[Federal Register: May 30, 2007 (Volume 72, Number 103)]
[Notices]
[Page 30011-30014]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr30my07-83]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
[CMS-6060-N]
RIN 0938-AN71
HIPAA Administrative Simplification: National Plan and Provider
Enumeration System Data Dissemination
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice establishes the data that are available from the
National Plan and Provider Enumeration System (NPPES). In addition,
this notice addresses who may have access to the data or may receive
data from the system, the processes for requesting and receiving data,
and the conditions under which data may be disclosed.
FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.
SUPPLEMENTARY INFORMATION:
I. Background
A. Legislative and Regulatory Background
The Administrative Simplification provisions of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) required
the Secretary of Health and Human Services (HHS) to adopt a standard
unique health identifier for health care providers. On January 23,
2004, HHS published a final rule in the Federal Register that adopted
the National Provider Identifier (NPI) as the standard unique health
identifier for health care providers (69 FR 3434). The NPI final rule
established the National Provider System (NPS) and requires, among
other things, that the NPS disseminate data in response to approved
requests. The NPI final rule stated that we would publish a notice in
the Federal Register describing our data dissemination strategy and the
process by which we would carry it out (69 FR 3456). Therefore, we are
publishing this notice.
B. Operational and System Background
On July 28, 1998, in accordance with the Privacy Act of 1974, we
published, in the Federal Register, a System of Records (SOR) notice
for the National Provider System (NPS) (63 FR 40297). The NPS is the
system, as described in the NPI final rule, that will be used to
enumerate health care providers and house the information provided on
health care providers' applications for NPIs. The NPS is now contained
within the National Plan and Provider Enumeration System (NPPES). We
are in the process of revising the Privacy Act SOR notice and will soon
publish an updated SOR notice. The updated SOR notice will reflect the
change from NPS to NPPES and will incorporate other changes
necessitated by organizational and name changes and information
contained in the NPI final rule. The updated SOR notice will also
contain language that will clarify its consistency with the data
dissemination policy described in this notice. (The existing SOR
notice, although it is being revised, supports the data dissemination
policy described in this notice.) The NPPES enumerates health care
providers and houses their NPIs and information from their NPI
applications/updates. The NPPES also would be capable of enumerating
health plans and housing their standard unique health identifiers and
information from their health plan identifier applications/updates once
a standard unique health identifier for health plans has been adopted.
Covered entities under HIPAA are required to use NPIs to identify
health care providers in standard transactions beginning no later than
May 23, 2007 (small health plans have until May 23, 2008). (See the
Standards for Electronic Transactions and Code Sets final rule
published on August 17, 2000 (65 FR 50312), the Modifications to the
Electronic Transaction and Code Sets final rule published on February
20, 2003 (68 FR 8381), and the NPI final rule published on January 23,
2004 (69 FR 3434)). Covered entities include health plans, health care
clearinghouses, and those health care providers who transmit any health
information in electronic form in connection with a transaction for
which the Secretary has adopted a standard.
The NPPES uniquely identifies health care providers by the use of
an
[[Page 30012]]
application process and assigns them their NPIs. The NPPES creates a
record for each health care provider to whom it assigns an NPI. The
records are updated when health care providers furnish updates to the
NPPES.
Health care providers are categorized by the NPPES as two types:
Individuals, such as physicians; and organizations, such as hospitals.
A health care provider may apply for an NPI in one of three ways:
(1) By completing form CMS-10114 (NPI Application/Update Form) and
mailing it to the NPI Enumerator; (2) by applying online at https://NPPES.cms.hhs.gov/
; or (3) by having an approved organization submit
its NPI application data, along with the NPI application data of many
other health care providers, to the NPPES in an electronic format
defined by HHS. (The NPI Application/Update Form, CMS-10114, is
approved under the Paperwork Reduction Act as OMB No. 0938-0931 with an
expiration date of February 29, 2008.)
Health care providers who apply online have electronic access to
the information in their own NPPES records by using user identifiers
and passwords they select. This access allows those health care
providers to submit updates to their NPPES data electronically via the
Web.
Health care providers who apply on the paper form may update their
NPPES data electronically by using user identifiers and passwords they
select. However, health care providers who are individuals and who
submit paper applications but did not furnish SSNs in their
applications must update their NPPES data by using the paper NPI
Application/Update Form.
