HIPAA Administrative Simplification: National Plan and Provider Enumeration System Data Dissemination, 30011-30014 [07-2651]

Download as PDF Federal Register / Vol. 72, No. 103 / Wednesday, May 30, 2007 / Notices the provisions of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I), and (f). Exemption is appropriate to avoid compromise of ongoing investigations, disclosure of the identity of confidential sources and unwarranted invasions of personal privacy of third parties. By the Commission. Bryant L. VanBrakle, Secretary. [FR Doc. E7–10381 Filed 5–29–07; 8:45 am] BILLING CODE 6730–01–P FEDERAL RESERVE SYSTEM up to 100 percent of the voting shares of Doral Financial Corporation, and Doral Bank, both of San Juan, Puerto Rico. In connection with this application, Applicant also has applied to acquire Doral Bank, FSB, New York, New York, and thereby engage in operating a savings association, pursuant to section 225.28(b)(4)(ii) of Regulation Y. Board of Governors of the Federal Reserve System, May 24, 2007. Jennifer J. Johnson, Secretary of the Board. [FR Doc. E7–10319 Filed 5–29–07; 8:45 am] BILLING CODE 6210–01–S sroberts on PROD1PC70 with NOTICES Formations of, Acquisitions by, and Mergers of Bank Holding Companies The companies listed in this notice have applied to the Board for approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (BHC Act), Regulation Y (12 CFR Part 225), and all other applicable statutes and regulations to become a bank holding company and/or to acquire the assets or the ownership of, control of, or the power to vote shares of a bank or bank holding company and all of the banks and nonbanking companies owned by the bank holding company, including the companies listed below. The applications listed below, as well as other related filings required by the Board, are available for immediate inspection at the Federal Reserve Bank indicated. The application also will be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing on the standards enumerated in the BHC Act (12 U.S.C. 1842(c)). If the proposal also involves the acquisition of a nonbanking company, the review also includes whether the acquisition of the nonbanking company complies with the standards in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted, nonbanking activities will be conducted throughout the United States. Additional information on all bank holding companies may be obtained from the National Information Center website at www.ffiec.gov/nic/. Unless otherwise noted, comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors not later than June 14, 2007. A. Federal Reserve Bank of New York (Anne MacEwen, Bank Applications Officer) 33 Liberty Street, New York, New York 10045-0001: 1. Doral Holdings Delaware, LLC, Doral Holdings, LP, and Doral GP Ltd., all of New York, New York; to become bank holding companies by acquiring VerDate Aug<31>2005 19:13 May 29, 2007 Jkt 211001 DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Medicare & Medicaid Services [CMS–6060–N] RIN 0938–AN71 HIPAA Administrative Simplification: National Plan and Provider Enumeration System Data Dissemination Centers for Medicare & Medicaid Services (CMS), HHS. ACTION: Notice. AGENCY: SUMMARY: This notice establishes the data that are available from the National Plan and Provider Enumeration System (NPPES). In addition, this notice addresses who may have access to the data or may receive data from the system, the processes for requesting and receiving data, and the conditions under which data may be disclosed. FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786–1812. SUPPLEMENTARY INFORMATION: I. Background A. Legislative and Regulatory Background The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services (HHS) to adopt a standard unique health identifier for health care providers. On January 23, 2004, HHS published a final rule in the Federal Register that adopted the National Provider Identifier (NPI) as the standard unique health identifier for health care providers (69 FR 3434). The NPI final rule established the National Provider System (NPS) and requires, among other things, that the NPS disseminate data in response to PO 00000 Frm 00070 Fmt 4703 Sfmt 4703 30011 approved requests. The NPI final rule stated that we would publish a notice in the Federal Register describing our data dissemination strategy and the process by which we would carry it out (69 FR 3456). Therefore, we are publishing this notice. B. Operational and System Background On July 28, 1998, in accordance with the Privacy Act of 1974, we published, in the Federal Register, a System of Records (SOR) notice for the National Provider System (NPS) (63 FR 40297). The NPS is the system, as described in the NPI final rule, that will be used to enumerate health care providers and house the information provided on health care providers’ applications for NPIs. The NPS is now contained within the National Plan and Provider Enumeration System (NPPES). We are in the process of revising the Privacy Act SOR notice and will soon publish an updated SOR notice. The updated SOR notice will reflect the change from NPS to NPPES and will incorporate other changes necessitated by organizational and name changes and information contained in the NPI final rule. The updated SOR notice will also contain language that will clarify its consistency with the data dissemination policy described in this notice. (The existing SOR notice, although it is being revised, supports the data dissemination policy described in this notice.) The NPPES enumerates health care providers and houses their NPIs and information from their NPI applications/updates. The NPPES also would be capable of enumerating health plans and housing their standard unique health identifiers and information from their health plan identifier applications/updates once a standard unique health identifier for health plans has been adopted. Covered entities under HIPAA are required to use NPIs to identify health care providers in standard transactions beginning no later than May 23, 2007 (small health plans have until May 23, 2008). (See the Standards for Electronic Transactions and Code Sets final rule published on August 17, 2000 (65 FR 50312), the Modifications to the Electronic Transaction and Code Sets final rule published on February 20, 2003 (68 FR 8381), and the NPI final rule published on January 23, 2004 (69 FR 3434)). Covered entities include health plans, health care clearinghouses, and those health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard. The NPPES uniquely identifies health care providers by the use of an E:\FR\FM\30MYN1.SGM 30MYN1 30012 Federal Register / Vol. 72, No. 103 / Wednesday, May 30, 2007 / Notices application process and assigns them their NPIs. The NPPES creates a record for each health care