HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers

Summary:

This final rule establishes the standard for a unique health identifier for health care providers for use in the health care system and announces the adoption of the National Provider Identifier (NPI) as that standard. It also establishes the implementation specifications for obtaining and using the standard unique health identifier for health care providers. The implementation specifications set the requirements that must be met by “covered entities”: Health plans, health care clearinghouses, and those health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard (known as “covered health care providers”). Covered entities must use the identifier in connection with standard transactions.

The use of the NPI will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general, by simplifying the administration of the health care system and enabling the efficient electronic transmission of certain health information. This final rule implements some of the requirements of the Administrative Simplification subtitle F of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Table of Contents

Table of Figures

For further information contact:

Patricia Peyton, (410) 786-1812.

Supplementary information:

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by faxing to (202) 512-2250. The cost for each copy is $10. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register. This Federal Register document is also available from the Federal Register online database through GPO access, a service of the U.S. Government Printing Office. The Web site address is http://www.access.gpo.gov/nara/index.html. This document is also available from the Department's Web site at http://aspe.hhs.gov/admnsimp/.

I. Background

In order to administer its programs, a health plan assigns identification numbers to its providers of health care services and its suppliers. A health plan may be, among other things, a Federal program such as Medicare, a State Medicaid program, or a private health plan. The identifiers it assigns are frequently not standardized within a single health plan or across health plans, which results in the single health care provider having different identification numbers for each health plan, and often having multiple billing numbers issued within the same health plan. This complicates the health care provider's claims submission processes and may result in the assignment of the same identification number to different health care providers by different health plans.

A. NPI Initiative

In July 1993, the Centers for Medicare Medicaid Services (CMS) (formerly the Health Care Financing Administration (HCFA)), undertook a project to develop a health care provider identification system to meet the needs of the Medicare and Medicaid programs and, ultimately, the needs of a national identification system for all health care providers. Active participants in the project represented both government and the private sector. The project participants decided to develop a new identifier for health care providers because existing identifiers did not meet the criteria for national standards. The new identifier, known as the National Provider Identifier (NPI), did not have the limitations of the existing identifiers, and it met the criteria that had been recommended by the Workgroup for Electronic Data Interchange (WEDI) and the American National Standards Institute (ANSI).

B. The Results of the NPI Initiative

As a result of the project, and before the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, which was enacted on August 21, 1996, required the adoption and use of a standard unique identifier for health care providers, CMS and the other project participants accepted the NPI as the standard unique health identifier for health care providers. CMS decided to implement the NPI for Medicare, and began work on developing the National Provider System (NPS), which was intended to capture health care provider data and be equipped with the technology necessary to maintain and manage the data. The NPS was intended to be able to accept health care provider data in order to uniquely identify a health care provider and assign it an NPI. The NPS was intended to be designed so it could be used by other Federal and State agencies, and by private health plans, if deemed appropriate, to enumerate their health care providers that did not participate in Medicare.

C. Legislation

The Congress included provisions to address the need for a standard unique health identifier for health care providers and other health care system needs in the Administrative Simplification provisions of HIPAA. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act (the Act) a new part C, entitled “Administrative Simplification.” (Pub. L. 104-191 affects several titles in the United States Code.) The purpose of part C is to improve the Medicare and Medicaid programs in particular, and the efficiency and effectiveness of the health care system in general, by encouraging the development of a health information system through the establishment of standards and implementation specifications to facilitate the electronic transmission of certain health information.

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose requirements on the Secretary of the Department of Health and Human Services (HHS), health plans, health care clearinghouses, and certain health care providers concerning the adoption of standards and implementation specifications relating to healthinformation. Section 1173(b) of the Act requires the Secretary to adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system and to specify the purposes for which the identifiers may be used. It also requires the Secretary to consider multiple locations and specialty classifications for health care providers in developing the standard health identifier for health care providers. We discussed other general aspects of the HIPAA statute in greater detail in the May 7, 1998, proposed rule (63 FR 25320).

D. Plan for Implementing Administrative Simplification Standards

On May 7, 1998, we proposed a standard unique health identifier for health care providers and requirements concerning its implementation (63 FR 25320). That proposed rule also set forth requirements that health plans, health care clearinghouses, and covered health care providers would have to meet concerning the use of the standard. On May 7, 1998, we also proposed standards for transactions and code sets (63 FR 25272). We published the final rule, entitled Health Insurance Reform: Standards for Electronic Transactions (the Transactions Rule), on August 17, 2000 (65 FR 50312). On May 31, 2002, in two separate proposed rules, we published proposed modifications to the Standards for Electronic Transactions. We published a final rule adopting modifications to the Transactions Rule on February 20, 2003 (68 FR 8381).

On November 3, 1999, we proposed standards for privacy of individually identifiable health information (64 FR 59918). We published the final rule, entitled Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), on December 28, 2000 (65 FR 82462). On March 27, 2002, we proposed modifications to the Privacy Rule. On August 14, 2002, we published modifications to the Privacy standards in a final rule, entitled “Standards for Privacy of Individually Identifiable Health Information” (the Privacy Rule Modifications) (67 FR 53182).

On June 16, 1998, we proposed the standard unique employer identifier (63 FR 32784). On May 31, 2002, we published the final rule, entitled “Standard Unique Employer Identifier” (67 FR 38009).

On August 12, 1998, we proposed standards for security and electronic signatures (63 FR 43242). On February 20, 2003, we published the final rule on security standards (the Security Rule) (68 FR 8334).

On April 17, 2003, we published an interim final rule adopting procedures for the investigation and imposition of civil money penalties and the conduct of hearings when the imposition of a penalty is challenged (68 FR 18895). The interim final rule is the first installment of a larger rule, known as the Enforcement Rule, the rest of which is to be proposed at a later date.

We will be proposing standards for the unique health plan identifier and claims attachments.

In the May 7, 1998, proposed rule for the standard unique health identifier for health care providers, we proposed to add a new part 142 to title 45 of the Code of Federal Regulations (CFR) for the administrative simplification standards and requirements. We have decided to codify the final rules in 45 CFR part 162 instead of part 142. The Transactions Rule (65 FR 50312) explains why we made this change and lists the subparts and sections comprising part 162. In this final rule, we reference the proposed text using part 142, and reference the final text using part 162.

In the Transactions Rule, we addressed (at 65 FR 50314) the comments that were made on issues that were common to the proposed rules on standards for electronic transactions, the standard employer identifier, the standards for security and electronic signatures, and the standard health care provider identifier. Those issues relate to applicability, definitions, general effective dates, new and revised standards, and the aggregate impact analysis. In that final rule, we set out the general requirements in part 160 subpart A and part 162 subpart A. We refer the reader to that rule for more information on all but our discussion of issues pertinent to the standard unique health identifier for health care providers and the definition of health care provider.

E. Employer Identifier Standard: Waiver of Proposed Rulemaking and Effective Date for Uses of Employer Identifier

As stated in section I.D., “Plan for Implementing Administrative Simplification Standards,” of this preamble, we published the final rule that adopted the standard unique employer identifier on May 31, 2002 (67 FR 38009). The Employer Identifier was adopted as that standard effective July 30, 2002. We amend § 162.610 as explained below.

We ordinarily publish a correcting amendment of proposed rulemaking in the Federal Register and invite public comment on the correcting amendment before its provisions can take effect. We also ordinarily provide a delay of 30 days in the effective date of the final rule. We can waive notice and comment procedure and the 30-day delay in the effective date, however, if we find good cause that a notice and comment procedure is impracticable, unnecessary, or contrary to the public interest and we incorporate a statement in the correcting amendment of this finding and the reasons supporting that finding.

We find that seeking public comment on and delaying the effective date of this correcting amendment would be contrary to the public interest. Section 1173(b)(2) of the Act requires that the standards regarding unique health care identifiers specify the purposes for which they may be used. Section 162.610 requires a covered entity to use the standard unique employer identifier—the employer identification number (EIN) assigned by the Internal Revenue Services (IRS), U.S. Department of the Treasury—in standard transactions that require an employer identifier. Unless § 162.610 is amended to permit use of the standard unique employer identifier for all other lawful purposes, the Act could be read to subject covered entities that use their EIN for other purposes to civil money penalties under section 1176 of the Act and criminal penalties under section 1177 of the Act, a result that we did not intend. The IRS requires any taxpayer assigned an EIN to use the EIN as its taxpayer identifying number. Statutes and regulations also authorize or require other Federal agencies, including the Departments of Agriculture, Commerce, Education, Housing and Urban Development, and Labor, to collect EINs in connection with administering various Federal programs and laws. Since some of these agencies may conduct transactions with covered entities or may be covered entities in their own right, failure to promptly publish the correcting amendment could cause conflict between § 162.610 and other statutory and regulatory directives, generating uncertainty for covered entities and potentially disrupting the administration of other Federal programs and laws. We believe that it is necessary to eliminate that uncertainty and potential disruption and to do so as soon as practicable by amending § 162.610 to include as permitted uses of the EIN all other lawful purposes. Therefore, we find good cause to waive the notice and comment procedure and the 30-daydelay in the effective date as being contrary to the public interest.

II. Provisions of the Regulations and Discussion of Public Comments

Within each section of this final rule, we set forth the proposed provision contained in the May 7, 1998, proposed rule, summarize and respond (if appropriate) to the comments we received on the proposed provision, and present the final provision.

It should be noted that the proposed rule contained multiple proposed “requirements.” In this final rule, we replace the term “requirement” with the term “implementation specification,” where appropriate. We do this to maintain consistency with the use of those terms as they appear in the statute and the other published HIPAA rules. Within the comment and response portion of this final rule, for purposes of continuity, however, we use the term “requirement” when we are referring specifically to matters from the proposed rule. In all other instances, we use the term “implementation specification.”

In the May 7, 1998, proposed rule, we proposed a standard unique health identifier for health care providers. We listed the kinds of identifying information that would be collected about each health care provider in order to assign the identifier.

In addition to the requirement that health care providers use the standard, the May 7, 1998, proposed rule also proposed other requirements for health care providers:

• Each health care provider must obtain, by application if necessary, an NPI.

• Each health care provider must accept and transmit NPIs whenever required on all standard transactions it accepts or transmits electronically.

• Each health care provider must communicate to the National Provider System (NPS) any changes to the data elements in its record in the NPS within 60 days of the change.

• Each health care provider may receive and use only one NPI. An NPI is inactivated upon death or dissolution of the health care provider.

A. General Provisions

1. Applicability

The May 7, 1998, proposed rule for the standard unique health identifier for health care providers discussed the applicability of HIPAA to covered entities. The proposed rule provided that section 262 (Administrative Simplification) of HIPAA applies to health plans, health care clearinghouses, and health care providers when health care providers electronically transmit any of the transactions to which section 1173(a)(1) of the Act refers. Comments received with respect to Applicability are discussed in sections II. A. 2., “Definition of Health Care Provider,” and II. A. 5., “Implementation Specifications for Health Care Providers, Health Plans, and Health Care Clearinghouses” of this preamble.

2. Definition of Health Care Provider

In the Transactions Rule, we summarized the comments we received on the definitions we proposed in the May 7, 1998, NPI proposed rule (at 63 FR 25324), with the exception of the definition of “health care provider.” We codified all of the definitions in 45 CFR 160.103 and 45 CFR 162.103. Specifically, we codified the definition of “health care provider” at 45 CFR 160.103. We are responding in this preamble to the comments we received on the definition of “health care provider,” as we believe that these comments present issues that are more relevant to the standard unique health identifier for health care providers. As appropriate, our responses refer to discussions and decisions that were published in the Privacy Rule (65 FR 82462). This final rule does not change the definition of “health care provider” at § 160.103. This final rule adds the definition of “covered health care provider” at § 162.402.

Proposed Provisions (§ 142.103)

In the May 7, 1998, proposed rule, we proposed to define “health care provider” as a provider of services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes or bills and is paid for health care in the normal course of business (63 FR 25325). We based the proposed definition on section 1171(3) of the Act for the reasons we stated in the May 7, 1998, proposed rule.

Comments and Responses on the Definition of “Health Care Provider”

Comment: We received many comments concerning the kinds of entities that should receive NPIs. Some of these comments recommended that the definition of a “health care provider” be constructed narrowly to restrict the kinds of entities that would be eligible to receive NPIs; others recommended that the definition be constructed broadly. Comments did not reflect a consensus or majority view across all commenters or even within the two groups of commenters who recommended a narrow or a broad definition of “health care provider.”

Commenters favoring a narrow definition of “health care provider” gave the following examples of entities to which NPIs should or should not be issued:

• Only to those licensed to furnish health care.

• Only to individuals and entities that furnish health care.

• Only to billing health care providers.

• Only to licensed health care providers that furnish care, bill, and are paid by third party payers for services.

• Not to physicians who have opted out of government medical programs.

• Not to groups, partnerships, or corporations.

• Not to entities that bill or are paid for health care services furnished by other health care providers. A billing or pay-to entity should be identified by its taxpayer identifying number, not by an NPI.

• Not to clearinghouses, administrative services only vendors, billing services, or health care provider service locations.

Commenters favoring a broad definition of “health care provider” gave the following examples of entities to which NPIs should be issued:

• Any health care provider that has a taxpayer identifying number.

• Any individual or organization, including Independent Practice Associations and clearinghouses, that ever has custody of or transmits a health care claim or encounter record.

• All health care provider groups.

• Each billing health care provider, health care provider billing location, pay-to provider, performing health care provider, health care provider service location, and health care provider specialty.

• Each incorporated individual and “doing business as” name of an organization.

• The lowest organizational level of an entity that needs to be identified.

Response: Although there was no consensus from commenters as to which entities should receive NPIs, several principles can be inferred.

Many commenters who favored a narrow definition of “health care provider” want to simplify the current situation for health care providers; that is, a health care provider may have many health care provider numbers assigned by health plans for different business functions. The health care provider numbers sometimes represent the actual health care provider that furnishes health care, but may also represent the health care provider'sservice locations, corporate headquarters, specialties, pay-to arrangements, or contracts. Those who favored a narrow definition generally believed the NPI should represent only the health care provider that furnishes health care.

Commenters who favored a broad definition of “health care provider” recognized the many business functions and uses in health care transactions fulfilled by health care provider numbers today. These business functions will continue to need to be performed after the implementation of the NPI. In order for the NPI to replace the multiple, proprietary health care provider numbers assigned by health plans today, the NPI must be assigned so that the business functions can continue. Those who favored a broad definition believed that if the NPI is not able to identify the health care provider entities that must be identified in an electronic health care claim or equivalent encounter information transaction, health plans will be forced to continue to use their existing proprietary health care provider numbers and the NPI will add to, rather than replace or simplify, health care provider numbering systems currently in use.

The varying needs for health care provider numbers guided our decisions on which entities would be eligible to receive NPIs. Our general rule is that all health care providers, as we define that term in the regulations, will be eligible to receive NPIs. We discuss this in detail later in this section.

It is important to note that not all health care providers who are eligible to receive NPIs will necessarily be required to comply with the HIPAA regulations. This is because some health care providers are not covered entities under HIPAA. The fact that a health care provider obtains an NPI does not impose covered entity status on that health care provider. Only those entities that (1) meet the definition of health care provider at § 160.103, and (2) transmit health information in electronic form on their own behalf, or that use a business associate to transmit health information in electronic form on their behalf, in connection with a transaction for which the Secretary has adopted a standard (a covered transaction) are health care providers who are required to comply with the HIPAA regulations. These health care providers are covered health care providers and are considered “covered entities” under HIPAA. As noted above, we add a definition of “covered health care provider” at § 162.402.

The following discussion clarifies the eligibility of health care providers to be assigned NPIs and distinguishes between those that are covered entities under HIPAA and those that are not.

“Health care provider” is defined in the regulations at § 160.103 as follows “Health care provider means a provider of services as defined in section 1861(u) of the Act, 42 U.S.C. 1395X(u), a provider of medical or health services as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” Examples of health care providers included in this definition are: Physicians and other practitioners; hospitals and other institutional providers; suppliers of durable medical equipment, supplies related to health care, prosthetics, and orthotics; pharmacies (including on-line pharmacies) and pharmacists; and group practices. Additional examples are health maintenance organizations that may be considered health care providers as well as health plans if they also provide health care.

There are individuals and organizations that furnish atypical or nontraditional services that are indirectly health care-related, such as taxi, home and vehicle modifications, insect control, habilitation, and respite services. These types of services are discussed in the Transactions Rule at 65 FR 50315. As stated in that Rule, many of these services do not qualify as health care services because the services do not fall within our definition of “health care.” An individual or organization must determine if it provides any services that fall within our definition of “health care” at § 160.103. If it does provide those services, it is considered a health care provider and would be eligible for an NPI. If it does not, and does not provide other services or supplies that bring it within the definition of “health care provider,” it would not be a health care provider under HIPAA, and would not be eligible to receive an NPI.

The nonhealth care services of some atypical or nontraditional service providers are reimbursed by some health plans. Nevertheless, there is no requirement under HIPAA to use the standard transactions when submitting electronic claims for these types of services, because claims for these services are not claims for health care. (Health plans, however, are free to establish their own requirements for submitting claims in these circumstances, which means that a health plan could require atypical and nontraditional service providers to submit standard transactions. The health plans could not require these entities to obtain NPIs to use in those transactions, however, because those entities are not eligible to receive NPIs.)

There are other individuals and organizations that, in the normal course of business, bill or receive payment for health care that is furnished by health care providers. These individuals and organizations may include billing services, value-added networks, and repricers. While these entities bill for health care, we do not read the statutory definition of “health care provider” as encompassing them. Rather, they would usually be acting as agents of health care providers in performing the billing function, or as health care clearinghouses assuming that they perform the data translation function described in the definition of “health care clearinghouse” at § 160.103. The definition of “health care clearinghouse” specifically lists these entities as examples of health care clearinghouses. The health care industry does not consider these types of entities to be health care providers. Further, we do not believe that the Congress intended for them to be considered as such, as the statutory definition of “health care provider” refers only to “other person furnishing health care services or supplies” and thus would exclude persons who only bill for, but do not furnish, health care services or supplies. Thus, this final rule does not include billing services and similar entities as health care providers. Therefore, because these kinds of entities are not health care providers, they will not be eligible for NPIs.

Comment: The Workgroup for Electronic Data Interchange (WEDI) commented that the NPI should be the only identifier for health care providers when the HIPAA transactions require provider identification. WEDI suggested that, to the extent provider-payer contracts require locations, location codes, and contract references, these should be handled outside of the NPS. To the extent numbers associated with providers (for example, Taxpayer Identifying Number (TIN) and Drug Enforcement Administration (DEA) number) are required for specific purposes other than provider identification, the HIPAA transactions should accommodate those numbers (and qualifiers) in the appropriate segments of the transactions.

WEDI recommended that:

• Health care providers who are individual human beings obtain one and only one NPI for life;

• Health care providers endeavor to have only one NPI per organization, butthat the final decision on how many NPIs are necessary for an organization health care provider be left to the health care provider; and

• At a minimum, and as the most critical criterion, the NPS data associated with any additional NPIs that an organization decides to obtain must not be identical to those associated with any other NPI in use by the organization.

Some commenters supported our proposal that, if a separate physical location of an organization health care provider, member of a chain, or subpart of an organization health care provider needs to be separately identified, it would be eligible to get a separate NPI. A few commenters stated that different physical locations or subparts of an organization health care provider should not get separate NPIs. One commenter recommended that the NPS issue separate NPIs for separate physical locations, members of a chain, or subparts of an organization health care provider only if these are separately licensed or certified. The commenter believes that the issuance of separate licenses and certifications justifies their recognition as separate health care providers. Another commenter recommended that the NPS issue separate NPIs for these entities if Medicare considers the entities to be separate health care providers. A number of large health plans consider each physical location of a supplier of health care-related supplies to be a separate health care provider in order to uniquely identify it on claims to enable accurate pricing and reimbursement.

Response: We agree in concept with the recommendations made by WEDI.

At the time we published the proposed rule and received public comments on it, the Secretary had not yet adopted standards for any of the HIPAA Administrative Simplification provisions. Since that time, and as noted in section I. D., “Plan for Implementing Administrative Simplification Standards” of this preamble, the Secretary has adopted a number of Administrative Simplification standards, including the Privacy and Security standards. The following discussion describes the assignment of NPIs to certain organization health care providers and the relationship, if any, of the assignment methodology to the standards and implementation specifications adopted in the Privacy and Security Rules.

Many health care providers that are organizations (such as hospitals and chains of suppliers of health care-related supplies, pharmacies, and others) are made up of components or separate physical locations. Many of these components or separate physical locations are separately certified or licensed by States as health care providers.

• Examples of hospital components include outpatient departments, surgical centers, psychiatric units, and laboratories. These components are often separately licensed or certified by States and may exist at physical locations other than that of the hospital of which they are a component. Many health plans consider these components to be health care providers in their own right. Many of these components bill independently of the hospital of which they are a component.

• Organization health care providers that are chains generally have a corporate headquarters and a number of separate physical locations. A durable medical equipment supplier chain, for example, has a corporate headquarters and separate physical locations at which durable medical equipment is dispensed to patients. The separate physical locations are generally separately licensed or certified by States. They often operate independently of each other and usually do their own billing. Many health plans consider each separate physical location to be a health care provider itself; and many of these health plans, including Medicare, reimburse for these items based on the geographic location where the items are dispensed to patients and not on the geographic location of the corporate headquarters.

