[Federal Register Volume 63, Number 88 (Thursday, May 7, 1998)]
[Proposed Rules]
[Pages 25320-25357]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-11692]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 142

[HCFA-0045-P]
RIN 0938-AH99


National Standard Health Care Provider Identifier

AGENCY: Health Care Financing Administration (HCFA), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This rule proposes a standard for a national health care 
provider identifier and requirements concerning its use by health 
plans, health care clearinghouses, and health care providers. The 
health plans, health care clearinghouses, and health care providers 
would use the identifier, among other uses, in connection with certain 
electronic transactions.
    The use of this identifier would improve the Medicare and Medicaid 
programs, and other Federal health programs and private health 
programs, and the effectiveness and efficiency of the health care 
industry in general, by simplifying the administration of the system 
and enabling the efficient electronic transmission of certain health 
information. It would implement some of the requirements of the 
Administrative Simplification subtitle of the Health Insurance 
Portability and Accountability Act of 1996.

DATES: Comments will be considered if we receive them at the 
appropriate address, as provided below, no later than 5 p.m. on July 6, 
1998.

ADDRESSES: Mail written comments (1 original and 3 copies) to the 
following address: Health Care Financing Administration, Department of 
Health and Human Services, Attention: HCFA-0045-P, P.O. Box 26585, 
Baltimore, MD 21207-0519.
    If you prefer, you may deliver your written comments (1 original 
and 3 copies) to one of the following addresses:

Room 309-G, Hubert H. Humphrey Building, 200 Independence Avenue, SW., 
Washington, DC 20201, or
Room C5-09-26, 7500 Security Boulevard, Baltimore, MD 21244-1850.


[[Page 25321]]


    Comments may also be submitted electronically to the following e-
mail address: [email protected] E-mail comments should include the 
full name, postal address, and affiliation (if applicable) of the 
sender and must be submitted to the referenced address to be 
considered. All comments should be incorporated in the e-mail message 
because we may not be able to access attachments.
    Because of staffing and resource limitations, we cannot accept 
comments by facsimile (FAX) transmission. In commenting, please refer 
to file code HCFA-0045-P and the specific section or sections of the 
proposed rule. Both electronic and written comments received by the 
time and date indicated above will be available for public inspection 
as they are received, generally beginning approximately 3 weeks after 
publication of a document, in Room 309-G of the Department's offices at 
200 Independence Avenue, SW., Washington, DC, on Monday through Friday 
of each week from 8:30 a.m. to 5 p.m. (phone: (202) 690-7890). 
Electronic and legible written comments will also be posted, along with 
this proposed rule, at the following web site: http://aspe.os.dhhs.gov/
admnsimp/.
    Copies: To order copies of the Federal Register containing this 
document, send your request to: New Orders, Superintendent of 
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date 
of the issue requested and enclose a check or money order payable to 
the Superintendent of Documents, or enclose your Visa or Master Card 
number and expiration date. Credit card orders can also be placed by 
calling the order desk at (202) 512-1800 or by faxing to (202) 512-
2250. The cost for each copy is $8. As an alternative, you can view and 
photocopy the Federal Register document at most libraries designated as 
Federal Depository Libraries and at many other public and academic 
libraries throughout the country that receive the Federal Register.
    This Federal Register document is also available from the Federal 
Register online database through GPO Access, a service of the U.S. 
Government Printing Office. Free public access is available on a Wide 
Area Information Server (WAIS) through the Internet and via 
asynchronous dial-in. Internet users can access the database by using 
the World Wide Web; the Superintendent of Documents home page address 
is http://www.access.gpo.gov/su__docs/, by using local WAIS client 
software, or by telnet to swais.access.gpo.gov, then login as guest (no 
password required). Dial-in users should use communications software 
and modem to call 202-512-1661; type swais, then login as guest (no 
password required).

FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.

SUPPLEMENTARY INFORMATION:

I. Background

[Please label written and e-mailed comments about this section with 
the subject: Background.]

    In order to administer their programs, the Department of Health and 
Human Services, other Federal agencies, State Medicaid agencies, and 
private health plans assign identification numbers to the providers of 
health care services and supplies with which they transact business. 
These various agencies and health plans, all of which we will refer to 
as health plans in this proposed rule, routinely, and independently of 
each other, assign identifiers to health care providers for program 
management and operations purposes. The identifiers are frequently not 
standardized within a single health plan or across plans. This lack of 
uniformity results in a single health care provider having different 
numbers for each program and often multiple billing numbers issued 
within the same program, significantly complicating providers' claims 
submission processes. In addition, nonstandard enumeration contributes 
to the unintentional issuance of the same identification number to 
different health care providers.
    Most health plans have to be able to coordinate benefits with other 
health plans to ensure appropriate payment. The lack of a single and 
unique identifier for each health care provider within each health plan 
and across health plans, based on the same core data, makes exchanging 
data both expensive and difficult.
    All of these factors indicate the complexities of exchanging 
information on health care providers within and among organizations and 
result in increasing numbers of claims-related problems and increasing 
costs of data processing. As we become more dependent on data 
automation and proceed in planning for health care in the future, the 
need for a universal, standard health care provider identifier becomes 
more and more evident.
    In addition to overcoming communication and coordination 
difficulties, use of a standard, unique provider identifier would 
enhance our ability to eliminate fraud and abuse in health care 
programs.
     Payments for excessive or fraudulent claims can be reduced 
by standardizing enumeration, which would facilitate sharing 
information across programs or across different parts of the same 
program.
     A health care provider's identifier would not change with 
moves or changes in specialty. This facilitates tracking of fraudulent 
health care providers over time and across geographic areas.
     A health care provider would receive only one identifier 
and would not be able to receive duplicate payments from a program by 
submitting claims under multiple provider identifiers.
     A standard identifier would facilitate access to sanction 
information.

A. National Provider Identifier Initiative

    In July 1993, the Health Care Financing Administration (HCFA) 
undertook a project to develop a provider identification system to meet 
Medicare and Medicaid needs and ultimately a national identification 
system for all health care providers to meet the needs of other users 
and programs. Representatives from the private sector and Federal and 
State agencies were invited to participate. Active participants 
included:
     Department of Defense, Office of Civilian Health and 
Medical Program of the Uniformed Services.
     Assistant Secretary for Planning and Evaluation, HHS.
     Department of Labor.
     Department of Veterans Affairs.
     Office of Personnel Management.
     Public Health Service, HHS.
     Drug Enforcement Administration
     State Medicaid agencies and health departments including 
those of Alabama, California, Maryland, Minnesota and Virginia.
     Medicare carriers and fiscal intermediaries.
     Professional and medical associations, including the 
National Council for Prescription Drug Programs.
    One of the group's first tasks was to decide whether to use an 
existing identifier or to develop a new one. They began by adopting 
criteria recommended for a unique provider identifier by the Workgroup 
for Electronic Data Interchange (WEDI), Technical Advisory Group in 
October 1993, and recommended by the American National Standards 
Institute (ANSI), Healthcare Informatics Standards Planning Panel, Task 
Group on Provider Identifiers in February 1994. The workgroup then 
examined existing identifiers and concluded that no existing identifier 
met all the criteria that had been recommended by the WEDI and ANSI 
workgroups.
    Because of the limitations of existing identifiers, the workgroup 
designed a

[[Page 25322]]

new identifier that would be in the public domain and that would 
incorporate the recommendations of the WEDI and ANSI workgroups. This 
identifier, which we call the national provider identifier, or NPI, is 
an 8-position alphanumeric identifier.

B. The Results of the NPI Initiative

    As a result of the project on the NPI, and before legislation 
required the use of the standard identifier for all health care 
providers (see section I.C. Legislation, below), HCFA and other 
participants accepted the workgroup's recommendation, and HCFA decided 
that this new identifier would be implemented in the Medicare program. 
HCFA began work on developing a national provider system (NPS) that 
would contain provider data and be equipped with the technology 
necessary to maintain and manage the data. Plans for the NPS included 
assigning the NPI and storing the data necessary to identify each 
health care provider uniquely. The NPI was designed to have no embedded 
intelligence. (That is, information about the health care provider, 
such as the type of health care provider or State where the health care 
provider is located, would not be conveyed by the NPI. This information 
was to have been recorded by the NPS in each health care provider's 
record but would not be part of the identifier.)
    The NPS was designed so that it could also be used by other Federal 
and State agencies and private health plans to enumerate their health 
care providers that do not participate in Medicare.

C. Legislation

    The Congress included provisions to address the need for a standard 
identifier and other administrative simplification issues in the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA), Public 
Law 104-191, which was enacted on August 21, 1996. Through subtitle F 
of title II of that law, the Congress added to title XI of the Social 
Security Act a new part C, entitled ``Administrative Simplification.'' 
(Public Law 104-191 affects several titles in the United States Code. 
Hereafter, we refer to the Social Security Act as the Act; we refer to 
the other laws cited in this document by their names.) The purpose of 
this part is to improve the Medicare and Medicaid programs in 
particular and the efficiency and effectiveness of the health care 
system in general by encouraging the development of a health 
information system through the establishment of standards and 
requirements to facilitate the electronic transmission of certain 
health information.
    Part C of title XI consists of sections 1171 through 1179 of the 
Act. These sections define various terms and impose several 
requirements on HHS, health plans, health care clearinghouses, and 
certain health care providers concerning electronic transmission of 
health information.
    The first section, section 1171 of the Act, establishes definitions 
for purposes of part C of title XI for the following terms: code set, 
health care clearinghouse, health care provider, health information, 
health plan, individually identifiable health information, standard, 
and standard setting organization.
    Section 1172 of the Act makes any standard adopted under part C 
applicable to (1) all health plans, (2) all health care clearinghouses, 
and (3) any health care providers that transmit any health information 
in electronic form in connection with the transactions referred to in 
section 1173(a)(1) of the Act.
    This section also contains requirements concerning standard 
setting.
     The Secretary may adopt a standard developed, adopted, or 
modified by a standard setting organization (that is, an organization 
accredited by the American National Standards Institute (ANSI)) that 
has consulted with the National Uniform Billing Committee (NUBC), the 
National Uniform Claim Committee (NUCC), WEDI, and the American Dental 
Association (ADA).
     The Secretary may also adopt a standard other than one 
established by a standard setting organization, if the different 
standard will reduce costs for health care providers and health plans, 
the different standard is promulgated through negotiated rulemaking 
procedures, and the Secretary consults with each of the above-named 
groups.
     If no standard has been adopted by any standard setting 
organization, the Secretary is to rely on the recommendations of the 
National Committee on Vital and Health Statistics (NCVHS) and consult 
with each of the above-named groups.
    In complying with the requirements of part C of title XI, the 
Secretary must rely on the recommendations of the NCVHS, consult with 
appropriate State, Federal, and private agencies or organizations, and 
publish the recommendations of the NCVHS in the Federal Register.
    Paragraph (a) of section 1173 of the Act requires that the 
Secretary adopt standards for financial and administrative 
transactions, and data elements for those transactions, to enable 
health information to be exchanged electronically. Standards are 
required for the following transactions: health claims, health 
encounter information, health claims attachments, health plan 
enrollments and disenrollments, health plan eligibility, health care 
payment and remittance advice, health plan premium payments, first 
report of injury, health claim status, and referral certification and 
authorization. In addition, the Secretary is required to adopt 
standards for any other financial and administrative transactions that 
are determined to be appropriate by the Secretary.
    Paragraph (b) of section 1173 of the Act requires the Secretary to 
adopt standards for unique health identifiers for all individuals, 
employers, health plans, and health care providers and requires further 
that the adopted standards specify for what purposes unique health 
identifiers may be used.
    Paragraphs (c) through (f) of section 1173 of the Act require the 
Secretary to establish standards for code sets for each data element 
for each health care transaction listed above, security standards for 
health care information systems, standards for electronic signatures 
(established together with the Secretary of Commerce), and standards 
for the transmission of data elements needed for the coordination of 
benefits and sequential processing of claims. Compliance with 
electronic signature standards will be deemed to satisfy both State and 
Federal requirements for written signatures with respect to the 
transactions listed in paragraph (a) of section 1173 of the Act.
    In section 1174 of the Act, the Secretary is required to adopt 
standards for all of the above transactions, except claims attachments, 
within 18 months of enactment. The standards for claims attachments 
must be adopted within 30 months of enactment. Generally, after a 
standard is established it cannot be changed during the first year 
except for changes that are necessary to permit compliance with the 
standard. Modifications to any of these standards may be made after the 
first year, but not more frequently than once every 12 months. The 
Secretary must also ensure that procedures exist for the routine 
maintenance, testing, enhancement, and expansion of code sets and that 
there are crosswalks from prior versions.
    Section 1175 of the Act prohibits health plans from refusing to 
process or delaying the processing of a transaction that is presented 
in standard format. The Act's requirements are not limited to health 
plans; however, each person to whom a standard or implementation

