System name: Healthcare Integrity and Protection Data Bank (HIPDB), HHS/OIG.
Security classification: None.
System location: The HIPDB will always be operated and maintained by a contractor. The SRA Corporation (the Contractor) currently operates and maintains the HIPDB under contract with the Bureau of Health Professions (BHPr), Health Resources and Services Administration (HRSA) who, under a memorandum of understanding with the Office of Inspector General (OIG), will operate the system. Records are found at the following address: Healthcare Integrity and Protection Data Bank, 4350 Fairs Lakes Court North, Suite 400, Fairfax, Virginia 22033. The program will publish any changes in the location of the system in the Federal Register.
Categories of individuals covered by the system: The system of records will cover the following categories of individuals:
- Health care practitioners, including physicians, dentists, and all other health care practitioners (such as nurses, optometrists, pharmacists, and podiatrists), licensed or otherwise authorized by a State to provide health care services.
- Health care suppliers who furnish or provide access to health care services, supplies, items or ancillary services (including, but not limited to, individuals who deliver health care services and are not required to obtain State licensure or authorization, durable medical equipment suppliers and manufacturers; pharmaceutical suppliers and manufacturers; health record services which prepare and store medical, dental and other patient records; health data suppliers; and billing and transportation service suppliers), and any individual under contract to provide health care supplies, items or ancillary services, and any individual providing health benefits whether directly, or indirectly through insurance, reimbursements or otherwise (including insurance producers, such as agents, brokers, and solicitors).
These individuals must be the subject of the following final adverse actions: (1) Civil judgments in Federal or State court related to the delivery of a health care item or service; (2) Federal or State criminal convictions related to the delivery of a health care item or service; (3) actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers, or practitioners; (4) exclusion from participation in Federal or State health care programs; and (5) other adjudicated actions or decisions, such as the removal of a physician from a health plan network via an adjudicated action.
Categories of records in the system:
This system will contain the following types of records:
1. Information on an individual who is the subject of a civil judgment or criminal conviction related to the delivery of a health care item or service includes—
- Full name; other name(s) used, if known; Social Security number; date of birth; gender; home address; occupation; organization name and type, if known; work address, if known; National Provider Identifier (NPI) (when issued by HCFA); Unique Physician Identification number(s), if known; Drug Enforcement Administration (DEA) registration number(s), if known; name of each professional school attended and the year of graduation, if known; for each professional license, certification or registration: the license, certification, or registration number, the field of licensure, certification, or registration, and the name of the State or Territory in which the license, certification or registration is held, if known;
- With respect to the judgment/sentence: The court or judicial venue in which action was taken; docket or court file number; name of the primary prosecuting agency or Civil Plaintiff; prosecuting agency's case number; statutory offense and counts; date of judgment/sentence; length of the sentence; amount of judgment, restitution or other orders; nature of offense upon which the action was based; description of acts or omissions and injuries upon which the action was used; investigative agencies involved, if known, and investigative agencies' case/file number, if known; whether such action is on appeal; and
- With respect to the reporting entity: Name; title; address, and telephone number of the reporting entity.
2. Information on an individual who is the subject of a licensure action taken by Federal or State licensing and certification agencies, an adjudicated action or decision, or an individual excluded from participation in a Federal or State health care program. This information includes—
- Full name; other name(s) used, if known; Social Security number or Federal Employer Identification number; date of birth; date of death, if deceased; gender; home address; occupation; organization name and type, if known; work address, if known; physician specialty, if applicable; NPI (when issued by HCFA); Unique Physician Identification number(s), if known; DEA registration number(s), if known; name of each professional school attended and the year of graduation, if known; for each professional license, certification or registration: The license, certification, or registration number, the field of licensure, certification, or registration, and the name of the State or Territory in which the license, certification or registration is held, if known;
- With respect to final adverse action: A description of the acts or omissions or other reason for the action; date the action was taken, its effective date and duration; classification of the action in accordance with a reporting code adopted by the Secretary; amount of monetary penalty, assessment or restitution, and name of the office or program that took the adverse action; and
- With respect to the reporting entity: Name; title; address, and telephone number of the reporting entity.
3. Inquiry file includes copies of all inquiries received by the HIPDB.
Authority for maintenance of the system: Section 1128E(b)(5) of the Social Security Act (the Act) authorizes the collection and maintenance of records of civil judgments against a health care provider, supplier or practitioner in Federal or State court related to the delivery of a health care item or service; Federal or State criminal convictions against a health care provider, supplier or practitioner related to the delivery of a health care item or service; actions by Federal or State agencies responsible for the licensing and certification of health care providers, suppliers or practitioners; exclusion of a health care provider, supplier or practitioner from participation in Federal or State health care programs; and any other adjudicated actions or decisions established by the Secretary in regulation (45 CFR part 61).
The purposes of the system are to:
1. Receive from Government agencies and health plans information on certain final adverse actions (excluding settlements in which no findings of liability have been made) taken against health care providers, suppliers, or practitioners; and
2. Disseminate such data to Government agencies and health plans, as authorized by the Act. A government agency includes, but is not limited to (1) the Department of Justice; (2) the Department of Health and Human Services; (3) any other Federal agency that either administers or provides payment for the delivery of health care services (including, but not limited to, the Department of Defense and the Department of Veterans Affairs); (4) State law enforcement agencies; (5) State Medicaid Fraud Control Units; and (6) other Federal or State agencies responsible for the licensing and certification of health care providers, suppliers, or licensed health care practitioners.
