the
State or Territory in which the license is
held; Drug Enforcement Administration registration
number, if known; Social Security number,
if known, and if obtained in accordance with
section 7 of the Privacy Act of 1974; description
of the acts or omissions or other reasons
for clinical privilege or professional society
membership loss or, if known, for surrender;
and action taken, date the action was taken,
and effective date of the action.
- Inquiry file. Copies of all inquiries received by
the Data Bank.
- For OIG Medicare/Medicaid Exclusions. Under
authority of section 1106(a) of the Social
Security Act, 42 CFR 401.105, and routine
use exception of the Privacy Act (5 U.S.C.
522a(b) (3)), HCFA will provide certain specific
information on physicians, practitioners,
providers, and other health care entities
which the OIG has excluded from participation
in and from recovering payment from the Medicare
and Medicaid programs. HCFA will provide information
such as the physician’s, dentist’s
or other health care practitioner’s
name; Social Security number (used for Data
Bank matching purposes only; not disclosed
to authorized queries); HCFA’s unique
practitioner identifier number; date of birth;
basis for exclusion; facts about the exclusion;
status of exclusion; and other information
as necessary to ensure proper identification.
Authority for maintenance of the system:
The Health Care Quality Improvement
Act of 1986 (the Act), as amended, section 424(b),
42 U.S.C. 11134(b), authorizes the maintenance
of records of medical malpractice payments,
disciplinary actions taken by Boards of Medical
Examiners, and professional review actions taken
by health care entities.
Purpose(s): The purposes of
the system are to (1) Receive from insurance
companies and others making payments as a result
of malpractice actions or claims, State Medical
and Dental Boards, and health care entities,
information pertaining to the professional performance
or conduct of physicians, dentists and other
licensed health care practitioners; and (2)
disseminate such data to health care entities,
to State professional licensing boards, and
to others as authorized by the Act.
Routine uses of records maintained in
the system, including categories of users and
the purposes of such uses:
Data may be disclosed to:
- A hospital requesting data concerning a physician,
dentist or other health care practitioner
who is on its medical staff (courtesy or otherwise)
or who has clinical privileges at the hospital,
for the purpose of: (a) Screening the professional
qualifications of individuals who apply for
staff positions or clinical privileges at
the hospital; and (b) meeting the requirements
of the Health Care Quality Improvement Act
of 1986, which also prescribes that a hospital
must query the Bank once every 2 years regarding
all individuals on its medical staff or who
hold clinical privileges.
- Other health care entities, as defined in
45 CFR 60.3, to which a physician, dentist
or other health care practitioner has applied
for clinical privileges or appointment to
the medical staff or who has entered or may
be entering an employment or affiliation relationship.
The purpose of these disclosures is to identify
individuals whose professional conduct may
be unsatisfactory.
- A health care entity with respect to professional
review activity. The purpose of these disclosures
is to aid health care entities in the conduct
of professional review activities, such as
those involving determinations of whether
a physician, dentist, or other health care
practitioner may be granted membership in
a professional society; the conditions of
such membership, or of changes to such membership;
and ongoing professional review activities
conducted by a health care entity which provides
health care services, of the professional
performance or professional conduct of a physician,
dentist, or other health care practitioner.
- A State professional licensing board conducting
a review of an individual. The purpose of
these disclosures is to aid the board in meeting
its responsibility to protect the health of
the population in its jurisdiction, by identifying
individuals whose professional performance
or professional conduct may be unsatisfactory.
- An attorney, or individual representing himself
or herself, who has filed a medical malpractice
action or claim in a State or Federal court
or other adjudicative body against a hospital,
and who requests information regarding a specific
physician, dentist, or other health care practitioner
who is also named in the action or claim provided
that (a) This information will be disclosed
only upon the submission of evidence that
the hospital failed to request information
from the Bank as required by law, and (b)
the information will be used solely with respect
to litigation resulting from the action or
claim against the hospital. The purpose of
these disclosures is to permit an attorney
(or a person representing himself or herself
in a medical malpractice action) to have information
from the Bank on a health care practitioner,
under the conditions set out in this routine
use.