A health care provider may have its NPI application data submitted
by a HHS-approved organization if the organization offers this service
and the health care provider gives permission for the NPI application
data to be submitted by the organization. An organization, once it is
approved to do so, submits to the NPPES the health care provider's NPI
application data, along with the NPI application data of many other
health care providers who have also agreed to this service. The NPI
application data are submitted to the NPPES for enumeration
electronically in a format defined by HHS. The NPPES processes the NPI
application data and makes available to the organization the NPIs that
were assigned to the health care providers. If NPIs were not assigned
to all of the health care providers, HHS indicates to the organization
why NPIs were not assigned. This process is known as electronic file
interchange (EFI) for bulk enumeration. Information about EFI can be
found at http://www.cms.hhs.gov/NationalProvIdentStand/. Health care
providers who are assigned NPIs via this process may update their own
NPPES data electronically via the Web using user identifiers and
passwords they select. The approved organizations may offer to submit
updates to the health care providers' NPPES data on behalf of the
health care providers, and may do so if the health care providers
agree. The updates are sent to the NPPES in an electronic format
defined by HHS. Information on the format of EFI files is available at
https://NPPES.cms.hhs.gov. The EFI process became available on May 1,
2006.
II. How to Obtain NPI(s) and Other NPPES Data of Enumerated Health Care
Providers
A. Request the NPIs From the Health Care Providers
Entities wishing to obtain the NPI of a health care provider for
use in a standard transaction(s) may contact that health care provider
directly and request the NPI. Health care providers who are covered
entities under HIPAA (known as ``covered health care providers'') are
required by the NPI final rule to disclose their NPIs to any entity
that needs them for use in standard transactions (45 CFR
162.410(a)(3)). Covered organization health care providers that have
subparts that have been assigned NPIs must ensure that those subparts
disclose their NPIs as well (45 CFR 162.410(a)(6)). Because the NPI was
adopted for use in standard transactions, enumerated health care
providers who are not covered health care providers are expected, but
not required, to disclose their NPIs, upon request, to any entity that
needs them for use in standard transactions.
B. Request the NPIs and Other NPPES Health Care Provider Data From HHS
In accordance with the Freedom of Information Act (FOIA), the
Privacy Act, and the CMS FOIA and Privacy Act procedures, HHS has
reviewed the health care provider data elements contained in the NPPES,
which are listed in the NPI final rule (69 FR 3457 through 3460). As a
result of this review, HHS believes that Social Security Numbers
(SSNs), Internal Revenue Service Individual Taxpayer Identification
Numbers (IRS ITINs), and dates of birth (DOB) are not disclosable under
FOIA and, therefore, HHS will not release these three data elements to
the public, which includes HIPAA covered entities. This decision
supports HHS and CMS efforts to prevent or minimize fraud and abuse in
the Medicare and Medicaid programs and in the health care industry in
general. HHS has determined that the remaining health care provider
data elements contained in the NPPES, which are listed in the table
below, are required to be disclosed under the FOIA. HHS believes that
the data elements in the table below are sufficient to enable HIPAA
covered entities to match health care provider records in NPPES with
the health care providers for whom they have data.
Anyone may request NPIs and other NPPES health care provider data
from HHS under the FOIA.
The NPPES data elements that HHS has determined are required to be
disclosed under the FOIA are listed below. They are defined in the NPI
final rule.
NPPES Health Care Provider Data That May Be Disclosed Under FOIA
------------------------------------------------------------------------
For health care providers who are For health care providers who
individuals are organizations
------------------------------------------------------------------------
NPI (This is the provider's NPI. If the NPI (This is the provider's
provider has had an NPI replaced, this NPI. If the provider has had
will be the same NPI as the an NPI replaced, this will be
Replacement NPI.). the same NPI as the
Replacement NPI.)
Entity Type Code: Entity Type Code:
1=Individual....................... 2=Organization
Replacement NPI (This is the provider's Replacement NPI (This is the
NPI if the provider has been assigned provider's NPI if the provider
a Replacement NPI. If the provider has has been assigned a
never been assigned a Replacement NPI, Replacement NPI. If the
this data element will be blank.). provider has never been
assigned a Replacement NPI,
this data element will be
blank.)
Employer Identification Number
(EIN).
Provider Last Name (Legal Name)........ Provider Organization Name
(Legal Business Name).
Provider First Name
[[Page 30013]]
Provider Middle Name
Provider Other Last Name............... Provider Other Organization
Name.