provider to whom it assigns an NPI. The records are updated when health care providers furnish updates to the NPPES. Health care providers are categorized by the NPPES as two types: Individuals, such as physicians; and organizations, such as hospitals. A health care provider may apply for an NPI in one of three ways: (1) By completing form CMS–10114 (NPI Application/Update Form) and mailing it to the NPI Enumerator; (2) by applying online at https:// NPPES.cms.hhs.gov/; or (3) by having an approved organization submit its NPI application data, along with the NPI application data of many other health care providers, to the NPPES in an electronic format defined by HHS. (The NPI Application/Update Form, CMS– 10114, is approved under the Paperwork Reduction Act as OMB No. 0938–0931 with an expiration date of February 29, 2008.) Health care providers who apply online have electronic access to the information in their own NPPES records by using user identifiers and passwords they select. This access allows those health care providers to submit updates to their NPPES data electronically via the Web. Health care providers who apply on the paper form may update their NPPES data electronically by using user identifiers and passwords they select. However, health care providers who are individuals and who submit paper applications but did not furnish SSNs in their applications must update their NPPES data by using the paper NPI Application/Update Form. A health care provider may have its NPI application data submitted by a HHS-approved organization if the organization offers this service and the health care provider gives permission for the NPI application data to be submitted by the organization. An organization, once it is approved to do so, submits to the NPPES the health care provider’s NPI application data, along with the NPI application data of many other health care providers who have also agreed to this service. The NPI application data are submitted to the NPPES for enumeration electronically in a format defined by HHS. The NPPES processes the NPI application data and makes available to the organization the NPIs that were assigned to the health care providers. If NPIs were not assigned to all of the health care providers, HHS indicates to the organization why NPIs were not assigned. This process is known as electronic file interchange (EFI) for bulk enumeration. Information about EFI can be found at https://www.cms.hhs.gov/ NationalProvIdentStand/. Health care providers who are assigned NPIs via this process may update their own NPPES data electronically via the Web using user identifiers and passwords they select. The approved organizations may offer to submit updates to the health care providers’ NPPES data on behalf of the health care providers, and may do so if the health care providers agree. The updates are sent to the NPPES in an electronic format defined by HHS. Information on the format of EFI files is available at https://NPPES.cms.hhs.gov. The EFI process became available on May 1, 2006. II. How to Obtain NPI(s) and Other NPPES Data of Enumerated Health Care Providers A. Request the NPIs From the Health Care Providers Entities wishing to obtain the NPI of a health care provider for use in a standard transaction(s) may contact that health care provider directly and request the NPI. Health care providers who are covered entities under HIPAA (known as ‘‘covered health care providers’’) are required by the NPI final rule to disclose their NPIs to any entity that needs them for use in standard transactions (45 CFR 162.410(a)(3)). Covered organization health care providers that have subparts that have been assigned NPIs must ensure that those subparts disclose their NPIs as well (45 CFR 162.410(a)(6)). Because the NPI was adopted for use in standard transactions, enumerated health care providers who are not covered health care providers are expected, but not required, to disclose their NPIs, upon request, to any entity that needs them for use in standard transactions. B. Request the NPIs and Other NPPES Health Care Provider Data From HHS In accordance with the Freedom of Information Act (FOIA), the Privacy Act, and the CMS FOIA and Privacy Act procedures, HHS has reviewed the health care provider data elements contained in the NPPES, which are listed in the NPI final rule (69 FR 3457 through 3460). As a result of this review, HHS believes that Social Security Numbers (SSNs), Internal Revenue Service Individual Taxpayer Identification Numbers (IRS ITINs), and dates of birth (DOB) are not disclosable under FOIA and, therefore, HHS will not release these three data elements to the public, which includes HIPAA covered entities. This decision supports HHS and CMS efforts to prevent or minimize fraud and abuse in the Medicare and Medicaid programs and in the health care industry in general. HHS has determined that the remaining health care provider data elements contained in the NPPES, which are listed in the table below, are required to be disclosed under the FOIA. HHS believes that the data elements in the table below are sufficient to enable HIPAA covered entities to match health care provider records in NPPES with the health care providers for whom they have data. Anyone may request NPIs and other NPPES health care provider data from HHS under the FOIA. The NPPES data elements that HHS has determined are required to be disclosed under the FOIA are listed below. They are defined in the NPI final rule. NPPES HEALTH CARE PROVIDER DATA THAT MAY BE DISCLOSED UNDER FOIA sroberts on PROD1PC70 with NOTICES For health care providers who are individuals For health care providers who are organizations NPI (This is the provider’s NPI. If the provider has had an NPI replaced, this will be the same NPI as the Replacement NPI.). Entity Type Code: 1=Individual ....................................................................................... Replacement NPI (This is the provider’s NPI if the provider has been assigned a Replacement NPI. If the provider has never been assigned a Replacement NPI, this data element will be blank.). NPI (This is the provider’s NPI. If the provider has had an NPI replaced, this will be the same NPI as the Replacement NPI.) Entity Type Code: 2=Organization Replacement NPI (This is the provider’s NPI if the provider has been assigned a Replacement NPI. If the provider has never been assigned a Replacement NPI, this data element will be blank.) Employer Identification Number (EIN). Provider Organization Name (Legal Business Name). Provider Last Name (Legal Name) .......................................................... Provider First Name VerDate Aug<31>2005 19:13 May 29, 2007 Jkt 211001 PO 00000 Frm 00071 Fmt 4703 Sfmt 4703 E:\FR\FM\30MYN1.SGM 30MYN1 Federal Register / Vol. 72, No. 103 / Wednesday, May 30, 2007 / Notices 30013 NPPES HEALTH CARE PROVIDER DATA THAT MAY BE DISCLOSED UNDER FOIA—Continued For health care providers who are organizations For health care providers who are individuals Provider Middle Name Provider Other Last Name ....................................................................... Provider Other Last Name Type Code: 1=Former Name ................................................................................ 