[[Page 25323]]

specification applies is required to comply with the standard within 24 
months (or 36 months for small health plans) of its adoption. A health 
plan or other entity may, of course, comply voluntarily before the 
effective date. Entities may comply by using a health care 
clearinghouse to transmit or receive the standard transactions. 
Compliance with modifications and implementation specifications to 
standards must be accomplished by a date designated by the Secretary. 
This date may not be earlier than 180 days after the notice of change.
    Section 1176 of the Act establishes a civil monetary penalty for 
violation of the provisions in part C of title XI of the Act, subject 
to several limitations. The Secretary is required by statute to impose 
penalties of not more than $100 per violation on any person who fails 
to comply with a standard, except that the total amount imposed on any 
one person in each calendar year may not exceed $25,000 for violations 
of one requirement. The procedural provisions in section 1128A of the 
Act, ``Civil Monetary Penalties,'' are applicable.
    Section 1177 of the Act establishes penalties for a knowing misuse 
of unique health identifiers and individually identifiable health 
information: (1) A fine of not more than $50,000 and/or imprisonment of 
not more than 1 year; (2) if misuse is ``under false pretenses,'' a 
fine of not more than $100,000 and/or imprisonment of not more than 5 
years; and (3) if misuse is with intent to sell, transfer, or use 
individually identifiable health information for commercial advantage, 
personal gain, or malicious harm, a fine of not more than $250,000 and/
or imprisonment of not more than 10 years.
    Under section 1178 of the Act, the provisions of part C of title XI 
of the Act, as well as any standards established under them, supersede 
any State law that is contrary to them. However, the Secretary may, for 
statutorily specified reasons, waive this provision.
    Finally, section 1179 of the Act makes the above provisions 
inapplicable to financial institutions or anyone acting on behalf of a 
financial institution when ``authorizing, processing, clearing, 
settling, billing, transferring, reconciling, or collecting payments 
for a financial institution.''
    (Concerning this last provision, the conference report, in its 
discussion on section 1178, states:

    ``The conferees do not intend to exclude the activities of 
financial institutions or their contractors from compliance with the 
standards adopted under this part if such activities would be 
subject to this part. However, conferees intend that this part does 
not apply to use or disclosure of information when an individual 
utilizes a payment system to make a payment for, or related to, 
health plan premiums or health care. For example, the exchange of 
information between participants in a credit card system in 
connection with processing a credit card payment for health care 
would not be covered by this part. Similarly sending a checking 
account statement to an account holder who uses a credit or debit 
card to pay for health care services, would not be covered by this 
part. However, this part does apply if a company clears health care 
claims, the health care claims activities remain subject to the 
requirements of this part.'') (H.R. Rep. No. 736, 104th Cong., 2nd 
Sess. 268-269 (1996))

D. Process for Developing National Standards

    The Secretary has formulated a 5-part strategy for developing and 
implementing the standards mandated under Part C of title XI of the 
Act:
    1. To ensure necessary interagency coordination and required 
interaction with other Federal departments and the private sector, 
establish interdepartmental implementation teams to identify and assess 
potential standards for adoption. The subject matter of the teams 
includes claims/encounters, identifiers, enrollment/eligibility, 
systems security, and medical coding/classification. Another team 
addresses cross-cutting issues and coordinates the subject matter 
teams. The teams consult with external groups such as the NCVHS' 
Workgroup on Data Standards, WEDI, ANSI's Health Informatics Standards 
Board, the NUCC, the NUBC, and the ADA. The teams are charged with 
developing regulations and other necessary documents and making 
recommendations for the various standards to the HHS' Data Council 
through its Committee on Health Data Standards. (The HHS Data Council 
is the focal point for consideration of data policy issues. It reports 
directly to the Secretary and advises the Secretary on data standards 
and privacy issues.)
    2. Develop recommendations for standards to be adopted.
    3. Publish proposed rules in the Federal Register describing the 
standards. Each proposed rule provides the public with a 60-day comment 
period.
    4. Analyze public comments and publish the final rules in the 
Federal Register.
    5. Distribute standards and coordinate preparation and distribution 
of implementation guides.
    This strategy affords many opportunities for involvement of 
interested and affected parties in standards development and adoption:
     Participate with standards development organizations.
     Provide written input to the NCVHS.
     Provide written input to the Secretary of HHS.
     Provide testimony at NCVHS' public meetings.
     Comment on the proposed rules for each of the proposed 
standards.
     Invite HHS staff to meetings with public and private 
sector organizations or meet directly with senior HHS staff involved in 
the implementation process.
    The implementation teams charged with reviewing standards for 
designation as required national standards under the statute have 
defined, with significant input from the health care industry, a set of 
principles for guiding choices for the standards to be adopted by the 
Secretary. These principles are based on direct specifications in HIPAA 
and the purpose of the law, principles that are consistent with the 
regulatory philosophy set forth in Executive Order 12866 and the 
Paperwork Reduction Act of 1995. To be designated as a HIPAA standard, 
each standard should:
    1. Improve the efficiency and effectiveness of the health care 
system by leading to cost reductions for or improvements in benefits 
from electronic health care transactions.
    2. Meet the needs of the health data standards user community, 
particularly health care providers, health plans, and health care 
clearinghouses.
    3. Be consistent and uniform with the other HIPAA standards--their 
data element definitions and codes and their privacy and security 
requirements--and, secondarily, with other private and public sector 
health data standards.
    4. Have low additional development and implementation costs 
relative to the benefits of using the standard.
    5. Be supported by an ANSI-accredited standards developing 
organization or other private or public organization that will ensure 
continuity and efficient updating of the standard over time.
    6. Have timely development, testing, implementation, and updating 
procedures to achieve administrative simplification benefits faster.
    7. Be technologically independent of the computer platforms and 
transmission protocols used in electronic transactions, except when 
they are explicitly part of the standard.
    8. Be precise and unambiguous, but as simple as possible.
    9. Keep data collection and paperwork burdens on users as low as is 
feasible.

[[Page 25324]]

    10. Incorporate flexibility to adapt more easily to changes in the 
health care infrastructure (such as new services, organizations, and 
provider types) and information technology.
    A master data dictionary providing for common data definitions 
across the standards selected for implementation under HIPAA will be 
developed and maintained. We intend for the data element definitions to 
be precise, unambiguous, and consistently applied. The transaction-
specific reports and general reports from the master data dictionary 
will be readily available to the public. At a minimum, the information 
presented will include data element names, definitions, and appropriate 
references to the transactions where they are used.
    This proposed rule would establish the standard health care 
provider identifier and is the first proposed standard under HIPAA. The 
remaining standards will be grouped, to the extent possible, by subject 
matter and audience in future regulations. We anticipate publishing 
several more separate documents to promulgate the remaining standards 
required under HIPAA.

II. Provisions of the Proposed Regulations

[Please label written and e-mailed comments about this section with 
the subject: Provisions.]

    In this proposed rule, we propose a standard health care provider 
identifier and requirements concerning its implementation. This rule 
would establish requirements that health plans, health care providers, 
and health care clearinghouses would have to meet to comply with the 
statutory requirement to use a unique identifier in electronic 
transactions.
    We propose to add a new part to title 45 of the Code of Federal 
Regulations for health plans, health care providers, and health care 
clearinghouses in general. The new part would be part 142 of title 45 
and would be titled ``Administrative Requirements.'' Subpart D would 
contain provisions specific to the NPI.

A. Applicability

    Section 262 of HIPAA applies to all health plans, all health care 
clearinghouses, and any health care providers that transmit any health 
information in electronic form in connection with transactions referred 
to in section 1173(a)(1) of the Act. Our proposed rules (at 45 CFR 
142.102) would apply to the health plans and health care clearinghouses 
as well, but we would clarify the statutory language in our regulations 
for health care providers: we would have the regulations apply to any 
health care provider only when electronically transmitting any of the 
transactions to which section 1173(a)(1) of the Act refers.
    Electronic transmissions would include transmissions using all 
media, even when the transmission is physically moved from one location 
to another using magnetic tape, disk, or CD media. Transmissions over 
the Internet (wide-open), Extranet (using Internet technology to link a 
business with information only accessible to collaborating parties), 
leased lines, dial-up lines, and private networks are all included. 
Telephone voice response and ``faxback'' systems would not be included. 
The ``HTML'' interaction between a server and a browser by which the 
elements of a transaction are solicited from a user would not be 
included, but once assembled into a transaction by the server, 
transmission of the full transaction to another corporate entity, such 
as a health plan, would be required to comply.
    Our regulations would apply to health care clearinghouses when 
transmitting transactions to, and receiving transactions from, a health 
care provider or health plan that transmits and receives standard 
transactions (as defined under ``transaction'') and at all times when 
transmitting to or receiving electronic transactions from another 
health care clearinghouse. The law would apply to each health care 
provider when transmitting or receiving any electronic transaction.
    The law applies to health plans for all transactions.
    Section 142.104 would contain the following provisions (from 
section 1175 of the Act):
    If a person desires to conduct a transaction (as defined in 
Sec. 142.103) with a health plan as a standard transaction, the 
following apply:
    (1) The health plan may not refuse to conduct the transaction as a 
standard transaction.
    (2) The health plan may not delay the transaction or otherwise 
adversely affect, or attempt to adversely affect, the person or the 
transaction on the ground that the transaction is a standard 
transaction.
    (3) The information transmitted and received in connection with the 
transaction must be in the form of standard data elements of health 
information.
    As a further requirement, we would require that a health plan that 
conducts transactions through an agent assure that the agent meets all 
the requirements of part 142 that apply to the health plan.
    Section 142.105 would state that a person or other entity may meet 
the requirements of Sec. 142.104 by either--
    (1) Transmitting and receiving standard data elements, or
    (2) Submitting nonstandard data elements to a health care 
clearinghouse for processing into standard data elements and 
transmission by the health care clearinghouse and receiving standard 
data elements through the clearinghouse.
    Health care clearinghouses would be able to accept nonstandard 
transactions for the sole purpose of translating them into standard 
transactions for sending customers and would be able to accept standard 
transactions and translate them into nonstandard formats for receiving 
customers. We would state in Sec. 142.105 that the transmission of 
nonstandard transactions, under contract, between a health plan or a 
health care provider and a health care clearinghouse would not violate 
the law.
    Transmissions within a corporate entity would not be required to 
comply with the standards. A hospital that is wholly owned by a managed 
care company would not have to use the standards to pass encounter 
information back to the home office, but it would have to use the 
standard claims transaction to submit a claim to another health plan. 
Another example might be transactions within Federal agencies and their 
contractors and between State agencies within the same State. For 
example, Medicare enters into contracts with insurance companies and 
common working file sites that process Medicare claims using government 
furnished software. There is constant communication, on a private 
network, between HCFA Central Office and the Medicare carriers, 
intermediaries and common working file sites. This communication may 
continue in nonstandard mode. However, these contractors must comply 
with the standards when exchanging any of the transactions covered by 
HIPAA with an entity outside these ``corporate'' boundaries.

B. Definitions

    Section 1171 of the Act defines several terms and our proposed 
rules would, for the most part, simply restate the law. The terms that 
we are defining in this proposed rule follow:
    1. Code set.
    We would define ``code set'' as section 1171(1) of the Act does: 
``code set'' means any set of codes used for encoding data elements, 
such as tables of terms, medical concepts, medical diagnostic codes, or 
medical procedure codes.

[[Page 25325]]

    2. Health care clearinghouse.
    We would define ``health care clearinghouse'' as section 1171(2) of 
the Act does, but we are adding a further, clarifying sentence. The 
statute defines a ``health care clearinghouse'' as a public or private 
entity that processes or facilitates the processing of nonstandard data 
elements of health information into standard data elements. We would 
further explain that such an entity is one that currently receives 
health care transactions from health care providers and other entities, 
translates the data from a given format into one acceptable to the 
intended recipient and forwards the processed transaction to 
appropriate health plans and other clearinghouses, as necessary, for 
further action.
    There are currently a number of private clearinghouses that perform 
these functions for health care providers. For purposes of this rule, 
we would consider billing services, repricing companies, community 
health management information systems or community health information 
systems, value-added networks, and switches performing these functions 
to be health care clearinghouses.
    3. Health care provider.
    As defined by section 1171(3) of the Act, a ``health care 
provider'' is a provider of services as defined in section 1861(u) of 
the Act, a provider of medical or other health services as defined in 
section 1861(s) of the Act, and any other person who furnishes health 
care services or supplies. Our regulations would define ``health care 
provider'' as the statute does and clarify that the definition of a 
health care provider is limited to those entities that furnish, or bill 
and are paid for, health care services in the normal course of 
business.
    The statutory definition of a health care provider is broad. 
Section 1861(u) contains the Medicare definition of a provider, which 
encompasses institutional providers such as hospitals, skilled nursing 
facilities, home health agencies, and comprehensive outpatient 
rehabilitation facilities. Section 1861(s) defines other Medicare 
facilities and practitioners, including assorted clinics and centers, 
physicians, clinical laboratories, various licensed/certified health 
care practitioners, and suppliers of durable medical equipment. The 
last portion of the definition encompasses any appropriately licensed 
or certified health care practitioners or organizations, including 
pharmacies and nursing homes and many types of therapists, technicians, 
and aides. It also includes any other individual or organization that 
furnishes health care services or supplies. We believe that an 
individual or organization that bills and is paid for health care 
services or supplies is also a health care provider for purposes of the 
statute.
    Section 1173(b)(1) of the Act requires the Secretary to adopt 
standards for unique identifiers for all health care providers. The 
definition of a ``health care provider'' at section 1171(3) includes 
all Medicare providers and ``any other person furnishing health care 
services and supplies.'' These two provisions require that provider 
identifiers may not be limited to only those health care providers that 
bill electronically or those that bill in their own right. Instead 
provider identifiers will eventually be available to all those that 
provide health services. Penalties for failure to use the correct 
identifiers, however, are limited to those that fail to use the 
identifiers or other standards in the nine designated electronic 
transactions. As we discuss under a later section in this preamble, 
III. Implementation of the NPI, we do not expect to be able to assign 
identifiers immediately to all health care providers that do not 
participate in electronic transactions.
    Our proposed definition of a health care provider would not include 
health industry workers who support the provision of health care but 
who do not provide health services, such as admissions and billing 
personnel, housekeeping staff, and orderlies.
    We describe two alternatives for defining general categories of 
health care providers for enumeration purposes. In the first, we would 
categorize health care providers as individuals, organizations, or 
groups. In the second, we would categorize health care providers as 
individuals or organizations, which would include groups. The data to 
be collected for each category of health care provider are described in 
the preamble in section IV.
B. Data Elements. We welcome your comments on whether group providers 
need to be distinguished from organization providers.
    Individuals are treated differently than organizations and groups 
because the data available to search for duplicates (for example, date 
and place of birth) are different. Organizations and groups may need to 
be treated differently from each other because it is possible that a 
group is not specifically licensed or certified to provide health care, 
whereas an organization usually is. It may, therefore, be important to 
be able to link the individual members to the group. It would not be 
possible to distinguish one category from another by looking at the 
NPI. The NPS would contain the kinds of data necessary to adequately 
categorize each health care provider.
    The categories are described as follows:
    Individual--A human being who is licensed, certified or otherwise 
authorized to perform medical services or provide medical care, 
equipment and/or supplies in the normal course of business. Examples of 
individuals are physicians, nurses, dentists, pharmacists, and physical 
therapists.
    Organization--An entity, other than an individual, that is 
licensed, certified or otherwise authorized to provide medical 
services, care, equipment or supplies in the normal course of business. 
The licensure, certification, or other recognition is granted to the 
organization entity. Individual owners, managers, or employees of the 
organization may also be certified, licensed, or otherwise recognized 
as individual health care providers in their own right. Each separate 
physical location of an organization, each member of an organization 
chain, and each subpart of an organization that needs to be identified 
would receive its own NPI. NPIs of organization providers would not be 
linked within the NPS to NPIs of other health care providers. Examples 
of organizations are hospitals, laboratories, ambulance companies, 
health maintenance organizations, and pharmacies.
    In the first alternative for categorizing health care providers, as 
described above, we would distinguish a group from an organization. We 
would define a group as follows:
    Group--An entity composed of one or more individuals (as defined 
above), generally created to provide coverage of patients' needs in 
terms of office hours, professional backup and support, or range of 
services resulting in specific billing or payment arrangements. It is 
possible that the group itself is not licensed or certified, but the 
individual(s) who compose the group are licensed, certified or 
otherwise authorized to provide health care services. The NPIs of the 
group member(s) would be linked within the NPS to the NPI of the group. 
An individual can be a member of multiple groups. Examples of groups 
are (1) two physicians practicing as a group where they bill and 
receive payment for their services as a group and (2) an incorporated 
individual billing and receiving payment as a corporation.
    The ownership of a group or organization can change if it is sold, 
consolidated, or merged, or if control changes due to stock 
acquisition. In many cases, the nature of the provider

