AGENCY:

Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION:

Notice.

SUMMARY:

This notice establishes the data that are available from the National Plan and Provider Enumeration System (NPPES). In addition, this notice addresses who may have access to the data or may receive data from the system, the processes for requesting and receiving data, and the conditions under which data may be disclosed.

FOR FURTHER INFORMATION CONTACT:

Patricia Peyton, (410) 786-1812.

SUPPLEMENTARY INFORMATION:

I. Background

A. Legislative and Regulatory Background

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services (HHS) to adopt a standard unique health identifier for health care providers. On January 23, 2004, HHS published a final rule in the Federal Register that adopted the National Provider Identifier (NPI) as the standard unique health identifier for health care providers (69 FR 3434). The NPI final rule established the National Provider System (NPS) and requires, among other things, that the NPS disseminate data in response to approved requests. The NPI final rule stated that we would publish a notice in the Federal Register describing our data dissemination strategy and the process by which we would carry it out (69 FR 3456). Therefore, we are publishing this notice.

B. Operational and System Background

On July 28, 1998, in accordance with the Privacy Act of 1974, we published, in the Federal Register, a System of Records (SOR) notice for the National Provider System (NPS) (63 FR 40297). The NPS is the system, as described in the NPI final rule, that will be used to enumerate health care providers and house the information provided on health care providers' applications for NPIs. The NPS is now contained within the National Plan and Provider Enumeration System (NPPES). We are in the process of revising the Privacy Act SOR notice and will soon publish an updated SOR notice. The updated SOR notice will reflect the change from NPS to NPPES and will incorporate other changes necessitated by organizational and name changes and information contained in the NPI final rule. The updated SOR notice will also contain language that will clarify its consistency with the data dissemination policy described in this notice. (The existing SOR notice, although it is being revised, supports the data dissemination policy described in this notice.) The NPPES enumerates health care providers and houses their NPIs and information from their NPI applications/updates. The NPPES also would be capable of enumerating health plans and housing their standard unique health identifiers and information from their health plan identifier applications/updates once a standard unique health identifier for health plans has been adopted.

Covered entities under HIPAA are required to use NPIs to identify health care providers in standard transactions beginning no later than May 23, 2007 (small health plans have until May 23, 2008). (See the Standards for Electronic Transactions and Code Sets final rule published on August 17, 2000 (65 FR 50312), the Modifications to the Electronic Transaction and Code Sets final rule published on February 20, 2003 (68 FR 8381), and the NPI final rule published on January 23, 2004 (69 FR 3434)). Covered entities include health plans, health care clearinghouses, and those health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard.

The NPPES uniquely identifies health care providers by the use of an Start Printed Page 30012application process and assigns them their NPIs. The NPPES creates a record for each health care provider to whom it assigns an NPI. The records are updated when health care providers furnish updates to the NPPES.

Health care providers are categorized by the NPPES as two types: Individuals, such as physicians; and organizations, such as hospitals.

A health care provider may apply for an NPI in one of three ways: (1) By completing form CMS-10114 (NPI Application/Update Form) and mailing it to the NPI Enumerator; (2) by applying online at https://NPPES.cms.hhs.gov/;;; or (3) by having an approved organization submit its NPI application data, along with the NPI application data of many other health care providers, to the NPPES in an electronic format defined by HHS. (The NPI Application/Update Form, CMS-10114, is approved under the Paperwork Reduction Act as OMB No. 0938-0931 with an expiration date of February 29, 2008.)

Health care providers who apply online have electronic access to the information in their own NPPES records by using user identifiers and passwords they select. This access allows those health care providers to submit updates to their NPPES data electronically via the Web.

Health care providers who apply on the paper form may update their NPPES data electronically by using user identifiers and passwords they select. However, health care providers who are individuals and who submit paper applications but did not furnish SSNs in their applications must update their NPPES data by using the paper NPI Application/Update Form.

