HIPAA Administrative Simplification: National Plan and Provider Enumeration System Data Dissemination, 30011-30014 [07-2651]

Agencies

• Centers for Medicare & Medicaid Services
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 72, Number 103 (Wednesday, May 30, 2007)]
[Notices]
[Pages 30011-30014]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 07-2651]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

[CMS-6060-N]
RIN 0938-AN71


HIPAA Administrative Simplification: National Plan and Provider 
Enumeration System Data Dissemination

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice establishes the data that are available from the 
National Plan and Provider Enumeration System (NPPES). In addition, 
this notice addresses who may have access to the data or may receive 
data from the system, the processes for requesting and receiving data, 
and the conditions under which data may be disclosed.

FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.

SUPPLEMENTARY INFORMATION:

I. Background

A. Legislative and Regulatory Background

    The Administrative Simplification provisions of the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA) required 
the Secretary of Health and Human Services (HHS) to adopt a standard 
unique health identifier for health care providers. On January 23, 
2004, HHS published a final rule in the Federal Register that adopted 
the National Provider Identifier (NPI) as the standard unique health 
identifier for health care providers (69 FR 3434). The NPI final rule 
established the National Provider System (NPS) and requires, among 
other things, that the NPS disseminate data in response to approved 
requests. The NPI final rule stated that we would publish a notice in 
the Federal Register describing our data dissemination strategy and the 
process by which we would carry it out (69 FR 3456). Therefore, we are 
publishing this notice.

B. Operational and System Background

    On July 28, 1998, in accordance with the Privacy Act of 1974, we 
published, in the Federal Register, a System of Records (SOR) notice 
for the National Provider System (NPS) (63 FR 40297). The NPS is the 
system, as described in the NPI final rule, that will be used to 
enumerate health care providers and house the information provided on 
health care providers' applications for NPIs. The NPS is now contained 
within the National Plan and Provider Enumeration System (NPPES). We 
are in the process of revising the Privacy Act SOR notice and will soon 
publish an updated SOR notice. The updated SOR notice will reflect the 
change from NPS to NPPES and will incorporate other changes 
necessitated by organizational and name changes and information 
contained in the NPI final rule. The updated SOR notice will also 
contain language that will clarify its consistency with the data 
dissemination policy described in this notice. (The existing SOR 
notice, although it is being revised, supports the data dissemination 
policy described in this notice.) The NPPES enumerates health care 
providers and houses their NPIs and information from their NPI 
applications/updates. The NPPES also would be capable of enumerating 
health plans and housing their standard unique health identifiers and 
information from their health plan identifier applications/updates once 
a standard unique health identifier for health plans has been adopted.
    Covered entities under HIPAA are required to use NPIs to identify 
health care providers in standard transactions beginning no later than 
May 23, 2007 (small health plans have until May 23, 2008). (See the 
Standards for Electronic Transactions and Code Sets final rule 
published on August 17, 2000 (65 FR 50312), the Modifications to the 
Electronic Transaction and Code Sets final rule published on February 
20, 2003 (68 FR 8381), and the NPI final rule published on January 23, 
2004 (69 FR 3434)). Covered entities include health plans, health care 
clearinghouses, and those health care providers who transmit any health 
information in electronic form in connection with a transaction for 
which the Secretary has adopted a standard.
    The NPPES uniquely identifies health care providers by the use of 
an

[[Page 30012]]

application process and assigns them their NPIs. The NPPES creates a 
record for each health care provider to whom it assigns an NPI. The 
records are updated when health care providers furnish updates to the 
NPPES.
    Health care providers are categorized by the NPPES as two types: 
Individuals, such as physicians; and organizations, such as hospitals.
    A health care provider may apply for an NPI in one of three ways: 
(1) By completing form CMS-10114 (NPI Application/Update Form) and 
mailing it to the NPI Enumerator; (2) by applying online at https://
NPPES.cms.hhs.gov/; or (3) by having an approved organization submit 
its NPI application data, along with the NPI application data of many 
other health care providers, to the NPPES in an electronic format 
defined by HHS. (The NPI Application/Update Form, CMS-10114, is 
approved under the Paperwork Reduction Act as OMB No. 0938-0931 with an 
expiration date of February 29, 2008.)
    Health care providers who apply online have electronic access to 
the information in their own NPPES records by using user identifiers 
and passwords they select. This access allows those health care 
providers to submit updates to their NPPES data electronically via the 
Web.
    Health care providers who apply on the paper form may update their 
NPPES data electronically by using user identifiers and passwords they 
select. However, health care providers who are individuals and who 
submit paper applications but did not furnish SSNs in their 
applications must update their NPPES data by using the paper NPI 
Application/Update Form.
    A health care provider may have its NPI application data submitted 
by a HHS-approved organization if the organization offers this service 
and the health care provider gives permission for the NPI application 
data to be submitted by the organization. An organization, once it is 
approved to do so, submits to the NPPES the health care provider's NPI 
application data, along with the NPI application data of many other 
health care providers who have also agreed to this service. The NPI 
application data are submitted to the NPPES for enumeration 
electronically in a format defined by HHS. The NPPES processes the NPI 
application data and makes available to the organization the NPIs that 
were assigned to the health care providers. If NPIs were not assigned 
to all of the health care providers, HHS indicates to the organization 
why NPIs were not assigned. This process is known as electronic file 
interchange (EFI) for bulk enumeration. Information about EFI can be 
found at https://www.cms.hhs.gov/NationalProvIdentStand/. Health care 
providers who are assigned NPIs via this process may update their own 
NPPES data electronically via the Web using user identifiers and 
passwords they select. The approved organizations may offer to submit 
updates to the health care providers' NPPES data on behalf of the 
health care providers, and may do so if the health care providers 
agree. The updates are sent to the NPPES in an electronic format 
defined by HHS. Information on the format of EFI files is available at 
https://NPPES.cms.hhs.gov. The EFI process became available on May 1, 
2006.

