[Federal Register: January 23, 2004 (Volume 69, Number 15)]
[Rules and Regulations]
[Page 3433-3469]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr23ja04-10]
[[Page 3433]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Part 162
HIPAA Administrative Simplification: Standard Unique Health Identifier
for Health Care Providers; Final Rule
[[Page 3434]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 162
[CMS-0045-F]
RIN 0938-AH99
HIPAA Administrative Simplification: Standard Unique Health
Identifier for Health Care Providers
AGENCY: Centers for Medicare & Medicaid Services, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule establishes the standard for a unique health
identifier for health care providers for use in the health care system
and announces the adoption of the National Provider Identifier (NPI) as
that standard. It also establishes the implementation specifications
for obtaining and using the standard unique health identifier for
health care providers. The implementation specifications set the
requirements that must be met by ``covered entities'': Health plans,
health care clearinghouses, and those health care providers who
transmit any health information in electronic form in connection with a
transaction for which the Secretary has adopted a standard (known as
``covered health care providers''). Covered entities must use the
identifier in connection with standard transactions.
The use of the NPI will improve the Medicare and Medicaid programs,
and other Federal health programs and private health programs, and the
effectiveness and efficiency of the health care industry in general, by
simplifying the administration of the health care system and enabling
the efficient electronic transmission of certain health information.
This final rule implements some of the requirements of the
Administrative Simplification subtitle F of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).
EFFECTIVE DATE: May 23, 2005, except for the amendment to Sec.
162.610, which is effective on January 23, 2004. Health care providers
may apply for NPIs beginning on, but no earlier than, May 23, 2005.
FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.
SUPPLEMENTARY INFORMATION:
Copies: To order copies of the Federal Register containing this
document, send your request to: New Orders, Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date
of the issue requested and enclose a check or money order payable to
the Superintendent of Documents, or enclose your Visa or Master Card
number and expiration date. Credit card orders can also be placed by
calling the order desk at (202) 512-1800 or by faxing to (202) 512-
2250. The cost for each copy is $10. As an alternative, you can view
and photocopy the Federal Register document at most libraries
designated as Federal Depository Libraries and at many other public and
academic libraries throughout the country that receive the Federal
Register. This Federal Register document is also available from the
Federal Register online database through GPO access, a service of the
U.S. Government Printing Office. The Web site address is http://www.access.gpo.gov/nara/index.html.
This document is also available
from the Department's Web site at http://aspe.hhs.gov/admnsimp/.
I. Background
In order to administer its programs, a health plan assigns
identification numbers to its providers of health care services and its
suppliers. A health plan may be, among other things, a Federal program
such as Medicare, a State Medicaid program, or a private health plan.
The identifiers it assigns are frequently not standardized within a
single health plan or across health plans, which results in the single
health care provider having different identification numbers for each
health plan, and often having multiple billing numbers issued within
the same health plan. This complicates the health care provider's
claims submission processes and may result in the assignment of the
same identification number to different health care providers by
different health plans.
A. NPI Initiative
In July 1993, the Centers for Medicare & Medicaid Services (CMS)
(formerly the Health Care Financing Administration (HCFA)), undertook a
project to develop a health care provider identification system to meet
the needs of the Medicare and Medicaid programs and, ultimately, the
needs of a national identification system for all health care
providers. Active participants in the project represented both
government and the private sector. The project participants decided to
develop a new identifier for health care providers because existing
identifiers did not meet the criteria for national standards. The new
identifier, known as the National Provider Identifier (NPI), did not
have the limitations of the existing identifiers, and it met the
criteria that had been recommended by the Workgroup for Electronic Data
Interchange (WEDI) and the American National Standards Institute
(ANSI).
B. The Results of the NPI Initiative
As a result of the project, and before the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191,
which was enacted on August 21, 1996, required the adoption and use of
a standard unique identifier for health care providers, CMS and the
other project participants accepted the NPI as the standard unique
health identifier for health care providers. CMS decided to implement
the NPI for Medicare, and began work on developing the National
Provider System (NPS), which was intended to capture health care
provider data and be equipped with the technology necessary to maintain
and manage the data. The NPS was intended to be able to accept health
care provider data in order to uniquely identify a health care provider
and assign it an NPI. The NPS was intended to be designed so it could
be used by other Federal and State agencies, and by private health
plans, if deemed appropriate, to enumerate their health care providers
that did not participate in Medicare.
C. Legislation
The Congress included provisions to address the need for a standard
unique health identifier for health care providers and other health
care system needs in the Administrative Simplification provisions of
HIPAA. Through subtitle F of title II of that law, the Congress added
to title XI of the Social Security Act (the Act) a new part C, entitled
``Administrative Simplification.'' (Pub. L. 104-191 affects several
titles in the United States Code.) The purpose of part C is to improve
the Medicare and Medicaid programs in particular, and the efficiency
and effectiveness of the health care system in general, by encouraging
the development of a health information system through the
establishment of standards and implementation specifications to
facilitate the electronic transmission of certain health information.
Part C of title XI consists of sections 1171 through 1179 of the
Act. These sections define various terms and impose requirements on the
Secretary of the Department of Health and Human Services (HHS), health
plans, health care clearinghouses, and certain health care providers
concerning the adoption of standards and implementation specifications
relating to health
[[Page 3435]]
information. Section 1173(b) of the Act requires the Secretary to adopt
standards providing for a standard unique health identifier for each
individual, employer, health plan, and health care provider for use in
the health care system and to specify the purposes for which the
identifiers may be used. It also requires the Secretary to consider
multiple locations and specialty classifications for health care
providers in developing the standard health identifier for health care
providers. We discussed other general aspects of the HIPAA statute in
greater detail in the May 7, 1998, proposed rule (63 FR 25320).
D. Plan for Implementing Administrative Simplification Standards
On May 7, 1998, we proposed a standard unique health identifier for
health care providers and requirements concerning its implementation
(63 FR 25320). That proposed rule also set forth requirements that
health plans, health care clearinghouses, and covered health care
providers would have to meet concerning the use of the standard. On May
7, 1998, we also proposed standards for transactions and code sets (63
FR 25272). We published the final rule, entitled Health Insurance
Reform: Standards for Electronic Transactions (the Transactions Rule),
on August 17, 2000 (65 FR 50312). On May 31, 2002, in two separate
proposed rules, we published proposed modifications to the Standards
for Electronic Transactions. We published a final rule adopting
modifications to the Transactions Rule on February 20, 2003 (68 FR
8381).
On November 3, 1999, we proposed standards for privacy of
individually identifiable health information (64 FR 59918). We
published the final rule, entitled Standards for Privacy of
Individually Identifiable Health Information (the Privacy Rule), on
December 28, 2000 (65 FR 82462). On March 27, 2002, we proposed
modifications to the Privacy Rule. On August 14, 2002, we published
modifications to the Privacy standards in a final rule, entitled
``Standards for Privacy of Individually Identifiable Health
Information'' (the Privacy Rule Modifications) (67 FR 53182).
On June 16, 1998, we proposed the standard unique employer
identifier (63 FR 32784). On May 31, 2002, we published the final rule,
entitled ``Standard Unique Employer Identifier'' (67 FR 38009).
On August 12, 1998, we proposed standards for security and
electronic signatures (63 FR 43242). On February 20, 2003, we published
the final rule on security standards (the Security Rule) (68 FR 8334).
On April 17, 2003, we published an interim final rule adopting
procedures for the investigation and imposition of civil money
penalties and the conduct of hearings when the imposition of a penalty
is challenged (68 FR 18895). The interim final rule is the first
installment of a larger rule, known as the Enforcement Rule, the rest
of which is to be proposed at a later date.
We will be proposing standards for the unique health plan
identifier and claims attachments.
In the May 7, 1998, proposed rule for the standard unique health
identifier for health care providers, we proposed to add a new part 142
to title 45 of the Code of Federal Regulations (CFR) for the
administrative simplification standards and requirements. We have
decided to codify the final rules in 45 CFR part 162 instead of part
142. The Transactions Rule (65 FR 50312) explains why we made this
change and lists the subparts and sections comprising part 162. In this
final rule, we reference the proposed text using part 142, and
reference the final text using part 162.
In the Transactions Rule, we addressed (at 65 FR 50314) the
comments that were made on issues that were common to the proposed
rules on standards for electronic transactions, the standard employer
identifier, the standards for security and electronic signatures, and
the standard health care provider identifier. Those issues relate to
applicability, definitions, general effective dates, new and revised
standards, and the aggregate impact analysis. In that final rule, we
set out the general requirements in part 160 subpart A and part 162
subpart A. We refer the reader to that rule for more information on all
but our discussion of issues pertinent to the standard unique health
identifier for health care providers and the definition of health care
provider.
E. Employer Identifier Standard: Waiver of Proposed Rulemaking and
Effective Date for Uses of Employer Identifier
As stated in section I.D., ``Plan for Implementing Administrative
Simplification Standards,'' of this preamble, we published the final
rule that adopted the standard unique employer identifier on May 31,
2002 (67 FR 38009). The Employer Identifier was adopted as that
standard effective July 30, 2002. We amend Sec. 162.610 as explained
below.
We ordinarily publish a correcting amendment of proposed rulemaking
in the Federal Register and invite public comment on the correcting
amendment before its provisions can take effect. We also ordinarily
provide a delay of 30 days in the effective date of the final rule. We
can waive notice and comment procedure and the 30-day delay in the
effective date, however, if we find good cause that a notice and
comment procedure is impracticable, unnecessary, or contrary to the
public interest and we incorporate a statement in the correcting
amendment of this finding and the reasons supporting that finding.
We find that seeking public comment on and delaying the effective
date of this correcting amendment would be contrary to the public
interest. Section 1173(b)(2) of the Act requires that the standards
regarding unique health care identifiers specify the purposes for which
they may be used. Section 162.610 requires a covered entity to use the
standard unique employer identifier--the employer identification number
(EIN) assigned by the Internal Revenue Services (IRS), U.S. Department
of the Treasury--in standard transactions that require an employer
identifier. Unless Sec. 162.610 is amended to permit use of the
standard unique employer identifier for all other lawful purposes, the
Act could be read to subject covered entities that use their EIN for
other purposes to civil money penalties under section 1176 of the Act
and criminal penalties under section 1177 of the Act, a result that we
did not intend. The IRS requires any taxpayer assigned an EIN to use
the EIN as its taxpayer identifying number. Statutes and regulations
also authorize or require other Federal agencies, including the
Departments of Agriculture, Commerce, Education, Housing and Urban
Development, and Labor, to collect EINs in connection with
administering various Federal programs and laws. Since some of these
agencies may conduct transactions with covered entities or may be
covered entities in their own right, failure to promptly publish the
correcting amendment could cause conflict between Sec. 162.610 and
other statutory and regulatory directives, generating uncertainty for
covered entities and potentially disrupting the administration of other
Federal programs and laws. We believe that it is necessary to eliminate
that uncertainty and potential disruption and to do so as soon as
practicable by amending Sec. 162.610 to include as permitted uses of
the EIN all other lawful purposes. Therefore, we find good cause to
waive the notice and comment procedure and the 30-day
[[Page 3436]]
delay in the effective date as being contrary to the public interest.
II. Provisions of the Regulations and Discussion of Public Comments
Within each section of this final rule, we set forth the proposed
provision contained in the May 7, 1998, proposed rule, summarize and
respond (if appropriate) to the comments we received on the proposed
provision, and present the final provision.
It should be noted that the proposed rule contained multiple
proposed ``requirements.'' In this final rule, we replace the term
``requirement'' with the term ``implementation specification,'' where
appropriate. We do this to maintain consistency with the use of those
terms as they appear in the statute and the other published HIPAA
rules. Within the comment and response portion of this final rule, for
purposes of continuity, however, we use the term ``requirement'' when
we are referring specifically to matters from the proposed rule. In all
other instances, we use the term ``implementation specification.''