[[Page 25326]]

itself (for example, its location, staff or types of services provided) 
is not affected. In general, the NPI of the provider should not change 
in these situations unless the change of ownership affects the nature 
of the provider. (Example: If a hospital is acquired and then converted 
to a rehabilitation center, it would need to obtain a new NPI.) There 
may also be circumstances where a new NPI should be issued. (Example: a 
physicians' group practice operating as a partnership dissolves that 
partnership and another partnership of physicians acquires and operates 
the practice.) We solicit comments on rules to be applied.
    We discuss the enumeration of health care providers in more detail, 
in III. Implementation of the NPI, later in this preamble.
    4. Health information.
    ``Health information,'' as defined in section 1171 of the Act, 
means any information, whether oral or recorded in any form or medium, 
that--
     Is created or received by a health care provider, health 
plan, public health authority, employer, life insurer, school or 
university, or health care clearinghouse; and
     Relates to the past, present, or future physical or mental 
health or condition of an individual; the provision of health care to 
an individual; or the past, present, or future payment for the 
provision of health care to an individual.
    We propose the same definition for our regulations.
    5. Health plan.
    We propose that a ``health plan'' be defined essentially as section 
1171 of the Act defines it. Section 1171 of the Act cross refers to 
definitions in section 2791 of the Public Health Service Act (as added 
by Public Law 104-191, 42 U.S.C. 300gg-91); we would incorporate those 
definitions as currently stated into our proposed definitions for the 
convenience of the public. We note that many of these terms are defined 
in other statutes, such as the Employee Retirement Income Security Act 
of 1974 (ERISA), Public Law 93-406, 29 U.S.C. 1002(7) and the Public 
Health Service Act. Our definitions are based on the roles of plans in 
conducting administrative transactions, and any differences should not 
be construed to affect other statutes.
    For purposes of implementing the provisions of administrative 
simplification, a ``health plan'' would be an individual or group 
health plan that provides, or pays the cost of, medical care. This 
definition includes, but is not limited to, the 13 types of plans 
listed in the statute. On the other hand, plans such as property and 
casualty insurance plans and workers compensation plans, which may pay 
health care costs in the course of administering nonhealth care 
benefits, are not considered to be health plans in the proposed 
definition of health plan. Of course, these plans may voluntarily adopt 
these standards for their own business needs. At some future time, the 
Congress may choose to expressly include some or all of these plans in 
the list of health plans that must comply with the standards.
    Health plans often carry out their business functions through 
agents, such as plan administrators (including third party 
administrators), entities that are under ``administrative services 
only'' (ASO) contracts, claims processors, and fiscal agents. These 
agents may or may not be health plans in their own right; for example, 
a health plan may act as another health plan's agent as another line of 
business. As stated earlier, a health plan that conducts HIPAA 
transactions through an agent is required to assure that the agent 
meets all HIPAA requirements that apply to the plan itself.
    ``Health plan'' includes the following, singly or in combination:
    a. ``Group health plan'' (as currently defined by section 2791(a) 
of the Public Health Service Act). A group health plan is a plan that 
has 50 or more participants (as the term ``participant'' is currently 
defined by section 3(7) of ERISA) or is administered by an entity other 
than the employer that established and maintains the plan. This 
definition includes both insured and self-insured plans. We define 
``participant'' separately below.
    Section 2791(a)(1) of the Public Health Service Act defines ``group 
health plan'' as an employee welfare benefit plan (as currently defined 
in section 3(1) of ERISA) to the extent that the plan provides medical 
care, including items and services paid for as medical care, to 
employees or their dependents directly or through insurance, or 
otherwise.
    It should be noted that group health plans that have fewer than 50 
participants and that are administered by the employer would be 
excluded from this definition and would not be subject to the 
administrative simplification provisions of HIPAA.
    b. ``Health insurance issuer'' (as currently defined by section 
2791(b) of the Public Health Service Act).
    Section 2791(b)(2) of the Public Health Service Act currently 
defines a ``health insurance issuer'' as an insurance company, 
insurance service, or insurance organization that is licensed to engage 
in the business of insurance in a State and is subject to State law 
that regulates insurance.
    c. ``Health maintenance organization'' (as currently defined by 
section 2791(b) of the Public Health Service Act).
    Section 2791(b) of the Public Health Service Act currently defines 
a ``health maintenance organization'' as a Federally qualified health 
maintenance organization, an organization recognized as such under 
State law, or a similar organization regulated for solvency under State 
law in the same manner and to the same extent as such a health 
maintenance organization. These organizations may include preferred 
provider organizations, provider sponsored organizations, independent 
practice associations, competitive medical plans, exclusive provider 
organizations, and foundations for medical care.
    d. Part A or Part B of the Medicare program (title XVIII of the 
Act).
    e. The Medicaid program (title XIX of the Act).
    f. A ``Medicare supplemental policy'' as defined under section 
1882(g)(1) of the Act.
    Section 1882(g)(1) of the Act defines a ``Medicare supplemental 
policy'' as a health insurance policy that a private entity offers a 
Medicare beneficiary to provide payment for expenses incurred for 
services and items that are not reimbursed by Medicare because of 
deductible, coinsurance, or other limitations under Medicare. The 
statutory definition of a Medicare supplemental policy excludes a 
number of plans that are generally considered to be Medicare 
supplemental plans, such as health plans for employees and former 
employees and for members and former members of trade associations and 
unions. A number of these health plans may be included under the 
definitions of ``group health plan'' or ``health insurance issuer'', as 
defined in a. and b. above.
    g. A ``long-term care policy,'' including a nursing home fixed-
indemnity policy. A ``long-term care policy'' is considered to be a 
health plan regardless of how comprehensive it is. We recognize the 
long-term care insurance segment of the industry is largely unautomated 
and we welcome comments regarding the impact of HIPAA on the long-term 
care segment.
    h. An employee welfare benefit plan or any other arrangement that 
is established or maintained for the purpose of offering or providing 
health benefits to the employees of two or more employers. This 
includes plans and other arrangements that are referred to as multiple 
employer welfare

[[Page 25327]]

arrangements (``MEWAs'') as defined in section 3(40) of ERISA.
    i. The health care program for active military personnel under 
title 10 of the United States Code.
    j. The veterans health care program under chapter 17 of title 38 of 
the United States Code.
    This health plan primarily furnishes medical care through hospitals 
and clinics administered by the Department of Veterans Affairs for 
veterans with a service-connected disability that is compensable. 
Veterans with non-service-connected disabilities (and no other health 
benefit plan) may receive health care under this health plan to the 
extent resources and facilities are available.
    k. The Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
    CHAMPUS primarily covers services furnished by civilian medical 
providers to dependents of active duty members of the uniformed 
services and retirees and their dependents under age 65.
    l. The Indian Health Service program under the Indian Health Care 
Improvement Act (25 U.S.C. 1601 et seq.).
    This program furnishes services, generally through its own health 
care providers, primarily to persons who are eligible to receive 
services because they are of American Indian or Alaskan Native descent.
    m. The Federal Employees Health Benefits Program under 5 U.S.C. 
chapter 89.
    This program consists of health insurance plans offered to active 
and retired Federal employees and their dependents. Depending on the 
health plan, the services may be furnished on a fee-for-service basis 
or through a health maintenance organization.
    (Note: Although section 1171(5)(M) of the Act refers to the 
``Federal Employees Health Benefit Plan,'' this and any other rules 
adopting administrative simplification standards will use the correct 
name, the Federal Employees Health Benefits Program. One health plan 
does not cover all Federal employees; there are over 350 health plans 
that provide health benefits coverage to Federal employees, retirees, 
and their eligible family members. Therefore, we will use the correct 
name, the Federal Employees Health Benefits Program, to make clear that 
the administrative simplification standards apply to all health plans 
that participate in the Program.)
    n. Any other individual or group health plan, or combination 
thereof, that provides or pays for the cost of medical care.
    We would include a fourteenth category of health plan in addition 
to those specifically named in HIPAA, as there are health plans that do 
not readily fit into the other categories but whose major purpose is 
providing health benefits. The Secretary would determine which of these 
plans are health plans for purposes of title II of HIPAA. This category 
would include the Medicare Plus Choice plans that will become available 
as a result of section 1855 of the Act as amended by section 4001 of 
the Balanced Budget Act of 1997 (Public Law 105-33) to the extent that 
these health plans do not fall under any other category.
    6. Medical care.
    ``Medical care,'' which is used in the definition of health plan, 
would be defined as current section 2791 of the Public Health Service 
Act defines it: the diagnosis, cure, mitigation, treatment, or 
prevention of disease, or amounts paid for the purpose of affecting any 
body structure or function of the body; amounts paid for transportation 
primarily for and essential to these items; and amounts paid for 
insurance covering the items and the transportation specified in this 
definition.
    7. Participant.
    We would define the term ``participant'' as section 3(7) of ERISA 
currently defines it: a ``participant'' is any employee or former 
employee of an employer, or any member or former member of an employee 
organization, who is or may become eligible to receive a benefit of any 
type from an employee benefit plan that covers employees of such an 
employer or members of such organizations, or whose beneficiaries may 
be eligible to receive any such benefits. An ``employee'' would include 
an individual who is treated as an employee under section 401(c)(1) of 
the Internal Revenue Code of 1986 (26 U.S.C. 401(c)(1)).
    8. Small health plan.
    We would define a ``small health plan'' as a group health plan with 
fewer than 50 participants.
    The HIPAA does not define a ``small health plan'' but instead 
leaves the definition to be determined by the Secretary. The Conference 
Report suggests that the appropriate definition of a ``small health 
plan'' is found in current section 2791(a) of the Public Health Service 
Act, which is a group health plan with fewer than 50 participants. We 
would also define small individual health plans as those with fewer 
than 50 participants.
    9. Standard.
    Section 1171 of the Act defines ``standard,'' when used with 
reference to a data element of health information or a transaction 
referred to in section 1173(a)(1) of the Act, as any such data element 
or transaction that meets each of the standards and implementation 
specifications adopted or established by the Secretary with respect to 
the data element or transaction under sections 1172 through 1174 of the 
Act.
    Under our definition, a standard would be a set of rules for a set 
of codes, data elements, transactions, or identifiers promulgated 
either by an organization accredited by the American National Standards 
Institute or HHS for the electronic transmission of health information.
    10. Transaction.
    ``Transaction'' would mean the exchange of information between two 
parties to carry out financial and administrative activities related to 
health care. A transaction would be any of the transactions listed in 
section 1173(a)(2) of the Act and any determined appropriate by the 
Secretary in accordance with section 1173(a)(1)(B) of the Act. We 
present them below in the order in which we propose to list them in the 
regulations text to this document and in the regulations document for 
proposed standards for these transactions that we will publish later.
    A ``transaction'' would mean any of the following:
    a. Health claims or equivalent encounter information.
    This transaction may be used to submit health care claim billing 
information, encounter information, or both, from health care providers 
to health plans, either directly or via intermediary billers and claims 
clearinghouses.
    b. Health care payment and remittance advice.
    This transaction may be used by a health plan to make a payment to 
a financial institution for a health care provider (sending payment 
only), to send an explanation of benefits or a remittance advice 
directly to a health care provider (sending data only), or to make 
payment and send an explanation of benefits remittance advice to a 
health care provider via a financial institution (sending both payment 
and data).
    c. Coordination of benefits.
    This transaction can be used to transmit health care claims and 
billing payment information between health plans with different payment 
responsibilities where coordination of benefits is required or between 
health plans and regulatory agencies to monitor the rendering, billing, 
and/or