II. How to Obtain NPI(s) and Other NPPES Data of Enumerated Health Care 
Providers

A. Request the NPIs From the Health Care Providers

    Entities wishing to obtain the NPI of a health care provider for 
use in a standard transaction(s) may contact that health care provider 
directly and request the NPI. Health care providers who are covered 
entities under HIPAA (known as ``covered health care providers'') are 
required by the NPI final rule to disclose their NPIs to any entity 
that needs them for use in standard transactions (45 CFR 
162.410(a)(3)). Covered organization health care providers that have 
subparts that have been assigned NPIs must ensure that those subparts 
disclose their NPIs as well (45 CFR 162.410(a)(6)). Because the NPI was 
adopted for use in standard transactions, enumerated health care 
providers who are not covered health care providers are expected, but 
not required, to disclose their NPIs, upon request, to any entity that 
needs them for use in standard transactions.

B. Request the NPIs and Other NPPES Health Care Provider Data From HHS

    In accordance with the Freedom of Information Act (FOIA), the 
Privacy Act, and the CMS FOIA and Privacy Act procedures, HHS has 
reviewed the health care provider data elements contained in the NPPES, 
which are listed in the NPI final rule (69 FR 3457 through 3460). As a 
result of this review, HHS believes that Social Security Numbers 
(SSNs), Internal Revenue Service Individual Taxpayer Identification 
Numbers (IRS ITINs), and dates of birth (DOB) are not disclosable under 
FOIA and, therefore, HHS will not release these three data elements to 
the public, which includes HIPAA covered entities. This decision 
supports HHS and CMS efforts to prevent or minimize fraud and abuse in 
the Medicare and Medicaid programs and in the health care industry in 
general. HHS has determined that the remaining health care provider 
data elements contained in the NPPES, which are listed in the table 
below, are required to be disclosed under the FOIA. HHS believes that 
the data elements in the table below are sufficient to enable HIPAA 
covered entities to match health care provider records in NPPES with 
the health care providers for whom they have data.
    Anyone may request NPIs and other NPPES health care provider data 
from HHS under the FOIA.
    The NPPES data elements that HHS has determined are required to be 
disclosed under the FOIA are listed below. They are defined in the NPI 
final rule.

    NPPES Health Care Provider Data That May Be Disclosed Under FOIA
------------------------------------------------------------------------
   For health care providers who are      For health care providers who
              individuals                       are  organizations
------------------------------------------------------------------------
NPI (This is the provider's NPI. If the  NPI (This is the provider's
 provider has had an NPI replaced, this   NPI. If the provider has had
 will be the same NPI as the              an NPI replaced, this will be
 Replacement NPI.).                       the same NPI as the
                                          Replacement NPI.)
Entity Type Code:                        Entity Type Code:
    1=Individual.......................     2=Organization
Replacement NPI (This is the provider's  Replacement NPI (This is the
 NPI if the provider has been assigned    provider's NPI if the provider
 a Replacement NPI. If the provider has   has been assigned a
 never been assigned a Replacement NPI,   Replacement NPI. If the
 this data element will be blank.).       provider has never been
                                          assigned a Replacement NPI,
                                          this data element will be
                                          blank.)
                                         Employer Identification Number
                                          (EIN).
Provider Last Name (Legal Name)........  Provider Organization Name
                                          (Legal Business Name).
Provider First Name

[[Page 30013]]