In the May 7, 1998, proposed rule, we proposed a standard unique
health identifier for health care providers. We listed the kinds of
identifying information that would be collected about each health care
provider in order to assign the identifier.
In addition to the requirement that health care providers use the
standard, the May 7, 1998, proposed rule also proposed other
requirements for health care providers:
[sbull] Each health care provider must obtain, by application if
necessary, an NPI.
[sbull] Each health care provider must accept and transmit NPIs
whenever required on all standard transactions it accepts or transmits
electronically.
[sbull] Each health care provider must communicate to the National
Provider System (NPS) any changes to the data elements in its record in
the NPS within 60 days of the change.
[sbull] Each health care provider may receive and use only one NPI.
An NPI is inactivated upon death or dissolution of the health care
provider.
A. General Provisions
1. Applicability
The May 7, 1998, proposed rule for the standard unique health
identifier for health care providers discussed the applicability of
HIPAA to covered entities. The proposed rule provided that section 262
(Administrative Simplification) of HIPAA applies to health plans,
health care clearinghouses, and health care providers when health care
providers electronically transmit any of the transactions to which
section 1173(a)(1) of the Act refers. Comments received with respect to
Applicability are discussed in sections II. A. 2., ``Definition of
Health Care Provider,'' and II. A. 5., ``Implementation Specifications
for Health Care Providers, Health Plans, and Health Care
Clearinghouses'' of this preamble.
2. Definition of Health Care Provider
In the Transactions Rule, we summarized the comments we received on
the definitions we proposed in the May 7, 1998, NPI proposed rule (at
63 FR 25324), with the exception of the definition of ``health care
provider.'' We codified all of the definitions in 45 CFR 160.103 and 45
CFR 162.103. Specifically, we codified the definition of ``health care
provider'' at 45 CFR 160.103. We are responding in this preamble to the
comments we received on the definition of ``health care provider,'' as
we believe that these comments present issues that are more relevant to
the standard unique health identifier for health care providers. As
appropriate, our responses refer to discussions and decisions that were
published in the Privacy Rule (65 FR 82462). This final rule does not
change the definition of ``health care provider'' at Sec. 160.103.
This final rule adds the definition of ``covered health care provider''
at Sec. 162.402.
Proposed Provisions (Sec. 142.103)
In the May 7, 1998, proposed rule, we proposed to define ``health
care provider'' as a provider of services as defined in section 1861(u)
of the Act, a provider of medical or other health services as defined
in section 1861(s) of the Act, and any other person who furnishes or
bills and is paid for health care in the normal course of business (63
FR 25325). We based the proposed definition on section 1171(3) of the
Act for the reasons we stated in the May 7, 1998, proposed rule.
Comments and Responses on the Definition of ``Health Care Provider''
Comment: We received many comments concerning the kinds of entities
that should receive NPIs. Some of these comments recommended that the
definition of a ``health care provider'' be constructed narrowly to
restrict the kinds of entities that would be eligible to receive NPIs;
others recommended that the definition be constructed broadly. Comments
did not reflect a consensus or majority view across all commenters or
even within the two groups of commenters who recommended a narrow or a
broad definition of ``health care provider.''
Commenters favoring a narrow definition of ``health care provider''
gave the following examples of entities to which NPIs should or should
not be issued:
[sbull] Only to those licensed to furnish health care.
[sbull] Only to individuals and entities that furnish health care.
[sbull] Only to billing health care providers.
[sbull] Only to licensed health care providers that furnish care,
bill, and are paid by third party payers for services.
[sbull] Not to physicians who have opted out of government medical
programs.
[sbull] Not to groups, partnerships, or corporations.
[sbull] Not to entities that bill or are paid for health care
services furnished by other health care providers. A billing or pay-to
entity should be identified by its taxpayer identifying number, not by
an NPI.
[sbull] Not to clearinghouses, administrative services only
vendors, billing services, or health care provider service locations.
Commenters favoring a broad definition of ``health care provider''
gave the following examples of entities to which NPIs should be issued:
[sbull] Any health care provider that has a taxpayer identifying
number.
[sbull] Any individual or organization, including Independent
Practice Associations and clearinghouses, that ever has custody of or
transmits a health care claim or encounter record.
[sbull] All health care provider groups.
[sbull] Each billing health care provider, health care provider
billing location, pay-to provider, performing health care provider,
health care provider service location, and health care provider
specialty.
[sbull] Each incorporated individual and ``doing business as'' name
of an organization.
[sbull] The lowest organizational level of an entity that needs to
be identified.
Response: Although there was no consensus from commenters as to
which entities should receive NPIs, several principles can be inferred.
Many commenters who favored a narrow definition of ``health care
provider'' want to simplify the current situation for health care
providers; that is, a health care provider may have many health care
provider numbers assigned by health plans for different business
functions. The health care provider numbers sometimes represent the
actual health care provider that furnishes health care, but may also
represent the health care provider's
[[Page 3437]]
service locations, corporate headquarters, specialties, pay-to
arrangements, or contracts. Those who favored a narrow definition
generally believed the NPI should represent only the health care
provider that furnishes health care.
Commenters who favored a broad definition of ``health care
provider'' recognized the many business functions and uses in health
care transactions fulfilled by health care provider numbers today.
These business functions will continue to need to be performed after
the implementation of the NPI. In order for the NPI to replace the
multiple, proprietary health care provider numbers assigned by health
plans today, the NPI must be assigned so that the business functions
can continue. Those who favored a broad definition believed that if the
NPI is not able to identify the health care provider entities that must
be identified in an electronic health care claim or equivalent
encounter information transaction, health plans will be forced to
continue to use their existing proprietary health care provider numbers
and the NPI will add to, rather than replace or simplify, health care
provider numbering systems currently in use.
The varying needs for health care provider numbers guided our
decisions on which entities would be eligible to receive NPIs. Our
general rule is that all health care providers, as we define that term
in the regulations, will be eligible to receive NPIs. We discuss this
in detail later in this section.
It is important to note that not all health care providers who are
eligible to receive NPIs will necessarily be required to comply with
the HIPAA regulations. This is because some health care providers are
not covered entities under HIPAA. The fact that a health care provider
obtains an NPI does not impose covered entity status on that health
care provider. Only those entities that (1) meet the definition of
health care provider at Sec. 160.103, and (2) transmit health
information in electronic form on their own behalf, or that use a
business associate to transmit health information in electronic form on
their behalf, in connection with a transaction for which the Secretary
has adopted a standard (a covered transaction) are health care
providers who are required to comply with the HIPAA regulations. These
health care providers are covered health care providers and are
considered ``covered entities'' under HIPAA. As noted above, we add a
definition of ``covered health care provider'' at Sec. 162.402.
The following discussion clarifies the eligibility of health care
providers to be assigned NPIs and distinguishes between those that are
covered entities under HIPAA and those that are not.
``Health care provider'' is defined in the regulations at Sec.
160.103 as follows ``Health care provider means a provider of services
as defined in section 1861(u) of the Act, 42 U.S.C. 1395X(u), a
provider of medical or health services as defined in section 1861(s) of
the Act, 42 U.S.C. 1395x(s), and any other person or organization who
furnishes, bills, or is paid for health care in the normal course of
business.'' Examples of health care providers included in this
definition are: Physicians and other practitioners; hospitals and other
institutional providers; suppliers of durable medical equipment,
supplies related to health care, prosthetics, and orthotics; pharmacies
(including on-line pharmacies) and pharmacists; and group practices.
Additional examples are health maintenance organizations that may be
considered health care providers as well as health plans if they also
provide health care.
There are individuals and organizations that furnish atypical or
nontraditional services that are indirectly health care-related, such
as taxi, home and vehicle modifications, insect control, habilitation,
and respite services. These types of services are discussed in the
Transactions Rule at 65 FR 50315. As stated in that Rule, many of these
services do not qualify as health care services because the services do
not fall within our definition of ``health care.'' An individual or
organization must determine if it provides any services that fall
within our definition of ``health care'' at Sec. 160.103. If it does
provide those services, it is considered a health care provider and
would be eligible for an NPI. If it does not, and does not provide
other services or supplies that bring it within the definition of
``health care provider,'' it would not be a health care provider under
HIPAA, and would not be eligible to receive an NPI.
The nonhealth care services of some atypical or nontraditional
service providers are reimbursed by some health plans. Nevertheless,
there is no requirement under HIPAA to use the standard transactions
when submitting electronic claims for these types of services, because
claims for these services are not claims for health care. (Health
plans, however, are free to establish their own requirements for
submitting claims in these circumstances, which means that a health
plan could require atypical and nontraditional service providers to
submit standard transactions. The health plans could not require these
entities to obtain NPIs to use in those transactions, however, because
those entities are not eligible to receive NPIs.)
There are other individuals and organizations that, in the normal
course of business, bill or receive payment for health care that is
furnished by health care providers. These individuals and organizations
may include billing services, value-added networks, and repricers.
While these entities bill for health care, we do not read the statutory
definition of ``health care provider'' as encompassing them. Rather,
they would usually be acting as agents of health care providers in
performing the billing function, or as health care clearinghouses
assuming that they perform the data translation function described in
the definition of ``health care clearinghouse'' at Sec. 160.103. The
definition of ``health care clearinghouse'' specifically lists these
entities as examples of health care clearinghouses. The health care
industry does not consider these types of entities to be health care
providers. Further, we do not believe that the Congress intended for
them to be considered as such, as the statutory definition of ``health
care provider'' refers only to ``other person furnishing health care
services or supplies'' and thus would exclude persons who only bill
for, but do not furnish, health care services or supplies. Thus, this
final rule does not include billing services and similar entities as
health care providers. Therefore, because these kinds of entities are
not health care providers, they will not be eligible for NPIs.
Comment: The Workgroup for Electronic Data Interchange (WEDI)
commented that the NPI should be the only identifier for health care
providers when the HIPAA transactions require provider identification.
WEDI suggested that, to the extent provider-payer contracts require
locations, location codes, and contract references, these should be
handled outside of the NPS. To the extent numbers associated with
providers (for example, Taxpayer Identifying Number (TIN) and Drug
Enforcement Administration (DEA) number) are required for specific
purposes other than provider identification, the HIPAA transactions
should accommodate those numbers (and qualifiers) in the appropriate
segments of the transactions.
WEDI recommended that:
[sbull] Health care providers who are individual human beings
obtain one and only one NPI for life;
[sbull] Health care providers endeavor to have only one NPI per
organization, but
[[Page 3438]]
that the final decision on how many NPIs are necessary for an
organization health care provider be left to the health care provider;
and
[sbull] At a minimum, and as the most critical criterion, the NPS
data associated with any additional NPIs that an organization decides
to obtain must not be identical to those associated with any other NPI
in use by the organization.
Some commenters supported our proposal that, if a separate physical
location of an organization health care provider, member of a chain, or
subpart of an organization health care provider needs to be separately
identified, it would be eligible to get a separate NPI. A few
commenters stated that different physical locations or subparts of an
organization health care provider should not get separate NPIs. One
commenter recommended that the NPS issue separate NPIs for separate
physical locations, members of a chain, or subparts of an organization
health care provider only if these are separately licensed or
certified. The commenter believes that the issuance of separate
licenses and certifications justifies their recognition as separate
health care providers. Another commenter recommended that the NPS issue
separate NPIs for these entities if Medicare considers the entities to
be separate health care providers. A number of large health plans
consider each physical location of a supplier of health care-related
supplies to be a separate health care provider in order to uniquely
identify it on claims to enable accurate pricing and reimbursement.
Response: We agree in concept with the recommendations made by
WEDI.