[[Page 25328]]

payment of health care services within a specific health care/insurance 
industry segment.
    In addition to the nine electronic transactions specified in 
section 1173(a)(2) of the Act, section 1173(f) directs the Secretary to 
adopt standards for transferring standard data elements among health 
plans for coordination of benefits and sequential processing of claims. 
This particular provision does not state that these should be standards 
for electronic transfer of standard data elements among health plans. 
However, we believe that the Congress, when writing this provision, 
intended for these standards to apply to the electronic form of 
transactions for coordination of benefits and sequential processing of 
claims. The Congress expressed its intent on these matters generally in 
section 1173(a)(1)(B), where the Secretary is directed to adopt ``other 
financial and administrative transactions . . . consistent with the 
goals of improving the operation of the health care system and reducing 
administrative costs''. Adoption of a standard for electronic 
transmission of standard data elements among health plans for 
coordination of benefits and sequential processing of claims would 
serve these goals expressed by the Congress.
    d. Health claim status.
    This transaction may be used by health care providers and 
recipients of health care products or services (or their authorized 
agents) to request the status of a health care claim or encounter from 
a health plan.
    e. Enrollment and disenrollment in a health plan.
    This transaction may be used to establish communication between the 
sponsor of a health benefit and the health plan. It provides enrollment 
data, such as subscriber and dependents, employer information, and 
primary care health care provider information. The sponsor is the 
backer of the coverage, benefit, or product. A sponsor can be an 
employer, union, government agency, association, or insurance company. 
The health plan refers to an entity that pays claims, administers the 
insurance product or benefit, or both.
    f. Eligibility for a health plan.
    This transaction may be used to inquire about the eligibility, 
coverage, or benefits associated with a benefit plan, employer, plan 
sponsor, subscriber, or a dependent under the subscriber's policy. It 
also can be used to communicate information about or changes to 
eligibility, coverage, or benefits from information sources (such as 
insurers, sponsors, and health plans) to information receivers (such as 
physicians, hospitals, third party administrators, and government 
agencies).
    g. Health plan premium payments.
    This transaction may be used by, for example, employers, employees, 
unions, and associations to make and keep track of payments of health 
plan premiums to their health insurers. This transaction may also be 
used by a health care provider, acting as liaison for the beneficiary, 
to make payment to a health insurer for coinsurance, copayments, and 
deductibles.
    h. Referral certification and authorization.
    This transaction may be used to transmit health care service 
referral information between primary care health care providers, health 
care providers furnishing services, and health plans. It can also be 
used to obtain authorization for certain health care services from a 
health plan.
    i. First report of injury.
    This transaction may be used to report information pertaining to an 
injury, illness, or incident to entities interested in the information 
for statistical, legal, claims, and risk management processing 
requirements.
    j. Health claims attachments.
    This transaction may be used to transmit health care service 
information, such as subscriber, patient, demographic, diagnosis, or 
treatment data for the purpose of a request for review, certification, 
notification, or reporting the outcome of a health care services 
review.
    k. Other transactions as the Secretary may prescribe by regulation.
    Under section 1173(a)(1)(B) of the Act, the Secretary shall adopt 
standards, and data elements for those standards, for other financial 
and administrative transactions deemed appropriate by the Secretary. 
These transactions would be consistent with the goals of improving the 
operation of the health care system and reducing administrative costs.

C. Effective Dates--General

    In general, any given standard would be effective 24 months after 
the effective date (36 months for small health plans) of the final rule 
for that standard. Because there are other standards to be established 
than those in this proposed rule, we specify the date for a given 
standard under the subpart for that standard.
    If HHS adopts a modification to an implementation specification or 
a standard, the implementation date of the modification would be no 
earlier than the 180th day following the adoption of the modification. 
HHS would determine the actual date, taking into account the time 
needed to comply due to the nature and extent of the modification. HHS 
would be able to extend the time for compliance for small health plans. 
This provision would be at Sec. 142.106.
    The law does not address scheduling of implementation of the 
standards; it gives only a date by which all concerned must comply. As 
a result, any of the health plans, health care clearinghouses, and 
health care providers may implement a given standard earlier than the 
date specified in the subpart created for that standard. We realize 
that this may create some problems temporarily, as early implementers 
would have to be able to continue using old standards until the new 
ones must, by law, be in place.
    At the WEDI Healthcare Leadership Summit held on August 15, 1997, 
it was recommended that health care providers not be required to use 
any of the standards during the first year after the adoption of the 
standard. However, willing trading partners could implement any or all 
of the standards by mutual agreement at any time during the 2-year 
implementation phase (3-year implementation phase for small health 
plans). In addition, it was recommended that a health plan give its 
health care providers at least 6 months notice before requiring them to 
use a given standard.
    We welcome comments specifically on early implementation as to the 
extent to which it would cause problems and how any problems might be 
alleviated.

D. NPI Standard

[Please label written and e-mailed comments about this section with 
the subject: NPI STANDARD.]

    Section 142.402, Provider identifier standard, would contain the 
national health care provider identifier standard. There is no 
recognized standard for health care provider identification as defined 
in the law. (That is, there is no standard that has been developed, 
adopted, or modified by a standard setting organization after 
consultation with the NUBC, NUCC, WEDI, and the ADA.) Therefore, we 
would designate a new standard.
    We are proposing as the standard the national provider identifier 
(NPI), which would be maintained by HCFA. As discussed under the 
Background section earlier in this preamble, the NPI is an 8-position 
alphanumeric identifier. It includes as the 8th position a numeric 
check digit to assist in identifying erroneous or invalid NPIs. The 
check digit is a recognized International Standards Organization [ISO] 
standard. The check digit algorithm must be computed from an all-
numeric base

[[Page 25329]]

number. Therefore, any alpha characters that may be part of the NPI are 
translated to specific numerics before the calculation of the check 
digit. The NPI format would allow for the creation of approximately 20 
billion unique identifiers.
    The 8-position alphanumeric format was chosen over a longer 
numeric-only format in order to keep the identifier as short as 
possible while providing for an identifier pool that would serve the 
industry's needs for a long time. However, we recognize that some 
health care providers and health plans might have difficulty in the 
short term in accommodating alphabetic characters. Therefore, we 
propose to issue numeric-only identifiers first and to introduce 
alphabetic characters starting with the first position of the NPI. This 
would afford additional time for health care providers and health plans 
to accommodate the alphabetic characters.
    1. Selection criteria.
    Each individual implementation team weighted the criteria described 
in section I.D., Process for Developing National Standards, in terms of 
the standard it was addressing. As we assessed the various options for 
a provider identifier against the criteria, it became apparent that 
many of the criteria would be satisfied by all of the provider 
identifier candidates. Consequently, we concentrated on the four 
criteria (1, 2, 3, and 10) that were not satisfied by all of the 
options. These criteria are described below in the specific context of 
the provider identifier.
    #1. Improve the efficiency and effectiveness of the health care 
system.
    In order to be integrated into electronic transactions efficiently, 
standard provider identifiers must be easily accessible. Health plans 
must be able to obtain identifiers and other key data easily in order 
to use the identifier in electronic transactions. Existing health care 
provider files have to be converted to the new standard. In addition, 
health care providers will need to know other health care providers' 
identifiers (for example, a hospital needs the identifiers of all 
physicians who perform services in the facility). To meet this 
criterion, we believe the identifier should not be proprietary; that 
is, it should be possible to communicate identifiers freely as needed. 
Moreover, the issuer must be able to reliably issue each health care 
provider only one identifier and to issue each identifier only once.
    #2. Meet the needs of the health data standards user community.
    The identifier must be comprehensive. It must accommodate all 
health care provider types or must be capable of being expanded to do 
so. Based on our definition of ``health care provider'', this includes 
individual health care providers who are employed by other health care 
providers and alternative practitioners who may not be currently 
recognized by health plans. The identifier must have the capacity to 
enumerate health care providers for many years without reuse of 
previously-assigned identifiers. To meet this criterion, we believe 
that, over time, the identifier must be capable of uniquely identifying 
at least 100 million entities.
    #3. Be consistent and uniform with other HIPAA and other private 
and public sector health data standards in providing for privacy and 
confidentiality.
    Confidentiality of certain health care provider data must be 
maintained. Certain data elements (for example, social security number 
and date of birth) needed to enumerate an individual health care 
provider reliably should not be made available to the public.
    #10. Incorporate flexibility to adapt more easily to changes.
    To meet this criterion, the identifier must be intelligence-free 
(the identifier itself should not contain any information about the 
health care provider). Intelligence in the identifier would require 
issuing a new identifier if there is a change in that information. For 
example, an identifier containing a State code would no longer be 
accurate if the health care provider moves to another State.
    2. Candidate identifiers.
    We assessed a number of candidate identifiers to see if they met 
the four specific criteria discussed above. We first assessed the 
identifiers listed in the inventory of standards prepared for the 
Secretary by the Health Informatics Standards Board. Those standards 
are the unique physician identification number (UPIN), which is issued 
by HCFA; the health industry number (HIN), which is issued by the 
Health Industry Business Communications Council; the National 
Association of Boards of Pharmacy (NABP) number, which is issued by the 
National Council for Prescription Drug Programs in cooperation with the 
NABP; and the national provider identifier (NPI), which is being 
developed by HCFA.
    Unique physician identification numbers are currently issued to 
physicians, limited license practitioners, group practices, and certain 
noninstitutional providers (for example, ambulance companies). These 
numbers are issued to health care providers through Medicare carriers, 
and generally only Medicare providers have them. The unique physician 
identification number is used to identify ordering, performing, 
referring, and attending health care providers in Medicare claims 
processing. The computer system that generates the numbers is 
maintained by HCFA and is able to detect duplicate health care 
providers. The unique physician identification number is in the public 
domain and could be made widely accessible to health care providers and 
health plans. These numbers do contain intelligence (the first position 
designates a provider type, e.g., physician) and are only six positions 
long, which would not be able to accommodate a sufficient number of 
future health care providers. The unique physician identification 
number does not meet criteria 2 and 10.
    The health industry number is used for contract administration in 
the health industry supply chain, as a prescriber identifier for claims 
processing, and for market analysis. It consists of a base 7-position 
alpha-numeric identifier and a 2-position alpha-numeric suffix 
identifying the location of the prescriber. The suffix contains 
intelligence. Health industry numbers can enumerate individual 
prescribers as well as institutional providers. They are issued via a 
proprietary system maintained by the Health Industry Business 
Communications Council, which permits subscriptions to the database by 
data re-sellers and others. In addition, it does not collect sufficient 
data for thorough duplicate checking of individuals. The health 
industry number does not meet criteria 1, 3, and 10.
    The National Association of Boards of Pharmacy number is a 7-digit 
numeric identifier assigned to licensed pharmacies. It is used to 
identify pharmacies to various payers. Its first two digits denote the 
State, the next four positions are assigned sequentially, and the last 
position is a check digit. We cannot assess data accessibility or 
privacy and confidentiality at this time because of the very limited 
applicability of the number. A 7-digit numeric identifier would not 
yield a sufficient quantity of identifiers, and there is intelligence 
in the number. This number does not meet criteria 2 and 10.
    The NPI is intended to be a universal identifier, which can be used 
to enumerate all types of health care providers, and the supporting 
data structure incorporates a comprehensive list of provider types 
developed by an ANSI Accredited Standards Committee X12N workgroup. It 
is an intelligence-free 8-position alpha-numeric identifier, with the 
eighth position being a check digit, allowing for approximately 20

[[Page 25330]]

billion possible identifiers. The NPI would not be proprietary and 
would be widely available to the industry. The system that would 
enumerate health care providers would be maintained by HCFA, and data 
would therefore be safeguarded under the Privacy Act (5 U.S.C 552a). 
The system would also incorporate extensive search and duplicate 
checking routines into the enumeration process. The NPI meets all four 
of these criteria.
    In addition, we examined the social security number issued by the 
Social Security Administration, the DEA number issued by the Drug 
Enforcement Administration, the employer identification number issued 
by the Internal Revenue Service, and the national supplier 
clearinghouse number issued by the Medicare program and used to 
identify suppliers of durable medical equipment and other suppliers. 
Neither the social security number nor the DEA number meets the 
accessibility test. The use of the social security number by Federal 
agencies is protected by the Privacy Act, and the DEA number must 
remain confidential in order to fulfill its intended function of 
monitoring controlled substances. The employer identification number 
does not meet the comprehensiveness test, because some individual 
health care providers do not qualify for one. The length of the 
national supplier clearinghouse number is 10 positions; to expand it 
would make it too long. Also, it is not intelligence-free, since the 
first portion of the identifier links health care providers together 
into business entities. The last four positions are reserved for 
subentities, leaving only the first six positions to enumerate unique 
health care provider entities.
    Based on this analysis, we recommend the NPI be designated as the 
standard identifier for health care providers. It is the only candidate 
identifier that meets all four of the criteria above. In addition, the 
NPI would be supported by HCFA to assure continuity. As discussed in 
section VII. of this preamble, on collection of information 
requirements, the data collection and paperwork burdens on users would 
be minimal, and the NPI can be used in other standard transactions 
under the HIPAA. In addition, as discussed in sections III.B., 
Enumerators, and IX., Impact Analysis, implementation costs per health 
care provider and per health plan would be relatively low, and we would 
develop implementation procedures. The NPI would be platform and 
protocol independent, and the structure of the identifier has been 
precisely stated. The NPI is not fully operational, but it is 
undergoing testing at this time, and comprehensive testing will be 
completed before the identifier is implemented.
    3. Consultations.
    In the development of the NPI, we consulted with many 
organizations, including those that the legislation requires (section 
1172(c)(3)(B) of the Act). Subsequently, the NPI has been endorsed by 
several government and private organizations:
    a. The NCVHS endorsed the NPI in a Federal Register notice on July 
24, 1997 (62 FR 39844).
    b. The NUBC endorsed the NPI in August 1996.
    c. The ADA indicated its support, in concept, of the development of 
a unique, singular, national provider identifier for all health care 
providers in December 1996.
    d. The NUCC supported the establishment of the NPI in January 1997, 
subject to the following issues being fully addressed:
     The business needs and rationale for each identifier be 
clearly established for health care, in both the private and government 
sectors, as part of the identifier definition process.
     The scope and nature of, and the rationale for, the 
entities subject to enumeration be clearly defined.
     All issues arising out of the health care industry's 
review of the proposed identifier, including any ambiguities in the law 
or proposed rule, be acknowledged and addressed.
     Distribution of identifier products/maintenance to health 
care providers, payers and employers be low cost and efficient. There 
should be no cost to have a number assigned to an individual health 
care provider or business.
    e. WEDI indicated support for ``the general concept of the NPI as 
satisfying the national provider identifier requirement of HIPAA'' in a 
May 1997 letter to the Secretary. WEDI further stated that the NPI is 
equal to or better than alternative identifiers, but noted that it 
cannot provide an unqualified opinion until operational and technical 
details are disclosed in this regulation.
    f. The State of Minnesota endorsed the NPI in Minnesota Statutes 
Section 62J.54, dated February 1996.
    g. The Massachusetts Health Data Consortium's Affiliated Health 
Information Networks of New England endorsed the NPI as the standard 
provider locator for electronic data interchange in March 1996.
    h. The USA Registration Committee approved the NPI as an 
International Standards Organization card issuer identifier in August 
1996, for use on magnetic cards.
    i. The National Council for Prescription Drug Programs indicated 
support for the NPI effort in an October 1996 letter to the Secretary.