An entity that meets certain Federal statutory implementation specifications and regulations is eligible to participate in the Medicare program. Our definition of “health care provider” at § 160.103 includes those eligible to participate in Medicare as described in Federal statute (that is, in § 1861(s) and § 1861(u) of the Social Security Act). These entities, according to Federal statute and regulations, must be issued their own identification numbers in order to bill and receive payments from Medicare. The Federal statutes and regulations similarly affect the Medicaid program.

Health care providers that are covered entities (see the definition at § 160.103) are required to comply with this final rule. Thus, while all health care providers (as defined in § 160.103) are eligible to be assigned NPIs and may, therefore, obtain NPIs, health care providers that are covered entities must obtain NPIs. As mentioned earlier in this section, a health care provider that is not a covered entity and which has been assigned an NPI does not become a covered entity as a result of NPI assignment.

We refer to the components and separate physical locations described in the bulleted examples above as “subparts” of organization health care providers.

We use the term “subpart” to avoid confusion with the term “health care component” in the Privacy and Security Rules. We discuss terms and concepts in the Privacy and Security Rules later in this section.

Section 1173(b)(1) of the Act provides that the Secretary “shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers.” This language indicates that Congress realized that certain health care providers operate at multiple locations and/or provide multiple types of health care services, and intended that the identifier standard take these variations in circumstance into account. We accommodate this language by requiring covered health care providers to obtain NPIs for subparts of their organizations that would otherwise meet the tests for being a covered health care provider themselves if they were separate legal entities, and permitting health care providers to obtain NPIs for subparts that do not meet these tests but otherwise qualify for assignment of an NPI. For example, a subpart may qualify for assignment of an NPI based on such factors as the subpart having a location and licensure separate from the organization health care provider of which it is a subpart. Licensure is often indicative of specialty (Healthcare Provider Taxonomy) classification. Thus, the assignment scheme created by this final rule provides flexibility in addressing the varied circumstances of health care providers, as Congress intended.

A “subpart” described in this final rule may differ from a “health care component” described in the Privacy and Security Rules. Therefore, it is appropriate to discuss these concepts and their relationship, if any, to the assignment of NPIs as established by this final rule.

Standards and implementation specifications for the Privacy and Security standards fall under part 164—Security and Privacy, of 45 CFR, whereas the implementation specifications for the standard unique health identifier for health care providers (and for the other identifiers mandated by HIPAA) are within part 162—Administrative Implementation Specifications, of 45 CFR. The broad concepts of ownership, control, and structure of covered entities are relevantto determining the scope of, and defining responsibility for, implementing the Privacy and Security standards; therefore, we addressed those concepts in those rules. On the other hand, the concepts of ownership, control, and structure are of no significant value or importance in determining the health care providers that may be eligible to obtain NPIs, which is why those concepts are not discussed in this final rule.

The term “hybrid entity” is defined in part 164, which is applicable to the Privacy and Security Rules, and may be a factor in determining responsibility for the implementation of the Privacy and Security standards and implementation specifications. It is defined in § 164.103 and is discussed in the Privacy Rule at 65 FR 82502. It is possible that an organization health care provider may be a hybrid entity and, as such, may designate health care components for purposes of implementing the Privacy and Security Rules. It is possible and, indeed, likely that subparts as described earlier in this preamble may be health care components of a hybrid entity. It is also possible that the subparts may not align precisely with the designated health care components. There is no necessary correlation between what is a subpart and what is a health care component, and there need not be because, as stated above, the nature and function of the Privacy and Security standards differ from those of the health care provider identifier standard. The level of assignment of NPIs must be adequate to enumerate entities that meet the definition of “health care provider” at § 160.103. It is, therefore, possible that a designated health care component may in essence be assigned multiple NPIs if the health care component is made up of multiple health care providers or subparts, as described earlier.

The term “organized health care arrangement” is discussed in the Security and Privacy Rules and is defined at § 160.103. It is possible that subparts that are also health care components may elect to come together to form an organized health care arrangement. Whether or not subparts participate in an organized health care arrangement for purposes of implementing the Privacy or Security standards has no effect on their eligibility to be assigned NPIs.

It must be kept in mind, with respect to the subparts as described in this preamble, that the organization health care provider is a legal entity and is the covered entity under HIPAA if it (or a subpart or component) transmits health information in electronic form (or uses a business associate to do so) in connection with a covered transaction. The subparts are simply parts of the legal entity. The legal entity—the covered entity—is ultimately responsible for complying with the HIPAA rules and for ensuring that its subparts and/or health care components are in compliance. The organization health care provider, of which the subpart is a part, is responsible for ensuring that the subpart complies with the implementation specifications in this final rule. The organization health care provider is responsible for determining if its subpart or subparts must be assigned NPIs, as discussed above in this section of the preamble. The organization health care provider is also responsible for applying for NPIs for its subparts or for instructing its subparts to apply for NPIs themselves. (That is, it is not necessary that an application for an NPI be made by the organization health care provider on behalf of its subpart.)

Comment: Some commenters expressed concern that the professional claim or equivalent encounter information transaction be able to accommodate address or location information associated with billing, pay-to, and furnishing health care providers.

Response: The ASC X12N 837 Health Care Claim: Professional, adopted in the Transactions Rule, accommodates addresses for all these entities.

Comment: Some commenters stated their desire for an identifier to represent each service address, for the purpose of reporting the location of service on a professional health care claim.

Response: We believe that the location of service can properly be reported by use of data elements in the standard professional health care claim or equivalent encounter information transaction. The address where service was furnished (if different from the billing or pay-to provider's address and if not at the patient's home) is accommodated in the X12N 837 Professional Claim in the Service Facility Location loop. For these reasons, we do not believe a health care provider identifier needs to be assigned to every address at which a service can be provided. If health plans need service location data in addition to the data that are accommodated in the standard health care claim transaction, they should notify the organization responsible for that transaction (see§ 162.910 and § 162.1102).

Comment: Several commenters named specific kinds of practitioners or entities that should be eligible to receive NPIs. These commenters cited practitioners who write prescriptions, home health housekeepers, long-term care providers, providers of home health services, meals on wheels, and transportation.

Response: Entities that do not furnish health care, and do not meet the definition of health care provider, will not be eligible to receive NPIs. A title does not necessarily indicate that an entity does or does not furnish health care. Entities who are unsure as to whether they are health care providers should check the definition of “health care” in § 160.103 to determine whether the kinds of services they furnish are health care services.

Comment: Some commenters stated that billing services should not receive NPIs. None of these commenters gave a definition or criteria to distinguish billing services from entities that would be eligible to be assigned NPIs. Other commenters stated that these definitions and criteria would be difficult to apply.

Response: As stated earlier in this section, billing services do not meet our regulatory definition of health care provider and, therefore, will not be eligible for NPIs. Generally, the health care provider that furnished health care is the “Billing provider” on the X12N 837 transaction and would identify itself with an NPI. If a billing service needs to be identified as the “Billing provider,” it would identify itself with either an Employer Identification Number (EIN) or a Social Security Number (SSN).

Comment: Several commenters noted that the term “medical care” in our descriptions of individual and organization health care providers should be replaced with the term “health care.” They were concerned that one could construe “medical care” to mean only care that was physician-supplied or physician-authorized.

Response: We agree with the comment and have replaced the term “medical care” with “health care” in our discussion of individual and organization health care providers.

Comment: A majority of commenters stated that the NPS should not distinguish between organization health care providers and group health care providers. The NPS should collect the same data for both. A few other commenters suggested a definition for group, but did not suggest that different data should be collected for a group health care provider than for an organization health care provider.

Response: As described in the proposed rule (at 63 FR 25325), group health care providers are entities composed of one or more individuals (members), generally created to provide coverage of patients' needs in terms of office hours, professional backup andsupport, or range of services resulting in specific billing or payment arrangements. Organization health care providers are health care providers who are not individual health care providers (that is, health care providers who are human beings). Examples of organization health care providers are hospitals, pharmacies, and nursing homes. For purposes of this rule, we consider group health care providers to be organization health care providers. There is additional information about these health care providers in section II.C.1.(d) of this preamble.

We agree with the majority of commenters that the NPS should collect the same data for group and organization health care providers. Because the same data are collected, there is no need for separate definitions of group and organization health care providers for NPI enumeration purposes.

Comment: Several commenters suggested that an NPI suffix or sub-identifier (sub-ID) be used to identify physical locations or subparts of a health care provider. Two commenters suggested that we explore the need for an electronic data interchange (EDI) identifier for transaction routing.

Response: We considered allowing each health care provider, if it so chose, to establish sub-IDs under its NPI. The health care provider might use the sub-IDs for different physical locations, subparts, EDI transaction routing, or other purposes. We decided not to establish sub-IDs because our decisions regarding which entities would be eligible to receive NPIs (including separate physical locations and subparts of certain kinds of organization health care providers) obviate the need for them. Sub-IDs may be useful as a later implementation feature that would support EDI routing or other purposes. We will consider an expansion at a later time to include them, if we determine that they would be beneficial.

Comment: Many commenters stated that all health care providers should be able to obtain NPIs, whether they conduct health care transactions electronically or on paper. Some commenters stated that health care providers that do not conduct any of the transactions named in HIPAA should be able to obtain NPIs.

Response: All health care providers—as we define that term—may obtain NPIs. Only covered health care providers are required to obtain and use NPIs in standard transactions.

Comment: Many commenters stated that NPIs should be mandatory for paper and fax transactions, as well as electronic.

Response: In the May 7, 1998, proposed rule, we did not propose to apply this standard to paper transactions. Therefore, we focus on standards for electronic transactions. Most of the paper forms currently in use today cannot accommodate all of the data content included in the standard transactions. This does not prevent health plans from requiring for paper transactions the same data, including identifiers, as are required by the HIPAA regulations for electronic transactions.

Final Provisions (§ 160.103)

As defined by section 1171(3) of the Act, a “health care provider” is a provider of services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies. Section 160.103 defines “health care provider” as the statute does and clarifies that the definition of a “health care provider” includes any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Section 1173(b)(1) of the Act requires the Secretary to adopt standards providing for a standard unique health identifier for each health care provider, and to take into account multiple uses, locations, and specialty classifications for health care providers. All health care providers who meet our definition of “health care provider” at § 160.103, regardless of whether they conduct transactions electronically or on paper or conduct any covered transactions will be eligible to apply for health care provider identifiers.

We define “covered health care provider” at § 162.402. Subparts of organization health care providers, as described earlier in this section, may be assigned NPIs.

Registered nurses, dental hygienists, and technicians are examples of entities who furnish health care but who do not necessarily conduct covered transactions. They are eligible to receive NPIs because they are health care providers.

We define two categories of health care providers for enumeration purposes. A data element, the “Entity type code,” in the NPS record for each health care provider will indicate the appropriate category.

• NPIs with an “Entity type code” of 1 will be issued to health care providers who are individual human beings. Examples of health care providers with an “Entity type code” of 1 are physicians, dentists, nurses, chiropractors, pharmacists, and physical therapists.

• NPIs with an “Entity type code” of 2 will be issued to health care providers other than individual human beings, that is, organizations. Examples of health care provider organizations with an “Entity type code” of 2 are: hospitals; home health agencies; clinics; nursing homes; residential treatment centers; laboratories; ambulance companies; group practices; health maintenance organizations; suppliers of durable medical equipment, supplies related to health care, prosthetics, and orthotics; and pharmacies.

Entities that participate in the Medicare program and many that participate in the Medicaid program are eligible for NPIs. (Note, however, our discussion of atypical and nontraditional service providers earlier in this section.) Many subparts of organization health care providers (as discussed earlier in this section) are eligible to be assigned NPIs, and an NPI must be obtained for, or by, them if they would be considered a covered health care provider if they were a separate legal entity. By definition, subparts are not themselves legal entities; the legal entity is the organization health care provider of which they are a subpart. Organization health care provider subparts—because they too are organizations—will be issued NPIs with “Entity type code” of 2.

We do not consider individuals who are health care providers (that is, they meet our definition of “health care provider” at § 160.103) and who are members or employees of an organization health care provider to be “subparts” of those organization health care providers, as described earlier in this section. Individuals who are health care providers are legal entities in their own right. The eligibility for an “Entity type code 1” NPI of an individual who is a health care provider and a member or an employee of an organization health care provider is not dependent on a decision by the organization health care provider as to whether or not an NPI should be obtained for, or by, that individual. The eligibility for an “Entity type code 1” NPI of a health care provider who is an individual is separate and apart from that individual's membership or employment by an organization health care provider. If such an individual is a covered health care provider, he or she is required to obtain an NPI. An example of the above discussion is a physician who is a member of a group practice. Both are health care providers and, therefore, both may apply for NPIs, but the physician would receive an“Entity type code 1” NPI, while the group practice would receive an “Entity type code 2” NPI. If either is a covered health care provider, that covered health care provider must apply for an NPI.

“Entity type code” determinations will be made according to the following:

• An individual human being furnishes health care. The described individual is a health care provider and will be assigned an NPI with an “Entity type code” of 1.

• An organization furnishes health care. The described organization is a health care provider and will be assigned an NPI with an “Entity type code” of 2.

• An organization health care provider subpart, as described earlier in this section, is a health care provider and will be assigned an NPI with an “Entity type code” of 2.

Hereafter in this preamble, we include these subparts in our references to health care providers unless there is a reason to distinguish them.

An NPI will be used to identify the health care provider on a health care claim or equivalent encounter information transaction. If an organization health care provider consists of subparts that are identified with their own unique NPIs, a health plan may decide to enroll none, one, or a limited number of them (and to use only the NPI(s) of the one(s) it enrolls). A health plan may not require a health care provider or a subpart of an organization health care provider that has an NPI to obtain another NPI for any purpose. Links among the various NPI types may be made and maintained by health plans and other users of the NPS data, but will not be maintained in the NPS.

The data to be collected by the NPS for health care providers are described in section II. C. 2. of this preamble, “Data Elements and Data Dissemination.” The NPS will capture data elements for health care providers with an “Entity type code” of 1 (individuals) that are different from those that it will capture for those with an “Entity type code” of 2 (organizations) because the data available to search for duplicates (for example, date and place of birth) are different. The NPS will ensure the uniqueness of the NPI by assigning only one NPI to a health care provider with a distinct string of data in the NPS. The NPS will contain the kinds of data necessary to adequately categorize each entity to which it assigns an NPI. An NPI will be a lasting identifier for the health care provider to which it has been assigned. For health care providers with an “Entity type code” of 1, the NPI will be a permanent identifier, assigned for life, unless circumstances justify deactivation, such as a health care provider who finds that his or her NPI has been used fraudulently by another entity. In that situation, the health provider can apply, and will be eligible, for a new NPI, and the previously assigned NPI will be deactivated. For health care providers with an “Entity type code” of 2, the NPI will also be considered permanent, except in certain situations such as when a health care provider does not wish to continue an association with a previously used NPI, or when a health care provider's NPI has been used fraudulently by another. In those situations, the health care provider that holds the NPI can apply, and be eligible for, a new NPI, and the previously assigned NPI will be deactivated. A new NPI will not be required for change of ownership, change from partnership to corporation, or change in the State where an organization health care provider is incorporated; indeed, ownership and incorporation information will not be contained in the NPS. A new NPI will not be required when there is a change in an organization health care provider's name, Employer Identification Number, address, Healthcare Provider Taxonomy classification, State of licensure, or State license number. Instead, the health care provider will supply that information to the NPS and the data in the NPS about these entities will be updated. After a corporate merger, the surviving organization may continue to use its NPI. A health care provider's NPI will not be deactivated if that health care provider is sanctioned or barred from one or more health plans. When an organization health care provider is disbanded, the organization health care provider's NPI will be deactivated. If a previously deactivated organization health care provider is later reactivated, its previous NPI will be reactivated.

3. NPI Standard

Proposed Provisions (§ 142.402(a))

The May 7, 1998, proposed rule (at 63 FR 25328) described our proposal for the standard health care provider identifier. We proposed the NPI standard as an 8-position alphanumeric identifier. It would include as the 8th position a numeric check digit to assist in identifying erroneous or invalid NPIs. The check digit would be a recognized International Standards Organization (ISO) standard. The check digit algorithm would be computed from an all-numeric base number. Therefore, any alpha characters that may be part of the NPI would be translated to a specific numeric before the calculation of the check digit. The NPI format would allow for the creation of approximately 20 billion unique identifiers. It would be an intelligence-free identifier. In the May 7, 1998 proposed rule, we also proposed the type of data included in the file containing identifying information for each health care provider.

In addition to the description of the NPI standard, this section of the May 7, 1998, proposed rule discussed several other points on which we received comments:

We noted that we proposed the 8-position alphanumeric format rather than a longer numeric-only format in order to keep the identifier as short as possible while providing for an identifier pool that would serve the industry's needs for a long time.

We listed selection criteria for the standard and discussed candidate identifiers, including the National Association of Boards of Pharmacy number, the Social Security Number, and the Employer Identification Number.

We noted that the USA Registration Committee approved the NPI as an International Standards Organization card issuer identifier in August 1996 for use on standard health identification cards.

Comments and Responses on the NPI Standard

Comment: Several commenters on the format of the NPI expressed general support for our proposal or specific support for an 8-position alphanumeric identifier. Very few of these commenters gave a reason for support of the 8-position alphanumeric format. A strong majority of commenters recommended instead that the NPI be a 10-position numeric identifier, because a 10-position identifier would yield an adequate pool of identifiers and would not exceed the length permitted for identifiers in the standard transactions proposed under HIPAA. A few other commenters recommended a 9-position numeric identifier. Several commenters who favored a numeric identifier stated that if additional capacity for NPIs were needed in the future, additional numeric digits should be added at that time. Commenters who preferred a numeric identifier were very specific in listing its advantages. They stated that a numeric identifier—

• Is more quickly and accurately keyed in data-entry applications;

• Is more easily used in telephone keypad applications;

• Does not require translation before application of the check digit algorithm,and thus uses the full ability of the check digit algorithm to detect keying errors;

• Is compatible with ISO identification card standards for a card issuer identifier (discussed below), while an alphanumeric identifier is not; and

• Will require less change for systems that currently use a numeric identifier.

Response: We find the stated advantages of a 10-position numeric identifier convincing. We have revised proposed § 142.402 (now § 162.406(a)) to provide that the NPI will be a 10-position numeric identifier, with the 10th position being an ISO standard check digit. The use of a 10-digit numeric NPI and our initial assignment strategy will allow for 200 million unique NPIs. We estimate 200 million NPIs would last approximately 200 years, allowing for health care provider growth, as discussed later in the preamble of this final rule in section V.D., “Specific Impact of the NPI.” If additional capacity for NPIs is needed in the future, additional numeric digits will be added to the identifier at that time. A modification to the NPI format would be accomplished through rulemaking. A 10-position numeric identifier is specified in § 162.406(a).

Comment: Some commenters asked that we clarify how the NPI would appear when used as a card issuer identifier on a standard health care identification card. Commenters also asked that we clarify any modification made to the check digit algorithm to allow the NPI to be used as a card issuer identifier.

Response: In December 1997, an American National Standard for a Uniform Healthcare Identification Card was approved by the National Committee for Information Technology Standards (NCITS), which is a standards-developing organization accredited by the American National Standards Institute. The specification for this standard, NCITS.284, is available from the American National Standards Institute, 11 West 42nd Street, New York, New York 10036. One identifier field on the standard health care identification card is the card issuer identifier. A card issuer identifier is an identifier for an entity that issues a health care identification card. In most cases, the entity issuing a health care identification card would be a health plan; in some cases, however, the entity could be a health care provider. We note that, under HIPAA, health care providers are neither required to issue health care identification cards, nor to use the NCITS.284 standard card. The NCITS.284 standard requires that the first five digits of the card issuer identifier be “80840,” where the initial two digits, 80, signify health applications, the next three digits, 840, signify United States. The remainder of the card issuer identifier identifies the entity that issued the card. In August 1996, the USA Registration Committee, a standards-developing organization accredited by the American National Standards Institute, approved the NPI as an identifier for a card issuer for use on a standard health care identification card. If the NPI is used to identify the card issuer on a card that complies with NCITS.284, the card issuer identifier would consist of 15 positions as follows: “80840,” signifying health applications in the United States, followed by the 10-position NPI (the 9-position identifier portion of the NPI, followed by the NPI check digit).

We note that the initial five digits “80840” would be required with the NPI only when the NPI is used as a card issuer identifier on a standard health care identification card. However, in order that any NPI could potentially be used as a component of the card issuer identifier on a standard health care identification card, the NPI check digit calculation must always be performed as though the NPI is preceded by “80840.” This is easily accomplished by including a constant in the check digit calculation when the NPI is used without this prefix. The NPI check digit is calculated using the ISO standard Luhn check digit algorithm, a modulus 10 “double-add-double” algorithm. The specification for calculation of the NPI check digit will be made available on the CMS Web site (http://www.cms.hhs.gov). The specification will explain how to compute the check digit and how to verify an NPI using the check digit, both when the “80840” prefix is present and when it is not.