At the time we published the proposed rule and received public
comments on it, the Secretary had not yet adopted standards for any of
the HIPAA Administrative Simplification provisions. Since that time,
and as noted in section I. D., ``Plan for Implementing Administrative
Simplification Standards'' of this preamble, the Secretary has adopted
a number of Administrative Simplification standards, including the
Privacy and Security standards. The following discussion describes the
assignment of NPIs to certain organization health care providers and
the relationship, if any, of the assignment methodology to the
standards and implementation specifications adopted in the Privacy and
Security Rules.
Many health care providers that are organizations (such as
hospitals and chains of suppliers of health care-related supplies,
pharmacies, and others) are made up of components or separate physical
locations. Many of these components or separate physical locations are
separately certified or licensed by States as health care providers.
[sbull] Examples of hospital components include outpatient
departments, surgical centers, psychiatric units, and laboratories.
These components are often separately licensed or certified by States
and may exist at physical locations other than that of the hospital of
which they are a component. Many health plans consider these components
to be health care providers in their own right. Many of these
components bill independently of the hospital of which they are a
component.
[sbull] Organization health care providers that are chains
generally have a corporate headquarters and a number of separate
physical locations. A durable medical equipment supplier chain, for
example, has a corporate headquarters and separate physical locations
at which durable medical equipment is dispensed to patients. The
separate physical locations are generally separately licensed or
certified by States. They often operate independently of each other and
usually do their own billing. Many health plans consider each separate
physical location to be a health care provider itself; and many of
these health plans, including Medicare, reimburse for these items based
on the geographic location where the items are dispensed to patients
and not on the geographic location of the corporate headquarters.
An entity that meets certain Federal statutory implementation
specifications and regulations is eligible to participate in the
Medicare program. Our definition of ``health care provider'' at Sec.
160.103 includes those eligible to participate in Medicare as described
in Federal statute (that is, in Sec. 1861(s) and Sec. 1861(u) of the
Social Security Act). These entities, according to Federal statute and
regulations, must be issued their own identification numbers in order
to bill and receive payments from Medicare. The Federal statutes and
regulations similarly affect the Medicaid program.
Health care providers that are covered entities (see the definition
at Sec. 160.103) are required to comply with this final rule. Thus,
while all health care providers (as defined in Sec. 160.103) are
eligible to be assigned NPIs and may, therefore, obtain NPIs, health
care providers that are covered entities must obtain NPIs. As mentioned
earlier in this section, a health care provider that is not a covered
entity and which has been assigned an NPI does not become a covered
entity as a result of NPI assignment.
We refer to the components and separate physical locations
described in the bulleted examples above as ``subparts'' of
organization health care providers.
We use the term ``subpart'' to avoid confusion with the term
``health care component'' in the Privacy and Security Rules. We discuss
terms and concepts in the Privacy and Security Rules later in this
section.
Section 1173(b)(1) of the Act provides that the Secretary ``shall
take into account multiple uses for identifiers and multiple locations
and specialty classifications for health care providers.'' This
language indicates that Congress realized that certain health care
providers operate at multiple locations and/or provide multiple types
of health care services, and intended that the identifier standard take
these variations in circumstance into account. We accommodate this
language by requiring covered health care providers to obtain NPIs for
subparts of their organizations that would otherwise meet the tests for
being a covered health care provider themselves if they were separate
legal entities, and permitting health care providers to obtain NPIs for
subparts that do not meet these tests but otherwise qualify for
assignment of an NPI. For example, a subpart may qualify for assignment
of an NPI based on such factors as the subpart having a location and
licensure separate from the organization health care provider of which
it is a subpart. Licensure is often indicative of specialty (Healthcare
Provider Taxonomy) classification. Thus, the assignment scheme created
by this final rule provides flexibility in addressing the varied
circumstances of health care providers, as Congress intended.
A ``subpart'' described in this final rule may differ from a
``health care component'' described in the Privacy and Security Rules.
Therefore, it is appropriate to discuss these concepts and their
relationship, if any, to the assignment of NPIs as established by this
final rule.
Standards and implementation specifications for the Privacy and
Security standards fall under part 164--Security and Privacy, of 45
CFR, whereas the implementation specifications for the standard unique
health identifier for health care providers (and for the other
identifiers mandated by HIPAA) are within part 162--Administrative
Implementation Specifications, of 45 CFR. The broad concepts of
ownership, control, and structure of covered entities are relevant
[[Page 3439]]
to determining the scope of, and defining responsibility for,
implementing the Privacy and Security standards; therefore, we
addressed those concepts in those rules. On the other hand, the
concepts of ownership, control, and structure are of no significant
value or importance in determining the health care providers that may
be eligible to obtain NPIs, which is why those concepts are not
discussed in this final rule.
The term ``hybrid entity'' is defined in part 164, which is
applicable to the Privacy and Security Rules, and may be a factor in
determining responsibility for the implementation of the Privacy and
Security standards and implementation specifications. It is defined in
Sec. 164.103 and is discussed in the Privacy Rule at 65 FR 82502. It
is possible that an organization health care provider may be a hybrid
entity and, as such, may designate health care components for purposes
of implementing the Privacy and Security Rules. It is possible and,
indeed, likely that subparts as described earlier in this preamble may
be health care components of a hybrid entity. It is also possible that
the subparts may not align precisely with the designated health care
components. There is no necessary correlation between what is a subpart
and what is a health care component, and there need not be because, as
stated above, the nature and function of the Privacy and Security
standards differ from those of the health care provider identifier
standard. The level of assignment of NPIs must be adequate to enumerate
entities that meet the definition of ``health care provider'' at Sec.
160.103. It is, therefore, possible that a designated health care
component may in essence be assigned multiple NPIs if the health care
component is made up of multiple health care providers or subparts, as
described earlier.
The term ``organized health care arrangement'' is discussed in the
Security and Privacy Rules and is defined at Sec. 160.103. It is
possible that subparts that are also health care components may elect
to come together to form an organized health care arrangement. Whether
or not subparts participate in an organized health care arrangement for
purposes of implementing the Privacy or Security standards has no
effect on their eligibility to be assigned NPIs.
It must be kept in mind, with respect to the subparts as described
in this preamble, that the organization health care provider is a legal
entity and is the covered entity under HIPAA if it (or a subpart or
component) transmits health information in electronic form (or uses a
business associate to do so) in connection with a covered transaction.
The subparts are simply parts of the legal entity. The legal entity--
the covered entity--is ultimately responsible for complying with the
HIPAA rules and for ensuring that its subparts and/or health care
components are in compliance. The organization health care provider, of
which the subpart is a part, is responsible for ensuring that the
subpart complies with the implementation specifications in this final
rule. The organization health care provider is responsible for
determining if its subpart or subparts must be assigned NPIs, as
discussed above in this section of the preamble. The organization
health care provider is also responsible for applying for NPIs for its
subparts or for instructing its subparts to apply for NPIs themselves.
(That is, it is not necessary that an application for an NPI be made by
the organization health care provider on behalf of its subpart.)
Comment: Some commenters expressed concern that the professional
claim or equivalent encounter information transaction be able to
accommodate address or location information associated with billing,
pay-to, and furnishing health care providers.
Response: The ASC X12N 837 Health Care Claim: Professional, adopted
in the Transactions Rule, accommodates addresses for all these
entities.
Comment: Some commenters stated their desire for an identifier to
represent each service address, for the purpose of reporting the
location of service on a professional health care claim.
Response: We believe that the location of service can properly be
reported by use of data elements in the standard professional health
care claim or equivalent encounter information transaction. The address
where service was furnished (if different from the billing or pay-to
provider's address and if not at the patient's home) is accommodated in
the X12N 837 Professional Claim in the Service Facility Location loop.
For these reasons, we do not believe a health care provider identifier
needs to be assigned to every address at which a service can be
provided. If health plans need service location data in addition to the
data that are accommodated in the standard health care claim
transaction, they should notify the organization responsible for that
transaction (see Sec. 162.910 and Sec. 162.1102).
Comment: Several commenters named specific kinds of practitioners
or entities that should be eligible to receive NPIs. These commenters
cited practitioners who write prescriptions, home health housekeepers,
long-term care providers, providers of home health services, meals on
wheels, and transportation.
Response: Entities that do not furnish health care, and do not meet
the definition of health care provider, will not be eligible to receive
NPIs. A title does not necessarily indicate that an entity does or does
not furnish health care. Entities who are unsure as to whether they are
health care providers should check the definition of ``health care'' in
Sec. 160.103 to determine whether the kinds of services they furnish
are health care services.
Comment: Some commenters stated that billing services should not
receive NPIs. None of these commenters gave a definition or criteria to
distinguish billing services from entities that would be eligible to be
assigned NPIs. Other commenters stated that these definitions and
criteria would be difficult to apply.
Response: As stated earlier in this section, billing services do
not meet our regulatory definition of health care provider and,
therefore, will not be eligible for NPIs. Generally, the health care
provider that furnished health care is the ``Billing provider'' on the
X12N 837 transaction and would identify itself with an NPI. If a
billing service needs to be identified as the ``Billing provider,'' it
would identify itself with either an Employer Identification Number
(EIN) or a Social Security Number (SSN).
Comment: Several commenters noted that the term ``medical care'' in
our descriptions of individual and organization health care providers
should be replaced with the term ``health care.'' They were concerned
that one could construe ``medical care'' to mean only care that was
physician-supplied or physician-authorized.
Response: We agree with the comment and have replaced the term
``medical care'' with ``health care'' in our discussion of individual
and organization health care providers.
Comment: A majority of commenters stated that the NPS should not
distinguish between organization health care providers and group health
care providers. The NPS should collect the same data for both. A few
other commenters suggested a definition for group, but did not suggest
that different data should be collected for a group health care
provider than for an organization health care provider.
Response: As described in the proposed rule (at 63 FR 25325), group
health care providers are entities composed of one or more individuals
(members), generally created to provide coverage of patients' needs in
terms of office hours, professional backup and
[[Page 3440]]
support, or range of services resulting in specific billing or payment
arrangements. Organization health care providers are health care
providers who are not individual health care providers (that is, health
care providers who are human beings). Examples of organization health
care providers are hospitals, pharmacies, and nursing homes. For
purposes of this rule, we consider group health care providers to be
organization health care providers. There is additional information
about these health care providers in section II.C.1.(d) of this
preamble.
We agree with the majority of commenters that the NPS should
collect the same data for group and organization health care providers.
Because the same data are collected, there is no need for separate
definitions of group and organization health care providers for NPI
enumeration purposes.
Comment: Several commenters suggested that an NPI suffix or sub-
identifier (sub-ID) be used to identify physical locations or subparts
of a health care provider. Two commenters suggested that we explore the
need for an electronic data interchange (EDI) identifier for
transaction routing.
Response: We considered allowing each health care provider, if it
so chose, to establish sub-IDs under its NPI. The health care provider
might use the sub-IDs for different physical locations, subparts, EDI
transaction routing, or other purposes. We decided not to establish
sub-IDs because our decisions regarding which entities would be
eligible to receive NPIs (including separate physical locations and
subparts of certain kinds of organization health care providers)
obviate the need for them. Sub-IDs may be useful as a later
implementation feature that would support EDI routing or other
purposes. We will consider an expansion at a later time to include
them, if we determine that they would be beneficial.
Comment: Many commenters stated that all health care providers
should be able to obtain NPIs, whether they conduct health care
transactions electronically or on paper. Some commenters stated that
health care providers that do not conduct any of the transactions named
in HIPAA should be able to obtain NPIs.
Response: All health care providers--as we define that term--may
obtain NPIs. Only covered health care providers are required to obtain
and use NPIs in standard transactions.
Comment: Many commenters stated that NPIs should be mandatory for
paper and fax transactions, as well as electronic.