 
Provider Middle Name
Provider Other Last Name...............  Provider Other Organization
                                          Name.
Provider Other Last Name Type Code:      Provider Other Organization
                                          Name Type Code:
    1=Former Name......................     3=Doing Business As Name.
    2=Professional name................     4=Former Legal Business
                                             Name.
    5=Other............................     5=Other.
Provider Other First Name
Provider Other Middle Name
Provider Name Prefix Text
Provider Name Suffix Text
Provider Credential Text
Provider First Line Business Mailing     Provider First Line Business
 Address.                                 Mailing Address.
Provider Second Line Business Mailing    Provider Second Line Business
 Address.                                 Mailing Address.
Provider Business Mailing Address City   Provider Business Mailing
 Name.                                    Address City Name.
Provider Business Mailing Address State  Provider Business Mailing
 Name.                                    Address State Name.
Provider Business Mailing Address        Provider Business Mailing
 Postal Code.                             Address Postal Code.
Provider Business Mailing Address        Provider Business Mailing
 Country Code (If outside U.S.).          Address Country Code (If
                                          outside U.S.).
Provider Business Mailing Address        Provider Business Mailing
 Telephone Number.                        Address Telephone Number.
Provider Business Mailing Address Fax    Provider Business Mailing
 Number.                                  Address Fax Number.
Provider First Line Business Location    Provider First Line Business
 Address.                                 Location Address.
Provider Second Line Business Location   Provider Second Line Business
 Address.                                 Location Address.
Provider Business Location Address City  Provider Business Location
 Name.                                    Address City Name.
Provider Business Location Address       Provider Business Location
 State Name.                              Address State Name.
Provider Business Location Address       Provider Business Location
 Postal Code.                             Address Postal Code.
Provider Business Location Address       Provider Business Location
 Country Code (If outside U.S.).          Address Country Code (If
                                          outside U.S.).
Provider Business Location Address       Provider Business Location
 Telephone Number.                        Address Telephone Number.
Provider Business Location Address Fax   Provider Business Location
 Number.                                  Address Fax Number.
Healthcare Provider Taxonomy Code        Healthcare Provider Taxonomy
 (Primary Taxonomy required; up to 15     Code (Primary Taxonomy
 may be reported).                        required; up to 15 may be
                                          reported).
Other Provider Identifier..............  Other Provider Identifier.
Other Provider Identifier Type Code....  Other Provider Identifier Type
                                          Code.
Provider Enumeration Date..............  Provider Enumeration Date.
Last Update Date.......................  Last Update Date.
NPI Deactivation Reason Code...........  NPI Deactivation Reason Code.
NPI Deactivation Date..................  NPI Deactivation Date.
NPI Reactivation Date..................  NPI Reactivation Date.
Provider Gender Code
Provider License Number
Provider License Number State Code
                                         Authorized Official Last Name.
                                         Authorized Official First Name.
                                         Authorized Official Middle
                                          Name.
                                         Authorized Official Title or
                                          Position.
                                         Authorized Official Telephone
                                          Number.
------------------------------------------------------------------------

    We anticipate an extraordinary demand from the health care industry 
for FOIA-disclosable NPPES health care provider data. Because the 
health care industry needs these data in order to develop linkages 
between legacy identifiers and NPIs that will be necessary in order to 
implement the NPI as required by regulation, and because health care 
providers need to know the NPIs of other health care providers in order 
to submit HIPAA-compliant health care claims transactions, there is an 
extreme urgency for HHS to make these data available. In order to 
efficiently respond, HHS will make NPPES health care provider data 
available on the Internet. Internet availability eliminates the need 
for entities to submit initial and ongoing requests for data to HHS and 
for HHS to process and respond to each of those requests. We believe 
that making these data available on the Internet is the most efficient 
and effective means of dissemination.
    HHS will make the FOIA-disclosable NPPES health care provider data 
available in downloadable files and in a query-only database, as 
described below in items 1 and 2, respectively. Upon publication of 
this notice, HHS will announce the Internet locations of the 
downloadable files and the query-only database on the CMS NPI Web page 
(https://www.cms.hhs.gov/NationalProvIdentStand/). At the same time, CMS 
will communicate that information in its provider listservs and to its 
business partners and other health care industry associations with whom 
CMS works on issues related to NPI implementation.
    The initial downloadable file and the query-only database will be 
available 30 days after the publication date of this notice.
    We remind health care providers who are covered entities under 
HIPAA that they are required by the NPI final rule to update their 
NPPES data within 30 days of the changes, and we encourage other health 
care providers who have been assigned NPIs to do the same. Further, 
prior to CMS'' disclosure of NPPES health care provider data, we 
encourage health care providers who have been assigned NPIs to check 
the information in their NPPES records to ensure it is current. Some 
health care providers may wish to delete optional NPPES data that they 
furnished when applying for their NPIs since the

