Npdb Sorn 09-15-0054

NPDB SORN 09-15-0054.pdf

National Practitioner Data Bank (NPDB) Attestation of Reports by Hospitals, Medical Malpractice Payers, Health Plans, and Certain Other Health Care Entities

NPDB SORN 09-15-0054

OMB: 0906-0028

System of Record Notice 09-15-0054


Health Resources & Services Administration


System of Record Notice 09-15-0054
SYSTEM NUMBER:  09-15-0054
SYSTEM NAME:  National Practitioner Data Bank


SECURITY CLASSIFICATION:  Unclassified.
SYSTEM LOCATION:  A contractor operates and maintains the system through a technical
service contract for the Division of Practitioner Data Banks, Bureau of Health Professions,
Health Resources and Services Administration.  This system is located at a contractor run data
center, a secure facility; the street address will not be disclosed for security reasons.  The
address of the Division of Practitioner Data Banks, Bureau of Health Professions, Health
Resources and Services Administration, is Room 8-103, Parklawn Building, 5600 Fishers Lane,
Rockville, Maryland 20857.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:  The system collects and maintains
records pertaining to the professional competence and conduct of health care practitioners as
defined by 45 CFR 60.3 (e.g., physicians, dentists, nurses, allied health care professionals, social
workers), health care suppliers as defined by 45 CFR 60.3 (e.g., durable medical equipment
suppliers, manufacturers of health care items, pharmaceutical suppliers and manufacturers),
health care providers as defined by 45 CFR 60.3 (e.g., hospitals and health plans) and health
care entities as defined by 45 CFR 60.3 (e.g., hospitals and health maintenance organizations
which are licensed by a state).  The first three categories (health care practitioners, providers
and suppliers) include only individuals, or a mixture of individuals and entities.
CATEGORIES OF RECORDS IN THE SYSTEM:  The system collects and maintains reports and
query history records.
Reports include: (1) medical malpractice payment reports for all health care practitioners (e.g.,
physicians, dentists, nurses, optometrists, pharmacists, podiatrists, etc.); (2) adverse licensure
and certification action reports taken by states against health care practitioners, health care
entities, providers or suppliers; (3) adverse licensure and certification action reports taken by
federal agencies against health care practitioners, providers, or suppliers; (4) adverse clinical
privileging actions reports for physicians, dentists, or other health care practitioners who may
have medical staff privileges; (5) adverse professional society membership action reports for
physicians, dentists or other health care practitioners;  (6) negative actions or findings taken
against health care practitioners, health care entities, providers, or suppliers by peer review
organizations and private accreditation entities; (7) federal or state criminal convictions related
to the delivery of a health care item or service reports for health care practitioners, providers,
or suppliers;  (8) civil judgments related to the delivery of a health care item or service for
health care practitioners, providers, or suppliers; (9) reports of exclusions of  health care
practitioners, providers, or suppliers from participation in state or federal health care
programs; and (10) other adjudicated actions taken against health care practitioners, providers,
or suppliers by federal agencies, state agencies, or health plans.  Reports may contain the
following personally-identifiable data elements and records:
1. Name
2. Work address
3. Home address
4. Social Security number or individual tax identification number (ITIN)
5. Date of birth
6. Name of each professional school attended and year of graduation
7. Professional license(s) number
8. Field of licensure
9. Name of the state or territory in which the license is held
10. Drug Enforcement Administration (DEA) registration numbers
11. Centers for Medicare & Medicaid Services (CMS) unique practitioner identification number
(for exclusions only)
12. Names of each hospital with which the practitioner is affiliated
13. Name and address of the entity making the payment
14. Name, title, and telephone number of the official responsible for submitting the report on
behalf of the entity
15. Payment information including the date and amount of payment and whether it is for a
judgment or settlement
16. Date action occurred  
17. Acts or omissions upon which the action or claim was based
18. Description of the action/omissions and injuries or illnesses upon which the action or claim
was based
19. Description of the Board action, the date of action and its effective date
20. Classification of the action/omission per reporting code
21. Court or judicial venue in which action was taken
22. Docket or court file number
