[Federal Register Volume 69, Number 15 (Friday, January 23, 2004)]
[Rules and Regulations]
[Pages 3434-3469]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 04-1149]
[[Page 3433]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Part 162
HIPAA Administrative Simplification: Standard Unique Health Identifier
for Health Care Providers; Final Rule
��Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules
and Regulations��
[[Page 3434]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 162
[CMS-0045-F]
RIN 0938-AH99
HIPAA Administrative Simplification: Standard Unique Health
Identifier for Health Care Providers
AGENCY: Centers for Medicare & Medicaid Services, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule establishes the standard for a unique health
identifier for health care providers for use in the health care system
and announces the adoption of the National Provider Identifier (NPI) as
that standard. It also establishes the implementation specifications
for obtaining and using the standard unique health identifier for
health care providers. The implementation specifications set the
requirements that must be met by ``covered entities'': Health plans,
health care clearinghouses, and those health care providers who
transmit any health information in electronic form in connection with a
transaction for which the Secretary has adopted a standard (known as
``covered health care providers''). Covered entities must use the
identifier in connection with standard transactions.
The use of the NPI will improve the Medicare and Medicaid programs,
and other Federal health programs and private health programs, and the
effectiveness and efficiency of the health care industry in general, by
simplifying the administration of the health care system and enabling
the efficient electronic transmission of certain health information.
This final rule implements some of the requirements of the
Administrative Simplification subtitle F of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).
EFFECTIVE DATE: May 23, 2005, except for the amendment to Sec.
162.610, which is effective on January 23, 2004. Health care providers
may apply for NPIs beginning on, but no earlier than, May 23, 2005.
FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.
SUPPLEMENTARY INFORMATION:
Copies: To order copies of the Federal Register containing this
document, send your request to: New Orders, Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date
of the issue requested and enclose a check or money order payable to
the Superintendent of Documents, or enclose your Visa or Master Card
number and expiration date. Credit card orders can also be placed by
calling the order desk at (202) 512-1800 or by faxing to (202) 512-
2250. The cost for each copy is $10. As an alternative, you can view
and photocopy the Federal Register document at most libraries
designated as Federal Depository Libraries and at many other public and
academic libraries throughout the country that receive the Federal
Register. This Federal Register document is also available from the
Federal Register online database through GPO access, a service of the
U.S. Government Printing Office. The Web site address is http://
www.access.gpo.gov/nara/index.html. This document is also available
from the Department's Web site at http://aspe.hhs.gov/admnsimp/.
I. Background
In order to administer its programs, a health plan assigns
identification numbers to its providers of health care services and its
suppliers. A health plan may be, among other things, a Federal program
such as Medicare, a State Medicaid program, or a private health plan.
The identifiers it assigns are frequently not standardized within a
single health plan or across health plans, which results in the single
health care provider having different identification numbers for each
health plan, and often having multiple billing numbers issued within
the same health plan. This complicates the health care provider's
claims submission processes and may result in the assignment of the
same identification number to different health care providers by
different health plans.
A. NPI Initiative
In July 1993, the Centers for Medicare & Medicaid Services (CMS)
(formerly the Health Care Financing Administration (HCFA)), undertook a
project to develop a health care provider identification system to meet
the needs of the Medicare and Medicaid programs and, ultimately, the
needs of a national identification system for all health care
providers. Active participants in the project represented both
government and the private sector. The project participants decided to
develop a new identifier for health care providers because existing
identifiers did not meet the criteria for national standards. The new
identifier, known as the National Provider Identifier (NPI), did not
have the limitations of the existing identifiers, and it met the
criteria that had been recommended by the Workgroup for Electronic Data
Interchange (WEDI) and the American National Standards Institute
(ANSI).
B. The Results of the NPI Initiative
As a result of the project, and before the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191,
which was enacted on August 21, 1996, required the adoption and use of
a standard unique identifier for health care providers, CMS and the
other project participants accepted the NPI as the standard unique
health identifier for health care providers. CMS decided to implement
the NPI for Medicare, and began work on developing the National
Provider System (NPS), which was intended to capture health care
provider data and be equipped with the technology necessary to maintain
and manage the data. The NPS was intended to be able to accept health
care provider data in order to uniquely identify a health care provider
and assign it an NPI. The NPS was intended to be designed so it could
be used by other Federal and State agencies, and by private health
plans, if deemed appropriate, to enumerate their health care providers
that did not participate in Medicare.
C. Legislation
The Congress included provisions to address the need for a standard
unique health identifier for health care providers and other health
care system needs in the Administrative Simplification provisions of
HIPAA. Through subtitle F of title II of that law, the Congress added
to title XI of the Social Security Act (the Act) a new part C, entitled
``Administrative Simplification.'' (Pub. L. 104-191 affects several
titles in the United States Code.) The purpose of part C is to improve
the Medicare and Medicaid programs in particular, and the efficiency
and effectiveness of the health care system in general, by encouraging
the development of a health information system through the
establishment of standards and implementation specifications to
facilitate the electronic transmission of certain health information.
Part C of title XI consists of sections 1171 through 1179 of the
Act. These sections define various terms and impose requirements on the
Secretary of the Department of Health and Human Services (HHS), health
plans, health care clearinghouses, and certain health care providers
concerning the adoption of standards and implementation specifications
relating to health
[[Page 3435]]
information. Section 1173(b) of the Act requires the Secretary to adopt
standards providing for a standard unique health identifier for each
individual, employer, health plan, and health care provider for use in
the health care system and to specify the purposes for which the
identifiers may be used. It also requires the Secretary to consider
multiple locations and specialty classifications for health care
providers in developing the standard health identifier for health care
providers. We discussed other general aspects of the HIPAA statute in
greater detail in the May 7, 1998, proposed rule (63 FR 25320).
D. Plan for Implementing Administrative Simplification Standards
On May 7, 1998, we proposed a standard unique health identifier for
health care providers and requirements concerning its implementation
(63 FR 25320). That proposed rule also set forth requirements that
health plans, health care clearinghouses, and covered health care
providers would have to meet concerning the use of the standard. On May
7, 1998, we also proposed standards for transactions and code sets (63
FR 25272). We published the final rule, entitled Health Insurance
Reform: Standards for Electronic Transactions (the Transactions Rule),
on August 17, 2000 (65 FR 50312). On May 31, 2002, in two separate
proposed rules, we published proposed modifications to the Standards
for Electronic Transactions. We published a final rule adopting
modifications to the Transactions Rule on February 20, 2003 (68 FR
8381).
On November 3, 1999, we proposed standards for privacy of
individually identifiable health information (64 FR 59918). We
published the final rule, entitled Standards for Privacy of
Individually Identifiable Health Information (the Privacy Rule), on
December 28, 2000 (65 FR 82462). On March 27, 2002, we proposed
modifications to the Privacy Rule. On August 14, 2002, we published
modifications to the Privacy standards in a final rule, entitled
``Standards for Privacy of Individually Identifiable Health
Information'' (the Privacy Rule Modifications) (67 FR 53182).
On June 16, 1998, we proposed the standard unique employer
identifier (63 FR 32784). On May 31, 2002, we published the final rule,
entitled ``Standard Unique Employer Identifier'' (67 FR 38009).
On August 12, 1998, we proposed standards for security and
electronic signatures (63 FR 43242). On February 20, 2003, we published
the final rule on security standards (the Security Rule) (68 FR 8334).
On April 17, 2003, we published an interim final rule adopting
procedures for the investigation and imposition of civil money
penalties and the conduct of hearings when the imposition of a penalty
is challenged (68 FR 18895). The interim final rule is the first
installment of a larger rule, known as the Enforcement Rule, the rest
of which is to be proposed at a later date.
We will be proposing standards for the unique health plan
identifier and claims attachments.
In the May 7, 1998, proposed rule for the standard unique health
identifier for health care providers, we proposed to add a new part 142
to title 45 of the Code of Federal Regulations (CFR) for the
administrative simplification standards and requirements. We have
decided to codify the final rules in 45 CFR part 162 instead of part
142. The Transactions Rule (65 FR 50312) explains why we made this
change and lists the subparts and sections comprising part 162. In this
final rule, we reference the proposed text using part 142, and
reference the final text using part 162.
In the Transactions Rule, we addressed (at 65 FR 50314) the
comments that were made on issues that were common to the proposed
rules on standards for electronic transactions, the standard employer
identifier, the standards for security and electronic signatures, and
the standard health care provider identifier. Those issues relate to
applicability, definitions, general effective dates, new and revised
standards, and the aggregate impact analysis. In that final rule, we
set out the general requirements in part 160 subpart A and part 162
subpart A. We refer the reader to that rule for more information on all
but our discussion of issues pertinent to the standard unique health
identifier for health care providers and the definition of health care
provider.
E. Employer Identifier Standard: Waiver of Proposed Rulemaking and
Effective Date for Uses of Employer Identifier
As stated in section I.D., ``Plan for Implementing Administrative
Simplification Standards,'' of this preamble, we published the final
rule that adopted the standard unique employer identifier on May 31,
2002 (67 FR 38009). The Employer Identifier was adopted as that
standard effective July 30, 2002. We amend Sec. 162.610 as explained
below.
We ordinarily publish a correcting amendment of proposed rulemaking
in the Federal Register and invite public comment on the correcting
amendment before its provisions can take effect. We also ordinarily
provide a delay of 30 days in the effective date of the final rule. We
can waive notice and comment procedure and the 30-day delay in the
effective date, however, if we find good cause that a notice and
comment procedure is impracticable, unnecessary, or contrary to the
public interest and we incorporate a statement in the correcting
amendment of this finding and the reasons supporting that finding.
We find that seeking public comment on and delaying the effective
date of this correcting amendment would be contrary to the public
interest. Section 1173(b)(2) of the Act requires that the standards
regarding unique health care identifiers specify the purposes for which
they may be used. Section 162.610 requires a covered entity to use the
standard unique employer identifier--the employer identification number
(EIN) assigned by the Internal Revenue Services (IRS), U.S. Department
of the Treasury--in standard transactions that require an employer
identifier. Unless Sec. 162.610 is amended to permit use of the
standard unique employer identifier for all other lawful purposes, the
Act could be read to subject covered entities that use their EIN for
other purposes to civil money penalties under section 1176 of the Act
and criminal penalties under section 1177 of the Act, a result that we
did not intend. The IRS requires any taxpayer assigned an EIN to use
the EIN as its taxpayer identifying number. Statutes and regulations
also authorize or require other Federal agencies, including the
Departments of Agriculture, Commerce, Education, Housing and Urban
Development, and Labor, to collect EINs in connection with
administering various Federal programs and laws. Since some of these
agencies may conduct transactions with covered entities or may be
covered entities in their own right, failure to promptly publish the
correcting amendment could cause conflict between Sec. 162.610 and
other statutory and regulatory directives, generating uncertainty for
covered entities and potentially disrupting the administration of other
Federal programs and laws. We believe that it is necessary to eliminate
that uncertainty and potential disruption and to do so as soon as
practicable by amending Sec. 162.610 to include as permitted uses of
the EIN all other lawful purposes. Therefore, we find good cause to
waive the notice and comment procedure and the 30-day
[[Page 3436]]
delay in the effective date as being contrary to the public interest.
II. Provisions of the Regulations and Discussion of Public Comments
Within each section of this final rule, we set forth the proposed
provision contained in the May 7, 1998, proposed rule, summarize and
respond (if appropriate) to the comments we received on the proposed
provision, and present the final provision.
It should be noted that the proposed rule contained multiple
proposed ``requirements.'' In this final rule, we replace the term
``requirement'' with the term ``implementation specification,'' where
appropriate. We do this to maintain consistency with the use of those
terms as they appear in the statute and the other published HIPAA
rules. Within the comment and response portion of this final rule, for
purposes of continuity, however, we use the term ``requirement'' when
we are referring specifically to matters from the proposed rule. In all
other instances, we use the term ``implementation specification.''
In the May 7, 1998, proposed rule, we proposed a standard unique
health identifier for health care providers. We listed the kinds of
identifying information that would be collected about each health care
provider in order to assign the identifier.
In addition to the requirement that health care providers use the
standard, the May 7, 1998, proposed rule also proposed other
requirements for health care providers:
[sbull] Each health care provider must obtain, by application if
necessary, an NPI.
[sbull] Each health care provider must accept and transmit NPIs
whenever required on all standard transactions it accepts or transmits
electronically.
[sbull] Each health care provider must communicate to the National
Provider System (NPS) any changes to the data elements in its record in
the NPS within 60 days of the change.
[sbull] Each health care provider may receive and use only one NPI.
An NPI is inactivated upon death or dissolution of the health care
provider.
A. General Provisions
1. Applicability
The May 7, 1998, proposed rule for the standard unique health
identifier for health care providers discussed the applicability of
HIPAA to covered entities. The proposed rule provided that section 262
(Administrative Simplification) of HIPAA applies to health plans,
health care clearinghouses, and health care providers when health care
providers electronically transmit any of the transactions to which
section 1173(a)(1) of the Act refers. Comments received with respect to
Applicability are discussed in sections II. A. 2., ``Definition of
Health Care Provider,'' and II. A. 5., ``Implementation Specifications
for Health Care Providers, Health Plans, and Health Care
Clearinghouses'' of this preamble.
2. Definition of Health Care Provider
In the Transactions Rule, we summarized the comments we received on
the definitions we proposed in the May 7, 1998, NPI proposed rule (at
63 FR 25324), with the exception of the definition of ``health care
provider.'' We codified all of the definitions in 45 CFR 160.103 and 45
CFR 162.103. Specifically, we codified the definition of ``health care
provider'' at 45 CFR 160.103. We are responding in this preamble to the
comments we received on the definition of ``health care provider,'' as
we believe that these comments present issues that are more relevant to
the standard unique health identifier for health care providers. As
appropriate, our responses refer to discussions and decisions that were
published in the Privacy Rule (65 FR 82462). This final rule does not
change the definition of ``health care provider'' at Sec. 160.103.
This final rule adds the definition of ``covered health care provider''
at Sec. 162.402.
Proposed Provisions (Sec. 142.103)
In the May 7, 1998, proposed rule, we proposed to define ``health
care provider'' as a provider of services as defined in section 1861(u)
of the Act, a provider of medical or other health services as defined
in section 1861(s) of the Act, and any other person who furnishes or
bills and is paid for health care in the normal course of business (63
FR 25325). We based the proposed definition on section 1171(3) of the
Act for the reasons we stated in the May 7, 1998, proposed rule.
Comments and Responses on the Definition of ``Health Care Provider''
Comment: We received many comments concerning the kinds of entities
that should receive NPIs. Some of these comments recommended that the
definition of a ``health care provider'' be constructed narrowly to
restrict the kinds of entities that would be eligible to receive NPIs;
others recommended that the definition be constructed broadly. Comments
did not reflect a consensus or majority view across all commenters or
even within the two groups of commenters who recommended a narrow or a
broad definition of ``health care provider.''
Commenters favoring a narrow definition of ``health care provider''
gave the following examples of entities to which NPIs should or should
not be issued:
[sbull] Only to those licensed to furnish health care.
[sbull] Only to individuals and entities that furnish health care.
[sbull] Only to billing health care providers.
[sbull] Only to licensed health care providers that furnish care,
bill, and are paid by third party payers for services.
[sbull] Not to physicians who have opted out of government medical
programs.
[sbull] Not to groups, partnerships, or corporations.
[sbull] Not to entities that bill or are paid for health care
services furnished by other health care providers. A billing or pay-to
entity should be identified by its taxpayer identifying number, not by
an NPI.
[sbull] Not to clearinghouses, administrative services only
vendors, billing services, or health care provider service locations.
Commenters favoring a broad definition of ``health care provider''
gave the following examples of entities to which NPIs should be issued:
[sbull] Any health care provider that has a taxpayer identifying
number.
[sbull] Any individual or organization, including Independent
Practice Associations and clearinghouses, that ever has custody of or
transmits a health care claim or encounter record.
[sbull] All health care provider groups.
[sbull] Each billing health care provider, health care provider
billing location, pay-to provider, performing health care provider,
health care provider service location, and health care provider
specialty.
[sbull] Each incorporated individual and ``doing business as'' name
of an organization.
[sbull] The lowest organizational level of an entity that needs to
be identified.
Response: Although there was no consensus from commenters as to
which entities should receive NPIs, several principles can be inferred.
Many commenters who favored a narrow definition of ``health care
provider'' want to simplify the current situation for health care
providers; that is, a health care provider may have many health care
provider numbers assigned by health plans for different business
functions. The health care provider numbers sometimes represent the
actual health care provider that furnishes health care, but may also
represent the health care provider's
[[Page 3437]]
service locations, corporate headquarters, specialties, pay-to
arrangements, or contracts. Those who favored a narrow definition
generally believed the NPI should represent only the health care
provider that furnishes health care.
Commenters who favored a broad definition of ``health care
provider'' recognized the many business functions and uses in health
care transactions fulfilled by health care provider numbers today.
These business functions will continue to need to be performed after
the implementation of the NPI. In order for the NPI to replace the
multiple, proprietary health care provider numbers assigned by health
plans today, the NPI must be assigned so that the business functions
can continue. Those who favored a broad definition believed that if the
NPI is not able to identify the health care provider entities that must
be identified in an electronic health care claim or equivalent
encounter information transaction, health plans will be forced to
continue to use their existing proprietary health care provider numbers
and the NPI will add to, rather than replace or simplify, health care
provider numbering systems currently in use.
The varying needs for health care provider numbers guided our
decisions on which entities would be eligible to receive NPIs. Our
general rule is that all health care providers, as we define that term
in the regulations, will be eligible to receive NPIs. We discuss this
in detail later in this section.
It is important to note that not all health care providers who are
eligible to receive NPIs will necessarily be required to comply with
the HIPAA regulations. This is because some health care providers are
not covered entities under HIPAA. The fact that a health care provider
obtains an NPI does not impose covered entity status on that health
care provider. Only those entities that (1) meet the definition of
health care provider at Sec. 160.103, and (2) transmit health
information in electronic form on their own behalf, or that use a
business associate to transmit health information in electronic form on
their behalf, in connection with a transaction for which the Secretary
has adopted a standard (a covered transaction) are health care
providers who are required to comply with the HIPAA regulations. These
health care providers are covered health care providers and are
considered ``covered entities'' under HIPAA. As noted above, we add a
definition of ``covered health care provider'' at Sec. 162.402.
The following discussion clarifies the eligibility of health care
providers to be assigned NPIs and distinguishes between those that are
covered entities under HIPAA and those that are not.
``Health care provider'' is defined in the regulations at Sec.
160.103 as follows ``Health care provider means a provider of services
as defined in section 1861(u) of the Act, 42 U.S.C. 1395X(u), a
provider of medical or health services as defined in section 1861(s) of
the Act, 42 U.S.C. 1395x(s), and any other person or organization who
furnishes, bills, or is paid for health care in the normal course of
business.'' Examples of health care providers included in this
definition are: Physicians and other practitioners; hospitals and other
institutional providers; suppliers of durable medical equipment,
supplies related to health care, prosthetics, and orthotics; pharmacies
(including on-line pharmacies) and pharmacists; and group practices.
Additional examples are health maintenance organizations that may be
considered health care providers as well as health plans if they also
provide health care.
There are individuals and organizations that furnish atypical or
nontraditional services that are indirectly health care-related, such
as taxi, home and vehicle modifications, insect control, habilitation,
and respite services. These types of services are discussed in the
Transactions Rule at 65 FR 50315. As stated in that Rule, many of these
services do not qualify as health care services because the services do
not fall within our definition of ``health care.'' An individual or
organization must determine if it provides any services that fall
within our definition of ``health care'' at Sec. 160.103. If it does
provide those services, it is considered a health care provider and
would be eligible for an NPI. If it does not, and does not provide
other services or supplies that bring it within the definition of
``health care provider,'' it would not be a health care provider under
HIPAA, and would not be eligible to receive an NPI.
The nonhealth care services of some atypical or nontraditional
service providers are reimbursed by some health plans. Nevertheless,
there is no requirement under HIPAA to use the standard transactions
when submitting electronic claims for these types of services, because
claims for these services are not claims for health care. (Health
plans, however, are free to establish their own requirements for
submitting claims in these circumstances, which means that a health
plan could require atypical and nontraditional service providers to
submit standard transactions. The health plans could not require these
entities to obtain NPIs to use in those transactions, however, because
those entities are not eligible to receive NPIs.)
There are other individuals and organizations that, in the normal
course of business, bill or receive payment for health care that is
furnished by health care providers. These individuals and organizations
may include billing services, value-added networks, and repricers.
While these entities bill for health care, we do not read the statutory
definition of ``health care provider'' as encompassing them. Rather,
they would usually be acting as agents of health care providers in
performing the billing function, or as health care clearinghouses
assuming that they perform the data translation function described in
the definition of ``health care clearinghouse'' at Sec. 160.103. The
definition of ``health care clearinghouse'' specifically lists these
entities as examples of health care clearinghouses. The health care
industry does not consider these types of entities to be health care
providers. Further, we do not believe that the Congress intended for
them to be considered as such, as the statutory definition of ``health
care provider'' refers only to ``other person furnishing health care
services or supplies'' and thus would exclude persons who only bill
for, but do not furnish, health care services or supplies. Thus, this
final rule does not include billing services and similar entities as
health care providers. Therefore, because these kinds of entities are
not health care providers, they will not be eligible for NPIs.
Comment: The Workgroup for Electronic Data Interchange (WEDI)
commented that the NPI should be the only identifier for health care
providers when the HIPAA transactions require provider identification.
WEDI suggested that, to the extent provider-payer contracts require
locations, location codes, and contract references, these should be
handled outside of the NPS. To the extent numbers associated with
providers (for example, Taxpayer Identifying Number (TIN) and Drug
Enforcement Administration (DEA) number) are required for specific
purposes other than provider identification, the HIPAA transactions
should accommodate those numbers (and qualifiers) in the appropriate
segments of the transactions.
WEDI recommended that:
[sbull] Health care providers who are individual human beings
obtain one and only one NPI for life;
[sbull] Health care providers endeavor to have only one NPI per
organization, but
[[Page 3438]]
that the final decision on how many NPIs are necessary for an
organization health care provider be left to the health care provider;
and
[sbull] At a minimum, and as the most critical criterion, the NPS
data associated with any additional NPIs that an organization decides
to obtain must not be identical to those associated with any other NPI
in use by the organization.
Some commenters supported our proposal that, if a separate physical
location of an organization health care provider, member of a chain, or
subpart of an organization health care provider needs to be separately
identified, it would be eligible to get a separate NPI. A few
commenters stated that different physical locations or subparts of an
organization health care provider should not get separate NPIs. One
commenter recommended that the NPS issue separate NPIs for separate
physical locations, members of a chain, or subparts of an organization
health care provider only if these are separately licensed or
certified. The commenter believes that the issuance of separate
licenses and certifications justifies their recognition as separate
health care providers. Another commenter recommended that the NPS issue
separate NPIs for these entities if Medicare considers the entities to
be separate health care providers. A number of large health plans
consider each physical location of a supplier of health care-related
supplies to be a separate health care provider in order to uniquely
identify it on claims to enable accurate pricing and reimbursement.
Response: We agree in concept with the recommendations made by
WEDI.