Health plan means a plan, program or organization that provides health benefits, whether directly or through insurance, reimbursement or otherwise, and includes, but is not limited to (1) a policy of health insurance; (2) a contract of a service benefit organization; (3) a membership agreement with a health maintenance organization or other prepaid health plan; (4) a plan, program or agreement established, maintained or made available by an employer or group of employers, a practitioner, provider or supplier group, third-party administrator, integrated health care delivery system, employee welfare association, public service group or organization, or professional association; and (5) an insurance company, insurance service, self-insured employer or insurance organization which is licensed to engage in the business of selling health care insurance in a State and which is subject to State law that regulates health insurance.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
Data may be disclosed to:
1. A health plan requesting data concerning a health care provider, supplier, or practitioner for the purposes of preventing fraud and abuse activities and/or improving the quality of patient care, and in the context of hiring or retaining providers, suppliers and practitioners that are the subjects of reports.
2. Government agencies, as defined in 45 CFR 61.3, requesting data concerning a health care provider, supplier or practitioner for the purposes of preventing fraud and abuse activities and/or improving the quality of patient care, and in the context of hiring or retaining the providers, suppliers and practitioners that are the subject of reports to the system. This would include law enforcement investigations and other law enforcement activities.
Storage: Records are maintained in electronic folders, on magnetic tape, and/or disks.
Retrievability: Retrieval will be by use of personal identifiers, including a unique identifier assigned by the HIPDB.
Safeguards:
1. Authorized Users: Access to records is limited to designated employees of the Contractor and to designated HRSA and the OIG staff. The Contracting Officer's Technical Representative (COTR) and AIS Security Officers are among the HRSA staff who are authorized users. Both HRSA and the contractor maintain lists of authorized users. Other Departmental employees will have access to the records on an official “need to know” basis.
2. Physical Safeguards: Magnetic tapes, disks, computer equipment and hard copy files are stored in areas where fire and environmental safety codes are strictly enforced. All automated and non-automated documents are protected on a 24-hour basis. Perimeter security includes intrusion alarms, random guard patrols, monitors, key/passcard/combination controls, receptionist controlled area and reception alarm button.
3. Procedural and Technical Safeguards: A password is required to access the system, and additional identification numbers and passwords are used to limit access to data to only authorized users. All users of personal information, in connection with the performance of their jobs, protect information from public view and from unauthorized personnel entering an unsupervised area. All authorized users will sign a nondisclosure statement. To protect the confidentiality of information contained in the system, when a person leaves or no longer has authorized duties, the Security Officer deletes his or her identification number and password, retrieves all electronic access cards, and changes all combinations to which the departing employee had access. The system automatically logs all access to data resources.
Access to records is limited to those authorized personnel trained in accordance with the Privacy Act and automatic data processing (ADP) security procedures. The Contractor is required to assure the confidentiality safeguards of these records and to comply with all provisions of the Privacy Act. All individuals who have access to these records must have the appropriate ADP security clearances. Privacy Act and ADP system security requirements are included in the contract for the operations and maintenance of the system. In addition, the HIPDB Project Officer and the System Manager oversee compliance with these requirements. HRSA staff who are authorized users will make site visits to the Contractor's facilities to assure compliance with security and Privacy Act requirements.
The safeguards described above were established in accordance with DHHS Chapter 45-13 and supplementary Chapter PHS hf: 45-13 of the General Administration Manual, and the DHHS Information Resources Management Manual, Part 6, “ADP Systems Security.”
Retention and disposal: All records in this system are retained permanently.
System manager(s) and address: Tony Marziani, Director, Information Systems and Investigative Support Staff, Office of Investigations, OIG, Room 5046, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201, (202) 205-5200.
Notification procedure: Exempt from certain requirements of the Act. However, an individual is informed when a record concerning himself or herself is entered into the Healthcare Integrity and Protection Data Bank.
Requests by mail: Practitioners, providers or suppliers may submit a “Request for Information Disclosure” to the address under system location for any report on themselves. The request must contain the following: Name, address, date of birth, gender, Social Security Number, professional schools and years of graduation, and the professional license(s). For license, include: The license number, the field of licensure, the name of the State or Territory in which the license is held, and Drug Enforcement Administration registration number(s). Practitioners must sign and have notarized their requests. Submitting a request under false pretenses is a criminal offense subject to, at a minimum, a $5,000 fine under provisions of the Privacy Act.
Requests in person: Due to security considerations, the HIPDB cannot accept requests in person.
Request by telephone: Individuals may provide all of the identifying information stated above to the HIPDB Helpline operator.
Before the data request is fulfilled, the operator will return a paper copy of this information for verification, signature and notarization.
Record access procedures: Same as notification procedures. Requesters also should reasonably specify the record contents being sought.
Contesting records procedures: The HIPDB routinely mails a copy of any report filed in it to the subject. The subject may contest the accuracy of information in the HIPDB concerning himself, herself, or itself and file a dispute. To dispute the accuracy of the information, the individual must notify the HIPDB by: (1) Identifying the record involved; (2) specifying the information being contested; (3) stating the corrective action sought and reason for requesting the correction; and (4) submitting supporting justification and/or documentation to show how the record is inaccurate. At the same time, the individual must attempt to enter into discussion with the reporting entity to resolve the dispute.
Additional detail on the process of dispute resolution can be found at 45 CFR 61.15 of the HIPDB regulations.
Record source categories: Entities that have submitted records on individuals and organizations contained in the system; State Licensing Boards, including State Medical and Dental Boards, Federal and State Agencies as defined in the Act, and health plans as defined in the Act who take a final adverse action (not including settlements in which no findings of liability have been made) taken against a health care provider, supplier, or practitioner. (See PURPOSE section above)
Systems exempted from certain provisions of the act: The Secretary has exempted this system from certain provisions of the Act. In accordance with 5 U.S.C. 552a(k)(2) and 45 CFR 5b.11(b)(ii)(F), this system is exempt from subsections (c)(3), (d)(1)-(4), and (e)(4)(G) and (H) of the Privacy Act.