Skip to Content

Notice

HIPAA Administrative Simplification: National Plan and Provider Enumeration System Data Dissemination

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION:

Notice.

SUMMARY:

This notice establishes the data that are available from the National Plan and Provider Enumeration System (NPPES). In addition, this notice addresses who may have access to the data or may receive data from the system, the processes for requesting and receiving data, and the conditions under which data may be disclosed.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Patricia Peyton, (410) 786-1812.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

A. Legislative and Regulatory Background

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services (HHS) to adopt a standard unique health identifier for health care providers. On January 23, 2004, HHS published a final rule in the Federal Register that adopted the National Provider Identifier (NPI) as the standard unique health identifier for health care providers (69 FR 3434). The NPI final rule established the National Provider System (NPS) and requires, among other things, that the NPS disseminate data in response to approved requests. The NPI final rule stated that we would publish a notice in the Federal Register describing our data dissemination strategy and the process by which we would carry it out (69 FR 3456). Therefore, we are publishing this notice.

B. Operational and System Background

On July 28, 1998, in accordance with the Privacy Act of 1974, we published, in the Federal Register, a System of Records (SOR) notice for the National Provider System (NPS) (63 FR 40297). The NPS is the system, as described in the NPI final rule, that will be used to enumerate health care providers and house the information provided on health care providers' applications for NPIs. The NPS is now contained within the National Plan and Provider Enumeration System (NPPES). We are in the process of revising the Privacy Act SOR notice and will soon publish an updated SOR notice. The updated SOR notice will reflect the change from NPS to NPPES and will incorporate other changes necessitated by organizational and name changes and information contained in the NPI final rule. The updated SOR notice will also contain language that will clarify its consistency with the data dissemination policy described in this notice. (The existing SOR notice, although it is being revised, supports the data dissemination policy described in this notice.) The NPPES enumerates health care providers and houses their NPIs and information from their NPI applications/updates. The NPPES also would be capable of enumerating health plans and housing their standard unique health identifiers and information from their health plan identifier applications/updates once a standard unique health identifier for health plans has been adopted.

Covered entities under HIPAA are required to use NPIs to identify health care providers in standard transactions beginning no later than May 23, 2007 (small health plans have until May 23, 2008). (See the Standards for Electronic Transactions and Code Sets final rule published on August 17, 2000 (65 FR 50312), the Modifications to the Electronic Transaction and Code Sets final rule published on February 20, 2003 (68 FR 8381), and the NPI final rule published on January 23, 2004 (69 FR 3434)). Covered entities include health plans, health care clearinghouses, and those health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard.

The NPPES uniquely identifies health care providers by the use of an Start Printed Page 30012application process and assigns them their NPIs. The NPPES creates a record for each health care provider to whom it assigns an NPI. The records are updated when health care providers furnish updates to the NPPES.

Health care providers are categorized by the NPPES as two types: Individuals, such as physicians; and organizations, such as hospitals.

A health care provider may apply for an NPI in one of three ways: (1) By completing form CMS-10114 (NPI Application/Update Form) and mailing it to the NPI Enumerator; (2) by applying online at https://NPPES.cms.hhs.gov/​; or (3) by having an approved organization submit its NPI application data, along with the NPI application data of many other health care providers, to the NPPES in an electronic format defined by HHS. (The NPI Application/Update Form, CMS-10114, is approved under the Paperwork Reduction Act as OMB No. 0938-0931 with an expiration date of February 29, 2008.)

Health care providers who apply online have electronic access to the information in their own NPPES records by using user identifiers and passwords they select. This access allows those health care providers to submit updates to their NPPES data electronically via the Web.

Health care providers who apply on the paper form may update their NPPES data electronically by using user identifiers and passwords they select. However, health care providers who are individuals and who submit paper applications but did not furnish SSNs in their applications must update their NPPES data by using the paper NPI Application/Update Form.