At the time we published the proposed rule and received public
comments on it, the Secretary had not yet adopted standards for any of
the HIPAA Administrative Simplification provisions. Since that time,
and as noted in section I. D., ``Plan for Implementing Administrative
Simplification Standards'' of this preamble, the Secretary has adopted
a number of Administrative Simplification standards, including the
Privacy and Security standards. The following discussion describes the
assignment of NPIs to certain organization health care providers and
the relationship, if any, of the assignment methodology to the
standards and implementation specifications adopted in the Privacy and
Security Rules.
Many health care providers that are organizations (such as
hospitals and chains of suppliers of health care-related supplies,
pharmacies, and others) are made up of components or separate physical
locations. Many of these components or separate physical locations are
separately certified or licensed by States as health care providers.
[sbull] Examples of hospital components include outpatient
departments, surgical centers, psychiatric units, and laboratories.
These components are often separately licensed or certified by States
and may exist at physical locations other than that of the hospital of
which they are a component. Many health plans consider these components
to be health care providers in their own right. Many of these
components bill independently of the hospital of which they are a
component.
[sbull] Organization health care providers that are chains
generally have a corporate headquarters and a number of separate
physical locations. A durable medical equipment supplier chain, for
example, has a corporate headquarters and separate physical locations
at which durable medical equipment is dispensed to patients. The
separate physical locations are generally separately licensed or
certified by States. They often operate independently of each other and
usually do their own billing. Many health plans consider each separate
physical location to be a health care provider itself; and many of
these health plans, including Medicare, reimburse for these items based
on the geographic location where the items are dispensed to patients
and not on the geographic location of the corporate headquarters.
An entity that meets certain Federal statutory implementation
specifications and regulations is eligible to participate in the
Medicare program. Our definition of ``health care provider'' at Sec.
160.103 includes those eligible to participate in Medicare as described
in Federal statute (that is, in Sec. 1861(s) and Sec. 1861(u) of the
Social Security Act). These entities, according to Federal statute and
regulations, must be issued their own identification numbers in order
to bill and receive payments from Medicare. The Federal statutes and
regulations similarly affect the Medicaid program.
Health care providers that are covered entities (see the definition
at Sec. 160.103) are required to comply with this final rule. Thus,
while all health care providers (as defined in Sec. 160.103) are
eligible to be assigned NPIs and may, therefore, obtain NPIs, health
care providers that are covered entities must obtain NPIs. As mentioned
earlier in this section, a health care provider that is not a covered
entity and which has been assigned an NPI does not become a covered
entity as a result of NPI assignment.
We refer to the components and separate physical locations
described in the bulleted examples above as ``subparts'' of
organization health care providers.
We use the term ``subpart'' to avoid confusion with the term
``health care component'' in the Privacy and Security Rules. We discuss
terms and concepts in the Privacy and Security Rules later in this
section.
Section 1173(b)(1) of the Act provides that the Secretary ``shall
take into account multiple uses for identifiers and multiple locations
and specialty classifications for health care providers.'' This
language indicates that Congress realized that certain health care
providers operate at multiple locations and/or provide multiple types
of health care services, and intended that the identifier standard take
these variations in circumstance into account. We accommodate this
language by requiring covered health care providers to obtain NPIs for
subparts of their organizations that would otherwise meet the tests for
being a covered health care provider themselves if they were separate
legal entities, and permitting health care providers to obtain NPIs for
subparts that do not meet these tests but otherwise qualify for
assignment of an NPI. For example, a subpart may qualify for assignment
of an NPI based on such factors as the subpart having a location and
licensure separate from the organization health care provider of which
it is a subpart. Licensure is often indicative of specialty (Healthcare
Provider Taxonomy) classification. Thus, the assignment scheme created
by this final rule provides flexibility in addressing the varied
circumstances of health care providers, as Congress intended.
A ``subpart'' described in this final rule may differ from a
``health care component'' described in the Privacy and Security Rules.
Therefore, it is appropriate to discuss these concepts and their
relationship, if any, to the assignment of NPIs as established by this
final rule.
Standards and implementation specifications for the Privacy and
Security standards fall under part 164--Security and Privacy, of 45
CFR, whereas the implementation specifications for the standard unique
health identifier for health care providers (and for the other
identifiers mandated by HIPAA) are within part 162--Administrative
Implementation Specifications, of 45 CFR. The broad concepts of
ownership, control, and structure of covered entities are relevant
[[Page 3439]]
to determining the scope of, and defining responsibility for,
implementing the Privacy and Security standards; therefore, we
addressed those concepts in those rules. On the other hand, the
concepts of ownership, control, and structure are of no significant
value or importance in determining the health care providers that may
be eligible to obtain NPIs, which is why those concepts are not
discussed in this final rule.
The term ``hybrid entity'' is defined in part 164, which is
applicable to the Privacy and Security Rules, and may be a factor in
determining responsibility for the implementation of the Privacy and
Security standards and implementation specifications. It is defined in
Sec. 164.103 and is discussed in the Privacy Rule at 65 FR 82502. It
is possible that an organization health care provider may be a hybrid
entity and, as such, may designate health care components for purposes
of implementing the Privacy and Security Rules. It is possible and,
indeed, likely that subparts as described earlier in this preamble may
be health care components of a hybrid entity. It is also possible that
the subparts may not align precisely with the designated health care
components. There is no necessary correlation between what is a subpart
and what is a health care component, and there need not be because, as
stated above, the nature and function of the Privacy and Security
standards differ from those of the health care provider identifier
standard. The level of assignment of NPIs must be adequate to enumerate
entities that meet the definition of ``health care provider'' at Sec.
160.103. It is, therefore, possible that a designated health care
component may in essence be assigned multiple NPIs if the health care
component is made up of multiple health care providers or subparts, as
described earlier.
The term ``organized health care arrangement'' is discussed in the
Security and Privacy Rules and is defined at Sec. 160.103. It is
possible that subparts that are also health care components may elect
to come together to form an organized health care arrangement. Whether
or not subparts participate in an organized health care arrangement for
purposes of implementing the Privacy or Security standards has no
effect on their eligibility to be assigned NPIs.
It must be kept in mind, with respect to the subparts as described
in this preamble, that the organization health care provider is a legal
entity and is the covered entity under HIPAA if it (or a subpart or
component) transmits health information in electronic form (or uses a
business associate to do so) in connection with a covered transaction.
The subparts are simply parts of the legal entity. The legal entity--
the covered entity--is ultimately responsible for complying with the
HIPAA rules and for ensuring that its subparts and/or health care
components are in compliance. The organization health care provider, of
which the subpart is a part, is responsible for ensuring that the
subpart complies with the implementation specifications in this final
rule. The organization health care provider is responsible for
determining if its subpart or subparts must be assigned NPIs, as
discussed above in this section of the preamble. The organization
health care provider is also responsible for applying for NPIs for its
subparts or for instructing its subparts to apply for NPIs themselves.
(That is, it is not necessary that an application for an NPI be made by
the organization health care provider on behalf of its subpart.)
Comment: Some commenters expressed concern that the professional
claim or equivalent encounter information transaction be able to
accommodate address or location information associated with billing,
pay-to, and furnishing health care providers.
Response: The ASC X12N 837 Health Care Claim: Professional, adopted
in the Transactions Rule, accommodates addresses for all these
entities.
Comment: Some commenters stated their desire for an identifier to
represent each service address, for the purpose of reporting the
location of service on a professional health care claim.
Response: We believe that the location of service can properly be
reported by use of data elements in the standard professional health
care claim or equivalent encounter information transaction. The address
where service was furnished (if different from the billing or pay-to
provider's address and if not at the patient's home) is accommodated in
the X12N 837 Professional Claim in the Service Facility Location loop.
For these reasons, we do not believe a health care provider identifier
needs to be assigned to every address at which a service can be
provided. If health plans need service location data in addition to the
data that are accommodated in the standard health care claim
transaction, they should notify the organization responsible for that
transaction (see Sec. 162.910 and Sec. 162.1102).
Comment: Several commenters named specific kinds of practitioners
or entities that should be eligible to receive NPIs. These commenters
cited practitioners who write prescriptions, home health housekeepers,
long-term care providers, providers of home health services, meals on
wheels, and transportation.
Response: Entities that do not furnish health care, and do not meet
the definition of health care provider, will not be eligible to receive
NPIs. A title does not necessarily indicate that an entity does or does
not furnish health care. Entities who are unsure as to whether they are
health care providers should check the definition of ``health care'' in
Sec. 160.103 to determine whether the kinds of services they furnish
are health care services.
Comment: Some commenters stated that billing services should not
receive NPIs. None of these commenters gave a definition or criteria to
distinguish billing services from entities that would be eligible to be
assigned NPIs. Other commenters stated that these definitions and
criteria would be difficult to apply.
Response: As stated earlier in this section, billing services do
not meet our regulatory definition of health care provider and,
therefore, will not be eligible for NPIs. Generally, the health care
provider that furnished health care is the ``Billing provider'' on the
X12N 837 transaction and would identify itself with an NPI. If a
billing service needs to be identified as the ``Billing provider,'' it
would identify itself with either an Employer Identification Number
(EIN) or a Social Security Number (SSN).
Comment: Several commenters noted that the term ``medical care'' in
our descriptions of individual and organization health care providers
should be replaced with the term ``health care.'' They were concerned
that one could construe ``medical care'' to mean only care that was
physician-supplied or physician-authorized.
Response: We agree with the comment and have replaced the term
``medical care'' with ``health care'' in our discussion of individual
and organization health care providers.
Comment: A majority of commenters stated that the NPS should not
distinguish between organization health care providers and group health
care providers. The NPS should collect the same data for both. A few
other commenters suggested a definition for group, but did not suggest
that different data should be collected for a group health care
provider than for an organization health care provider.
Response: As described in the proposed rule (at 63 FR 25325), group
health care providers are entities composed of one or more individuals
(members), generally created to provide coverage of patients' needs in
terms of office hours, professional backup and
[[Page 3440]]
support, or range of services resulting in specific billing or payment
arrangements. Organization health care providers are health care
providers who are not individual health care providers (that is, health
care providers who are human beings). Examples of organization health
care providers are hospitals, pharmacies, and nursing homes. For
purposes of this rule, we consider group health care providers to be
organization health care providers. There is additional information
about these health care providers in section II.C.1.(d) of this
preamble.
We agree with the majority of commenters that the NPS should
collect the same data for group and organization health care providers.
Because the same data are collected, there is no need for separate
definitions of group and organization health care providers for NPI
enumeration purposes.
Comment: Several commenters suggested that an NPI suffix or sub-
identifier (sub-ID) be used to identify physical locations or subparts
of a health care provider. Two commenters suggested that we explore the
need for an electronic data interchange (EDI) identifier for
transaction routing.
Response: We considered allowing each health care provider, if it
so chose, to establish sub-IDs under its NPI. The health care provider
might use the sub-IDs for different physical locations, subparts, EDI
transaction routing, or other purposes. We decided not to establish
sub-IDs because our decisions regarding which entities would be
eligible to receive NPIs (including separate physical locations and
subparts of certain kinds of organization health care providers)
obviate the need for them. Sub-IDs may be useful as a later
implementation feature that would support EDI routing or other
purposes. We will consider an expansion at a later time to include
them, if we determine that they would be beneficial.
Comment: Many commenters stated that all health care providers
should be able to obtain NPIs, whether they conduct health care
transactions electronically or on paper. Some commenters stated that
health care providers that do not conduct any of the transactions named
in HIPAA should be able to obtain NPIs.
Response: All health care providers--as we define that term--may
obtain NPIs. Only covered health care providers are required to obtain
and use NPIs in standard transactions.
Comment: Many commenters stated that NPIs should be mandatory for
paper and fax transactions, as well as electronic.
Response: In the May 7, 1998, proposed rule, we did not propose to
apply this standard to paper transactions. Therefore, we focus on
standards for electronic transactions. Most of the paper forms
currently in use today cannot accommodate all of the data content
included in the standard transactions. This does not prevent health
plans from requiring for paper transactions the same data, including
identifiers, as are required by the HIPAA regulations for electronic
transactions.
Final Provisions (Sec. 160.103)
As defined by section 1171(3) of the Act, a ``health care
provider'' is a provider of services as defined in section 1861(u) of
the Act, a provider of medical or other health services as defined in
section 1861(s) of the Act, and any other person who furnishes health
care services or supplies. Section 160.103 defines ``health care
provider'' as the statute does and clarifies that the definition of a
``health care provider'' includes any other person or organization that
furnishes, bills, or is paid for health care in the normal course of
business.
Section 1173(b)(1) of the Act requires the Secretary to adopt
standards providing for a standard unique health identifier for each
health care provider, and to take into account multiple uses,
locations, and specialty classifications for health care providers. All
health care providers who meet our definition of ``health care
provider'' at Sec. 160.103, regardless of whether they conduct
transactions electronically or on paper or conduct any covered
transactions will be eligible to apply for health care provider
identifiers.
We define ``covered health care provider'' at Sec. 162.402.
Subparts of organization health care providers, as described earlier in
this section, may be assigned NPIs.
Registered nurses, dental hygienists, and technicians are examples
of entities who furnish health care but who do not necessarily conduct
covered transactions. They are eligible to receive NPIs because they
are health care providers.
We define two categories of health care providers for enumeration
purposes. A data element, the ``Entity type code,'' in the NPS record
for each health care provider will indicate the appropriate category.
[sbull] NPIs with an ``Entity type code'' of 1 will be issued to
health care providers who are individual human beings. Examples of
health care providers with an ``Entity type code'' of 1 are physicians,
dentists, nurses, chiropractors, pharmacists, and physical therapists.
[sbull] NPIs with an ``Entity type code'' of 2 will be issued to
health care providers other than individual human beings, that is,
organizations. Examples of health care provider organizations with an
``Entity type code'' of 2 are: hospitals; home health agencies;
clinics; nursing homes; residential treatment centers; laboratories;
ambulance companies; group practices; health maintenance organizations;
suppliers of durable medical equipment, supplies related to health
care, prosthetics, and orthotics; and pharmacies.
Entities that participate in the Medicare program and many that
participate in the Medicaid program are eligible for NPIs. (Note,
however, our discussion of atypical and nontraditional service
providers earlier in this section.) Many subparts of organization
health care providers (as discussed earlier in this section) are
eligible to be assigned NPIs, and an NPI must be obtained for, or by,
them if they would be considered a covered health care provider if they
were a separate legal entity. By definition, subparts are not
themselves legal entities; the legal entity is the organization health
care provider of which they are a subpart. Organization health care
provider subparts--because they too are organizations--will be issued
NPIs with ``Entity type code'' of 2.
We do not consider individuals who are health care providers (that
is, they meet our definition of ``health care provider'' at Sec.
160.103) and who are members or employees of an organization health
care provider to be ``subparts'' of those organization health care
providers, as described earlier in this section. Individuals who are
health care providers are legal entities in their own right. The
eligibility for an ``Entity type code 1'' NPI of an individual who is a
health care provider and a member or an employee of an organization
health care provider is not dependent on a decision by the organization
health care provider as to whether or not an NPI should be obtained
for, or by, that individual. The eligibility for an ``Entity type code
1'' NPI of a health care provider who is an individual is separate and
apart from that individual's membership or employment by an
organization health care provider. If such an individual is a covered
health care provider, he or she is required to obtain an NPI. An
example of the above discussion is a physician who is a member of a
group practice. Both are health care providers and, therefore, both may
apply for NPIs, but the physician would receive an
[[Page 3441]]
``Entity type code 1'' NPI, while the group practice would receive an
``Entity type code 2'' NPI. If either is a covered health care
provider, that covered health care provider must apply for an NPI.
``Entity type code'' determinations will be made according to the
following:
[sbull] An individual human being furnishes health care. The
described individual is a health care provider and will be assigned an
NPI with an ``Entity type code'' of 1.
[sbull] An organization furnishes health care. The described
organization is a health care provider and will be assigned an NPI with
an ``Entity type code'' of 2.
[sbull] An organization health care provider subpart, as described
earlier in this section, is a health care provider and will be assigned
an NPI with an ``Entity type code'' of 2.
Hereafter in this preamble, we include these subparts in our
references to health care providers unless there is a reason to
distinguish them.
An NPI will be used to identify the health care provider on a
health care claim or equivalent encounter information transaction. If
an organization health care provider consists of subparts that are
identified with their own unique NPIs, a health plan may decide to
enroll none, one, or a limited number of them (and to use only the
NPI(s) of the one(s) it enrolls). A health plan may not require a
health care provider or a subpart of an organization health care
provider that has an NPI to obtain another NPI for any purpose. Links
among the various NPI types may be made and maintained by health plans
and other users of the NPS data, but will not be maintained in the NPS.
The data to be collected by the NPS for health care providers are
described in section II. C. 2. of this preamble, ``Data Elements and
Data Dissemination.'' The NPS will capture data elements for health
care providers with an ``Entity type code'' of 1 (individuals) that are
different from those that it will capture for those with an ``Entity
type code'' of 2 (organizations) because the data available to search
for duplicates (for example, date and place of birth) are different.
The NPS will ensure the uniqueness of the NPI by assigning only one NPI
to a health care provider with a distinct string of data in the NPS.
The NPS will contain the kinds of data necessary to adequately
categorize each entity to which it assigns an NPI. An NPI will be a
lasting identifier for the health care provider to which it has been
assigned. For health care providers with an ``Entity type code'' of 1,
the NPI will be a permanent identifier, assigned for life, unless
circumstances justify deactivation, such as a health care provider who
finds that his or her NPI has been used fraudulently by another entity.
In that situation, the health provider can apply, and will be eligible,
for a new NPI, and the previously assigned NPI will be deactivated. For
health care providers with an ``Entity type code'' of 2, the NPI will
also be considered permanent, except in certain situations such as when
a health care provider does not wish to continue an association with a
previously used NPI, or when a health care provider's NPI has been used
fraudulently by another. In those situations, the health care provider
that holds the NPI can apply, and be eligible for, a new NPI, and the
previously assigned NPI will be deactivated. A new NPI will not be
required for change of ownership, change from partnership to
corporation, or change in the State where an organization health care
provider is incorporated; indeed, ownership and incorporation
information will not be contained in the NPS. A new NPI will not be
required when there is a change in an organization health care
provider's name, Employer Identification Number, address, Healthcare
Provider Taxonomy classification, State of licensure, or State license
number. Instead, the health care provider will supply that information
to the NPS and the data in the NPS about these entities will be
updated. After a corporate merger, the surviving organization may
continue to use its NPI. A health care provider's NPI will not be
deactivated if that health care provider is sanctioned or barred from
one or more health plans. When an organization health care provider is
disbanded, the organization health care provider's NPI will be
deactivated. If a previously deactivated organization health care
provider is later reactivated, its previous NPI will be reactivated.
3. NPI Standard
Proposed Provisions (Sec. 142.402(a))
The May 7, 1998, proposed rule (at 63 FR 25328) described our
proposal for the standard health care provider identifier. We proposed
the NPI standard as an 8-position alphanumeric identifier. It would
include as the 8th position a numeric check digit to assist in
identifying erroneous or invalid NPIs. The check digit would be a
recognized International Standards Organization (ISO) standard. The
check digit algorithm would be computed from an all-numeric base
number. Therefore, any alpha characters that may be part of the NPI
would be translated to a specific numeric before the calculation of the
check digit. The NPI format would allow for the creation of
approximately 20 billion unique identifiers. It would be an
intelligence-free identifier. In the May 7, 1998 proposed rule, we also
proposed the type of data included in the file containing identifying
information for each health care provider.
In addition to the description of the NPI standard, this section of
the May 7, 1998, proposed rule discussed several other points on which
we received comments:
We noted that we proposed the 8-position alphanumeric format rather
than a longer numeric-only format in order to keep the identifier as
short as possible while providing for an identifier pool that would
serve the industry's needs for a long time.
We listed selection criteria for the standard and discussed
candidate identifiers, including the National Association of Boards of
Pharmacy number, the Social Security Number, and the Employer
Identification Number.
We noted that the USA Registration Committee approved the NPI as an
International Standards Organization card issuer identifier in August
1996 for use on standard health identification cards.
Comments and Responses on the NPI Standard
Comment: Several commenters on the format of the NPI expressed
general support for our proposal or specific support for an 8-position
alphanumeric identifier. Very few of these commenters gave a reason for
support of the 8-position alphanumeric format. A strong majority of
commenters recommended instead that the NPI be a 10-position numeric
identifier, because a 10-position identifier would yield an adequate
pool of identifiers and would not exceed the length permitted for
identifiers in the standard transactions proposed under HIPAA. A few
other commenters recommended a 9-position numeric identifier. Several
commenters who favored a numeric identifier stated that if additional
capacity for NPIs were needed in the future, additional numeric digits
should be added at that time. Commenters who preferred a numeric
identifier were very specific in listing its advantages. They stated
that a numeric identifier--
[sbull] Is more quickly and accurately keyed in data-entry
applications;
[sbull] Is more easily used in telephone keypad applications;
[sbull] Does not require translation before application of the
check digit algorithm,
[[Page 3442]]
and thus uses the full ability of the check digit algorithm to detect
keying errors;
[sbull] Is compatible with ISO identification card standards for a
card issuer identifier (discussed below), while an alphanumeric
identifier is not; and
[sbull] Will require less change for systems that currently use a
numeric identifier.
Response: We find the stated advantages of a 10-position numeric
identifier convincing. We have revised proposed Sec. 142.402 (now
Sec. 162.406(a)) to provide that the NPI will be a 10-position numeric
identifier, with the 10th position being an ISO standard check digit.
The use of a 10-digit numeric NPI and our initial assignment strategy
will allow for 200 million unique NPIs. We estimate 200 million NPIs
would last approximately 200 years, allowing for health care provider
growth, as discussed later in the preamble of this final rule in
section V.D., ``Specific Impact of the NPI.'' If additional capacity
for NPIs is needed in the future, additional numeric digits will be
added to the identifier at that time. A modification to the NPI format
would be accomplished through rulemaking. A 10-position numeric
identifier is specified in Sec. 162.406(a).
Comment: Some commenters asked that we clarify how the NPI would
appear when used as a card issuer identifier on a standard health care
identification card. Commenters also asked that we clarify any
modification made to the check digit algorithm to allow the NPI to be
used as a card issuer identifier.
Response: In December 1997, an American National Standard for a
Uniform Healthcare Identification Card was approved by the National
Committee for Information Technology Standards (NCITS), which is a
standards-developing organization accredited by the American National
Standards Institute. The specification for this standard, NCITS.284, is
available from the American National Standards Institute, 11 West 42nd
Street, New York, New York 10036. One identifier field on the standard
health care identification card is the card issuer identifier. A card
issuer identifier is an identifier for an entity that issues a health
care identification card. In most cases, the entity issuing a health
care identification card would be a health plan; in some cases,
however, the entity could be a health care provider. We note that,
under HIPAA, health care providers are neither required to issue health
care identification cards, nor to use the NCITS.284 standard card. The
NCITS.284 standard requires that the first five digits of the card
issuer identifier be ``80840,'' where the initial two digits, 80,
signify health applications, the next three digits, 840, signify United
States. The remainder of the card issuer identifier identifies the
entity that issued the card. In August 1996, the USA Registration
Committee, a standards-developing organization accredited by the
American National Standards Institute, approved the NPI as an
identifier for a card issuer for use on a standard health care
identification card. If the NPI is used to identify the card issuer on
a card that complies with NCITS.284, the card issuer identifier would
consist of 15 positions as follows: ``80840,'' signifying health
applications in the United States, followed by the 10-position NPI (the
9-position identifier portion of the NPI, followed by the NPI check
digit).