E. Requirements

[Please label written and e-mailed comments about this section with 
the subject: Requirements.]

    1. Health plans.
    In Sec. 142.404, Requirements: Health plans, we would require 
health plans to accept and transmit, directly or via a health care 
clearinghouse, the NPI on all standard transactions wherever required. 
Federal agencies and States may place additional requirements on their 
health plans.
    2. Health care clearinghouses.
    We would require in Sec. 142.406, Requirements: Health care 
clearinghouses, that each health care clearinghouse use the NPI 
wherever an electronic transaction requires it.
    3. Health care providers.
    In Sec. 142.408, Requirements: Health care providers, we would 
require each health care provider that needs an NPI for HIPAA 
transactions to obtain, by application if necessary, an NPI and to use 
the NPI wherever required on all standard transactions that it directly 
transmits or accepts. The process by which health care providers will 
apply for and obtain NPIs has not yet been established. This proposed 
rule (in section III., Implementation of the NPI) presents 
implementation options by which health care providers will apply for 
and obtain NPIs. We are seeking comments on the options, and welcome 
other options for consideration. In one of the options we are 
presenting, we anticipate that the initial enumeration of health care 
providers that are already enrolled in Medicare, other Federal programs 
named as health plans, and Medicaid would be done by those health 
plans. Those health care providers would not have to apply for NPIs but 
would instead have their NPIs issued automatically. Non-Federal and 
non-Medicaid providers would need to apply for NPIs to a Federally-
directed registry for initial enumeration. The information that will be 
needed in order to issue an NPI to a health care provider is discussed 
in this preamble in section IV. Data. Depending on the implementation 
option selected, Federal and Medicaid health care providers may not 
need to provide this information because it would already be available 
to the entities that would be enumerating them. In one of the options, 
health care providers would be assigned their NPIs in the course of 
enrolling in the Federal health plan or in Medicaid. Both options may 
require, to some degree, the

[[Page 25331]]

development of an application to be used in applying for an NPI.
    We would require each health care provider that has an NPI to 
forward updates to the data in the database to an NPI enumerator within 
60 days of the date the change occurs. We are soliciting comments on 
whether these updates should be applicable to all the data elements 
proposed to be included in the national provider file (NPF) or only to 
those data elements that are critical for enumeration. For example, we 
would like to know whether the addition of a credential should be 
required to be reported within the 60-day period, or whether such 
updates should be limited to name or address changes or other data 
elements that are required to enumerate a health care provider.

F. Effective Dates of the NPI

    Health plans would be required to comply with our requirements as 
follows:
    1. Each health plan that is not a small health plan would have to 
comply with the requirements of Secs. 142.104 and 142.404 no later than 
24 months after the effective date of the final rule.
    2. Each small health plan would have to comply with the 
requirements of Secs. 142.104 and 142.404 no later than 36 months after 
the effective date of the final rule.
    3. If HHS adopts a modification to a standard or implementation 
specification, the implementation date of the modification would be no 
earlier than the 180th day following the adoption of the modification. 
HHS would determine the actual date, taking into account the time 
needed to comply due to the nature and extent of the modification. HHS 
would be able to extend the time for compliance for small health plans.
    Health care clearinghouses and affected health care providers would 
have to begin using the NPI no later than 24 months after the effective 
date of the final rule.
    Failure to comply with standards may result in monetary penalties. 
The Secretary is required by statute to impose penalties of not more 
than $100 per violation on any person who fails to comply with a 
standard, except that the total amount imposed on any one person in 
each calendar year may not exceed $25,000 for violations of one 
requirement. We will propose enforcement procedures in a future Federal 
Register document once the industry has more experience with using the 
standards.

III. Implementation of the NPI

[Please label written and e-mailed comments about this section with 
the subject: Implementation.]

A. The National Provider System

    We would implement the NPI through a central electronic enumerating 
system, the national provider system (NPS). This system would be a 
comprehensive, uniform system for identifying and uniquely enumerating 
health care providers at the national level, not unlike the process now 
used to issue social security numbers. HCFA would exercise overall 
responsibility for oversight and management of the system. Health care 
providers would not interact directly with the NPS.
    The process of identifying and uniquely enumerating health care 
providers is separate from the process health plans follow in enrolling 
health care providers in their health programs. Even with the advent of 
assignment of NPIs by the NPS, health plans would still have to follow 
their own procedures for receiving and verifying information from 
health care providers that apply to them for enrollment in their health 
programs. Unique enumeration is less expensive than plan enrollment 
because it does not require as much information to be collected, 
edited, and verified. We welcome comments on the cost of provider 
enrollment in a health plan.
    NPIs would be issued by one or more organizations to which we refer 
in this preamble as ``enumerators.'' The functions we foresee being 
carried out by enumerators are presented in section B. Enumerators in 
this preamble. The NPS would edit the data, checking for consistency, 
formatting addresses, and validating the social security number. It 
would then search the database to determine whether the health care 
provider already has an NPI. If so, that NPI would be displayed. If 
not, an NPI would be assigned. If the health care provider is similar 
(but not identical) to an already-enumerated health care provider, the 
information would be passed back to the enumerator for further 
analysis. Enumerators would also communicate NPIs back to the health 
care providers and maintain the NPS database. The number of enumerators 
would be limited in the interest of data quality and consistency.
    Because the Medicare program maintains files on more health care 
providers than any other health care program in the country, we 
envision using data from those files to initially populate the NPF that 
is being built by the NPS and would be accessed by the enumerator(s). 
The data we are considering for inclusion in this file are described in 
section IV. Data in this preamble.

B. Enumerators

    The enumerator(s) would carry out the following functions: assist 
health care providers and answer questions; accept the application for 
an NPI; validate as many of the data elements as possible at the point 
of application to assure the submitted data are accurate and the 
application is authentic; enter the data into the NPS to obtain an NPI 
for the health care provider; research cases where there is a possible 
match to a health care provider already enumerated; notify the health 
care provider of the assigned NPI; and enter updated data into the NPS 
when notified by the health care provider. Some of these functions 
would not be necessary if the enumerator(s) is an entity that enrolls 
health care providers in its own health plan and would be enumerating 
health care providers at the time they are enrolling in the entity's 
health plan. For example, if a Federal health plan is an enumerator, 
some of the functions listed above would not have to be performed 
separately from what the health plan would do in its regular business.
    The major issue related to the operation of this process is 
determining who the enumerator(s) will be.
    1. Possible enumerators.
    We had several choices in deciding who should enumerate health care 
providers. There are advantages and disadvantages to each of these 
choices:
     A registry:
    A central registry operated under Federal direction would enumerate 
all health care providers. The Federally-directed registry could be a 
single physical entity or could be a number of agents controlled by a 
single entity and operating under common procedures and oversight.
    For: The process would be consistent; centralized operation would 
assure consistent data quality; the concept of a registry is easy to 
understand (single source for identifiers).
    Against: The cost of creating a new entity rather than enumerating 
as part of existing functions (for example, plan enrollment) would be 
greater than having existing entities enumerate; there would be 
redundant data required for enumeration and enrollment in a health 
plan.
     Private organization(s):
    A private organization(s) that meets certain selection criteria and 
performance standards, which would post a surety bond related to the 
number

[[Page 25332]]

of health care providers enumerated could enumerate health care 
providers.
    For: The organization(s) would operate in a consistent manner under 
uniform requirements and standards; failure to maintain prescribed 
requirements and standards could result in penalties which could 
include suspension or debarment from being an enumerator.
    Against: A large number of private enumerators would compromise the 
quality of work and be difficult to manage; the administrative work 
required to set up arrangements for a private enumerator(s) may be 
significant; the cost of creating a new entity rather than enumerating 
as part of existing functions (for example, plan enrollment) would be 
greater than having existing entities enumerate; there might be 
redundant data required for enumeration and enrollment in a health 
plan; the legality of privatization would need to be researched.
     Federal health plans and Medicaid State agencies:
    Federal programs named as health plans and Medicaid State agencies 
would enumerate all health care providers. (As stated earlier under the 
definition of ``health plan'', the Federal Employees Health Benefits 
Program is comprised of numerous health plans, rather than just one, 
and does not deal directly with health care providers that are not also 
health plans. Thus, the program would not enumerate health care 
providers but would still require the NPI to be used.)
    For: These health plans already assign numbers to their health care 
providers; a large percentage of health care providers do business with 
Federal health plans and Medicaid State agencies; there would be no 
appreciable costs for these health plans to enumerate as part of their 
enrollment process; a small number of enumerators would assure 
consistent data quality.
    Against: Not all health care providers do business with any of 
these health plans; there would be the question of which health plan 
would enumerate the health care provider that participates in more than 
one; we estimate that approximately 5 percent of the State Medicaid 
agencies may decline to take on this additional task.
     Designated State agency:
    The Governor of each State would designate an agency to be 
responsible for enumerating health care providers within the State. The 
agency might be the State Medicaid agency, State licensing board, 
health department, or some other organization. Each State would have 
the flexibility to develop its most workable approach.
    For: This choice would cover all health care providers; there would 
be a single source of enumeration in each State; States could devise 
the least expensive mechanisms (for example, assign NPI during 
licensing); license renewal cycles would assure periodic checks on data 
accuracy.
    Against: This choice would place an unfunded workload on States; 
States may decline to designate an agency; there may be insufficient 
funding to support the costs the States would incur; State licensing 
agencies may not collect enough information during licensing to ensure 
uniqueness across States; States may not be uniform in their 
definitions of ``providers.''
     Professional organizations or training programs:
    We would enlist professional organizations to enumerate their 
members and/or enable professional schools to enumerate their students.
    For: Individuals could be enumerated at the beginning of their 
careers; most health care providers either attend a professional school 
or belong to an organization.
    Against: Not all health care providers are affiliated with an 
organization or school; this choice would result in many enumerators 
and thus potentially lower the data quality; schools would not be in a 
position to update data once the health care provider has graduated; 
the choice would place an unfunded workload on schools and/or 
organizations.
     Health plans:
    Health plans in general would have access to the NPS to enumerate 
any of their health care providers.
    For: Most health care providers do business with one or more health 
plans; there would be a relatively low cost for health plans to 
enumerate as part of enrollment; this choice would eliminate the need 
for redundant data.
    Against: Not all health care providers are affiliated with a health 
plan; this choice would be confusing for the health care provider in 
determining which health plan would enumerate when the health care 
provider is enrolled in multiple health plans; there would be a very 
large number of enumerators and thus potentially serious data quality 
problems; the choice would place unfunded workload on health plans.
     Combinations:
    We also considered using combinations of these choices to maximize 
advantages and minimize disadvantages.
    2. Options:
    If private organizations, as enumerators, could charge health care 
providers a fee for obtaining NPIs, this enumeration option would be 
attractive and more preferable than the other choices or combinations, 
as it would offer a way to fund the enumeration function. In 
researching the legality of this approach, however, we were advised 
that we do not have the authority to (1) charge health care providers a 
fee for obtaining NPIs, or (2) license private organizations that could 
charge health care providers for NPIs. For these reasons, we chose not 
to recommend private organizations as enumerators.
    The two most viable options are described below. We solicit input 
on these options, as well as on alternate solutions.
    Option 1: Registry enumeration of all health care providers.
    All health care providers would apply directly to a Federally-
directed registry for an identifier. The registry, while under Federal 
direction, would probably be operated by an agent or contractor. This 
option is favored by some health plans, which believe that a single 
entity should be given the task of enumerating health care providers 
and maintaining the database for the sake of consistency. It would also 
be the simplest option for health care providers, since enumeration 
activities would be carried out for all health care providers by a 
single entity. The major drawback to this option is the high cost of 
establishing a registry large enough to process enumeration and update 
requests for the 1.2 million current and 30,000 new (annually) health 
care providers that conduct HIPAA transactions. The costs of this 
option are discussed in section J.2.d., Enumerators, in the impact 
analysis in this Federal Register document. The statute did not provide 
a funding mechanism for the enumeration/update process. Federal funds, 
if available, could support the registry. We seek comments on funding 
mechanisms for the registry.
    This option does not offer a clear possibility for funding some of 
the costs associated with the operation and maintenance of the NPS as 
it becomes national in scope (that is, as the NPS enumerates health 
care providers that are not Medicare providers). We solicit comments on 
appropriate methods for funding the NPS under this option.
    Option 2: A combination of Federal programs named as health plans, 
Medicaid State agencies, and a Federally-directed registry.
    Federal health plans and Medicaid State agencies would enumerate 
their own health care providers. Each health care provider 
participating in more than one health plan could choose the health