- Any Federal entity, employing or otherwise
engaging under arrangement (e.g., such as
a contract) the services of a physician, dentist,
or other health care practitioner, or having
the authority to sanction such practitioners
covered by a Federal program, which (a) Enters
into a memorandum of understanding with HHS
regarding its participation in the Bank; (b)
engages in a professional review activity
in determining an adverse action against a
practitioner; and (c) maintains a Privacy
Act system of records regarding the health
care practitioners it employs, or whose services
it engages under arrangement. The purpose
of such disclosures is to enable hospitals
and other facilities and health care providers
under the jurisdiction of Federal agencies
such as the Public Health Service, HHS; the
Department of Defense; the Department of Veterans’
Affairs; the U.S. Coast Guard; and the Bureau
of Prisons, Department of Justice, to participate
in the Bank. The Health Care Quality Improvement
Act of 1986 includes provisions regarding
the participation of such agencies, and of
the Federal Drug Enforcement Administration,
in the Bank.
- In the event of litigation where the defendant
is (a) The Department, any component of the
Department, or any employee of the Department
in his or her official capacity; (b) the United
States where the Department determines that
the claim, if successful, is likely to affect
directly the operation of the Department or
any of its components; or (c) any Department
employee in his or her individual capacity
where the Department of Justice has agreed
to represent such employee, for example in
defending a claim against the Public Health
Service based upon an individual’s mental
or physical condition and alleged to have
arisen because of activities of the Public
Health Service in connection with such individual,
disclosures may be made to the Department
of Justice to enable the Department to present
an effective defense, provided that such disclosure
is compatible with the purpose for which the
records were collected.
Policies and practices for storing, retrieving, accessing,
retaining, and disposing of records in the system:
- Storage: Records are maintained in electronic
folders, on magnetic tape, and/or disks.
- Retrievability:
Retrieval will be by use of personal identifiers,
including a unique identifier assigned by
the Data Bank.
- Safeguards:
- Authorized Users: Access to records is limited to
designated employees of the Contractor
and to designated HRSA staff. The Data
Bank Project Director and Manager of Operations
are among the Contractor’s employees
who are authorized users. The Contracting
Officer’s Technical Representative
(COTR) and AIS Security Officer are among
the HRSA staff who are authorized users.
Both HRSA and the contractor maintain
lists of authorized users.
- Physical Safeguards: Magnetic tapes, disks,
computer equipment, and hard copy files
are stored in areas where fire and environmental
safety codes are strictly enforced. All
automated and nonautomated documents are
protected on a 24-hour basis. Perimeter
security includes intrusion alarms, random
guard patrols, monitors, key/passcard/combination
controls, receptionist controlled area,
and reception alarm button.
- Procedural and Technical Safeguards: A
password is required to access the system,
and additional identification numbers
and passwords, to limit access to data
to only authorized users. All users of
personal information, in connection with
the performance of their jobs, protect
information from public view and from
unauthorized personnel entering an unsupervised
area. All authorized users will sign a
nondisclosure statement. To protect the
confidentiality of information contained
in the system, when a person leaves or
no longer has authorized duties, the Security
Officer deletes his or her identification
number and password, retrieves all electronic
access cards, and changes all combinations
to which the departing employee had access.
The system automatically logs all access
to data resources.
Access to records is limited to those
authorized personnel trained in accordance
with the Privacy Act and ADP security
procedures. The Contractor is required
to assure the confidentiality safeguards
of these records and to comply with all
provisions of the Privacy Act. All individuals
who have access to these records must
have the appropriate ADP security clearances.
Privacy Act and ADP system security requirements
are included in the contract with the
SPA Corporation. In addition, the Data
Bank Project Officer and the System Manager
oversee compliance with these requirements.
HRSA staff who are authorized users will
make site visits to the Contractor’s
facilities to assure compliance with security
and Privacy Act requirements. The safeguards
described above were established in accordance
with DHHS Chapter 45-13 and supplementary
Chapter PHS hf: 45-13 of the General Administration
Manual, and the DHHS Information Resources
Management Manual, Part 6. “ADP
Systems Security.”