A health care provider may have its NPI application data submitted by a HHS-approved organization if the organization offers this service and the health care provider gives permission for the NPI application data to be submitted by the organization. An organization, once it is approved to do so, submits to the NPPES the health care provider's NPI application data, along with the NPI application data of many other health care providers who have also agreed to this service. The NPI application data are submitted to the NPPES for enumeration electronically in a format defined by HHS. The NPPES processes the NPI application data and makes available to the organization the NPIs that were assigned to the health care providers. If NPIs were not assigned to all of the health care providers, HHS indicates to the organization why NPIs were not assigned. This process is known as electronic file interchange (EFI) for bulk enumeration. Information about EFI can be found at http://www.cms.hhs.gov/​NationalProvIdentStand/​. Health care providers who are assigned NPIs via this process may update their own NPPES data electronically via the Web using user identifiers and passwords they select. The approved organizations may offer to submit updates to the health care providers' NPPES data on behalf of the health care providers, and may do so if the health care providers agree. The updates are sent to the NPPES in an electronic format defined by HHS. Information on the format of EFI files is available at https://NPPES.cms.hhs.gov. The EFI process became available on May 1, 2006.

II. How to Obtain NPI(s) and Other NPPES Data of Enumerated Health Care Providers

A. Request the NPIs From the Health Care Providers

Entities wishing to obtain the NPI of a health care provider for use in a standard transaction(s) may contact that health care provider directly and request the NPI. Health care providers who are covered entities under HIPAA (known as “covered health care providers”) are required by the NPI final rule to disclose their NPIs to any entity that needs them for use in standard transactions (45 CFR 162.410(a)(3)). Covered organization health care providers that have subparts that have been assigned NPIs must ensure that those subparts disclose their NPIs as well (45 CFR 162.410(a)(6)). Because the NPI was adopted for use in standard transactions, enumerated health care providers who are not covered health care providers are expected, but not required, to disclose their NPIs, upon request, to any entity that needs them for use in standard transactions.

B. Request the NPIs and Other NPPES Health Care Provider Data From HHS

In accordance with the Freedom of Information Act (FOIA), the Privacy Act, and the CMS FOIA and Privacy Act procedures, HHS has reviewed the health care provider data elements contained in the NPPES, which are listed in the NPI final rule (69 FR 3457 through 3460). As a result of this review, HHS believes that Social Security Numbers (SSNs), Internal Revenue Service Individual Taxpayer Identification Numbers (IRS ITINs), and dates of birth (DOB) are not disclosable under FOIA and, therefore, HHS will not release these three data elements to the public, which includes HIPAA covered entities. This decision supports HHS and CMS efforts to prevent or minimize fraud and abuse in the Medicare and Medicaid programs and in the health care industry in general. HHS has determined that the remaining health care provider data elements contained in the NPPES, which are listed in the table below, are required to be disclosed under the FOIA. HHS believes that the data elements in the table below are sufficient to enable HIPAA covered entities to match health care provider records in NPPES with the health care providers for whom they have data.

Anyone may request NPIs and other NPPES health care provider data from HHS under the FOIA.

The NPPES data elements that HHS has determined are required to be disclosed under the FOIA are listed below. They are defined in the NPI final rule.