Response: In the May 7, 1998, proposed rule, we did not propose to
apply this standard to paper transactions. Therefore, we focus on
standards for electronic transactions. Most of the paper forms
currently in use today cannot accommodate all of the data content
included in the standard transactions. This does not prevent health
plans from requiring for paper transactions the same data, including
identifiers, as are required by the HIPAA regulations for electronic
transactions.
Final Provisions (Sec. 160.103)
As defined by section 1171(3) of the Act, a ``health care
provider'' is a provider of services as defined in section 1861(u) of
the Act, a provider of medical or other health services as defined in
section 1861(s) of the Act, and any other person who furnishes health
care services or supplies. Section 160.103 defines ``health care
provider'' as the statute does and clarifies that the definition of a
``health care provider'' includes any other person or organization that
furnishes, bills, or is paid for health care in the normal course of
business.
Section 1173(b)(1) of the Act requires the Secretary to adopt
standards providing for a standard unique health identifier for each
health care provider, and to take into account multiple uses,
locations, and specialty classifications for health care providers. All
health care providers who meet our definition of ``health care
provider'' at Sec. 160.103, regardless of whether they conduct
transactions electronically or on paper or conduct any covered
transactions will be eligible to apply for health care provider
identifiers.
We define ``covered health care provider'' at Sec. 162.402.
Subparts of organization health care providers, as described earlier in
this section, may be assigned NPIs.
Registered nurses, dental hygienists, and technicians are examples
of entities who furnish health care but who do not necessarily conduct
covered transactions. They are eligible to receive NPIs because they
are health care providers.
We define two categories of health care providers for enumeration
purposes. A data element, the ``Entity type code,'' in the NPS record
for each health care provider will indicate the appropriate category.
[sbull] NPIs with an ``Entity type code'' of 1 will be issued to
health care providers who are individual human beings. Examples of
health care providers with an ``Entity type code'' of 1 are physicians,
dentists, nurses, chiropractors, pharmacists, and physical therapists.
[sbull] NPIs with an ``Entity type code'' of 2 will be issued to
health care providers other than individual human beings, that is,
organizations. Examples of health care provider organizations with an
``Entity type code'' of 2 are: hospitals; home health agencies;
clinics; nursing homes; residential treatment centers; laboratories;
ambulance companies; group practices; health maintenance organizations;
suppliers of durable medical equipment, supplies related to health
care, prosthetics, and orthotics; and pharmacies.
Entities that participate in the Medicare program and many that
participate in the Medicaid program are eligible for NPIs. (Note,
however, our discussion of atypical and nontraditional service
providers earlier in this section.) Many subparts of organization
health care providers (as discussed earlier in this section) are
eligible to be assigned NPIs, and an NPI must be obtained for, or by,
them if they would be considered a covered health care provider if they
were a separate legal entity. By definition, subparts are not
themselves legal entities; the legal entity is the organization health
care provider of which they are a subpart. Organization health care
provider subparts--because they too are organizations--will be issued
NPIs with ``Entity type code'' of 2.
We do not consider individuals who are health care providers (that
is, they meet our definition of ``health care provider'' at Sec.
160.103) and who are members or employees of an organization health
care provider to be ``subparts'' of those organization health care
providers, as described earlier in this section. Individuals who are
health care providers are legal entities in their own right. The
eligibility for an ``Entity type code 1'' NPI of an individual who is a
health care provider and a member or an employee of an organization
health care provider is not dependent on a decision by the organization
health care provider as to whether or not an NPI should be obtained
for, or by, that individual. The eligibility for an ``Entity type code
1'' NPI of a health care provider who is an individual is separate and
apart from that individual's membership or employment by an
organization health care provider. If such an individual is a covered
health care provider, he or she is required to obtain an NPI. An
example of the above discussion is a physician who is a member of a
group practice. Both are health care providers and, therefore, both may
apply for NPIs, but the physician would receive an
[[Page 3441]]
``Entity type code 1'' NPI, while the group practice would receive an
``Entity type code 2'' NPI. If either is a covered health care
provider, that covered health care provider must apply for an NPI.
``Entity type code'' determinations will be made according to the
following:
[sbull] An individual human being furnishes health care. The
described individual is a health care provider and will be assigned an
NPI with an ``Entity type code'' of 1.
[sbull] An organization furnishes health care. The described
organization is a health care provider and will be assigned an NPI with
an ``Entity type code'' of 2.
[sbull] An organization health care provider subpart, as described
earlier in this section, is a health care provider and will be assigned
an NPI with an ``Entity type code'' of 2.
Hereafter in this preamble, we include these subparts in our
references to health care providers unless there is a reason to
distinguish them.
An NPI will be used to identify the health care provider on a
health care claim or equivalent encounter information transaction. If
an organization health care provider consists of subparts that are
identified with their own unique NPIs, a health plan may decide to
enroll none, one, or a limited number of them (and to use only the
NPI(s) of the one(s) it enrolls). A health plan may not require a
health care provider or a subpart of an organization health care
provider that has an NPI to obtain another NPI for any purpose. Links
among the various NPI types may be made and maintained by health plans
and other users of the NPS data, but will not be maintained in the NPS.
The data to be collected by the NPS for health care providers are
described in section II. C. 2. of this preamble, ``Data Elements and
Data Dissemination.'' The NPS will capture data elements for health
care providers with an ``Entity type code'' of 1 (individuals) that are
different from those that it will capture for those with an ``Entity
type code'' of 2 (organizations) because the data available to search
for duplicates (for example, date and place of birth) are different.
The NPS will ensure the uniqueness of the NPI by assigning only one NPI
to a health care provider with a distinct string of data in the NPS.
The NPS will contain the kinds of data necessary to adequately
categorize each entity to which it assigns an NPI. An NPI will be a
lasting identifier for the health care provider to which it has been
assigned. For health care providers with an ``Entity type code'' of 1,
the NPI will be a permanent identifier, assigned for life, unless
circumstances justify deactivation, such as a health care provider who
finds that his or her NPI has been used fraudulently by another entity.
In that situation, the health provider can apply, and will be eligible,
for a new NPI, and the previously assigned NPI will be deactivated. For
health care providers with an ``Entity type code'' of 2, the NPI will
also be considered permanent, except in certain situations such as when
a health care provider does not wish to continue an association with a
previously used NPI, or when a health care provider's NPI has been used
fraudulently by another. In those situations, the health care provider
that holds the NPI can apply, and be eligible for, a new NPI, and the
previously assigned NPI will be deactivated. A new NPI will not be
required for change of ownership, change from partnership to
corporation, or change in the State where an organization health care
provider is incorporated; indeed, ownership and incorporation
information will not be contained in the NPS. A new NPI will not be
required when there is a change in an organization health care
provider's name, Employer Identification Number, address, Healthcare
Provider Taxonomy classification, State of licensure, or State license
number. Instead, the health care provider will supply that information
to the NPS and the data in the NPS about these entities will be
updated. After a corporate merger, the surviving organization may
continue to use its NPI. A health care provider's NPI will not be
deactivated if that health care provider is sanctioned or barred from
one or more health plans. When an organization health care provider is
disbanded, the organization health care provider's NPI will be
deactivated. If a previously deactivated organization health care
provider is later reactivated, its previous NPI will be reactivated.
3. NPI Standard
Proposed Provisions (Sec. 142.402(a))
The May 7, 1998, proposed rule (at 63 FR 25328) described our
proposal for the standard health care provider identifier. We proposed
the NPI standard as an 8-position alphanumeric identifier. It would
include as the 8th position a numeric check digit to assist in
identifying erroneous or invalid NPIs. The check digit would be a
recognized International Standards Organization (ISO) standard. The
check digit algorithm would be computed from an all-numeric base
number. Therefore, any alpha characters that may be part of the NPI
would be translated to a specific numeric before the calculation of the
check digit. The NPI format would allow for the creation of
approximately 20 billion unique identifiers. It would be an
intelligence-free identifier. In the May 7, 1998 proposed rule, we also
proposed the type of data included in the file containing identifying
information for each health care provider.
In addition to the description of the NPI standard, this section of
the May 7, 1998, proposed rule discussed several other points on which
we received comments:
We noted that we proposed the 8-position alphanumeric format rather
than a longer numeric-only format in order to keep the identifier as
short as possible while providing for an identifier pool that would
serve the industry's needs for a long time.
We listed selection criteria for the standard and discussed
candidate identifiers, including the National Association of Boards of
Pharmacy number, the Social Security Number, and the Employer
Identification Number.
We noted that the USA Registration Committee approved the NPI as an
International Standards Organization card issuer identifier in August
1996 for use on standard health identification cards.
Comments and Responses on the NPI Standard
Comment: Several commenters on the format of the NPI expressed
general support for our proposal or specific support for an 8-position
alphanumeric identifier. Very few of these commenters gave a reason for
support of the 8-position alphanumeric format. A strong majority of
commenters recommended instead that the NPI be a 10-position numeric
identifier, because a 10-position identifier would yield an adequate
pool of identifiers and would not exceed the length permitted for
identifiers in the standard transactions proposed under HIPAA. A few
other commenters recommended a 9-position numeric identifier. Several
commenters who favored a numeric identifier stated that if additional
capacity for NPIs were needed in the future, additional numeric digits
should be added at that time. Commenters who preferred a numeric
identifier were very specific in listing its advantages. They stated
that a numeric identifier--
[sbull] Is more quickly and accurately keyed in data-entry
applications;
[sbull] Is more easily used in telephone keypad applications;
[sbull] Does not require translation before application of the
check digit algorithm,
[[Page 3442]]
and thus uses the full ability of the check digit algorithm to detect
keying errors;
[sbull] Is compatible with ISO identification card standards for a
card issuer identifier (discussed below), while an alphanumeric
identifier is not; and
[sbull] Will require less change for systems that currently use a
numeric identifier.
Response: We find the stated advantages of a 10-position numeric
identifier convincing. We have revised proposed Sec. 142.402 (now
Sec. 162.406(a)) to provide that the NPI will be a 10-position numeric
identifier, with the 10th position being an ISO standard check digit.
The use of a 10-digit numeric NPI and our initial assignment strategy
will allow for 200 million unique NPIs. We estimate 200 million NPIs
would last approximately 200 years, allowing for health care provider
growth, as discussed later in the preamble of this final rule in
section V.D., ``Specific Impact of the NPI.'' If additional capacity
for NPIs is needed in the future, additional numeric digits will be
added to the identifier at that time. A modification to the NPI format
would be accomplished through rulemaking. A 10-position numeric
identifier is specified in Sec. 162.406(a).
Comment: Some commenters asked that we clarify how the NPI would
appear when used as a card issuer identifier on a standard health care
identification card. Commenters also asked that we clarify any
modification made to the check digit algorithm to allow the NPI to be
used as a card issuer identifier.
Response: In December 1997, an American National Standard for a
Uniform Healthcare Identification Card was approved by the National
Committee for Information Technology Standards (NCITS), which is a
standards-developing organization accredited by the American National
Standards Institute. The specification for this standard, NCITS.284, is
available from the American National Standards Institute, 11 West 42nd
Street, New York, New York 10036. One identifier field on the standard
health care identification card is the card issuer identifier. A card
issuer identifier is an identifier for an entity that issues a health
care identification card. In most cases, the entity issuing a health
care identification card would be a health plan; in some cases,
however, the entity could be a health care provider. We note that,
under HIPAA, health care providers are neither required to issue health
care identification cards, nor to use the NCITS.284 standard card. The
NCITS.284 standard requires that the first five digits of the card
issuer identifier be ``80840,'' where the initial two digits, 80,
signify health applications, the next three digits, 840, signify United
States. The remainder of the card issuer identifier identifies the
entity that issued the card. In August 1996, the USA Registration
Committee, a standards-developing organization accredited by the
American National Standards Institute, approved the NPI as an
identifier for a card issuer for use on a standard health care
identification card. If the NPI is used to identify the card issuer on
a card that complies with NCITS.284, the card issuer identifier would
consist of 15 positions as follows: ``80840,'' signifying health
applications in the United States, followed by the 10-position NPI (the
9-position identifier portion of the NPI, followed by the NPI check
digit).