2=Professional name ......................................................................... 5=Other .............................................................................................. Provider Other First Name Provider Other Middle Name Provider Name Prefix Text Provider Name Suffix Text Provider Credential Text Provider First Line Business Mailing Address ......................................... Provider Second Line Business Mailing Address .................................... Provider Business Mailing Address City Name ....................................... Provider Business Mailing Address State Name ..................................... Provider Business Mailing Address Postal Code ..................................... Provider Business Mailing Address Country Code (If outside U.S.) ....... Provider Business Mailing Address Telephone Number ......................... Provider Business Mailing Address Fax Number .................................... Provider First Line Business Location Address ....................................... Provider Second Line Business Location Address .................................. Provider Business Location Address City Name ..................................... Provider Business Location Address State Name ................................... Provider Business Location Address Postal Code .................................. Provider Business Location Address Country Code (If outside U.S.) ..... Provider Business Location Address Telephone Number ....................... Provider Business Location Address Fax Number .................................. Healthcare Provider Taxonomy Code (Primary Taxonomy required; up to 15 may be reported). Other Provider Identifier ........................................................................... Other Provider Identifier Type Code ........................................................ Provider Enumeration Date ...................................................................... Last Update Date ..................................................................................... NPI Deactivation Reason Code ............................................................... NPI Deactivation Date .............................................................................. NPI Reactivation Date .............................................................................. Provider Gender Code Provider License Number Provider License Number State Code Provider Other Organization Name. Provider Other Organization Name Type Code: 3=Doing Business As Name. 4=Former Legal Business Name. 5=Other. Provider First Line Business Mailing Address. Provider Second Line Business Mailing Address. Provider Business Mailing Address City Name. Provider Business Mailing Address State Name. Provider Business Mailing Address Postal Code. Provider Business Mailing Address Country Code (If outside U.S.). Provider Business Mailing Address Telephone Number. Provider Business Mailing Address Fax Number. Provider First Line Business Location Address. Provider Second Line Business Location Address. Provider Business Location Address City Name. Provider Business Location Address State Name. Provider Business Location Address Postal Code. Provider Business Location Address Country Code (If outside U.S.). Provider Business Location Address Telephone Number. Provider Business Location Address Fax Number. Healthcare Provider Taxonomy Code (Primary Taxonomy required; up to 15 may be reported). Other Provider Identifier. Other Provider Identifier Type Code. Provider Enumeration Date. Last Update Date. NPI Deactivation Reason Code. NPI Deactivation Date. NPI Reactivation Date. sroberts on PROD1PC70 with NOTICES Authorized Authorized Authorized Authorized Authorized We anticipate an extraordinary demand from the health care industry for FOIA-disclosable NPPES health care provider data. Because the health care industry needs these data in order to develop linkages between legacy identifiers and NPIs that will be necessary in order to implement the NPI as required by regulation, and because health care providers need to know the NPIs of other health care providers in order to submit HIPAA-compliant health care claims transactions, there is an extreme urgency for HHS to make these data available. In order to efficiently respond, HHS will make NPPES health care provider data available on the Internet. Internet availability eliminates the need for entities to submit initial and ongoing requests for data to HHS and for HHS VerDate Aug<31>2005 19:13 May 29, 2007 Jkt 211001 Official Official Official Official Official Last Name. First Name. Middle Name. Title or Position. Telephone Number. to process and respond to each of those requests. We believe that making these data available on the Internet is the most efficient and effective means of dissemination. HHS will make the FOIA-disclosable NPPES health care provider data available in downloadable files and in a query-only database, as described below in items 1 and 2, respectively. Upon publication of this notice, HHS will announce the Internet locations of the downloadable files and the query-only database on the CMS NPI Web page (https://www.cms.hhs.gov/ NationalProvIdentStand/). At the same time, CMS will communicate that information in its provider listservs and to its business partners and other health care industry associations with whom PO 00000 Frm 00072 Fmt 4703 Sfmt 4703 CMS works on issues related to NPI implementation. The initial downloadable file and the query-only database will be available 30 days after the publication date of this notice. We remind health care providers who are covered entities under HIPAA that they are required by the NPI final rule to update their NPPES data within 30 days of the changes, and we encourage other health care providers who have been assigned NPIs to do the same. Further, prior to CMS’’ disclosure of NPPES health care provider data, we encourage health care providers who have been assigned NPIs to check the information in their NPPES records to ensure it is current. Some health care providers may wish to delete optional NPPES data that they furnished when applying for their NPIs since the E:\FR\FM\30MYN1.SGM 30MYN1 sroberts on PROD1PC70 with NOTICES 30014 Federal Register / Vol. 72, No. 103 / Wednesday, May 30, 2007 / Notices information provided