The Data Bank

The Data Bank, consisting of the National Practitioner Data Bank (NPDB) and the Healthcare Integrity and Protection Data Bank (HIPDB), is a confidential information clearinghouse created by Congress to improve healthcare quality, protect the public, and reduce healthcare fraud and abuse in the U.S. See Table 1 for information on who can query and report to the Data Bank.

Background

The Data Bank is primarily an alert or flagging system intended to facilitate a comprehensive review of the professional credentials of health care practitioners, providers, and suppliers; the information from the Data Bank should be used in conjunction with, not in replacement of, information from other sources.

NPDB

The National Practitioner Data Bank (NPDB) was established by Title IV of Public Law 99-660, the Health Care Quality Improvement Act of 1986, as amended (Title IV). Final regulations governing the NPDB are codified at 45 CFR Part 60. In 1987 Congress passed Public Law 100-93, Section 5 of the Medicare and Medicaid Patient and Program Protection Act of 1987 (Section 1921 of the Social Security Act), authorizing the Government to collect information concerning sanctions taken by State licensing authorities against all health care practitioners and entities. Congress later amended Section 1921 with the Omnibus Budget Reconciliation Act of 1990, Public Law 101-508, to add “any negative action or finding by such authority, organization, or entity regarding the practitioner or entity.” Responsibility for NPDB implementation resides with the Bureau of Health Professions, Health Resources and Services Administration, U.S. Department of Health and Human Services (HHS).

Title IV is intended to improve the quality of health care by encouraging State licensing boards, hospitals, professional societies, and other healthcare organizations to identify and discipline those who engage in unprofessional behavior; to report medical malpractice payments; and to restrict the ability of incompetent physicians, dentists, and other health care practitioners to move from State to State without disclosure or discovery of previous medical malpractice payment and adverse action history. Adverse actions can involve licensure, clinical privileges, professional society membership, and exclusions from Medicare and Medicaid.

Section 1921 was enacted to provide protection from unfit healthcare practitioners to beneficiaries participating in the Social Security Act’s healthcare programs and to improve the anti-fraud provisions of these programs. Section 1921 expands the information collected and disseminated through the NPDB to include reports on all licensure actions taken against all health care practitioners, not just physicians and dentists, as well as health care entities. Peer Review Organizations and Private Accreditation Organizations must report any negative actions or findings taken against healthcare practitioners or organizations. Queriers have access to State licensure actions taken against all health care practitioners and Section 1921 provides limited querying by Quality Improvement Organizations, Federal and State Health care Programs, State Medicaid Fraud Control Units, and other law enforcement agencies. Section 1921 also will allow entities new to the NPDB to access Section 1921 data through the NPDB.

HIPDB

The Secretary of HHS, acting through the Office of Inspector General (OIG) and the U.S. Attorney General, was directed by the Health Insurance Portability and Accountability Act of 1996, Section 221(a), Public Law 104-191, to create the Healthcare Integrity and Protection Data Bank (HIPDB) to combat fraud and abuse in health insurance and health care delivery. The HIPDB’s authorizing statute is more commonly referred to as Section 1128E of the Social Security Act. Final regulations governing the HIPDB are codified at 45 CFR Part 61.

The HIPDB is a national data collection program for the reporting and disclosure of certain final adverse actions taken against healthcare practitioners, providers, and suppliers. The HIPDB collects information regarding licensure and certification actions, exclusions from participation in Federal and State healthcare programs, healthcare-related criminal convictions and civil judgments, and other adjudicated actions or decisions as specified in the regulation.

Confidentiality of Data Bank Information

Information reported to the Data Bank is considered confidential and shall not be disclosed except as specified in the Data Bank regulations. The HHS OIG has the authority to impose civil money penalties on those who violate the confidentiality provisions of NPDB and/or HIPDB information. Persons or organizations that receive information either directly or indirectly are subject to confidentiality provisions and the imposition of a civil money penalty of up to $11,000 for each offense if they violate those provisions. When an authorized agent is designated to handle NPDB queries, both the initiating organization and the agent are required to maintain confidentiality by Title IV requirements.

The confidential receipt, storage, and disclosure of information is an essential ingredient of Data Bank operations. A comprehensive security system has been designed to prevent manipulation of and access to data by unauthorized staff or external sources. The facility in which the Data Bank is housed meets HHS security specifications, and each member of the Data Bank staff has undergone an in-depth background security investigation.

The Privacy Act of 1974, 5 USC §552a, as amended, protects the contents of Federal systems of records, such as those contained in the NPDB and the HIPDB, from disclosure without the subject’s consent, unless the disclosure is for routine use of the system of records as published annually in the Federal Register. The limited access provision of the Health Care Quality Improvement Act of 1986, as amended, supersedes the disclosure requirements of the Freedom of Information Act (FOIA), 5 USC §552, as amended.

The confidentiality provisions of Title IV do not prohibit an eligible organization from receiving information from the NPDB to disclose it further, as long as it is used to carry out a professional review activity within the organization. For example, a hospital may disclose the information it receives from the NPDB to hospital officials responsible for reviewing a practitioner’s application for a medical staff appointment or clinical privileges. In this case, both the hospital personnel who receive the information and the hospital officials who subsequently review it during the employment process are subject to the confidentiality provisions of Title IV.