We note that the initial five digits ``80840'' would be required
with the NPI only when the NPI is used as a card issuer identifier on a
standard health care identification card. However, in order that any
NPI could potentially be used as a component of the card issuer
identifier on a standard health care identification card, the NPI check
digit calculation must always be performed as though the NPI is
preceded by ``80840.'' This is easily accomplished by including a
constant in the check digit calculation when the NPI is used without
this prefix. The NPI check digit is calculated using the ISO standard
Luhn check digit algorithm, a modulus 10 ``double-add-double''
algorithm. The specification for calculation of the NPI check digit
will be made available on the CMS Web site (http://www.cms.hhs.gov).
The specification will explain how to compute the check digit and how
to verify an NPI using the check digit, both when the ``80840'' prefix
is present and when it is not.
Comment: A strong majority of commenters supported our proposal
that the NPI be intelligence-free. A few commenters stated that an
intelligence-free identifier would not meet their needs because their
systems use the facility provider type, which is coded as part of the
identifier in some current systems.
Response: If the NPI were to include intelligence, that is, coded
information about the health care provider, as part of the identifier,
a new NPI would have to be issued any time the coded information about
the health care provider changed. This would undermine the lasting
nature of the NPI. For this reason we agree with the large majority of
commenters that the NPI not contain intelligence about the health care
provider.
Comment: A small number of commenters stated that the Taxpayer
Identifying Number (TIN) should be selected, or reconsidered, as the
standard unique health identifier for health care providers.
Response: The TIN is the identifier under which the health care
provider reports a United States tax return to the Internal Revenue
Service (IRS). It can be an SSN, assigned by the Social Security
Administration, or an IRS Individual Taxpayer Identification Number
(ITIN), assigned by the IRS, or an EIN, assigned by the IRS. A large
number of commenters on the ``Data'' section of the May 7, 1998, NPI
proposed rule stated their opposition to dissemination of the SSN
except in strictly controlled situations that fully comply with the
Privacy Act. Use of the SSN or the TIN as the standard unique health
identifier for health care providers would require the wide
dissemination and use of the SSN or TIN in the HIPAA transactions under
conditions that would not be protected by the Privacy Act. The majority
of commenters did not support the use of the SSN as the standard unique
health identifier for health care providers for individuals.
Comment: The National Council for Prescription Drug Programs
requested that we make several clarifications regarding our reference
to the National Association of Boards of Pharmacy (NABP) number, which
we discussed as a candidate identifier in the May 7, 1998, proposed
rule.
Response: As requested, we note that the NABP number has been
renamed the National Council for Prescription Drug Programs (NCPDP)
Provider Number. In 1997, the NCPDP and the NABP mutually severed the
contract made in 1977. The NCPDP has full responsibility for
maintenance of the pharmacy file. The NCPDP Provider Number is issued
solely by NCPDP. All references to the NABP number should be changed
instead to the NCPDP Provider Number.
Comment: A small number of commenters stated that the proposed NPI
would not meet one or more of the selection criteria for standards or
would not be consistent with the law because it would not reduce the
administrative costs of providing and paying for health care. These
kinds of comments cited the high costs of developing and operating a
new system for health care provider enumeration.
Response: Elsewhere in this preamble, we discuss how the collection
of health care provider data and the enumeration of health care
providers can be satisfactorily accomplished with the NPI and how those
associated costs can be kept to a minimum. We acknowledge
[[Page 3443]]
that organizations will incur costs in the move to a standard
enumeration process. After the initial implementation, however, we
believe that the costs will diminish significantly, and that long-term
use of a standard identifier will be cost-effective.
Final Provisions (Sec. 162.406(a))
We are adopting the NPI format of an all-numeric identifier, 10
positions in length, with an ISO standard check-digit in the 10th
position (Sec. 162.406(a)). The NPI will not contain intelligence
about the health care provider. This format and our assignment strategy
will allow for at least 200 million unique NPIs.
4. Effective Date and Compliance Dates
Proposed Provisions (Sec. 142.410)
The May 7, 1998, proposed rule proposed the compliance dates for
the standard unique health identifier for health care providers.
The May 7, 1998, proposed rule proposed that:
[sbull] Each health plan that is not a small health plan must
comply with the requirements of Sec. 142.104 and Sec. 142.404 by 24
months after the effective date of the final rule.
[sbull] Each small health plan must comply with the requirements of
Sec. 142.104 and Sec. 142.404 by 36 months after the effective date
of the final rule.
[sbull] Each health care clearinghouse and health care provider
must begin using the NPI by 24 months after the effective date of the
final rule.
Comments and Responses on Effective Date and Compliance Dates
Comment: An overwhelming number of commenters requested that there
be an extended period of time between the publication of the NPI final
rule and the date the implementation period for the NPI would begin.
Commenters stated that their resources were fully committed to
millennium issues and that those resources could not be used to address
the numerous changes needed to implement the NPI until after the
millennium work was satisfactorily completed. Some commenters asked
that we publish the final rule on Standards for Electronic Transactions
before any of the other rules.
Response: Work on the millennium is complete. Many commenters are
undoubtedly expending resources at this time in implementing the HIPAA
Privacy Rule (65 FR 82462 and 67 FR 53182), the Transactions Rule (65
FR 50312 and 68 FR 8381), the Security Rule (68 FR 8334) and the
Employer Identifier Rule (67 FR 38009). The reader should note that we
published the Transactions Rule (65 FR 50312) before any of the other
HIPAA final rules. The National Provider System (NPS) will be a large,
complex system. Its development cannot be finalized until publication
of this final rule. The NPS must operate efficiently and be capable of
performing many operations. It must undergo testing to ensure proper
operation of all functions and must pass a variety of stress tests. To
ensure adequate time for completion of system development and testing,
we set the effective date of this final rule to be 16 months after
publication in the Federal Register. Covered entities will need to be
in compliance no later than 24 months after the effective date (36
months for small health plans). While the purpose of this extended
effective date is to allow HHS sufficient time for NPS development and
testing, it will also permit health care entities sufficient time to
accommodate changes needed in order to implement the NPI.
Final Provisions (Sec. 162.404)
We set the effective date and compliance dates as follows:
a. Effective date of this final rule. The effective date of the NPI
is May 23, 2005. The effective date of this final rule marks the
beginning of the implementation period for the NPI.
b. Compliance dates of the NPI. We adopt the requirement that
covered entities (except small health plans) must obtain an NPI and
must use the NPI in standard transactions no later than May 23, 2007.
Small health plans must do so no later than May 23, 2008.
If the Secretary adopts a modification to this standard, the
compliance date of the modification would be no earlier than the 180th
day following the adoption of the modification. The Secretary would
determine the actual date, taking into account the time needed to
comply due to the nature and extent of the modification. The Secretary
would be able to extend the time for compliance with any modification
by small health plans by rulemaking, if he determines that an extension
is appropriate.
5. Implementation Specifications for Health Care Providers, Health
Plans, and Health Care Clearinghouses
Proposed Provisions (Sec. 142.404, Sec. 142.406, and Sec. 142.408)
In section II. E., ``Requirements,'' of the preamble of the May 7,
1998, proposed rule (63 FR 25330), we discussed the requirements that
health plans, health care clearinghouses, and covered health care
providers would have to meet in implementing the NPI. The proposed
regulation text, in Sec. 142.404, stated that health plans would be
required to accept and transmit, directly or through a health care
clearinghouse, the NPI on all standard transactions wherever required.
The proposed regulation text, in Sec. 142.406, stated that health care
clearinghouses would be required to use the NPI wherever a standard
electronic transaction requires it.
The preamble of the May 7, 1998, proposed rule (63 FR 25330)
states: ``In Sec. 142.408, Requirements: Health care providers, we
would require each health care provider that needs an NPI for HIPAA
transactions to obtain, by application if necessary, an NPI * * *''
Section 142.408(a) of the proposed regulation text states: ``Each
health care provider must obtain, by application if necessary, a
national provider identifier.'' The text of the proposed rule states,
in Sec. 142.408(c): ``Each health care provider must communicate any
changes to the data elements in its file in the national provider
system to an enumerator of national provider identifiers within 60 days
of the change.''
Comments and Responses on Requirements for Health Care Providers,
Health Plans, and Health Care Clearinghouses
We believe that the Congress intended that each health care
provider be eligible for an NPI and intended to authorize the Secretary
to require covered health care providers to obtain one. HIPAA requires
the adoption of a standard unique health identifier for health care
providers and directs the Secretary to specify the purposes for which
the identifier may be used. The statute sets forth the maximum amount
of time by which all covered entities must comply with the standards,
leaving discretion to the Secretary to designate compliance dates
(within the limitations of the law). We proposed in the May 7, 1998,
proposed rule, and require in this final rule, that covered entities
must be in compliance with the standards no later than 2 years (3 years
for small health plans) from the effective date of the regulation.
Thus, as of the compliance date, a covered health care provider must
have obtained and begun to use an NPI.
Comment: Some commenters recommended that all data about a health
care provider in the NPS be required to be updated; others stated that
only certain data elements should be required to be updated. Most
indicated that data needed for unique identification should be kept
current.
[[Page 3444]]
Response: In the proposed rule, the NPS was proposed to include
many data elements that we have since decided not to include. (See
section II. C. 2. of this preamble, ``Data Elements and Data
Dissemination.'') We have decided that the NPS will consist entirely of
data elements about a health care provider that are needed for
administrative (communications) purposes and for the unique
identification of the health care provider. We believe it is
appropriate and necessary for the health care providers to notify the
NPS of changes in their required NPS data, but, given limits on our
statutory authority, we can require such notification only of covered
health care providers.
Comment: We received many comments concerning the length of time a
health care provider should be allowed before it must notify the NPS of
changes to its NPS data. Most commenters thought that the 60-day period
was too long and believed a 15-to-30-day period was more appropriate.
Response: The May 7, 1998, proposed rule at Sec. 142.408(c)
proposed 60 days to allow reasonable flexibility in the time required
for a health care provider to complete a paper form (the NPI
application/update form) containing the update(s) and forward it to the
NPS. We will attempt to design the NPS to be responsive and easy to
use. We will consider a design that will allow a health care provider
(or possibly a health care provider's authorized representative (see
section II. B. 2., ``Health Care Provider Enumeration,'' of this
preamble)) to communicate the health care provider's changes directly
into the NPS over the Internet, using a secure Web-based transaction. A
paper form (the NPI application/update form) will be developed for this
same purpose and will be available from the NPS and from the CMS Web
site (http://www.cms.hhs.gov) for use by health care providers. We
realize that many health care providers may prefer to send electronic
updates if the capability exists. According to the majority of
commenters, health care providers should be required to communicate
changes in their NPS data in far less than 60 days. We agree.
Therefore, we adopt in this final rule a requirement that covered
health care providers notify the NPS of changes in their required NPS
data within 30 calendar days of the changes (Sec. 162.410(a)(4)).
Comment: Several commenters indicated that health plans will need
to know about changes in health care provider information. Commenters
did not believe it would be fair for health care providers to have to
notify both the NPS and the health plans in which they are enrolled of
changes.
Response: We agree that health plans will need to know of changes
in the data associated with their enrolled health care providers. Most
health plans collect more information about a health care provider than
the NPS will collect. Therefore, we expect that health plans will still
require health care providers to notify them of changes in this
information. The NPS will have the capability to provide listings or
reports of changes in NPS data in accordance with section II. C. 2. of
this preamble, ``Data Elements and Data Dissemination.''
Comment: Several commenters stated that the NPS should be required
to apply updates within a specified period of time after receipt of the
updated information from a health care provider.
Response: We expect that the update process will be designed in a
way that will allow the system to process updates within a reasonable
timeframe (for example, 10 business days from receipt). The volume of
updates at any given time may impact system performance. If changes are
unable to be made (for example, the health care provider furnishing
updates does not appear to match any health care provider in the NPS),
the health care provider will receive a message that will indicate why
the NPS is unable to update the record. The message will request that
the problem be resolved and the information be resubmitted.
Comment: Several commenters asked if health plans should take any
action to notify the NPS of changes to health care provider data if
they become aware of these changes.
Response: Although health plans would not be required to provide
information to the NPS to update health care provider data, we
encourage health plans to instruct and remind their enrolled health
care providers to notify the NPS of changes in their data.
Comment: There were numerous comments about penalties for non-use
of the NPI:
[sbull] If NPIs could not be assigned to covered health care
providers before the compliance date for those health care providers,
and sufficiently ahead of that time to enable the health care providers
to be capable of using the NPI in standard transactions, penalties
should not be enforced for nonuse of the NPI.
[sbull] Sufficient time should elapse to ensure adequate experience
in using the NPI before penalties are assessed.
[sbull] Financial penalties for noncompliance should not be
assessed until 1 year after the NPI compliance dates.
[sbull] The method of enforcing compliance with the standard should
be made public.
[sbull] The penalties for nonuse of a single standard and nonuse of
multiple standards should be clarified.
[sbull] When noncompliance forces nonpayment, the entity expecting
payment will resolve the issue.
Response: NPIs will be assigned to health care providers as quickly
as possible and within the parameters of the performance criteria that
are in effect. (See earlier comment and response for additional
information.) HHS is preparing, and has issued in part, a separate
regulation on enforcement of the HIPAA standards. This regulation is
expected to address all but perhaps the last concern of these
commenters. The regulation cannot place requirements on entities that
are not covered entities, and the entities involved in the situation
described in the last bullet may not be covered entities.
Comment: Many commenters suggested that (1) health care providers
not be required to use the NPI within the first year after the
effective date of its adoption, although willing trading partners could
use the NPI by mutual agreement at any time after the effective date;
and (2) health plans should give their health care providers at least 6
months' notice before requiring them to use the NPI.
Response: Upon the effective date of the adoption of this standard
(which will be 16 months after the date it is published), health care
providers may apply for NPIs. Covered entities (except for small health
plans) must begin using the NPI in standard transactions no later than
24 months after the effective date. (Small health plans have 36 months
to begin using NPIs.) These are statutory requirements that we have
incorporated into this final rule. We believe these timeframes enable
more than sufficient time for covered health care providers to become
aware of their responsibilities under this final rule, to apply for and
be assigned their NPIs, and to complete work needed to begin using
their NPIs. Applying for an NPI up to 18 months after the effective
date of the adoption of this standard will still give health care
providers 6 months before the statutory compliance date arrives. We
encourage health plans to give health care providers 6 months' notice
before requiring them to use NPIs; however, we do not require that
action by the health plans. How soon health care providers could use
NPIs would depend on when they obtained the NPIs, and health plans have
no direct control over that action.
[[Page 3445]]
We encourage all parties to work together to ensure a smooth
transition.
Final Provisions (Sec. 162.410, Sec. 162.412, Sec. 162.414)
All health care providers are eligible for NPIs.
We require each covered health care provider to obtain an NPI from
the NPS, by application if necessary, for itself and for its subparts,
if appropriate, and to use its NPI in standard transactions. Covered
health care providers must disclose their NPIs to other entities that
need those health care providers' NPIs for use in standard
transactions. Covered health care providers must communicate to the NPS
any changes in their required data elements within 30 days of the
change. If covered health care providers use business associates to
conduct standard transactions on their behalf, they must require their
business associates to use NPIs appropriately as required by the
transactions the business associates conduct on its behalf.
Situations exist in which a standard transaction must identify a
health care provider that is not a covered entity. An organization
health care provider subpart may need to be identified in a standard
transaction but the organization health care provider may not be
required to obtain an NPI for the subpart. A noncovered health care
provider may or may not have applied for and received an NPI. In the
latter case, and in the case of the subpart described above, an NPI
would not be available for use in the standard transaction. We
encourage every health care provider to apply for an NPI, and encourage
all health care providers to disclose their NPIs to any entity that
needs that health care provider's NPI for use in a standard
transaction. Obtaining NPIs and disclosing them to entities so they can
be used by those entities in standard transactions will greatly enhance
the efficiency of health care transactions throughout the health care
industry. If subparts are assigned NPIs, the covered health care
provider must ensure that the subpart's NPI is disclosed, when
requested, to any entity that needs to use the subpart's NPI in a
standard transaction.
Here are examples that illustrate the desirability for a health
care provider that is not required to be enumerated to obtain and
disclose an NPI:
(1) A pharmacy claim that is a standard transaction must include
the identifier (which, as of the compliance date, would be the NPI) of
the prescriber. Therefore, the pharmacy needs to know the NPI of the
prescriber in order to submit the pharmacy claim. The prescriber may be
a physician or other practitioner who does not conduct standard
transactions. The prescriber is encouraged to obtain an NPI so it can
be furnished to the pharmacy for the pharmacy to use on the standard
pharmacy claim.
(2) A hospital claim is a standard transaction and it may need to
identify an attending physician. The attending physician may be a
physician who does not conduct standard transactions. The physician is
encouraged to obtain an NPI so it can be furnished to the hospital for
the hospital to use on the standard institutional claim.
In the examples above, the NPI of a health care provider that is
not a covered entity is needed for inclusion in a standard transaction.
The absence of NPIs when required in those claims by the implementation
specifications may delay preparation or processing of those claims, or
both. Therefore, we strongly encourage health care providers that need
to be identified in standard transactions to obtain NPIs and make them
available to entities that need to use them in those transactions.
Under Sec. 162.410 (Implementation specifications: Health care
providers), we require each covered health care provider to:
[sbull] Obtain from the NPS, by application if necessary, an NPI
for itself and, if appropriate, for its subparts.
[sbull] Use the NPI it obtained from the NPS to identify itself in
all standard transactions that it conducts where its health care
provider identifier is required.
[sbull] Disclose its NPI, when requested, to any entity that needs
the NPI to identify that health care provider in a standard
transaction.
[sbull] Communicate to the NPS any changes to its required data
elements in the NPS within 30 days of the change.
[sbull] If it uses one or more business associates to conduct
standard transactions on its behalf, require its business associate(s)
to use its NPI and the NPIs of other health care providers
appropriately as required by the transactions the business associate(s)
conducts on its behalf. (For example, a claim for a laboratory service
will require the NPI of the laboratory and may also require the NPI of
the referring physician. If a business associate prepares the
laboratory claim, the business associate must use the laboratory's and
the referring physician's NPIs. If the business associate does not
already know the NPI of the referring physician, it may have to contact
the referring physician to obtain his or her NPI.)
[sbull] If it has been assigned NPIs for one or more subparts,
comply with the above requirements with respect to each of those NPIs.
Under Sec. 162.412 (Implementation specifications: Health plans),
we require health plans to: use the NPI of any health care provider
(including subparts of organization health care providers) that has
been assigned an NPI to identify that health care provider (or subpart)
in all standard transactions where the health care provider's (or
subpart's) identifier is required. Health plans may not require health
care providers that have been assigned NPIs to obtain additional NPIs.
Under Sec. 162.414 (Implementation specifications: Health care
clearinghouses), we require health care clearinghouses to use the NPI
of any health care provider (including subparts of organization health
care providers) that has been assigned an NPI to identify that health
care provider (or subpart) in all standard transactions where that
health care provider's (or subpart's) identifier is required.
B. Implementation of the NPI
1. The National Provider System
Proposed Provisions (Sec. 142.402)
The May 7, 1998, proposed rule (at 63 FR 25331) described the
National Provider System (NPS) as a central electronic enumerating
system. The system would be a comprehensive, uniform system for
identifying and uniquely enumerating health care providers at the
national level. The Department of Health and Human Services (HHS) would
exercise overall responsibility for oversight and management of the
system.
Comments and Responses on the National Provider System
We did not receive comments specific to our description of the NPS.
However, commenters were emphatic that the NPS be fully tested before
it began assigning NPIs, and that the system ensure that the same NPI
would not be issued to more than one health care provider. Commenters
also suggested that an option be made available by which health care
providers could apply for NPIs electronically in lieu of completing a
paper application form. This comment is addressed in section II. B. 2.
of this preamble, ``Health Care Provider Enumeration.''
Final Provisions (Sec. 162.408(a))
NPIs will be assigned to health care providers by the NPS, which
will be a central electronic enumerating system operating under Federal
direction. The
[[Page 3446]]
NPS will uniquely identify and enumerate health care providers at the
national level. The NPS may enumerate subparts of organization health
care providers.
The NPS will be designed to be easy to use. The design will employ
the latest technological advances wherever feasible for capturing
health care provider data and making information available to users.
This is discussed in section II. C. 2. of this preamble, ``Data
Elements and Data Dissemination.''
HHS will exercise overall responsibility for oversight and
management of the NPS. The NPS will include a database that will store
the identifying and administrative information about health care
providers that are assigned NPIs. The data elements comprising the NPS
are described and listed in section II. C. 2. of this preamble, ``Data
Elements and Data Dissemination.''
Identifying and uniquely enumerating health care providers for
purposes of the NPI is separate from the process that health plans
follow in enrolling health care providers in their health programs. The
NPS will assign NPIs to health care providers. However, the assignment
of the NPI will not eliminate the process that health plans follow in
receiving and verifying information from health care providers that
apply to them for enrollment in their health programs.
Health care providers will submit applications for NPIs to HHS. As
health care provider data are entered into the NPS from the
application, the NPS will check the data for consistency, standardize
addresses, and validate the Social Security Number (SSN) if the
individual applying for an NPI provides it; the NPS will validate the
date of birth only if the SSN is validated. (If a health care provider
chooses not to furnish his or her SSN when applying for an NPI, the
assignment of an NPI to that health care provider may be delayed and
additional information may be requested from that health care provider
in order to establish uniqueness.) If the NPS encounters problems in
processing the application, appropriate messages will be communicated
to the applicant. If problems are not encountered, the NPS will then
search its database to determine whether the health care provider
already has an NPI. If a health care provider has already been issued
an NPI, an appropriate message will be communicated. If not, an NPI
will be assigned. If the health care provider is similar (but not
identical) to an already-enumerated health care provider, the situation
will be investigated. Once an NPI is assigned, the health care provider
will be notified of its NPI.
2. Health Care Provider Enumeration
In section III of the preamble of the May 7, 1998, NPI proposed
rule, ``Implementation of the NPI'' (at 63 FR 25331), we asked for
comments on the entity or entities that would be responsible for
assigning NPIs to health care providers. We explained that the HIPAA
legislation did not contain a specific funding mechanism for activities
related to enumeration. We asked for comments on how the enumeration
activity and the NPS itself could be funded, and how the costs of
enumeration could be kept as low as practicable. We presented two
options for the enumeration of health care providers: (1) All health
care providers, except existing Medicare providers, would be enumerated
by a single entity. Existing Medicare providers would automatically be
enumerated and would not have to apply for NPIs; (2) Federal health
plans and Medicaid would enumerate their enrolled health care
providers, and a federally-directed registry would enumerate all
remaining health care providers. We also presented a phased approach to
enumeration and requested public comment on it. In the phased approach,
we proposed that enumeration would occur in the following order: (1)
Medicare providers; (2) Medicaid, other Federal providers, and health
care providers that do not conduct business with Federal health plans
or Medicaid but that do conduct electronically any of the transactions
specified in HIPAA; and (3) all remaining health care providers. The
May 7, 1998, proposed rule also stated that phase three would not begin
until phases one and two were completed.