NPPES Health Care Provider Data That May Be Disclosed Under FOIA

For health care providers who are individualsFor health care providers who are organizations
NPI (This is the provider's NPI. If the provider has had an NPI replaced, this will be the same NPI as the Replacement NPI.)NPI (This is the provider's NPI. If the provider has had an NPI replaced, this will be the same NPI as the Replacement NPI.)
Entity Type Code:Entity Type Code:
1=Individual2=Organization
Replacement NPI (This is the provider's NPI if the provider has been assigned a Replacement NPI. If the provider has never been assigned a Replacement NPI, this data element will be blank.)Replacement NPI (This is the provider's NPI if the provider has been assigned a Replacement NPI. If the provider has never been assigned a Replacement NPI, this data element will be blank.)
Employer Identification Number (EIN).
Provider Last Name (Legal Name)Provider Organization Name (Legal Business Name).
Provider First Name
Start Printed Page 30013
Provider Middle Name
Provider Other Last NameProvider Other Organization Name.
Provider Other Last Name Type Code:Provider Other Organization Name Type Code:
1=Former Name3=Doing Business As Name.
2=Professional name4=Former Legal Business Name.
5=Other5=Other.
Provider Other First Name
Provider Other Middle Name
Provider Name Prefix Text
Provider Name Suffix Text
Provider Credential Text
Provider First Line Business Mailing AddressProvider First Line Business Mailing Address.
Provider Second Line Business Mailing AddressProvider Second Line Business Mailing Address.
Provider Business Mailing Address City NameProvider Business Mailing Address City Name.
Provider Business Mailing Address State NameProvider Business Mailing Address State Name.
Provider Business Mailing Address Postal CodeProvider Business Mailing Address Postal Code.
Provider Business Mailing Address Country Code (If outside U.S.)Provider Business Mailing Address Country Code (If outside U.S.).
Provider Business Mailing Address Telephone NumberProvider Business Mailing Address Telephone Number.
Provider Business Mailing Address Fax NumberProvider Business Mailing Address Fax Number.
Provider First Line Business Location AddressProvider First Line Business Location Address.
Provider Second Line Business Location AddressProvider Second Line Business Location Address.
Provider Business Location Address City NameProvider Business Location Address City Name.
Provider Business Location Address State NameProvider Business Location Address State Name.
Provider Business Location Address Postal CodeProvider Business Location Address Postal Code.
Provider Business Location Address Country Code (If outside U.S.)Provider Business Location Address Country Code (If outside U.S.).
Provider Business Location Address Telephone NumberProvider Business Location Address Telephone Number.
Provider Business Location Address Fax NumberProvider Business Location Address Fax Number.
Healthcare Provider Taxonomy Code (Primary Taxonomy required; up to 15 may be reported)Healthcare Provider Taxonomy Code (Primary Taxonomy required; up to 15 may be reported).
Other Provider IdentifierOther Provider Identifier.
Other Provider Identifier Type CodeOther Provider Identifier Type Code.
Provider Enumeration DateProvider Enumeration Date.
Last Update DateLast Update Date.
NPI Deactivation Reason CodeNPI Deactivation Reason Code.
NPI Deactivation DateNPI Deactivation Date.
NPI Reactivation DateNPI Reactivation Date.
Provider Gender Code
Provider License Number
Provider License Number State Code
Authorized Official Last Name.
Authorized Official First Name.
Authorized Official Middle Name.
Authorized Official Title or Position.
Authorized Official Telephone Number.

We anticipate an extraordinary demand from the health care industry for FOIA-disclosable NPPES health care provider data. Because the health care industry needs these data in order to develop linkages between legacy identifiers and NPIs that will be necessary in order to implement the NPI as required by regulation, and because health care providers need to know the NPIs of other health care providers in order to submit HIPAA-compliant health care claims transactions, there is an extreme urgency for HHS to make these data available. In order to efficiently respond, HHS will make NPPES health care provider data available on the Internet. Internet availability eliminates the need for entities to submit initial and ongoing requests for data to HHS and for HHS to process and respond to each of those requests. We believe that making these data available on the Internet is the most efficient and effective means of dissemination.

HHS will make the FOIA-disclosable NPPES health care provider data available in downloadable files and in a query-only database, as described below in items 1 and 2, respectively. Upon publication of this notice, HHS will announce the Internet locations of the downloadable files and the query-only database on the CMS NPI Web page (http://www.cms.hhs.gov/​NationalProvIdentStand/​). At the same time, CMS will communicate that information in its provider listservs and to its business partners and other health care industry associations with whom CMS works on issues related to NPI implementation.

The initial downloadable file and the query-only database will be available 30 days after the publication date of this notice.

We remind health care providers who are covered entities under HIPAA that they are required by the NPI final rule to update their NPPES data within 30 days of the changes, and we encourage other health care providers who have been assigned NPIs to do the same. Further, prior to CMS” disclosure of NPPES health care provider data, we encourage health care providers who have been assigned NPIs to check the information in their NPPES records to ensure it is current. Some health care providers may wish to delete optional NPPES data that they furnished when applying for their NPIs since the Start Printed Page 30014information provided in these optional fields is not required. For example, the data contained in the “Other Names” and “Other Provider Identifiers” data fields are optional. Further, a primary “Healthcare Provider Taxonomy Code” is required to be furnished when applying for an NPI; however, the reporting of additional “Healthcare Provider Taxonomy Codes” (a total of 15 may be reported) is optional.