in these optional fields is not required. For example, the data contained in the ‘‘Other Names’’ and ‘‘Other Provider Identifiers’’ data fields are optional. Further, a primary ‘‘Healthcare Provider Taxonomy Code’’ is required to be furnished when applying for an NPI; however, the reporting of additional ‘‘Healthcare Provider Taxonomy Codes’’ (a total of 15 may be reported) is optional. The HHS NPPES data dissemination policy is as follows: 1. NPPES health care provider data that are required to be disclosed under the FOIA will be available as a downloadable file on a Web site. Section 552(a)(2)(D) of the FOIA requires agencies to make available by electronic means copies of records which have been released to any person under the FOIA and which, because of the nature of their subject matter, the agency determines have become or are likely to become the subject of subsequent requests for substantially the same records. We believe that the demand for NPPES health care provider data will be such that it will justify our making NPPES health care provider data that are required to be disclosed under the FOIA available for download by the public from an Internet Web site. The location of the downloadable file will be announced on the CMS NPI Web page (https://www.cms.hhs.gov/ NationalProvIdentStand/) prior to its availability. Each month, an update file will also be available for download from the same Web site. The update file will not replace the initial file: The update file will contain only (1) data that are required to be disclosed under FOIA for health care providers who obtained NPIs within the prior month, and (2) updates and changes to the data that are required to be disclosed under the FOIA for enumerated health care providers that were made within the prior month. The first update file will be available for downloading 30 days after the availability of the initial file, and a new update file will be available for downloading each month thereafter. There will be no charge to download the files. We may decide to discontinue making these files available if we determine that the query-only database described in (2) below is an adequate replacement. The NPPES data elements that HHS has determined are required to be disclosed under FOIA and will be contained in the downloadable files are listed in the table above. 2. NPPES health care provider data that HHS has determined are required to be disclosed under FOIA will be VerDate Aug<31>2005 19:13 May 29, 2007 Jkt 211001 available in a query-only database on an Paperwork Reduction Act of 1995 (44 Internet Web site. U.S.C. 3501 et seq.). Section 552(a)(2)(D) of the FOIA Authority: Sections 1171 through 1179 of requires agencies to make available by the Social Security Act (42 U.S.C. 1320d– electronic means copies of records 1320d–8), as added by section 262 of Pub. L. which have been released to any person 104–191. 42 CFR 162, Subpart D. (Catalog of Federal Domestic Assistance Program, No. under the FOIA and which, because of 93.773, Medicare—Hospital Insurance the nature of their subject matter, the Program; and No. 93.774, Medicare— agency determines have become or are Supplementary Medical Insurance Program) likely to become the subject of Dated: August 30, 2005. subsequent requests for substantially the same records. Mark B. McClellan, We believe that the demand for Administrator, Centers for Medicare & NPPES health care provider data will be Medicaid Services. such that it will justify our making a Dated: February 22, 2007. query-only database containing NPPES Michael O. Leavitt health care provider data that are required to be disclosed under the FOIA Secretary, Department of Health and Human Services. available to the public on an Internet [FR Doc. 07–2651 Filed 5–23–07; 4:12 pm] Web site. Users will be able to run BILLING CODE 4120–01–P simple queries online, such as queries by NPI and by name of health care provider. DEPARTMENT OF HEALTH AND There will be no charge to use the HUMAN SERVICES query-only database. The NPPES data elements that HHS Food and Drug Administration has determined are required to be disclosed under FOIA and will be [Docket No. 2007N–0208] available from the query-only database Interim Melamine and Melamine are listed in the table above. Analogues Safety/Risk Assessment; 3. Other requests for NPPES health Availability care provider data that HHS has determined are required to be disclosed AGENCY: Food and Drug Administration, under the FOIA. HHS Requests for FOIA-disclosable data in ACTION: Notice. formats or in media that are not described above, or any other custom SUMMARY: The Food and Drug requests, will be considered in Administration (FDA) is announcing the accordance with the FOIA and CMS availability of a document entitled, FOIA procedures and charges (see ‘‘Interim Melamine and Melamine https://www.cms.hhs.gov/AboutWebsite/ Analogues Safety/Risk Assessment.’’ 04_FOIA.asp). For example, these could The interim safety/risk assessment be requests for FOIA-disclosable data for describes the risk to human health specific health care providers, or for associated with eating pork, chicken, health care providers in certain States or fish, and eggs from animals that were with certain Healthcare Provider inadvertently fed animal feed that Taxonomy Codes, or requests for FOIAcontained melamine and its analogues disclosable data on CD, diskette, or (cyanuric acid, ammelide and paper. These requests must be described ammeline). FDA is seeking public in detail and be submitted to the comment on the interim safety/risk following address: Centers for Medicare assessment to assist the agency and the & Medicaid Services, Office of Strategic Food Safety and Inspection Service Operations and Regulatory Affairs, (FSIS) at the U. S. Department of Freedom of Information Group, Room Agriculture (USDA) in the ongoing N2–20–16, 7500 Security Boulevard, investigation of contaminated vegetable Baltimore, Maryland 21244–1850. protein products imported from China Requests may be sent by fax to (410) that were mislabeled as ‘‘wheat gluten’’ 786–0474. We will not acknowledge, and ‘‘rice protein concentrate,’’ and respond to, or honor requests that are ensuring the safety of the U.S. food made by telephone. supply. III. Collection of Information DATES: Comments on the interim safety/ Requirements risk assessment must be submitted by June 29, 2007. This document does not impose information collection and ADDRESSES: Submit written comments recordkeeping requirements. to the Division of Dockets Management Consequently, it need not be reviewed (HFA–305), Food and Drug by the Office of Management and Administration, 5630 Fishers Lane, rm. Budget under the authority of the 1061, Rockville, MD 20852. Submit PO 00000 Frm 00073 Fmt 4703 Sfmt 4703 E:\FR\FM\30MYN1.SGM 30MYN1