Comments and Responses on Provider Enumeration
Comment: Several commenters stated that it would cost more than our
estimate of $50 to enumerate a health care provider; others believed
our estimate of $50 to be reasonable. Some commenters pointed out that
Federal and Medicaid health plans do not maintain all of the
information about health care providers that would be required to
assign NPIs; thus, if those health plans' prevalidated health care
provider files were to be used to populate the NPS, costs might exceed
$50 per health care provider in order to obtain the missing information
needed to assign NPIs. Commenters also pointed out that the cost to
enumerate an entity that furnishes atypical or nontraditional services
would exceed $50.
Response: We respond to these issues as follows:
[sbull] We agree with the comment that there may be situations
where information in addition to what is contained in existing health
care provider files will be required in order to assign NPIs. For
example, we have found that some Medicaid and Medicare provider files
do not contain all of the information required to assign an NPI.
Populating the NPS with existing files that lack certain required NPS
data elements increases the cost of enumeration because additional
resources would be needed to collect the missing information.
[sbull] Any inconsistencies or errors that are present in health
care provider files that are considered to be used to populate the NPS
would be imported into the NPS as part of that process. Resolving these
inconsistencies and errors before loading these files will require
resources and time. This will increase the cost of enumeration and
possibly slow the process.
[sbull] Where the format or structure of a health care provider
file being considered for use in populating the NPS differs from the
format or structure of the NPS, additional costs will be incurred in
attempting to conform that source file to the NPS.
[sbull] As discussed in section II. C. 2. of this preamble, ``Data
Elements and Data Dissemination,'' we are reducing the amount of health
care provider information being captured by the NPS to only that which
is required to uniquely identify and communicate with the health care
provider. Some of the information that will not be collected is the
kind that is costly to collect, such as membership in groups,
certification and school information. Not collecting these health care
provider data lowers the cost of enumeration.
[sbull] On applications for NPIs from individuals, the NPS will
verify the SSN if it is furnished on the application.
[sbull] Problems in processing the applications will have to be
resolved. This will increase the cost of enumeration.
[sbull] The NPS will be designed, wherever feasible, to take
advantage of technologies that will make its operation efficient. This
may include the use of the Internet to accept applications and updates
from health care providers. While up-front costs will be higher for
some designs, the more efficient the design and operation of the NPS,
the lower the cost of enumeration and ongoing operations.
Medicare Part B carriers indicated in comments that it costs about
$50 to enroll a health care provider in the Medicare program. This
process involves reviewing and validating a
[[Page 3447]]
paper application containing far more information than will be
collected and validated on the NPI application/update form. The NPS
will verify the SSN only if it is furnished in applying for an NPI; the
date of birth will be verified only if the SSN is furnished. The NPS
will run various edits and consistency checks and will check for
duplicate records to ensure that only one NPI is assigned to a health
care provider and that the same NPI is not assigned to more than one
health care provider. Enabling the receipt of Web-based applications
and the limited validation will make the cost of enumerating a health
care provider far less than enrolling a health care provider in a
health plan. The majority of atypical and nontraditional service
providers are not considered health care providers and, therefore,
would not be eligible for NPIs. The use of modern technology to receive
and process applications for NPIs makes it difficult if not impossible
to attach a dollar value to the enumeration of a single provider.
Implicit in enumeration are the costs of software, licenses, salaries,
training, and overhead. We estimate that the combination of all of the
above factors would reflect an average cost of enumerating a single
health care provider to be closer to $10.
Comment: The majority of commenters favored enumeration option 1,
where a single entity would enumerate all health care providers except
existing Medicare providers (who would automatically be enumerated).
(The May 7, 1998, proposed rule recommended enumeration option 2, which
would have required Federal health plans and Medicaid to enumerate
their enrolled health care providers, with a federally-directed
registry enumerating all remaining health care providers.) The
supporters of a single enumeration entity cited the following
advantages of option 1: (1) It would be less costly than multiple
enumeration entities; (2) it would ensure uniform operation of the
enumeration process, reducing inconsistencies that could lead to
duplicate assignment of NPIs; (3) it would be less confusing to health
care providers, particularly those that participate in multiple health
plans; (4) it would be a single point of contact with which to do
business and seek help and information; and (5) it would ensure
uniformity in resolving problems and would be more capable and
efficient in responding to data integrity issues that may require
investigation. Comments from Federal health plans and Medicaid State
agencies (which were the proposed enumeration entities under option 2)
stated that they preferred not to have a role as an enumerator. Some
Federal health plans anticipated that too many health care providers
would request that they handle their updates and changes. Medicaid
State agencies indicated that they would require additional Federal
funding to assume the responsibilities of enumeration.
Nonetheless, some commenters did support option 2. They stated that
having Federal health plans and Medicaid State agencies enumerate their
own health care providers had several advantages: (1) These entities
already conduct a significant amount of enumeration activity in their
health plan enrollment processes, which would bring a wealth of
experience to the NPI enumeration process; (2) much of the information
required to assign an NPI to a health care provider is already
collected by these entities; (3) fraud detection would be enhanced
because, as enumeration entities, they would have access to the data in
the NPS; and (4) the initial cost of enumerating health care providers
would be incremental to these entities, a major factor in making option
2 less costly than option 1.
Response: After analyzing all the comments and reviewing our
computations as to the costs of enumeration under both options, we have
determined that a single entity, under HHS direction, should handle the
enumeration functions. We believe that enumeration by a single entity
will be the most efficient option.
While supporters of option 2 cited several advantages, the
reluctance of the Federal health plans and Medicaid State agencies to
undertake enumeration functions was a major factor causing us to
support a single entity. Selection of option 2 would have required
those Federal health plans and Medicaid State agencies to perform
functions they were not willing to perform. Another factor in our
decision to choose option 1 was an oversight in our cost computations.
While our narrative discussion of costs indicated that prevalidated
Medicare provider files would populate the NPS under both options,
Table 5 in the Impact Analysis portion of the May 7, 1998, proposed
rule did not reflect those savings in the cost of option 1. If those
savings had been reflected, the cost of option 1 would have been less.
(Please see the next comment and response regarding Medicare provider
files.) Costs for option 2 did not include the expenses that would be
incurred by Federal health plans and Medicaid State agencies in
resolving problems found in their health care provider records that
would prevent some of those records from being loaded into the NPS for
enumeration of the health care providers. This would have increased the
cost of option 2. Had we applied both of these cost factors, both
options would cost about the same.
The use of one entity, under HHS direction, to enumerate health
care providers will ensure uniform operation of the NPS. Health care
providers will have a single contact point for applications, updates,
and questions. Problems will be resolved in a uniform manner. These
factors make a single enumerator the more efficient option.
Comment: Several commenters cautioned against loading pre-existing
health care provider files into the NPS. They indicated that any errors
present in those files would be carried undetected into the NPS.
Commenters cautioned that any data to be loaded into the NPS should be
validated, accurate, and up to date.
Response: We agree with the commenters' recommendation that
accurate, current data should be included in the NPS. After publication
of the May 7, 1998 proposed rule, we reexamined the existing Medicare
provider files in anticipation of using them to populate the NPS. Our
reexamination revealed that some mandatory NPS data elements are not
present in some of the Medicare files. In addition, data integrity
problems have been identified, and reformatting some of the Medicare
files to make them consistent with the structure of the NPS may be more
difficult than first expected. It may require considerable time to
update and reformat these files for NPS purposes.
It is important to note that we are undertaking steps to update our
existing Medicare provider files for independent business reasons. If
we find it is feasible to use updated, accurate Medicare provider files
to populate the NPS, we will do so, and we will notify the affected
Medicare providers that they will not have to apply for NPIs. The NPS
will notify the affected providers of their NPIs.
Comment: Nearly all commenters recommended that the enumeration
function and operation of the NPS be federally funded because a Federal
statute mandates the adoption and use of a standard unique health
identifier for health care providers. Many commenters stated that the
costs cannot be borne directly by health care providers or indirectly
by health care provider organizations and clearly stated that health
care providers should receive NPIs at no cost. Some stated that if fees
need to be assessed, they should come from the health plans, not the
[[Page 3448]]
health care providers, as the health plans will receive the most
benefit from the use of the standard. There was some support for the
collection of initial fees from health plans, health care
clearinghouses, and other nonprovider entities to obtain data from the
NPS; the fees would help offset the cost of maintaining the database.
Another commenter recommended that the public sector and large health
plans pay fees to a public-private sector trust organization. The fees
would represent their proportion of the total health benefit dollars;
the trust organization would administer various databases required by
the HIPAA standards (not solely the NPS). One commenter suggested
Federal funds be used initially, with the enumeration entity eventually
becoming self-sufficient.
Response: HIPAA did not provide the authority to charge health care
providers a user fee to obtain an NPI. Federal funds will support the
enumeration process and the NPS, at least initially. After the NPI is
implemented, HHS will investigate the use of other funding mechanisms.
The data dissemination process is discussed in section II.C.2., ``Data
Elements and Data Dissemination,'' of this preamble.
Comment: Some commenters supported the phases of enumeration as
described in the May 7, 1998, proposed rule. Many commenters supported
assignment of NPIs to existing Medicare providers first for these
reasons: (1) These health care providers are the majority of the health
care providers that conduct standard transactions; (2) the NPS is being
developed by HHS; and (3) Medicare provider information is already
available in HHS in the Centers for Medicare & Medicaid Services (CMS).
Many commenters stated that health care providers that do not
conduct the transactions specified in HIPAA should be enumerated at the
same time as all other health care providers--all health care providers
must be equally able to receive NPIs. Many of these commenters believed
that costly dual systems would have to be maintained (one for health
care providers with NPIs and one for those without) and confusion in
the marketplace would be created if paper processors did not also
receive NPIs within the same time frame as electronic processors.
Other commenters suggested that NPIs be issued on a first-come,
first-served basis.
Some commenters suggested enumeration phases by health care
provider type or by geographical region of the country.
Response: The NPS will be stress tested, but even successful
passage of the stress test will not enable all health care providers to
apply for and be assigned NPIs at the same time.
Covered health care providers are required to use NPIs where those
identifiers are required in standard transactions. We expect that
covered health care providers will be the first to apply for NPIs. We
estimate that, on the effective date of the NPI, approximately 2.3
million health care providers will be ready to apply for NPIs. They may
apply for NPIs beginning on the effective date, which is May 23, 2005.
Covered health care providers must begin to use their NPIs in standard
transactions no later than May 23, 2007.
We estimate that, on the effective date of the NPI, the number of
health care providers that typically do not conduct standard
transactions will be approximately 3.7 million. A few examples of these
health care providers are registered nurses employed by hospitals or
other facilities, X-ray and other technicians, and dental hygienists.
These health care providers may apply for NPIs at any time after the
effective date of this final rule. However, because there is no
requirement for these health care providers to use NPIs, we do not
expect them to apply for NPIs as soon as those that conduct standard
transactions or those that must be identified in standard transactions.
It may be determined some time after publication of this final rule
that ``bulk enumeration'' of some health care providers is feasible.
Bulk enumeration is a term used to mean mass-enumeration of a large
number of health care providers, all at one time, from a database or
file that uniquely identifies them in a way consistent with the
identification criteria in this final rule. Bulk enumeration would
eliminate the need for those health care providers to apply for NPIs.
For example, bulk enumeration might involve a specific classification
of health care providers that comprises the membership of a large
professional organization, or it could involve different
classifications of health care providers that are employed by one large
organization health care provider. In both of these examples, the
health care providers to be enumerated may or may not be covered
entities. This enumeration could occur at any time, if it is feasible.
HHS, along with the other affected entities, and working within the
requirements of the Privacy Act, will determine the feasibility of bulk
enumeration. Any health care provider that would be enumerated in this
way will be notified.
The NPS will process applications for NPIs as they are received.
It is true that some health plans may have to maintain--for
internal purposes--dual health care provider numbers: the NPI and the
number(s) issued to health care providers by the health plans
themselves. Health plans impose this burden on themselves in
accommodating their own internal operational needs. We expect that
health plans may decide to use NPIs for additional purposes beyond
those required in this final rule.
Comment: The majority of commenters made it clear that NPIs must be
assigned and the NPS fully and successfully tested well before the
compliance date.
Response: We agree. The NPS will have been fully tested before it
begins to assign NPIs. The speed of assignment of NPIs will be
dependent in part on the complete, correct, and timely submission of
the NPI applications.
Comment: Several commenters stated that the application forms for
NPIs should be retained indefinitely in a manner where the signatures
or certification statements could be verified if necessary. Commenters
stated that signatures or certification statements could be useful in
prosecuting a health care provider that knowingly requested more than
one NPI for itself.
Response: The NPI application forms will contain a statement
whereby the signer attests to the accuracy of the information on the
application. Paper applications will be maintained indefinitely for
signature or certification statement verification and audit purposes.
Applications completed electronically will be processed only if the
person completing the application attested to the accuracy of the
information by ``checking'' a designated box appearing in the on-line
application. Those electronic applications that are successfully
processed (that is, the health care provider is assigned an NPI) will
be maintained indefinitely in a manner whereby certification statements
can be verified if required.
Comment: Several commenters asked that the NPI application form be
designed to accommodate updates to health care provider data.
Response: We believe this is a good suggestion, particularly
because all of the information that will be required on the application
for an NPI will have to be updated if changes occur. Therefore, we will
attempt to design a form that can serve both application and update
purposes.
[[Page 3449]]
Final Provisions
One entity will be given enumeration functions under the direction
of HHS (option 1 as presented in the May 7, 1998, proposed rule) to
enumerate all eligible health care providers who apply for NPIs. There
are many advantages in using a single entity, which were discussed in
the comment and response section above.
The enumeration function and the development and operation of the
NPS will be federally funded, at least for the foreseeable future.
Under this final rule, health care providers will not be charged a fee
to be assigned NPIs or to update their NPS data.
If feasible, we will populate the NPS with Medicare provider files.
Health care providers will apply for NPIs, and covered health care
providers must apply for NPIs.
We will attempt to design the NPI application form in order to also
accommodate updates. The form will be available from the NPS and via
the Internet (http://www.cms.hhs.gov).
We will attempt to design the NPS so that it can receive and accept
NPI applications and updates on paper or over the Internet.
We expect that the use of modern technology to receive and process
applications for NPIs and to apply updates to the NPS records of
enumerated health care providers will greatly reduce our earlier
estimates. In addition, the limited validation by the NPS of data
reported by health care providers will further reduce NPS costs. We
discuss the cost of operating the NPS in section V, ``Regulatory Impact
Analysis,'' of this preamble.
Before enumeration begins, the NPS will be fully tested. We will
strive to ensure that the NPS functions properly and guards against
assigning the same NPI to more than one health care provider, assigning
more than one NPI to the same health care provider, and re-using NPIs
(assigning to a health care provider an NPI that had at one time been
issued to another).
Health care providers may apply for NPIs beginning on the effective
date of this final rule.
At this time, we do not expect bulk enumeration of health care
providers, except possibly of Medicare providers, as discussed earlier.
HHS will explore the feasibility of other such enumerations. If
considered feasible, the affected health care providers will be
notified and will not have to apply for NPIs.
We will consider the feasibility of allowing health care providers
to designate authorized representatives to handle their NPI
applications and updates.
Applications for NPIs and updates will be retained by HHS
indefinitely in a manner in which signatures on paper applications or
certification statements on electronic applications can be verified if
required.
We will make available as much information as possible about the
implementation of the NPI on the CMS Web site (http://www.cms.hhs.gov).
The web site will include information about the availability and
submission of the NPI application/update form.
3. Approved Uses of the NPI
The preamble of the May 7, 1998, proposed rule discussed approved
uses of the NPI. We did not receive comments that objected to those
uses.
By 24 months after the effective date of this final rule, covered
health care providers, health plans (except for small health plans),
and health care clearinghouses must use the NPI in standard
transactions. Small health plans must do so within 36 months of the
effective date. Covered health care providers must disclose their NPIs
to other entities when these entities need to include those health care
providers' NPIs in standard transactions. We encourage all other health
care providers to do the same.
The NPI may also be used for any other lawful purpose requiring the
unique identification of a health care provider. It may not be used in
any activity otherwise prohibited by law.
Examples of permissible uses include, in addition to the above, the
following:
[sbull] The NPI may be used as a cross-reference in health care
provider fraud and abuse files and other program integrity files.
[sbull] The NPI may be used to identify health care providers for
debt collection under the provisions of the Debt Collection Improvement
Act of 1996 (Pub. L. 104-134, enacted on April 26, 1996) and the
Balanced Budget Act of 1997 (Pub. L. 105-33, enacted on August 5,
1997).
[sbull] Health care providers may use their own NPIs to identify
themselves in nonstandard health care transactions and on related
correspondence.
[sbull] Health care providers may use other health care providers
NPIs to identify those other health care providers in health care
transactions and on related correspondence.
[sbull] Health plans may use NPIs in their internal health care
provider files to process transactions and in communications with
health care providers.
[sbull] Health plans may communicate NPIs to other health plans for
coordination of benefits.
[sbull] Health care clearinghouses may use NPIs in their internal
files to create and process standard transactions and in communications
with health care providers and health plans.
[sbull] NPIs may be used to identify health care providers in
patient medical records.
[sbull] NPIs may be used to identify health care providers that are
health care card issuers on health care identification cards.
We encourage health care providers that are not required to comply
with HIPAA regulations to use NPIs in the ways listed above.
4. System of Records Notice
A System of Records Notice (HHS/HCFA/OIS No. 09-70-0008) published
in the Federal Register on July 28, 1998 (63 FR 40297), listed the ways
in which data from the NPS that are protected by the Privacy Act may be
used. Few comments were received on the System of Records Notice.
We are including a summary of the comments below:
Comment: One commenter believes that the data collected to assign
NPIs to physicians should be kept to an absolute minimum. Data that are
not required for enumeration or legitimate administrative purposes
should not be collected. Data released beyond HHS must be released in
accordance with the provisions of the Privacy Act, insofar as that Act
applies to the data in question, and the Freedom of Information Act, as
appropriate. Data in addition to those which are published in the
Unique Physician Identification Number (UPIN) Directory should not be
released. Most of the data collected to enumerate an individual should
not be publicly available. Another commenter was concerned that removal
of a health care provider's record from the NPS could result in the re-
issuance of that health care provider's NPI to another health care
provider. The NPI must remain unequivocally unique and the NPS must
never re-issue a previously assigned NPI. Removal of a health care
provider's records at some point after the health care provider's death
is reasonable, as long as there are guarantees that the health care
provider's NPI will never be used by another health care provider or
re-issued to another health care provider.
Response: In section II. C. 2. of this preamble, ``Data Elements
and Data Dissemination,'' we describe the information that we expect
will be collected and stored in the NPS. The
[[Page 3450]]
requirements described in the comments we received on the NPS System of
Records Notice will be met in the design and operation of the NPS and
in the enumeration functions.
5. Summary of Effects on Various Entities
Below is a summary of how the implementation of the NPI will affect
health care providers, health plans, and health care clearinghouses.
a. Health Care Providers
At this time, bulk enumeration of health care providers is not
expected to occur. If, however, it is determined to be feasible, we
will populate the NPS with data from Medicare provider files. If bulk
enumeration were to occur, the affected health care providers would be
notified of their NPIs and would not have to apply for them. Otherwise,
in order to be assigned NPIs, covered health care providers must apply
for NPIs. (Health care providers that are not covered entities are
encouraged to apply for NPIs.) After applying for NPIs, health care
providers will be assigned and notified of their NPIs by the NPS.
Health care providers will submit a paper application or, if feasible,
will have the option of applying for NPIs via the Internet. The NPI
application/update form and information about health care provider
enumeration will be available from the CMS Web site (http://
www.cms.hhs.gov).
Covered health care providers that have been assigned NPIs must
furnish updates (changes) in their required NPS data or that of their
subparts to the NPS within 30 days of the changes; they may use the NPI
application/update form for this purpose. We recommend that health care
providers notify the health plans in which they are enrolled of any
changes at the same time they notify the NPS of these changes. (This
recommendation does not preclude health plans from requiring
notification of updates within a shorter time frame.)
We encourage health care providers who have been assigned NPIs but
who are not covered entities also to notify the NPS of changes in their
NPS data within 30 days of the changes.
Covered health care providers must use their NPIs to identify
themselves and their subparts, if appropriate, on all standard
transactions when their health care provider identifiers are required.
We encourage all health care providers and subparts that have been
assigned NPIs to do the same.
Covered health care providers must disclose their NPIs and those of
their subparts to entities that need the NPIs to identify those health
care providers in standard transactions. We encourage all health care
providers and subparts that have been assigned NPIs to do the same.
Covered health care providers must require their business
associates, if they use them to conduct standard transactions on their
behalf, to use their NPIs and the NPIs of other health care providers
and subparts appropriately as required by those transactions.
Covered health care providers that are organization health care
providers with subparts as described earlier in this preamble must
ensure that, when NPIs are assigned to subparts, either the covered
health care provider or the subpart (1) uses the NPIs of the subparts
on all standard transactions when their health care provider
identifiers are required, (2) discloses their NPIs to entities that
need the NPIs to identify those subpart(s) in standard transactions,
(3) communicates changes in required data elements of the subparts to
the NPS, and (4) requires business associates of the subparts, if they
use them to conduct standard transactions on their behalf, to use their
NPIs and the NPIs of other health care providers and subparts
appropriately as required by the transactions that the business
associates conduct on their behalf.
b. Health Plans
Health plans must use the NPI of any health care provider or
subpart that has been assigned an NPI to identify that health care
provider or subpart on all standard transactions when the NPI is
required. All plans except small health plans have 24 months from the
effective date of this final rule to implement the NPI; small health
plans have 36 months. Health plans that need NPS data in order to
create standard transactions will be able to obtain NPS data from the
NPS. (See section II. C. 2. of this preamble, ``Data Elements and Data
Dissemination.'') Use of data from the NPS in order to comply with
HIPAA requirements is a routine use as published in the NPS System of
Records Notice.
HIPAA does not prohibit a health plan from requiring its enrolled
health care providers to obtain NPIs if those health care providers are
eligible for NPIs as discussed earlier in this preamble.
c. Health care clearinghouses
Health care clearinghouses must use the NPI of any health care
provider or subpart that has been assigned an NPI to identify that
health care provider or subpart on all standard transactions when the
NPI is required. As with health plans, health care clearinghouses will
be able to obtain NPS data from the NPS.
C. Data
1. NPS Data Structures
Proposed Provisions (Sec. 142.402)
In section IV. B. of the preamble of the May 7, 1998, proposed
rule, ``Practice Addresses and Group/Organization Options,'' (63 FR
25336), we asked for public comment on some of the data structures that
would be captured in the NPS for each health care provider.
Comments and Responses on NPS Data Structure Concepts
Below are the questions as posed in the May 7, 1998, proposed rule
followed by a summary of the comments and our responses:
a. Should the NPS Capture Practice Addresses of Health Care Providers?
Comment:
Responding yes: Some commenters stated that they need to capture
the multiple practice addresses of a health care provider for their
business functions. They believe it would be best to do this once in
the health care provider's NPS record, rather than in many local
systems.
Responding no: A large majority of commenters stated that the NPS
should not capture any practice addresses or should capture only one
physical location address per NPI. Some of these commenters believed
that each location where a health care provider practices needs to be
identified, but they believed locations should receive separate
identifiers, rather than be captured as multiple addresses in the
health care provider's NPS record. Many other commenters noted that
health care provider practice addresses change frequently and that
address information will be burdensome and expensive to maintain and
will be unlikely to be maintained accurately at the national level.
They believe that, if needed, it should be collected and maintained in
local systems.
