NPDB Security

There are over 23,000 registered organizations. Because of the high volume of users and sensitivity of information, the NPDB requires that organizations take specific precautions to protect the confidentiality of information. Implementation of these specific measures can help prevent security breaches, which may result in civil suits and fines for violating Federal regulations. To view NPDB laws and regulations.

The Federal regulations specify NPDB requirements for the confidential receipt, storage, and disclosure of information. Each organization's Data Bank administrator is responsible for monitoring and controlling user access, which will help ensure the security of NPDB information.

It is important to follow the best practices discussed below for creating secure passwords and for managing organization users' access to the NPDB. Equally important to the system's security is the proper and secure retrieval, handling, and disposal of sensitive NPDB information.

The NPDB operates on a secure Web server using the latest technology and implementation measures to provide a secure environment for querying, reporting, storing, and retrieving information.

NPDB Confidentiality

Information reported to the NPDB is considered confidential and may not be disclosed except as specified in the NPDB regulations.

To safeguard the system, the NPDB requires all organization accounts to have unique user IDs and user passwords. This rule helps protect the confidentiality of NPDB information. Each organization is assigned a Data Bank Identification Number (DBID) when it registers with the NPDB. In addition, the Data Bank administrator must choose a user ID and password as part of the registration process. Once the registration is approved by the NPDB, the Data Bank administrator can assign a user ID and password to each additional employee who is authorized to query or report to the NPDB. When you sign in to the system, you enter your password and other information to identify yourself to the NPDB as an authorized user and, based on your entity's statutory authority and eligibility, you are granted the correct permissions to use the NPDB.

Please keep the following points in mind when using the NPDB:

  • The Data Bank administrator and the individual user are responsible for protecting their user IDs and passwords and preventing unauthorized access to NPDB information. The first step to securing your account is a good password. See How to Manage Password and User IDs for password specifics.
  • The Data Bank administrator is responsible for maintaining the organization's account and the individual user accounts.

Data Bank Administrator Responsibilities

The Data Bank administrator is the person assigned by your organization to oversee the use of the NPDB system and to create and maintain individual user accounts for other staff. If more than one person in your organization submits queries and/or reports to the NPDB, the Data Bank administrator must establish individual user accounts. The Data Bank administrator should never provide other users with the Data Bank administrator's sign-in information or password. To establish individual user accounts:

  1. The Data Bank administrator should sign into the NPDB.
  2. Select Administrator Options on the Select an Option page.
  3. On the Administrator Options page, select Maintain User Accounts.
  4. On the Maintain User Account page, the Data Bank administrator may add, edit, or delete individual user accounts and specify a user ID and temporary user password for each user account established. See below for information on password security.

Passwords

The NPDB is mandated by Federal regulation to increase and scrutinize security in order to protect the confidential information stored in the NPDB.

NPDB users are required to change their passwords periodically. Password restrictions and guidelines can be found on the How to Manage User IDs and Password page.

Deleting User Accounts

The Data Bank administrator is responsible for updating user accounts. If a user leaves the organization, the Data Bank administrator must delete that person's user account.

When Security is Compromised

Consider the following scenario: A Data Bank administrator shares his or her user ID and user password with another user. That user accesses the NPDB (using the Data Bank administrator's sign-in information) and, at the request of a practitioner, voids all active reports previously filed by the organization on the practitioner. In this scenario, both the practitioner and the user are liable and subject to civil money penalties (42 CFR Ch. V) and penalties under other Federal statutes. However, because the user entered the Data Bank administrator's sign-in and password to perform this unauthorized void transaction, the transaction will be traced to the Data Bank administrator. Avoid potentially disastrous situations by not sharing your sign-in and password information.

Other Security Pointers

  • Be sure to sign out of the NPDB at the end of your session, so that unauthorized personnel cannot gain access to your sensitive information.
  • After you sign into the NPDB, on the Entity Registration Confirmation page, verify the date and time when your account was last accessed. If you notice that this date and time are incorrect, you should change your password immediately, call the NPDB Customer Service Center, and notify your Data Bank administrator.
  • Remember that improper use of NPDB information can result in a civil money penalty. By setting up passwords and using the system properly, you can help ensure NPDB security.
  • Do not share confidential NPDB documents with anyone who is not authorized to see them. Handle the reports properly - do not leave them out on printers or lying around the office. Securely store and file confidential documents.
  • After a confidential NPDB document is generated, print it and then immediately secure your files. Be sure to shred extra copies of documents that you do not intend to file.