Agencies

[Federal Register Volume 72, Number 103 (Wednesday, May 30, 2007)]
[Notices]
[Pages 30011-30014]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 07-2651]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

[CMS-6060-N]
RIN 0938-AN71


HIPAA Administrative Simplification: National Plan and Provider 
Enumeration System Data Dissemination

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice establishes the data that are available from the 
National Plan and Provider Enumeration System (NPPES). In addition, 
this notice addresses who may have access to the data or may receive 
data from the system, the processes for requesting and receiving data, 
and the conditions under which data may be disclosed.

FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.

SUPPLEMENTARY INFORMATION:

I. Background

A. Legislative and Regulatory Background

    The Administrative Simplification provisions of the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA) required 
the Secretary of Health and Human Services (HHS) to adopt a standard 
unique health identifier for health care providers. On January 23, 
2004, HHS published a final rule in the Federal Register that adopted 
the National Provider Identifier (NPI) as the standard unique health 
identifier for health care providers (69 FR 3434). The NPI final rule 
established the National Provider System (NPS) and requires, among 
other things, that the NPS disseminate data in response to approved 
requests. The NPI final rule stated that we would publish a notice in 
the Federal Register describing our data dissemination strategy and the 
process by which we would carry it out (69 FR 3456). Therefore, we are 
publishing this notice.

B. Operational and System Background

    On July 28, 1998, in accordance with the Privacy Act of 1974, we 
published, in the Federal Register, a System of Records (SOR) notice 
for the National Provider System (NPS) (63 FR 40297). The NPS is the 
system, as described in the NPI final rule, that will be used to 
enumerate health care providers and house the information provided on 
health care providers' applications for NPIs. The NPS is now contained 
within the National Plan and Provider Enumeration System (NPPES). We 
are in the process of revising the Privacy Act SOR notice and will soon 
publish an updated SOR notice. The updated SOR notice will reflect the 
change from NPS to NPPES and will incorporate other changes 
necessitated by organizational and name changes and information 
contained in the NPI final rule. The updated SOR notice will also 
contain language that will clarify its consistency with the data 
dissemination policy described in this notice. (The existing SOR 
notice, although it is being revised, supports the data dissemination 
policy described in this notice.) The NPPES enumerates health care 
providers and houses their NPIs and information from their NPI 
applications/updates. The NPPES also would be capable of enumerating 
health plans and housing their standard unique health identifiers and 
information from their health plan identifier applications/updates once 
a standard unique health identifier for health plans has been adopted.
    Covered entities under HIPAA are required to use NPIs to identify 
health care providers in standard transactions beginning no later than 
May 23, 2007 (small health plans have until May 23, 2008). (See the 
Standards for Electronic Transactions and Code Sets final rule 
published on August 17, 2000 (65 FR 50312), the Modifications to the 
Electronic Transaction and Code Sets final rule published on February 
20, 2003 (68 FR 8381), and the NPI final rule published on January 23, 
2004 (69 FR 3434)). Covered entities include health plans, health care 
clearinghouses, and those health care providers who transmit any health 
information in electronic form in connection with a transaction for 
which the Secretary has adopted a standard.
    The NPPES uniquely identifies health care providers by the use of 
an