Comment: A strong majority of commenters supported our proposal that the NPI be intelligence-free. A few commenters stated that an intelligence-free identifier would not meet their needs because their systems use the facility provider type, which is coded as part of the identifier in some current systems.

Response: If the NPI were to include intelligence, that is, coded information about the health care provider, as part of the identifier, a new NPI would have to be issued any time the coded information about the health care provider changed. This would undermine the lasting nature of the NPI. For this reason we agree with the large majority of commenters that the NPI not contain intelligence about the health care provider.

Comment: A small number of commenters stated that the Taxpayer Identifying Number (TIN) should be selected, or reconsidered, as the standard unique health identifier for health care providers.

Response: The TIN is the identifier under which the health care provider reports a United States tax return to the Internal Revenue Service (IRS). It can be an SSN, assigned by the Social Security Administration, or an IRS Individual Taxpayer Identification Number (ITIN), assigned by the IRS, or an EIN, assigned by the IRS. A large number of commenters on the “Data” section of the May 7, 1998, NPI proposed rule stated their opposition to dissemination of the SSN except in strictly controlled situations that fully comply with the Privacy Act. Use of the SSN or the TIN as the standard unique health identifier for health care providers would require the wide dissemination and use of the SSN or TIN in the HIPAA transactions under conditions that would not be protected by the Privacy Act. The majority of commenters did not support the use of the SSN as the standard unique health identifier for health care providers for individuals.

Comment: The National Council for Prescription Drug Programs requested that we make several clarifications regarding our reference to the National Association of Boards of Pharmacy (NABP) number, which we discussed as a candidate identifier in the May 7, 1998, proposed rule.

Response: As requested, we note that the NABP number has been renamed the National Council for Prescription Drug Programs (NCPDP) Provider Number. In 1997, the NCPDP and the NABP mutually severed the contract made in 1977. The NCPDP has full responsibility for maintenance of the pharmacy file. The NCPDP Provider Number is issued solely by NCPDP. All references to the NABP number should be changed instead to the NCPDP Provider Number.

Comment: A small number of commenters stated that the proposed NPI would not meet one or more of the selection criteria for standards or would not be consistent with the law because it would not reduce the administrative costs of providing and paying for health care. These kinds of comments cited the high costs of developing and operating a new system for health care provider enumeration.

Response: Elsewhere in this preamble, we discuss how the collection of health care provider data and the enumeration of health care providers can be satisfactorily accomplished with the NPI and how those associated costs can be kept to a minimum. We acknowledgethat organizations will incur costs in the move to a standard enumeration process. After the initial implementation, however, we believe that the costs will diminish significantly, and that long-term use of a standard identifier will be cost-effective.

Final Provisions (§ 162.406(a))

We are adopting the NPI format of an all-numeric identifier, 10 positions in length, with an ISO standard check-digit in the 10th position (§ 162.406(a)). The NPI will not contain intelligence about the health care provider. This format and our assignment strategy will allow for at least 200 million unique NPIs.

4. Effective Date and Compliance Dates

Proposed Provisions (§ 142.410)

The May 7, 1998, proposed rule proposed the compliance dates for the standard unique health identifier for health care providers.

The May 7, 1998, proposed rule proposed that:

• Each health plan that is not a small health plan must comply with the requirements of § 142.104 and § 142.404 by 24 months after the effective date of the final rule.

• Each small health plan must comply with the requirements of § 142.104 and § 142.404 by 36 months after the effective date of the final rule.

• Each health care clearinghouse and health care provider must begin using the NPI by 24 months after the effective date of the final rule.

Comments and Responses on Effective Date and Compliance Dates

Comment: An overwhelming number of commenters requested that there be an extended period of time between the publication of the NPI final rule and the date the implementation period for the NPI would begin. Commenters stated that their resources were fully committed to millennium issues and that those resources could not be used to address the numerous changes needed to implement the NPI until after the millennium work was satisfactorily completed. Some commenters asked that we publish the final rule on Standards for Electronic Transactions before any of the other rules.

Response: Work on the millennium is complete. Many commenters are undoubtedly expending resources at this time in implementing the HIPAA Privacy Rule (65 FR 82462 and 67 FR 53182), the Transactions Rule (65 FR 50312 and 68 FR 8381), the Security Rule (68 FR 8334) and the Employer Identifier Rule (67 FR 38009). The reader should note that we published the Transactions Rule (65 FR 50312) before any of the other HIPAA final rules. The National Provider System (NPS) will be a large, complex system. Its development cannot be finalized until publication of this final rule. The NPS must operate efficiently and be capable of performing many operations. It must undergo testing to ensure proper operation of all functions and must pass a variety of stress tests. To ensure adequate time for completion of system development and testing, we set the effective date of this final rule to be 16 months after publication in the Federal Register. Covered entities will need to be in compliance no later than 24 months after the effective date (36 months for small health plans). While the purpose of this extended effective date is to allow HHS sufficient time for NPS development and testing, it will also permit health care entities sufficient time to accommodate changes needed in order to implement the NPI.

Final Provisions (§ 162.404)

We set the effective date and compliance dates as follows:

a. Effective date of this final rule. The effective date of the NPI is May 23, 2005. The effective date of this final rule marks the beginning of the implementation period for the NPI.

b. Compliance dates of the NPI. We adopt the requirement that covered entities (except small health plans) must obtain an NPI and must use the NPI in standard transactions no later than May 23, 2007. Small health plans must do so no later than May 23, 2008.

If the Secretary adopts a modification to this standard, the compliance date of the modification would be no earlier than the 180th day following the adoption of the modification. The Secretary would determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. The Secretary would be able to extend the time for compliance with any modification by small health plans by rulemaking, if he determines that an extension is appropriate.

5. Implementation Specifications for Health Care Providers, Health Plans, and Health Care Clearinghouses

Proposed Provisions (§ 142.404, § 142.406, and § 142.408)

In section II. E., “Requirements,” of the preamble of the May 7, 1998, proposed rule (63 FR 25330), we discussed the requirements that health plans, health care clearinghouses, and covered health care providers would have to meet in implementing the NPI. The proposed regulation text, in § 142.404, stated that health plans would be required to accept and transmit, directly or through a health care clearinghouse, the NPI on all standard transactions wherever required. The proposed regulation text, in § 142.406, stated that health care clearinghouses would be required to use the NPI wherever a standard electronic transaction requires it.

The preamble of the May 7, 1998, proposed rule (63 FR 25330) states: “In § 142.408, Requirements: Health care providers, we would require each health care provider that needs an NPI for HIPAA transactions to obtain, by application if necessary, an NPI * * *” Section 142.408(a) of the proposed regulation text states: “Each health care provider must obtain, by application if necessary, a national provider identifier.” The text of the proposed rule states, in § 142.408(c): “Each health care provider must communicate any changes to the data elements in its file in the national provider system to an enumerator of national provider identifiers within 60 days of the change.”

Comments and Responses on Requirements for Health Care Providers, Health Plans, and Health Care Clearinghouses

We believe that the Congress intended that each health care provider be eligible for an NPI and intended to authorize the Secretary to require covered health care providers to obtain one. HIPAA requires the adoption of a standard unique health identifier for health care providers and directs the Secretary to specify the purposes for which the identifier may be used. The statute sets forth the maximum amount of time by which all covered entities must comply with the standards, leaving discretion to the Secretary to designate compliance dates (within the limitations of the law). We proposed in the May 7, 1998, proposed rule, and require in this final rule, that covered entities must be in compliance with the standards no later than 2 years (3 years for small health plans) from the effective date of the regulation. Thus, as of the compliance date, a covered health care provider must have obtained and begun to use an NPI.

Comment: Some commenters recommended that all data about a health care provider in the NPS be required to be updated; others stated that only certain data elements should be required to be updated. Most indicated that data needed for unique identification should be kept current.

Response: In the proposed rule, the NPS was proposed to include many data elements that we have since decided not to include. (See section II. C. 2. of this preamble, “Data Elements and Data Dissemination.”) We have decided that the NPS will consist entirely of data elements about a health care provider that are needed for administrative (communications) purposes and for the unique identification of the health care provider. We believe it is appropriate and necessary for the health care providers to notify the NPS of changes in their required NPS data, but, given limits on our statutory authority, we can require such notification only of covered health care providers.

Comment: We received many comments concerning the length of time a health care provider should be allowed before it must notify the NPS of changes to its NPS data. Most commenters thought that the 60-day period was too long and believed a 15-to-30-day period was more appropriate.

Response: The May 7, 1998, proposed rule at § 142.408(c) proposed 60 days to allow reasonable flexibility in the time required for a health care provider to complete a paper form (the NPI application/update form) containing the update(s) and forward it to the NPS. We will attempt to design the NPS to be responsive and easy to use. We will consider a design that will allow a health care provider (or possibly a health care provider's authorized representative (see section II. B. 2., “Health Care Provider Enumeration,” of this preamble)) to communicate the health care provider's changes directly into the NPS over the Internet, using a secure Web-based transaction. A paper form (the NPI application/update form) will be developed for this same purpose and will be available from the NPS and from the CMS Web site (http://www.cms.hhs.gov) for use by health care providers. We realize that many health care providers may prefer to send electronic updates if the capability exists. According to the majority of commenters, health care providers should be required to communicate changes in their NPS data in far less than 60 days. We agree. Therefore, we adopt in this final rule a requirement that covered health care providers notify the NPS of changes in their required NPS data within 30 calendar days of the changes (§ 162.410(a)(4)).

Comment: Several commenters indicated that health plans will need to know about changes in health care provider information. Commenters did not believe it would be fair for health care providers to have to notify both the NPS and the health plans in which they are enrolled of changes.

Response: We agree that health plans will need to know of changes in the data associated with their enrolled health care providers. Most health plans collect more information about a health care provider than the NPS will collect. Therefore, we expect that health plans will still require health care providers to notify them of changes in this information. The NPS will have the capability to provide listings or reports of changes in NPS data in accordance with section II. C. 2. of this preamble, “Data Elements and Data Dissemination.”

Comment: Several commenters stated that the NPS should be required to apply updates within a specified period of time after receipt of the updated information from a health care provider.

Response: We expect that the update process will be designed in a way that will allow the system to process updates within a reasonable timeframe (for example, 10 business days from receipt). The volume of updates at any given time may impact system performance. If changes are unable to be made (for example, the health care provider furnishing updates does not appear to match any health care provider in the NPS), the health care provider will receive a message that will indicate why the NPS is unable to update the record. The message will request that the problem be resolved and the information be resubmitted.

Comment: Several commenters asked if health plans should take any action to notify the NPS of changes to health care provider data if they become aware of these changes.

Response: Although health plans would not be required to provide information to the NPS to update health care provider data, we encourage health plans to instruct and remind their enrolled health care providers to notify the NPS of changes in their data.

Comment: There were numerous comments about penalties for non-use of the NPI:

• If NPIs could not be assigned to covered health care providers before the compliance date for those health care providers, and sufficiently ahead of that time to enable the health care providers to be capable of using the NPI in standard transactions, penalties should not be enforced for nonuse of the NPI.

• Sufficient time should elapse to ensure adequate experience in using the NPI before penalties are assessed.

• Financial penalties for noncompliance should not be assessed until 1 year after the NPI compliance dates.

• The method of enforcing compliance with the standard should be made public.

• The penalties for nonuse of a single standard and nonuse of multiple standards should be clarified.

• When noncompliance forces nonpayment, the entity expecting payment will resolve the issue.

Response: NPIs will be assigned to health care providers as quickly as possible and within the parameters of the performance criteria that are in effect. (See earlier comment and response for additional information.) HHS is preparing, and has issued in part, a separate regulation on enforcement of the HIPAA standards. This regulation is expected to address all but perhaps the last concern of these commenters. The regulation cannot place requirements on entities that are not covered entities, and the entities involved in the situation described in the last bullet may not be covered entities.

Comment: Many commenters suggested that (1) health care providers not be required to use the NPI within the first year after the effective date of its adoption, although willing trading partners could use the NPI by mutual agreement at any time after the effective date; and (2) health plans should give their health care providers at least 6 months' notice before requiring them to use the NPI.

Response: Upon the effective date of the adoption of this standard (which will be 16 months after the date it is published), health care providers may apply for NPIs. Covered entities (except for small health plans) must begin using the NPI in standard transactions no later than 24 months after the effective date. (Small health plans have 36 months to begin using NPIs.) These are statutory requirements that we have incorporated into this final rule. We believe these timeframes enable more than sufficient time for covered health care providers to become aware of their responsibilities under this final rule, to apply for and be assigned their NPIs, and to complete work needed to begin using their NPIs. Applying for an NPI up to 18 months after the effective date of the adoption of this standard will still give health care providers 6 months before the statutory compliance date arrives. We encourage health plans to give health care providers 6 months' notice before requiring them to use NPIs; however, we do not require that action by the health plans. How soon health care providers could use NPIs would depend on when they obtained the NPIs, and health plans have no direct control over that action.We encourage all parties to work together to ensure a smooth transition.

Final Provisions (§ 162.410, § 162.412, § 162.414)

All health care providers are eligible for NPIs.

We require each covered health care provider to obtain an NPI from the NPS, by application if necessary, for itself and for its subparts, if appropriate, and to use its NPI in standard transactions. Covered health care providers must disclose their NPIs to other entities that need those health care providers' NPIs for use in standard transactions. Covered health care providers must communicate to the NPS any changes in their required data elements within 30 days of the change. If covered health care providers use business associates to conduct standard transactions on their behalf, they must require their business associates to use NPIs appropriately as required by the transactions the business associates conduct on its behalf.

Situations exist in which a standard transaction must identify a health care provider that is not a covered entity. An organization health care provider subpart may need to be identified in a standard transaction but the organization health care provider may not be required to obtain an NPI for the subpart. A noncovered health care provider may or may not have applied for and received an NPI. In the latter case, and in the case of the subpart described above, an NPI would not be available for use in the standard transaction. We encourage every health care provider to apply for an NPI, and encourage all health care providers to disclose their NPIs to any entity that needs that health care provider's NPI for use in a standard transaction. Obtaining NPIs and disclosing them to entities so they can be used by those entities in standard transactions will greatly enhance the efficiency of health care transactions throughout the health care industry. If subparts are assigned NPIs, the covered health care provider must ensure that the subpart's NPI is disclosed, when requested, to any entity that needs to use the subpart's NPI in a standard transaction.

Here are examples that illustrate the desirability for a health care provider that is not required to be enumerated to obtain and disclose an NPI:

(1) A pharmacy claim that is a standard transaction must include the identifier (which, as of the compliance date, would be the NPI) of the prescriber. Therefore, the pharmacy needs to know the NPI of the prescriber in order to submit the pharmacy claim. The prescriber may be a physician or other practitioner who does not conduct standard transactions. The prescriber is encouraged to obtain an NPI so it can be furnished to the pharmacy for the pharmacy to use on the standard pharmacy claim.

(2) A hospital claim is a standard transaction and it may need to identify an attending physician. The attending physician may be a physician who does not conduct standard transactions. The physician is encouraged to obtain an NPI so it can be furnished to the hospital for the hospital to use on the standard institutional claim.

In the examples above, the NPI of a health care provider that is not a covered entity is needed for inclusion in a standard transaction. The absence of NPIs when required in those claims by the implementation specifications may delay preparation or processing of those claims, or both. Therefore, we strongly encourage health care providers that need to be identified in standard transactions to obtain NPIs and make them available to entities that need to use them in those transactions.

Under § 162.410 (Implementation specifications: Health care providers), we require each covered health care provider to:

• Obtain from the NPS, by application if necessary, an NPI for itself and, if appropriate, for its subparts.

• Use the NPI it obtained from the NPS to identify itself in all standard transactions that it conducts where its health care provider identifier is required.

• Disclose its NPI, when requested, to any entity that needs the NPI to identify that health care provider in a standard transaction.

• Communicate to the NPS any changes to its required data elements in the NPS within 30 days of the change.

• If it uses one or more business associates to conduct standard transactions on its behalf, require its business associate(s) to use its NPI and the NPIs of other health care providers appropriately as required by the transactions the business associate(s) conducts on its behalf. (For example, a claim for a laboratory service will require the NPI of the laboratory and may also require the NPI of the referring physician. If a business associate prepares the laboratory claim, the business associate must use the laboratory's and the referring physician's NPIs. If the business associate does not already know the NPI of the referring physician, it may have to contact the referring physician to obtain his or her NPI.)

• If it has been assigned NPIs for one or more subparts, comply with the above requirements with respect to each of those NPIs.

Under § 162.412 (Implementation specifications: Health plans), we require health plans to: use the NPI of any health care provider (including subparts of organization health care providers) that has been assigned an NPI to identify that health care provider (or subpart) in all standard transactions where the health care provider's (or subpart's) identifier is required. Health plans may not require health care providers that have been assigned NPIs to obtain additional NPIs.

Under § 162.414 (Implementation specifications: Health care clearinghouses), we require health care clearinghouses to use the NPI of any health care provider (including subparts of organization health care providers) that has been assigned an NPI to identify that health care provider (or subpart) in all standard transactions where that health care provider's (or subpart's) identifier is required.

B. Implementation of the NPI

1. The National Provider System

Proposed Provisions (§ 142.402)

The May 7, 1998, proposed rule (at 63 FR 25331) described the National Provider System (NPS) as a central electronic enumerating system. The system would be a comprehensive, uniform system for identifying and uniquely enumerating health care providers at the national level. The Department of Health and Human Services (HHS) would exercise overall responsibility for oversight and management of the system.

Comments and Responses on the National Provider System

We did not receive comments specific to our description of the NPS. However, commenters were emphatic that the NPS be fully tested before it began assigning NPIs, and that the system ensure that the same NPI would not be issued to more than one health care provider. Commenters also suggested that an option be made available by which health care providers could apply for NPIs electronically in lieu of completing a paper application form. This comment is addressed in section II. B. 2. of this preamble, “Health Care Provider Enumeration.”

Final Provisions (§ 162.408(a))

NPIs will be assigned to health care providers by the NPS, which will be a central electronic enumerating system operating under Federal direction. TheNPS will uniquely identify and enumerate health care providers at the national level. The NPS may enumerate subparts of organization health care providers.

The NPS will be designed to be easy to use. The design will employ the latest technological advances wherever feasible for capturing health care provider data and making information available to users. This is discussed in section II. C. 2. of this preamble, “Data Elements and Data Dissemination.”

HHS will exercise overall responsibility for oversight and management of the NPS. The NPS will include a database that will store the identifying and administrative information about health care providers that are assigned NPIs. The data elements comprising the NPS are described and listed in section II. C. 2. of this preamble, “Data Elements and Data Dissemination.”

Identifying and uniquely enumerating health care providers for purposes of the NPI is separate from the process that health plans follow in enrolling health care providers in their health programs. The NPS will assign NPIs to health care providers. However, the assignment of the NPI will not eliminate the process that health plans follow in receiving and verifying information from health care providers that apply to them for enrollment in their health programs.

Health care providers will submit applications for NPIs to HHS. As health care provider data are entered into the NPS from the application, the NPS will check the data for consistency, standardize addresses, and validate the Social Security Number (SSN) if the individual applying for an NPI provides it; the NPS will validate the date of birth only if the SSN is validated. (If a health care provider chooses not to furnish his or her SSN when applying for an NPI, the assignment of an NPI to that health care provider may be delayed and additional information may be requested from that health care provider in order to establish uniqueness.) If the NPS encounters problems in processing the application, appropriate messages will be communicated to the applicant. If problems are not encountered, the NPS will then search its database to determine whether the health care provider already has an NPI. If a health care provider has already been issued an NPI, an appropriate message will be communicated. If not, an NPI will be assigned. If the health care provider is similar (but not identical) to an already-enumerated health care provider, the situation will be investigated. Once an NPI is assigned, the health care provider will be notified of its NPI.

2. Health Care Provider Enumeration

In section III of the preamble of the May 7, 1998, NPI proposed rule, “Implementation of the NPI” (at 63 FR 25331), we asked for comments on the entity or entities that would be responsible for assigning NPIs to health care providers. We explained that the HIPAA legislation did not contain a specific funding mechanism for activities related to enumeration. We asked for comments on how the enumeration activity and the NPS itself could be funded, and how the costs of enumeration could be kept as low as practicable. We presented two options for the enumeration of health care providers: (1) All health care providers, except existing Medicare providers, would be enumerated by a single entity. Existing Medicare providers would automatically be enumerated and would not have to apply for NPIs; (2) Federal health plans and Medicaid would enumerate their enrolled health care providers, and a federally-directed registry would enumerate all remaining health care providers. We also presented a phased approach to enumeration and requested public comment on it. In the phased approach, we proposed that enumeration would occur in the following order: (1) Medicare providers; (2) Medicaid, other Federal providers, and health care providers that do not conduct business with Federal health plans or Medicaid but that do conduct electronically any of the transactions specified in HIPAA; and (3) all remaining health care providers. The May 7, 1998, proposed rule also stated that phase three would not begin until phases one and two were completed.

Comments and Responses on Provider Enumeration

Comment: Several commenters stated that it would cost more than our estimate of $50 to enumerate a health care provider; others believed our estimate of $50 to be reasonable. Some commenters pointed out that Federal and Medicaid health plans do not maintain all of the information about health care providers that would be required to assign NPIs; thus, if those health plans' prevalidated health care provider files were to be used to populate the NPS, costs might exceed $50 per health care provider in order to obtain the missing information needed to assign NPIs. Commenters also pointed out that the cost to enumerate an entity that furnishes atypical or nontraditional services would exceed $50.