A health care provider may have its NPI application data submitted by a HHS-approved organization if the organization offers this service and the health care provider gives permission for the NPI application data to be submitted by the organization. An organization, once it is approved to do so, submits to the NPPES the health care provider's NPI application data, along with the NPI application data of many other health care providers who have also agreed to this service. The NPI application data are submitted to the NPPES for enumeration electronically in a format defined by HHS. The NPPES processes the NPI application data and makes available to the organization the NPIs that were assigned to the health care providers. If NPIs were not assigned to all of the health care providers, HHS indicates to the organization why NPIs were not assigned. This process is known as electronic file interchange (EFI) for bulk enumeration. Information about EFI can be found at http://www.cms.hhs.gov/​NationalProvIdentStand/​. Health care providers who are assigned NPIs via this process may update their own NPPES data electronically via the Web using user identifiers and passwords they select. The approved organizations may offer to submit updates to the health care providers' NPPES data on behalf of the health care providers, and may do so if the health care providers agree. The updates are sent to the NPPES in an electronic format defined by HHS. Information on the format of EFI files is available at https://NPPES.cms.hhs.gov. The EFI process became available on May 1, 2006.

II. How to Obtain NPI(s) and Other NPPES Data of Enumerated Health Care Providers

A. Request the NPIs From the Health Care Providers

Entities wishing to obtain the NPI of a health care provider for use in a standard transaction(s) may contact that health care provider directly and request the NPI. Health care providers who are covered entities under HIPAA (known as “covered health care providers”) are required by the NPI final rule to disclose their NPIs to any entity that needs them for use in standard transactions (45 CFR 162.410(a)(3)). Covered organization health care providers that have subparts that have been assigned NPIs must ensure that those subparts disclose their NPIs as well (45 CFR 162.410(a)(6)). Because the NPI was adopted for use in standard transactions, enumerated health care providers who are not covered health care providers are expected, but not required, to disclose their NPIs, upon request, to any entity that needs them for use in standard transactions.

B. Request the NPIs and Other NPPES Health Care Provider Data From HHS

In accordance with the Freedom of Information Act (FOIA), the Privacy Act, and the CMS FOIA and Privacy Act procedures, HHS has reviewed the health care provider data elements contained in the NPPES, which are listed in the NPI final rule (69 FR 3457 through 3460). As a result of this review, HHS believes that Social Security Numbers (SSNs), Internal Revenue Service Individual Taxpayer Identification Numbers (IRS ITINs), and dates of birth (DOB) are not disclosable under FOIA and, therefore, HHS will not release these three data elements to the public, which includes HIPAA covered entities. This decision supports HHS and CMS efforts to prevent or minimize fraud and abuse in the Medicare and Medicaid programs and in the health care industry in general. HHS has determined that the remaining health care provider data elements contained in the NPPES, which are listed in the table below, are required to be disclosed under the FOIA. HHS believes that the data elements in the table below are sufficient to enable HIPAA covered entities to match health care provider records in NPPES with the health care providers for whom they have data.

Anyone may request NPIs and other NPPES health care provider data from HHS under the FOIA.

The NPPES data elements that HHS has determined are required to be disclosed under the FOIA are listed below. They are defined in the NPI final rule.

We anticipate an extraordinary demand from the health care industry for FOIA-disclosable NPPES health care provider data. Because the health care industry needs these data in order to develop linkages between legacy identifiers and NPIs that will be necessary in order to implement the NPI as required by regulation, and because health care providers need to know the NPIs of other health care providers in order to submit HIPAA-compliant health care claims transactions, there is an extreme urgency for HHS to make these data available. In order to efficiently respond, HHS will make NPPES health care provider data available on the Internet. Internet availability eliminates the need for entities to submit initial and ongoing requests for data to HHS and for HHS to process and respond to each of those requests. We believe that making these data available on the Internet is the most efficient and effective means of dissemination.

HHS will make the FOIA-disclosable NPPES health care provider data available in downloadable files and in a query-only database, as described below in items 1 and 2, respectively. Upon publication of this notice, HHS will announce the Internet locations of the downloadable files and the query-only database on the CMS NPI Web page (http://www.cms.hhs.gov/​NationalProvIdentStand/​). At the same time, CMS will communicate that information in its provider listservs and to its business partners and other health care industry associations with whom CMS works on issues related to NPI implementation.

The initial downloadable file and the query-only database will be available 30 days after the publication date of this notice.