[[Page 30012]]

application process and assigns them their NPIs. The NPPES creates a 
record for each health care provider to whom it assigns an NPI. The 
records are updated when health care providers furnish updates to the 
NPPES.
    Health care providers are categorized by the NPPES as two types: 
Individuals, such as physicians; and organizations, such as hospitals.
    A health care provider may apply for an NPI in one of three ways: 
(1) By completing form CMS-10114 (NPI Application/Update Form) and 
mailing it to the NPI Enumerator; (2) by applying online at https://
NPPES.cms.hhs.gov/; or (3) by having an approved organization submit 
its NPI application data, along with the NPI application data of many 
other health care providers, to the NPPES in an electronic format 
defined by HHS. (The NPI Application/Update Form, CMS-10114, is 
approved under the Paperwork Reduction Act as OMB No. 0938-0931 with an 
expiration date of February 29, 2008.)
    Health care providers who apply online have electronic access to 
the information in their own NPPES records by using user identifiers 
and passwords they select. This access allows those health care 
providers to submit updates to their NPPES data electronically via the 
Web.
    Health care providers who apply on the paper form may update their 
NPPES data electronically by using user identifiers and passwords they 
select. However, health care providers who are individuals and who 
submit paper applications but did not furnish SSNs in their 
applications must update their NPPES data by using the paper NPI 
Application/Update Form.
    A health care provider may have its NPI application data submitted 
by a HHS-approved organization if the organization offers this service 
and the health care provider gives permission for the NPI application 
data to be submitted by the organization. An organization, once it is 
approved to do so, submits to the NPPES the health care provider's NPI 
application data, along with the NPI application data of many other 
health care providers who have also agreed to this service. The NPI 
application data are submitted to the NPPES for enumeration 
electronically in a format defined by HHS. The NPPES processes the NPI 
application data and makes available to the organization the NPIs that 
were assigned to the health care providers. If NPIs were not assigned 
to all of the health care providers, HHS indicates to the organization 
why NPIs were not assigned. This process is known as electronic file 
interchange (EFI) for bulk enumeration. Information about EFI can be 
found at https://www.cms.hhs.gov/NationalProvIdentStand/. Health care 
providers who are assigned NPIs via this process may update their own 
NPPES data electronically via the Web using user identifiers and 
passwords they select. The approved organizations may offer to submit 
updates to the health care providers' NPPES data on behalf of the 
health care providers, and may do so if the health care providers 
agree. The updates are sent to the NPPES in an electronic format 
defined by HHS. Information on the format of EFI files is available at 
https://NPPES.cms.hhs.gov. The EFI process became available on May 1, 
2006.

II. How to Obtain NPI(s) and Other NPPES Data of Enumerated Health Care 
Providers

A. Request the NPIs From the Health Care Providers

    Entities wishing to obtain the NPI of a health care provider for 
use in a standard transaction(s) may contact that health care provider 
directly and request the NPI. Health care providers who are covered 
entities under HIPAA (known as ``covered health care providers'') are 
required by the NPI final rule to disclose their NPIs to any entity 
that needs them for use in standard transactions (45 CFR 
162.410(a)(3)). Covered organization health care providers that have 
subparts that have been assigned NPIs must ensure that those subparts 
disclose their NPIs as well (45 CFR 162.410(a)(6)). Because the NPI was 
adopted for use in standard transactions, enumerated health care 
providers who are not covered health care providers are expected, but 
not required, to disclose their NPIs, upon request, to any entity that 
needs them for use in standard transactions.

B. Request the NPIs and Other NPPES Health Care Provider Data From HHS

    In accordance with the Freedom of Information Act (FOIA), the 
Privacy Act, and the CMS FOIA and Privacy Act procedures, HHS has 
reviewed the health care provider data elements contained in the NPPES, 
which are listed in the NPI final rule (69 FR 3457 through 3460). As a 
result of this review, HHS believes that Social Security Numbers 
(SSNs), Internal Revenue Service Individual Taxpayer Identification 
Numbers (IRS ITINs), and dates of birth (DOB) are not disclosable under 
FOIA and, therefore, HHS will not release these three data elements to 
the public, which includes HIPAA covered entities. This decision 
supports HHS and CMS efforts to prevent or minimize fraud and abuse in 
the Medicare and Medicaid programs and in the health care industry in 
general. HHS has determined that the remaining health care provider 
data elements contained in the NPPES, which are listed in the table 
below, are required to be disclosed under the FOIA. HHS believes that 
the data elements in the table below are sufficient to enable HIPAA 
covered entities to match health care provider records in NPPES with 
the health care providers for whom they have data.
    Anyone may request NPIs and other NPPES health care provider data 
from HHS under the FOIA.
    The NPPES data elements that HHS has determined are required to be 
disclosed under the FOIA are listed below. They are defined in the NPI 
final rule.