Response: We respond to these issues as follows:

• We agree with the comment that there may be situations where information in addition to what is contained in existing health care provider files will be required in order to assign NPIs. For example, we have found that some Medicaid and Medicare provider files do not contain all of the information required to assign an NPI. Populating the NPS with existing files that lack certain required NPS data elements increases the cost of enumeration because additional resources would be needed to collect the missing information.

• Any inconsistencies or errors that are present in health care provider files that are considered to be used to populate the NPS would be imported into the NPS as part of that process. Resolving these inconsistencies and errors before loading these files will require resources and time. This will increase the cost of enumeration and possibly slow the process.

• Where the format or structure of a health care provider file being considered for use in populating the NPS differs from the format or structure of the NPS, additional costs will be incurred in attempting to conform that source file to the NPS.

• As discussed in section II. C. 2. of this preamble, “Data Elements and Data Dissemination,” we are reducing the amount of health care provider information being captured by the NPS to only that which is required to uniquely identify and communicate with the health care provider. Some of the information that will not be collected is the kind that is costly to collect, such as membership in groups, certification and school information. Not collecting these health care provider data lowers the cost of enumeration.

• On applications for NPIs from individuals, the NPS will verify the SSN if it is furnished on the application.

• Problems in processing the applications will have to be resolved. This will increase the cost of enumeration.

• The NPS will be designed, wherever feasible, to take advantage of technologies that will make its operation efficient. This may include the use of the Internet to accept applications and updates from health care providers. While up-front costs will be higher for some designs, the more efficient the design and operation of the NPS, the lower the cost of enumeration and ongoing operations.

Medicare Part B carriers indicated in comments that it costs about $50 to enroll a health care provider in the Medicare program. This process involves reviewing and validating apaper application containing far more information than will be collected and validated on the NPI application/update form. The NPS will verify the SSN only if it is furnished in applying for an NPI; the date of birth will be verified only if the SSN is furnished. The NPS will run various edits and consistency checks and will check for duplicate records to ensure that only one NPI is assigned to a health care provider and that the same NPI is not assigned to more than one health care provider. Enabling the receipt of Web-based applications and the limited validation will make the cost of enumerating a health care provider far less than enrolling a health care provider in a health plan. The majority of atypical and nontraditional service providers are not considered health care providers and, therefore, would not be eligible for NPIs. The use of modern technology to receive and process applications for NPIs makes it difficult if not impossible to attach a dollar value to the enumeration of a single provider. Implicit in enumeration are the costs of software, licenses, salaries, training, and overhead. We estimate that the combination of all of the above factors would reflect an average cost of enumerating a single health care provider to be closer to $10.

Comment: The majority of commenters favored enumeration option 1, where a single entity would enumerate all health care providers except existing Medicare providers (who would automatically be enumerated). (The May 7, 1998, proposed rule recommended enumeration option 2, which would have required Federal health plans and Medicaid to enumerate their enrolled health care providers, with a federally-directed registry enumerating all remaining health care providers.) The supporters of a single enumeration entity cited the following advantages of option 1: (1) It would be less costly than multiple enumeration entities; (2) it would ensure uniform operation of the enumeration process, reducing inconsistencies that could lead to duplicate assignment of NPIs; (3) it would be less confusing to health care providers, particularly those that participate in multiple health plans; (4) it would be a single point of contact with which to do business and seek help and information; and (5) it would ensure uniformity in resolving problems and would be more capable and efficient in responding to data integrity issues that may require investigation. Comments from Federal health plans and Medicaid State agencies (which were the proposed enumeration entities under option 2) stated that they preferred not to have a role as an enumerator. Some Federal health plans anticipated that too many health care providers would request that they handle their updates and changes. Medicaid State agencies indicated that they would require additional Federal funding to assume the responsibilities of enumeration.

Nonetheless, some commenters did support option 2. They stated that having Federal health plans and Medicaid State agencies enumerate their own health care providers had several advantages: (1) These entities already conduct a significant amount of enumeration activity in their health plan enrollment processes, which would bring a wealth of experience to the NPI enumeration process; (2) much of the information required to assign an NPI to a health care provider is already collected by these entities; (3) fraud detection would be enhanced because, as enumeration entities, they would have access to the data in the NPS; and (4) the initial cost of enumerating health care providers would be incremental to these entities, a major factor in making option 2 less costly than option 1.

Response: After analyzing all the comments and reviewing our computations as to the costs of enumeration under both options, we have determined that a single entity, under HHS direction, should handle the enumeration functions. We believe that enumeration by a single entity will be the most efficient option.

While supporters of option 2 cited several advantages, the reluctance of the Federal health plans and Medicaid State agencies to undertake enumeration functions was a major factor causing us to support a single entity. Selection of option 2 would have required those Federal health plans and Medicaid State agencies to perform functions they were not willing to perform. Another factor in our decision to choose option 1 was an oversight in our cost computations. While our narrative discussion of costs indicated that prevalidated Medicare provider files would populate the NPS under both options, Table 5 in the Impact Analysis portion of the May 7, 1998, proposed rule did not reflect those savings in the cost of option 1. If those savings had been reflected, the cost of option 1 would have been less. (Please see the next comment and response regarding Medicare provider files.) Costs for option 2 did not include the expenses that would be incurred by Federal health plans and Medicaid State agencies in resolving problems found in their health care provider records that would prevent some of those records from being loaded into the NPS for enumeration of the health care providers. This would have increased the cost of option 2. Had we applied both of these cost factors, both options would cost about the same.

The use of one entity, under HHS direction, to enumerate health care providers will ensure uniform operation of the NPS. Health care providers will have a single contact point for applications, updates, and questions. Problems will be resolved in a uniform manner. These factors make a single enumerator the more efficient option.

Comment: Several commenters cautioned against loading pre-existing health care provider files into the NPS. They indicated that any errors present in those files would be carried undetected into the NPS. Commenters cautioned that any data to be loaded into the NPS should be validated, accurate, and up to date.

Response: We agree with the commenters' recommendation that accurate, current data should be included in the NPS. After publication of the May 7, 1998 proposed rule, we reexamined the existing Medicare provider files in anticipation of using them to populate the NPS. Our reexamination revealed that some mandatory NPS data elements are not present in some of the Medicare files. In addition, data integrity problems have been identified, and reformatting some of the Medicare files to make them consistent with the structure of the NPS may be more difficult than first expected. It may require considerable time to update and reformat these files for NPS purposes.

It is important to note that we are undertaking steps to update our existing Medicare provider files for independent business reasons. If we find it is feasible to use updated, accurate Medicare provider files to populate the NPS, we will do so, and we will notify the affected Medicare providers that they will not have to apply for NPIs. The NPS will notify the affected providers of their NPIs.

Comment: Nearly all commenters recommended that the enumeration function and operation of the NPS be federally funded because a Federal statute mandates the adoption and use of a standard unique health identifier for health care providers. Many commenters stated that the costs cannot be borne directly by health care providers or indirectly by health care provider organizations and clearly stated that health care providers should receive NPIs at no cost. Some stated that if fees need to be assessed, they should come from the health plans, not thehealth care providers, as the health plans will receive the most benefit from the use of the standard. There was some support for the collection of initial fees from health plans, health care clearinghouses, and other nonprovider entities to obtain data from the NPS; the fees would help offset the cost of maintaining the database. Another commenter recommended that the public sector and large health plans pay fees to a public-private sector trust organization. The fees would represent their proportion of the total health benefit dollars; the trust organization would administer various databases required by the HIPAA standards (not solely the NPS). One commenter suggested Federal funds be used initially, with the enumeration entity eventually becoming self-sufficient.

Response: HIPAA did not provide the authority to charge health care providers a user fee to obtain an NPI. Federal funds will support the enumeration process and the NPS, at least initially. After the NPI is implemented, HHS will investigate the use of other funding mechanisms. The data dissemination process is discussed in section II.C.2., “Data Elements and Data Dissemination,” of this preamble.

Comment: Some commenters supported the phases of enumeration as described in the May 7, 1998, proposed rule. Many commenters supported assignment of NPIs to existing Medicare providers first for these reasons: (1) These health care providers are the majority of the health care providers that conduct standard transactions; (2) the NPS is being developed by HHS; and (3) Medicare provider information is already available in HHS in the Centers for Medicare Medicaid Services (CMS).

Many commenters stated that health care providers that do not conduct the transactions specified in HIPAA should be enumerated at the same time as all other health care providers—all health care providers must be equally able to receive NPIs. Many of these commenters believed that costly dual systems would have to be maintained (one for health care providers with NPIs and one for those without) and confusion in the marketplace would be created if paper processors did not also receive NPIs within the same time frame as electronic processors.

Other commenters suggested that NPIs be issued on a first-come, first-served basis.

Some commenters suggested enumeration phases by health care provider type or by geographical region of the country.

Response: The NPS will be stress tested, but even successful passage of the stress test will not enable all health care providers to apply for and be assigned NPIs at the same time.

Covered health care providers are required to use NPIs where those identifiers are required in standard transactions. We expect that covered health care providers will be the first to apply for NPIs. We estimate that, on the effective date of the NPI, approximately 2.3 million health care providers will be ready to apply for NPIs. They may apply for NPIs beginning on the effective date, which is May 23, 2005. Covered health care providers must begin to use their NPIs in standard transactions no later than May 23, 2007.

We estimate that, on the effective date of the NPI, the number of health care providers that typically do not conduct standard transactions will be approximately 3.7 million. A few examples of these health care providers are registered nurses employed by hospitals or other facilities, X-ray and other technicians, and dental hygienists. These health care providers may apply for NPIs at any time after the effective date of this final rule. However, because there is no requirement for these health care providers to use NPIs, we do not expect them to apply for NPIs as soon as those that conduct standard transactions or those that must be identified in standard transactions.

It may be determined some time after publication of this final rule that “bulk enumeration” of some health care providers is feasible. Bulk enumeration is a term used to mean mass-enumeration of a large number of health care providers, all at one time, from a database or file that uniquely identifies them in a way consistent with the identification criteria in this final rule. Bulk enumeration would eliminate the need for those health care providers to apply for NPIs. For example, bulk enumeration might involve a specific classification of health care providers that comprises the membership of a large professional organization, or it could involve different classifications of health care providers that are employed by one large organization health care provider. In both of these examples, the health care providers to be enumerated may or may not be covered entities. This enumeration could occur at any time, if it is feasible. HHS, along with the other affected entities, and working within the requirements of the Privacy Act, will determine the feasibility of bulk enumeration. Any health care provider that would be enumerated in this way will be notified.

The NPS will process applications for NPIs as they are received.

It is true that some health plans may have to maintain—for internal purposes—dual health care provider numbers: the NPI and the number(s) issued to health care providers by the health plans themselves. Health plans impose this burden on themselves in accommodating their own internal operational needs. We expect that health plans may decide to use NPIs for additional purposes beyond those required in this final rule.

Comment: The majority of commenters made it clear that NPIs must be assigned and the NPS fully and successfully tested well before the compliance date.

Response: We agree. The NPS will have been fully tested before it begins to assign NPIs. The speed of assignment of NPIs will be dependent in part on the complete, correct, and timely submission of the NPI applications.

Comment: Several commenters stated that the application forms for NPIs should be retained indefinitely in a manner where the signatures or certification statements could be verified if necessary. Commenters stated that signatures or certification statements could be useful in prosecuting a health care provider that knowingly requested more than one NPI for itself.

Response: The NPI application forms will contain a statement whereby the signer attests to the accuracy of the information on the application. Paper applications will be maintained indefinitely for signature or certification statement verification and audit purposes. Applications completed electronically will be processed only if the person completing the application attested to the accuracy of the information by “checking” a designated box appearing in the on-line application. Those electronic applications that are successfully processed (that is, the health care provider is assigned an NPI) will be maintained indefinitely in a manner whereby certification statements can be verified if required.

Comment: Several commenters asked that the NPI application form be designed to accommodate updates to health care provider data.

Response: We believe this is a good suggestion, particularly because all of the information that will be required on the application for an NPI will have to be updated if changes occur. Therefore, we will attempt to design a form that can serve both application and update purposes.

Final Provisions

One entity will be given enumeration functions under the direction of HHS (option 1 as presented in the May 7, 1998, proposed rule) to enumerate all eligible health care providers who apply for NPIs. There are many advantages in using a single entity, which were discussed in the comment and response section above.

The enumeration function and the development and operation of the NPS will be federally funded, at least for the foreseeable future. Under this final rule, health care providers will not be charged a fee to be assigned NPIs or to update their NPS data.

If feasible, we will populate the NPS with Medicare provider files.

Health care providers will apply for NPIs, and covered health care providers must apply for NPIs.

We will attempt to design the NPI application form in order to also accommodate updates. The form will be available from the NPS and via the Internet (http://www.cms.hhs.gov).

We will attempt to design the NPS so that it can receive and accept NPI applications and updates on paper or over the Internet.

We expect that the use of modern technology to receive and process applications for NPIs and to apply updates to the NPS records of enumerated health care providers will greatly reduce our earlier estimates. In addition, the limited validation by the NPS of data reported by health care providers will further reduce NPS costs. We discuss the cost of operating the NPS in section V, “Regulatory Impact Analysis,” of this preamble.

Before enumeration begins, the NPS will be fully tested. We will strive to ensure that the NPS functions properly and guards against assigning the same NPI to more than one health care provider, assigning more than one NPI to the same health care provider, and re-using NPIs (assigning to a health care provider an NPI that had at one time been issued to another).

Health care providers may apply for NPIs beginning on the effective date of this final rule.

At this time, we do not expect bulk enumeration of health care providers, except possibly of Medicare providers, as discussed earlier. HHS will explore the feasibility of other such enumerations. If considered feasible, the affected health care providers will be notified and will not have to apply for NPIs.

We will consider the feasibility of allowing health care providers to designate authorized representatives to handle their NPI applications and updates.

Applications for NPIs and updates will be retained by HHS indefinitely in a manner in which signatures on paper applications or certification statements on electronic applications can be verified if required.

We will make available as much information as possible about the implementation of the NPI on the CMS Web site (http://www.cms.hhs.gov).

The web site will include information about the availability and submission of the NPI application/update form.

3. Approved Uses of the NPI

The preamble of the May 7, 1998, proposed rule discussed approved uses of the NPI. We did not receive comments that objected to those uses.

By 24 months after the effective date of this final rule, covered health care providers, health plans (except for small health plans), and health care clearinghouses must use the NPI in standard transactions. Small health plans must do so within 36 months of the effective date. Covered health care providers must disclose their NPIs to other entities when these entities need to include those health care providers' NPIs in standard transactions. We encourage all other health care providers to do the same.

The NPI may also be used for any other lawful purpose requiring the unique identification of a health care provider. It may not be used in any activity otherwise prohibited by law.

Examples of permissible uses include, in addition to the above, the following:

• The NPI may be used as a cross-reference in health care provider fraud and abuse files and other program integrity files.

• The NPI may be used to identify health care providers for debt collection under the provisions of the Debt Collection Improvement Act of 1996 (Pub. L. 104-134, enacted on April 26, 1996) and the Balanced Budget Act of 1997 (Pub. L. 105-33, enacted on August 5, 1997).

• Health care providers may use their own NPIs to identify themselves in nonstandard health care transactions and on related correspondence.

• Health care providers may use other health care providers NPIs to identify those other health care providers in health care transactions and on related correspondence.

• Health plans may use NPIs in their internal health care provider files to process transactions and in communications with health care providers.

• Health plans may communicate NPIs to other health plans for coordination of benefits.

• Health care clearinghouses may use NPIs in their internal files to create and process standard transactions and in communications with health care providers and health plans.

• NPIs may be used to identify health care providers in patient medical records.

• NPIs may be used to identify health care providers that are health care card issuers on health care identification cards.

We encourage health care providers that are not required to comply with HIPAA regulations to use NPIs in the ways listed above.

4. System of Records Notice

A System of Records Notice (HHS/HCFA/OIS No. 09-70-0008) published in the Federal Register on July 28, 1998 (63 FR 40297), listed the ways in which data from the NPS that are protected by the Privacy Act may be used. Few comments were received on the System of Records Notice.

We are including a summary of the comments below:

Comment: One commenter believes that the data collected to assign NPIs to physicians should be kept to an absolute minimum. Data that are not required for enumeration or legitimate administrative purposes should not be collected. Data released beyond HHS must be released in accordance with the provisions of the Privacy Act, insofar as that Act applies to the data in question, and the Freedom of Information Act, as appropriate. Data in addition to those which are published in the Unique Physician Identification Number (UPIN) Directory should not be released. Most of the data collected to enumerate an individual should not be publicly available. Another commenter was concerned that removal of a health care provider's record from the NPS could result in the re-issuance of that health care provider's NPI to another health care provider. The NPI must remain unequivocally unique and the NPS must never re-issue a previously assigned NPI. Removal of a health care provider's records at some point after the health care provider's death is reasonable, as long as there are guarantees that the health care provider's NPI will never be used by another health care provider or re-issued to another health care provider.

Response: In section II. C. 2. of this preamble, “Data Elements and Data Dissemination,” we describe the information that we expect will be collected and stored in the NPS. Therequirements described in the comments we received on the NPS System of Records Notice will be met in the design and operation of the NPS and in the enumeration functions.

5. Summary of Effects on Various Entities

Below is a summary of how the implementation of the NPI will affect health care providers, health plans, and health care clearinghouses.

a. Health Care Providers

At this time, bulk enumeration of health care providers is not expected to occur. If, however, it is determined to be feasible, we will populate the NPS with data from Medicare provider files. If bulk enumeration were to occur, the affected health care providers would be notified of their NPIs and would not have to apply for them. Otherwise, in order to be assigned NPIs, covered health care providers must apply for NPIs. (Health care providers that are not covered entities are encouraged to apply for NPIs.) After applying for NPIs, health care providers will be assigned and notified of their NPIs by the NPS. Health care providers will submit a paper application or, if feasible, will have the option of applying for NPIs via the Internet. The NPI application/update form and information about health care provider enumeration will be available from the CMS Web site (http://www.cms.hhs.gov).

Covered health care providers that have been assigned NPIs must furnish updates (changes) in their required NPS data or that of their subparts to the NPS within 30 days of the changes; they may use the NPI application/update form for this purpose. We recommend that health care providers notify the health plans in which they are enrolled of any changes at the same time they notify the NPS of these changes. (This recommendation does not preclude health plans from requiring notification of updates within a shorter time frame.)

We encourage health care providers who have been assigned NPIs but who are not covered entities also to notify the NPS of changes in their NPS data within 30 days of the changes.

Covered health care providers must use their NPIs to identify themselves and their subparts, if appropriate, on all standard transactions when their health care provider identifiers are required. We encourage all health care providers and subparts that have been assigned NPIs to do the same.

Covered health care providers must disclose their NPIs and those of their subparts to entities that need the NPIs to identify those health care providers in standard transactions. We encourage all health care providers and subparts that have been assigned NPIs to do the same.

Covered health care providers must require their business associates, if they use them to conduct standard transactions on their behalf, to use their NPIs and the NPIs of other health care providers and subparts appropriately as required by those transactions.

Covered health care providers that are organization health care providers with subparts as described earlier in this preamble must ensure that, when NPIs are assigned to subparts, either the covered health care provider or the subpart (1) uses the NPIs of the subparts on all standard transactions when their health care provider identifiers are required, (2) discloses their NPIs to entities that need the NPIs to identify those subpart(s) in standard transactions, (3) communicates changes in required data elements of the subparts to the NPS, and (4) requires business associates of the subparts, if they use them to conduct standard transactions on their behalf, to use their NPIs and the NPIs of other health care providers and subparts appropriately as required by the transactions that the business associates conduct on their behalf.

b. Health Plans

Health plans must use the NPI of any health care provider or subpart that has been assigned an NPI to identify that health care provider or subpart on all standard transactions when the NPI is required. All plans except small health plans have 24 months from the effective date of this final rule to implement the NPI; small health plans have 36 months. Health plans that need NPS data in order to create standard transactions will be able to obtain NPS data from the NPS. (See section II. C. 2. of this preamble, “Data Elements and Data Dissemination.”) Use of data from the NPS in order to comply with HIPAA requirements is a routine use as published in the NPS System of Records Notice.

HIPAA does not prohibit a health plan from requiring its enrolled health care providers to obtain NPIs if those health care providers are eligible for NPIs as discussed earlier in this preamble.

c. Health care clearinghouses

Health care clearinghouses must use the NPI of any health care provider or subpart that has been assigned an NPI to identify that health care provider or subpart on all standard transactions when the NPI is required. As with health plans, health care clearinghouses will be able to obtain NPS data from the NPS.

C. Data

1. NPS Data Structures

Proposed Provisions (§ 142.402)

In section IV. B. of the preamble of the May 7, 1998, proposed rule, “Practice Addresses and Group/Organization Options,” (63 FR 25336), we asked for public comment on some of the data structures that would be captured in the NPS for each health care provider.