We note that the initial five digits ``80840'' would be required
with the NPI only when the NPI is used as a card issuer identifier on a
standard health care identification card. However, in order that any
NPI could potentially be used as a component of the card issuer
identifier on a standard health care identification card, the NPI check
digit calculation must always be performed as though the NPI is
preceded by ``80840.'' This is easily accomplished by including a
constant in the check digit calculation when the NPI is used without
this prefix. The NPI check digit is calculated using the ISO standard
Luhn check digit algorithm, a modulus 10 ``double-add-double''
algorithm. The specification for calculation of the NPI check digit
will be made available on the CMS Web site (http://www.cms.hhs.gov).
The specification will explain how to compute the check digit and how
to verify an NPI using the check digit, both when the ``80840'' prefix
is present and when it is not.
Comment: A strong majority of commenters supported our proposal
that the NPI be intelligence-free. A few commenters stated that an
intelligence-free identifier would not meet their needs because their
systems use the facility provider type, which is coded as part of the
identifier in some current systems.
Response: If the NPI were to include intelligence, that is, coded
information about the health care provider, as part of the identifier,
a new NPI would have to be issued any time the coded information about
the health care provider changed. This would undermine the lasting
nature of the NPI. For this reason we agree with the large majority of
commenters that the NPI not contain intelligence about the health care
provider.
Comment: A small number of commenters stated that the Taxpayer
Identifying Number (TIN) should be selected, or reconsidered, as the
standard unique health identifier for health care providers.
Response: The TIN is the identifier under which the health care
provider reports a United States tax return to the Internal Revenue
Service (IRS). It can be an SSN, assigned by the Social Security
Administration, or an IRS Individual Taxpayer Identification Number
(ITIN), assigned by the IRS, or an EIN, assigned by the IRS. A large
number of commenters on the ``Data'' section of the May 7, 1998, NPI
proposed rule stated their opposition to dissemination of the SSN
except in strictly controlled situations that fully comply with the
Privacy Act. Use of the SSN or the TIN as the standard unique health
identifier for health care providers would require the wide
dissemination and use of the SSN or TIN in the HIPAA transactions under
conditions that would not be protected by the Privacy Act. The majority
of commenters did not support the use of the SSN as the standard unique
health identifier for health care providers for individuals.
Comment: The National Council for Prescription Drug Programs
requested that we make several clarifications regarding our reference
to the National Association of Boards of Pharmacy (NABP) number, which
we discussed as a candidate identifier in the May 7, 1998, proposed
rule.
Response: As requested, we note that the NABP number has been
renamed the National Council for Prescription Drug Programs (NCPDP)
Provider Number. In 1997, the NCPDP and the NABP mutually severed the
contract made in 1977. The NCPDP has full responsibility for
maintenance of the pharmacy file. The NCPDP Provider Number is issued
solely by NCPDP. All references to the NABP number should be changed
instead to the NCPDP Provider Number.
Comment: A small number of commenters stated that the proposed NPI
would not meet one or more of the selection criteria for standards or
would not be consistent with the law because it would not reduce the
administrative costs of providing and paying for health care. These
kinds of comments cited the high costs of developing and operating a
new system for health care provider enumeration.
Response: Elsewhere in this preamble, we discuss how the collection
of health care provider data and the enumeration of health care
providers can be satisfactorily accomplished with the NPI and how those
associated costs can be kept to a minimum. We acknowledge
[[Page 3443]]
that organizations will incur costs in the move to a standard
enumeration process. After the initial implementation, however, we
believe that the costs will diminish significantly, and that long-term
use of a standard identifier will be cost-effective.
Final Provisions (Sec. 162.406(a))
We are adopting the NPI format of an all-numeric identifier, 10
positions in length, with an ISO standard check-digit in the 10th
position (Sec. 162.406(a)). The NPI will not contain intelligence
about the health care provider. This format and our assignment strategy
will allow for at least 200 million unique NPIs.
4. Effective Date and Compliance Dates
Proposed Provisions (Sec. 142.410)
The May 7, 1998, proposed rule proposed the compliance dates for
the standard unique health identifier for health care providers.
The May 7, 1998, proposed rule proposed that:
[sbull] Each health plan that is not a small health plan must
comply with the requirements of Sec. 142.104 and Sec. 142.404 by 24
months after the effective date of the final rule.
[sbull] Each small health plan must comply with the requirements of
Sec. 142.104 and Sec. 142.404 by 36 months after the effective date
of the final rule.
[sbull] Each health care clearinghouse and health care provider
must begin using the NPI by 24 months after the effective date of the
final rule.
Comments and Responses on Effective Date and Compliance Dates
Comment: An overwhelming number of commenters requested that there
be an extended period of time between the publication of the NPI final
rule and the date the implementation period for the NPI would begin.
Commenters stated that their resources were fully committed to
millennium issues and that those resources could not be used to address
the numerous changes needed to implement the NPI until after the
millennium work was satisfactorily completed. Some commenters asked
that we publish the final rule on Standards for Electronic Transactions
before any of the other rules.
Response: Work on the millennium is complete. Many commenters are
undoubtedly expending resources at this time in implementing the HIPAA
Privacy Rule (65 FR 82462 and 67 FR 53182), the Transactions Rule (65
FR 50312 and 68 FR 8381), the Security Rule (68 FR 8334) and the
Employer Identifier Rule (67 FR 38009). The reader should note that we
published the Transactions Rule (65 FR 50312) before any of the other
HIPAA final rules. The National Provider System (NPS) will be a large,
complex system. Its development cannot be finalized until publication
of this final rule. The NPS must operate efficiently and be capable of
performing many operations. It must undergo testing to ensure proper
operation of all functions and must pass a variety of stress tests. To
ensure adequate time for completion of system development and testing,
we set the effective date of this final rule to be 16 months after
publication in the Federal Register. Covered entities will need to be
in compliance no later than 24 months after the effective date (36
months for small health plans). While the purpose of this extended
effective date is to allow HHS sufficient time for NPS development and
testing, it will also permit health care entities sufficient time to
accommodate changes needed in order to implement the NPI.
Final Provisions (Sec. 162.404)
We set the effective date and compliance dates as follows:
a. Effective date of this final rule. The effective date of the NPI
is May 23, 2005. The effective date of this final rule marks the
beginning of the implementation period for the NPI.
b. Compliance dates of the NPI. We adopt the requirement that
covered entities (except small health plans) must obtain an NPI and
must use the NPI in standard transactions no later than May 23, 2007.
Small health plans must do so no later than May 23, 2008.
If the Secretary adopts a modification to this standard, the
compliance date of the modification would be no earlier than the 180th
day following the adoption of the modification. The Secretary would
determine the actual date, taking into account the time needed to
comply due to the nature and extent of the modification. The Secretary
would be able to extend the time for compliance with any modification
by small health plans by rulemaking, if he determines that an extension
is appropriate.
5. Implementation Specifications for Health Care Providers, Health
Plans, and Health Care Clearinghouses
Proposed Provisions (Sec. 142.404, Sec. 142.406, and Sec. 142.408)
In section II. E., ``Requirements,'' of the preamble of the May 7,
1998, proposed rule (63 FR 25330), we discussed the requirements that
health plans, health care clearinghouses, and covered health care
providers would have to meet in implementing the NPI. The proposed
regulation text, in Sec. 142.404, stated that health plans would be
required to accept and transmit, directly or through a health care
clearinghouse, the NPI on all standard transactions wherever required.
The proposed regulation text, in Sec. 142.406, stated that health care
clearinghouses would be required to use the NPI wherever a standard
electronic transaction requires it.
The preamble of the May 7, 1998, proposed rule (63 FR 25330)
states: ``In Sec. 142.408, Requirements: Health care providers, we
would require each health care provider that needs an NPI for HIPAA
transactions to obtain, by application if necessary, an NPI * * *''
Section 142.408(a) of the proposed regulation text states: ``Each
health care provider must obtain, by application if necessary, a
national provider identifier.'' The text of the proposed rule states,
in Sec. 142.408(c): ``Each health care provider must communicate any
changes to the data elements in its file in the national provider
system to an enumerator of national provider identifiers within 60 days
of the change.''
Comments and Responses on Requirements for Health Care Providers,
Health Plans, and Health Care Clearinghouses
We believe that the Congress intended that each health care
provider be eligible for an NPI and intended to authorize the Secretary
to require covered health care providers to obtain one. HIPAA requires
the adoption of a standard unique health identifier for health care
providers and directs the Secretary to specify the purposes for which
the identifier may be used. The statute sets forth the maximum amount
of time by which all covered entities must comply with the standards,
leaving discretion to the Secretary to designate compliance dates
(within the limitations of the law). We proposed in the May 7, 1998,
proposed rule, and require in this final rule, that covered entities
must be in compliance with the standards no later than 2 years (3 years
for small health plans) from the effective date of the regulation.
Thus, as of the compliance date, a covered health care provider must
have obtained and begun to use an NPI.
Comment: Some commenters recommended that all data about a health
care provider in the NPS be required to be updated; others stated that
only certain data elements should be required to be updated. Most
indicated that data needed for unique identification should be kept
current.
[[Page 3444]]
Response: In the proposed rule, the NPS was proposed to include
many data elements that we have since decided not to include. (See
section II. C. 2. of this preamble, ``Data Elements and Data
Dissemination.'') We have decided that the NPS will consist entirely of
data elements about a health care provider that are needed for
administrative (communications) purposes and for the unique
identification of the health care provider. We believe it is
appropriate and necessary for the health care providers to notify the
NPS of changes in their required NPS data, but, given limits on our
statutory authority, we can require such notification only of covered
health care providers.
Comment: We received many comments concerning the length of time a
health care provider should be allowed before it must notify the NPS of
changes to its NPS data. Most commenters thought that the 60-day period
was too long and believed a 15-to-30-day period was more appropriate.
Response: The May 7, 1998, proposed rule at Sec. 142.408(c)
proposed 60 days to allow reasonable flexibility in the time required
for a health care provider to complete a paper form (the NPI
application/update form) containing the update(s) and forward it to the
NPS. We will attempt to design the NPS to be responsive and easy to
use. We will consider a design that will allow a health care provider
(or possibly a health care provider's authorized representative (see
section II. B. 2., ``Health Care Provider Enumeration,'' of this
preamble)) to communicate the health care provider's changes directly
into the NPS over the Internet, using a secure Web-based transaction. A
paper form (the NPI application/update form) will be developed for this
same purpose and will be available from the NPS and from the CMS Web
site (http://www.cms.hhs.gov) for use by health care providers. We
realize that many health care providers may prefer to send electronic
updates if the capability exists. According to the majority of
commenters, health care providers should be required to communicate
changes in their NPS data in far less than 60 days. We agree.
Therefore, we adopt in this final rule a requirement that covered
health care providers notify the NPS of changes in their required NPS
data within 30 calendar days of the changes (Sec. 162.410(a)(4)).
Comment: Several commenters indicated that health plans will need
to know about changes in health care provider information. Commenters
did not believe it would be fair for health care providers to have to
notify both the NPS and the health plans in which they are enrolled of
changes.
Response: We agree that health plans will need to know of changes
in the data associated with their enrolled health care providers. Most
health plans collect more information about a health care provider than
the NPS will collect. Therefore, we expect that health plans will still
require health care providers to notify them of changes in this
information. The NPS will have the capability to provide listings or
reports of changes in NPS data in accordance with section II. C. 2. of
this preamble, ``Data Elements and Data Dissemination.''
Comment: Several commenters stated that the NPS should be required
to apply updates within a specified period of time after receipt of the
updated information from a health care provider.