Provider Other Last Name Type Code: Provider Other Organization
Name Type Code:
1=Former Name...................... 3=Doing Business As Name.
2=Professional name................ 4=Former Legal Business
Name.
5=Other............................ 5=Other.
Provider Other First Name
Provider Other Middle Name
Provider Name Prefix Text
Provider Name Suffix Text
Provider Credential Text
Provider First Line Business Mailing Provider First Line Business
Address. Mailing Address.
Provider Second Line Business Mailing Provider Second Line Business
Address. Mailing Address.
Provider Business Mailing Address City Provider Business Mailing
Name. Address City Name.
Provider Business Mailing Address State Provider Business Mailing
Name. Address State Name.
Provider Business Mailing Address Provider Business Mailing
Postal Code. Address Postal Code.
Provider Business Mailing Address Provider Business Mailing
Country Code (If outside U.S.). Address Country Code (If
outside U.S.).
Provider Business Mailing Address Provider Business Mailing
Telephone Number. Address Telephone Number.
Provider Business Mailing Address Fax Provider Business Mailing
Number. Address Fax Number.
Provider First Line Business Location Provider First Line Business
Address. Location Address.
Provider Second Line Business Location Provider Second Line Business
Address. Location Address.
Provider Business Location Address City Provider Business Location
Name. Address City Name.
Provider Business Location Address Provider Business Location
State Name. Address State Name.
Provider Business Location Address Provider Business Location
Postal Code. Address Postal Code.
Provider Business Location Address Provider Business Location
Country Code (If outside U.S.). Address Country Code (If
outside U.S.).
Provider Business Location Address Provider Business Location
Telephone Number. Address Telephone Number.
Provider Business Location Address Fax Provider Business Location
Number. Address Fax Number.
Healthcare Provider Taxonomy Code Healthcare Provider Taxonomy
(Primary Taxonomy required; up to 15 Code (Primary Taxonomy
may be reported). required; up to 15 may be
reported).
Other Provider Identifier.............. Other Provider Identifier.
Other Provider Identifier Type Code.... Other Provider Identifier Type
Code.
Provider Enumeration Date.............. Provider Enumeration Date.
Last Update Date....................... Last Update Date.
NPI Deactivation Reason Code........... NPI Deactivation Reason Code.
NPI Deactivation Date.................. NPI Deactivation Date.
NPI Reactivation Date.................. NPI Reactivation Date.
Provider Gender Code
Provider License Number
Provider License Number State Code
Authorized Official Last Name.
Authorized Official First Name.
Authorized Official Middle
Name.
Authorized Official Title or
Position.
Authorized Official Telephone
Number.
------------------------------------------------------------------------
We anticipate an extraordinary demand from the health care industry
for FOIA-disclosable NPPES health care provider data. Because the
health care industry needs these data in order to develop linkages
between legacy identifiers and NPIs that will be necessary in order to
implement the NPI as required by regulation, and because health care
providers need to know the NPIs of other health care providers in order
to submit HIPAA-compliant health care claims transactions, there is an
extreme urgency for HHS to make these data available. In order to
efficiently respond, HHS will make NPPES health care provider data
available on the Internet. Internet availability eliminates the need
for entities to submit initial and ongoing requests for data to HHS and
for HHS to process and respond to each of those requests. We believe
that making these data available on the Internet is the most efficient
and effective means of dissemination.
HHS will make the FOIA-disclosable NPPES health care provider data
available in downloadable files and in a query-only database, as
described below in items 1 and 2, respectively. Upon publication of
this notice, HHS will announce the Internet locations of the
downloadable files and the query-only database on the CMS NPI Web page
(http://www.cms.hhs.gov/NationalProvIdentStand/). At the same time, CMS
will communicate that information in its provider listservs and to its
business partners and other health care industry associations with whom
CMS works on issues related to NPI implementation.
The initial downloadable file and the query-only database will be
available 30 days after the publication date of this notice.
We remind health care providers who are covered entities under
HIPAA that they are required by the NPI final rule to update their
NPPES data within 30 days of the changes, and we encourage other health
care providers who have been assigned NPIs to do the same. Further,
prior to CMS'' disclosure of NPPES health care provider data, we
encourage health care providers who have been assigned NPIs to check
the information in their NPPES records to ensure it is current. Some
health care providers may wish to delete optional NPPES data that they
furnished when applying for their NPIs since the
[[Page 30014]]
information provided in these optional fields is not required. For
example, the data contained in the ``Other Names'' and ``Other Provider
Identifiers'' data fields are optional. Further, a primary ``Healthcare
Provider Taxonomy Code'' is required to be furnished when applying for
an NPI; however, the reporting of additional ``Healthcare Provider
Taxonomy Codes'' (a total of 15 may be reported) is optional.