Comments and Responses on NPS Data Structure Concepts

Below are the questions as posed in the May 7, 1998, proposed rule followed by a summary of the comments and our responses:

a. Should the NPS Capture Practice Addresses of Health Care Providers?

Comment:

Responding yes: Some commenters stated that they need to capture the multiple practice addresses of a health care provider for their business functions. They believe it would be best to do this once in the health care provider's NPS record, rather than in many local systems.

Responding no: A large majority of commenters stated that the NPS should not capture any practice addresses or should capture only one physical location address per NPI. Some of these commenters believed that each location where a health care provider practices needs to be identified, but they believed locations should receive separate identifiers, rather than be captured as multiple addresses in the health care provider's NPS record. Many other commenters noted that health care provider practice addresses change frequently and that address information will be burdensome and expensive to maintain and will be unlikely to be maintained accurately at the national level. They believe that, if needed, it should be collected and maintained in local systems.

Response: The NPS will capture the mailing address and one physical location address for each health care provider. Only one physical location address will be associated with each NPI. Practice addresses would be of limited use in the electronic matching of health care providers. The volatility of practice address information would make maintenance of the information burdensome and expensive. Collecting only one physical location address minimizes the burden of data collection and maintenance, while providing anaddress where the health care provider can be contacted in situations when a mailing address is insufficient. For example, a mailing address containing a Post Office box number cannot be used for mail delivery by other than the United States Postal Service.

b. Should the NPS Assign a Location Code to Each Practice Address in a Health Care Provider's Record?

Comment:

Responding yes: A small number of commenters recommended that the NPS assign location codes. Most of these commenters were health plans that need to identify all the practice addresses of a health care provider. They want to use location codes as pointers to these addresses in a health care provider's NPS record.

Responding no: A large majority of commenters stated that the NPS should collect only one physical location address of each health care provider and should not assign location codes. If only one physical location address is collected, there is no need to assign location codes to distinguish multiple practice addresses. Respondents noted several technical weaknesses of the proposed location code. They stated that the format of the location code would allow for a lifetime maximum of 900 location codes per health care provider, and this number may not be adequate for health care providers with many locations. The location code would not uniquely identify an address; different health care providers practicing at the same address would have different location codes for that address, resulting in complexity, rather than simplification, for business offices that maintain data for large numbers of health care providers.

Response: The combination of the NPI assignment strategy described earlier in this final rule and the data elements contained in the standard claim and equivalent encounter information transaction eliminate the need for location codes. The NPS will not establish location codes.

c. Should the NPS Link the NPI of a Organization Health Care Provider That Is a Group Practice to the NPIs of the Individual Health Care Providers Who Are Members of the Group?

Comment:

Responding yes: Some commenters responded that they need to be able to associate organization health care providers who are group practices with the individual members of the group. They believe this association can most efficiently be maintained once in the NPS, rather than in many local systems.

Responding no: A large majority of commenters noted that health care provider membership in groups changes frequently and that this information will be burdensome and expensive to maintain and will be unlikely to be maintained accurately at the national level. Some health plans recognize contractual arrangements that may not correspond to groups. Commenters believe that, if needed, membership in groups should be collected and maintained in local systems.

Response: We agree that the NPS should not link the NPI of an organization health care provider that is a group practice to the NPIs of individual health care providers who are members of the group. The large number of members of some groups and the frequent moves of individuals among groups would make national maintenance of group membership burdensome and expensive. Contractual arrangements would be impractical to maintain nationally and would most likely differ from health plan to health plan. Most organizations that need to know group membership and contractual arrangements prefer to maintain this information locally, so that they can ensure its accuracy for their business purposes.

d. Should the NPS Collect the Same Data for Organization and Group Health Care Providers?

Comment:

Responding yes: A large majority of commenters stated that a distinction between organization and group health care providers would be artificial and would serve no purpose.

Responding no: Some commenters stated that organization and group health care providers should be distinguished in the NPS. None of these commenters suggested different data that should be collected for a group health care provider, as opposed to an organization health care provider. We believe that most of these comments reflect a recommendation that group health care providers receive NPIs rather than a recommendation that different data be collected for group health care providers, as opposed to organization health care providers.

Response: No commenter suggested that different data be collected for a group practice than for an organization health care provider and a strong majority of commenters stated that the same data should be collected. We agree that the NPS should collect the same data for group and organization health care providers. Groups will be enumerated as organization health care providers.

Comments and Responses on NPS Data Structure Alternatives

In the May 7, 1998, proposed rule, we presented two alternatives for the structure of health care provider data in the NPS.

Under “Alternative 1,” the NPS would capture multiple practice addresses. It would assign a location code for each practice address of an individual or group health care provider. Organization and group health care provider records would have different associated data in the NPS. Group health care providers could have individuals (such as physicians) listed as members of the group, and the NPS would link the NPIs of group health care providers to the NPIs of the individuals that make up the group. Under “Alternative 2,” the NPS would collect the mailing address and one physical location address for a health care provider. It would not assign location codes. It would not collect different data for organization and group health care providers. It would not link the NPI of an organization to the NPIs of individuals or any other health care providers.

Comment: A majority of respondents preferred Alternative 2.

Response: The comments on the four preceding questions and on the two alternatives indicated a strong preference for Alternative 2. We agree with commenters that Alternative 2 will provide the data needed to identify the health care provider at the national level. We agree that the NPS record will be based on the data described in Alternative 2.

Final Provisions

In the “Final Provisions” portion of section II. A. 2. of this preamble, “Definition of a Health Care Provider,” we describe the entities that will be eligible to receive NPIs. The data structures discussed below apply to every entity that is assigned an NPI.

The mailing address and one practice address (physical location) will be collected by the NPS for each health care provider. One physical location address will be associated with each NPI.

Because only one physical location address will be collected per health care provider, location codes will not be necessary and, therefore, will not be established by the NPS.

Group practices often have many members, and individual health care providers often move from group to group. Maintenance of this information on a national level would be difficult and costly. Many health plans prefer tocollect and maintain this information themselves. Therefore, the NPS will not link the NPI of a group to the NPIs of individual health care providers who are members of that group.

The NPS will collect the same data from group health care providers as it will collect from organization health care providers.

Group practices will be considered organization health care providers and will be enumerated as organization health care providers.

We will design the NPS along the lines of Alternative 2 as presented in the May 7, 1998, proposed rule.

2. Data Elements and Data Dissemination

Proposed Provisions

In the preamble of the May 7, 1998, proposed rule, in section IV, “Data,” we listed the data elements that we proposed to include in the NPS. We solicited comments on the inclusion and exclusion of those data elements and the inclusion of other data elements that the public believed appropriate. We asked how the NPS could be designed to make it useful, efficient, and low-cost.

In that same section, we also posed data questions and discussed options for NPS data structures. Section II.C.1. of this preamble, “NPS Data Structures,” contains the comments and responses and decisions made regarding NPS data structures. As a result of those decisions, some data elements that were included in the list of proposed data elements published in the May 7, 1998, proposed rule will not, in fact, be included in the NPS database. Therefore, the information in section II.C.1. of the preamble should be kept in mind in reading this section.

In the preamble of the May 7, 1998, proposed rule, in section V., “Data Dissemination,” we proposed two levels of dissemination of information from the NPS:

• (1) Level I—To the entity(ies) performing the enumeration functions. The(se) entity(ies) would have direct access to the NPS and to all the data elements in the NPS; and

• (2) Level II—To the general public. The general public would be able to request and receive selected data elements, excluding those that are protected by the Privacy Act. (Requests for Privacy Act-protected data and Freedom of Information Act (FOIA) requests would be handled in accordance with existing HHS policies.)

The May 7, 1998, proposed rule contained a table indicating the level of dissemination of the NPS data elements. We proposed that we would charge fees for data and data files, but that the fees would not exceed the costs of dissemination (63 FR 25338). We solicited comments on the information that should be available in paper and electronic formats and the frequency with which information should be made available.

Comments and Responses on Data Elements and Data Dissemination

Comment: An overwhelming number of commenters said that the NPS should contain only the data elements required to communicate with and uniquely identify and assign an NPI to a health care provider. They believed this information should be the kind that could effectively be maintained at the national level, leaving the more complex and volatile data to health plans to capture and maintain, as they currently do. Many commenters listed the specific data elements that they recommended we remove from the list presented in the May 7, 1998, proposed rule. The majority of commenters believe that, as a result of the removal of the data elements not needed for enumeration and communication, the NPS would be easier and less expensive to maintain and would operate more efficiently.

Response: To be valuable, the NPS must be accurate, up to date, and meet its intended purpose in the most feasible way. The NPS must collect information sufficient to uniquely identify a health care provider and assign it an NPI and must collect information sufficient to communicate with a health care provider. The data elements that we have retained are necessary to uniquely identify and communicate with a health care provider. Our decision to reduce the composition of the NPS to the data elements needed for unique identification and communication removes many of the data elements that were proposed to comprise the NPS in the May 7, 1998, proposed rule. The comments and responses that follow contain additional information and rationale concerning our decision to include or exclude certain data elements.

Comment: Some commenters said that collecting but not validating certification or school information would make that information meaningless. Most commenters did not believe the NPS should collect certification or school information in the first place because it would not be useful in uniquely identifying the individual applying for an NPI. They believe that collection and validation of this information should continue to be done by health plans in their health care provider enrollment processes. Most commenters supported the collection of credential designation(s) (for example, M.D., C.S.W., and R.N.), license number(s), and State(s), which issued the license(s) for individual health care providers whose taxonomy classifications require licenses.

Response: We agree with commenters that it would be costly to collect, validate, and maintain certification and school information. We do not believe the NPS should replicate unnecessarily the work carried out by health plans. We agree that health plans, which do this work now, should appropriately continue to do so. The NPS will capture an individual health care provider's license number (if appropriate), the State which issued the license (multiple occurrences of both data elements), and the credential designation(s). The credential designation(s) (called “Provider's credential designation” in the May 7, 1998, proposed rule) will be captured in the data element “Provider credential text,” which will be a repeating field. This data element was renamed to make it compatible with X12N HIPAA data dictionary naming conventions and also to avoid giving the impression that the NPS will be validating the credentials. The license number and State in which it was issued will be useful to health plans in matching NPS records to their health care provider files. As a result of the decision not to collect certification and school information, the following data elements will not be included in the NPS:

• Provider certification code;

• Provider certification (certificate) number;

• School code;

• School name;

• School city, State, country;

• School graduation year.

Comment: Commenters did not see value in the NPS capturing “Provider's birth county name.” They believe the State name and country (the latter required if the health care provider was not born in the United States) would be sufficient for identification purposes.

Response: We agree. The “Provider's birth county name” data element will be excluded from the NPS.

Comment: Some commenters suggested that the “Taxpayer Identifying Number” (TIN) be added to the NPS. They believed this was needed to match NPS records to health plans' health care provider files and that it could help in unique identification.

Response: We agree that the numbers used to report income taxes will beuseful in uniquely identifying health care providers.

According to the Internal Revenue Service (IRS), three numbers (known as “Taxpayer Identifying Numbers,” or TINs) may be used (depending on circumstances) to report income taxes: (1) The Social Security Number (SSN), assigned by the Social Security Administration to individuals; (2) the IRS Individual Taxpayer Identification Number (ITIN), assigned by the IRS to individuals who are not eligible to receive Social Security Numbers; and (3) the Employer Identification Number (EIN), assigned by the IRS to organization health care providers (that is, health care providers that would not be assigned “Entity type code” 1 NPIs). For purposes of being assigned NPIs, health care providers will be asked voluntarily to supply their SSN or IRS ITIN (if they are individuals who would be assigned an “Entity type code” 1 NPI), or will be required to supply their EIN (if they are organizations that would be assigned “Entity type code” 2 NPIs).

Requesting the SSN from individual health care providers will dictate that we include on the NPI application/update form appropriate disclosure and Privacy Act statements.

Comment: Some commenters suggested that Medicare and Medicaid sanction information be added to the NPS. One commenter wanted to know where sanction data would be housed and who would maintain these data.

Response: The NPS will not contain sanction data or indicators that sanction data exist. Sanction data were not included in the data element list published in the May 7, 1998, proposed rule. While maintainers of sanction databases may incorporate the NPI into their databases to enable searches by NPI, the NPS will not house sanction information. The Web address for the Office of Inspector General sanctioned health care providers file is http://exclusions.oig.hhs.gov/.

Comment: Some commenters said that “License revoked indicator” and “License revoked date” should be included in the NPS.

Response: The NPS will not capture this or similar information. The uniqueness of the health care provider can be established without this information. This information would more appropriately be collected by health plans.

Comment: A number of data elements were suggested to be added to the NPS. These included “Owner of the provider,” “Practice type control code” (office-based, hospital-based, Federal facility practice, and other), “Source of information for certification,” “Provider type,” and “Provider specialty code.”

Response: The May 7, 1998, proposed rule did not propose that the NPS collect health care provider ownership information. This information is volatile and already resides on most health plans' health care provider enrollment files. Practice type control information is not required to uniquely identify or classify a health care provider for NPS purposes; therefore, it will not be included in the NPS. “Source of information for certification” will not be captured because, as explained earlier in this section, certification information will not be collected by the NPS. The definitions of “Provider type” and “Provider specialty code” may differ from one health plan to another; the NPS will capture the type(s), classification(s), and area(s) of specialization as described in the Healthcare Provider Taxonomy Code set. By capturing this information, we take into account the specialty classifications as required by HIPAA. The taxonomy can be viewed at this Web site:http://www.wpc-edi.com/taxonomy/.

Comment: A commenter suggested that a health care provider's “pay-to address” be added to the NPS. Another commenter stated that health plans will use the health care provider's mailing address as the pay-to address. Another commenter suggested that HHS consider electronic data interchange (EDI) addresses for inclusion in the NPS.

Response: In most situations, a health care provider's “pay-to address” is its mailing address. Therefore, we do not believe it is necessary to add a “pay-to address” to the NPS. Because EDI addresses are not standardized at this time, they will not be included in the NPS. The composition of the NPS will be revised if necessary in the future.

Comment: Several commenters suggested adding the name of the establishing enumerator or agent and the name and telephone number of the enumerator who made the last update to the NPS. They believe that this information would help ensure the accuracy of the database by preventing multiple enumerators from updating or attempting to update the same records.

Response: As discussed in section II. B. 2. of this preamble, “Health Care Provider Enumeration,” there will be one entity, under HHS direction, that will be charged with enumeration functions. The decision to use a single enumerator renders the data elements proposed by these commenters unnecessary. The “Establishing enumerator/agent number” will not be included in the NPS.

Comment: One commenter suggested we add “Provider status” and “Date of deactivation” to the NPS.

Response: In section II. A. 2. of this preamble, “Definition of Health Care Provider,” we describe the reasons why an NPI may be deactivated. We have added to the NPS two new data elements: “National Provider Identifier deactivation reason code” and “National Provider Identifier deactivation date.” These data elements will capture the information suggested by this commenter. (It should be noted that “Provider's date of death” will be excluded as a data element from the NPS. Fact of death and resulting deactivation date will be captured in the two new data elements.) We have also added a data element called “National Provider Identifier reactivation date,” which will capture the date that a health care provider's NPI is reactivated.

Comment: Several commenters suggested adding “Cross reference to replacement NPI.” They thought it would be important to link former and current NPIs.

Response: In section II. A. 2. of this preamble, “Definition of Health Care Provider,” we explain that an NPI is designed to last indefinitely. There may, however, be an unusual circumstance that would justify a health care provider's request to be issued a new, different NPI. In these situations, the NPS will link the new, or replacement, NPI to the previous NPI(s) of that same health care provider. (By “same health care provider,” we mean an entity with exactly the same data elements, or string of NPS data.) We will add two new data elements to the NPS: “Replacement NPI” and “Previous NPI.” Both will be repeating fields (see “Data Status” preceding the National Provider System Data Elements and Data Dissemination table). When a user retrieves the NPS record of a health care provider, either of those fields may contain data. (If neither field contains data, the health care provider has had only one—its original—NPI.) The user can then retrieve the related NPS record by requesting the record of the NPI appearing in the “Replacement NPI” or the “Previous NPI” field, whichever is appropriate.

Comment: One commenter suggested that “Effective from” and “Effective through” dates be added for telephone numbers and addresses.

Response: We expect that the NPS will be designed to associate dates with the information about a health care provider, thus creating a history of a health care provider's record. When changes are made to a health care provider's telephone number or address,that health care provider's record will include the dates of those changes. “Effective from” and “Effective through” dates for telephone numbers and addresses may not hold true; there could be unexpected situations that could cause changes to occur sooner or later than reported. We believe it will be more accurate to include a date to reflect each time a change is made in this information.

Comment: A commenter suggested that the On-line Survey Certification and Reporting System (OSCAR) number be maintained after the initial load of Medicare providers, and that the NPS include a “Facility type” indicator for OSCAR providers.

Response: As explained earlier in section II. B. 2. of this preamble, “Health Care Provider Enumeration,” we are evaluating the feasibility of populating the NPS with existing Medicare provider files. If this is done, the OSCAR number, which is a Medicare-assigned number, will be captured in the NPS automatically. Whether or not we populate the NPS with Medicare files, the NPI application/update form will collect health care provider identification numbers that are assigned by certain health plans (including Medicare) and other organizations. Health care providers that apply for NPIs will be able to furnish these numbers (“Other provider identifier”) and to indicate the type of number being furnished (for example, OSCAR, UPIN, DEA, and Medicaid) (“Other provider identifier type code”), on the NPI application/update form. These will be optional and repeating NPS data elements. The NPS will capture as many “Other provider identifier” entries and the corresponding “Other provider identifier type code” entries as are reported on the NPI application/update form. The NPS will apply changes or updates to the “Other provider identifier” or “Other provider identifier type code” when health care providers notify the NPS of changes to this information.

The NPS will not require a “Facility type” indicator for health care providers with OSCAR numbers. It will collect the Healthcare Provider Taxonomy Code on the NPI application/update form.

Comment: Several commenters suggested the NPS retain the health care provider mailing and health care provider practice (provider location) phone number, facsimile number, and electronic mail address only during the initial assignment of NPIs, and then discontinue maintenance of this information.

Response: These data elements are needed for communication with the health care provider. HHS may need to communicate with a health care provider at any time during the implementation period or after. Therefore, these data elements will be maintained beyond the initial assignment of NPIs. In section II. A. 5. of this preamble, “Implementation specifications for Health Care Providers, Health Plans, and Health Care Clearinghouses,” we are requiring health care providers who are covered entities to update their required NPS data, which includes the data elements noted in the comment above, whenever changes occur.

Comment: Many commenters suggested that several data elements be repeated; for example: “Provider's other name” and “Provider's other name type”; “Other provider number” and “Other provider number type”; “Provider license number” and “Provider license State”; “Provider classification”; the data elements associated with schools; and the data elements associated with credentials.

Response: The data element table appearing in the May 7, 1998, proposed rule did not indicate repeating fields. In the National Provider System Data Elements table at the end of this section, repeating fields are noted as such. The NPS will contain as many repeating fields as there is information for “Provider other last or other organization name” and “Provider other last or other organization name type code.” As mentioned earlier, the NPS will also be able to accommodate multiples of other health care provider numbers in the data element “Other provider identifier” and types of other health care provider numbers in the data element “Other provider identifier type code.” The NPS will accommodate multiple entries for “Provider license number” and “Provider license State.” As explained earlier, the school information will be excluded from the NPS. “Provider credential text” (for example, M.D. and D.D.S.) will be a repeating field. These repeating fields are either optional or situational and will not be validated.

Comment: Many commenters asked that “Provider's race” be removed from the NPS. They did not believe it would be accurately reported. They stated that there are inconsistent definitions for “race”; they did not understand the purpose for collecting this information.

Response: We understand and appreciate the comments stating that the NPS should be capturing only what is needed for unique identification of and communication with a health care provider. While collection of race and ethnicity data could support a number of important research activities, this information is not needed to uniquely identify a health care provider; thus, we have concluded that the NPS is not the appropriate vehicle for collecting this information. Therefore, we will not collect these data elements even on an optional basis.

Comment: Several commenters suggested that a number of other data elements be excluded from the NPS: all user-requested data elements (these were denoted by a “U” in the data element list in the May 7, 1998, proposed rule), “Other provider number,” “Other provider number type,” “Organization type control code,” “Provider certification code,” “Provider certification (certificate) number,” “Provider license number,” “Provider license State,” “School code,” “School name,” “School city, State, country,” “School graduation year,” “Provider classification,” “Date of birth,” all electronic mail addresses and fax numbers, “Date of death,” “Provider sex,” and “Resident/Intern code.”

Response: We stated in the previous response that “Provider race code” (which was a user-requested data element in the list included in the May 7, 1998, proposed rule) will not be retained. We discussed all other data elements presented as user-requested data elements in the list in the May 7, 1998, proposed rule in previous comments and responses except for “Organization type control code” and “Resident/Intern code.” These two latter data elements will be excluded; they are not needed for the unique identification of or communication with a health care provider.

Comment: Several commenters questioned the use of “optional” data elements, believing that “optional” information will rarely be furnished and, if it is furnished, may not be reliable and probably would not be kept current.