23. Name of prosecuting agency or Civil Plaintiff
24. Prosecuting agency’s case number
25. Statutory offense and counts
26. Date of judgment/sentence
27. Length of sentence
28. Amount of judgment or monetary penalty
29. Restitution or other orders
30. Nature of offense on which the action was based
31. Investigative agencies involved and any case/file numbers, if known
Query histories indicate the dates that a health care practitioner’s, provider’s, supplier’s, or
entity’s report(s) were accessed/queried in the system and by whom. An individual
practitioner’s, provider’s or supplier’s report(s) and query history are available to him or her, if
he or she elects to submit a self-query. However, the query history will not include query
activity by law enforcement agencies, if any, due to the system’s exemption (described below,
under “System Exempted From Certain Provisions of the Act”).
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:  Title IV of the Health Care Quality
Improvement Act of 1986 (Title IV), as amended,  Section 1921 of the Social Security Act, as
amended, and  Section 1128E of the Social Security Act as amended.
PURPOSE(S):  The purpose of the system is to:  (1) receive information such as medical
malpractice payment reports, negative peer review actions, adverse licensure or certification
actions, health care related criminal convictions, health care related civil judgments, exclusions,
adverse clinical privileging actions, and other adjudicated actions as enumerated in the
Categories of Reports, above, on all health care practitioners,  suppliers,  providers and entities;
(2) store such reports so that future queriers may have access to pertinent information in the
course of making important decisions related to the delivery of health care services; and (3)
disseminate such data to individuals and entities that qualify to receive the reports under the
governing statutes as authorized by the Health Care Quality Improvement Act of 1986,  Section
1921 of the Social Security Act and Section 1128E of the Social Security Act to protect the public
from unfit practitioners and to prevent fraud and abuse.  The system also allows practitioners,
providers, and suppliers to self-query.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF
USERS AND THE PURPOSES OF SUCH USES:
Information from this system is disclosed outside the agency for the following routine uses:
1.  To hospitals requesting information such as adverse licensure actions, medical malpractice
payments or exclusions from Medicare and Medicaid programs taken against all licensed health
care practitioners such as physicians, dentists, nurses, podiatrists, chiropractors, and
psychologists.  The information is accessible to both public and private sector hospitals that can
request information concerning a physician, dentist or other health care practitioner who is on
its medical staff (courtesy or otherwise) or who has clinical privileges at the hospital, for the
purpose of:  (a) screening the professional qualifications of individuals who apply for staff
positions or clinical privileges at the hospital; and (b) meeting the requirements of the Health
Care Quality Improvement Act of 1986, which prescribes that a hospital must query the NPDB
once every 2 years regarding all individuals on its medical staff or who hold clinical privileges.  
2.  To other health care entities, as defined in 45 CFR 60.3, to which a physician, dentist or other
health care practitioner has applied for clinical privileges or appointment to the medical staff or
who has entered or may be entering an employment or affiliation relationship.  The purpose of
these disclosures is to assess the individual practitioner’s qualifications for staff appointment or
clinical privileges.
3.  To a health care entity with respect to professional review activity.  The purpose of these
disclosures is to aid health care entities in the conduct of professional review activities, such as
those involving determinations of whether a physician, dentist, or other health care practitioner
may be granted membership in a professional society, the conditions of such membership, or
changes to such membership; and ongoing professional review activities of the professional
performance or conduct of a physician, dentist, or other health care practitioner.
4.  To a state health care practitioner and/or entity licensing or certification authority that
requests information in the course of conducting a review of all health care practitioners or
health care entities or when making licensure determinations about health care practitioners
and entities.  The purpose of these disclosures is to aid the board or certification authority in
meeting its responsibility to protect the health of the population in its jurisdiction, and to assess
the qualifications of individuals seeking licenses or certifications.