Response: We expect that the update process will be designed in a
way that will allow the system to process updates within a reasonable
timeframe (for example, 10 business days from receipt). The volume of
updates at any given time may impact system performance. If changes are
unable to be made (for example, the health care provider furnishing
updates does not appear to match any health care provider in the NPS),
the health care provider will receive a message that will indicate why
the NPS is unable to update the record. The message will request that
the problem be resolved and the information be resubmitted.
Comment: Several commenters asked if health plans should take any
action to notify the NPS of changes to health care provider data if
they become aware of these changes.
Response: Although health plans would not be required to provide
information to the NPS to update health care provider data, we
encourage health plans to instruct and remind their enrolled health
care providers to notify the NPS of changes in their data.
Comment: There were numerous comments about penalties for non-use
of the NPI:
[sbull] If NPIs could not be assigned to covered health care
providers before the compliance date for those health care providers,
and sufficiently ahead of that time to enable the health care providers
to be capable of using the NPI in standard transactions, penalties
should not be enforced for nonuse of the NPI.
[sbull] Sufficient time should elapse to ensure adequate experience
in using the NPI before penalties are assessed.
[sbull] Financial penalties for noncompliance should not be
assessed until 1 year after the NPI compliance dates.
[sbull] The method of enforcing compliance with the standard should
be made public.
[sbull] The penalties for nonuse of a single standard and nonuse of
multiple standards should be clarified.
[sbull] When noncompliance forces nonpayment, the entity expecting
payment will resolve the issue.
Response: NPIs will be assigned to health care providers as quickly
as possible and within the parameters of the performance criteria that
are in effect. (See earlier comment and response for additional
information.) HHS is preparing, and has issued in part, a separate
regulation on enforcement of the HIPAA standards. This regulation is
expected to address all but perhaps the last concern of these
commenters. The regulation cannot place requirements on entities that
are not covered entities, and the entities involved in the situation
described in the last bullet may not be covered entities.
Comment: Many commenters suggested that (1) health care providers
not be required to use the NPI within the first year after the
effective date of its adoption, although willing trading partners could
use the NPI by mutual agreement at any time after the effective date;
and (2) health plans should give their health care providers at least 6
months' notice before requiring them to use the NPI.
Response: Upon the effective date of the adoption of this standard
(which will be 16 months after the date it is published), health care
providers may apply for NPIs. Covered entities (except for small health
plans) must begin using the NPI in standard transactions no later than
24 months after the effective date. (Small health plans have 36 months
to begin using NPIs.) These are statutory requirements that we have
incorporated into this final rule. We believe these timeframes enable
more than sufficient time for covered health care providers to become
aware of their responsibilities under this final rule, to apply for and
be assigned their NPIs, and to complete work needed to begin using
their NPIs. Applying for an NPI up to 18 months after the effective
date of the adoption of this standard will still give health care
providers 6 months before the statutory compliance date arrives. We
encourage health plans to give health care providers 6 months' notice
before requiring them to use NPIs; however, we do not require that
action by the health plans. How soon health care providers could use
NPIs would depend on when they obtained the NPIs, and health plans have
no direct control over that action.
[[Page 3445]]
We encourage all parties to work together to ensure a smooth
transition.
Final Provisions (Sec. 162.410, Sec. 162.412, Sec. 162.414)
All health care providers are eligible for NPIs.
We require each covered health care provider to obtain an NPI from
the NPS, by application if necessary, for itself and for its subparts,
if appropriate, and to use its NPI in standard transactions. Covered
health care providers must disclose their NPIs to other entities that
need those health care providers' NPIs for use in standard
transactions. Covered health care providers must communicate to the NPS
any changes in their required data elements within 30 days of the
change. If covered health care providers use business associates to
conduct standard transactions on their behalf, they must require their
business associates to use NPIs appropriately as required by the
transactions the business associates conduct on its behalf.
Situations exist in which a standard transaction must identify a
health care provider that is not a covered entity. An organization
health care provider subpart may need to be identified in a standard
transaction but the organization health care provider may not be
required to obtain an NPI for the subpart. A noncovered health care
provider may or may not have applied for and received an NPI. In the
latter case, and in the case of the subpart described above, an NPI
would not be available for use in the standard transaction. We
encourage every health care provider to apply for an NPI, and encourage
all health care providers to disclose their NPIs to any entity that
needs that health care provider's NPI for use in a standard
transaction. Obtaining NPIs and disclosing them to entities so they can
be used by those entities in standard transactions will greatly enhance
the efficiency of health care transactions throughout the health care
industry. If subparts are assigned NPIs, the covered health care
provider must ensure that the subpart's NPI is disclosed, when
requested, to any entity that needs to use the subpart's NPI in a
standard transaction.
Here are examples that illustrate the desirability for a health
care provider that is not required to be enumerated to obtain and
disclose an NPI:
(1) A pharmacy claim that is a standard transaction must include
the identifier (which, as of the compliance date, would be the NPI) of
the prescriber. Therefore, the pharmacy needs to know the NPI of the
prescriber in order to submit the pharmacy claim. The prescriber may be
a physician or other practitioner who does not conduct standard
transactions. The prescriber is encouraged to obtain an NPI so it can
be furnished to the pharmacy for the pharmacy to use on the standard
pharmacy claim.
(2) A hospital claim is a standard transaction and it may need to
identify an attending physician. The attending physician may be a
physician who does not conduct standard transactions. The physician is
encouraged to obtain an NPI so it can be furnished to the hospital for
the hospital to use on the standard institutional claim.
In the examples above, the NPI of a health care provider that is
not a covered entity is needed for inclusion in a standard transaction.
The absence of NPIs when required in those claims by the implementation
specifications may delay preparation or processing of those claims, or
both. Therefore, we strongly encourage health care providers that need
to be identified in standard transactions to obtain NPIs and make them
available to entities that need to use them in those transactions.
Under Sec. 162.410 (Implementation specifications: Health care
providers), we require each covered health care provider to:
[sbull] Obtain from the NPS, by application if necessary, an NPI
for itself and, if appropriate, for its subparts.
[sbull] Use the NPI it obtained from the NPS to identify itself in
all standard transactions that it conducts where its health care
provider identifier is required.
[sbull] Disclose its NPI, when requested, to any entity that needs
the NPI to identify that health care provider in a standard
transaction.
[sbull] Communicate to the NPS any changes to its required data
elements in the NPS within 30 days of the change.
[sbull] If it uses one or more business associates to conduct
standard transactions on its behalf, require its business associate(s)
to use its NPI and the NPIs of other health care providers
appropriately as required by the transactions the business associate(s)
conducts on its behalf. (For example, a claim for a laboratory service
will require the NPI of the laboratory and may also require the NPI of
the referring physician. If a business associate prepares the
laboratory claim, the business associate must use the laboratory's and
the referring physician's NPIs. If the business associate does not
already know the NPI of the referring physician, it may have to contact
the referring physician to obtain his or her NPI.)
[sbull] If it has been assigned NPIs for one or more subparts,
comply with the above requirements with respect to each of those NPIs.
Under Sec. 162.412 (Implementation specifications: Health plans),
we require health plans to: use the NPI of any health care provider
(including subparts of organization health care providers) that has
been assigned an NPI to identify that health care provider (or subpart)
in all standard transactions where the health care provider's (or
subpart's) identifier is required. Health plans may not require health
care providers that have been assigned NPIs to obtain additional NPIs.
Under Sec. 162.414 (Implementation specifications: Health care
clearinghouses), we require health care clearinghouses to use the NPI
of any health care provider (including subparts of organization health
care providers) that has been assigned an NPI to identify that health
care provider (or subpart) in all standard transactions where that
health care provider's (or subpart's) identifier is required.
B. Implementation of the NPI
1. The National Provider System
Proposed Provisions (Sec. 142.402)
The May 7, 1998, proposed rule (at 63 FR 25331) described the
National Provider System (NPS) as a central electronic enumerating
system. The system would be a comprehensive, uniform system for
identifying and uniquely enumerating health care providers at the
national level. The Department of Health and Human Services (HHS) would
exercise overall responsibility for oversight and management of the
system.
Comments and Responses on the National Provider System
We did not receive comments specific to our description of the NPS.
However, commenters were emphatic that the NPS be fully tested before
it began assigning NPIs, and that the system ensure that the same NPI
would not be issued to more than one health care provider. Commenters
also suggested that an option be made available by which health care
providers could apply for NPIs electronically in lieu of completing a
paper application form. This comment is addressed in section II. B. 2.
of this preamble, ``Health Care Provider Enumeration.''
Final Provisions (Sec. 162.408(a))
NPIs will be assigned to health care providers by the NPS, which
will be a central electronic enumerating system operating under Federal
direction. The
[[Page 3446]]
NPS will uniquely identify and enumerate health care providers at the
national level. The NPS may enumerate subparts of organization health
care providers.
The NPS will be designed to be easy to use. The design will employ
the latest technological advances wherever feasible for capturing
health care provider data and making information available to users.
This is discussed in section II. C. 2. of this preamble, ``Data
Elements and Data Dissemination.''
HHS will exercise overall responsibility for oversight and
management of the NPS. The NPS will include a database that will store
the identifying and administrative information about health care
providers that are assigned NPIs. The data elements comprising the NPS
are described and listed in section II. C. 2. of this preamble, ``Data
Elements and Data Dissemination.''
Identifying and uniquely enumerating health care providers for
purposes of the NPI is separate from the process that health plans
follow in enrolling health care providers in their health programs. The
NPS will assign NPIs to health care providers. However, the assignment
of the NPI will not eliminate the process that health plans follow in
receiving and verifying information from health care providers that
apply to them for enrollment in their health programs.
Health care providers will submit applications for NPIs to HHS. As
health care provider data are entered into the NPS from the
application, the NPS will check the data for consistency, standardize
addresses, and validate the Social Security Number (SSN) if the
individual applying for an NPI provides it; the NPS will validate the
date of birth only if the SSN is validated. (If a health care provider
chooses not to furnish his or her SSN when applying for an NPI, the
assignment of an NPI to that health care provider may be delayed and
additional information may be requested from that health care provider
in order to establish uniqueness.) If the NPS encounters problems in
processing the application, appropriate messages will be communicated
to the applicant. If problems are not encountered, the NPS will then
search its database to determine whether the health care provider
already has an NPI. If a health care provider has already been issued
an NPI, an appropriate message will be communicated. If not, an NPI
will be assigned. If the health care provider is similar (but not
identical) to an already-enumerated health care provider, the situation
will be investigated. Once an NPI is assigned, the health care provider
will be notified of its NPI.
2. Health Care Provider Enumeration
In section III of the preamble of the May 7, 1998, NPI proposed
rule, ``Implementation of the NPI'' (at 63 FR 25331), we asked for
comments on the entity or entities that would be responsible for
assigning NPIs to health care providers. We explained that the HIPAA
legislation did not contain a specific funding mechanism for activities
related to enumeration. We asked for comments on how the enumeration
activity and the NPS itself could be funded, and how the costs of
enumeration could be kept as low as practicable. We presented two
options for the enumeration of health care providers: (1) All health
care providers, except existing Medicare providers, would be enumerated
by a single entity. Existing Medicare providers would automatically be
enumerated and would not have to apply for NPIs; (2) Federal health
plans and Medicaid would enumerate their enrolled health care
providers, and a federally-directed registry would enumerate all
remaining health care providers. We also presented a phased approach to
enumeration and requested public comment on it. In the phased approach,
we proposed that enumeration would occur in the following order: (1)
Medicare providers; (2) Medicaid, other Federal providers, and health
care providers that do not conduct business with Federal health plans
or Medicaid but that do conduct electronically any of the transactions
specified in HIPAA; and (3) all remaining health care providers. The
May 7, 1998, proposed rule also stated that phase three would not begin
until phases one and two were completed.