The HHS NPPES data dissemination policy is as follows:

1. NPPES health care provider data that are required to be disclosed under the FOIA will be available as a downloadable file on a Web site.

Section 552(a)(2)(D) of the FOIA requires agencies to make available by electronic means copies of records which have been released to any person under the FOIA and which, because of the nature of their subject matter, the agency determines have become or are likely to become the subject of subsequent requests for substantially the same records. We believe that the demand for NPPES health care provider data will be such that it will justify our making NPPES health care provider data that are required to be disclosed under the FOIA available for download by the public from an Internet Web site. The location of the downloadable file will be announced on the CMS NPI Web page (http://www.cms.hhs.gov/​NationalProvIdentStand/​) prior to its availability. Each month, an update file will also be available for download from the same Web site. The update file will not replace the initial file: The update file will contain only (1) data that are required to be disclosed under FOIA for health care providers who obtained NPIs within the prior month, and (2) updates and changes to the data that are required to be disclosed under the FOIA for enumerated health care providers that were made within the prior month. The first update file will be available for downloading 30 days after the availability of the initial file, and a new update file will be available for downloading each month thereafter.

There will be no charge to download the files.

We may decide to discontinue making these files available if we determine that the query-only database described in (2) below is an adequate replacement.

The NPPES data elements that HHS has determined are required to be disclosed under FOIA and will be contained in the downloadable files are listed in the table above.

2. NPPES health care provider data that HHS has determined are required to be disclosed under FOIA will be available in a query-only database on an Internet Web site.

Section 552(a)(2)(D) of the FOIA requires agencies to make available by electronic means copies of records which have been released to any person under the FOIA and which, because of the nature of their subject matter, the agency determines have become or are likely to become the subject of subsequent requests for substantially the same records.

We believe that the demand for NPPES health care provider data will be such that it will justify our making a query-only database containing NPPES health care provider data that are required to be disclosed under the FOIA available to the public on an Internet Web site. Users will be able to run simple queries online, such as queries by NPI and by name of health care provider.

There will be no charge to use the query-only database.

The NPPES data elements that HHS has determined are required to be disclosed under FOIA and will be available from the query-only database are listed in the table above.

3. Other requests for NPPES health care provider data that HHS has determined are required to be disclosed under the FOIA.

Requests for FOIA-disclosable data in formats or in media that are not described above, or any other custom requests, will be considered in accordance with the FOIA and CMS FOIA procedures and charges (see http://www.cms.hhs.gov/​AboutWebsite/​04_​FOIA.asp). For example, these could be requests for FOIA-disclosable data for specific health care providers, or for health care providers in certain States or with certain Healthcare Provider Taxonomy Codes, or requests for FOIA-disclosable data on CD, diskette, or paper. These requests must be described in detail and be submitted to the following address: Centers for Medicare & Medicaid Services, Office of Strategic Operations and Regulatory Affairs, Freedom of Information Group, Room N2-20-16, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

Requests may be sent by fax to (410) 786-0474. We will not acknowledge, respond to, or honor requests that are made by telephone.

III. Collection of Information Requirements

This document does not impose information collection and recordkeeping requirements. Consequently, it need not be reviewed by the Office of Management and Budget under the authority of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

Start Authority

Authority: Sections 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d-1320d-8), as added by section 262 of Pub. L. 104-191. 42 CFR 162, Subpart D. (Catalog of Federal Domestic Assistance Program, No. 93.773, Medicare—Hospital Insurance Program; and No. 93.774, Medicare—Supplementary Medical Insurance Program)

End Authority Start Signature

Dated: August 30, 2005.

Mark B. McClellan,

Administrator, Centers for Medicare & Medicaid Services.

End Signature Start Signature

Dated: February 22, 2007.

Michael O. Leavitt

Secretary, Department of Health and Human Services.

End Signature End Supplemental Information

[FR Doc. 07-2651 Filed 5-23-07; 4:12 pm]

BILLING CODE 4120-01-P