[[Page 25333]]

plan by which it wishes to be enumerated. All other health care 
providers would be enumerated by a Federally-directed registry. These 
latter health care providers would apply directly to the registry for 
an identifier.
    The number of enumerators, and the number of health care providers 
per enumerator, would be small enough that each enumerator would be 
able to carefully validate data received from and about each of its 
health care providers. Moreover, enumerators (aside from the registry) 
would be dealing with their own health care providers, an advantage 
both in terms of cost equity and data quality. This option recognizes 
the fact that Federal plans and Medicaid State agencies already assign 
identifiers to their health care providers for their own programmatic 
purposes. It would standardize those existing processes and, in some 
cases, may increase the amount of data collected or validation 
performed. We have concluded that the cost of concurrently enumerating 
and enrolling a Medicare or Medicaid provider is essentially the same 
as the cost of enrollment alone because of the high degree of 
redundancy between the processes. While there would probably be 
additional costs initially, they would be offset by savings in other 
areas (e.g., there would be a simplified, more efficient coordination 
of benefits; a health care provider would only have to be enumerated 
once; there would be no need to maintain more than one provider number 
for each health care provider; and there would be no need to maintain 
more than one enumeration system).
    The Federal Government is responsible for 75 percent of Medicaid 
State agency costs to enumerate and update health care providers. 
Because we believe that, on average, the costs incurred by Medicaid 
State agencies in enumerating and updating their own health care 
providers to be relatively low and offset by savings, there are no 
tangible costs involved.
    Allowing these health plans to continue to enumerate their health 
care providers would reduce the registry workload and its operating 
costs. We estimate that approximately 85 percent of billing health care 
providers transact business with a Medicaid State agency or a Federal 
health plan. We estimate that 5 percent of Medicaid State agencies may 
decline to enumerate their health care providers. If so, that work 
would have to be absorbed by the registry. This expense could be offset 
by the discontinuation of the UPIN registry, which is currently 
maintained with Federal funds. The costs of this option are discussed 
in section J.2.d., Enumerators, of the impact analysis.
    We welcome comments on the number of health care providers that 
would deal directly with a registry under this option and on 
alternative ways to enumerate them.
    This option does not offer a clear possibility for funding some of 
the costs associated with the operation and maintenance of the NPS as 
it becomes national in scope (that is, as the NPS enumerates health 
care providers that are not Medicare providers). We solicit comments on 
appropriate methods for funding the NPS under this option.
    We believe that option 2 is the most advantageous and the least 
costly. Option 1 is the simplest for health care providers to 
understand but has a significant Federal budgetary impact. Option 2 
takes advantage of existing expertise and processes to enumerate the 
majority of health care providers. This reduces the cost of the 
registry in option 2 to a point where it would be largely offset by 
savings from eliminating redundant enumeration processes.
    3. Fees and costs.
    Because the statute did not provide a funding mechanism for the 
enumeration process, Federal funds, if available, would be required to 
finance this function. We seek comment on any burden that various 
financing options might impose on the industry.
    We welcome comments on possible ways to reduce the costs of 
enumeration.
    While the NPS has been developed to date by HCFA with Federal 
funds, issues remain as to sources of future funding as the NPS becomes 
national in use. We welcome your comments on sources for this funding.
    4. Enumeration phases.
    We intend to implement the NPI in phases because the number of 
potential health care providers to be enumerated is too large to 
enumerate at one time, regardless of the number of enumerators. We 
describe in a., b., and c. below how the process would work if option 2 
were selected and in d. below how implementation of option 1 would 
differ.
    a. Health care providers that participate in Medicare (including 
physicians and other suppliers that furnish items and services covered 
by Medicare) would be enumerated first because, as the managing entity, 
HCFA has data readily available for all Medicare providers. Health care 
providers that are already enrolled in Medicare at the time of 
implementation would be enumerated based on existing Medicare provider 
databases that have already been reviewed and validated. These health 
care providers would not have to request an NPI--they would 
automatically receive one. After this initial enumeration, new and non-
Medicare health care providers not yet enumerated that wish to 
participate in Medicare would receive an NPI as a part of the 
enrollment process.
    b. Medicaid and non-Medicare Federal health plans that need to 
enumerate their health care providers would follow a similar process, 
based on a mutually agreed-upon timetable. Those health plans' existing 
prevalidated databases could be used to avoid requiring large numbers 
of health care providers to apply for NPIs. If a health care provider 
were already enumerated by Medicare, that NPI would be communicated to 
the second program. After the initial enumeration, new health care 
providers that wish to participate in Medicaid or a Federal health plan 
other than Medicare would receive an NPI as a part of that enrollment 
process. Health care providers that transact business with more than 
one such health plan could be enumerated by any one of those health 
plans. This phase would be completed within 2 years after the effective 
date of the final rule.
    c. A health care provider that does not transact any business with 
Federal health plans or Medicaid but that does conduct electronically 
any of the transactions stipulated in HIPAA (for example, submits 
claims electronically to a private health plan) would be enumerated via 
a Federally-directed registry. This enumeration would be done 
concurrently with the enumeration described in b., above. Health care 
providers would apply to the registry for an NPI.
    After the first two phases of enumeration (that is, enumeration of 
health care providers enrolled or enrolling in Federal health plans or 
Medicaid or health care providers that do not conduct business with any 
of those plans but that conduct any of the HIPAA transactions 
electronically), the health care providers remaining would be those 
that do not conduct electronically any of the transactions specified in 
HIPAA. We refer to these health care providers as ``non-HIPAA-
transaction health care providers.'' The non-HIPAA-transaction health 
care providers would not be enumerated in the first two phases of 
enumeration. We do not intend to enumerate these health care providers 
until all health care providers requiring NPIs by statute are 
enumerated and funds are available. In some cases, these health care 
providers may wish to be enumerated even though

[[Page 25334]]

they do not conduct electronic transactions. Health plans may prefer to 
use the NPI for all health care providers, whether or not they submit 
transactions electronically, for the sake of processing efficiency. In 
addition, some health care providers may wish to be enumerated even 
though they conduct no designated transactions and are not affiliated 
with any health plan. Additional research is required on the time table 
and method by which non-HIPAA-transaction health care providers would 
be enumerated.
    d. If option 1 were selected, the Federally-directed registry would 
enumerate all health care providers. With a single enumeration point 
(although it could consist of several agents controlled by a single 
entity, as stated earlier), we would envision enumeration taking place 
in the following phases: Medicare providers; Medicaid providers and 
other non-Medicare Federal providers; health care providers that do not 
transact any business with the aforementioned plans but that process 
electronically any of the transactions stipulated in HIPAA; and all 
other health care providers (i.e., non-HIPAA-transaction health care 
providers).

C. Approved Uses of the NPI

    The law requires that we specify the appropriate uses of the NPI.
    Two years after adoption of this standard (3 years for small health 
plans) the NPI must be used in the health care system in connection 
with the health-related financial and administrative transactions 
identified in section 1173(a). The NPI may also be used as a cross 
reference in health care provider fraud and abuse files and other 
program integrity files (for example, the HHS Office of the Inspector 
General sanction file). The NPI may be used to identify health care 
providers for debt collection under the provisions of the Debt 
Collection Information Act of 1996 and the Balanced Budget Act of 1997, 
and for any other lawful activity requiring individual identification 
of health care providers. It may not be used in any activity otherwise 
prohibited by law.
    Other examples of approved uses would include:
     Health care providers may use their own NPIs to identify 
themselves in health care transactions or related correspondence.
     Health care providers may use other health care providers' 
NPIs as necessary to complete health care transactions and on related 
correspondence.
     Health care providers may use their own NPIs on 
prescriptions (however, the NPI could not replace the DEA number or 
State license number where either of those numbers is required on 
prescriptions).
     Health plans may use NPIs in their internal provider files 
to process transactions and may use them on transactions and in 
communications with health care providers.
     Health plans may communicate NPIs to other health plans 
for coordination of benefits.
     Health care clearinghouses may use NPIs in their internal 
files to create and process standard transactions and in communications 
with health care providers and health plans.
     NPIs may be used to identify treating health care 
providers in patient medical records.

D. Summary of Effects on Various Entities

    We summarize here how the implementation of the NPI would affect 
health care providers, health plans, and health care clearinghouses, if 
option 2 were selected. Differences that would result from selection of 
option 1 are noted parenthetically.
    1. Health care providers.
    a. Health care providers interacting with Medicare, another Federal 
plan, or a Medicaid State agency would receive their NPIs from the NPS 
via one of those programs and would be required to use their NPIs on 
all the specified electronic transactions. Each plan would establish 
its own schedule for adopting the NPI, within the time period specified 
by the law. Whether a given plan would automatically issue the NPIs or 
require the health care providers to apply for them would be up to the 
plan. (For example, the Medicare program would issue NPIs automatically 
to its currently enrolled Medicare providers and suppliers; data on its 
future health care providers and suppliers would be collected on the 
Medicare enrollment application.) The Federal or State plan may impose 
requirements other than those stated in the regulations.
    The health care providers would be required to update any data 
collected from them by submitting changes to the plan within 60 days of 
the change. Health care providers that transact business with multiple 
plans could report changes to any one of them. (Selection of option 1 
would mean that the health care provider would obtain the NPI from, and 
report changes to, the Federally-directed registry.)
    b. Health care providers that conduct electronic transactions but 
do not do so with Federal health plans or Medicaid would receive their 
NPIs from the NPS via the Federally-directed registry and would be 
required to use their NPIs on all the specified electronic 
transactions. Each health plan would establish its own schedule for 
adopting the NPI, within the time period specified by the law. The 
health care providers would be required to update any data originally 
collected from them by submitting changes within 60 days of the date of 
the change to the Federally-directed registry.
    c. Health care providers that are not covered by the above 
categories would not be required to obtain an NPI. (These health care 
providers are the non-HIPAA-transaction health care providers as 
described in section 4.c. of section B. Enumerators earlier in this 
preamble.) They may be enumerated if they wish, depending on 
availability of funds, but they would not be issued NPIs until those 
health care providers that currently conduct electronic transactions 
have received their NPIs. As stated earlier, the timetable and method 
by which the non-HIPAA-transaction health care providers would be 
enumerated must be determined. After the non-HIPAA-transaction health 
care providers are enumerated, they would be required to update any 
data originally collected from them by submitting changes within 60 
days of the date of the change. Those providers would report their 
changes to the registry or to a Federal plan or Medicaid State agency 
with which they transact business at the time of the change.
    2. Health plans.
    a. Medicare, other Federal health plans, and Medicaid would be 
responsible for obtaining NPIs from the NPS and issuing them to their 
health care providers. They would be responsible for updating the data 
base with data supplied by their health care providers. (Selection of 
option 1 would mean that Medicare, other Federal health plans, and 
Medicaid would not enumerate health care providers or update their 
data.)
    These government health plans would establish their own schedule 
for adopting the NPI, within the time period specified by the law. They 
would be able to impose requirements on their health care providers in 
addition to, but not inconsistent with, those in our regulations.
    b. Each remaining health plan would be required to use the NPI to 
identify health care providers in electronic transactions as provided 
by the statute. Each health plan would establish its own schedule for 
adopting the NPI, within the time period specified by the law. They 
would be able to impose requirements on their health care providers in 
addition to, but not inconsistent with, those in our regulations.

[[Page 25335]]

    3. Health care clearinghouses.
    Health care clearinghouses would be required to use a health care 
provider's NPI on electronic standard transactions requiring an NPI 
that are submitted on the health care provider's behalf.

IV. Data

[Please label written and e-mailed comments about this section with 
the subject: DATA.]

A. Data Elements

    The NPS would collect and store in the NPF a variety of information 
about a health care provider, as shown in the table below. We believe 
the majority of this information is used to uniquely identify a health 
care provider; other information is used for administrative purposes. A 
few of the data elements are collected at the request of potential 
users that have been working with HCFA in designing the database prior 
to the passage of HIPAA. All of these data elements represent only a 
fraction of the information that would comprise a provider enrollment 
file. The data elements in the table, plus cease/effective/termination 
dates, switches (yes/no), indicators, and history, are being considered 
as those that would form the NPF. We have included comments, as 
appropriate. The table does not display systems maintenance or similar 
fields, or health care provider cease/effective/termination dates.