Response: Certain information about health care providers that is desirable to uniquely identify them in order to assign NPIs cannot be required to be furnished. “Situational” data elements should not be confused with “optional” data elements. “Situational” data elements are required if a certain situation, or condition, exists. “Optional” data elements do not have to be supplied at all. For example, “Provider other last or other organization name” is optional. A health care provider may choose not to report a former name or a professional name. We have attempted to make asfew data elements as possible “optional” in the NPS.

Comment: Several commenters suggested that data element names, qualifiers, and definitions be consistent with the X12N HIPAA data dictionary.

Response: The NPS data element names, qualifiers, and definitions, wherever possible, are mappable to those in the X12N HIPAA data dictionary and are compatible with X12N naming conventions. We believe the mapping capability and naming convention compatibility are essentially what the commenters wanted and believe we have satisfied their concerns.

Comment: Two commenters suggested that the Drug Enforcement Administration (DEA) number be collected from health care providers that have one.

Response: The DEA number is an example of an “Other provider identifier.” The DEA number can be accommodated in this field in the NPS. We recognize that mapping between DEA numbers and NPIs is very important for the conversion of retail pharmacy files during NPI implementation. Therefore, we will collect the DEA number in the “Other provider identifier” field if it is reported on the NPI application/update form and will carry the fact that it is a DEA number by setting the “Other provider identifier type code” to indicate that.

Comment: Several commenters suggested that we publish a data model and record layout or both describing in detail the data elements, field lengths, format, repeating fields, and required and situational fields.

Response: The data element table in this preamble includes an indication of “required,” “optional,” or “situational” for each data element, and repeating data elements are noted as such. More detailed information, as requested in the comment, will be posted to the CMS Web site (http://www.cms.hhs.gov) when it becomes available during the NPS design.

Comment: Several commenters said an audit trail of NPI updates is needed for qualified users. This would indicate which enumerator updated which fields.

Response: The NPS will construct an audit trail. We expect that the audit trail would include the date a change was made, the old value, the new value, and the initiator of the change. As stated in section II. B. 2. of this preamble, “Health Care Provider Enumeration,” there will not be multiple enumerators. The NPS will contain a date (“Last update date”) that will indicate when a change was made to a health care provider's record. Extracts containing NPS changes will be made available in HHS-determined format and media to satisfy requests from approved users (see later discussion in this section of the data dissemination strategy).

Comment: Several Medicaid State agencies suggested that the Healthcare Provider Taxonomy Code set contain all health care provider types and specialties needed by Medicaid plans. Another commenter asked that the code set reflect services provided by pharmacists. Another stated that the code set did not contain a category for pain medicine. Several other commenters said the taxonomy code set is inconsistent.

Response: Until recently, this code set was maintained through an open process by the National Healthcare Provider Taxonomy Committee for use in Accredited Standards Committee X12N standard transactions. It is now maintained through an open process by the National Uniform Claim Committee. The Web site at which the code set is available is http://www.wpc-edi.com/taxonomy/. The web site contains information on how changes to the code set can be requested. (Note: Pharmacy service providers and physicians whose specialization is “Pain Medicine” are included in the code set.)Comment: Several commenters suggested that the NPS contain a feature whereby the Healthcare Provider Taxonomy Code set classifications will be available for selection when applying for an NPI.

Response: We will consider this comment in the design of the NPI application/update form.

Comment: Many commenters supported the creation of an industry-wide forum to determine the data element content, identify the mandatory and optional data elements, and determine the data dissemination requirements of the NPS. They recommended that WEDI foster such a group.

Response: WEDI is named in the Act as an external group with which the Secretary must consult in certain circumstances in standards development. To address these issues, WEDI formed several workgroups, which consisted of representatives from every aspect of the health care industry. Following the workgroups' meetings, WEDI supplied HHS with comments on NPS data, data dissemination, and other issues, supplementing the comments WEDI provided to HHS during the public comment period. We have considered these comments in developing this final rule.

Comment: Most commenters did not favor the two-level data dissemination approach presented in the May 7, 1998, proposed rule but favored instead a three-level approach:

• Commenters agreed that only the entity performing the enumeration functions and HHS should have access to the entire NPS.

• Commenters did not want Privacy Act restrictions violated but believe that our approach denied health plans and certain other health care industry entities information that they needed in order to process HIPAA transactions, while it gave the general public an excessive—and unnecessary—amount of information. They said that health plans and other health care industry entities required certain Privacy Act-protected data in order to accurately match their health care provider files with NPS data to effectively implement HIPAA requirements. Many suggested that health plans and health care clearinghouses be permitted to obtain copies of the database and periodic update files so that they can maintain files that are continually consistent with the NPS. Some commenters suggested an on-line query and response system be developed for health plans to verify a health care provider's NPI. Others wanted electronic transactions designed that could be sent to the NPS with a response returned. These transactions might request all available data, regional data, new records only, and updated records only. Some commenters suggested that health plans have batch and interactive access capabilities to the NPS, stating that health plans will require daily batch updates of new and changed records, particularly during the implementation period. Some suggested that changed records be available for electronic download daily and weekly, and monthly by CD ROM and diskette. Still others preferred that health care entities receive data through the Internet with secure identifiers.

• One commenter stated the NPS data should be used strictly for enumeration and that no NPS data should be made available to the public. This commenter recommended that the public and others obtain NPIs from the health care providers themselves, not from the NPS. Some commenters believe it inappropriate for the general public to look to the NPS as the source of any but the most general types of information about health care providers. Some commenters expressed concern that public release of too much information (particularly, full addresses) could subject health care providers to receipt of junk mail and other unsolicited materials.

• Commenters recommended that agreements be signed by anyone receiving NPS data to ensure theinformation released would not be used for marketing or mailing list generation or sold or transferred to another entity.

• Several commenters stated that personally identifiable data about health care providers, contained in the NPS, should be available to researchers for clinical and financial outcomes analyses after appropriate agreements are signed.

• One commenter suggested read-only access to the NPS data for all users.

• Several commenters stated that the data dissemination policy should be consistent with the routine uses of NPS data as published in the NPS System of Records Notice (63 FR 40297).

• The three dissemination levels suggested by commenters were:

• Level 1—Available to HHS and the entity with which HHS contracts to perform the enumeration functions.

• Level 2—Available to health plans and certain other health care industry entities that require certain Privacy-Act protected data to match their health care provider files to NPS data.

• Level 3—Available to the general public.

Response: In order to keep costs low, we must make the NPS data dissemination strategy as efficient and uncomplicated as possible. The number of formats and access options will need to be limited.

We view the NPS as a health care provider identification and enumeration system, capturing the information required to perform those functions and disseminating information needed by health plans and other entities to effectively carry out the provisions of HIPAA. We agree with the majority of commenters who stated that health plans and certain other health care industry entities require NPS data, including some data that are protected by the Privacy Act, in order to effectively conduct HIPAA transactions. (Privacy Act-protected data are those that reveal or could reveal the identity of a specific individual when used alone or in combination with or linked to one or more data elements.)

Comment: Some commenters suggested that a health care provider be able to access its own NPS data through the Internet to ensure its accuracy and to facilitate updating the information.

Response: This comment will be considered in the design of the NPS; if it is determined to be feasible, this access will be made available.

Comment: Several commenters supported charging reasonable fees or subscription rates for web-based data access options; for example, HHS could charge an annual subscription fee for unlimited downloads and a different subscription fee for monthly downloads. Some commenters asked if on-line access charges would be based on time or on a per file access basis.

Some commenters believed that usage fees should not be limited to the cost of producing the data but should be linked to the costs and value of establishing and using the NPS.

Many commenters stated that the enumerator(s) should not have to pay for NPS data.

One commenter, who had suggested the enumerator be a public and private sector trust, suggested that dissemination fees be established and administered by the public and private sector trust.

Response: The design of the NPS will facilitate making information available in an efficient manner, which will involve the use of the Internet. We are reviewing the issue of charging fees, and intend to consider charging fees to the extent our authority permits.

Final Provisions (§ 162.408(b) and (f))

The NPS Data Elements Table lists the data elements that we expect to collect about a health care provider and which will be included in the National Provider System (NPS). The data element table is not intended to be used for data design purposes. During NPS design and development, the names and attributes of the data elements may be revised. We are including this listing to show readers the kind of information that we expect will be collected about health care providers or that will be NPS-generated (for example, the NPI) about health care providers. The table does not include systems maintenance or similar fields.

Description of the information contained in each column of this table:

Data Element Name: The name of the data element residing in the NPS.

Description: The definition of the data element and related information.

Data Status: The instruction for furnishing the information being requested in the data element. The abbreviations used in this column are as follows:

Required (R): Required for NPI assignment. NPS-generated (NG): Generated or assigned by the NPS. Optional (O): Not required for NPI assignment. Situational (S): If a certain condition exists, the data element is required. Otherwise, it is not required. Repeat (RPT): Indicates that the data element is a repeating field. A repeating field is one that can accommodate more than one separate entry. Each separate entry must meet the edits, if any, designated for that data element.

Data Condition: Describes the condition(s) under which a “Situational” data element must be furnished. NOTE: The abbreviation NA means “not applicable.”

Entity Types: The “Entity type codes” to which the data element applies. See the description of the data element “Entity type code” in the table.

Use: The purpose for which the information is being collected or will be used.

I: The data element supports the unique identification of a health care provider.

A: The data element supports administrative implementation specifications.

Dissemination of data from the NPS is a complex process. It must be responsive to requests from covered entities for NPS information that they need in order to comply with HIPAA. We expect a high volume of such requests, primarily from health plans, once NPIs begin to be assigned. At the same time, the dissemination process must ensure compliance with the provisions of the Privacy Act, the Freedom of Information Act, the Electronic FOIA Amendments of 1996, and other applicable regulations and authorities, and must be consistent with the NPS System of Records Notice, which was published on July 28, 1998.

We expect to make routinely available, via the Internet and on paper, HHS-formatted data sets that will contain general identifying information, including the NPI, of enumerated organization health care providers and subparts of such health care providers (as described earlier in this preamble).

Because of complexities that are inherent in disseminating data from the NPS, it is necessary to eliminate from the NPS Data Elements Table the column that, in the proposed rule, indicated the data dissemination level. Our data dissemination strategy and the process by which it will be carried out will be described in detail at a later date and published in a notice in the Federal Register.

NPS Data Elements
Data element nameDescriptionDatastatus Data condition(situational status only) Entitytypes Use
National Provider Indentifier (NPI) 10-position all-numeric identification number assigned by the NPS to uniquely identify a health care provider NG NA 1, 2 I
Entity type code (type of health care provider assigned an NPI) Code describing the type of health care provider that is being assigned an NPI. Codes are 1 = (Person): individual human being who furnishes health care; 2 = (Non-person): entity other than an individual human being that furnishes health care (for example, hospital, SNF, hospital subunit, pharmacy, or HMO) R NA 1, 2 A
Replacement National Provider Identifier The most recent NPI issued by the NPS to this provider. Issuance of a Replacement NPI by the NPS would be an unusual circumstance in which the provider requested a new, different NPI for a valid reason. Issuance of a Replacement NPI is different from NPI deactivation and NPI reactivation NGS RPT Required if provider has been issued a replacement NPI 1, 2 I
Previous National Provider Identifier The NPI that had previously been issued to this provider NGS RPT Required if provider previously had been issued a different NPI 1, 2 I
Provider Social Security Number (SSN) The SSN assigned by the Social Security Administration (SSA) to the individual being identified O NA 1 I
Provider IRS Individual Taxpayer Identification Number (IRS ITIN) The taxpayer identifying number assigned by the IRS (to individuals who are not eligible to be assigned SSNs) to the individual being identified O NA 1 I
Provider Employer Identification Number (EIN) The Employer Identification Number (EIN), assigned by the IRS, of the provider being identified S Required if the provider has an EIN 2 I
Provider last name or organization name The last name of the provider (if an individual) or the name of the organization provider. If the provider is an individual, this is the legal name. If the provider is an organization, this is the legal business name R NA 1, 2 I
Provider first name The first name of the provider, if the provider is an individual S Required if the provider's NPI is Entity type code = 1 1 I
Provider middle name The middle name of the provider, if the provider is an individual S Required if the provider's NPI is Entity type code = 1 and the provider has a middle name 1 I
Provider other last or other organization name Other last name by which the provider being identified is or has been known (if an individual) or other name by which the organization provider is or has been known ORPT NA 1, 2 I
Provider other last or other organization name type code Code identifying the type of other name. Codes are: 1 = former name; 2 = professional name; 3 = doing business as (d/b/a) name; 4 = former legal business name; 5 = other SRPT Required if “Provider other last or other organization name” contains data. Codes 1-2 apply to individuals; codes 3-4 apply to organizations; code 5 applies to both 1, 2 I
Provider other first name Other first name by which the provider being identified is or has been known (if an individual). This may be the same as the “Provider first name” if the provider is or has been known by a different last name only SRPT Required if “Provider other last or organization name” contains data and the provider's NPI is Entity type code = 1 1 I
Provider other middle name Other middle name by which the provider being identified is or has been known (if an individual). This may be the same as the “Provider middle name” if the provider is or has been known by a different last name only SRPT Required if “Provider other last or organization name” contains data, the provider NPI is Entity type code = 1, and the provider has a middle name 1 I
Provider name prefix text The name prefix or salutation of the provider if the provider is an individual; for example, Mr., Mrs., or Corporal O NA 1 I
Provider name suffix text The name suffix of the provider if the provider is an individual. The name suffix is a “generation-related” suffix, such as Jr., Sr., II, III, IV, or V O NA 1 I
Provider credential text The abbreviations for professional degrees or credentials used or held by the provider, if the provider is an individual. Examples are MD, DDS, CSW, CNA, AA, NP, RNA, or PSY. These credential designations will not be verified by NPS O NA 1 I
Provider first line mailing address The first line mailing address of the provider being identified. This data element may contain the same information as “Provider first line location address” R NA 1, 2 A
Provider second line mailing address The second line mailing address of the provider being identified. This data element may contain the same information as “Provider second line location address” S Required if it exists 1, 2 A
Provider mailing address State name The State or Province name in the mailing address of the provider being identified. This data element may contain the same information as “Provider location address State name” S Required if the address has no State code but contains a State or Province name 1, 2 A
Provider mailing address postal code The postal ZIP or zone code in the mailing address of the provider being identified. NOTE: ZIP code plus 4-digit extension, if available. This data element may contain the same information as “Provider location address postal code” S Required if the address is inside the United States or has an associated postal code 1, 2 A
Provider mailing address country code The country code in the mailing address of the provider being identified. This data element may contain the same information as “Provider location address country code” S Required if address is outside the United States 1, 2 A
Provider mailing address telephone number The telephone number associated with mailing address of the provider being identified. This data element may contain the same information as “Provider location address telephone number” S Required if provider mailing address has a telephone 1, 2 A
Provider mailing address fax number The fax number associated with the mailing address of the provider being identified. This data element may contain the same information as “Provider location address fax number” O NA 1, 2 A
Provider first line location address The first line location address of the provider being identified. For providers with more than one physical location, this is the primary location. This address cannot include a Post Office box R NA 1, 2 A
Provider second line location address The second line location address of the provider being identified. For providers with more than one physical location, this is the primary location. This address cannot include a Post Office box S Required if it exists 1, 2 A
Provider location address city name The city name in the location address of the provider being identified R NA 1, 2 A
Provider location address State code The State code in the location of the provider being identified S Required if address is inside the United States or has an associated State code 1, 2 A
Provider location address State name The State or Province name in the location address of the provider being identified S Required if the address has no State code but contains a State or Province name 1, 2 A
Provider location address postal code The postal ZIP or zone code in the location address of the provider being identified. NOTE: ZIP code plus 4-digit extension, if available S Required if the address is inside the United States or has an associated postal code 1, 2 A
Provider location address country code The country code in the location address of the provider being identified S Required if address is outside the United States 1, 2 A
Provider location address telephone number The telephone number associated with the location address of the provider being identified R NA 1, 2 A
Provider location address fax number The fax number associated with the location address of the provider being identified O NA 1, 2 A
Provider taxonomy code Code designating the provider type, classification, and specialization. Codes are from the Healthcare Provider Taxonomy code list. The NPS will associate these data with the license data for providers with Entity type code = 1 RRPT NA 1, 2 I
Other provider identifier Additional number currently or formerly used as an identifier for the provider being identified. This data element will be captured from the NPI application/update form ORPT NA 1, 2 I
Other provider identifier type code Code indicating the type of identifier currently or formerly used by the provider being identified. The codes may reflect UPIN, NSC, OSCAR, DEA, Medicaid State or PIN identification numbers. This data element will be captured from the NPI application/update form ORPT NA 1, 2 I
Provider enumeration date The date the provider was assigned a unique identifier (assigned an NPI) NG NA 1, 2 A
Last update date The date that a record was last updated or changed NG NA 1, 2 A
NPI deactivation reason code The reason that the provider's NPI was deactivated in the NPS. Codes are: 1 = death of entity type “1” provider; 2 = entity type “2” provider disbandment; 3 = fraud. 4 = other (for example, retirement) S Required if NPI has been deactivated 1, 2 A
NPI deactivation date The date that the provider's NPI was deactivated in the NPS S Required if “NPI deactivation code” contains data 1, 2 A
NPI reactivation date The date that the provider's NPI was reactivated in the NPS NG NA 1, 2 A
Provider birth date The date of birth of the individual being identified S Required if the provider's NPI is Entity type code = 1 1 I
Provider birth State code The code representing the State in which the individual being identified was born. X12N code lists and names will be used for this element S Required if born in United States 1 I
Provider birth country code The code representing the country in which the individual being identified was born S Required if country is other than United States 1 I
Provider gender code The code designating the provider's gender if the provider is a person S Required if the provider's NPI is Entity type code = 1 1 I
Provider license number The license number issued to the provider being identified. The NPS can accommodate multiple license numbers for multiple specialties and for multiple States. The NPS will associate this data element with “provider taxonomy code” SRPT Required for certain “Provider taxonomy codes.” 1, 2 I
Provider license number State code The code representing the State that issued the license to the provider being identified. This field can accommodate multiple States. It is associated with “provider license number SRPT Required if “Provider license number” contains data 1, 2 I
Authorized official last name The last name of the person authorized to submit the NPI application or to change NPS data for a health care provider R 2 I
Authorized official first name The first name of the authorized official R 2 I
Authorized official middle name The middle name of the authorized official S Required if the authorized official has a middle name 2 I
Authorized official title or position The title or position of the authorized official S Required if the authorized official has a title or position 2 I
Authorized official telephone number The 10-position telephone number of the authorized official R 2 I
Contact person last name The last name of the person to be contacted if there are questions about the NPI application or changes in NPS data R 1, 2 I
Contact person first name The first name of the contact person R 1, 2 I
Contact person middle name The middle name of the contact person S Required if the contact person has a middle name 1, 2 I
Contact person name suffix text The name suffix of the contact person (for example, Jr., Sr., II, III, IV, or V) O NA 1, 2 I
Contact person credential text The abbreviations for professional degrees or credentials used or held by the contact person. Examples are M.D., R.N., or PhD O NA 1, 2 I
Contact person title or position The title or position of the contact person S Required if the contact person has a title or position 1, 2 I
Contact person telephone number The 10-position telephone number of the contact person R 1, 2 I
Contact person mailing address electronic mail identifier The electronic mail address associated with the mailing address of the contact person S Required if the contact person has an electronic mail identifier associated with the mailing address of the contact person 1, 2 I

D. New and Revised Standards

Comments and responses on new and revised standards can be found in the Transactions Rule (65 FR 50343). Generally, we may modify a standard after the standard has been in effect for at least a year, unless we determine a modification is necessary sooner in order to permit compliance with the standard. The Secretary may not require compliance with a modification until at least 180 days after the modification is adopted. We will consider requests for modifications to the standard unique health identifier for health care providers.

III. Summary of Revisions to Regulations Text

We added a definition for “Covered health care provider” at § 162.402. In addition to the changes discussed above, minor organizational or conforming changes were made to other sections of the regulations text.

IV. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 30-day notice in the Federal Register and solicit public comment on a collection of information requirement submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

• Whether the information collection is necessary and useful to carry out the proper functions of the agency.

• The accuracy of the agency's estimate of the information collection burden.

• The quality, utility, and clarity of the information to be collected.

• Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

§ 162.410(a)(1) Through (a)(6)Implementation Specifications: Health Care Providers

A health care provider who is a covered entity must obtain, by application if necessary, an NPI from the NPS and must use the NPI it obtained to identify itself on all standard transactions where its provider identifier is required. A covered health care provider must ensure that its subpart(s), if assigned an NPI(s), does the same. A covered health care provider must disclose its NPI, when requested, to any entity that needs the NPI to identify that health care provider in a standard transaction. A covered health care provider must ensure that its subpart(s), if assigned an NPI(s), does the same. A covered health care provider that has been assigned an NPI must notify the NPS of any changes in its required data within 30 days of the change. A covered health care provider must ensure that its subpart(s), if assigned an NPI(s), does the same. A covered health care provider that uses one or more business associates to conduct standard transactions on its behalf must require its business associates to use its NPI and other NPIs appropriately on standard transactions that the business associate conducts on its behalf. A covered health care provider must ensure that its subpart(s), if assigned an NPI(s), and if the subpart(s) uses one or more business associates to conduct standard transactions, does the same.