[[Page 30014]]

information provided in these optional fields is not required. For 
example, the data contained in the ``Other Names'' and ``Other Provider 
Identifiers'' data fields are optional. Further, a primary ``Healthcare 
Provider Taxonomy Code'' is required to be furnished when applying for 
an NPI; however, the reporting of additional ``Healthcare Provider 
Taxonomy Codes'' (a total of 15 may be reported) is optional.
    The HHS NPPES data dissemination policy is as follows:
    1. NPPES health care provider data that are required to be 
disclosed under the FOIA will be available as a downloadable file on a 
Web site.
    Section 552(a)(2)(D) of the FOIA requires agencies to make 
available by electronic means copies of records which have been 
released to any person under the FOIA and which, because of the nature 
of their subject matter, the agency determines have become or are 
likely to become the subject of subsequent requests for substantially 
the same records. We believe that the demand for NPPES health care 
provider data will be such that it will justify our making NPPES health 
care provider data that are required to be disclosed under the FOIA 
available for download by the public from an Internet Web site. The 
location of the downloadable file will be announced on the CMS NPI Web 
page (https://www.cms.hhs.gov/NationalProvIdentStand/) prior to its 
availability. Each month, an update file will also be available for 
download from the same Web site. The update file will not replace the 
initial file: The update file will contain only (1) data that are 
required to be disclosed under FOIA for health care providers who 
obtained NPIs within the prior month, and (2) updates and changes to 
the data that are required to be disclosed under the FOIA for 
enumerated health care providers that were made within the prior month. 
The first update file will be available for downloading 30 days after 
the availability of the initial file, and a new update file will be 
available for downloading each month thereafter.
    There will be no charge to download the files.
    We may decide to discontinue making these files available if we 
determine that the query-only database described in (2) below is an 
adequate replacement.
    The NPPES data elements that HHS has determined are required to be 
disclosed under FOIA and will be contained in the downloadable files 
are listed in the table above.
    2. NPPES health care provider data that HHS has determined are 
required to be disclosed under FOIA will be available in a query-only 
database on an Internet Web site.
    Section 552(a)(2)(D) of the FOIA requires agencies to make 
available by electronic means copies of records which have been 
released to any person under the FOIA and which, because of the nature 
of their subject matter, the agency determines have become or are 
likely to become the subject of subsequent requests for substantially 
the same records.
    We believe that the demand for NPPES health care provider data will 
be such that it will justify our making a query-only database 
containing NPPES health care provider data that are required to be 
disclosed under the FOIA available to the public on an Internet Web 
site. Users will be able to run simple queries online, such as queries 
by NPI and by name of health care provider.
    There will be no charge to use the query-only database.
    The NPPES data elements that HHS has determined are required to be 
disclosed under FOIA and will be available from the query-only database 
are listed in the table above.
    3. Other requests for NPPES health care provider data that HHS has 
determined are required to be disclosed under the FOIA.
    Requests for FOIA-disclosable data in formats or in media that are 
not described above, or any other custom requests, will be considered 
in accordance with the FOIA and CMS FOIA procedures and charges (see 
https://www.cms.hhs.gov/AboutWebsite/04_FOIA.asp). For example, these 
could be requests for FOIA-disclosable data for specific health care 
providers, or for health care providers in certain States or with 
certain Healthcare Provider Taxonomy Codes, or requests for FOIA-
disclosable data on CD, diskette, or paper. These requests must be 
described in detail and be submitted to the following address: Centers 
for Medicare & Medicaid Services, Office of Strategic Operations and 
Regulatory Affairs, Freedom of Information Group, Room N2-20-16, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850.
    Requests may be sent by fax to (410) 786-0474. We will not 
acknowledge, respond to, or honor requests that are made by telephone.

III. Collection of Information Requirements

    This document does not impose information collection and 
recordkeeping requirements. Consequently, it need not be reviewed by 
the Office of Management and Budget under the authority of the 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

    Authority: Sections 1171 through 1179 of the Social Security Act 
(42 U.S.C. 1320d-1320d-8), as added by section 262 of Pub. L. 104-
191. 42 CFR 162, Subpart D. (Catalog of Federal Domestic Assistance 
Program, No. 93.773, Medicare--Hospital Insurance Program; and No. 
93.774, Medicare--Supplementary Medical Insurance Program)

    Dated: August 30, 2005.
Mark B. McClellan,
Administrator, Centers for Medicare & Medicaid Services.

    Dated: February 22, 2007.
Michael O. Leavitt
Secretary, Department of Health and Human Services.
[FR Doc. 07-2651 Filed 5-23-07; 4:12 pm]
BILLING CODE 4120-01-P