5.  To federal and state health care programs (and their contractors) that request information
to aid them in ensuring the integrity of their programs and the professional competence of
affiliated health care practitioners and uncovering information needed to make appropriate
decisions in the delivery of health care.   
6.  To state Medicaid Fraud Control Units that request information to assist with investigating
fraud, waste and abuse and in the prosecution of health care practitioners and providers
relating to the Medicaid programs.
7.    To utilization and quality control Peer Review Organizations and those entities which are
under contract with the CMS, when they request information to protect and improve the quality
of care for Medicare beneficiaries in the course of performing quality of care reviews and other
related activities.
8.  To a health care provider, supplier, or practitioner who requests information concerning
himself, herself, or itself.
9. To a health care entity that has been reported on, when the entity queries the system to
receive information concerning itself.   
10. To an attorney, or an individual representing himself or herself, who has filed a medical
malpractice action or claim in a state or federal court or other adjudicative body against a
hospital, and who requests information regarding a specific physician, dentist, or other health
care practitioner who is also named in the action or claim, provided that: (a) This information
will be disclosed only upon the submission of evidence that the hospital failed to request
information from the NPDB as required by law; and (b) the information will be used solely with
respect to litigation resulting from the action or claim against the hospital.  The purpose of
these disclosures is to permit an attorney (or a person representing himself or herself in a
medical malpractice action) to have information from the NPDB on a health care practitioner,
under the conditions set out in this routine use.
11. To any federal entity, employing or otherwise engaging under arrangement (e.g., such as a
contract) the services of a physician, dentist, or other health care practitioner, or having the
authority to sanction such individuals  covered by a federal program, which:  (a) enters into a
memorandum of understanding with HHS regarding its participation in the NPDB; (b) engages
in a professional review activity in determining an adverse action against a practitioner; and (c)
maintains a Privacy Act system of records regarding the health care practitioners it employs, or
whose services it engages under arrangement.  The purpose of such disclosures is to enable
hospitals and other facilities and health care providers under the jurisdiction of federal
agencies such as the Public Health Service, HHS; the Department of Defense; the Department of
Veterans’ Affairs; the U.S. Coast Guard; and the Bureau of Prisons, Department of Justice, to
participate in the NPDB. The Health Care Quality Improvement Act of 1986 includes provisions
regarding the participation of such agencies and of the DEA.
12. To the Department of Justice in the event of litigation, for the purpose of enabling HHS to
present an effective defense, where the defendant is: (a) HHS, any component of HHS, or any
HHS employee  in his or her official capacity; (b) the United States where HHS  determines that
the claim, if successful, is likely to affect directly the operation of HHS or any of its components;
or (c) any HHS employee in his or her individual capacity where the Department of Justice has
agreed to represent such employee, for example in defending a claim against the Public Health
Service based upon an individual’s mental or physical condition and alleged to have arisen
because of activities of the Public Health Service in connection with such individual; provided
that such disclosure is compatible with the purpose for which the records were collected.
13. To the contractor engaged by the agency to operate and maintain the system.  Operation
and maintenance functions include but are not limited to providing continuous user availability,
developing system enhancements, upgrading hardware and software, providing information
security assurance, and performing system backups.
14. To a health plan requesting data concerning a health care provider, supplier, or practitioner
for the purposes of preventing fraud and abuse activities and/or improving the quality of
patient care, and in the context of hiring or retaining providers, suppliers and practitioners that
are the subjects of reports.
15. To federal agencies requesting data concerning a health care provider, supplier, or
physician, dentist or other practitioner for the purposes of  anti-fraud and abuse activities and
investigations, audits, evaluations, inspections and prosecutions relating to the delivery of and