Retention and disposal:
- Project Director’s Subject File--significant
documents associated with the creation and
maintenance of the Data Bank, such as essential
policy documents, regulations, and handbooks.
Authorized disposition is permanent. Cut off
superseded materials annually. Transfer to
the WNRC in 5-year blocks when 5 years old.
Transfer to the National Archives 5 years
thereafter. Annual accumulation is less than
one cubic foot. Amount on hand is less than
one cubic foot.
- Source Documents--reporting and query forms. Authorized
disposition is temporary. Destroy hardcopy
forms after conversion to microfilm when no
longer needed for administrative purposes.
Dispose of microfilm and diskettes in contractor
office space when no longer needed to support
the reconstruction of, or serve as a backup
to, the Master File, whichever is later.
- Master file and associated documentation.
Authorized disposition is not authorized.
Maintain until NARA and HRSA agree on a disposition.
Data may be cut off annually. As the data
and documentation remain unscheduled, maintenance
and storage procedures shall conform with
the provisions laid out in 36 CFR
1234.28.
- General administrative records associated
with the establishment and maintenance of
the Data Bank, both at the contractor and
at HRSA. Authorized disposition is temporary.
Destroy when no longer needed for administrative
purposes.
System manager(s) and address:
- Director, Division of Quality Assurance, Bureau
of Health Professions, Health Resources and
Services Administration, Room 8A-55, Parklawn
Building, 5600 Fishers Lane, Rockville, Maryland
20857.
Notification procedure: An
individual is informed when a record concerning
himself or herself is entered into the Data
Bank, with the exception of HCFA exclusion reports.
Requests by mail: Practitioners
may submit a “Request for Information
Disclosure” to the address under
system location for any report on themselves.
The request must contain the following: Name,
address, date of birth, gender, Social Security
Number (optional), professional schools and
years of graduation, and the professional license(s).
For license, include: The license number, the
field of licensure, the name of the State or
Territory in which the license is held, and
Drug Enforcement Administration registration
number(s). Practitioners must sign and have notarized
their requests. Submitting a request under false
pretenses is a criminal offense subject to,
at a minimum, a $5,000 fine under provisions
of the Privacy Act, and to a $10,000 fine under
provisions of the Health Care Quality Improvement
Act of 1986.
Requests in person: Due to
security considerations, the Data Bank cannot
accept requests in person.
Request by telephone: Practitioners
may provide all of the identifying information
stated above to the Data Bank Helpline operator.
Before the data request is fulfilled, the operator
will return a paper copy of this information
for verification, signature and notarization.
Record access procedures: Same as notification
procedures. Requesters will receive an accounting
of disclosure that has been made of their records,
if any.
Contesting record procedures:
The Data Bank routinely mails a copy of any
report filed (other than those filed by HCFA)
in it to the subject individual. Any record
subject may contest the accuracy of information
in the Data Bank (except information filed by
HCFA) concerning himself or herself and file
a dispute. To dispute the accuracy of the information,
the individual must notify the Data Bank by:
- Identifying the record involved;
- specifying the information being contested;
- stating the corrective action sought and reason for
requesting the correction; and
- submitting supporting justification and/or documentation
to show how the record is inaccurate. At the
same time, the individual must notify the
reporting entity, in writing.
Additional detail on the process of dispute
resolution can be found at 45 CFR part 60 under
Sec. 60.14 of the Data Bank regulations.
Record source categories: Entities
that have submitted records on individuals contained
in the system; insurance companies and others
who have made payment as a result of a malpractice
action or claim; State Medical Boards; State
Boards of Dentistry; State Licensing Boards;
hospitals and other health care entities as
defined in the Act; the Drug Enforcement Administration;
and Federal entities which employ health practitioners
or which have authority to sanction such practitioners
covered by a Federal program.
Systems exempted from certain provisions of
the act: None.