The HHS NPPES data dissemination policy is as follows:
1. NPPES health care provider data that are required to be
disclosed under the FOIA will be available as a downloadable file on a
Web site.
Section 552(a)(2)(D) of the FOIA requires agencies to make
available by electronic means copies of records which have been
released to any person under the FOIA and which, because of the nature
of their subject matter, the agency determines have become or are
likely to become the subject of subsequent requests for substantially
the same records. We believe that the demand for NPPES health care
provider data will be such that it will justify our making NPPES health
care provider data that are required to be disclosed under the FOIA
available for download by the public from an Internet Web site. The
location of the downloadable file will be announced on the CMS NPI Web
page (http://www.cms.hhs.gov/NationalProvIdentStand/) prior to its
availability. Each month, an update file will also be available for
download from the same Web site. The update file will not replace the
initial file: The update file will contain only (1) data that are
required to be disclosed under FOIA for health care providers who
obtained NPIs within the prior month, and (2) updates and changes to
the data that are required to be disclosed under the FOIA for
enumerated health care providers that were made within the prior month.
The first update file will be available for downloading 30 days after
the availability of the initial file, and a new update file will be
available for downloading each month thereafter.
There will be no charge to download the files.
We may decide to discontinue making these files available if we
determine that the query-only database described in (2) below is an
adequate replacement.
The NPPES data elements that HHS has determined are required to be
disclosed under FOIA and will be contained in the downloadable files
are listed in the table above.
2. NPPES health care provider data that HHS has determined are
required to be disclosed under FOIA will be available in a query-only
database on an Internet Web site.
Section 552(a)(2)(D) of the FOIA requires agencies to make
available by electronic means copies of records which have been
released to any person under the FOIA and which, because of the nature
of their subject matter, the agency determines have become or are
likely to become the subject of subsequent requests for substantially
the same records.
We believe that the demand for NPPES health care provider data will
be such that it will justify our making a query-only database
containing NPPES health care provider data that are required to be
disclosed under the FOIA available to the public on an Internet Web
site. Users will be able to run simple queries online, such as queries
by NPI and by name of health care provider.
There will be no charge to use the query-only database.
The NPPES data elements that HHS has determined are required to be
disclosed under FOIA and will be available from the query-only database
are listed in the table above.
3. Other requests for NPPES health care provider data that HHS has
determined are required to be disclosed under the FOIA.
Requests for FOIA-disclosable data in formats or in media that are
not described above, or any other custom requests, will be considered
in accordance with the FOIA and CMS FOIA procedures and charges (see
http://www.cms.hhs.gov/AboutWebsite/04_FOIA.asp). For example, these
could be requests for FOIA-disclosable data for specific health care
providers, or for health care providers in certain States or with
certain Healthcare Provider Taxonomy Codes, or requests for FOIA-
disclosable data on CD, diskette, or paper. These requests must be
described in detail and be submitted to the following address: Centers
for Medicare & Medicaid Services, Office of Strategic Operations and
Regulatory Affairs, Freedom of Information Group, Room N2-20-16, 7500
Security Boulevard, Baltimore, Maryland 21244-1850.
Requests may be sent by fax to (410) 786-0474. We will not
acknowledge, respond to, or honor requests that are made by telephone.
III. Collection of Information Requirements
This document does not impose information collection and
recordkeeping requirements. Consequently, it need not be reviewed by
the Office of Management and Budget under the authority of the
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).
Authority: Sections 1171 through 1179 of the Social Security Act
(42 U.S.C. 1320d-1320d-8), as added by section 262 of Pub. L. 104-
191. 42 CFR 162, Subpart D. (Catalog of Federal Domestic Assistance
Program, No. 93.773, Medicare--Hospital Insurance Program; and No.
93.774, Medicare--Supplementary Medical Insurance Program)
Dated: August 30, 2005.
Mark B. McClellan,
Administrator, Centers for Medicare & Medicaid Services.
Dated: February 22, 2007.
Michael O. Leavitt
Secretary, Department of Health and Human Services.
[FR Doc. 07-2651 Filed 5-23-07; 4:12 pm]
BILLING CODE 4120-01-P