    NPPES Health Care Provider Data That May Be Disclosed Under FOIA
------------------------------------------------------------------------
   For health care providers who are      For health care providers who
              individuals                       are  organizations
------------------------------------------------------------------------
NPI (This is the provider's NPI. If the  NPI (This is the provider's
 provider has had an NPI replaced, this   NPI. If the provider has had
 will be the same NPI as the              an NPI replaced, this will be
 Replacement NPI.).                       the same NPI as the
                                          Replacement NPI.)
Entity Type Code:                        Entity Type Code:
    1=Individual.......................     2=Organization
Replacement NPI (This is the provider's  Replacement NPI (This is the
 NPI if the provider has been assigned    provider's NPI if the provider
 a Replacement NPI. If the provider has   has been assigned a
 never been assigned a Replacement NPI,   Replacement NPI. If the
 this data element will be blank.).       provider has never been
                                          assigned a Replacement NPI,
                                          this data element will be
                                          blank.)
                                         Employer Identification Number
                                          (EIN).
Provider Last Name (Legal Name)........  Provider Organization Name
                                          (Legal Business Name).
Provider First Name

[[Page 30013]]

 
Provider Middle Name
Provider Other Last Name...............  Provider Other Organization
                                          Name.
Provider Other Last Name Type Code:      Provider Other Organization
                                          Name Type Code:
    1=Former Name......................     3=Doing Business As Name.
    2=Professional name................     4=Former Legal Business
                                             Name.
    5=Other............................     5=Other.
Provider Other First Name
Provider Other Middle Name
Provider Name Prefix Text
Provider Name Suffix Text
Provider Credential Text
Provider First Line Business Mailing     Provider First Line Business
 Address.                                 Mailing Address.
Provider Second Line Business Mailing    Provider Second Line Business
 Address.                                 Mailing Address.
Provider Business Mailing Address City   Provider Business Mailing
 Name.                                    Address City Name.
Provider Business Mailing Address State  Provider Business Mailing
 Name.                                    Address State Name.
Provider Business Mailing Address        Provider Business Mailing
 Postal Code.                             Address Postal Code.
Provider Business Mailing Address        Provider Business Mailing
 Country Code (If outside U.S.).          Address Country Code (If
                                          outside U.S.).
Provider Business Mailing Address        Provider Business Mailing
 Telephone Number.                        Address Telephone Number.
Provider Business Mailing Address Fax    Provider Business Mailing
 Number.                                  Address Fax Number.
Provider First Line Business Location    Provider First Line Business
 Address.                                 Location Address.
Provider Second Line Business Location   Provider Second Line Business
 Address.                                 Location Address.
Provider Business Location Address City  Provider Business Location
 Name.                                    Address City Name.
Provider Business Location Address       Provider Business Location
 State Name.                              Address State Name.
Provider Business Location Address       Provider Business Location
 Postal Code.                             Address Postal Code.
Provider Business Location Address       Provider Business Location
 Country Code (If outside U.S.).          Address Country Code (If
                                          outside U.S.).
Provider Business Location Address       Provider Business Location
 Telephone Number.                        Address Telephone Number.
Provider Business Location Address Fax   Provider Business Location
 Number.                                  Address Fax Number.
Healthcare Provider Taxonomy Code        Healthcare Provider Taxonomy
 (Primary Taxonomy required; up to 15     Code (Primary Taxonomy
 may be reported).                        required; up to 15 may be
                                          reported).
Other Provider Identifier..............  Other Provider Identifier.
Other Provider Identifier Type Code....  Other Provider Identifier Type
                                          Code.
Provider Enumeration Date..............  Provider Enumeration Date.
Last Update Date.......................  Last Update Date.
NPI Deactivation Reason Code...........  NPI Deactivation Reason Code.
NPI Deactivation Date..................  NPI Deactivation Date.
NPI Reactivation Date..................  NPI Reactivation Date.
Provider Gender Code
Provider License Number
Provider License Number State Code
                                         Authorized Official Last Name.
                                         Authorized Official First Name.
                                         Authorized Official Middle
                                          Name.
                                         Authorized Official Title or
                                          Position.
                                         Authorized Official Telephone
                                          Number.
------------------------------------------------------------------------

    We anticipate an extraordinary demand from the health care industry 
for FOIA-disclosable NPPES health care provider data. Because the 
health care industry needs these data in order to develop linkages 
between legacy identifiers and NPIs that will be necessary in order to 
implement the NPI as required by regulation, and because health care 
providers need to know the NPIs of other health care providers in order 
to submit HIPAA-compliant health care claims transactions, there is an 
extreme urgency for HHS to make these data available. In order to 
efficiently respond, HHS will make NPPES health care provider data 
available on the Internet. Internet availability eliminates the need 
for entities to submit initial and ongoing requests for data to HHS and 
for HHS to process and respond to each of those requests. We believe 
that making these data available on the Internet is the most efficient 
and effective means of dissemination.
    HHS will make the FOIA-disclosable NPPES health care provider data 
available in downloadable files and in a query-only database, as 
described below in items 1 and 2, respectively. Upon publication of 
this notice, HHS will announce the Internet locations of the 
downloadable files and the query-only database on the CMS NPI Web page 
(https://www.cms.hhs.gov/NationalProvIdentStand/). At the same time, CMS 
will communicate that information in its provider listservs and to its 
business partners and other health care industry associations with whom 
CMS works on issues related to NPI implementation.
    The initial downloadable file and the query-only database will be 
available 30 days after the publication date of this notice.
    We remind health care providers who are covered entities under 
HIPAA that they are required by the NPI final rule to update their 
NPPES data within 30 days of the changes, and we encourage other health 
care providers who have been assigned NPIs to do the same. Further, 
prior to CMS'' disclosure of NPPES health care provider data, we 
encourage health care providers who have been assigned NPIs to check 
the information in their NPPES records to ensure it is current. Some 
health care providers may wish to delete optional NPPES data that they 
furnished when applying for their NPIs since the

