General Information

Disclosure of NPDB Information

Title IV, Section 1921, and Section 1128E limit the disclosure of information in the NPDB. Information is available to certain eligible entities based on the requirements of each law.

Information on medical malpractice payments and on adverse actions related to licensure, clinical privileges, and professional society membership of physicians, dentists, and, in some cases, other health care practitioners, as well as DEA-controlled substance registration actions and exclusions from Medicare, Medicaid, and other federal health care programs (see Table A-1: Significant Laws Governing the NPDB) is available to:

• Hospitals requesting information concerning a practitioner on their medical staffs or to whom they have granted clinical privileges, or with respect to professional review activity
• Health care entities (including hospitals and professional societies) that have entered or may be entering into employment or affiliation relationships with a health care practitioner or to which the health care practitioner has applied for clinical privileges or appointment to the medical staff, or with respect to professional review activity
• Boards of medical examiners or other state licensing boards
• Health care practitioners requesting information reported to the NPDB on themselves
• Attorneys, or individuals representing themselves, upon submission of proof that a hospital failed to submit a mandatory query
• Persons or organizations requesting information in a form that does not identify any particular health care entity, physician, dentist, other practitioner, or patient

As more fully described in Chapter D: Queries, with a few limited exceptions, certain adverse actions taken against health care practitioners, entities, providers, and suppliers (see Table A-1: Significant Laws Governing the NPDB) by state licensure and certification authorities, state law enforcement agencies, state Medicaid fraud control units, state agencies administering or supervising the administration of state health care programs, peer review organizations, and private accreditation organizations against health care practitioners, entities, providers, and suppliers are available to:

• Hospitals and other health care entities (including professional societies) with respect to licensed health care practitioners who have entered (or may be entering) into employment or affiliation relationships with, or have applied for clinical privileges or appointments to the medical staffs of, such hospitals or other health care entities
• Quality improvement organizations
• State licensing and certification authorities
• State law enforcement agencies*
• State Medicaid fraud control units*
• State agencies administering or supervising the administration of state health care programs*
• Agencies administering federal health care programs (including those providing payment for health care services) and private entities administering such programs under contract
• Federal agencies responsible for the licensing and certification of health care practitioners, providers, and suppliers
• Federal law enforcement agencies and officials
• Health plans
• Health care practitioners, entities, providers, and suppliers requesting information reported to the NPDB concerning themselves
• Persons or organizations requesting information in a form that does not identify any particular individual or organization

*NPDB regulations define "state law or fraud enforcement agency" as including but not limited to these entities.

In addition, in the case of a medical malpractice action or claim, and under specific circumstances, an attorney (or an individual representing himself or herself) may request information from the NPDB for use in litigation against a hospital, upon showing that the hospital failed to request information from the NPDB about a specific health care practitioner.

Interpretation of NPDB Information

The purpose of the NPDB is to improve health care quality, protect the public, and combat health care fraud and abuse in the United States. The NPDB is primarily a flagging system that may serve to alert users that a more comprehensive review of the qualifications and background of a health care practitioner, entity, provider, or supplier may be prudent.NPDB information is intended to be used in combination with information from other sources in making determinations on employment, affiliation, clinical privileges, certification, licensure, or other decisions. NPDB information should not be used as the sole source of verification of professional credentials. The information in the NPDB should serve only to alert eligible entities that there may be a problem with the performance of a particular health care practitioner, entity, provider, or supplier.

For example, a settlement of a medical malpractice claim may occur for a variety of reasons that do not necessarily reflect negatively on the professional competence or conduct of the physician, dentist, or other health care practitioner. Thus, as specifically indicated in Title IV, a payment made in settlement of a medical malpractice action or claim should not be construed as a presumption that medical malpractice has occurred.

Civil Liability Protection

Immunity provisions in Title IV, Section 1921, and Section 1128E protect individuals, entities, and their authorized agents from being held liable in civil actions for reports made to the NPDB unless they have actual knowledge that the information in the report is false.

In addition, Part A of Title IV provides additional protections to encourage and support professional review activity of physicians and dentists.

Confidentiality and Security of NPDB Information

Information reported to the NPDB is considered confidential and may not be disclosed except as specified in NPDB regulations at 45 CFR Part 60. The confidential receipt, storage, and disclosure of information are essential components of NPDB operations.

