The Data Bank, consisting of the National Practitioner Data Bank (NPDB) and the Healthcare Integrity and Protection Data Bank (HIPDB), is a confidential information clearinghouse created by Congress to improve health care quality, protect the public, and reduce health care fraud and abuse in the U.S. See Table 1 for information on who can query and report to the Data Bank.
The Data Bank is primarily an alert or flagging system intended to facilitate a comprehensive review of the professional credentials of health care practitioners, providers, and suppliers; the information from the Data Bank should be used in conjunction with, not in replacement of, information from other sources.
The National Practitioner Data Bank (NPDB) was established by Title IV of Public Law 99-660, the Health Care Quality Improvement Act of 1986, as amended (Title IV). Final regulations governing the NPDB are codified at 45 CFR Part 60. In 1987 Congress passed Public Law 100-93, Section 5 of the Medicare and Medicaid Patient and Program Protection Act of 1987 (Section 1921 of the Social Security Act), authorizing the Government to collect information concerning sanctions taken by State licensing authorities against all health care practitioners and entities. Congress later amended Section 1921 with the Omnibus Budget Reconciliation Act of 1990, Public Law 101-508, to add “any negative action or finding by such authority, organization, or entity regarding the practitioner or entity.” Responsibility for NPDB implementation resides with the Bureau of Health Professions, Health Resources and Services Administration, U.S. Department of Health and Human Services (HHS).
Title IV is intended to improve the quality of health care by encouraging State licensing boards, hospitals, professional societies, and other health care organizations to identify and discipline those who engage in unprofessional behavior; to report medical malpractice payments; and to restrict the ability of incompetent physicians, dentists, and other health care practitioners to move from State to State without disclosure or discovery of previous medical malpractice payment and adverse action history. Adverse actions can involve licensure, clinical privileges, professional society membership, and exclusions from Medicare and Medicaid.
Section 1921 was enacted to provide protection from unfit health care practitioners to beneficiaries participating in the Social Security Act’s health care programs and to improve the anti-fraud provisions of these programs. Section 1921 expands the information collected and disseminated through the NPDB to include reports on all licensure actions taken against all health care practitioners, not just physicians and dentists, as well as health care entities. Peer Review Organizations and Private Accreditation Organizations must report any negative actions or findings taken against health care practitioners or organizations. Queriers have access to State licensure actions taken against all health care practitioners, and Section 1921 provides limited querying by Quality Improvement Organizations, Federal and State Health Care Programs, State Medicaid Fraud Control Units, and other law enforcement agencies. Section 1921 also will allow entities new to the NPDB to access Section 1921 data through the NPDB.
The Secretary of HHS, acting through the Office of Inspector General (OIG) and the U.S. Attorney General, was directed by the Health Insurance Portability and Accountability Act of 1996, Section 221(a), Public Law 104-191, to create the Healthcare Integrity and Protection Data Bank (HIPDB) to combat fraud and abuse in health insurance and health care delivery. The HIPDB’s authorizing statute is more commonly referred to as Section 1128E of the Social Security Act. Final regulations governing the HIPDB are codified at 45 CFR Part 61.
The HIPDB is a national data collection program for the reporting and disclosure of certain final adverse actions taken against health care practitioners, providers, and suppliers. The HIPDB collects information regarding licensure and certification actions, exclusions from participation in Federal and State health care programs, health care-related criminal convictions and civil judgments, and other adjudicated actions or decisions as specified in regulation.
Confidentiality of Data Bank Information
Information reported to the Data Bank is considered confidential and shall not be disclosed except as specified in the Data Bank regulations. The HHS OIG has the authority to impose civil money penalties on those who violate the confidentiality provisions of NPDB and/or HIPDB information. Persons or organizations that receive information either directly or indirectly are subject to the confidentiality provisions and the imposition of a civil money penalty of up to $11,000 for each offense if they violate those provisions. When an authorized agent is designated to handle NPDB queries, both the initiating organization and the agent are required to maintain confidentiality in accordance with Title IV requirements.