Response: The NPS will capture the mailing address and one physical
location address for each health care provider. Only one physical
location address will be associated with each NPI. Practice addresses
would be of limited use in the electronic matching of health care
providers. The volatility of practice address information would make
maintenance of the information burdensome and expensive. Collecting
only one physical location address minimizes the burden of data
collection and maintenance, while providing an
[[Page 3451]]
address where the health care provider can be contacted in situations
when a mailing address is insufficient. For example, a mailing address
containing a Post Office box number cannot be used for mail delivery by
other than the United States Postal Service.
b. Should the NPS Assign a Location Code to Each Practice Address in a
Health Care Provider's Record?
Comment:
Responding yes: A small number of commenters recommended that the
NPS assign location codes. Most of these commenters were health plans
that need to identify all the practice addresses of a health care
provider. They want to use location codes as pointers to these
addresses in a health care provider's NPS record.
Responding no: A large majority of commenters stated that the NPS
should collect only one physical location address of each health care
provider and should not assign location codes. If only one physical
location address is collected, there is no need to assign location
codes to distinguish multiple practice addresses. Respondents noted
several technical weaknesses of the proposed location code. They stated
that the format of the location code would allow for a lifetime maximum
of 900 location codes per health care provider, and this number may not
be adequate for health care providers with many locations. The location
code would not uniquely identify an address; different health care
providers practicing at the same address would have different location
codes for that address, resulting in complexity, rather than
simplification, for business offices that maintain data for large
numbers of health care providers.
Response: The combination of the NPI assignment strategy described
earlier in this final rule and the data elements contained in the
standard claim and equivalent encounter information transaction
eliminate the need for location codes. The NPS will not establish
location codes.
c. Should the NPS Link the NPI of a Organization Health Care Provider
That Is a Group Practice to the NPIs of the Individual Health Care
Providers Who Are Members of the Group?
Comment:
Responding yes: Some commenters responded that they need to be able
to associate organization health care providers who are group practices
with the individual members of the group. They believe this association
can most efficiently be maintained once in the NPS, rather than in many
local systems.
Responding no: A large majority of commenters noted that health
care provider membership in groups changes frequently and that this
information will be burdensome and expensive to maintain and will be
unlikely to be maintained accurately at the national level. Some health
plans recognize contractual arrangements that may not correspond to
groups. Commenters believe that, if needed, membership in groups should
be collected and maintained in local systems.
Response: We agree that the NPS should not link the NPI of an
organization health care provider that is a group practice to the NPIs
of individual health care providers who are members of the group. The
large number of members of some groups and the frequent moves of
individuals among groups would make national maintenance of group
membership burdensome and expensive. Contractual arrangements would be
impractical to maintain nationally and would most likely differ from
health plan to health plan. Most organizations that need to know group
membership and contractual arrangements prefer to maintain this
information locally, so that they can ensure its accuracy for their
business purposes.
d. Should the NPS Collect the Same Data for Organization and Group
Health Care Providers?
Comment:
Responding yes: A large majority of commenters stated that a
distinction between organization and group health care providers would
be artificial and would serve no purpose.
Responding no: Some commenters stated that organization and group
health care providers should be distinguished in the NPS. None of these
commenters suggested different data that should be collected for a
group health care provider, as opposed to an organization health care
provider. We believe that most of these comments reflect a
recommendation that group health care providers receive NPIs rather
than a recommendation that different data be collected for group health
care providers, as opposed to organization health care providers.
Response: No commenter suggested that different data be collected
for a group practice than for an organization health care provider and
a strong majority of commenters stated that the same data should be
collected. We agree that the NPS should collect the same data for group
and organization health care providers. Groups will be enumerated as
organization health care providers.
Comments and Responses on NPS Data Structure Alternatives
In the May 7, 1998, proposed rule, we presented two alternatives
for the structure of health care provider data in the NPS.
Under ``Alternative 1,'' the NPS would capture multiple practice
addresses. It would assign a location code for each practice address of
an individual or group health care provider. Organization and group
health care provider records would have different associated data in
the NPS. Group health care providers could have individuals (such as
physicians) listed as members of the group, and the NPS would link the
NPIs of group health care providers to the NPIs of the individuals that
make up the group. Under ``Alternative 2,'' the NPS would collect the
mailing address and one physical location address for a health care
provider. It would not assign location codes. It would not collect
different data for organization and group health care providers. It
would not link the NPI of an organization to the NPIs of individuals or
any other health care providers.
Comment: A majority of respondents preferred Alternative 2.
Response: The comments on the four preceding questions and on the
two alternatives indicated a strong preference for Alternative 2. We
agree with commenters that Alternative 2 will provide the data needed
to identify the health care provider at the national level. We agree
that the NPS record will be based on the data described in Alternative
2.
Final Provisions
In the ``Final Provisions'' portion of section II. A. 2. of this
preamble, ``Definition of a Health Care Provider,'' we describe the
entities that will be eligible to receive NPIs. The data structures
discussed below apply to every entity that is assigned an NPI.
The mailing address and one practice address (physical location)
will be collected by the NPS for each health care provider. One
physical location address will be associated with each NPI.
Because only one physical location address will be collected per
health care provider, location codes will not be necessary and,
therefore, will not be established by the NPS.
Group practices often have many members, and individual health care
providers often move from group to group. Maintenance of this
information on a national level would be difficult and costly. Many
health plans prefer to
[[Page 3452]]
collect and maintain this information themselves. Therefore, the NPS
will not link the NPI of a group to the NPIs of individual health care
providers who are members of that group.
The NPS will collect the same data from group health care providers
as it will collect from organization health care providers.
Group practices will be considered organization health care
providers and will be enumerated as organization health care providers.
We will design the NPS along the lines of Alternative 2 as
presented in the May 7, 1998, proposed rule.
2. Data Elements and Data Dissemination
Proposed Provisions
In the preamble of the May 7, 1998, proposed rule, in section IV,
``Data,'' we listed the data elements that we proposed to include in
the NPS. We solicited comments on the inclusion and exclusion of those
data elements and the inclusion of other data elements that the public
believed appropriate. We asked how the NPS could be designed to make it
useful, efficient, and low-cost.
In that same section, we also posed data questions and discussed
options for NPS data structures. Section II.C.1. of this preamble,
``NPS Data Structures,'' contains the comments and responses and
decisions made regarding NPS data structures. As a result of those
decisions, some data elements that were included in the list of
proposed data elements published in the May 7, 1998, proposed rule will
not, in fact, be included in the NPS database. Therefore, the
information in section II.C.1. of the preamble should be kept in mind
in reading this section.
In the preamble of the May 7, 1998, proposed rule, in section V.,
``Data Dissemination,'' we proposed two levels of dissemination of
information from the NPS:
[sbull] (1) Level I--To the entity(ies) performing the enumeration
functions. The(se) entity(ies) would have direct access to the NPS and
to all the data elements in the NPS; and
[sbull] (2) Level II--To the general public. The general public
would be able to request and receive selected data elements, excluding
those that are protected by the Privacy Act. (Requests for Privacy Act-
protected data and Freedom of Information Act (FOIA) requests would be
handled in accordance with existing HHS policies.)
The May 7, 1998, proposed rule contained a table indicating the
level of dissemination of the NPS data elements. We proposed that we
would charge fees for data and data files, but that the fees would not
exceed the costs of dissemination (63 FR 25338). We solicited comments
on the information that should be available in paper and electronic
formats and the frequency with which information should be made
available.
Comments and Responses on Data Elements and Data Dissemination
Comment: An overwhelming number of commenters said that the NPS
should contain only the data elements required to communicate with and
uniquely identify and assign an NPI to a health care provider. They
believed this information should be the kind that could effectively be
maintained at the national level, leaving the more complex and volatile
data to health plans to capture and maintain, as they currently do.
Many commenters listed the specific data elements that they recommended
we remove from the list presented in the May 7, 1998, proposed rule.
The majority of commenters believe that, as a result of the removal of
the data elements not needed for enumeration and communication, the NPS
would be easier and less expensive to maintain and would operate more
efficiently.
Response: To be valuable, the NPS must be accurate, up to date, and
meet its intended purpose in the most feasible way. The NPS must
collect information sufficient to uniquely identify a health care
provider and assign it an NPI and must collect information sufficient
to communicate with a health care provider. The data elements that we
have retained are necessary to uniquely identify and communicate with a
health care provider. Our decision to reduce the composition of the NPS
to the data elements needed for unique identification and communication
removes many of the data elements that were proposed to comprise the
NPS in the May 7, 1998, proposed rule. The comments and responses that
follow contain additional information and rationale concerning our
decision to include or exclude certain data elements.
Comment: Some commenters said that collecting but not validating
certification or school information would make that information
meaningless. Most commenters did not believe the NPS should collect
certification or school information in the first place because it would
not be useful in uniquely identifying the individual applying for an
NPI. They believe that collection and validation of this information
should continue to be done by health plans in their health care
provider enrollment processes. Most commenters supported the collection
of credential designation(s) (for example, M.D., C.S.W., and R.N.),
license number(s), and State(s), which issued the license(s) for
individual health care providers whose taxonomy classifications require
licenses.
Response: We agree with commenters that it would be costly to
collect, validate, and maintain certification and school information.
We do not believe the NPS should replicate unnecessarily the work
carried out by health plans. We agree that health plans, which do this
work now, should appropriately continue to do so. The NPS will capture
an individual health care provider's license number (if appropriate),
the State which issued the license (multiple occurrences of both data
elements), and the credential designation(s). The credential
designation(s) (called ``Provider's credential designation'' in the May
7, 1998, proposed rule) will be captured in the data element ``Provider
credential text,'' which will be a repeating field. This data element
was renamed to make it compatible with X12N HIPAA data dictionary
naming conventions and also to avoid giving the impression that the NPS
will be validating the credentials. The license number and State in
which it was issued will be useful to health plans in matching NPS
records to their health care provider files. As a result of the
decision not to collect certification and school information, the
following data elements will not be included in the NPS:
[sbull] Provider certification code;
[sbull] Provider certification (certificate) number;
[sbull] School code;
[sbull] School name;
[sbull] School city, State, country;
[sbull] School graduation year.
Comment: Commenters did not see value in the NPS capturing
``Provider's birth county name.'' They believe the State name and
country (the latter required if the health care provider was not born
in the United States) would be sufficient for identification purposes.
Response: We agree. The ``Provider's birth county name'' data
element will be excluded from the NPS.
Comment: Some commenters suggested that the ``Taxpayer Identifying
Number'' (TIN) be added to the NPS. They believed this was needed to
match NPS records to health plans' health care provider files and that
it could help in unique identification.
Response: We agree that the numbers used to report income taxes
will be
[[Page 3453]]
useful in uniquely identifying health care providers.
According to the Internal Revenue Service (IRS), three numbers
(known as ``Taxpayer Identifying Numbers,'' or TINs) may be used
(depending on circumstances) to report income taxes: (1) The Social
Security Number (SSN), assigned by the Social Security Administration
to individuals; (2) the IRS Individual Taxpayer Identification Number
(ITIN), assigned by the IRS to individuals who are not eligible to
receive Social Security Numbers; and (3) the Employer Identification
Number (EIN), assigned by the IRS to organization health care providers
(that is, health care providers that would not be assigned ``Entity
type code'' 1 NPIs). For purposes of being assigned NPIs, health care
providers will be asked voluntarily to supply their SSN or IRS ITIN (if
they are individuals who would be assigned an ``Entity type code'' 1
NPI), or will be required to supply their EIN (if they are
organizations that would be assigned ``Entity type code'' 2 NPIs).
Requesting the SSN from individual health care providers will
dictate that we include on the NPI application/update form appropriate
disclosure and Privacy Act statements.
Comment: Some commenters suggested that Medicare and Medicaid
sanction information be added to the NPS. One commenter wanted to know
where sanction data would be housed and who would maintain these data.
Response: The NPS will not contain sanction data or indicators that
sanction data exist. Sanction data were not included in the data
element list published in the May 7, 1998, proposed rule. While
maintainers of sanction databases may incorporate the NPI into their
databases to enable searches by NPI, the NPS will not house sanction
information. The Web address for the Office of Inspector General
sanctioned health care providers file is http://
exclusions.oig.hhs.gov/.
Comment: Some commenters said that ``License revoked indicator''
and ``License revoked date'' should be included in the NPS.
Response: The NPS will not capture this or similar information. The
uniqueness of the health care provider can be established without this
information. This information would more appropriately be collected by
health plans.
Comment: A number of data elements were suggested to be added to
the NPS. These included ``Owner of the provider,'' ``Practice type
control code'' (office-based, hospital-based, Federal facility
practice, and other), ``Source of information for certification,''
``Provider type,'' and ``Provider specialty code.''
Response: The May 7, 1998, proposed rule did not propose that the
NPS collect health care provider ownership information. This
information is volatile and already resides on most health plans'
health care provider enrollment files. Practice type control
information is not required to uniquely identify or classify a health
care provider for NPS purposes; therefore, it will not be included in
the NPS. ``Source of information for certification'' will not be
captured because, as explained earlier in this section, certification
information will not be collected by the NPS. The definitions of
``Provider type'' and ``Provider specialty code'' may differ from one
health plan to another; the NPS will capture the type(s),
classification(s), and area(s) of specialization as described in the
Healthcare Provider Taxonomy Code set. By capturing this information,
we take into account the specialty classifications as required by
HIPAA. The taxonomy can be viewed at this Web site: http://www.wpc-
edi.com/taxonomy/.
Comment: A commenter suggested that a health care provider's ``pay-
to address'' be added to the NPS. Another commenter stated that health
plans will use the health care provider's mailing address as the pay-to
address. Another commenter suggested that HHS consider electronic data
interchange (EDI) addresses for inclusion in the NPS.
Response: In most situations, a health care provider's ``pay-to
address'' is its mailing address. Therefore, we do not believe it is
necessary to add a ``pay-to address'' to the NPS. Because EDI addresses
are not standardized at this time, they will not be included in the
NPS. The composition of the NPS will be revised if necessary in the
future.
Comment: Several commenters suggested adding the name of the
establishing enumerator or agent and the name and telephone number of
the enumerator who made the last update to the NPS. They believe that
this information would help ensure the accuracy of the database by
preventing multiple enumerators from updating or attempting to update
the same records.
Response: As discussed in section II. B. 2. of this preamble,
``Health Care Provider Enumeration,'' there will be one entity, under
HHS direction, that will be charged with enumeration functions. The
decision to use a single enumerator renders the data elements proposed
by these commenters unnecessary. The ``Establishing enumerator/agent
number'' will not be included in the NPS.
Comment: One commenter suggested we add ``Provider status'' and
``Date of deactivation'' to the NPS.
Response: In section II. A. 2. of this preamble, ``Definition of
Health Care Provider,'' we describe the reasons why an NPI may be
deactivated. We have added to the NPS two new data elements: ``National
Provider Identifier deactivation reason code'' and ``National Provider
Identifier deactivation date.'' These data elements will capture the
information suggested by this commenter. (It should be noted that
``Provider's date of death'' will be excluded as a data element from
the NPS. Fact of death and resulting deactivation date will be captured
in the two new data elements.) We have also added a data element called
``National Provider Identifier reactivation date,'' which will capture
the date that a health care provider's NPI is reactivated.
Comment: Several commenters suggested adding ``Cross reference to
replacement NPI.'' They thought it would be important to link former
and current NPIs.
Response: In section II. A. 2. of this preamble, ``Definition of
Health Care Provider,'' we explain that an NPI is designed to last
indefinitely. There may, however, be an unusual circumstance that would
justify a health care provider's request to be issued a new, different
NPI. In these situations, the NPS will link the new, or replacement,
NPI to the previous NPI(s) of that same health care provider. (By
``same health care provider,'' we mean an entity with exactly the same
data elements, or string of NPS data.) We will add two new data
elements to the NPS: ``Replacement NPI'' and ``Previous NPI.'' Both
will be repeating fields (see ``Data Status'' preceding the National
Provider System Data Elements and Data Dissemination table). When a
user retrieves the NPS record of a health care provider, either of
those fields may contain data. (If neither field contains data, the
health care provider has had only one--its original--NPI.) The user can
then retrieve the related NPS record by requesting the record of the
NPI appearing in the ``Replacement NPI'' or the ``Previous NPI'' field,
whichever is appropriate.
Comment: One commenter suggested that ``Effective from'' and
``Effective through'' dates be added for telephone numbers and
addresses.
Response: We expect that the NPS will be designed to associate
dates with the information about a health care provider, thus creating
a history of a health care provider's record. When changes are made to
a health care provider's telephone number or address,
[[Page 3454]]
that health care provider's record will include the dates of those
changes. ``Effective from'' and ``Effective through'' dates for
telephone numbers and addresses may not hold true; there could be
unexpected situations that could cause changes to occur sooner or later
than reported. We believe it will be more accurate to include a date to
reflect each time a change is made in this information.
Comment: A commenter suggested that the On-line Survey
Certification and Reporting System (OSCAR) number be maintained after
the initial load of Medicare providers, and that the NPS include a
``Facility type'' indicator for OSCAR providers.
Response: As explained earlier in section II. B. 2. of this
preamble, ``Health Care Provider Enumeration,'' we are evaluating the
feasibility of populating the NPS with existing Medicare provider
files. If this is done, the OSCAR number, which is a Medicare-assigned
number, will be captured in the NPS automatically. Whether or not we
populate the NPS with Medicare files, the NPI application/update form
will collect health care provider identification numbers that are
assigned by certain health plans (including Medicare) and other
organizations. Health care providers that apply for NPIs will be able
to furnish these numbers (``Other provider identifier'') and to
indicate the type of number being furnished (for example, OSCAR, UPIN,
DEA, and Medicaid) (``Other provider identifier type code''), on the
NPI application/update form. These will be optional and repeating NPS
data elements. The NPS will capture as many ``Other provider
identifier'' entries and the corresponding ``Other provider identifier
type code'' entries as are reported on the NPI application/update form.
The NPS will apply changes or updates to the ``Other provider
identifier'' or ``Other provider identifier type code'' when health
care providers notify the NPS of changes to this information.
The NPS will not require a ``Facility type'' indicator for health
care providers with OSCAR numbers. It will collect the Healthcare
Provider Taxonomy Code on the NPI application/update form.
Comment: Several commenters suggested the NPS retain the health
care provider mailing and health care provider practice (provider
location) phone number, facsimile number, and electronic mail address
only during the initial assignment of NPIs, and then discontinue
maintenance of this information.
Response: These data elements are needed for communication with the
health care provider. HHS may need to communicate with a health care
provider at any time during the implementation period or after.
Therefore, these data elements will be maintained beyond the initial
assignment of NPIs. In section II. A. 5. of this preamble,
``Implementation specifications for Health Care Providers, Health
Plans, and Health Care Clearinghouses,'' we are requiring health care
providers who are covered entities to update their required NPS data,
which includes the data elements noted in the comment above, whenever
changes occur.
Comment: Many commenters suggested that several data elements be
repeated; for example: ``Provider's other name'' and ``Provider's other
name type''; ``Other provider number'' and ``Other provider number
type''; ``Provider license number'' and ``Provider license State'';
``Provider classification''; the data elements associated with schools;
and the data elements associated with credentials.
Response: The data element table appearing in the May 7, 1998,
proposed rule did not indicate repeating fields. In the National
Provider System Data Elements table at the end of this section,
repeating fields are noted as such. The NPS will contain as many
repeating fields as there is information for ``Provider other last or
other organization name'' and ``Provider other last or other
organization name type code.'' As mentioned earlier, the NPS will also
be able to accommodate multiples of other health care provider numbers
in the data element ``Other provider identifier'' and types of other
health care provider numbers in the data element ``Other provider
identifier type code.'' The NPS will accommodate multiple entries for
``Provider license number'' and ``Provider license State.'' As
explained earlier, the school information will be excluded from the
NPS. ``Provider credential text'' (for example, M.D. and D.D.S.) will
be a repeating field. These repeating fields are either optional or
situational and will not be validated.
Comment: Many commenters asked that ``Provider's race'' be removed
from the NPS. They did not believe it would be accurately reported.
They stated that there are inconsistent definitions for ``race''; they
did not understand the purpose for collecting this information.
Response: We understand and appreciate the comments stating that
the NPS should be capturing only what is needed for unique
identification of and communication with a health care provider. While
collection of race and ethnicity data could support a number of
important research activities, this information is not needed to
uniquely identify a health care provider; thus, we have concluded that
the NPS is not the appropriate vehicle for collecting this information.
Therefore, we will not collect these data elements even on an optional
basis.
Comment: Several commenters suggested that a number of other data
elements be excluded from the NPS: all user-requested data elements
(these were denoted by a ``U'' in the data element list in the May 7,
1998, proposed rule), ``Other provider number,'' ``Other provider
number type,'' ``Organization type control code,'' ``Provider
certification code,'' ``Provider certification (certificate) number,''
``Provider license number,'' ``Provider license State,'' ``School
code,'' ``School name,'' ``School city, State, country,'' ``School
graduation year,'' ``Provider classification,'' ``Date of birth,'' all
electronic mail addresses and fax numbers, ``Date of death,''
``Provider sex,'' and ``Resident/Intern code.''
Response: We stated in the previous response that ``Provider race
code'' (which was a user-requested data element in the list included in
the May 7, 1998, proposed rule) will not be retained. We discussed all
other data elements presented as user-requested data elements in the
list in the May 7, 1998, proposed rule in previous comments and
responses except for ``Organization type control code'' and ``Resident/
Intern code.'' These two latter data elements will be excluded; they
are not needed for the unique identification of or communication with a
health care provider.
Comment: Several commenters questioned the use of ``optional'' data
elements, believing that ``optional'' information will rarely be
furnished and, if it is furnished, may not be reliable and probably
would not be kept current.
Response: Certain information about health care providers that is
desirable to uniquely identify them in order to assign NPIs cannot be
required to be furnished. ``Situational'' data elements should not be
confused with ``optional'' data elements. ``Situational'' data elements
are required if a certain situation, or condition, exists. ``Optional''
data elements do not have to be supplied at all. For example,
``Provider other last or other organization name'' is optional. A
health care provider may choose not to report a former name or a
professional name. We have attempted to make as
[[Page 3455]]
few data elements as possible ``optional'' in the NPS.
Comment: Several commenters suggested that data element names,
qualifiers, and definitions be consistent with the X12N HIPAA data
dictionary.
Response: The NPS data element names, qualifiers, and definitions,
wherever possible, are mappable to those in the X12N HIPAA data
dictionary and are compatible with X12N naming conventions. We believe
the mapping capability and naming convention compatibility are
essentially what the commenters wanted and believe we have satisfied
their concerns.
Comment: Two commenters suggested that the Drug Enforcement
Administration (DEA) number be collected from health care providers
that have one.
Response: The DEA number is an example of an ``Other provider
identifier.'' The DEA number can be accommodated in this field in the
NPS. We recognize that mapping between DEA numbers and NPIs is very
important for the conversion of retail pharmacy files during NPI
implementation. Therefore, we will collect the DEA number in the
``Other provider identifier'' field if it is reported on the NPI
application/update form and will carry the fact that it is a DEA number
by setting the ``Other provider identifier type code'' to indicate
that.
Comment: Several commenters suggested that we publish a data model
and record layout or both describing in detail the data elements, field
lengths, format, repeating fields, and required and situational fields.