                  National Provider File Data Elements                  
------------------------------------------------------------------------
          Data elements                   Comments            Purpose   
------------------------------------------------------------------------
National Provider Identifier      8-position alpha-        I            
 (NPI).                            numeric NPI assigned                 
                                   by the NPS.                          
Provider's current name.........  For Individuals only.    I            
                                   Includes first,                      
                                   middle, and last names.              
Provider's other name...........  For Individuals only.    I            
                                   Includes first,                      
                                   middle, and last                     
                                   names. Other names                   
                                   might include maiden                 
                                   and professional names.              
Provider's legal business name..  For Groups and           I            
                                   Organizations only.                  
Provider's name suffix..........  For Individuals only.    I            
                                   Includes Jr., Sr., II,               
                                   III, IV, and V.                      
Provider's credential             For Individuals only.    I            
 designation.                      Examples are MD, DDS,                
                                   CSW, CNA, AA, NP, RNA,               
                                   PSY.                                 
Provider's Social Security        For Individuals only...  I            
 Number (SSN).                                                          
Provider's Employer               Employer Identification  I            
 Identification Number (EIN).      Number.                              
Provider's birth date...........  For Individuals only...  I            
Provider's birth State code.....  For Individuals only...  I            
Provider's birth county name....  For Individuals only...  I            
Provider's birth country name...  For Individuals only...  I            
Provider's sex..................  For Individuals only...  I            
Provider's race.................  For Individuals only...  U            
Provider's date of death........  For Individuals only...  I            
Provider's mailing address......  Includes 2 lines of      A            
                                   street address, plus                 
                                   city, State, county,                 
                                   country, 5- or 9-                    
                                   position ZIP code.                   
Provider's mailing address        .......................  A            
 telephone number.                                                      
Provider's mailing address fax    .......................  A            
 number.                                                                
Provider's mailing address e-     .......................  A            
 mail address.                                                          
Resident/Intern code............  For certain Individuals  U            
                                   only.                                
Provider enumerate date.........  Date provider was        A            
                                   enumerated (assigned                 
                                   an NPI). Assigned by                 
                                   the NPS.                             
Provider update date............  Last date provider data  A            
                                   was updated. Assigned                
                                   by the NPS.                          
Establishing enumerator/agent     Identification number    A            
 number.                           of the establishing                  
                                   enumerator.                          
Provider practice location        2-position alpha-        I            
 identifier (location code).       numeric code (location               
                                   code) assigned by the                
                                   NPS.                                 
Provider practice location name.  Title (e.g., ``doing     I            
                                   business as'' name) of               
                                   practice location.                   
Provider practice location        Includes 2 lines of      I            
 address.                          street address, plus                 
                                   city, State, county,                 
                                   country, 5- or 9-                    
                                   position ZIP code.                   
Provider's practice location      .......................  A            
 telephone number.                                                      
Provider's practice location fax  .......................  A            
 number.                                                                
Provider's practice location e-   .......................  A            
 mail address.                                                          
Provider classification.........  From Accredited          I            
                                   Standards Committee                  
                                   X12N taxonomy.                       
                                   Includes type(s),                    
                                   classification(s),                   
                                   area(s) of                           
                                   specialization.                      
Provider certification code.....  For certain Individuals  U            
                                   only.                                
Provider certification            For certain Individuals  U            
 (certificate) number.             only.                                
Provider license number.........  For certain Individuals  I            
                                   only.                                
Provider license State..........  For certain Individuals  I            
                                   only.                                
School code.....................  For certain Individuals  I            
                                   only.                                
School name.....................  For certain Individuals  I            
                                   only.                                
School city, State, country.....  For certain Individuals  U            
                                   only.                                
School graduation year..........  For certain Individuals  I            
                                   only.                                
Other provider number type......  Type of provider         I            
                                   identification number                
                                   also/formerly used by                
                                   provider: UPIN, NSC,                 
                                   OSCAR, DEA, Medicaid                 
                                   State, PIN, Payer ID.                
Other provider number...........  Other provider           I            
                                   identification number                
                                   also/formerly used by                
                                   provider.                            
Group member name...............  For Groups only. Name    I            
                                   of Individual member                 
                                   of group. Includes                   
                                   first, middle, and                   
                                   last names.                          
Group member name suffix........  For Groups only. This    I            
                                   is the Individual                    
                                   member's name suffix.                
                                   Includes Jr., Sr., II,               
                                   III, IV, and V.                      

[[Page 25336]]

                                                                        
Organization type control code..  For certain              U            
                                   Organizations only.                  
                                   Includes Government--                
                                   Federal (Military),                  
                                   Government--Federal                  
                                   (Veterans),                          
                                   Government--Federal                  
                                   (Other), Government--                
                                   State/County,                        
                                   Government--Local,                   
                                   Government--Combined                 
                                   Control, Non-                        
                                   Government--Non-                     
                                   profit, Non-                         
                                   Government--For                      
                                   Profit, and Non-                     
                                   Government--Not for                  
                                   Profit.                              
------------------------------------------------------------------------
Key:                                                                    
I--Used for the unique identification of a provider.                    
A--Used for administrative purposes.                                    
U--Included at the request of potential users (optional).               

    We need to consider the benefits of retaining all of the data 
elements shown in the table versus lowering the cost of maintaining the 
database by keeping only the minimum number of data elements needed for 
unique provider identification. We solicit input on the composition of 
the minimum set of data elements needed to uniquely identify each type 
of provider. In order to consider the inclusion or exclusion of data 
elements, we need to assess their purpose and use.
    The data elements with a purpose of ``I'' are needed to identify a 
health care provider, either in the search process (which is 
electronic) or in the investigation of health care providers designated 
as possible matches by the search process. These data elements are 
critical because unique identification is the keystone of the NPS.
    The data elements with a purpose of ``A'' are not essential to the 
identification processes mentioned above, but nonetheless are valuable. 
Certain ``A'' data elements can be used to contact a health care 
provider for clarification of information or resolution of issues 
encountered in the enumeration process and for sending written 
communications; other ``A'' data elements (e.g., Provider Enumerate 
Date, Provider Update Date, Establishing Enumerator/Agent Number) are 
used to organize and manage the data.
    Data elements with a purpose of ``U'' are collected at the request 
of potential users of the information in the system. While not used by 
the system's search process to uniquely identify a health care 
provider, Race is nevertheless valuable in the investigation of health 
care providers designated as possible matches as a result of that 
process. In addition, Race is important to the utility of the NPS as a 
statistical sampling frame. We solicit comments on the statistical 
validity of Race data. Race is collected ``as reported''; that is, it 
is not validated. It is not maintained, only stored. The cost of 
keeping this data element is virtually nil. Other data elements 
(Resident/Intern Code, Provider Certification Code and Number, and 
Organization Type Control Code) with a purpose of ``U'', while not used 
for enumeration of a health care provider, have been requested to be 
included by some members of the health care industry for reports and 
statistics. These data elements are optional and do not require 
validation; many remain constant by their nature; and the cost to store 
them is negligible.
    The data elements that we judge will be expensive to either 
validate or maintain (or both) are the license information, provider 
practice location addresses, and membership in groups. We solicit 
comments on whether these data elements are necessary for the unique 
enumeration of health care providers and whether validation or 
maintenance is required for that purpose.
    Licenses may be critical in determining uniqueness of a health care 
provider (particularly in resolving identities involving compound 
surnames) and are, therefore, considered to be essential by some. 
License information is expensive to validate initially, but not 
expensive to maintain because it does not change frequently.
    The practice location addresses can be used to aid in investigating 
possible provider matches, in converting existing provider numbers to 
NPIs, and in research involving fraud or epidemiology. Location codes, 
which are discussed in detail in section B. Practice Addresses and 
Group/Organization Options below, could be assigned by the NPS to point 
to and identify practice locations of individuals and groups. Some 
potential users felt that practice addresses changed too frequently to 
be maintained efficiently at the national level. The average Medicare 
physician has two to three addresses at which he/she practices. Group 
providers may have many more practice locations. We estimate that 5 
percent of health care providers require updates annually, and that 
addresses are one of the most frequently changing attributes. As a 
result, maintaining more than one practice address for an individual 
provider on a national scale could be burdensome and time consuming. 
Many potential users believe that practice addresses could more 
adequately be maintained at local, health-plan specific levels.
    Some potential users felt that membership in groups was useful in 
identifying health care providers. Many others, however, felt that 
these data are highly volatile and costly to maintain. These users felt 
it was unlikely that membership in groups could be satisfactorily 
maintained at the national level.
    We welcome your comments on the data elements proposed for the NPF 
and input as to the potential usefulness and tradeoffs for these 
elements such as those discussed above.
    We specifically invite comments and suggestions on how the 
enumeration process might be improved to prevent issuance of multiple 
NPIs to a health care provider.

B. Practice Addresses and Group/Organization Options

    We have had extensive consultations with health care providers, 
health plans, and members of health data standards organizations on the 
requirements for provider practice addresses and on the group and 
organization data in the NPS. (It is important to note that the NPS is 
designed to capture a health care provider's mailing address. The 
mailing address is a data element separate from the practice address, 
and, as such, is not the subject of the discussion below.) Following 
are the major questions relating to these issues:
     Should the NPS capture practice addresses of health care 
providers?
    For: Practice addresses could aid in non-electronic matching of 
health care providers and in conversion of existing provider number 
systems to NPIs. They could be useful for research specific to practice 
location; for example, involving fraud or epidemiology.
    Against: Practice addresses would be of limited use in the 
electronic identification and matching of health care providers. The 
large number of practice locations of some group

[[Page 25337]]

providers, the frequent relocation of provider offices, and the 
temporary situations under which a health care provider may practice at 
a particular location would make maintenance of practice addresses 
burdensome and expensive.
     Should the NPS assign a location code to each practice 
address in a health care provider's record? The location code would be 
a 2-position alphanumeric data element. It would be a data element in 
the NPS but would not be part of the NPI. It would point to a certain 
practice address in the health care provider's record and would be 
usable only in conjunction with that health care provider's NPI. It 
would not stand alone as a unique identifier for the address.
    For: The location code could be used to designate a specific 
practice address for the health care provider, eliminating the need to 
perform an address match each time the address is retrieved. The 
location code might be usable, in conjunction with a health care 
provider's NPI, as a designation for service location in electronic 
health transactions.
    Against: Location codes should not be created and assigned 
nationally unless required to support standard electronic health 
transactions; this requirement has not been demonstrated. The format of 
the location code would allow for a lifetime maximum of 900 location 
codes per health care provider; this number may not be adequate for 
groups with many locations. The location code would not uniquely 
identify an address; different health care providers practicing at the 
same address would have different location codes for that address, 
causing confusion for business offices that maintain data for large 
numbers of health care providers.
     Should the NPS link the NPI of a group provider to the 
NPIs of the individual providers who are members of the group?
    For: Linkage of the group NPI to individual members' NPIs would 
provide a connection from the group provider, which is possibly not 
licensed or certified, to the individual members who are licensed, 
certified or otherwise authorized to provide health care services.
    Against: The large number of members of some groups and the 
frequent moves of individuals among groups would make national 
maintenance of group membership burdensome and expensive. Organizations 
that need to know group membership prefer to maintain this information 
locally, so that they can ensure its accuracy for their purposes.
     Should the NPS collect the same data for organization and 
group providers? There would be no distinction between organization and 
group providers. Each health care provider would be categorized in the 
NPS either as an individual or as an organization. Each separate 
physical location or subpart of an organization that needed to be 
identified would receive its own NPI. The NPS would not link the NPI of 
an organization provider to the NPI of any other health care provider, 
although all organizations with the same employer identification number 
(EIN) or same name would be retrievable via a query on that EIN or 
name.
    For: The categorization of health care providers as individuals or 
organizations would provide flexibility for enumeration of integrated 
provider organizations. Eliminating the separate category of group 
providers would eliminate an artificial distinction between groups and 
organizations. It would eliminate the possibility that the same entity 
would be enumerated as both a group and an organization. It would 
eliminate any need for location codes for groups. It would allow 
enumeration at the lowest level that needs to be identified, offering 
flexibility for enumerators, health plans or other users of NPS data to 
link organization NPIs as they require in their own systems.
    Against: A single business entity could have multiple NPIs, 
corresponding to its physical locations or subparts.
    Possible Approaches:
    We present two alternatives to illustrate how answers to the 
questions posed above would affect enumeration and health care provider 
data in the NPS. Since the results would depend upon whether the health 
care provider is an individual, organization, or group, we refer the 
reader to section II.B.3., Definitions, of this preamble.
    Alternative 1:
    The NPS would capture practice addresses. It would assign a 
location code for each practice address of an individual or group 
provider. Organization and group providers would be distinguished and 
would have different associated data in the NPS. Organization providers 
could have only one location per NPI and could not have individuals 
listed as members. Group providers could have multiple locations with 
location codes per NPI and would have individuals listed as members.
    For individual providers, the NPS would capture each practice 
address and assign a corresponding location code. The NPS would link 
the NPIs of individuals who are listed as members of a group with the 
NPI of their group.
    For organization providers, the NPS would capture the single active 
practice address. It would not assign a corresponding location code.
    For group providers, the NPS would capture each practice address 
and assign a corresponding location code. The NPS would link the NPI of 
a group with the NPIs of all individuals who are listed as members of 
the group. A group location would have a different location code in the 
members' individual records and the group record.
    Alternative 2:
    The NPS would capture only one practice address for an individual 
or organization provider. It would not assign location codes. The NPS 
would not link the NPI of a group provider to the NPIs of individuals 
who are members of the group. Organization and group providers would 
not be distinguished from each other in the NPS. Each health care 
provider would be categorized as either an individual or an 
organization.
    For individual providers, the NPS would capture a single practice 
address. It would not assign a corresponding location code.
    For organization providers, each separate physical location or 
subpart that needed to be identified would receive its own NPI. The NPS 
would capture the single active practice address of the organization. 
It would not assign a corresponding location code.
    Recent consultations with health care providers, health plans, and 
members of health data standards organizations have indicated a growing 
consensus for Alternative 2 discussed above. Representatives of these 
organizations feel that Alternative 2 will provide the data needed to 
identify the health care provider at the national level, while reducing 
burdensome data maintenance associated with provider practice location 
addresses and group membership. We welcome comments on these and other 
alternatives for collection of practice location addresses and 
assignment of location codes, and on the group and organization 
provider data within the NPS.