The confidential receipt, storage, and disclosure of information is an essential ingredient of Data Bank operations. A comprehensive security system has been designed to prevent manipulation of and access to the data by unauthorized staff or external sources. The facility in which the Data Bank is housed meets HHS security specifications, and each member of the Data Bank staff has undergone an in-depth background security investigation.
The Privacy Act of 1974, 5 USC §552a, as amended, protects the contents of Federal systems of records, such as those contained in the NPDB and the HIPDB, from disclosure without the subject’s consent, unless the disclosure is for a routine use of the system of records as published annually in the Federal Register. The limited access provision of the Health Care Quality Improvement Act of 1986, as amended, supersedes the disclosure requirements of the Freedom of Information Act (FOIA), 5 USC §552, as amended.
The confidentiality provisions of Title IV do not prohibit an eligible organization that receives information from the NPDB from disclosing it further, as long as it is used for the purpose of carrying out a professional review activity within the organization. For example, a hospital may disclose the information it receives from the NPDB to hospital officials responsible for reviewing a practitioner’s application for a medical staff appointment or clinical privileges. In this case, both the hospital personnel who receive the information and the hospital officials who subsequently review it during the employment process are subject to the confidentiality provisions of Title IV.
The confidentiality provisions do not apply to the original documents or records from which the reported information is obtained. The NPDB’s confidentiality provisions do not impose any new confidentiality requirements or restrictions on those documents or records. Thus, these confidentiality provisions do not bar or restrict the release of the original documents or records, or the information itself, by the organization taking the adverse action or making the payment in settlement of a written medical malpractice complaint or claim. For example, if a hospital that reported an adverse action against a physician pursuant to the provisions of Title IV receives a subpoena for the underlying records, it may not refuse to provide the requested documents on the grounds that Title IV bars the release of the records or information.
The enabling statutes for the Data Bank do not allow disclosure to the general public. The general public may not request information that identifies a particular health care practitioner, provider, or supplier from the NPDB or the HIPDB.
Data Bank Security
As previously stated, information reported to the Data Bank is confidential. Safeguarding that confidential information includes proper and secure retrieval, handling, and disposal of the information. Taking the following actions helps to ensure Data Bank security.
- Every registered health care organization must have a unique Data Bank Identification number (DBID) and password. All individual users within the organization must also use the organization DBID and have their own user ID and password. To learn more, see Manage User IDs and Passwords.
- Sign out of the Data Bank after each session to keep unauthorized personnel from gaining access to your or your organization’s sensitive information.
- After signing in to the Data Bank, verify the date and time when the account was last accessed. If they are incorrect, change your password immediately, call the Customer Service Center (800-767-6732), and notify your organization’s Data Bank Administrator.
- Do not share confidential Data Bank documents with anyone not authorized to see them. Also, handle the reports properly – do not leave them in plain sight at the office. Securely store and file the documents.
- Refer to About Management Tools for more details on Data Bank Administrator and user accounts.
|The National Practitioner Data Bank was established under Title IV of Public Law 99-660, the Health Care Quality Improvement Act of 1986, and is expanded by Section 1921, as amended by section 5(b) of the Medicare and Medicaid Patient and Program Protection Act of 1987, and as amended by the Omnibus Budget Reconciliation Act of 1990. NPDB is an information clearinghouse to collect and release all licensure actions taken against all health care practitioners and health care entities, as well as any negative actions or findings taken against health care practitioners or organizations by Peer Review Organizations and Private Accreditation Organizations.|The Healthcare Integrity and Protection Data Bank was established under Section 1128E of the Social Security Act as added by Section 221(a) of the Health Insurance Portability and Accountability Act of 1996. HIPDB was implemented to combat fraud and abuse in health insurance and health care delivery and to promote quality care. HIPDB alerts users that a more comprehensive review of past actions by a practitioner, provider, or supplier may be prudent.|
|What Information is Available?|
|Who Can Query?|
* eligible to receive only those reports authorized by Section 1921.
|Who Cannot Query?|
|The Data Bank is prohibited by law from disclosing information on a specific practitioner, provider, or supplier to a member of the general public. However, persons or organizations can request information in a form that does not identify any particular organization or practitioner.|