May 19, 2016

QUESTION:        Our hospital is registered with the National Practitioner Data Bank (“NPDB”).  We would like to designate as an authorized agent for NPDB querying purposes a credentials verification organization (“CVO”) with which we have recently started working.  How do we go about doing this?

ANSWER:           The NPDB explicitly permits the practice of eligible entities, including hospitals, designating authorized agents, such as CVOs, to query on their behalf.  However, according to the NPDB Guidebook, an authorized agent must, itself, register with the NPDB and comply with all the registration requirements.  Often, CVOs act as authorized agents for a number of eligible entities.  Nonetheless, the CVO must query the NPDB separately for each eligible entity they represent.  Moreover, the CVO is not permitted to share results of a query for one eligible entity with another eligible entity.

After the CVO registers with the NPDB, your hospital will have to designate the CVO as its authorized agent.  This is a relatively simple process that can be done electronically by accessing this web address:  https://www.npdb.hrsa.gov/hcorg/howToDesignateAnAuthorizedAgent.jsp.  Finally, as a part of designating the CVO as an authorized agent to query the NPDB on behalf of your hospital, you will have to create a written agreement between your hospital and the CVO.  The NPDB Guidebook does not identify any required elements for this written agreement, but the NPDB website provides recommendations for what should be included in the agreement.  According to the NPDB website, the agreement should confirm the following:  (1) the authorized agent is authorized to conduct business in the relevant state; (2) the authorized agent’s facilities are capable of maintaining the security and confidentiality of NPDB reporting and query responses; (3) the authorized agent is prohibited from using querying responses for any purpose other than that for which the disclosure was made; and (4) the agent understands that sanctions can be taken if information is requested, used, or disclosed in violation of NPDB provisions.