§ 162.412Implementation Specifications: Health Plans

A health plan must use the NPI of any health care provider or subpart in any standard transaction that requires the standard unique health identifier for health care providers. A health plan may not require a health care provider that has been assigned an NPI to obtain an additional NPI.

§ 162.414Implementation Specifications: Health Care Clearinghouses

A health care clearinghouse must obtain and use the NPI of any health care provider or subpart in any standard transaction that requires the standard unique identifier for health care providers.

Applicability of the PRA to the Requirements

The emerging and increasing uses of health care EDI standards and transactions have raised the issue of the applicability of the PRA. The Office of Management and Budget (OMB) has determined that this regulatory requirement (which mandates that the private sector disclose information and do so in a particular format) constitutes an agency-sponsored third-party disclosure as defined under the PRA.

HIPAA requires the Secretary to adopt standards that have been developed, adopted, or modified by a standard setting organization, unless there is no such standard, or unless a different standard would substantially reduce administrative costs. OMB has concluded that the scope of its review under the PRA would include the review and approval of our decision to adopt or reject an established industry standard, based on the HIPAA criterion of whether a different standard wouldsubstantially reduce administrative costs. For example, if OMB concluded under the PRA that a different standard would substantially reduce administrative costs as compared to an established industry standard, we would be required to reconsider our decision under the HIPAA standards. We would be required to make a new determination of whether it is appropriate to adopt an established industry standard or whether we should enter into negotiated rulemaking to develop an alternative standard (section 1172(c)(2)(A) of the Act).

The burden associated with the requirements of this final rule, which is subject to the PRA, is the initial one-time burden on health care providers who are covered entities to apply for an NPI and later, as necessary, to furnish updates, and on the covered entities identified above to modify their current processes to implement the NPI. However, the burden associated with the routine or ongoing use of the NPI is exempt from the PRA as defined in 5 CFR 1320.3(b)(2).

Based on the assumption that the burden associated with systems modifications that need to be made to implement the NPI may overlap with the systems modifications needed to implement other HIPAA standards, and the fact that the NPI will replace the use of multiple identifiers, resulting in a reduction of burden, commenters should take into consideration when drafting comments that: (1) One or more of these current identifiers may not be used; (2) systems modifications may be performed in an aggregate manner during the course of routine business; and/or (3) systems modifications may be made by contractors such as practice management vendors, in a single effort for a multitude of affected entities.

PRA Burden on Covered Health Care Providers

A health care provider that is a covered entity must obtain, by application if necessary, an NPI from the NPS. It must use its NPI to identify itself on all standard transactions that it conducts where its provider identifier is required. In addition, the covered health care provider must communicate to the NPS any changes to its required NPS data elements within 30 days of the change. To comply with these requirements, these health care providers will complete the NPI application/update form. This form serves two purposes: it enables a covered health care provider to apply for an NPI and to furnish updates to the NPS. Application for an NPI is considered to be a one-time action: an NPI is considered a permanent identifier for a health care provider. (See section II. A. 2., of this preamble, “Definition of Health Care Provider,” for a discussion of the permanent nature of the NPI.) Most covered health care providers will not have to furnish updates in a given year; we estimate, based on information in the Medicare program, that approximately 12.6 percent of those health care providers will need to complete and submit the NPI application/update form in a given year. Below are our estimates for the annual burden hours associated with these requirements.

Applications for NPIs: Estimated Annualized Burden

Notes:(1) Existing health care providers that are covered entities would be able to apply for NPIs over a 2-year period. For the estimated annualized burden, we have divided the number of these health care providers by 2 to estimate the annual burden. (2) Applying for an NPI is a one-time burden on a health care provider. In future years, this burden would apply only to new health care providers that are covered entities. (3) The number of health care providers will increase by 1.56 percent annually. This is not a “net” percentage; it represents strictly the percentage of new health care providers coming into business annually. (4) We estimate it will take 20 minutes to complete the application/update form. (5) We estimate an hourly rate of $10.87, rounded to $11, for office staff to complete the application/update form.

New health care providers come into business every year. The first two years would have increases of 36,124 and 37,251 in new covered health care providers, respectively. The number of new covered health care providers is 1.56 percent of the number of existing health care providers in the previous year.

Updates of NPS Data: Estimated Annualized Burden

Notes:(1) We estimate that 12.6 percent of covered health care providers would need to furnish updates in a given year. The number of health care providers needing to update their data in any year is a percentage of the number of health care providers. (2) A health care provider that is a covered entity that does not have changes to its NPI data would not furnish updates and would, therefore, experience no burden. (3) We estimate it will take 10 minutes to complete the application/update form. (4) We estimate an hourly rate of $10.87, rounded to $11, for office staff to complete the application/update form.

In FY 2007, we estimate there will be 1,157,821 covered health care providers to be assigned NPIs. One could argue that no updates will need to be made in FY 2007 because no covered health care provider would have been enumerated prior to FY 2007. (Note: No health care provider is required to have an NPI before 2007.) However, for FY 2007, we have factored in updates by adding 12.6 percent of the 1,157,821 covered health care providers to represent—in a worst case scenario—a full year's worth of updates if the full 12.6 percent of the enumerated covered health care providers needed to provide updates within that same year.

Table 1 below shows the estimated annualized burden for the PRA.

Table 1.—Paperwork Reduction Act Estimated Annualized Burden. Estimated Annualized Burden
Year20072008200920102011Total
Cost (Burden Hours for Total Providers) $5,419,027 $5,641,062 $183,050 $192,798 $204,079 $11,640,015
Cost (Update Hours) $670,165 $719,050 $759,519 $800,337 $847,167 $3,796,237
Total Annualized Cost $6,089,192 $6,360,111 $942,568 $993,135 $1,051,246 $15,436,252

If feasible, to further reduce burden and plan for compliance with the Government Paperwork Elimination Act, we are considering the acceptance of applications and updates electronically over the Internet. We explicitly solicit comment on how we might conduct this activity in the most efficient and effective manner, while ensuring the integrity, authenticity, privacy, and security of health care provider information.

As required by section 3504(h) of the Paperwork Reduction Act of 1995, we have submitted a copy of this document to the Office of Management and Budget (OMB) for its review of these information collection requirements. If you comment on these information collection and recordkeeping requirements, please e-mail comments to Paperwork@ cms.hhs.gov(Attn: CMS-0045-F) or mail copies directly to the following two addresses:

Centers for Medicare Medicaid Services, Office of Strategic Operations and Regulatory Affairs, Regulations Development and Issuances Group, Room C5-14-03, 7500 Security Boulevard, Baltimore, MD 21244-1850, Attn: James Bossenmeyer, CMS-0045-F;

and

Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503, Attn: Brenda Aguilar, CMS-0045-F, CMS Desk Officer.

V. Regulatory Impact Analysis

A. Overall Impact

We have examined the impacts of this final rule as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.

Executive Order 12866 (as amended by Executive Order 13258, which merely reassigns responsibility of duties) directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects (costs plus savings equal $100 million or more in any one year). We consider this final rule to be a major rule, as it will have an impact of over $100 million on the economy. This impact analysis shows a net savings of $526 million over a 5-year period.

The RFA requires agencies to analyze options for regulatory relief of small businesses. For purposes of the RFA, nonprofit organizations are considered small entities. Small government jurisdictions with a population of less than 50,000 are considered small entities. Individuals and States are not considered small entities. Most hospitals and most other providers and suppliers are small entities, either by nonprofit status or by having annual revenues of less than the threshold published in regulations by the Small Business Administration (SBA).

Effective October 1, 2000, the SBA no longer used the Standard Industrial Classification (SIC) System to categorize businesses and establish size standards, and began using industries defined by the new North American Industry Classification System (NAICS). The NAICS made several important changes to the Health Care industries listed in the SIC System: it revised terminology, established a separate category (Health Care and Social Assistance) under which many health care providers are located, and increased the number of Health Care industries to 30 NAICS industries from 19 Health Services SIC industries.

On November 17, 2000, the SBA published a final rule, which was effective on December 18, 2000, in which the SBA adopted new size standards, ranging from $5 million to $25 million, for 19 Health Care industries and retained the existing $5 million size standard for the remaining 11 Health Care industries. The revisions were made to more appropriately define the size of businesses in these industries that SBA believes should be eligible for Federal small business assistance programs.

On August 13, 2002, the SBA published a final rule that was effective on October 1, 2002. The final rule amended the existing SBA size standards by incorporating OMB's 2002 modifications to the NAICS into its table of small business size standards. The final rule did not affect industries that are considered covered entities by this final rule.

On September 6, 2002, the SBA published a final rule (effective October 1, 2002) that corrected the August 13, 2002, final rule. The final rule corrected errors in the August 13, 2002, final rule and contained a new table of size standards to clearly identify size standards by millions of dollars and by number of employees. Some of those revisions in size standards affected some of the entities that are considered covered entities under this final rule. For example, the SBA revisions increased the annual revenues for offices of physicians to $8.5 million (other practitioners' offices' revenues remained at $6 million) and increased the small business size standard for hospitals to $29 million in annual revenues.

The regulatory flexibility analysis for this final rule is linked to the aggregate regulatory flexibility analysis for all the Administrative Simplification standards that appeared in the Transactions Rule (65 FR 50312), published on August 17, 2000, which predated the SBA changes noted above. In addition, all HIPAA regulations published to date have used the SBA size standards that existed at the time of the publication of the Transactions Rule. Because the SBA size standard changes predate the effective date of this final rule, we are using the current SBA small business size standards for the regulatory flexibility analysis for this final rule. Although the SBA has raised the small business size standards, the revised size standards have no effect on the cost and benefit analysis for this final rule. The revised standards simply increase the number of health care providers that are classified as small businesses. Although the SBA revisions changed the size standard for health plans by increasing from $5 million to $6 million in annual revenues the small business size standard, this change has a minimal effect on this final rule. Because all HIPAA administrative simplification regulations permit small health plans an additional year in which to comply with the implementation specifications and requirements, a greater number of small health plans would have the additional year, due to the SBA size standard revisions.

While each standard may not have a significant impact on a substantial number of small businesses, the combined effects of all the standards are likely to have a significant effect on a substantial number of small businesses. However, this final rule will affect small businesses, such as small health care providers, health plans, and health care clearinghouses, in much the same way as it affects large businesses.

Small businesses that are covered entities must meet the provisions of this final rule and implement the standard unique health care provider identifier standard. The requirements placed on small health care providers, health care clearinghouses, and health plans would be consistent with the complexity of their operations. Small health plans have an additional year in which to comply. A more detailed analysis of the impact on small businesses is part of the impact analysis that we published on August 17, 2000 (65 FR 50312), for all the HIPAA standards.

In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform tothe provisions of section 604 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a Metropolitan Statistical Area and has fewer than 100 beds. This final rule will have no more significant impact on small rural hospitals than it will have on other small health care providers.

Section 202 of the Unfunded Mandates Reform Act (UMRA) of 1995 (2 U.S.C. 1532) requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditure in any one year by State, local, or tribal governments, in the aggregate, or by the private sector, of $110 million. This final rule establishes a Federal private sector mandate and is a significant regulatory action within the meaning of section 202 of UMRA. We have included the statements to address the anticipated effects of this final rule under section 202 of UMRA.

This standard applies to State and local governments in their roles as covered entities. Covered entities must implement the requirements in this final rule; thus, this final rule imposes unfunded mandates on them. Further discussion of this issue is found in the previously published impact analysis for all Administrative Simplification standards (65 FR 50312).

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. The proposed rule that proposed the NPI as the standard unique health identifier for health care providers was published prior to the signing of that Executive Order. We could not solicit comments on the effect of Executive Order 13132 on the adoption of the health care provider identifier standard.

This final rule will have a substantial effect on State and local governments to the extent that those entities are covered entities. As early as 1993, CMS (then the Health Care Financing Administration) led a workgroup whose goal was to develop a provider identification system for all health care providers. The system was intended to meet the needs of the Medicare and Medicaid programs, and eventually other programs. State Medicaid agencies in Alabama, California, Minnesota, Virginia and Maryland participated in this effort, along with representatives from the private sector and several other Federal agencies. The first task of the workgroup was to decide if an existing identifier could be used or if a new one needed to be developed. The workgroup developed criteria for a unique provider identifier, examined existing identifiers, and concluded that a new identifier needed to be developed. The workgroup developed the NPI, and we proposed the NPI as the standard unique health identifier for health care providers in the proposed rule.

States continue to hold memberships on the National Uniform Claim Committee and the National Uniform Billing Committee, and continue to be represented in the X12N and Health Level Seven standards development organization workgroups and committees. As a result, States have in the past, and continue to have, input into the development of new standards and the modification of existing standards.

As stated in the previously published impact analysis in 65 FR 50312, we do not have sufficient information to provide estimates of the impact of the administrative simplification standards on local governments.

In complying with the requirements of part C of title XI, the Secretary established interdepartmental implementation teams who consulted with appropriate State and Federal agencies and private organizations. These external groups included the NCVHS's Subcommittee on Standards and Security, the Workgroup for Electronic Data Interchange (WEDI), the National Uniform Claim Committee (NUCC), the National Uniform Billing Committee (NUBC), and the American Dental Association (ADA). The teams also received comments on the May 7, 1998, proposed regulation from a variety of organizations, including State Medicaid agencies and other Federal agencies.

We received comments from State agencies and from entities that conduct transactions with State agencies. Many of the comments referred to the costs to State and local governments of implementing the HIPAA standards. We believe that these costs will be offset by future savings (see the impact analysis of 65 FR 50350).

Other comments regarding States reflected the need for clarification as to when State agencies were subject to the standards.

B. Anticipated Effects

The Regulatory Flexibility Act of 1980 considers all 31 nonprofit Blue Cross-Blue Shield Health Plans to be small businesses. Additionally, 28 percent of HMOs are considered small businesses because of their nonprofit status. Doctors of osteopathy, dentistry, podiatry, as well as chiropractors, and solo and group physicians' offices with fewer than three physicians, are considered small businesses. Forty percent of group practices with three or more physicians and 100 percent of optometrist practices are considered small businesses. Seventy-two percent of all pharmacies, 88 percent of medical laboratories, 100 percent of dental laboratories, and 90 percent of durable medical equipment suppliers are assumed to be small businesses as well.

This analysis required that we use data and statistics about various entities that operate in the health data information industry.

We believe the best source for information about the health data information industry is Faulkner Gray's Health Data Directory. This publication is the most comprehensive data directory of its kind that we could find. The information in this directory is gathered by Faulkner Gray editors and researchers who called all of the more than 3,000 organizations that are listed in the book in order to elicit information about their operations. Some businesses are listed as more than one type of business entity because, in reporting the information, companies could list themselves to be as many as three different types of entities. For example, some businesses listed themselves as both practice management vendors and claims software vendors because their practice management software was “EDI enabled.”

All the statistics referencing Faulkner Gray's come from the 2000 edition of its Health Data Directory. It lists 78 claims clearinghouses, which, according to the Health Data Directory are entities that generally take electronic and paper health care claims data from health care providers and billing companies that prepare bills on a health care provider's behalf. The claims clearinghouse acts as a conduit for health plans; its activities may include batching claims and routing transactions to the appropriate health plan in a form that expedites payment.

Of the 78 claims clearinghouses listed in this publication, eight processed more than 20 million electronic transactions per month. Another 15 handled 2 million or more transactions per month and another 4 handled over a million electronic transactions per month. The remaining 39 entities listed in the data dictionary processed fewer than a million electronic transactions per month. Almost all of these entities have annual revenues of under $6 million and would therefore be considered small entities.

Software system vendors provide computer software applications supportto health care clearinghouses, billing companies, and health care providers. In particular, they work with health care providers' practice management and health information systems. These businesses provide integrated software applications for such services as accounts receivable management, electronic claims submission (patient billing), recordkeeping, patient charting, practice analysis, and patient scheduling. Some software vendors also provide applications that translate information on paper and information in electronic records having no standard formats into standard electronic formats that are acceptable to health plans.

Faulkner Gray lists 78 physician practice management vendors and suppliers, 76 hospital information systems vendors and suppliers, 140 software vendors and suppliers for claims-related transactions, and 20 translation vendors (now known as Interface Engines/Integration Tools). We were unable to determine the number of these entities with revenues over $6 million, but we assume most of these businesses would be considered small entities.

The costs of implementing the NPI are primarily one-time or short-term costs related to conversion. These costs are characterized as follows: software conversion, cost of automation, training, implementation, and cost of documentation and implementation guides.

As stated earlier in this final rule, health care providers will not be charged for obtaining an NPI. Covered health care providers will have to apply for NPIs and will have to furnish updates to the NPS when their required data changes. (However, if health care providers are enumerated through the bulk enumeration process described earlier in this preamble, they will not have to apply for NPIs, and they will be notified of their NPIs. Those that are covered health care providers will have to furnish updates to the NPS when their required data changes and will have to ensure that their subparts, if assigned NPIs via bulk enumeration or otherwise, do the same. These burden estimates are discussed in section IV, “Collection of Information Requirements,” of this preamble.) In addition, covered health care providers will have to bear the costs of converting to the NPI, as will health plans and health care clearinghouses. Health plans, health care clearinghouses, and covered health care providers are required to implement the NPI. Most of these entities meet the SBA's definition of small entities.

Health plans, health care clearinghouses, and health care providers who are covered entities must use NPIs in standard transactions and must make the necessary changes and conversions in order to do so. Conversion will require training for staff and will require changes to documentation, procedures, records, and software. Some covered health care providers that do not already do so may choose to use the services of software system vendors, billing companies, and/or health care clearinghouses to facilitate the transition to the NPI. While there may be up-front costs associated with some of the required changes, the fact that only one health care provider number (the NPI) will be used in standard transactions will simplify business, improve efficiency, and create savings. The format of the NPI (all numeric) will facilitate telephone keypad entry; the check-digit in the 10th position will detect keying and data entry errors; and the lack of intelligence built into the NPI will eliminate the need to issue a new health care provider number (and maintain records of such issuances) whenever changes occur that would impact that intelligence.

After being assigned NPIs, covered health care providers will have to furnish the NPS with updates to their required NPS data in the NPS within 30 days of the changes. It is very likely that the NPS data will duplicate some of the information that health care providers furnish to health plans when they enroll in health plans (although health plans traditionally collect far more information about a health care provider than the NPS will collect). Because health care providers must keep health plans apprised of updates to their data, the requirement that covered health care providers apprise the NPS of updates should not be a significant burden on those health care providers.

The extended effective date of the NPI should allow sufficient time for health plans, health care clearinghouses, and health care providers who are covered entities to implement the changes needed to accommodate the NPI.

Lastly, HIPAA gives small health plans an extra year (36 months instead of 24 months from the effective date) in which to implement the NPI.

The May 7, 1998, proposed rule for the National Provider Identifier (NPI) contained a cost-benefit analysis based on the aggregate impact of all the HIPAA administrative simplification standards for electronic data interchange (EDI). The Comment/Response section related to the proposed aggregate analysis, and a final aggregate impact analysis, are contained in the Transactions Rule at 65 FR 50345. We address the specific impact of the NPI in section V.D. of this preamble, “Specific Impact of the NPI.”

C. Alternatives Considered

Guiding Principles for Standard Selection

As explained in the May 7, 1998, proposed rule (at 63 FR 25323), the implementation teams charged with designating standards under the statute defined, with significant input from the health care industry, a set of common criteria for evaluating potential standards. These criteria are based on direct specifications in HIPAA, the purpose of the law, and principles that support the regulatory philosophy set forth in Executive Order 12866 of September 30, 1993, and the Paperwork Reduction Act of 1995. These criteria also support and are consistent with the principles of the Paperwork Reduction Act of 1995. In order to be designated as a standard, a proposed standard should:

• Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic HIPAA health care transactions. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden.

• Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses. This principle supports the regulatory goal of cost-effectiveness.

• Be consistent and uniform with the other HIPAA standards—their data element definitions and codes and their privacy and security implementation specifications—and, secondarily, with other private and public sector health data standards. This principle supports the regulatory goals of consistency and avoidance of incompatibility, and it establishes a performance objective for the standard.

• Have low additional development and implementation costs relative to the benefits of using the standard. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden.

• Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time. This principle supports the regulatory goal of predictability.

• Have timely development, testing, implementation, and updating procedures to achieve administrativesimplification benefits faster. This principle establishes a performance objective for the standard.

• Be technologically independent of the computer platforms and transmission protocols used in HIPAA health transactions, except when they are explicitly part of the standard. This principle establishes a performance objective for the standard and supports the regulatory goal of flexibility.

• Be precise and unambiguous, but as simple as possible. This principle supports the regulatory goals of predictability and simplicity.

• Keep data collection and paperwork burdens on users as low as is feasible. This principle supports the regulatory goals of cost-effectiveness and avoidance of duplication and burden.

• Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and health care provider types) and information technology. This principle supports the regulatory goals of flexibility and encouragement of innovation.

We assessed the various candidates for a health care provider identifier against the principles listed above, with the overall goal of achieving the maximum benefit for the least cost. We found that the NPI met all the principles and that no other candidate identifier met all the principles, or even those principles supporting the regulatory goal of cost-effectiveness. We received comments suggesting that we consider or reconsider the Taxpayer Identifying Number or the Social Security Number for individual health care providers and the Employer Identification Number for organizations as the standard unique health identifier for health care providers. We responded to these comments in section II. A. 3. of this preamble, “NPI Standard.”