We remind health care providers who are covered entities under HIPAA that they are required by the NPI final rule to update their NPPES data within 30 days of the changes, and we encourage other health care providers who have been assigned NPIs to do the same. Further, prior to CMS” disclosure of NPPES health care provider data, we encourage health care providers who have been assigned NPIs to check the information in their NPPES records to ensure it is current. Some health care providers may wish to delete optional NPPES data that they furnished when applying for their NPIs since the Start Printed Page 30014information provided in these optional fields is not required. For example, the data contained in the “Other Names” and “Other Provider Identifiers” data fields are optional. Further, a primary “Healthcare Provider Taxonomy Code” is required to be furnished when applying for an NPI; however, the reporting of additional “Healthcare Provider Taxonomy Codes” (a total of 15 may be reported) is optional.

The HHS NPPES data dissemination policy is as follows:

1. NPPES health care provider data that are required to be disclosed under the FOIA will be available as a downloadable file on a Web site.

Section 552(a)(2)(D) of the FOIA requires agencies to make available by electronic means copies of records which have been released to any person under the FOIA and which, because of the nature of their subject matter, the agency determines have become or are likely to become the subject of subsequent requests for substantially the same records. We believe that the demand for NPPES health care provider data will be such that it will justify our making NPPES health care provider data that are required to be disclosed under the FOIA available for download by the public from an Internet Web site. The location of the downloadable file will be announced on the CMS NPI Web page (http://www.cms.hhs.gov/​NationalProvIdentStand/​) prior to its availability. Each month, an update file will also be available for download from the same Web site. The update file will not replace the initial file: The update file will contain only (1) data that are required to be disclosed under FOIA for health care providers who obtained NPIs within the prior month, and (2) updates and changes to the data that are required to be disclosed under the FOIA for enumerated health care providers that were made within the prior month. The first update file will be available for downloading 30 days after the availability of the initial file, and a new update file will be available for downloading each month thereafter.

There will be no charge to download the files.

We may decide to discontinue making these files available if we determine that the query-only database described in (2) below is an adequate replacement.

The NPPES data elements that HHS has determined are required to be disclosed under FOIA and will be contained in the downloadable files are listed in the table above.

2. NPPES health care provider data that HHS has determined are required to be disclosed under FOIA will be available in a query-only database on an Internet Web site.

Section 552(a)(2)(D) of the FOIA requires agencies to make available by electronic means copies of records which have been released to any person under the FOIA and which, because of the nature of their subject matter, the agency determines have become or are likely to become the subject of subsequent requests for substantially the same records.

We believe that the demand for NPPES health care provider data will be such that it will justify our making a query-only database containing NPPES health care provider data that are required to be disclosed under the FOIA available to the public on an Internet Web site. Users will be able to run simple queries online, such as queries by NPI and by name of health care provider.

There will be no charge to use the query-only database.

The NPPES data elements that HHS has determined are required to be disclosed under FOIA and will be available from the query-only database are listed in the table above.

3. Other requests for NPPES health care provider data that HHS has determined are required to be disclosed under the FOIA.

Requests for FOIA-disclosable data in formats or in media that are not described above, or any other custom requests, will be considered in accordance with the FOIA and CMS FOIA procedures and charges (see http://www.cms.hhs.gov/​AboutWebsite/​04_​FOIA.asp). For example, these could be requests for FOIA-disclosable data for specific health care providers, or for health care providers in certain States or with certain Healthcare Provider Taxonomy Codes, or requests for FOIA-disclosable data on CD, diskette, or paper. These requests must be described in detail and be submitted to the following address: Centers for Medicare Medicaid Services, Office of Strategic Operations and Regulatory Affairs, Freedom of Information Group, Room N2-20-16, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

Requests may be sent by fax to (410) 786-0474. We will not acknowledge, respond to, or honor requests that are made by telephone.

III. Collection of Information Requirements

This document does not impose information collection and recordkeeping requirements. Consequently, it need not be reviewed by the Office of Management and Budget under the authority of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

Authority: Sections 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d-1320d-8), as added by section 262 of Pub. L. 104-191. 42 CFR 162, Subpart D. (Catalog of Federal Domestic Assistance Program, No. 93.773, Medicare—Hospital Insurance Program; and No. 93.774, Medicare—Supplementary Medical Insurance Program)