payment for health care in the United States and/or improving the quality of patient care, and
in the context of hiring or retaining the providers, suppliers and individuals that are the subject
of reports to the system. This would include law enforcement investigations and other law
enforcement activities.
16. To appropriate federal agencies and HHS contractors that have a need to know the
information for the purpose of assisting HHS’ efforts to respond to a suspected or confirmed
breach of the security or confidentiality of information maintained in this system of records,
and the information disclosed is relevant and necessary for that assistance.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:  Records are maintained on database servers with disk storage, optical jukebox
storage, backup tapes and printed reports.
RETRIEVABILITY:  Records are retrieved by name, date of birth, Social Security Number,
educational information, and license number.  The matching algorithm uses these data
elements to match reports to the subject.
SAFEGUARDS:
1.  Authorized users include internal users such as government and contractor personnel who
support the NPDB.  Users are required to obtain favorable adjudication for a Level 5 Position of
Public Trust.  Government and contractor personnel who support the NPDB must attend
security training, sign a Non-Disclosure Agreement, and sign the Rules of Behavior, which is
renewed annually.  Users are given role-based access to the system on a limited need-to-know
basis.  All physical and logical access to the system is removed upon termination of
employment.  External users, who are responsible for meeting NPDB reporting and/or querying
requirements to the NPDB, are responsible for determining their eligibility to access the NPDB
through a self-certification process which requires completing an Entity Registration form.  All
external users must acknowledge the Rules of Behavior.  All external users must re-register
every two years to access the NPDB.  The registration process consists of an electronic
authentication process where each user needs to prove his or her identity and organizational
affiliation based on requirements in National Institute of Standards and Technology (NIST) SP
800-63-1.  Both HRSA and the contractor maintain lists of authorized users.
2.  Physical safeguards involve physical controls that are in place 24 hours a day/7 days a week
such as identification badge access, cipher locks, locked hardware cages, man trap with
biometric hand scanner, security guard monitoring, and closed circuit TV.  All sites are protected
with fire and environmental safety controls.
3.  Technical safeguards include firewalls, network intrusion detection, host-based intrusion
detection and file integrity monitoring, user identification, database activity monitoring, data
loss prevention and password restrictions.  All web-based traffic is encrypted using 128 bit SSL
and all network traffic is encrypted internally.
4.  Administrative safeguards involve certification and accreditation that is required every three
years, which authorizes operation of the system based on acceptable risk.  Security
assessments are conducted continuously throughout the year to verify compliance with all
required controls.
RETENTION AND DISPOSAL OF RECORDS:  HRSA is working with the National Archives and
Records Administration (NARA) to determine the appropriate retention period for electronic
records.  The records require long-term retention.  Pending finalization of an appropriate
disposition schedule with the National Archives and Records Administration (NARA), the records
are being retained indefinitely.
SYSTEM MANAGER AND ADDRESS:  Director, Division of Practitioner Data Banks, Bureau of
Health Professions, Health Resources and Services Administration, Room 8-103, Parklawn
Building, 5600 Fishers Lane, Rockville, Maryland 20857.
NOTIFICATION PROCEDURE:  Currently, an individual report subject is notified via U.S. mail
when a report concerning him or her is submitted to the NPDB via Subject Notification
Document (SND).  This procedure is unchanged by the exemption published for the system.
RECORD ACCESS PROCEDURES:  Although this system is exempt from the Privacy Act access
requirement, the exemption is limited and discretionary.  An individual report subject may seek
access to his or her records in the NPDB by submitting a self-query request form on-line.  The
requests are submitted over the web using the Integrated Query and Reporting Service (IQRS),
Query and Reporting Extensible Markup Language Service (QRXS), Interface Control Document
(ICD) Transfer Program (ITP) or the Continuous Query.  Self-query, as described previously, may
be initiated via the electronic system and is completed using the conventional mail system.