Response: The data element table in this preamble includes an
indication of ``required,'' ``optional,'' or ``situational'' for each
data element, and repeating data elements are noted as such. More
detailed information, as requested in the comment, will be posted to
the CMS Web site (http://www.cms.hhs.gov) when it becomes available
during the NPS design.
Comment: Several commenters said an audit trail of NPI updates is
needed for qualified users. This would indicate which enumerator
updated which fields.
Response: The NPS will construct an audit trail. We expect that the
audit trail would include the date a change was made, the old value,
the new value, and the initiator of the change. As stated in section
II. B. 2. of this preamble, ``Health Care Provider Enumeration,'' there
will not be multiple enumerators. The NPS will contain a date (``Last
update date'') that will indicate when a change was made to a health
care provider's record. Extracts containing NPS changes will be made
available in HHS-determined format and media to satisfy requests from
approved users (see later discussion in this section of the data
dissemination strategy).
Comment: Several Medicaid State agencies suggested that the
Healthcare Provider Taxonomy Code set contain all health care provider
types and specialties needed by Medicaid plans. Another commenter asked
that the code set reflect services provided by pharmacists. Another
stated that the code set did not contain a category for pain medicine.
Several other commenters said the taxonomy code set is inconsistent.
Response: Until recently, this code set was maintained through an
open process by the National Healthcare Provider Taxonomy Committee for
use in Accredited Standards Committee X12N standard transactions. It is
now maintained through an open process by the National Uniform Claim
Committee. The Web site at which the code set is available is http://
www.wpc-edi.com/taxonomy/. The web site contains information on how
changes to the code set can be requested. (Note: Pharmacy service
providers and physicians whose specialization is ``Pain Medicine'' are
included in the code set.) Comment: Several commenters suggested that
the NPS contain a feature whereby the Healthcare Provider Taxonomy Code
set classifications will be available for selection when applying for
an NPI.
Response: We will consider this comment in the design of the NPI
application/update form.
Comment: Many commenters supported the creation of an industry-wide
forum to determine the data element content, identify the mandatory and
optional data elements, and determine the data dissemination
requirements of the NPS. They recommended that WEDI foster such a
group.
Response: WEDI is named in the Act as an external group with which
the Secretary must consult in certain circumstances in standards
development. To address these issues, WEDI formed several workgroups,
which consisted of representatives from every aspect of the health care
industry. Following the workgroups' meetings, WEDI supplied HHS with
comments on NPS data, data dissemination, and other issues,
supplementing the comments WEDI provided to HHS during the public
comment period. We have considered these comments in developing this
final rule.
Comment: Most commenters did not favor the two-level data
dissemination approach presented in the May 7, 1998, proposed rule but
favored instead a three-level approach:
[sbull] Commenters agreed that only the entity performing the
enumeration functions and HHS should have access to the entire NPS.
[sbull] Commenters did not want Privacy Act restrictions violated
but believe that our approach denied health plans and certain other
health care industry entities information that they needed in order to
process HIPAA transactions, while it gave the general public an
excessive--and unnecessary--amount of information. They said that
health plans and other health care industry entities required certain
Privacy Act-protected data in order to accurately match their health
care provider files with NPS data to effectively implement HIPAA
requirements. Many suggested that health plans and health care
clearinghouses be permitted to obtain copies of the database and
periodic update files so that they can maintain files that are
continually consistent with the NPS. Some commenters suggested an on-
line query and response system be developed for health plans to verify
a health care provider's NPI. Others wanted electronic transactions
designed that could be sent to the NPS with a response returned. These
transactions might request all available data, regional data, new
records only, and updated records only. Some commenters suggested that
health plans have batch and interactive access capabilities to the NPS,
stating that health plans will require daily batch updates of new and
changed records, particularly during the implementation period. Some
suggested that changed records be available for electronic download
daily and weekly, and monthly by CD ROM and diskette. Still others
preferred that health care entities receive data through the Internet
with secure identifiers.
[sbull] One commenter stated the NPS data should be used strictly
for enumeration and that no NPS data should be made available to the
public. This commenter recommended that the public and others obtain
NPIs from the health care providers themselves, not from the NPS. Some
commenters believe it inappropriate for the general public to look to
the NPS as the source of any but the most general types of information
about health care providers. Some commenters expressed concern that
public release of too much information (particularly, full addresses)
could subject health care providers to receipt of junk mail and other
unsolicited materials.
[sbull] Commenters recommended that agreements be signed by anyone
receiving NPS data to ensure the
[[Page 3456]]
information released would not be used for marketing or mailing list
generation or sold or transferred to another entity.
[sbull] Several commenters stated that personally identifiable data
about health care providers, contained in the NPS, should be available
to researchers for clinical and financial outcomes analyses after
appropriate agreements are signed.
[sbull] One commenter suggested read-only access to the NPS data
for all users.
[sbull] Several commenters stated that the data dissemination
policy should be consistent with the routine uses of NPS data as
published in the NPS System of Records Notice (63 FR 40297).
[sbull] The three dissemination levels suggested by commenters
were:
[sbull] Level 1--Available to HHS and the entity with which HHS
contracts to perform the enumeration functions.
[sbull] Level 2--Available to health plans and certain other health
care industry entities that require certain Privacy-Act protected data
to match their health care provider files to NPS data.
[sbull] Level 3--Available to the general public.
Response: In order to keep costs low, we must make the NPS data
dissemination strategy as efficient and uncomplicated as possible. The
number of formats and access options will need to be limited.
We view the NPS as a health care provider identification and
enumeration system, capturing the information required to perform those
functions and disseminating information needed by health plans and
other entities to effectively carry out the provisions of HIPAA. We
agree with the majority of commenters who stated that health plans and
certain other health care industry entities require NPS data, including
some data that are protected by the Privacy Act, in order to
effectively conduct HIPAA transactions. (Privacy Act-protected data are
those that reveal or could reveal the identity of a specific individual
when used alone or in combination with or linked to one or more data
elements.)
Comment: Some commenters suggested that a health care provider be
able to access its own NPS data through the Internet to ensure its
accuracy and to facilitate updating the information.
Response: This comment will be considered in the design of the NPS;
if it is determined to be feasible, this access will be made available.
Comment: Several commenters supported charging reasonable fees or
subscription rates for web-based data access options; for example, HHS
could charge an annual subscription fee for unlimited downloads and a
different subscription fee for monthly downloads. Some commenters asked
if on-line access charges would be based on time or on a per file
access basis.
Some commenters believed that usage fees should not be limited to
the cost of producing the data but should be linked to the costs and
value of establishing and using the NPS.
Many commenters stated that the enumerator(s) should not have to
pay for NPS data.
One commenter, who had suggested the enumerator be a public and
private sector trust, suggested that dissemination fees be established
and administered by the public and private sector trust.
Response: The design of the NPS will facilitate making information
available in an efficient manner, which will involve the use of the
Internet. We are reviewing the issue of charging fees, and intend to
consider charging fees to the extent our authority permits.
Final Provisions (Sec. 162.408(b) and (f))
The NPS Data Elements Table lists the data elements that we expect
to collect about a health care provider and which will be included in
the National Provider System (NPS). The data element table is not
intended to be used for data design purposes. During NPS design and
development, the names and attributes of the data elements may be
revised. We are including this listing to show readers the kind of
information that we expect will be collected about health care
providers or that will be NPS-generated (for example, the NPI) about
health care providers. The table does not include systems maintenance
or similar fields.
Description of the information contained in each column of this
table:
Data Element Name: The name of the data element residing in the
NPS.
Description: The definition of the data element and related
information.
Data Status: The instruction for furnishing the information being
requested in the data element. The abbreviations used in this column
are as follows:
Required (R): Required for NPI assignment. NPS-generated (NG):
Generated or assigned by the NPS. Optional (O): Not required for NPI
assignment. Situational (S): If a certain condition exists, the data
element is required. Otherwise, it is not required. Repeat (RPT):
Indicates that the data element is a repeating field. A repeating field
is one that can accommodate more than one separate entry. Each separate
entry must meet the edits, if any, designated for that data element.
Data Condition: Describes the condition(s) under which a
``Situational'' data element must be furnished. NOTE: The abbreviation
NA means ``not applicable.''
Entity Types: The ``Entity type codes'' to which the data element
applies. See the description of the data element ``Entity type code''
in the table.
Use: The purpose for which the information is being collected or
will be used.
I: The data element supports the unique identification of a health
care provider.
A: The data element supports administrative implementation
specifications.
Dissemination of data from the NPS is a complex process. It must be
responsive to requests from covered entities for NPS information that
they need in order to comply with HIPAA. We expect a high volume of
such requests, primarily from health plans, once NPIs begin to be
assigned. At the same time, the dissemination process must ensure
compliance with the provisions of the Privacy Act, the Freedom of
Information Act, the Electronic FOIA Amendments of 1996, and other
applicable regulations and authorities, and must be consistent with the
NPS System of Records Notice, which was published on July 28, 1998.
We expect to make routinely available, via the Internet and on
paper, HHS-formatted data sets that will contain general identifying
information, including the NPI, of enumerated organization health care
providers and subparts of such health care providers (as described
earlier in this preamble).
Because of complexities that are inherent in disseminating data
from the NPS, it is necessary to eliminate from the NPS Data Elements
Table the column that, in the proposed rule, indicated the data
dissemination level. Our data dissemination strategy and the process by
which it will be carried out will be described in detail at a later
date and published in a notice in the Federal Register.
[[Page 3457]]
NPS Data Elements
----------------------------------------------------------------------------------------------------------------
Data condition
Data element name Description Data status (situational status Entity Use
only) types
----------------------------------------------------------------------------------------------------------------
National Provider Indentifier 10-position all- NG NA................. 1, 2........ I
(NPI). numeric
identification
number assigned by
the NPS to
uniquely identify
a health care
provider.
Entity type code (type of health Code describing the R NA................. 1, 2........ A
care provider assigned an NPI). type of health
care provider that
is being assigned
an NPI. Codes are
1 = (Person):
individual human
being who
furnishes health
care; 2 = (Non-
person): entity
other than an
individual human
being that
furnishes health
care (for example,
hospital, SNF,
hospital subunit,
pharmacy, or HMO).
Replacement National Provider The most recent NPI NG Required if 1, 2........ I
Identifier. issued by the NPS S provider has been
to this provider. RPT issued a
Issuance of a replacement NPI.
Replacement NPI by
the NPS would be
an unusual
circumstance in
which the provider
requested a new,
different NPI for
a valid reason.
Issuance of a
Replacement NPI is
different from NPI
deactivation and
NPI reactivation.
Previous National Provider The NPI that had NG Required if 1, 2........ I
Identifier. previously been S provider
issued to this RPT previously had
provider. been issued a
different NPI.
Provider Social Security Number The SSN assigned by O NA................. 1........... I
(SSN). the Social
Security
Administration
(SSA) to the
individual being
identified.
Provider IRS Individual Taxpayer The taxpayer O NA................. 1........... I
Identification Number (IRS identifying number
ITIN). assigned by the
IRS (to
individuals who
are not eligible
to be assigned
SSNs) to the
individual being
identified.
Provider Employer Identification The Employer S Required if the 2........... I
Number (EIN). Identification provider has an
Number (EIN), EIN.
assigned by the
IRS, of the
provider being
identified.
Provider last name or The last name of R NA................. 1, 2........ I
organization name. the provider (if
an individual) or
the name of the
organization
provider. If the
provider is an
individual, this
is the legal name.
If the provider is
an organization,
this is the legal
business name.
Provider first name............. The first name of S Required if the 1........... I
the provider, if provider's NPI is
the provider is an Entity type code =
individual. 1.
Provider middle name............ The middle name of S Required if the 1........... I
the provider, if provider's NPI is
the provider is an Entity type code =
individual. 1 and the provider
has a middle name.
Provider other last or other Other last name by O NA................. 1, 2........ I
organization name. which the provider RPT
being identified
is or has been
known (if an
individual) or
other name by
which the
organization
provider is or has
been known.
Provider other last or other Code identifying S Required if 1, 2........ I
organization name type code. the type of other RPT ``Provider other
name. Codes are: 1 last or other
= former name; 2 = organization
professional name; name'' contains
3 = doing business data. Codes 1-2
as (d/b/a) name; 4 apply to
= former legal individuals; codes
business name; 5 = 3-4 apply to
other. organizations;
code 5 applies to
both.
Provider other first name....... Other first name by S Required if 1........... I
which the provider RPT ``Provider other
being identified last or
is or has been organization
known (if an name'' contains
individual). This data and the
may be the same as provider's NPI is
the ``Provider Entity type code =
first name'' if 1.
the provider is or
has been known by
a different last
name only.
Provider other middle name...... Other middle name S Required if 1........... I
by which the RPT ``Provider other
provider being last or
identified is or organization
has been known (if name'' contains
an individual). data, the provider
This may be the NPI is Entity type
same as the code = 1, and the
``Provider middle provider has a
name'' if the middle name.
provider is or has
been known by a
different last
name only.
Provider name prefix text....... The name prefix or O NA................. 1........... I
salutation of the
provider if the
provider is an
individual; for
example, Mr.,
Mrs., or Corporal.
[[Page 3458]]
Provider name suffix text....... The name suffix of O NA................. 1........... I
the provider if
the provider is an
individual. The
name suffix is a
``generation-
related'' suffix,
such as Jr., Sr.,
II, III, IV, or V.
Provider credential text........ The abbreviations O NA................. 1........... I
for professional
degrees or
credentials used
or held by the
provider, if the
provider is an
individual.
Examples are MD,
DDS, CSW, CNA, AA,
NP, RNA, or PSY.
These credential
designations will
not be verified by
NPS.
Provider first line mailing The first line R NA................. 1, 2........ A
address. mailing address of
the provider being
identified. This
data element may
contain the same
information as
``Provider first
line location
address''.
Provider second line mailing The second line S Required if it 1, 2........ A
address. mailing address of exists.
the provider being
identified. This
data element may
contain the same
information as
``Provider second
line location
address''.
Provider mailing address State The State or S Required if the 1, 2........ A
name. Province name in address has no
the mailing State code but
address of the contains a State
provider being or Province name.
identified. This
data element may
contain the same
information as
``Provider
location address
State name''.
Provider mailing address postal The postal ZIP or S Required if the 1, 2........ A
code. zone code in the address is inside
mailing address of the United States
the provider being or has an
identified. NOTE: associated postal
ZIP code plus 4- code.
digit extension,
if available. This
data element may
contain the same
information as
``Provider
location address
postal code''.
Provider mailing address country The country code in S Required if address 1, 2........ A
code. the mailing is outside the
address of the United States.
provider being
identified. This
data element may
contain the same
information as
``Provider
location address
country code''.
Provider mailing address The telephone S Required if 1, 2........ A
telephone number. number associated provider mailing
with mailing address has a
address of the telephone.
provider being
identified. This
data element may
contain the same
information as
``Provider
location address
telephone number''.
Provider mailing address fax The fax number O NA................. 1, 2........ A
number. associated with
the mailing
address of the
provider being
identified. This
data element may
contain the same
information as
``Provider
location address
fax number''.
Provider first line location The first line R NA................. 1, 2........ A
address. location address
of the provider
being identified.
For providers with
more than one
physical location,
this is the
primary location.
This address
cannot include a
Post Office box.
Provider second line location The second line S Required if it 1, 2........ A
address. location address exists.
of the provider
being identified.
For providers with
more than one
physical location,
this is the
primary location.
This address
cannot include a
Post Office box.
Provider location address city The city name in R NA................. 1, 2........ A
name. the location
address of the
provider being
identified.
Provider location address State The State code in S Required if address 1, 2........ A
code. the location of is inside the
the provider being United States or
identified. has an associated
State code.
Provider location address State The State or S Required if the 1, 2........ A
name. Province name in address has no
the location State code but
address of the contains a State
provider being or Province name.
identified.
Provider location address postal The postal ZIP or S Required if the 1, 2........ A
code. zone code in the address is inside
location address the United States
of the provider or has an
being identified. associated postal
NOTE: ZIP code code.
plus 4-digit
extension, if
available.
Provider location address The country code in S Required if address 1, 2........ A
country code. the location is outside the
address of the United States.
provider being
identified.
[[Page 3459]]
Provider location address The telephone R NA................. 1, 2........ A
telephone number. number associated
with the location
address of the
provider being
identified.
Provider location address fax The fax number O NA................. 1, 2........ A
number. associated with
the location
address of the
provider being
identified.
Provider taxonomy code.......... Code designating R NA................. 1, 2........ I
the provider type, RPT
classification,
and
specialization.
Codes are from the
Healthcare
Provider Taxonomy
code list. The NPS
will associate
these data with
the license data
for providers with
Entity type code =
1.
Other provider identifier....... Additional number O NA................. 1, 2........ I
currently or RPT
formerly used as
an identifier for
the provider being
identified. This
data element will
be captured from
the NPI
application/update
form.
Other provider identifier type Code indicating the O NA................. 1, 2........ I
code. type of identifier RPT
currently or
formerly used by
the provider being
identified. The
codes may reflect
UPIN, NSC, OSCAR,
DEA, Medicaid
State or PIN
identification
numbers. This data
element will be
captured from the
NPI application/
update form.
Provider enumeration date....... The date the NG NA................. 1, 2........ A
provider was
assigned a unique
identifier
(assigned an NPI).
Last update date................ The date that a NG NA................. 1, 2........ A
record was last
updated or changed.
NPI deactivation reason code.... The reason that the S Required if NPI has 1, 2........ A
provider's NPI was been deactivated.
deactivated in the
NPS. Codes are: 1
= death of entity
type ``1''
provider; 2 =
entity type ``2''
provider
disbandment; 3 =
fraud. 4 = other
(for example,
retirement).
NPI deactivation date........... The date that the S Required if ``NPI 1, 2........ A
provider's NPI was deactivation
deactivated in the code'' contains
NPS. data.
NPI reactivation date........... The date that the NG NA................. 1, 2........ A
provider's NPI was
reactivated in the
NPS.
Provider birth date............. The date of birth S Required if the 1........... I
of the individual provider's NPI is
being identified. Entity type code =
1.
Provider birth State code....... The code S Required if born in 1........... I
representing the United States.
State in which the
individual being
identified was
born. X12N code
lists and names
will be used for
this element.
Provider birth country code..... The code S Required if country 1........... I
representing the is other than
country in which United States.
the individual
being identified
was born.
Provider gender code............ The code S Required if the 1........... I
designating the provider's NPI is
provider's gender Entity type code =
if the provider is 1.
a person.
Provider license number......... The license number S Required for 1, 2........ I
issued to the RPT certain ``Provider
provider being taxonomy codes.''.
identified. The
NPS can
accommodate
multiple license
numbers for
multiple
specialties and
for multiple
States. The NPS
will associate
this data element
with ``provider
taxonomy code''.
Provider license number State The code S Required if 1, 2........ I
code. representing the RPT ``Provider license
State that issued number'' contains
the license to the data.
provider being
identified. This
field can
accommodate
multiple States.
It is associated
with ``provider
license number.
Authorized official last name... The last name of R ................... 2........... I
the person
authorized to
submit the NPI
application or to
change NPS data
for a health care
provider.
Authorized official first name.. The first name of R ................... 2........... I
the authorized
official.
Authorized official middle name. The middle name of S Required if the 2........... I
the authorized authorized
official. official has a
middle name.
Authorized official title or The title or S Required if the 2........... I
position. position of the authorized
authorized official has a
official. title or position.
Authorized official telephone The 10-position R ................... 2........... I
number. telephone number
of the authorized
official.
Contact person last name........ The last name of R ................... 1, 2........ I
the person to be
contacted if there
are questions
about the NPI
application or
changes in NPS
data.
[[Page 3460]]
Contact person first name....... The first name of R ................... 1, 2........ I
the contact person.
Contact person middle name...... The middle name of S Required if the 1, 2........ I
the contact person. contact person has
a middle name.
Contact person name suffix text. The name suffix of O NA................. 1, 2........ I
the contact person
(for example, Jr.,
Sr., II, III, IV,
or V).
Contact person credential text.. The abbreviations O NA................. 1, 2........ I
for professional
degrees or
credentials used
or held by the
contact person.
Examples are M.D.,
R.N., or PhD.
Contact person title or position The title or S Required if the 1, 2........ I
position of the contact person has
contact person. a title or
position.
Contact person telephone number. The 10-position R ................... 1, 2........ I
telephone number
of the contact
person.
Contact person mailing address The electronic mail S Required if the 1, 2........ I
electronic mail identifier. address associated contact person has
with the mailing an electronic mail
address of the identifier
contact person. associated with
the mailing
address of the
contact person.
----------------------------------------------------------------------------------------------------------------
D. New and Revised Standards
Comments and responses on new and revised standards can be found in
the Transactions Rule (65 FR 50343). Generally, we may modify a
standard after the standard has been in effect for at least a year,
unless we determine a modification is necessary sooner in order to
permit compliance with the standard. The Secretary may not require
compliance with a modification until at least 180 days after the
modification is adopted. We will consider requests for modifications to
the standard unique health identifier for health care providers.
III. Summary of Revisions to Regulations Text
We added a definition for ``Covered health care provider'' at Sec.
162.402. In addition to the changes discussed above, minor
organizational or conforming changes were made to other sections of the
regulations text.
IV. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), agencies are
required to provide a 30-day notice in the Federal Register and solicit
public comment on a collection of information requirement submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the PRA requires that we
solicit comment on the following issues:
[sbull] Whether the information collection is necessary and useful
to carry out the proper functions of the agency.
[sbull] The accuracy of the agency's estimate of the information
collection burden.
[sbull] The quality, utility, and clarity of the information to be
collected.
[sbull] Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
Sec. 162.410(a)(1) Through (a)(6) Implementation Specifications:
Health Care Providers
A health care provider who is a covered entity must obtain, by
application if necessary, an NPI from the NPS and must use the NPI it
obtained to identify itself on all standard transactions where its
provider identifier is required. A covered health care provider must
ensure that its subpart(s), if assigned an NPI(s), does the same. A
covered health care provider must disclose its NPI, when requested, to
any entity that needs the NPI to identify that health care provider in
a standard transaction. A covered health care provider must ensure that
its subpart(s), if assigned an NPI(s), does the same. A covered health
care provider that has been assigned an NPI must notify the NPS of any
changes in its required data within 30 days of the change. A covered
health care provider must ensure that its subpart(s), if assigned an
NPI(s), does the same. A covered health care provider that uses one or
more business associates to conduct standard transactions on its behalf
must require its business associates to use its NPI and other NPIs
appropriately on standard transactions that the business associate
conducts on its behalf. A covered health care provider must ensure that
its subpart(s), if assigned an NPI(s), and if the subpart(s) uses one
or more business associates to conduct standard transactions, does the
same.
Sec. 162.412 Implementation Specifications: Health Plans
A health plan must use the NPI of any health care provider or
subpart in any standard transaction that requires the standard unique
health identifier for health care providers. A health plan may not
require a health care provider that has been assigned an NPI to obtain
an additional NPI.
Sec. 162.414 Implementation Specifications: Health Care Clearinghouses
A health care clearinghouse must obtain and use the NPI of any
health care provider or subpart in any standard transaction that
requires the standard unique identifier for health care providers.
Applicability of the PRA to the Requirements
The emerging and increasing uses of health care EDI standards and
transactions have raised the issue of the applicability of the PRA. The
Office of Management and Budget (OMB) has determined that this
regulatory requirement (which mandates that the private sector disclose
information and do so in a particular format) constitutes an agency-
sponsored third-party disclosure as defined under the PRA.