The confidentiality provisions do not apply to the original documents or records from which the reported information is obtained. The NPDB’s confidentiality provisions do not impose any new confidentiality requirements or restrictions on those documents or records. Thus, these confidentiality provisions do not bar or restrict the release of the original documents or records, or the information itself, by the organization taking the adverse action or making the payment in settlement of a written medical malpractice complaint or claim. For example, if a hospital that reported an adverse action against a physician under the provisions of Title IV receives a subpoena for the underlying records, it may not refuse to provide the requested documents because Title IV bars the release of the records or information.

The enabling statutes for the Data Bank do not allow disclosure to the general public. The general public may not request information that identifies a particular healthcare practitioner, provider, or supplier from the NPDB or the HIPDB.

Data Bank Security

As previously stated, information reported to the Data Bank is confidential. Safeguarding that confidential information includes proper and secure retrieval, handling, and disposal of the information. Taking the following actions helps to ensure Data Bank security.

  • Every registered healthcare organization must have a unique Data Bank Identification Number (DBID) and password. All individual users within the organization must also use the organization’s DBID and have their user ID and password. To learn more, see Manage User IDs and Passwords.
  • Sign out of the Data Bank after each session to keep unauthorized personnel from gaining access to you or your organization’s sensitive information.
  • After signing in to the Data Bank, verify the date and time when last accessed. If incorrect, change your password immediately, call the Customer Service Center (800-767-6732), and notify your organization’s Data Bank Administrator.
  • Do not share confidential Data Bank documents with anyone not authorized to see them. Also, handle the reports properly – do not leave them in plain sight at the office. Securely store and file the documents.
  • Refer to About Management Tools for more details on Data Bank Administrator and user accounts.

Table 1. The Data Bank at a Glance
NPDB HIPDB
Background
The National Practitioner Data Bank was established under Title IV of Public Law 99-660, the Health Care Quality Improvement Act of 1986, and is expanded by Section 1921, as amended by section 5(b) of the Medicare and Medicaid Patient and Program Protection Act of 1987, and as amended by the Omnibus Budget Reconciliation Act of 1990. NPDB is an information clearinghouse to collect and releases all licensure actions taken against all healthcare practitioners and healthcare entities, as well as any negative actions or findings taken against healthcare practitioners or organizations by Peer Review Organizations and Private Accreditation Organizations. The Healthcare Integrity and Protection Data Bank was established under Section 1128E of the Social Security Act as added by Section 221(A) of the Health Insurance Portability and Accountability Act of 1996. HIPDB was implemented to combat fraud and abuse in health insurance and health care delivery and to promote quality care. HIPDB alerts users that a more comprehensive review of past actions by a practitioner, provider, or supplier may be prudent.
Who Reports?
  • Medical malpractice payers
  • State health care practitioner licensing and certification authorities (including medical and dental boards)
  • Hospitals
  • Other healthcare entities with formal peer review (HMOs, group practices, managed care organizations)
  • Professional societies with formal peer review
  • State entity licensing and certification authorities
  • Peer review organizations
  • Private accreditation organizations
  • Federal and State Government agencies
  • Health plans
What Information is Available?
  • Medical malpractice payments (all health care practitioners)
  • Any adverse licensure actions (all practitioners or entities)
    • revocation, reprimand, censure, suspension, probation
    • any dismissal or closure of the proceedings because of the practitioner or entity surrendering the license or leaving the State or jurisdiction
    • any other loss of license
  • Adverse clinical privileging actions
  • Adverse professional society membership actions
  • Any negative action or finding by a State licensing or certification authority
  • Peer review the organization’s negative actions or finding against a healthcare practitioner or entity
  • Private accreditation organization negative actions or findings against a health care practitioner or entity
  • Licensing and certification actions
    • Revocation, suspension, censure, reprimand, probation
    • Any other loss of license – or right to apply for or renew – a license of the provider, supplier, or practitioner, whether by voluntary surrender, non-renewal, or otherwise
    • Any negative action or finding by a Federal or State licensing and certification agency that is publicly available information
    • Civil judgments (healthcare-related)
  • Criminal convictions (healthcare-related)
  • Exclusions from Federal or State health care programs
  • Other adjudicated actions or decisions (formal or official actions, availability of due process mechanism, and based on acts or omissions that affect or could affect the payment, provision, or delivery of a health care item or service)
Who Can Query?
  • Hospitals
  • Other healthcare entities, with formal peer review
  • Professional societies with formal peer review
  • State health care practitioner licensing and certification authorities (including medical and dental boards)
  • State entity licensing and certification authorities*
  • Agencies or contractors administering Federal health care programs*
  • State agencies administering State health care programs*
  • State Medicaid Fraud Units*
  • U.S. Comptroller General*
  • U.S. Attorney General and other law enforcement*
  • Health care practitioners (self-query)
  • Plaintiff’s attorney/pro se plaintiffs (under limited circumstances)**
  • Quality Improvement Organizations*
  • Researchers (statistical data only)

* eligible to receive only those reports authorized by Section 1921.
** eligible to receive only those reports authorized by HCQIA.
  • Federal and State Government agencies
  • Health plans
  • Health care practitioners/providers/suppliers (self-query)
  • Researchers (statistical data only)
Who Cannot Query? 
The Data Bank is prohibited by law from disclosing information on a specific practitioner, provider, or supplier to a member of the general public. However, persons or organizations can request information in a form that does not identify any particular organization or practitioner.