The NPDB maintains a comprehensive security system. Consistent with recognized standards and guidelines, the NPDB has rigorous operational, management, and technical controls that ensure the security of the system and protect data in the system. Controls are also in place to ensure that transactions over the Internet are secure and that sensitive financial and personal information is properly protected from unauthorized access.

Civil Money Penalties

The OIG has been delegated the authority to impose civil money penalties on those who violate the confidentiality provisions of Title IV. The civil money penalties for violating the confidentiality provisions of Title IV are to be imposed in the same manner as other civil money penalties pursuant to Section 1128A of the Social Security Act, 42 USC § 1320a-7a. Regulations governing civil money penalties under Section 1128A are set forth at 42 CFR Part 1003.

A civil money penalty can be levied for each violation of confidentiality. In any case in which it is determined that more than one party was responsible for improperly disclosing confidential information, a penalty can be imposed against each responsible individual, entity, or organization. The amount of the penalty is subject to change through regulation.

Persons or entities who receive information from the NPDB, directly or indirectly, are subject to the confidentiality provisions and the imposition of a civil monetary penalty if they violate those provisions. When authorized agents are designated to handle NPDB queries, both the entity and agents are required to maintain confidentiality in accordance with Title IV requirements.

The Privacy Act

Pursuant to the requirements of the Privacy Act of 1974 (5 USC § 552a), HHS has published a Privacy Act Systems of Record Notice (system no. 09-15-0054) describing the NPDB system of records. The NPDB system of records has been exempted from certain Privacy Act access and amendment requirements, and access and correction rights are governed by NPDB regulations.

Appropriate Use of NPDB Information

Information reported to the NPDB is considered confidential and may not be disclosed except as permitted by law. The confidentiality provisions of 45 CFR Part 60 allow an eligible entity receiving information from the NPDB to disclose the information to others who are part of the same investigation or peer review process, as long as the information is used for the purpose for which it was provided.In those instances, everyone involved in the investigation or peer review process is subject to the confidentiality provisions of NPDB.

Examples of appropriate uses of NPDB information include:

• A hospital may disclose the information it receives from the NPDB to hospital officials responsible for reviewing a practitioner's application for a medical staff appointment or clinical privileges. In this case, both the hospital officials who receive the information and the hospital officials who subsequently review it during the employment process are subject to the confidentiality provisions.
• In some instances private accreditation organization surveyors require evidence of compliance with the NPDB querying requirements. Generally, a private accreditation organization cannot view any document that a health care entity has obtained from the NPDB that shows the confidential results of an NPDB query (e.g., an NPDB report or the query response document). The Query History page that is returned with the results of a query history search does not include confidential information and generally is sufficient evidence that a query has been performed.
• If the health care entity being reviewed is using Continuous Query, the private accreditation organization may be provided with a printed or electronic copy of the Manage Continuous Query Subjects list, which lists all enrolled health care practitioners and the latest disclosure date for all reports disclosed after initial enrollment. This list may be compared with the Continuous Query Report Disclosures list, which provides the names of the enrolled health care practitioners, the types of reports, the report disclosure date, whether the report was reviewed, and the date and name of the person who reviewed the report. In these instances, the private accreditation organization personnel who review the information are subject to the confidentiality provisions of the NPDB.
• A health plan may disclose the information it received from the NPDB to health plan officials responsible for reviewing a health care practitioner's application for affiliation. In this case, both the health plan personnel who receive the information and the health plan officials who subsequently review it during the employment process are subject to the confidentiality provisions of the NPDB.

The confidentiality provisions prohibit the release of NPDB reports except as permitted by law. These provisions do not apply to the original documents or records from which the reported information is obtained. The NPDB's confidentiality provisions do not impose any new confidentiality requirements or restrictions on those documents or records. Thus, the confidentiality provisions do not bar or restrict the release of the underlying documents, or the information itself, by the entity taking an adverse action or making a payment in settlement of a written medical malpractice complaint or claim. For instance, a state freedom of information law that requires the release of records may require the release of the records underlying an NPDB report but would not permit the release of the NPDB report itself.

Individuals or organizations that obtain information reported to the NPDB naming them as the subject of a report are permitted to share that information with whomever they choose. Statistical data that do not identify any individual or organization are available to the public for research purposes.