HIPAA requires the Secretary to adopt standards that have been
developed, adopted, or modified by a standard setting organization,
unless there is no such standard, or unless a different standard would
substantially reduce administrative costs. OMB has concluded that the
scope of its review under the PRA would include the review and approval
of our decision to adopt or reject an established industry standard,
based on the HIPAA criterion of whether a different standard would
[[Page 3461]]
substantially reduce administrative costs. For example, if OMB
concluded under the PRA that a different standard would substantially
reduce administrative costs as compared to an established industry
standard, we would be required to reconsider our decision under the
HIPAA standards. We would be required to make a new determination of
whether it is appropriate to adopt an established industry standard or
whether we should enter into negotiated rulemaking to develop an
alternative standard (section 1172(c)(2)(A) of the Act).
The burden associated with the requirements of this final rule,
which is subject to the PRA, is the initial one-time burden on health
care providers who are covered entities to apply for an NPI and later,
as necessary, to furnish updates, and on the covered entities
identified above to modify their current processes to implement the
NPI. However, the burden associated with the routine or ongoing use of
the NPI is exempt from the PRA as defined in 5 CFR 1320.3(b)(2).
Based on the assumption that the burden associated with systems
modifications that need to be made to implement the NPI may overlap
with the systems modifications needed to implement other HIPAA
standards, and the fact that the NPI will replace the use of multiple
identifiers, resulting in a reduction of burden, commenters should take
into consideration when drafting comments that: (1) One or more of
these current identifiers may not be used; (2) systems modifications
may be performed in an aggregate manner during the course of routine
business; and/or (3) systems modifications may be made by contractors
such as practice management vendors, in a single effort for a multitude
of affected entities.
PRA Burden on Covered Health Care Providers
A health care provider that is a covered entity must obtain, by
application if necessary, an NPI from the NPS. It must use its NPI to
identify itself on all standard transactions that it conducts where its
provider identifier is required. In addition, the covered health care
provider must communicate to the NPS any changes to its required NPS
data elements within 30 days of the change. To comply with these
requirements, these health care providers will complete the NPI
application/update form. This form serves two purposes: it enables a
covered health care provider to apply for an NPI and to furnish updates
to the NPS. Application for an NPI is considered to be a one-time
action: an NPI is considered a permanent identifier for a health care
provider. (See section II. A. 2., of this preamble, ``Definition of
Health Care Provider,'' for a discussion of the permanent nature of the
NPI.) Most covered health care providers will not have to furnish
updates in a given year; we estimate, based on information in the
Medicare program, that approximately 12.6 percent of those health care
providers will need to complete and submit the NPI application/update
form in a given year. Below are our estimates for the annual burden
hours associated with these requirements.
Applications for NPIs: Estimated Annualized Burden
Notes: (1) Existing health care providers that are covered entities
would be able to apply for NPIs over a 2-year period. For the estimated
annualized burden, we have divided the number of these health care
providers by 2 to estimate the annual burden. (2) Applying for an NPI
is a one-time burden on a health care provider. In future years, this
burden would apply only to new health care providers that are covered
entities. (3) The number of health care providers will increase by 1.56
percent annually. This is not a ``net'' percentage; it represents
strictly the percentage of new health care providers coming into
business annually. (4) We estimate it will take 20 minutes to complete
the application/update form. (5) We estimate an hourly rate of $10.87,
rounded to $11, for office staff to complete the application/update
form.
New health care providers come into business every year. The first
two years would have increases of 36,124 and 37,251 in new covered
health care providers, respectively. The number of new covered health
care providers is 1.56 percent of the number of existing health care
providers in the previous year.
Updates of NPS Data: Estimated Annualized Burden
Notes: (1) We estimate that 12.6 percent of covered health care
providers would need to furnish updates in a given year. The number of
health care providers needing to update their data in any year is a
percentage of the number of health care providers. (2) A health care
provider that is a covered entity that does not have changes to its NPI
data would not furnish updates and would, therefore, experience no
burden. (3) We estimate it will take 10 minutes to complete the
application/update form. (4) We estimate an hourly rate of $10.87,
rounded to $11, for office staff to complete the application/update
form.
In FY 2007, we estimate there will be 1,157,821 covered health care
providers to be assigned NPIs. One could argue that no updates will
need to be made in FY 2007 because no covered health care provider
would have been enumerated prior to FY 2007. (Note: No health care
provider is required to have an NPI before 2007.) However, for FY 2007,
we have factored in updates by adding 12.6 percent of the 1,157,821
covered health care providers to represent--in a worst case scenario--a
full year's worth of updates if the full 12.6 percent of the enumerated
covered health care providers needed to provide updates within that
same year.
Table 1 below shows the estimated annualized burden for the PRA.
Table 1.--Paperwork Reduction Act Estimated Annualized Burden. Estimated Annualized Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Year 2007 2008 2009 2010 2011 Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost (Burden Hours for Total Providers)................. $5,419,027 $5,641,062 $183,050 $192,798 $204,079 $11,640,015
Cost (Update Hours)..................................... $670,165 $719,050 $759,519 $800,337 $847,167 $3,796,237
-----------------------------------------------------------------------------------------------
Total Annualized Cost............................... $6,089,192 $6,360,111 $942,568 $993,135 $1,051,246 $15,436,252
--------------------------------------------------------------------------------------------------------------------------------------------------------
If feasible, to further reduce burden and plan for compliance with
the Government Paperwork Elimination Act, we are considering the
acceptance of applications and updates electronically over the
Internet. We explicitly solicit comment on how we might conduct this
activity in the most efficient and effective manner, while ensuring the
integrity, authenticity, privacy, and security of health care provider
information.
[[Page 3462]]
As required by section 3504(h) of the Paperwork Reduction Act of
1995, we have submitted a copy of this document to the Office of
Management and Budget (OMB) for its review of these information
collection requirements. If you comment on these information collection
and recordkeeping requirements, please e-mail comments to Paperwork@
cms.hhs.gov (Attn: CMS-0045-F) or mail copies directly to the following
two addresses:
Centers for Medicare & Medicaid Services, Office of Strategic
Operations and Regulatory Affairs, Regulations Development and
Issuances Group, Room C5-14-03, 7500 Security Boulevard, Baltimore, MD
21244-1850, Attn: James Bossenmeyer, CMS-0045-F;
and
Office of Information and Regulatory Affairs, Office of Management and
Budget, Room 10235, New Executive Office Building, Washington, DC
20503, Attn: Brenda Aguilar, CMS-0045-F, CMS Desk Officer.
V. Regulatory Impact Analysis
A. Overall Impact
We have examined the impacts of this final rule as required by
Executive Order 12866 (September 1993, Regulatory Planning and Review),
the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-
354), section 1102(b) of the Social Security Act, the Unfunded Mandates
Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.
Executive Order 12866 (as amended by Executive Order 13258, which
merely reassigns responsibility of duties) directs agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). A
regulatory impact analysis (RIA) must be prepared for major rules with
economically significant effects (costs plus savings equal $100 million
or more in any one year). We consider this final rule to be a major
rule, as it will have an impact of over $100 million on the economy.
This impact analysis shows a net savings of $526 million over a 5-year
period.
The RFA requires agencies to analyze options for regulatory relief
of small businesses. For purposes of the RFA, nonprofit organizations
are considered small entities. Small government jurisdictions with a
population of less than 50,000 are considered small entities.
Individuals and States are not considered small entities. Most
hospitals and most other providers and suppliers are small entities,
either by nonprofit status or by having annual revenues of less than
the threshold published in regulations by the Small Business
Administration (SBA).
Effective October 1, 2000, the SBA no longer used the Standard
Industrial Classification (SIC) System to categorize businesses and
establish size standards, and began using industries defined by the new
North American Industry Classification System (NAICS). The NAICS made
several important changes to the Health Care industries listed in the
SIC System: it revised terminology, established a separate category
(Health Care and Social Assistance) under which many health care
providers are located, and increased the number of Health Care
industries to 30 NAICS industries from 19 Health Services SIC
industries.
On November 17, 2000, the SBA published a final rule, which was
effective on December 18, 2000, in which the SBA adopted new size
standards, ranging from $5 million to $25 million, for 19 Health Care
industries and retained the existing $5 million size standard for the
remaining 11 Health Care industries. The revisions were made to more
appropriately define the size of businesses in these industries that
SBA believes should be eligible for Federal small business assistance
programs.
On August 13, 2002, the SBA published a final rule that was
effective on October 1, 2002. The final rule amended the existing SBA
size standards by incorporating OMB's 2002 modifications to the NAICS
into its table of small business size standards. The final rule did not
affect industries that are considered covered entities by this final
rule.
On September 6, 2002, the SBA published a final rule (effective
October 1, 2002) that corrected the August 13, 2002, final rule. The
final rule corrected errors in the August 13, 2002, final rule and
contained a new table of size standards to clearly identify size
standards by millions of dollars and by number of employees. Some of
those revisions in size standards affected some of the entities that
are considered covered entities under this final rule. For example, the
SBA revisions increased the annual revenues for offices of physicians
to $8.5 million (other practitioners' offices' revenues remained at $6
million) and increased the small business size standard for hospitals
to $29 million in annual revenues.
The regulatory flexibility analysis for this final rule is linked
to the aggregate regulatory flexibility analysis for all the
Administrative Simplification standards that appeared in the
Transactions Rule (65 FR 50312), published on August 17, 2000, which
predated the SBA changes noted above. In addition, all HIPAA
regulations published to date have used the SBA size standards that
existed at the time of the publication of the Transactions Rule.
Because the SBA size standard changes predate the effective date of
this final rule, we are using the current SBA small business size
standards for the regulatory flexibility analysis for this final rule.
Although the SBA has raised the small business size standards, the
revised size standards have no effect on the cost and benefit analysis
for this final rule. The revised standards simply increase the number
of health care providers that are classified as small businesses.
Although the SBA revisions changed the size standard for health plans
by increasing from $5 million to $6 million in annual revenues the
small business size standard, this change has a minimal effect on this
final rule. Because all HIPAA administrative simplification regulations
permit small health plans an additional year in which to comply with
the implementation specifications and requirements, a greater number of
small health plans would have the additional year, due to the SBA size
standard revisions.
While each standard may not have a significant impact on a
substantial number of small businesses, the combined effects of all the
standards are likely to have a significant effect on a substantial
number of small businesses. However, this final rule will affect small
businesses, such as small health care providers, health plans, and
health care clearinghouses, in much the same way as it affects large
businesses.
Small businesses that are covered entities must meet the provisions
of this final rule and implement the standard unique health care
provider identifier standard. The requirements placed on small health
care providers, health care clearinghouses, and health plans would be
consistent with the complexity of their operations. Small health plans
have an additional year in which to comply. A more detailed analysis of
the impact on small businesses is part of the impact analysis that we
published on August 17, 2000 (65 FR 50312), for all the HIPAA
standards.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to
[[Page 3463]]
the provisions of section 604 of the RFA. For purposes of section
1102(b) of the Act, we define a small rural hospital as a hospital that
is located outside of a Metropolitan Statistical Area and has fewer
than 100 beds. This final rule will have no more significant impact on
small rural hospitals than it will have on other small health care
providers.
Section 202 of the Unfunded Mandates Reform Act (UMRA) of 1995 (2
U.S.C. 1532) requires that agencies assess anticipated costs and
benefits before issuing any rule that may result in expenditure in any
one year by State, local, or tribal governments, in the aggregate, or
by the private sector, of $110 million. This final rule establishes a
Federal private sector mandate and is a significant regulatory action
within the meaning of section 202 of UMRA. We have included the
statements to address the anticipated effects of this final rule under
section 202 of UMRA.
This standard applies to State and local governments in their roles
as covered entities. Covered entities must implement the requirements
in this final rule; thus, this final rule imposes unfunded mandates on
them. Further discussion of this issue is found in the previously
published impact analysis for all Administrative Simplification
standards (65 FR 50312).
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a final rule that imposes
substantial direct requirement costs on State and local governments,
preempts State law, or otherwise has Federalism implications. The
proposed rule that proposed the NPI as the standard unique health
identifier for health care providers was published prior to the signing
of that Executive Order. We could not solicit comments on the effect of
Executive Order 13132 on the adoption of the health care provider
identifier standard.
This final rule will have a substantial effect on State and local
governments to the extent that those entities are covered entities. As
early as 1993, CMS (then the Health Care Financing Administration) led
a workgroup whose goal was to develop a provider identification system
for all health care providers. The system was intended to meet the
needs of the Medicare and Medicaid programs, and eventually other
programs. State Medicaid agencies in Alabama, California, Minnesota,
Virginia and Maryland participated in this effort, along with
representatives from the private sector and several other Federal
agencies. The first task of the workgroup was to decide if an existing
identifier could be used or if a new one needed to be developed. The
workgroup developed criteria for a unique provider identifier, examined
existing identifiers, and concluded that a new identifier needed to be
developed. The workgroup developed the NPI, and we proposed the NPI as
the standard unique health identifier for health care providers in the
proposed rule.
States continue to hold memberships on the National Uniform Claim
Committee and the National Uniform Billing Committee, and continue to
be represented in the X12N and Health Level Seven standards development
organization workgroups and committees. As a result, States have in the
past, and continue to have, input into the development of new standards
and the modification of existing standards.
As stated in the previously published impact analysis in 65 FR
50312, we do not have sufficient information to provide estimates of
the impact of the administrative simplification standards on local
governments.
In complying with the requirements of part C of title XI, the
Secretary established interdepartmental implementation teams who
consulted with appropriate State and Federal agencies and private
organizations. These external groups included the NCVHS's Subcommittee
on Standards and Security, the Workgroup for Electronic Data
Interchange (WEDI), the National Uniform Claim Committee (NUCC), the
National Uniform Billing Committee (NUBC), and the American Dental
Association (ADA). The teams also received comments on the May 7, 1998,
proposed regulation from a variety of organizations, including State
Medicaid agencies and other Federal agencies.
We received comments from State agencies and from entities that
conduct transactions with State agencies. Many of the comments referred
to the costs to State and local governments of implementing the HIPAA
standards. We believe that these costs will be offset by future savings
(see the impact analysis of 65 FR 50350).
Other comments regarding States reflected the need for
clarification as to when State agencies were subject to the standards.
B. Anticipated Effects
The Regulatory Flexibility Act of 1980 considers all 31 nonprofit
Blue Cross-Blue Shield Health Plans to be small businesses.
Additionally, 28 percent of HMOs are considered small businesses
because of their nonprofit status. Doctors of osteopathy, dentistry,
podiatry, as well as chiropractors, and solo and group physicians'
offices with fewer than three physicians, are considered small
businesses. Forty percent of group practices with three or more
physicians and 100 percent of optometrist practices are considered
small businesses. Seventy-two percent of all pharmacies, 88 percent of
medical laboratories, 100 percent of dental laboratories, and 90
percent of durable medical equipment suppliers are assumed to be small
businesses as well.
This analysis required that we use data and statistics about
various entities that operate in the health data information industry.
We believe the best source for information about the health data
information industry is Faulkner & Gray's Health Data Directory. This
publication is the most comprehensive data directory of its kind that
we could find. The information in this directory is gathered by
Faulkner & Gray editors and researchers who called all of the more than
3,000 organizations that are listed in the book in order to elicit
information about their operations. Some businesses are listed as more
than one type of business entity because, in reporting the information,
companies could list themselves to be as many as three different types
of entities. For example, some businesses listed themselves as both
practice management vendors and claims software vendors because their
practice management software was ``EDI enabled.''
All the statistics referencing Faulkner & Gray's come from the 2000
edition of its Health Data Directory. It lists 78 claims
clearinghouses, which, according to the Health Data Directory are
entities that generally take electronic and paper health care claims
data from health care providers and billing companies that prepare
bills on a health care provider's behalf. The claims clearinghouse acts
as a conduit for health plans; its activities may include batching
claims and routing transactions to the appropriate health plan in a
form that expedites payment.
Of the 78 claims clearinghouses listed in this publication, eight
processed more than 20 million electronic transactions per month.
Another 15 handled 2 million or more transactions per month and another
4 handled over a million electronic transactions per month. The
remaining 39 entities listed in the data dictionary processed fewer
than a million electronic transactions per month. Almost all of these
entities have annual revenues of under $6 million and would therefore
be considered small entities.
Software system vendors provide computer software applications
support
[[Page 3464]]
to health care clearinghouses, billing companies, and health care
providers. In particular, they work with health care providers'
practice management and health information systems. These businesses
provide integrated software applications for such services as accounts
receivable management, electronic claims submission (patient billing),
recordkeeping, patient charting, practice analysis, and patient
scheduling. Some software vendors also provide applications that
translate information on paper and information in electronic records
having no standard formats into standard electronic formats that are
acceptable to health plans.
Faulkner & Gray lists 78 physician practice management vendors and
suppliers, 76 hospital information systems vendors and suppliers, 140
software vendors and suppliers for claims-related transactions, and 20
translation vendors (now known as Interface Engines/Integration Tools).
We were unable to determine the number of these entities with revenues
over $6 million, but we assume most of these businesses would be
considered small entities.
The costs of implementing the NPI are primarily one-time or short-
term costs related to conversion. These costs are characterized as
follows: software conversion, cost of automation, training,
implementation, and cost of documentation and implementation guides.
As stated earlier in this final rule, health care providers will
not be charged for obtaining an NPI. Covered health care providers will
have to apply for NPIs and will have to furnish updates to the NPS when
their required data changes. (However, if health care providers are
enumerated through the bulk enumeration process described earlier in
this preamble, they will not have to apply for NPIs, and they will be
notified of their NPIs. Those that are covered health care providers
will have to furnish updates to the NPS when their required data
changes and will have to ensure that their subparts, if assigned NPIs
via bulk enumeration or otherwise, do the same. These burden estimates
are discussed in section IV, ``Collection of Information
Requirements,'' of this preamble.) In addition, covered health care
providers will have to bear the costs of converting to the NPI, as will
health plans and health care clearinghouses. Health plans, health care
clearinghouses, and covered health care providers are required to
implement the NPI. Most of these entities meet the SBA's definition of
small entities.
Health plans, health care clearinghouses, and health care providers
who are covered entities must use NPIs in standard transactions and
must make the necessary changes and conversions in order to do so.
Conversion will require training for staff and will require changes to
documentation, procedures, records, and software. Some covered health
care providers that do not already do so may choose to use the services
of software system vendors, billing companies, and/or health care
clearinghouses to facilitate the transition to the NPI. While there may
be up-front costs associated with some of the required changes, the
fact that only one health care provider number (the NPI) will be used
in standard transactions will simplify business, improve efficiency,
and create savings. The format of the NPI (all numeric) will facilitate
telephone keypad entry; the check-digit in the 10th position will
detect keying and data entry errors; and the lack of intelligence built
into the NPI will eliminate the need to issue a new health care
provider number (and maintain records of such issuances) whenever
changes occur that would impact that intelligence.
After being assigned NPIs, covered health care providers will have
to furnish the NPS with updates to their required NPS data in the NPS
within 30 days of the changes. It is very likely that the NPS data will
duplicate some of the information that health care providers furnish to
health plans when they enroll in health plans (although health plans
traditionally collect far more information about a health care provider
than the NPS will collect). Because health care providers must keep
health plans apprised of updates to their data, the requirement that
covered health care providers apprise the NPS of updates should not be
a significant burden on those health care providers.
The extended effective date of the NPI should allow sufficient time
for health plans, health care clearinghouses, and health care providers
who are covered entities to implement the changes needed to accommodate
the NPI.
Lastly, HIPAA gives small health plans an extra year (36 months
instead of 24 months from the effective date) in which to implement the
NPI.
The May 7, 1998, proposed rule for the National Provider Identifier
(NPI) contained a cost-benefit analysis based on the aggregate impact
of all the HIPAA administrative simplification standards for electronic
data interchange (EDI). The Comment/Response section related to the
proposed aggregate analysis, and a final aggregate impact analysis, are
contained in the Transactions Rule at 65 FR 50345. We address the
specific impact of the NPI in section V.D. of this preamble, ``Specific
Impact of the NPI.''
C. Alternatives Considered
Guiding Principles for Standard Selection
As explained in the May 7, 1998, proposed rule (at 63 FR 25323),
the implementation teams charged with designating standards under the
statute defined, with significant input from the health care industry,
a set of common criteria for evaluating potential standards. These
criteria are based on direct specifications in HIPAA, the purpose of
the law, and principles that support the regulatory philosophy set
forth in Executive Order 12866 of September 30, 1993, and the Paperwork
Reduction Act of 1995. These criteria also support and are consistent
with the principles of the Paperwork Reduction Act of 1995. In order to
be designated as a standard, a proposed standard should:
[sbull] Improve the efficiency and effectiveness of the health care
system by leading to cost reductions for or improvements in benefits
from electronic HIPAA health care transactions. This principle supports
the regulatory goals of cost-effectiveness and avoidance of burden.
[sbull] Meet the needs of the health data standards user community,
particularly health care providers, health plans, and health care
clearinghouses. This principle supports the regulatory goal of cost-
effectiveness.
[sbull] Be consistent and uniform with the other HIPAA standards--
their data element definitions and codes and their privacy and security
implementation specifications--and, secondarily, with other private and
public sector health data standards. This principle supports the
regulatory goals of consistency and avoidance of incompatibility, and
it establishes a performance objective for the standard.
[sbull] Have low additional development and implementation costs
relative to the benefits of using the standard. This principle supports
the regulatory goals of cost-effectiveness and avoidance of burden.
[sbull] Be supported by an ANSI-accredited standards developing
organization or other private or public organization that will ensure
continuity and efficient updating of the standard over time. This
principle supports the regulatory goal of predictability.
[sbull] Have timely development, testing, implementation, and
updating procedures to achieve administrative
[[Page 3465]]
simplification benefits faster. This principle establishes a
performance objective for the standard.
[sbull] Be technologically independent of the computer platforms
and transmission protocols used in HIPAA health transactions, except
when they are explicitly part of the standard. This principle
establishes a performance objective for the standard and supports the
regulatory goal of flexibility.
[sbull] Be precise and unambiguous, but as simple as possible. This
principle supports the regulatory goals of predictability and
simplicity.
[sbull] Keep data collection and paperwork burdens on users as low
as is feasible. This principle supports the regulatory goals of cost-
effectiveness and avoidance of duplication and burden.
[sbull] Incorporate flexibility to adapt more easily to changes in
the health care infrastructure (such as new services, organizations,
and health care provider types) and information technology. This
principle supports the regulatory goals of flexibility and
encouragement of innovation.
We assessed the various candidates for a health care provider
identifier against the principles listed above, with the overall goal
of achieving the maximum benefit for the least cost. We found that the
NPI met all the principles and that no other candidate identifier met
all the principles, or even those principles supporting the regulatory
goal of cost-effectiveness. We received comments suggesting that we
consider or reconsider the Taxpayer Identifying Number or the Social
Security Number for individual health care providers and the Employer
Identification Number for organizations as the standard unique health
identifier for health care providers. We responded to these comments in
section II. A. 3. of this preamble, ``NPI Standard.''
One possible alternative in the development of the identifier was
to allow intelligence to be included in it. We rejected this
alternative on qualitative grounds because it meant that individuals
might get more than one identifier in their lifetimes. Cost
considerations also contributed to our decision.
If intelligence were built into the identifier, the operating cost
of the enumeration system would rise for several reasons. First,
additional information would need to be collected and verified so that
the intelligence in the identifier would be accurate. Secondly, new
identifiers for individuals and organizations would need to be assigned
because the embedded intelligence would change.
