Synergy - March/April 2014 - 23

Ensuring Data Bank Security
At the Data Bank, security is of utmost
importance. Software has been installed
to protect against viruses, malware, and
spyware. A firewall is used to filter all
traffic and to keep malicious traffic outside
the protected environment. An intrusion
detection system monitors activity to identify
malicious or suspicious events. All data
transmissions are protected using a Secure
Socket Layer (SSL) protocol. SSL interfaces
between applications (such as browsers) and
the Transmission Control Protocol/Internet
Protocol (TCP/IP) system to provide server
authentication, client authentication, and an
encrypted communication channel between
client and server.

Data Bank users are required to protect the
confidentiality of all PII to which they have
access. This includes handling the DBIDs,
user IDs, passwords, and personal practitioner
information they use when submitting a
query or report. The confidential receipt,
storage, and disclosure of information are
essential to the Data Bank, and accountability
at all levels is important.

Responsibilities of
Authorized Agents
When an authorized agent is designated to
handle NPDB queries, both the initiating
entity and the agent are required to maintain
confidentiality. The Data Bank response to
a query submitted by an authorized agent

Data Bank regulations specify that information
received from the Data Bank must be used
solely for the purpose for which it was provided.
Additionally, the Data Bank engages in
outreach to Data Bank stakeholders about
security and confidentiality requirements,
letting them know that information must
be used for the purpose provided, such
as professional review. All external users
must acknowledge the Data Bank's Rules
of Behavior and must re-register every two
years to access the NPDB. Therefore, the
entities are informed of the confidentiality
rules they are required to abide by. The
Data Bank monitors its electronic system
and collects information on entities' use. If
an entity is suspected of not abiding by the
Rules of Behavior, the Data Bank can freeze
that entity's accounts, and it may take civil,
administrative, and criminal action.

How to Protect Personally
Identifiable Information (PII)
Please keep in mind that Data Bank
administrators and individual users are
responsible for protecting their user
IDs and passwords and preventing
unauthorized access to Data Bank
information. The first step to securing an
account is creating a good password. See
http://www.npdb.hrsa.gov/Passwords for
password specifics.

on behalf of a health care organization is
based upon two eligibility standards: (1) the
initiating health care organization must be
entitled to receive the information, and
(2) the agent must be authorized to receive
the information on behalf of that health care
organization. The agent's facilities must be
secure, ensuring the confidentiality of Data
Bank query responses.
Additionally, authorized agents cannot use
a query response on behalf of more than

one health care organization; Data Bank
regulations specify that information received
from the Data Bank must be used solely
for the purpose for which it was provided.
For example: If two different hospitals
designate the same authorized agent to
query the Data Bank on their behalf, and
both hospitals request information on the
same practitioner, the authorized agent must
query the Data Bank separately on behalf of
each hospital. The response to a Data Bank
query submitted for one hospital cannot be
disclosed to another hospital.

For More Information
The NPDB webite, www.npdb.hrsa.gov/ has
additional information about confidentiality
and other topics, including new regulations,
webinars, FAQs, and newsletter articles. The
Customer Service Center also can help with
questions and is available at 800-767-6732
(800-SOS-NPDB) or at help@npdb.hrsa.gov.
Also, if you are interested in having a Data
Bank staff member speak at an upcoming
educational activity, please submit an
Education Request. ■

Coming in the next issue of SYNERGY:
This article is the third in a series of
six concerning the Data Bank. The
next article will answer questions you
send to us about any Data Bank issues
you might have. Please send your
questions to NPDBPolicy@hrsa.gov.

The Data Bank monitors its electronic system
and collects information on entities' use. If
an entity is suspected of not abiding by the
Rules of Behavior, the Data Bank can freeze
that entity's accounts, and it may take civil,
administrative, and criminal action.

MARCH/APRIL 2014 SYNERGY

/

23
http://www.npdb.hrsa.gov/ http://www.npdb.hrsa.gov/forms/EducationRequest.pdf http://www.npdb.hrsa.gov/resources/brochures/RulesOfBehavior.pdf http://www.npdb.hrsa.gov/resources/brochures/RulesOfBehavior.pdf http://www.npdb.hrsa.gov/Passwords
Synergy - March/April 2014

Table of Contents for the Digital Edition of Synergy - March/April 2014