Comments and Responses on Provider Enumeration
Comment: Several commenters stated that it would cost more than our
estimate of $50 to enumerate a health care provider; others believed
our estimate of $50 to be reasonable. Some commenters pointed out that
Federal and Medicaid health plans do not maintain all of the
information about health care providers that would be required to
assign NPIs; thus, if those health plans' prevalidated health care
provider files were to be used to populate the NPS, costs might exceed
$50 per health care provider in order to obtain the missing information
needed to assign NPIs. Commenters also pointed out that the cost to
enumerate an entity that furnishes atypical or nontraditional services
would exceed $50.
Response: We respond to these issues as follows:
[sbull] We agree with the comment that there may be situations
where information in addition to what is contained in existing health
care provider files will be required in order to assign NPIs. For
example, we have found that some Medicaid and Medicare provider files
do not contain all of the information required to assign an NPI.
Populating the NPS with existing files that lack certain required NPS
data elements increases the cost of enumeration because additional
resources would be needed to collect the missing information.
[sbull] Any inconsistencies or errors that are present in health
care provider files that are considered to be used to populate the NPS
would be imported into the NPS as part of that process. Resolving these
inconsistencies and errors before loading these files will require
resources and time. This will increase the cost of enumeration and
possibly slow the process.
[sbull] Where the format or structure of a health care provider
file being considered for use in populating the NPS differs from the
format or structure of the NPS, additional costs will be incurred in
attempting to conform that source file to the NPS.
[sbull] As discussed in section II. C. 2. of this preamble, ``Data
Elements and Data Dissemination,'' we are reducing the amount of health
care provider information being captured by the NPS to only that which
is required to uniquely identify and communicate with the health care
provider. Some of the information that will not be collected is the
kind that is costly to collect, such as membership in groups,
certification and school information. Not collecting these health care
provider data lowers the cost of enumeration.
[sbull] On applications for NPIs from individuals, the NPS will
verify the SSN if it is furnished on the application.
[sbull] Problems in processing the applications will have to be
resolved. This will increase the cost of enumeration.
[sbull] The NPS will be designed, wherever feasible, to take
advantage of technologies that will make its operation efficient. This
may include the use of the Internet to accept applications and updates
from health care providers. While up-front costs will be higher for
some designs, the more efficient the design and operation of the NPS,
the lower the cost of enumeration and ongoing operations.
Medicare Part B carriers indicated in comments that it costs about
$50 to enroll a health care provider in the Medicare program. This
process involves reviewing and validating a
[[Page 3447]]
paper application containing far more information than will be
collected and validated on the NPI application/update form. The NPS
will verify the SSN only if it is furnished in applying for an NPI; the
date of birth will be verified only if the SSN is furnished. The NPS
will run various edits and consistency checks and will check for
duplicate records to ensure that only one NPI is assigned to a health
care provider and that the same NPI is not assigned to more than one
health care provider. Enabling the receipt of Web-based applications
and the limited validation will make the cost of enumerating a health
care provider far less than enrolling a health care provider in a
health plan. The majority of atypical and nontraditional service
providers are not considered health care providers and, therefore,
would not be eligible for NPIs. The use of modern technology to receive
and process applications for NPIs makes it difficult if not impossible
to attach a dollar value to the enumeration of a single provider.
Implicit in enumeration are the costs of software, licenses, salaries,
training, and overhead. We estimate that the combination of all of the
above factors would reflect an average cost of enumerating a single
health care provider to be closer to $10.
Comment: The majority of commenters favored enumeration option 1,
where a single entity would enumerate all health care providers except
existing Medicare providers (who would automatically be enumerated).
(The May 7, 1998, proposed rule recommended enumeration option 2, which
would have required Federal health plans and Medicaid to enumerate
their enrolled health care providers, with a federally-directed
registry enumerating all remaining health care providers.) The
supporters of a single enumeration entity cited the following
advantages of option 1: (1) It would be less costly than multiple
enumeration entities; (2) it would ensure uniform operation of the
enumeration process, reducing inconsistencies that could lead to
duplicate assignment of NPIs; (3) it would be less confusing to health
care providers, particularly those that participate in multiple health
plans; (4) it would be a single point of contact with which to do
business and seek help and information; and (5) it would ensure
uniformity in resolving problems and would be more capable and
efficient in responding to data integrity issues that may require
investigation. Comments from Federal health plans and Medicaid State
agencies (which were the proposed enumeration entities under option 2)
stated that they preferred not to have a role as an enumerator. Some
Federal health plans anticipated that too many health care providers
would request that they handle their updates and changes. Medicaid
State agencies indicated that they would require additional Federal
funding to assume the responsibilities of enumeration.
Nonetheless, some commenters did support option 2. They stated that
having Federal health plans and Medicaid State agencies enumerate their
own health care providers had several advantages: (1) These entities
already conduct a significant amount of enumeration activity in their
health plan enrollment processes, which would bring a wealth of
experience to the NPI enumeration process; (2) much of the information
required to assign an NPI to a health care provider is already
collected by these entities; (3) fraud detection would be enhanced
because, as enumeration entities, they would have access to the data in
the NPS; and (4) the initial cost of enumerating health care providers
would be incremental to these entities, a major factor in making option
2 less costly than option 1.
Response: After analyzing all the comments and reviewing our
computations as to the costs of enumeration under both options, we have
determined that a single entity, under HHS direction, should handle the
enumeration functions. We believe that enumeration by a single entity
will be the most efficient option.
While supporters of option 2 cited several advantages, the
reluctance of the Federal health plans and Medicaid State agencies to
undertake enumeration functions was a major factor causing us to
support a single entity. Selection of option 2 would have required
those Federal health plans and Medicaid State agencies to perform
functions they were not willing to perform. Another factor in our
decision to choose option 1 was an oversight in our cost computations.
While our narrative discussion of costs indicated that prevalidated
Medicare provider files would populate the NPS under both options,
Table 5 in the Impact Analysis portion of the May 7, 1998, proposed
rule did not reflect those savings in the cost of option 1. If those
savings had been reflected, the cost of option 1 would have been less.
(Please see the next comment and response regarding Medicare provider
files.) Costs for option 2 did not include the expenses that would be
incurred by Federal health plans and Medicaid State agencies in
resolving problems found in their health care provider records that
would prevent some of those records from being loaded into the NPS for
enumeration of the health care providers. This would have increased the
cost of option 2. Had we applied both of these cost factors, both
options would cost about the same.
The use of one entity, under HHS direction, to enumerate health
care providers will ensure uniform operation of the NPS. Health care
providers will have a single contact point for applications, updates,
and questions. Problems will be resolved in a uniform manner. These
factors make a single enumerator the more efficient option.
Comment: Several commenters cautioned against loading pre-existing
health care provider files into the NPS. They indicated that any errors
present in those files would be carried undetected into the NPS.
Commenters cautioned that any data to be loaded into the NPS should be
validated, accurate, and up to date.
Response: We agree with the commenters' recommendation that
accurate, current data should be included in the NPS. After publication
of the May 7, 1998 proposed rule, we reexamined the existing Medicare
provider files in anticipation of using them to populate the NPS. Our
reexamination revealed that some mandatory NPS data elements are not
present in some of the Medicare files. In addition, data integrity
problems have been identified, and reformatting some of the Medicare
files to make them consistent with the structure of the NPS may be more
difficult than first expected. It may require considerable time to
update and reformat these files for NPS purposes.
It is important to note that we are undertaking steps to update our
existing Medicare provider files for independent business reasons. If
we find it is feasible to use updated, accurate Medicare provider files
to populate the NPS, we will do so, and we will notify the affected
Medicare providers that they will not have to apply for NPIs. The NPS
will notify the affected providers of their NPIs.
Comment: Nearly all commenters recommended that the enumeration
function and operation of the NPS be federally funded because a Federal
statute mandates the adoption and use of a standard unique health
identifier for health care providers. Many commenters stated that the
costs cannot be borne directly by health care providers or indirectly
by health care provider organizations and clearly stated that health
care providers should receive NPIs at no cost. Some stated that if fees
need to be assessed, they should come from the health plans, not the
[[Page 3448]]
health care providers, as the health plans will receive the most
benefit from the use of the standard. There was some support for the
collection of initial fees from health plans, health care
clearinghouses, and other nonprovider entities to obtain data from the
NPS; the fees would help offset the cost of maintaining the database.
Another commenter recommended that the public sector and large health
plans pay fees to a public-private sector trust organization. The fees
would represent their proportion of the total health benefit dollars;
the trust organization would administer various databases required by
the HIPAA standards (not solely the NPS). One commenter suggested
Federal funds be used initially, with the enumeration entity eventually
becoming self-sufficient.
Response: HIPAA did not provide the authority to charge health care
providers a user fee to obtain an NPI. Federal funds will support the
enumeration process and the NPS, at least initially. After the NPI is
implemented, HHS will investigate the use of other funding mechanisms.
The data dissemination process is discussed in section II.C.2., ``Data
Elements and Data Dissemination,'' of this preamble.
Comment: Some commenters supported the phases of enumeration as
described in the May 7, 1998, proposed rule. Many commenters supported
assignment of NPIs to existing Medicare providers first for these
reasons: (1) These health care providers are the majority of the health
care providers that conduct standard transactions; (2) the NPS is being
developed by HHS; and (3) Medicare provider information is already
available in HHS in the Centers for Medicare & Medicaid Services (CMS).
Many commenters stated that health care providers that do not
conduct the transactions specified in HIPAA should be enumerated at the
same time as all other health care providers--all health care providers
must be equally able to receive NPIs. Many of these commenters believed
that costly dual systems would have to be maintained (one for health
care providers with NPIs and one for those without) and confusion in
the marketplace would be created if paper processors did not also
receive NPIs within the same time frame as electronic processors.
Other commenters suggested that NPIs be issued on a first-come,
first-served basis.
Some commenters suggested enumeration phases by health care
provider type or by geographical region of the country.
Response: The NPS will be stress tested, but even successful
passage of the stress test will not enable all health care providers to
apply for and be assigned NPIs at the same time.
Covered health care providers are required to use NPIs where those
identifiers are required in standard transactions. We expect that
covered health care providers will be the first to apply for NPIs. We
estimate that, on the effective date of the NPI, approximately 2.3
million health care providers will be ready to apply for NPIs. They may
apply for NPIs beginning on the effective date, which is May 23, 2005.
Covered health care providers must begin to use their NPIs in standard
transactions no later than May 23, 2007.
We estimate that, on the effective date of the NPI, the number of
health care providers that typically do not conduct standard
transactions will be approximately 3.7 million. A few examples of these
health care providers are registered nurses employed by hospitals or
other facilities, X-ray and other technicians, and dental hygienists.
These health care providers may apply for NPIs at any time after the
effective date of this final rule. However, because there is no
requirement for these health care providers to use NPIs, we do not
expect them to apply for NPIs as soon as those that conduct standard
transactions or those that must be identified in standard transactions.
It may be determined some time after publication of this final rule
that ``bulk enumeration'' of some health care providers is feasible.
Bulk enumeration is a term used to mean mass-enumeration of a large
number of health care providers, all at one time, from a database or
file that uniquely identifies them in a way consistent with the
identification criteria in this final rule. Bulk enumeration would
eliminate the need for those health care providers to apply for NPIs.
For example, bulk enumeration might involve a specific classification
of health care providers that comprises the membership of a large
professional organization, or it could involve different
classifications of health care providers that are employed by one large
organization health care provider. In both of these examples, the
health care providers to be enumerated may or may not be covered
entities. This enumeration could occur at any time, if it is feasible.
HHS, along with the other affected entities, and working within the
requirements of the Privacy Act, will determine the feasibility of bulk
enumeration. Any health care provider that would be enumerated in this
way will be notified.
The NPS will process applications for NPIs as they are received.