 Requesters, including self-queriers, will receive an accounting of disclosures that have been
made of their records, if any. The exemption will prevent law enforcement query activity from
being disclosed to the health care practitioner in response to a self-query.  Notwithstanding the
access exemption, a practitioner may request access to his or her full query history (i.e.,
including law enforcement query activity, if any), by submitting a written request to the System
Manager identified above and following the same procedures indicated under “Notification
Procedure.”   The request will be processed pursuant to the agency’s discretionary access
authority under 45 CFR 5b.11(d).  
REQUESTS BY MAIL:  Practitioners may submit a “Request for Information Disclosure” to the
address under system location for any report on themselves.  The request must contain the
following:  name, address, date of birth, gender, Social Security Number (optional), professional
schools and years of graduation, and the professional license(s).  For license, include:  the
license number, the field of licensure, the name of the state or territory in which the license is
held, and DEA registration number(s).  The practitioner must submit a signed and notarized
self-query request.  
REQUESTS IN PERSON:  Due to security considerations, the NPDB cannot accept requests in
person.
REQUESTS BY TELEPHONE:  Practitioners may provide all of the identifying information stated
above to the NPDB Customer Service Center operator.  Before the data request is fulfilled, the
operator will return a paper copy of this information for verification, signature and notarization.
PENALTIES FOR VIOLATION:  Submitting a request under false pretenses is a criminal offense
and subject to a civil monetary penalty of up to $11,000 for each violation.  42 C.F.R. § 1003.103
(c).
CONTESTING RECORD PROCEDURES:  Because of the system’s exemption, the procedures for
disputing an NPDB report will not apply to law enforcement query history information that is
exempt from access, and all amendment requests will be governed by the procedures at 45 CFR
60.21. The NPDB routinely mails a copy of any report filed in it to the subject individual.  A
subject individual may contest the accuracy of information in the NPDB concerning himself or
herself and file a dispute.  To dispute the accuracy of the information, the individual must
contact the NPDB and the reporting entity to: (1) request that the reporting entity file a
correction to the report; and (2) request the information be entered into a “disputed” status and
submit a statement regarding the basis for the inaccuracy of the information in the report.  If
the reporting entity declines to change the disputed report or takes no actions, the subject may
request that the Secretary of HHS review the disputed report.  In order to seek a review, the
subject must: (1) provide written documentation containing clear and brief factual information
regarding the information of the report; (2) submit supporting documentation or justification
substantiating that the reporting entity’s information is inaccurate; and (3) submit proof that
the subject individual has attempted to resolve the disagreement with the reporting entity but
was unsuccessful.  The Department can only determine whether the report was legally required
to be filed and whether the report accurately depicts the action taken and the reporter’s basis
for action.  Additional detail on the process of dispute resolution can be found at 45 CFR 60.21
of the NPDB regulations.
RECORD SOURCE CATEGORIES:  The records contained in the system are submitted by the
following entities: (1) insurance companies and others who have made payment as a result of a
malpractice action or claim; (2) state health care licensing and certification authorities; (3)
federal licensing and certification agencies (e.g., DEA);  (4) peer review organizations and private
accreditation entities; (5) hospitals and other health care entities (includes professional
societies); (6) federal and state prosecutors and attorneys; (7) health plans; (8) federal
government agencies; and (9) state law and fraud enforcement agencies.
SYSTEM EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
The Secretary has exempted law enforcement query records in this system from certain
provisions of the Privacy Act.  In accordance with 5 USC 552a(k)(2) and 45 CFR 5b.11(b)(2)(ii)(L),
with respect to law enforcement query records, this system is exempt from subsections (c)(3),
(d)(1)-(4), (e)(4)(G) and (H), and (f) of 5 USC 552a.  See 76 FR 72325, published November 23,
2011, adding NPDB as an exempt system.

Last Reviewed: March 2016







File Type: application/pdf
File Title: https://www.hrsa.gov/about/privacyact/09150054.html
Author: EBowman
File Modified: 2017-05-15
File Created: 2017-05-15