[[Page 30014]]

information provided in these optional fields is not required. For 
example, the data contained in the ``Other Names'' and ``Other Provider 
Identifiers'' data fields are optional. Further, a primary ``Healthcare 
Provider Taxonomy Code'' is required to be furnished when applying for 
an NPI; however, the reporting of additional ``Healthcare Provider 
Taxonomy Codes'' (a total of 15 may be reported) is optional.
    The HHS NPPES data dissemination policy is as follows:
    1. NPPES health care provider data that are required to be 
disclosed under the FOIA will be available as a downloadable file on a 
Web site.
    Section 552(a)(2)(D) of the FOIA requires agencies to make 
available by electronic means copies of records which have been 
released to any person under the FOIA and which, because of the nature 
of their subject matter, the agency determines have become or are 
likely to become the subject of subsequent requests for substantially 
the same records. We believe that the demand for NPPES health care 
provider data will be such that it will justify our making NPPES health 
care provider data that are required to be disclosed under the FOIA 
available for download by the public from an Internet Web site. The 
location of the downloadable file will be announced on the CMS NPI Web 
page (https://www.cms.hhs.gov/NationalProvIdentStand/) prior to its 
availability. Each month, an update file will also be available for 
download from the same Web site. The update file will not replace the 
initial file: The update file will contain only (1) data that are 
required to be disclosed under FOIA for health care providers who 
obtained NPIs within the prior month, and (2) updates and changes to 
the data that are required to be disclosed under the FOIA for 
enumerated health care providers that were made within the prior month. 
The first update file will be available for downloading 30 days after 
the availability of the initial file, and a new update file will be 
available for downloading each month thereafter.
    There will be no charge to download the files.
    We may decide to discontinue making these files available if we 
determine that the query-only database described in (2) below is an 
adequate replacement.
    The NPPES data elements that HHS has determined are required to be 
disclosed under FOIA and will be contained in the downloadable files 
are listed in the table above.
    2. NPPES health care provider data that HHS has determined are 
required to be disclosed under FOIA will be available in a query-only 
database on an Internet Web site.
    Section 552(a)(2)(D) of the FOIA requires agencies to make 
available by electronic means copies of records which have been 
released to any person under the FOIA and which, because of the nature 
of their subject matter, the agency determines have become or are 
likely to become the subject of subsequent requests for substantially 
the same records.
    We believe that the demand for NPPES health care provider data will 
be such that it will justify our making a query-only database 
containing NPPES health care provider data that are required to be 
disclosed under the FOIA available to the public on an Internet Web 
site. Users will be able to run simple queries online, such as queries 
by NPI and by name of health care provider.
    There will be no charge to use the query-only database.
    The NPPES data elements that HHS has determined are required to be 
disclosed under FOIA and will be available from the query-only database 
are listed in the table above.
    3. Other requests for NPPES health care provider data that HHS has 
determined are required to be disclosed under the FOIA.
    Requests for FOIA-disclosable data in formats or in media that are 
not described above, or any other custom requests, will be considered 
in accordance with the FOIA and CMS FOIA procedures and charges (see 
https://www.cms.hhs.gov/AboutWebsite/04_FOIA.asp). For example, these 
could be requests for FOIA-disclosable data for specific health care 
providers, or for health care providers in certain States or with 
certain Healthcare Provider Taxonomy Codes, or requests for FOIA-
disclosable data on CD, diskette, or paper. These requests must be 
described in detail and be submitted to the following address: Centers 
for Medicare & Medicaid Services, Office of Strategic Operations and 
Regulatory Affairs, Freedom of Information Group, Room N2-20-16, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850.
    Requests may be sent by fax to (410) 786-0474. We will not 
acknowledge, respond to, or honor requests that are made by telephone.

III. Collection of Information Requirements

    This document does not impose information collection and 
recordkeeping requirements. Consequently, it need not be reviewed by 
the Office of Management and Budget under the authority of the 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

    Authority: Sections 1171 through 1179 of the Social Security Act 
(42 U.S.C. 1320d-1320d-8), as added by section 262 of Pub. L. 104-
191. 42 CFR 162, Subpart D. (Catalog of Federal Domestic Assistance 
Program, No. 93.773, Medicare--Hospital Insurance Program; and No. 
93.774, Medicare--Supplementary Medical Insurance Program)

    Dated: August 30, 2005.
Mark B. McClellan,
Administrator, Centers for Medicare & Medicaid Services.

    Dated: February 22, 2007.
Michael O. Leavitt
Secretary, Department of Health and Human Services.
[FR Doc. 07-2651 Filed 5-23-07; 4:12 pm]
BILLING CODE 4120-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.