It is true that some health plans may have to maintain--for
internal purposes--dual health care provider numbers: the NPI and the
number(s) issued to health care providers by the health plans
themselves. Health plans impose this burden on themselves in
accommodating their own internal operational needs. We expect that
health plans may decide to use NPIs for additional purposes beyond
those required in this final rule.
Comment: The majority of commenters made it clear that NPIs must be
assigned and the NPS fully and successfully tested well before the
compliance date.
Response: We agree. The NPS will have been fully tested before it
begins to assign NPIs. The speed of assignment of NPIs will be
dependent in part on the complete, correct, and timely submission of
the NPI applications.
Comment: Several commenters stated that the application forms for
NPIs should be retained indefinitely in a manner where the signatures
or certification statements could be verified if necessary. Commenters
stated that signatures or certification statements could be useful in
prosecuting a health care provider that knowingly requested more than
one NPI for itself.
Response: The NPI application forms will contain a statement
whereby the signer attests to the accuracy of the information on the
application. Paper applications will be maintained indefinitely for
signature or certification statement verification and audit purposes.
Applications completed electronically will be processed only if the
person completing the application attested to the accuracy of the
information by ``checking'' a designated box appearing in the on-line
application. Those electronic applications that are successfully
processed (that is, the health care provider is assigned an NPI) will
be maintained indefinitely in a manner whereby certification statements
can be verified if required.
Comment: Several commenters asked that the NPI application form be
designed to accommodate updates to health care provider data.
Response: We believe this is a good suggestion, particularly
because all of the information that will be required on the application
for an NPI will have to be updated if changes occur. Therefore, we will
attempt to design a form that can serve both application and update
purposes.
[[Page 3449]]
Final Provisions
One entity will be given enumeration functions under the direction
of HHS (option 1 as presented in the May 7, 1998, proposed rule) to
enumerate all eligible health care providers who apply for NPIs. There
are many advantages in using a single entity, which were discussed in
the comment and response section above.
The enumeration function and the development and operation of the
NPS will be federally funded, at least for the foreseeable future.
Under this final rule, health care providers will not be charged a fee
to be assigned NPIs or to update their NPS data.
If feasible, we will populate the NPS with Medicare provider files.
Health care providers will apply for NPIs, and covered health care
providers must apply for NPIs.
We will attempt to design the NPI application form in order to also
accommodate updates. The form will be available from the NPS and via
the Internet (http://www.cms.hhs.gov).
We will attempt to design the NPS so that it can receive and accept
NPI applications and updates on paper or over the Internet.
We expect that the use of modern technology to receive and process
applications for NPIs and to apply updates to the NPS records of
enumerated health care providers will greatly reduce our earlier
estimates. In addition, the limited validation by the NPS of data
reported by health care providers will further reduce NPS costs. We
discuss the cost of operating the NPS in section V, ``Regulatory Impact
Analysis,'' of this preamble.
Before enumeration begins, the NPS will be fully tested. We will
strive to ensure that the NPS functions properly and guards against
assigning the same NPI to more than one health care provider, assigning
more than one NPI to the same health care provider, and re-using NPIs
(assigning to a health care provider an NPI that had at one time been
issued to another).
Health care providers may apply for NPIs beginning on the effective
date of this final rule.
At this time, we do not expect bulk enumeration of health care
providers, except possibly of Medicare providers, as discussed earlier.
HHS will explore the feasibility of other such enumerations. If
considered feasible, the affected health care providers will be
notified and will not have to apply for NPIs.
We will consider the feasibility of allowing health care providers
to designate authorized representatives to handle their NPI
applications and updates.
Applications for NPIs and updates will be retained by HHS
indefinitely in a manner in which signatures on paper applications or
certification statements on electronic applications can be verified if
required.
We will make available as much information as possible about the
implementation of the NPI on the CMS Web site (http://www.cms.hhs.gov).
The web site will include information about the availability and
submission of the NPI application/update form.
3. Approved Uses of the NPI
The preamble of the May 7, 1998, proposed rule discussed approved
uses of the NPI. We did not receive comments that objected to those
uses.
By 24 months after the effective date of this final rule, covered
health care providers, health plans (except for small health plans),
and health care clearinghouses must use the NPI in standard
transactions. Small health plans must do so within 36 months of the
effective date. Covered health care providers must disclose their NPIs
to other entities when these entities need to include those health care
providers' NPIs in standard transactions. We encourage all other health
care providers to do the same.
The NPI may also be used for any other lawful purpose requiring the
unique identification of a health care provider. It may not be used in
any activity otherwise prohibited by law.
Examples of permissible uses include, in addition to the above, the
following:
[sbull] The NPI may be used as a cross-reference in health care
provider fraud and abuse files and other program integrity files.
[sbull] The NPI may be used to identify health care providers for
debt collection under the provisions of the Debt Collection Improvement
Act of 1996 (Pub. L. 104-134, enacted on April 26, 1996) and the
Balanced Budget Act of 1997 (Pub. L. 105-33, enacted on August 5,
1997).
[sbull] Health care providers may use their own NPIs to identify
themselves in nonstandard health care transactions and on related
correspondence.
[sbull] Health care providers may use other health care providers
NPIs to identify those other health care providers in health care
transactions and on related correspondence.
[sbull] Health plans may use NPIs in their internal health care
provider files to process transactions and in communications with
health care providers.
[sbull] Health plans may communicate NPIs to other health plans for
coordination of benefits.
[sbull] Health care clearinghouses may use NPIs in their internal
files to create and process standard transactions and in communications
with health care providers and health plans.
[sbull] NPIs may be used to identify health care providers in
patient medical records.
[sbull] NPIs may be used to identify health care providers that are
health care card issuers on health care identification cards.
We encourage health care providers that are not required to comply
with HIPAA regulations to use NPIs in the ways listed above.
4. System of Records Notice
A System of Records Notice (HHS/HCFA/OIS No. 09-70-0008) published
in the Federal Register on July 28, 1998 (63 FR 40297), listed the ways
in which data from the NPS that are protected by the Privacy Act may be
used. Few comments were received on the System of Records Notice.
We are including a summary of the comments below:
Comment: One commenter believes that the data collected to assign
NPIs to physicians should be kept to an absolute minimum. Data that are
not required for enumeration or legitimate administrative purposes
should not be collected. Data released beyond HHS must be released in
accordance with the provisions of the Privacy Act, insofar as that Act
applies to the data in question, and the Freedom of Information Act, as
appropriate. Data in addition to those which are published in the
Unique Physician Identification Number (UPIN) Directory should not be
released. Most of the data collected to enumerate an individual should
not be publicly available. Another commenter was concerned that removal
of a health care provider's record from the NPS could result in the re-
issuance of that health care provider's NPI to another health care
provider. The NPI must remain unequivocally unique and the NPS must
never re-issue a previously assigned NPI. Removal of a health care
provider's records at some point after the health care provider's death
is reasonable, as long as there are guarantees that the health care
provider's NPI will never be used by another health care provider or
re-issued to another health care provider.
Response: In section II. C. 2. of this preamble, ``Data Elements
and Data Dissemination,'' we describe the information that we expect
will be collected and stored in the NPS. The
[[Page 3450]]
requirements described in the comments we received on the NPS System of
Records Notice will be met in the design and operation of the NPS and
in the enumeration functions.
5. Summary of Effects on Various Entities
Below is a summary of how the implementation of the NPI will affect
health care providers, health plans, and health care clearinghouses.
a. Health Care Providers
At this time, bulk enumeration of health care providers is not
expected to occur. If, however, it is determined to be feasible, we
will populate the NPS with data from Medicare provider files. If bulk
enumeration were to occur, the affected health care providers would be
notified of their NPIs and would not have to apply for them. Otherwise,
in order to be assigned NPIs, covered health care providers must apply
for NPIs. (Health care providers that are not covered entities are
encouraged to apply for NPIs.) After applying for NPIs, health care
providers will be assigned and notified of their NPIs by the NPS.
Health care providers will submit a paper application or, if feasible,
will have the option of applying for NPIs via the Internet. The NPI
application/update form and information about health care provider
enumeration will be available from the CMS Web site (http://www.cms.hhs.gov
).
Covered health care providers that have been assigned NPIs must
furnish updates (changes) in their required NPS data or that of their
subparts to the NPS within 30 days of the changes; they may use the NPI
application/update form for this purpose. We recommend that health care
providers notify the health plans in which they are enrolled of any
changes at the same time they notify the NPS of these changes. (This
recommendation does not preclude health plans from requiring
notification of updates within a shorter time frame.)
We encourage health care providers who have been assigned NPIs but
who are not covered entities also to notify the NPS of changes in their
NPS data within 30 days of the changes.
Covered health care providers must use their NPIs to identify
themselves and their subparts, if appropriate, on all standard
transactions when their health care provider identifiers are required.
We encourage all health care providers and subparts that have been
assigned NPIs to do the same.
Covered health care providers must disclose their NPIs and those of
their subparts to entities that need the NPIs to identify those health
care providers in standard transactions. We encourage all health care
providers and subparts that have been assigned NPIs to do the same.
Covered health care providers must require their business
associates, if they use them to conduct standard transactions on their
behalf, to use their NPIs and the NPIs of other health care providers
and subparts appropriately as required by those transactions.
Covered health care providers that are organization health care
providers with subparts as described earlier in this preamble must
ensure that, when NPIs are assigned to subparts, either the covered
health care provider or the subpart (1) uses the NPIs of the subparts
on all standard transactions when their health care provider
identifiers are required, (2) discloses their NPIs to entities that
need the NPIs to identify those subpart(s) in standard transactions,
(3) communicates changes in required data elements of the subparts to
the NPS, and (4) requires business associates of the subparts, if they
use them to conduct standard transactions on their behalf, to use their
NPIs and the NPIs of other health care providers and subparts
appropriately as required by the transactions that the business
associates conduct on their behalf.
b. Health Plans
Health plans must use the NPI of any health care provider or
subpart that has been assigned an NPI to identify that health care
provider or subpart on all standard transactions when the NPI is
required. All plans except small health plans have 24 months from the
effective date of this final rule to implement the NPI; small health
plans have 36 months. Health plans that need NPS data in order to
create standard transactions will be able to obtain NPS data from the
NPS. (See section II. C. 2. of this preamble, ``Data Elements and Data
Dissemination.'') Use of data from the NPS in order to comply with
HIPAA requirements is a routine use as published in the NPS System of
Records Notice.
HIPAA does not prohibit a health plan from requiring its enrolled
health care providers to obtain NPIs if those health care providers are
eligible for NPIs as discussed earlier in this preamble.
c. Health care clearinghouses
Health care clearinghouses must use the NPI of any health care
provider or subpart that has been assigned an NPI to identify that
health care provider or subpart on all standard transactions when the
NPI is required. As with health plans, health care clearinghouses will
be able to obtain NPS data from the NPS.
C. Data
1. NPS Data Structures
Proposed Provisions (Sec. 142.402)
In section IV. B. of the preamble of the May 7, 1998, proposed
rule, ``Practice Addresses and Group/Organization Options,'' (63 FR
25336), we asked for public comment on some of the data structures that
would be captured in the NPS for each health care provider.
Comments and Responses on NPS Data Structure Concepts
Below are the questions as posed in the May 7, 1998, proposed rule
followed by a summary of the comments and our responses:
a. Should the NPS Capture Practice Addresses of Health Care Providers?
Comment:
Responding yes: Some commenters stated that they need to capture
the multiple practice addresses of a health care provider for their
business functions. They believe it would be best to do this once in
the health care provider's NPS record, rather than in many local
systems.
Responding no: A large majority of commenters stated that the NPS
should not capture any practice addresses or should capture only one
physical location address per NPI. Some of these commenters believed
that each location where a health care provider practices needs to be
identified, but they believed locations should receive separate
identifier