The cost to health plans would also increase. First, their systems
might need to be adapted to use the intelligence in the identifier.
Secondly, they would have to keep track of the more frequent changes in
identifiers, and revise their processes accordingly.
An intelligent identifier would also be more expensive for health
care providers. They would have to reapply for identifiers if the
information in the intelligence changed. Additionally, they would have
to revise their systems to change their identifiers every time they
changed.
These quantitative reasons support our choice not to include
intelligence in the identifier.
Need to Convert
Because there is no standard health care provider identifier in
widespread use throughout the industry, adopting any of the candidate
identifiers would require covered entities to convert to the new
standard. In the case of the NPI, covered entities will have to convert
because this identifier is not in use presently. As we pointed out in
the May 7, 1998, proposed rule in our analysis of the candidates, even
the identifiers that are in use are not used for all purposes or for
all health care provider classifications. The selection of the NPI does
not impose a greater burden on the industry than the nonselected
candidates, and presents significant advantages in terms of cost-
effectiveness, universality, uniqueness, and flexibility.
Complexity of Conversion
Some existing health care provider identifier systems assign
multiple identifiers to a single health care provider in order to
distinguish the multiple identities the health care provider has in the
system. For example, in these systems, the health care provider may
have a different identifier to represent each contract or provider
agreement, practice location, and specialty or health care provider
classification. Since the NPI is a unique identifier for a health care
provider, it will not distinguish these multiple identities. Systems
that need to distinguish these identities will need to use data other
than the NPI to do so. The change to using other data will add
complexity to the conversion to the NPI (or to any other standard
health care provider identifier), but it is necessary in order to
achieve the goal of unique identification of the health care provider.
The complexity of the conversion will also be significantly
affected by the degree to which health plans' processing systems
currently rely on intelligent identifiers. For example, a health plan
may route claims to different processing routines based on the type of
health care provider by keying on a health care provider type code
included in the identifier. Converting from one unintelligent
identifier to another is less complex than modifying software logic to
obtain needed information from other data elements. However, the use of
an unintelligent identifier is required in order to meet the guiding
principle of ensuring flexibility.
Specific technology limitations of existing systems could affect
the complexity of conversion. For example, some existing health care
provider data systems use a telephone keypad to enter data. Data entry
of alpha characters is inconvenient in these systems.
Comments were strong in suggesting that the NPI be an all-numeric
identifier, be 10 positions in length, and include a check-digit in the
10th position. (See section II. A. 3. of this preamble, ``NPI
Standard,'' for a full description of comments on the characteristics
of the identifier.) As stated in that section, in response to comments,
we changed the format of the NPI to an all-numeric number, 10 positions
in length, with a check-digit in the 10th position. There will be no
intelligence about the health care provider in the number. This format
satisfies the comments for easier data entry and the need for a number
that will be short enough to fit into most existing data formats.
The selection of the NPI does not impose a greater burden on the
industry than the nonselected candidates.
D. Specific Impact of the National Provider Identifier
In the May 7, 1998, proposed rule (at 63 FR 25349), we included a
section that related to the specific impact of the health care provider
identifier. That section of the proposed rule also indicated the
Federal, State, and private costs associated with the enumeration
options set out in the proposed rule.
Proposed Provisions
The May 7, 1998, proposed rule for the National Provider Identifier
(NPI) contained a cost-benefit analysis based on the aggregate impact
of all the HIPAA administrative simplification standards for electronic
data interchange (EDI). The response to comments on the proposed
aggregate analysis is contained in the Transactions Rule (at 65 FR
50345). The Transactions Rule also includes an updated impact analysis
(at 65 FR 50350).
[[Page 3466]]
One section of the impact analysis that was published in the May 7,
1998, proposed rule for the NPI (at 63 FR 25351) contained a discussion
of the costs of enumerating health care providers under each of the two
enumeration options that were described in the proposed rule. Table 5,
entitled ``Enumeration Costs: Federal, State, and Private,'' was
included in this part of the impact analysis in the proposed rule. This
table compared the costs for each of the two proposed enumeration
options. Below we respond to the comments received about that part of
the impact analysis.
Comments and Responses on the Specific Impact of the National Provider
Identifier
Comment: One commenter stated that the pharmacy industry will not
see huge gains in the standardization of the NPI for prescriber and
pharmacy because de facto standard identifiers exist for these two
provider types.
Response: We agree that the pharmacy industry may not realize the
benefits from standardization of health care provider numbers as
quickly as other segments of the health care industry because the
pharmacy industry already uses numbers to identify health care
providers and pharmacies. However, once NPIs are assigned to health
care providers and once the entire health care industry begins to use
the NPI, we believe the pharmacy industry will see the benefits of
replacing its de facto standards with the national standard. The Drug
Enforcement Administration (DEA) number was established by the DEA to
identify those who prescribe or store controlled substances. It is the
pharmacy industry's de facto identifier for prescribers. In developing
the NPI, we considered several existing identifiers as candidates for
the national health care provider identifier. One of those considered
was the DEA number. However, the use of the DEA number as a national
health care provider identifier does not fit the scope for which the
DEA number was established. In addition, the DEA number is not
available to all health care providers and, as a result, would not be
appropriate as the national health care provider identifier. The
National Council for Prescription Drug Programs (NCPDP) provider
number, formerly called the National Association of Boards of Pharmacy
(NABP) number, is the pharmacy industry's de facto identifier for
pharmacies. This number was also considered a candidate for the
national health care provider identifier, but did not meet two of the
criteria deemed necessary for a standard identifier: it would not yield
a sufficient number of identifiers and it contained intelligence.
Comment: Several commenters suggested revisions to our definitions
of ``HIPAA-transaction health care provider'' and ``non-HIPAA-
transaction health care provider.'' They found the terms confusing.
Response: We agree and do not use those terms in this final rule.
Comment: One commenter asked that we insert the word ``costs''
after ``start-up'' and ``outyear'' in Table 5 headings and definitions.
Response: This comment is not applicable, as we do not include
Table 5 in this final rule. We refer the reader to the discussion under
``Final Provisions'' in this section.
Comment: One commenter stated that we did not factor in atypical
service providers that are exclusive to the Medicaid program.
Response: The Medicaid program's atypical and nontraditional
service providers were included in Table 5 in the May 7, 1998, proposed
rule. However, as explained in section II. A. 2, ``Definition of Health
Care Provider'' in this preamble, most of them do not meet our
definition of health care provider. Therefore, they are not included in
our analyses in this final rule.
Comment: Several commenters stated the estimate that 5 percent of
health care providers participating in Federal health plans and
Medicaid would have updates each year is conservative and that the
number is more like 12 to 15 percent. Another commenter believes it to
be even higher.
Response: We have not seen documentation that would convince us our
estimate was incorrect at the time the May 7, 1998, proposed rule was
published. In the proposed rule, we estimated that 5 percent of the
health care providers who are covered entities that conduct business
with Federal health plans or Medicaid would require updates each year,
and that 15 percent of the remaining health care providers that are
covered entities (those that do business only with private insurers)
would require updates each year. In general, health plans (including
Federal health plans and Medicaid) collect more information from their
enrolled health care providers than the NPS will collect when a health
care provider applies for an NPI. Thus, there is more information
subject to change for health care providers that are enrolled in a
health plan. This fact could explain why health plans sometimes have a
greater percentage of updates than what we estimated for NPI purposes
in the proposed rule, and could have been the basis on which the
comment was made. The proposed rule did not include calculations for
updates for health care providers who are not covered entities; we
would expect that percentage would not exceed 15 percent. We computed
the weighted average of the percentages of health care providers that
would require updates that were used in the proposed rule (using 15
percent for these health care providers). We have concluded that
approximately 12.6 percent of all existing health care providers will
have updates each year.
Comment: Several commenters said that erroneous assumptions were
used in stating that the costs to Federal health plans (including
Medicare) and Medicaid would be zero for enumerating their own health
care providers. The costs would be substantial.
Response: We acknowledge that there would have been costs to
Medicaid State agencies and to Federal health plans in manipulating and
reformatting their health care provider files and transferring them to
CMS for loading into the NPS. There would also have been ongoing costs
to Medicaid State agencies and other Federal health plans to obtain
NPIs for their health care providers under option 2. In manipulating
and reformatting the files, problems could be discovered in some of the
health care provider records that would require investigation and
resolution. The costs of investigating and resolving these problems
were not recognized earlier and, therefore, were not considered in the
May 7, 1998, proposed rule.
Comment: One commenter stated that the costs for option 1 as shown
in Table 5 did not reflect the savings that would have accrued by
preloading Medicare provider files into the NPS.
Response: While the narrative portion of the impact analysis did
mention that Medicare provider files would be preloaded into the NPS
under both options 1 and 2, the commenter is correct in that this was
not reflected in Table 5 for option 1. However, as stated earlier in
this preamble, Medicare provider files will be loaded into the NPS only
if it is feasible to do so.
Final Provisions
We stated in the May 7, 1998, proposed rule that we cannot
determine the specific economic impact of the NPI (and individually,
each HIPAA administrative simplification standard may not have a
significant impact). The overall impact analysis (65 FR 50355) made it
clear that, collectively, all the standards will have a significant
impact of over $100 million on the economy.
[[Page 3467]]
The implementation costs and benefits of the NPI were factored into
that overall impact analysis.
However, that impact analysis used certain assumptions that have
not been realized. For example, it was assumed that all of the HIPAA
standards would be issued and effective at about the same time, so that
covered entities would be making their system changes at one time. For
various reasons, standards have been issued and effective over a much
longer period of time than expected. For example, the transaction and
code set standards were published in 2000 and must be implemented by
October 2003. Security standards are to be implemented by April 2005,
and the NPI must be used by 2007.
Because the compliance dates cover such an extended period of time,
we will estimate part of the overall cost and savings for health plans
and health care providers that can be attributed to the NPI. We
continue to use the impact analysis previously referenced as the set of
total costs and savings.
Because the standards for transactions and codes sets, the employer
identifier, and security have already been published, we assume that
covered entities have already made significant system investments.
Because they were aware that the NPI was an upcoming standard, they may
have also made some accommodations in their systems to be able to use
the NPI when it is assigned. The NPI has already been identified as a
future identifier in the implementation specifications for the
transaction standards.
There will still be costs and savings related to the implementation
of the NPI by health plans and health care providers. These will,
however, be small in comparison to those for transaction standards and
security. The NPI affects only a small part of the system and business
processes for any covered entity.
We estimate that the NPI would entail 10 percent of the costs and 5
percent of the savings for health plans. Health plans would need to
make some system changes from their current identifiers to the NPI.
They would save in not having to maintain a system of identifiers that
exist today. We would estimate that for health care providers, the NPI
would represent 5 percent of the costs and 10 percent of the savings.
Health care providers need only to substitute the NPI for their current
identifier(s). They reap greater savings by not having to keep track of
separate identifiers for each health plan and possibly for each
location, address, or contractual arrangement. (However, as noted
earlier in this preamble, health plans may require health care
providers to use identifiers other than the NPI for uses other than
standard transactions.)
Looking at the overall impact analysis, while 2007 is the initial
year for using the NPI, it would be the analogous to the first year of
the overall impact analysis, in which most of the costs are incurred.
Using the figures from above, we make the following estimates for 2007:
Table 2.--Costs of Implementing the NPI in 2007
[In millions of dollars, rounded to the nearest million]
------------------------------------------------------------------------
------------------------------------------------------------------------
Health Plans:
2002 Cost from Impact Analysis............................... -146
2002 Savings................................................. 24
2007 Net for NPI for Health Plans............................ -122
Health Care Providers:
2002 Cost from Impact Analysis............................... -79
2002 Savings................................................. 61
2007 Net for NPI for Health Care Providers................... -18
------------------------------------------------------------------------
Note: The figures in Table 2 have been adjusted to reflect
dollars expressed for 2007.
We perform the same calculations for the next 4 years. This yields
the following results:
Table 3.--Costs of Implementing the NPI, 2007-2011
[In millions of dollars, rounded to the nearest million]
----------------------------------------------------------------------------------------------------------------
Year 2007 2008 2009 2010 2011 Total
----------------------------------------------------------------------------------------------------------------
Health Plan Costs................. 146 146 134 0 0 426
Health Plan Savings............... 24 49 73 91 103 341
Provider Costs.................... 73 73 67 0 0 213
NPI Application and Update Costs.. 6 6 1 1 1 15
Provider Savings.................. 61 122 183 219 256 840
Net Savings....................... -140 -55 54 309 358 526
NPS Costs......................... 91 9 9 9 9 128
----------------------------------------------------------------------------------------------------------------
Note: The figures in Table 3 have been adjusted to reflect
dollars expressed for each year.
All costs of NPS development and operation (which include the costs
of enumerating health care providers and maintaining their information
in the NPS, and the costs of disseminating NPS data to the health care
industry and others, as appropriate) are Federal costs. As mentioned
earlier in this preamble, HHS will contract for system development and
for the enumeration, update, and data dissemination activities. We
estimate the following costs for operations of the National Provider
System (NPS), keeping in mind that the NPS will enumerate both covered
and noncovered health care providers, and that health care providers
are not being charged for obtaining NPIs.
E. Affected Entities
Health Care Providers
Health care providers and subparts, as appropriate, will apply for
NPIs. Health care providers that are covered entities must begin to use
NPIs in standard transactions no later than 24 months after the
effective date of this regulation; and they must ensure that their
subparts, if assigned NPIs, do the same. Covered health care providers
that need to be identified on standard transactions must disclose their
NPIs, upon request, to entities that are required to use those health
care providers' NPIs on standard transactions. Covered health care
providers must ensure that their subparts, if assigned NPIs, do the
same. Any negative impact on health care providers generally would be
related to the initial implementation period. They would incur
implementation costs for converting systems, especially those that
generate electronic claims, from current health care provider
identifiers to the NPI. Some health care providers would incur those
costs directly and others would incur them in the form of fee increases
from billing associates and health care clearinghouses.
Covered health care providers will have to use their NPIs on
standard claims transactions and any other standard transactions that
they conduct; they will have to ensure that their
[[Page 3468]]
subparts, if assigned NPIs, do the same. They will also have to obtain
and use the NPIs of other health care providers if those NPIs are
needed on those transactions. If covered health care providers'
subparts are assigned NPIs, the covered health care providers must
ensure that their subparts do the same. This will be a more significant
implementation workload for larger organization health care providers,
such as hospitals, that will have to capture the NPIs for each health
care provider practicing in the hospital if those health care providers
need to be identified on hospital claims. However, these health care
providers are accustomed to maintaining these types of data. Some
health care providers will need access to the NPIs of other health care
providers in order to identify those health care providers on standard
transactions. In this regard, we encourage all health care providers to
obtain NPIs and, when requested, to disclose their NPIs to covered
entities that need them for inclusion on health care transactions. Some
health care providers, particularly ones that do not do business with
large health plans, may be resistant to obtaining NPIs and providing
data about themselves to a national database.
Claims processing and timely payments to health care providers
could possibly be affected as health plans transition to the NPI. We
encourage health plans to conduct outreach efforts in order to minimize
disruptions in claims processing and timely payment.
Covered health care providers are required to also furnish updates
to their required NPS data within 30 days of the changes. Covered
health care providers must ensure that their subparts, if assigned
NPIs, do the same. (We encourage other health care providers to do the
same.) The vast majority of health plans issue identifiers to the
health care providers with which they conduct business in order to
facilitate the electronic processing of claims and other transactions.
The information that health care providers must supply in order to
receive an NPI is significantly less than the information most health
plans require from a health care provider in order to enroll in a
health plan. We will attempt to make the processes of obtaining NPIs
and updating NPS data as easy as possible for health care providers,
reducing duplication of effort wherever possible and making the
processes as automated as possible. Neither the statute nor this final
rule requires charging health care providers (or their subparts) to
receive NPIs.
After the compliance date, health care providers will no longer
have to keep track of and use different identifiers with different
health plans when conducting standard transactions. This should
simplify health care provider billing systems and processes and reduce
administrative expenses. A standard identifier should facilitate and
simplify coordination of benefits, resulting in faster, more accurate
payments.
Health Plans
HIPAA does not prohibit health plans from requiring their enrolled
health care providers to obtain NPIs.
Health plans will have to modify their systems to use the NPI. This
conversion will have a one-time cost impact on Federal, State, and
private health plans and is likely to be more costly for health plans
with complex systems that rely on intelligent provider numbers.
Disruption of claims processing and payment delays could result.
However, health plans will be able to schedule their implementation of
the NPI and other standards in a manner that best fits their needs, as
long as they meet the deadlines specified in this and the other final
rules that implement the administrative simplification provisions. Upon
the NPI compliance dates, health plans' coordination of benefits
activities should be greatly simplified because all health plans will
use a unique standard health care provider identifier for each health
care provider. In addition, utilization review and other payment
safeguard activities will be facilitated, since health care providers
would use only one identifier and could be easily tracked over time and
across geographic areas. Health plans currently assign their own
identification numbers to health care providers as part of their
enrollment procedures, and this practice would no longer be necessary.
Existing enumeration systems maintained by Federal health programs
could be phased out, and savings would result. Health care
clearinghouses will face impacts (both positive and negative) similar
to those experienced by health plans. However, implementation will
likely be more complex, because health care clearinghouses deal with
many health care providers and health plans. Health care providers that
are not covered entities that do not wish to apply for NPIs will
necessitate the need for health care clearinghouses to accommodate
health care provider identifiers in addition to the NPI.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
List of Subjects in 45 CFR Part 162
Administrative practice and procedure, Electronic transactions,
Health facilities, Health insurance, Hospitals, Incorporation by
reference, Medicare, Medicaid, Reporting and recordkeeping reports.
0
For the reasons set forth in the preamble, 45 CFR subchapter C part 162
is amended as follows:
PART 162--ADMINISTRATIVE REQUIREMENTS
0
1. The authority citation continues to read as follows:
Authority: Secs. 1171 through 1179 of the Social Security Act
(42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191,
110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat.
2033-2034 (42 U.S.C. 1320d-2 (note)).
0
2. A new subpart D is added to read as follows:
Subpart D--Standard Unique Health Identifier for Health Care Providers
Sec.
162.402 Definitions.
162.404 Compliance dates of the implementation of the standard
unique health identifier for health care providers.
162.406 Standard unique health identifier for health care providers.
162.408 National Provider System.
162.410 Implementation specifications: Health care providers.
162.412 Implementation specifications: Health plans.
162.414 Implementation specifications: Health care clearinghouses.
Subpart D--Standard Unique Health Identifier for Health Care
Providers
Sec. 162.402 Definitions.
Covered health care provider means a health care provider that
meets the definition at paragraph (3) of the definition of ``covered
entity'' at Sec. 160.103 of this subchapter.
Sec. 162.404 Compliance dates of the implementation of the standard
unique health identifier for health care providers.
(a) Health care providers. A covered health care provider must
comply with the implementation specifications in Sec. 162.410 no later
than May 23, 2007.
(b) Health plans. A health plan must comply with the implementation
specifications in Sec. 162.412 no later than one of the following
dates:
(1) A health plan that is not a small health plan--May 23, 2007.
(2) A small health plan--May 23, 2008.
(c) Health care clearinghouses. A health care clearinghouse must
comply with the implementation specifications in Sec. 162.414 no later
than May 23, 2007.
[[Page 3469]]
Sec. 162.406 Standard unique health identifier for health care
providers.
(a) Standard. The standard unique health identifier for health care
providers is the National Provider Identifier (NPI). The NPI is a 10-
position numeric identifier, with a check digit in the 10th position,
and no intelligence about the health care provider in the number.
(b) Required and permitted uses for the NPI.
(1) The NPI must be used as stated in Sec. 162.410, Sec. 162.412,
and Sec. 162.414.
(2) The NPI may be used for any other lawful purpose.
Sec. 162.408 National Provider System.
National Provider System. The National Provider System (NPS) shall
do the following:
(a) Assign a single, unique NPI to a health care provider, provided
that--
(1) The NPS may assign an NPI to a subpart of a health care
provider in accordance with paragraph (g); and
(2) The Secretary has sufficient information to permit the
assignment to be made.
(b) Collect and maintain information about each health care
provider that has been assigned an NPI and perform tasks necessary to
update that information.
(c) If appropriate, deactivate an NPI upon receipt of appropriate
information concerning the dissolution of the health care provider that
is an organization, the death of the health care provider who is an
individual, or other circumstances justifying deactivation.
(d) If appropriate, reactivate a deactivated NPI upon receipt of
appropriate information.
(e) Not assign a deactivated NPI to any other health care provider.
(f) Disseminate NPS information upon approved requests.
(g) Assign an NPI to a subpart of a health care provider on request
if the identifying data for the subpart are unique.
Sec. 162.410 Implementation specifications: Health care providers.
(a) A covered entity that is a covered health care provider must:
(1) Obtain, by application if necessary, an NPI from the National
Provider System (NPS) for itself or for any subpart of the covered
entity that would be a covered health care provider if it were a
separate legal entity. A covered entity may obtain an NPI for any other
subpart that qualifies for the assignment of an NPI.
(2) Use the NPI it obtained from the NPS to identify itself on all
standard transactions that it conducts where its health care provider
identifier is required.
(3) Disclose its NPI, when requested, to any entity that needs the
NPI to identify that covered health care provider in a standard
transaction.
(4) Communicate to the NPS any changes in its required data
elements in the NPS within 30 days of the change.
(5) If it uses one or more business associates to conduct standard
transactions on its behalf, require its business associate(s) to use
its NPI and other NPIs appropriately as required by the transactions
that the business associate(s) conducts on its behalf.
(6) If it has been assigned NPIs for one or more subparts, comply
with the requirements of paragraphs (a)(2) through (a)(5) of this
section with respect to each of those NPIs.
(b) A health care provider that is not a covered entity may obtain,
by application if necessary, an NPI from the NPS.
Sec. 162.412 Implementation specifications: Health plans.
(a) A health plan must use the NPI of any health care provider (or
subpart(s), if applicable) that has been assigned an NPI to identify
that health care provider on all standard transactions where that
health care provider's identifier is required.
(b) A health plan may not require a health care provider that has
been assigned an NPI to obtain an additional NPI.
Sec. 162.414 Implementation specifications: Health care
clearinghouses.
A health care clearinghouse must use the NPI of any health care
provider (or subpart(s), if applicable) that has been assigned an NPI
to identify that health care provider on all standard transactions
where that health care provider's identifier is required.
Subpart F--Standard Unique Employer Identifier
0
3. In Sec. 162.610, paragraph (c) is added to read as follows:
Sec. 162.610 Implementation specifications for covered entities.
* * * * *
(c) Required and permitted uses for the Employer Identifier.
(1) The Employer Identifier must be used as stated in Sec.
162.610(b).
(2) The Employer Identifier may be used for any other lawful
purpose.
Authority: Secs. 1171 through 1179 of the Social Security Act
(42 U.S.C. 1320d--1320d-8), as added by sec. 262 of Pub. L. 104-191,
110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat.
2033-2034 (42 U.S.C. 1320d-2 (note)).
(Catalog of Federal Domestic Assistance Program No. 93.774,
Medicare--Supplementary Medical Insurance Program.)
Dated: October 16, 2003.
Tommy G. Thompson,
Secretary.
[FR Doc. 04-1149 Filed 1-22-04; 8:45 am]
BILLING CODE 4120-01-P