Hospitals won’t be able to access HIPAA data bank

Lockout could hinder credentialing efforts

At a time when the federal government is holding hospitals more accountable than ever for the actions taken by their affiliated physician providers, making effective physician credentialing a crucial issue for all facilities, hospitals find themselves barred from accessing a new federal data bank that could represent the best single source of credentialing information.

The new Healthcare Integrity and Protection Data Bank (HIPDB), mandated by the Health Insurance Portability and Accountability Act of 1996, is supposed to complement the 10-year-old National Practitioner Data Bank (NPDB), which contains reports of medical malpractice payments, adverse licensing actions, adverse clinical privileges actions, and adverse professional society membership actions on more than 133,000 providers. The HIPDB goes a step further by listing other final adverse actions, including:

• civil judgments, with the exception of malpractice judgments, in federal or state courts related to the delivery of a health care item or service;

• federal or state criminal convictions related to the delivery of a health care item or service;

• actions by federal or state agencies responsible for the licensing and certification of health care providers;

• exclusion from participation in federal or state health care programs.

The HIPDB, which is administered by the Department of Health and Human Services’ Office of Inspector General (OIG), will have other ramifications as well, says Mark Kadzielski, the partner in charge of the West Coast health care practice of Akin, Gump, Strauss, Hauer & Feld in Los Angeles. Unlike the NPDB, the HIPDB contains federal, state, and criminal convictions at every level, including misdemeanors and infractions. That means that a misdemeanor or a no contest plea bargain that would solve a doctor’s criminal problem will now get the doctor reported to the HIPDB, where that information is accessible to health plans.

"The notion of HIPDB was to try to bring everything together under one roof," says Fay Rozovsky, JD, MPH, DFASHRM, principal of the Rozovsky Group in Richmond, VA. That’s why it’s ironic that most hospitals, which need the information to effectively vet the physicians they deal with, won’t be able to use the data bank, thanks to an odd provision in the law that established it.

OIG’s guidance specifically mentions HIPDB

"It’s a statutory requirement as to who can have access," says Sue Prophet, RRA, CCS, director of classifications and coding at the American Health Information Management Association in Chicago. "So [the OIG’s] hands were tied." Even so, Prophet finds it interesting that the OIG’s compliance guidance for hospitals contains a discussion of performing background checks on employees that specifically references HIPDB. "It says that once the database gets fully operational, hospitals should regularly request information from it as part of their employee screening process. Well, that won’t be allowed. People had assumed that when the data bank was operational, it would be another avenue to check on any final adverse actions taken against people that they are thinking of hiring. And basically, this isn’t going to be open to them."

That’s a troubling prospect to Kadzielski, who maintains that access to the data bank is crucial at a time when hospitals are being held to high corporate integrity standards. "To have information that is collected in the government data bank that may show that their physicians have a bad track record with regard to fraud and abuse and not be able to access it makes the corporate compliance process crazy," he says.

Without the database, many hospitals will be reduced to relying on physicians’ self-disclosure, Kadzielski says. "And that is usually of very limited efficacy," he notes. "Doctors don’t tell the truth about how many times they’ve had criminal convictions or debarments. But the hospitals would have no other way of accessing the information, other than by hiring a private investigator for every single member of their medical staff, which is incredibly silly and of outrageous cost."

The problem is that if hospitals don’t get their hands on the information somehow, they could, ironically, face problems with the the OIG, the very organization charged with administering the database. "They’re going to have to hope that somebody from the OIG doesn’t come around and say, how could you have this guy on your hospital staff when he has this whole list of civil judgments against him for fraud?’ Their answer will be, We didn’t know,’" says Kadzielski. And it remains to be seen whether the OIG will consider that an adequate excuse.

Hospitals could try to circumvent the access restriction by requesting information from managed care organizations, which do have access to HIPDB. That would result, however, in a strange reversal of the direction in which credentialing information typically flows. "HMOs are not prepared to deal with this," Kadzielski warns, "or to deal with the fact that they now will be the focus of all of this information and will have to make some tough decisions."

Rozovsky says it’s not clear why Congress chose to give managed care organizations and not hospitals the right to access HIPDB. "Originally, the feeling was that [HIPDB] was designed for people who otherwise were not able to avail themselves of the NPDB," she says. MCOs are only able to access NPDB if they have corrective action plans and a peer review mechanism, and of they afford due process.

Road less taken provides information

Of course, even without access to HIPDB, hospitals can pursue other avenues to get at least some of the information they need to make informed credentialing decisions, Prophet says. The most obvious is the cumulative sanction report contained on the OIG’s Web site. The report is updated regularly and lists the providers that have been excluded from participating in Medicare and Medicaid. "But that is only one part of the puzzle, and, unfortunately, there may be other things in the HIPDB that are more relevant and more pertinent to hospitals that they won’t be able to get their hands on," Kadzielski says.

Other options are available, however. Rozovsky recommends consulting the various disciplinary databases maintained by state disciplinary boards. Another resource most people don’t consider is the set of federal data banks regarding research trials. "Let’s suppose we’re talking about a community hospital that has human research trials going on," Rozovsky says. "Is anybody checking the data banks or the databases that the government has readily available, where there are people who have been debarred from receiving federal funding as principal investigators in human research for violating federal rules? That information is in the Federal Register and on various Web sites. So, the fact that hospitals don’t have access to HIPDB should not preclude them from being a little more inventive in trying legitimately to get the information they need to do the job right."

Indeed, says Rozovsky, even if Congress acts to give hospitals access to HIPDB (see related story, p. 3), due diligence would require hospitals to probe even more deeply. "You can’t just rely on one database," she says. "It comes down to the compliance plan. What does the hospital compliance plan say about walking the talk of being a truly compliant organization? What is the hospital’s role in the community with regard to promoting patient safety and a sense of trust and confidence in the hospital? You don’t stop because they put up a stop sign. I think you have to find another route."

The final rule implementing the HIPDB was published in the Federal Register Oct. 26 and took effect immediately. The data bank began receiving information in December and will begin accepting requests for reports early this year.

The final rule for the OIG’s HIPDB is available on the HHS Web site at Click on "What’s New."