One possible alternative in the development of the identifier was to allow intelligence to be included in it. We rejected this alternative on qualitative grounds because it meant that individuals might get more than one identifier in their lifetimes. Cost considerations also contributed to our decision.

If intelligence were built into the identifier, the operating cost of the enumeration system would rise for several reasons. First, additional information would need to be collected and verified so that the intelligence in the identifier would be accurate. Secondly, new identifiers for individuals and organizations would need to be assigned because the embedded intelligence would change.

The cost to health plans would also increase. First, their systems might need to be adapted to use the intelligence in the identifier. Secondly, they would have to keep track of the more frequent changes in identifiers, and revise their processes accordingly.

An intelligent identifier would also be more expensive for health care providers. They would have to reapply for identifiers if the information in the intelligence changed. Additionally, they would have to revise their systems to change their identifiers every time they changed.

These quantitative reasons support our choice not to include intelligence in the identifier.

Need to Convert

Because there is no standard health care provider identifier in widespread use throughout the industry, adopting any of the candidate identifiers would require covered entities to convert to the new standard. In the case of the NPI, covered entities will have to convert because this identifier is not in use presently. As we pointed out in the May 7, 1998, proposed rule in our analysis of the candidates, even the identifiers that are in use are not used for all purposes or for all health care provider classifications. The selection of the NPI does not impose a greater burden on the industry than the nonselected candidates, and presents significant advantages in terms of cost-effectiveness, universality, uniqueness, and flexibility.

Complexity of Conversion

Some existing health care provider identifier systems assign multiple identifiers to a single health care provider in order to distinguish the multiple identities the health care provider has in the system. For example, in these systems, the health care provider may have a different identifier to represent each contract or provider agreement, practice location, and specialty or health care provider classification. Since the NPI is a unique identifier for a health care provider, it will not distinguish these multiple identities. Systems that need to distinguish these identities will need to use data other than the NPI to do so. The change to using other data will add complexity to the conversion to the NPI (or to any other standard health care provider identifier), but it is necessary in order to achieve the goal of unique identification of the health care provider.

The complexity of the conversion will also be significantly affected by the degree to which health plans' processing systems currently rely on intelligent identifiers. For example, a health plan may route claims to different processing routines based on the type of health care provider by keying on a health care provider type code included in the identifier. Converting from one unintelligent identifier to another is less complex than modifying software logic to obtain needed information from other data elements. However, the use of an unintelligent identifier is required in order to meet the guiding principle of ensuring flexibility.

Specific technology limitations of existing systems could affect the complexity of conversion. For example, some existing health care provider data systems use a telephone keypad to enter data. Data entry of alpha characters is inconvenient in these systems.

Comments were strong in suggesting that the NPI be an all-numeric identifier, be 10 positions in length, and include a check-digit in the 10th position. (See section II. A. 3. of this preamble, “NPI Standard,” for a full description of comments on the characteristics of the identifier.) As stated in that section, in response to comments, we changed the format of the NPI to an all-numeric number, 10 positions in length, with a check-digit in the 10th position. There will be no intelligence about the health care provider in the number. This format satisfies the comments for easier data entry and the need for a number that will be short enough to fit into most existing data formats.

The selection of the NPI does not impose a greater burden on the industry than the nonselected candidates.

D. Specific Impact of the National Provider Identifier

In the May 7, 1998, proposed rule (at 63 FR 25349), we included a section that related to the specific impact of the health care provider identifier. That section of the proposed rule also indicated the Federal, State, and private costs associated with the enumeration options set out in the proposed rule.

Proposed Provisions

The May 7, 1998, proposed rule for the National Provider Identifier (NPI) contained a cost-benefit analysis based on the aggregate impact of all the HIPAA administrative simplification standards for electronic data interchange (EDI). The response to comments on the proposed aggregate analysis is contained in the Transactions Rule (at 65 FR 50345). The Transactions Rule also includes an updated impact analysis (at 65 FR 50350).

One section of the impact analysis that was published in the May 7, 1998, proposed rule for the NPI (at 63 FR 25351) contained a discussion of the costs of enumerating health care providers under each of the two enumeration options that were described in the proposed rule. Table 5, entitled “Enumeration Costs: Federal, State, and Private,” was included in this part of the impact analysis in the proposed rule. This table compared the costs for each of the two proposed enumeration options. Below we respond to the comments received about that part of the impact analysis.

Comments and Responses on the Specific Impact of the National Provider Identifier

Comment: One commenter stated that the pharmacy industry will not see huge gains in the standardization of the NPI for prescriber and pharmacy because de facto standard identifiers exist for these two provider types.

Response: We agree that the pharmacy industry may not realize the benefits from standardization of health care provider numbers as quickly as other segments of the health care industry because the pharmacy industry already uses numbers to identify health care providers and pharmacies. However, once NPIs are assigned to health care providers and once the entire health care industry begins to use the NPI, we believe the pharmacy industry will see the benefits of replacing its de facto standards with the national standard. The Drug Enforcement Administration (DEA) number was established by the DEA to identify those who prescribe or store controlled substances. It is the pharmacy industry's de facto identifier for prescribers. In developing the NPI, we considered several existing identifiers as candidates for the national health care provider identifier. One of those considered was the DEA number. However, the use of the DEA number as a national health care provider identifier does not fit the scope for which the DEA number was established. In addition, the DEA number is not available to all health care providers and, as a result, would not be appropriate as the national health care provider identifier. The National Council for Prescription Drug Programs (NCPDP) provider number, formerly called the National Association of Boards of Pharmacy (NABP) number, is the pharmacy industry's de facto identifier for pharmacies. This number was also considered a candidate for the national health care provider identifier, but did not meet two of the criteria deemed necessary for a standard identifier: it would not yield a sufficient number of identifiers and it contained intelligence.

Comment: Several commenters suggested revisions to our definitions of “HIPAA-transaction health care provider” and “non-HIPAA-transaction health care provider.” They found the terms confusing.

Response: We agree and do not use those terms in this final rule.

Comment: One commenter asked that we insert the word “costs” after “start-up” and “outyear” in Table 5 headings and definitions.

Response: This comment is not applicable, as we do not include Table 5 in this final rule. We refer the reader to the discussion under “Final Provisions” in this section.

Comment: One commenter stated that we did not factor in atypical service providers that are exclusive to the Medicaid program.

Response: The Medicaid program's atypical and nontraditional service providers were included in Table 5 in the May 7, 1998, proposed rule. However, as explained in section II. A. 2, “Definition of Health Care Provider” in this preamble, most of them do not meet our definition of health care provider. Therefore, they are not included in our analyses in this final rule.

Comment: Several commenters stated the estimate that 5 percent of health care providers participating in Federal health plans and Medicaid would have updates each year is conservative and that the number is more like 12 to 15 percent. Another commenter believes it to be even higher.

Response: We have not seen documentation that would convince us our estimate was incorrect at the time the May 7, 1998, proposed rule was published. In the proposed rule, we estimated that 5 percent of the health care providers who are covered entities that conduct business with Federal health plans or Medicaid would require updates each year, and that 15 percent of the remaining health care providers that are covered entities (those that do business only with private insurers) would require updates each year. In general, health plans (including Federal health plans and Medicaid) collect more information from their enrolled health care providers than the NPS will collect when a health care provider applies for an NPI. Thus, there is more information subject to change for health care providers that are enrolled in a health plan. This fact could explain why health plans sometimes have a greater percentage of updates than what we estimated for NPI purposes in the proposed rule, and could have been the basis on which the comment was made. The proposed rule did not include calculations for updates for health care providers who are not covered entities; we would expect that percentage would not exceed 15 percent. We computed the weighted average of the percentages of health care providers that would require updates that were used in the proposed rule (using 15 percent for these health care providers). We have concluded that approximately 12.6 percent of all existing health care providers will have updates each year.

Comment: Several commenters said that erroneous assumptions were used in stating that the costs to Federal health plans (including Medicare) and Medicaid would be zero for enumerating their own health care providers. The costs would be substantial.

Response: We acknowledge that there would have been costs to Medicaid State agencies and to Federal health plans in manipulating and reformatting their health care provider files and transferring them to CMS for loading into the NPS. There would also have been ongoing costs to Medicaid State agencies and other Federal health plans to obtain NPIs for their health care providers under option 2. In manipulating and reformatting the files, problems could be discovered in some of the health care provider records that would require investigation and resolution. The costs of investigating and resolving these problems were not recognized earlier and, therefore, were not considered in the May 7, 1998, proposed rule.

Comment: One commenter stated that the costs for option 1 as shown in Table 5 did not reflect the savings that would have accrued by preloading Medicare provider files into the NPS.

Response: While the narrative portion of the impact analysis did mention that Medicare provider files would be preloaded into the NPS under both options 1 and 2, the commenter is correct in that this was not reflected in Table 5 for option 1. However, as stated earlier in this preamble, Medicare provider files will be loaded into the NPS only if it is feasible to do so.

Final Provisions

We stated in the May 7, 1998, proposed rule that we cannot determine the specific economic impact of the NPI (and individually, each HIPAA administrative simplification standard may not have a significant impact). The overall impact analysis (65 FR 50355) made it clear that, collectively, all the standards will have a significant impact of over $100 million on the economy.The implementation costs and benefits of the NPI were factored into that overall impact analysis.

However, that impact analysis used certain assumptions that have not been realized. For example, it was assumed that all of the HIPAA standards would be issued and effective at about the same time, so that covered entities would be making their system changes at one time. For various reasons, standards have been issued and effective over a much longer period of time than expected. For example, the transaction and code set standards were published in 2000 and must be implemented by October 2003. Security standards are to be implemented by April 2005, and the NPI must be used by 2007.

Because the compliance dates cover such an extended period of time, we will estimate part of the overall cost and savings for health plans and health care providers that can be attributed to the NPI. We continue to use the impact analysis previously referenced as the set of total costs and savings.

Because the standards for transactions and codes sets, the employer identifier, and security have already been published, we assume that covered entities have already made significant system investments. Because they were aware that the NPI was an upcoming standard, they may have also made some accommodations in their systems to be able to use the NPI when it is assigned. The NPI has already been identified as a future identifier in the implementation specifications for the transaction standards.

There will still be costs and savings related to the implementation of the NPI by health plans and health care providers. These will, however, be small in comparison to those for transaction standards and security. The NPI affects only a small part of the system and business processes for any covered entity.

We estimate that the NPI would entail 10 percent of the costs and 5 percent of the savings for health plans. Health plans would need to make some system changes from their current identifiers to the NPI. They would save in not having to maintain a system of identifiers that exist today. We would estimate that for health care providers, the NPI would represent 5 percent of the costs and 10 percent of the savings. Health care providers need only to substitute the NPI for their current identifier(s). They reap greater savings by not having to keep track of separate identifiers for each health plan and possibly for each location, address, or contractual arrangement. (However, as noted earlier in this preamble, health plans may require health care providers to use identifiers other than the NPI for uses other than standard transactions.)

Looking at the overall impact analysis, while 2007 is the initial year for using the NPI, it would be the analogous to the first year of the overall impact analysis, in which most of the costs are incurred. Using the figures from above, we make the following estimates for 2007:

Table 2.—Costs of Implementing the NPI in 2007
[In millions of dollars, rounded to the nearest million]
Health Plans:
2002 Cost from Impact Analysis −146
2002 Savings 24
2007 Net for NPI for Health Plans −122
Health Care Providers:
2002 Cost from Impact Analysis −79
2002 Savings 61
2007 Net for NPI for Health Care Providers −18

Note:

The figures in Table 2 have been adjusted to reflect dollars expressed for 2007.

We perform the same calculations for the next 4 years. This yields the following results:

Table 3.—Costs of Implementing the NPI, 2007-2011
Year20072008200920102011Total
[In millions of dollars, rounded to the nearest million]
Health Plan Costs 146 146 134 0 0 426
Health Plan Savings 24 49 73 91 103 341
Provider Costs 73 73 67 0 0 213
NPI Application and Update Costs 6 6 1 1 1 15
Provider Savings 61 122 183 219 256 840
Net Savings −140 −55 54 309 358 526
NPS Costs 91 9 9 9 9 128

Note:

The figures in Table 3 have been adjusted to reflect dollars expressed for each year.

All costs of NPS development and operation (which include the costs of enumerating health care providers and maintaining their information in the NPS, and the costs of disseminating NPS data to the health care industry and others, as appropriate) are Federal costs. As mentioned earlier in this preamble, HHS will contract for system development and for the enumeration, update, and data dissemination activities. We estimate the following costs for operations of the National Provider System (NPS), keeping in mind that the NPS will enumerate both covered and noncovered health care providers, and that health care providers are not being charged for obtaining NPIs.

E. Affected Entities

Health Care Providers

Health care providers and subparts, as appropriate, will apply for NPIs. Health care providers that are covered entities must begin to use NPIs in standard transactions no later than 24 months after the effective date of this regulation; and they must ensure that their subparts, if assigned NPIs, do the same. Covered health care providers that need to be identified on standard transactions must disclose their NPIs, upon request, to entities that are required to use those health care providers' NPIs on standard transactions. Covered health care providers must ensure that their subparts, if assigned NPIs, do the same. Any negative impact on health care providers generally would be related to the initial implementation period. They would incur implementation costs for converting systems, especially those that generate electronic claims, from current health care provider identifiers to the NPI. Some health care providers would incur those costs directly and others would incur them in the form of fee increases from billing associates and health care clearinghouses.

Covered health care providers will have to use their NPIs on standard claims transactions and any other standard transactions that they conduct; they will have to ensure that theirsubparts, if assigned NPIs, do the same. They will also have to obtain and use the NPIs of other health care providers if those NPIs are needed on those transactions. If covered health care providers' subparts are assigned NPIs, the covered health care providers must ensure that their subparts do the same. This will be a more significant implementation workload for larger organization health care providers, such as hospitals, that will have to capture the NPIs for each health care provider practicing in the hospital if those health care providers need to be identified on hospital claims. However, these health care providers are accustomed to maintaining these types of data. Some health care providers will need access to the NPIs of other health care providers in order to identify those health care providers on standard transactions. In this regard, we encourage all health care providers to obtain NPIs and, when requested, to disclose their NPIs to covered entities that need them for inclusion on health care transactions. Some health care providers, particularly ones that do not do business with large health plans, may be resistant to obtaining NPIs and providing data about themselves to a national database.

Claims processing and timely payments to health care providers could possibly be affected as health plans transition to the NPI. We encourage health plans to conduct outreach efforts in order to minimize disruptions in claims processing and timely payment.

Covered health care providers are required to also furnish updates to their required NPS data within 30 days of the changes. Covered health care providers must ensure that their subparts, if assigned NPIs, do the same. (We encourage other health care providers to do the same.) The vast majority of health plans issue identifiers to the health care providers with which they conduct business in order to facilitate the electronic processing of claims and other transactions. The information that health care providers must supply in order to receive an NPI is significantly less than the information most health plans require from a health care provider in order to enroll in a health plan. We will attempt to make the processes of obtaining NPIs and updating NPS data as easy as possible for health care providers, reducing duplication of effort wherever possible and making the processes as automated as possible. Neither the statute nor this final rule requires charging health care providers (or their subparts) to receive NPIs.

After the compliance date, health care providers will no longer have to keep track of and use different identifiers with different health plans when conducting standard transactions. This should simplify health care provider billing systems and processes and reduce administrative expenses. A standard identifier should facilitate and simplify coordination of benefits, resulting in faster, more accurate payments.

Health Plans

HIPAA does not prohibit health plans from requiring their enrolled health care providers to obtain NPIs.

Health plans will have to modify their systems to use the NPI. This conversion will have a one-time cost impact on Federal, State, and private health plans and is likely to be more costly for health plans with complex systems that rely on intelligent provider numbers. Disruption of claims processing and payment delays could result. However, health plans will be able to schedule their implementation of the NPI and other standards in a manner that best fits their needs, as long as they meet the deadlines specified in this and the other final rules that implement the administrative simplification provisions. Upon the NPI compliance dates, health plans' coordination of benefits activities should be greatly simplified because all health plans will use a unique standard health care provider identifier for each health care provider. In addition, utilization review and other payment safeguard activities will be facilitated, since health care providers would use only one identifier and could be easily tracked over time and across geographic areas. Health plans currently assign their own identification numbers to health care providers as part of their enrollment procedures, and this practice would no longer be necessary. Existing enumeration systems maintained by Federal health programs could be phased out, and savings would result. Health care clearinghouses will face impacts (both positive and negative) similar to those experienced by health plans. However, implementation will likely be more complex, because health care clearinghouses deal with many health care providers and health plans. Health care providers that are not covered entities that do not wish to apply for NPIs will necessitate the need for health care clearinghouses to accommodate health care provider identifiers in addition to the NPI.

In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.

List of subjects in 45 cfr part 162

Administrative practice and procedure, Electronic transactions, Health facilities, Health insurance, Hospitals, Incorporation by reference, Medicare, Medicaid, Reporting and recordkeeping reports.

For the reasons set forth in the preamble, 45 CFR subchapter C part 162 is amended as follows:

Part 162—administrative requirements

1. The authority citation continues to read as follows:

Authority:

Secs. 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

2. A new subpart D is added to read as follows:

Subpart d—standard unique health identifier for health care providers

Sec. 162.402 162.404 162.406 162.408 162.410 162.412 162.414

Subpart d—standard unique health identifier for health care providers

§ 162.402

Covered health care provider means a health care provider that meets the definition at paragraph (3) of the definition of “covered entity” at § 160.103 of this subchapter.

§ 162.404

(a)Health care providers. A covered health care provider must comply with the implementation specifications in § 162.410 no later than May 23, 2007.

(b)Health plans. A health plan must comply with the implementation specifications in § 162.412 no later than one of the following dates:

(1) A health plan that is not a small health plan—May 23, 2007.

(2) A small health plan—May 23, 2008.

(c)Health care clearinghouses. A health care clearinghouse must comply with the implementation specifications in § 162.414 no later than May 23, 2007.

§ 162.406

(a)Standard. The standard unique health identifier for health care providers is the National Provider Identifier (NPI). The NPI is a 10-position numeric identifier, with a check digit in the 10th position, and no intelligence about the health care provider in the number.

(b)Required and permitted uses for the NPI.

(1) The NPI must be used as stated in § 162.410, § 162.412, and § 162.414.

(2) The NPI may be used for any other lawful purpose.

§ 162.408

National Provider System. The National Provider System (NPS) shall do the following:

(a) Assign a single, unique NPI to a health care provider, provided that—

(1) The NPS may assign an NPI to a subpart of a health care provider in accordance with paragraph (g); and

(2) The Secretary has sufficient information to permit the assignment to be made.

(b) Collect and maintain information about each health care provider that has been assigned an NPI and perform tasks necessary to update that information.

(c) If appropriate, deactivate an NPI upon receipt of appropriate information concerning the dissolution of the health care provider that is an organization, the death of the health care provider who is an individual, or other circumstances justifying deactivation.

(d) If appropriate, reactivate a deactivated NPI upon receipt of appropriate information.

(e) Not assign a deactivated NPI to any other health care provider.

(f) Disseminate NPS information upon approved requests.

(g) Assign an NPI to a subpart of a health care provider on request if the identifying data for the subpart are unique.

§ 162.410

(a) A covered entity that is a covered health care provider must:

(1) Obtain, by application if necessary, an NPI from the National Provider System (NPS) for itself or for any subpart of the covered entity that would be a covered health care provider if it were a separate legal entity. A covered entity may obtain an NPI for any other subpart that qualifies for the assignment of an NPI.

(2) Use the NPI it obtained from the NPS to identify itself on all standard transactions that it conducts where its health care provider identifier is required.

(3) Disclose its NPI, when requested, to any entity that needs the NPI to identify that covered health care provider in a standard transaction.

(4) Communicate to the NPS any changes in its required data elements in the NPS within 30 days of the change.

(5) If it uses one or more business associates to conduct standard transactions on its behalf, require its business associate(s) to use its NPI and other NPIs appropriately as required by the transactions that the business associate(s) conducts on its behalf.

(6) If it has been assigned NPIs for one or more subparts, comply with the requirements of paragraphs (a)(2) through (a)(5) of this section with respect to each of those NPIs.

(b) A health care provider that is not a covered entity may obtain, by application if necessary, an NPI from the NPS.

§ 162.412

(a) A health plan must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required.

(b) A health plan may not require a health care provider that has been assigned an NPI to obtain an additional NPI.

§ 162.414

A health care clearinghouse must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required.

Subpart f—standard unique employer identifier

3. In § 162.610, paragraph (c) is added to read as follows: § 162.610 * * * * *

(c) Required and permitted uses for the Employer Identifier.

(1) The Employer Identifier must be used as stated in § 162.610(b).

(2) The Employer Identifier may be used for any other lawful purpose.

Authority:

Secs. 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d—1320d-8), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

(Catalog of Federal Domestic Assistance Program No. 93.774, Medicare—Supplementary Medical Insurance Program.)

Dated: October 16, 2003. Tommy G. Thompson,

Secretary.

References

Loading most recent entriesloading

Feedback