Title IV, Section 1921, and Section 1128E limit the disclosure of information in the NPDB. Information is available to certain eligible entities based on the requirements of each law.
Information on medical malpractice payments and on adverse actions related to licensure, clinical privileges, and professional society membership of physicians, dentists, and, in some cases, other health care practitioners, as well as DEA-controlled substance registration actions and exclusions from Medicare, Medicaid, and other federal health care programs (see Table A-1: Significant Laws Governing the NPDB) is available to:
As more fully described in Chapter D: Queries, with a few limited exceptions, certain adverse actions taken against health care practitioners, entities, providers, and suppliers (see Table A-1: Significant Laws Governing the NPDB) by state licensure and certification authorities, state law enforcement agencies, state Medicaid fraud control units, state agencies administering or supervising the administration of state health care programs, peer review organizations, and private accreditation organizations against health care practitioners, entities, providers, and suppliers are available to:
*NPDB regulations define "state law or fraud enforcement agency" as including but not limited to these entities.
In addition, in the case of a medical malpractice action or claim, and under specific circumstances, an attorney (or an individual representing himself or herself) may request information from the NPDB for use in litigation against a hospital, upon showing that the hospital failed to request information from the NPDB about a specific health care practitioner.
The purpose of the NPDB is to improve health care quality, protect the public, and combat health care fraud and abuse in the United States. The NPDB is primarily a flagging system that may serve to alert users that a more comprehensive review of the qualifications and background of a health care practitioner, entity, provider, or supplier may be prudent.NPDB information is intended to be used in combination with information from other sources in making determinations on employment, affiliation, clinical privileges, certification, licensure, or other decisions. NPDB information should not be used as the sole source of verification of professional credentials. The information in the NPDB should serve only to alert eligible entities that there may be a problem with the performance of a particular health care practitioner, entity, provider, or supplier.
For example, a settlement of a medical malpractice claim may occur for a variety of reasons that do not necessarily reflect negatively on the professional competence or conduct of the physician, dentist, or other health care practitioner. Thus, as specifically indicated in Title IV, a payment made in settlement of a medical malpractice action or claim should not be construed as a presumption that medical malpractice has occurred.
Immunity provisions in Title IV, Section 1921, and Section 1128E protect individuals, entities, and their authorized agents from being held liable in civil actions for reports made to the NPDB unless they have actual knowledge that the information in the report is false.
In addition, Part A of Title IV provides additional protections to encourage and support professional review activity of physicians and dentists.
Information reported to the NPDB is considered confidential and may not be disclosed except as specified in NPDB regulations at 45 CFR Part 60. The confidential receipt, storage, and disclosure of information are essential components of NPDB operations.
The NPDB maintains a comprehensive security system. Consistent with recognized standards and guidelines, the NPDB has rigorous operational, management, and technical controls that ensure the security of the system and protect data in the system. Controls are also in place to ensure that transactions over the Internet are secure and that sensitive financial and personal information is properly protected from unauthorized access.
The OIG has been delegated the authority to impose civil money penalties on those who violate the confidentiality provisions of Title IV. The civil money penalties for violating the confidentiality provisions of Title IV are to be imposed in the same manner as other civil money penalties pursuant to Section 1128A of the Social Security Act, 42 USC § 1320a-7a. Regulations governing civil money penalties under Section 1128A are set forth at 42 CFR Part 1003.
A civil money penalty can be levied for each violation of confidentiality. In any case in which it is determined that more than one party was responsible for improperly disclosing confidential information, a penalty can be imposed against each responsible individual, entity, or organization. The amount of the penalty is subject to change through regulation.
Persons or entities who receive information from the NPDB, directly or indirectly, are subject to the confidentiality provisions and the imposition of a civil monetary penalty if they violate those provisions. When authorized agents are designated to handle NPDB queries, both the entity and agents are required to maintain confidentiality in accordance with Title IV requirements.
Pursuant to the requirements of the Privacy Act of 1974 (5 USC § 552a), HHS has published a Privacy Act Systems of Record Notice (system no. 09-15-0054) describing the NPDB system of records. The NPDB system of records has been exempted from certain Privacy Act access and amendment requirements, and access and correction rights are governed by NPDB regulations.
Information reported to the NPDB is considered confidential and may not be disclosed except as permitted by law. The confidentiality provisions of 45 CFR Part 60 allow an eligible entity receiving information from the NPDB to disclose the information to others who are part of the same investigation or peer review process, as long as the information is used for the purpose for which it was provided.In those instances, everyone involved in the investigation or peer review process is subject to the confidentiality provisions of NPDB.
Examples of appropriate uses of NPDB information include:
The confidentiality provisions prohibit the release of NPDB reports except as permitted by law. These provisions do not apply to the original documents or records from which the reported information is obtained. The NPDB's confidentiality provisions do not impose any new confidentiality requirements or restrictions on those documents or records. Thus, the confidentiality provisions do not bar or restrict the release of the underlying documents, or the information itself, by the entity taking an adverse action or making a payment in settlement of a written medical malpractice complaint or claim. For instance, a state freedom of information law that requires the release of records may require the release of the records underlying an NPDB report but would not permit the release of the NPDB report itself.
Individuals or organizations that obtain information reported to the NPDB naming them as the subject of a report are permitted to share that information with whomever they choose. Statistical data that do not identify any individual or organization are available to the public for research purposes.