V. Data Dissemination

[Please label written and e-mailed comments about this section with 
the subject: Dissemination.]

    We are making information from the NPS available so that the 
administrative simplification provisions of the law can be implemented 
smoothly and efficiently. In addition to the health care provider's 
name and NPI, it is important to make available other information

[[Page 25338]]

about the health care provider so that people with existing health care 
provider files can associate their health care providers with the 
appropriate NPIs. The data elements we are proposing to disseminate are 
the ones that our research has shown will be most beneficial in this 
matching process. The information needs to be disseminated to the 
widest possible audience because the NPIs would be used in a vast 
number of applications throughout the health care industry.
    We propose to charge fees for the dissemination of such items as 
data files and directories, but the fees would not exceed the costs of 
the dissemination.
    We would establish two levels of users of the data in the NPS for 
purposes of disseminating information. Some of the data that would be 
collected in order to assign NPIs would be confidential and not be 
disclosed to those without a legitimate right of access to the 
confidential data.
Level I--Enumerators
    Access to the NPS would be limited to approved enumerators for the 
system that would be specifically listed in 45 CFR part 142. We would 
publish ``routine uses'' for the data concerning individuals in a 
Privacy Act systems of records notice. The notice is being developed 
and will be available during the comment period for this proposed rule.
    Enumerators would have access to all data elements for all health 
care providers in order to accurately resolve potential duplicate 
situations (that is, the health care provider may already have been 
enumerated). Enumerators would be required to protect the privacy of 
the data in accordance with the Privacy Act.
    Enumerators would have access to the on-line NPS and would also 
receive periodic batch update files from HCFA.
Level II--The Public
    The public (which includes individuals, health care providers, 
software vendors, health plans that are not enumerators, and health 
care clearinghouses) would have access to selected data elements.
    The table below lists the data comprising the NPF, as described in 
section IV. A. Data Elements, and indicates the dissemination level 
(Level I or Level II).

      Dissemination of Information From the National Provider File      
------------------------------------------------------------------------
                                  Dissemination                         
        Data elements                 level               Comments      
------------------------------------------------------------------------
National Provider Identifier   I and II..........  8-position alpha-    
 (NPI).                                             numeric NPI assigned
                                                    by the NPS.         
Provider's current name......  I and II..........  For Individuals only.
                                                    Includes first,     
                                                    middle, and last    
                                                    names.              
Provider's other name........  I and II..........  For Individuals only.
                                                    Includes first,     
                                                    middle, and last    
                                                    names. Other names  
                                                    might include maiden
                                                    and professional    
                                                    names.              
Provider's legal business      I and II..........  For Groups and       
 name.                                              Organizations only. 
Provider's name suffix.......  I and II..........  For Individuals only.
                                                    Includes Jr., Sr.,  
                                                    II, III, IV, and V. 
Provider's credential          I and II..........  For Individuals only.
 designation.                                       Examples are MD,    
                                                    DDS, CSW, CNA, AA,  
                                                    NP, RNA, PSY.       
Provider's Social Security     I only............  For Individuals only.
 Number (SSN).                                                          
Provider's Employer            I only............  Employer             
 Identification Number (EIN).                       Identification      
                                                    Number.             
Provider's birth date........  I only............  For Individuals only.
Provider's birth State code..  I only............  For Individuals only.
Provider's birth county name.  I only............  For Individuals only.
Provider's birth country name  I only............  For Individuals only.
Provider's sex...............  I only............  For Individuals only.
Provider's race..............  I only............  For Individuals only.
Provider's date of death.....  I only............  For Individuals only.
Provider's mailing address...  I and II..........  Includes 2 lines of  
                                                    street address, plus
                                                    city, State, county,
                                                    country, 5- or 9-   
                                                    position ZIP code.  
Provider's mailing address     I only.             .....................
 telephone number.                                                      
Provider's mailing address     I only.             .....................
 fax number.                                                            
Provider's mailing address e-  I only.             .....................
 mail address.                                                          
Resident/Intern code.........  I and II..........  For certain          
                                                    Individuals only.   
Provider enumerate date......  I and II..........  Date provider was    
                                                    enumerated (assigned
                                                    an NPI). Assigned by
                                                    the NPS.            
Provider update date.........  I and II..........  Last date provider   
                                                    data was updated.   
                                                    Assigned by the NPS.
Establishing enumerator/agent  I only............  Identification number
 number.                                            of the establishing 
                                                    enumerator.         
Provider practice location     I and II..........  2-position alpha-    
 identifier (location code).                        numeric code        
                                                    (location code)     
                                                    assigned by the NPS.
Provider practice location     I and II..........  Title (e.g., ``doing 
 name.                                              business as'' name) 
                                                    of practice         
                                                    location.           
Provider practice location     I and II..........  Includes 2 lines of  
 address.                                           street address, plus
                                                    city, State, county,
                                                    country, 5- or 9-   
                                                    position ZIP code.  
Provider's practice location   I only.             .....................
 telephone number.                                                      
Provider's practice location   I only.             .....................
 fax number.                                                            
Provider's practice location   I only.             .....................
 e-mail address.                                                        
Provider classification......  I and II..........  From Accredited      
                                                    Standards Committee 
                                                    X12N taxonomy.      
                                                    Includes type(s),   
                                                    classification(s),  
                                                    area(s) of          
                                                    specialization.     
Provider certification code..  I only............  For certain          
                                                    Individuals only.   
Provider certification         I only............  For certain          
 (certificate) number.                              Individuals only.   
Provider license number......  I only............  For certain          
                                                    Individuals only.   
Provider license State.......  I only............  For certain          
                                                    Individuals only.   
School code..................  I only............  For certain          
                                                    Individuals only.   
School name..................  I only............  For certain          
                                                    Individuals only.   
School city, State, country..  I only............  For certain          
                                                    Individuals only.   
School graduation year.......  I only............  For certain          
                                                    Individuals only.   

[[Page 25339]]

                                                                        
Other provider number type...  I and II..........  Type of provider     
                                                    identification      
                                                    number also/formerly
                                                    used by provider:   
                                                    UPIN, NSC, OSCAR,   
                                                    DEA, Medicaid State,
                                                    PIN, Payer ID.      
Other provider number........  I and II..........  Other provider       
                                                    identification      
                                                    number also/formerly
                                                    used by provider.   
Group member name............  I and II..........  For Groups only. Name
                                                    of Individual member
                                                    of group. Includes  
                                                    first, middle, and  
                                                    last names.         
Group member name suffix.....  I and II..........  For Groups only. This
                                                    is the Individual   
                                                    member's name       
                                                    suffix. Includes    
                                                    Jr., Sr., II, III,  
                                                    IV, and V.          
Organization type control      I and II..........  For certain          
 code.                                              Organizations only. 
                                                    Includes Government--
                                                    Federal (Military), 
                                                    Government--Federal 
                                                    (Veterans),         
                                                    Government--Federal 
                                                    (Other), Government--
                                                    State/County,       
                                                    Government--Local,  
                                                    Government--Combined
                                                    Control, Non-       
                                                    Government--Non-    
                                                    profit, Non-        
                                                    Government--For     
                                                    Profit, and Non-    
                                                    Government--Not for 
                                                    Profit.             
------------------------------------------------------------------------

    Clearly, the access to the public data would have to be electronic 
in order to support the more frequent users. We are asking for comments 
on exactly what should be available in hardcopy, what types of 
electronic formats are necessary (for example, diskette, CD ROM, tape, 
cartridge, and via Internet), and frequency of update. We anticipate 
making these data as widely available as feasible. We note that the 
UPIN Directory (currently available to the public) would be 
discontinued and replaced with a similar document or electronic file 
once the NPS is in place.
    We initially envisioned limiting access to the second level to 
health plans and other entities involved in electronic transactions and 
adding a third level of access, which would make a more abbreviated 
data set available to the general public. This was in keeping with the 
past policy of not disclosing physicians' practice addresses. Recent 
court decisions and our broader goal of beneficiary education caused us 
to choose a broader data dissemination strategy. We welcome comments on 
this point.

VI. New and Revised Standards

[Please label written and e-mailed comments about this section with 
the subject: Revisions.]

    To encourage innovation and promote development, we intend to 
develop a process that would allow an organization to request a 
revision or replacement to any adopted standard or standards.
    An organization could request a revision or replacement to an 
adopted standard by requesting a waiver from the Secretary of Health 
and Human Services to test a revised or new standard. The organization 
must, at a minimum, demonstrate that the revised or new standard offers 
an improvement over the adopted standard. If the organization presents 
sufficient documentation that supports testing of a revised or new 
standard, we want to be able to grant the organization a temporary 
waiver to test while remaining in compliance with the law. The waiver 
would be applicable to standards that could change over time; for 
example, transaction standards. We do not intend to establish a process 
that would allow an organization to avoid using any adopted standard.
    We would welcome comments on the following: (1) How we should 
establish this process, (2) the length of time a proposed standard 
should be tested before we decide whether to adopt it, (3) whether we 
should solicit public comments before implementing a change in a 
standard, and (4) other issues and recommendations we should consider 
in developing this process.
    Following is one possible process:
     Any organization that wishes to revise or replace an 
adopted standard must submit its waiver request to an HHS evaluation 
committee (not currently established or defined). The organization must 
do the following for each standard it wishes to revise or replace:
    + Provide a detailed explanation, no more than 10 pages in length, 
of how the revision or replacement would be a clear improvement over 
the current standard in terms of the principles listed in section I.D., 
Process for developing national standards, of this preamble.
    + Provide specifications and technical capabilities on the revised 
or new standard, including any additional system requirements.
    + An explanation, no more than 5 pages in length, of how the 
organization intends to test the standard.
     The committee's evaluation would, at a minimum, be based 
on the following:
    + A cost-benefit analysis.
    + An assessment of whether the proposed revision or replacement 
demonstrates a clear improvement to an existing standard.
    + The extent and length of time of the waiver.
     The evaluation committee would inform the organization 
requesting the waiver within 30 working days of the committee's 
decision on the waiver request. If the committee decides to grant a 
waiver, the notification may include the following:
    + Committee comments such as the following:

--The length of time for which the waiver applies if it differs from 
the waiver request.
--The sites the committee believes are appropriate for testing if they 
differ from the waiver request.
--Any pertinent information regarding the conditions of an approved 
waiver.

     Any organization that receives a waiver would be required 
to submit a report containing the results of the study, no later than 3 
months after the study is completed.
     The committee would evaluate the report and determine 
whether the benefits of the proposed revision or new standard 
significantly outweigh the disadvantages of implementing it and make a 
recommendation to the Secretary.

VII. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 60-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:

[[Page 25340]]

     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.

Section 142.408(a), (c)  Requirements: Health Care Providers

    In summary, each health care provider would be required to obtain, 
by application if necessary, a national provider identifier and 
communicate any changes to the data elements in its file in the 
national provider system to an enumerator of national provider 
identifiers within 60 days of the change.
    Discussion:
    We are especially interested in receiving comments on the possible 
methods of managing the provider enumeration process. Given the 
multitude of possible methods associated with managing the enumeration 
process, we are unable to provide an accurate burden estimate at this 
time. Below is the repeated provider identifier enumeration discussion, 
from section II., Provisions of Proposed Regulations, E. Requirements, 
3. Health care providers, of this preamble.
    The process by which health care providers will apply for and 
obtain NPIs has not yet been established. This proposed rule (in 
section III., Implementation of the NPI) presents implementation 
options by which health care providers would apply for and obtain NPIs. 
We are seeking comments on the options and welcome other options for 
consideration.
    In one of the options we are presenting, we anticipate that the 
initial enumeration of health care providers that are already enrolled 
in Medicare, other Federal programs named as health plans, and Medicaid 
would be done by those health plans. Those health care providers would 
not have to apply for NPIs but would instead have their NPIs issued 
automatically. Non-Federal and non-Medicaid providers would need to 
apply for NPIs to a Federally-directed registry for initial 
enumeration. The information that would be needed in order to issue an 
NPI to a health care provider is discussed in this preamble in section 
IV., Data. Depending on the implementation option selected, Federal and 
Medicaid health care providers may not need to provide this information 
because it would already be available to the entities that would be 
enumerating them. In one of the options, health care providers would be 
assigned their NPIs in the course of enrolling in the Federal health 
plan or in Medicaid. Both options may require, to some degree, the 
development of an application to be used in applying for an NPI.
    We would require each health care provider that has an NPI to 
forward updates to the data in the database to an NPI enumerator within 
60 days of the date the change occurs. We are soliciting comments on 
whether these updates should be applicable to all the data elements 
proposed to be included in the NPF or only to those data elements that 
are critical for enumeration. For example, we would like to know 
whether the addition of a credential should be required to be reported 
within the 60-day period or whether such updates should be limited to 
name or address changes or other data elements that are required to 
enumerate a health care provider.
    Given the multitude of possible methods of implementing the 
enumeration process we are soliciting public comment on each of the 
following issues, before we submit a copy of this document to the 
Office of Management and Budget (OMB) for its review of these 
information collection requirements.

Sections 142.404 and 142.408(b)  Requirements: Health Plans and 
Requirements: Health Care Providers

    In summary, each health plan would be required to accept and 
transmit, either directly or via a health care clearinghouse, the NPI 
of any health care provider required in any standard transaction. Also, 
each health care provider must use NPIs wherever required on all 
standard transactions it accepts or transmits directly.
    Discussion:
    The emerging and increasing use of health care EDI standards and 
transactions raises the issue of the applicability of the PRA. The 
question arises whether a regulation that adopts an EDI standard used 
to exchange certain information constitutes an information collection 
subject to the PRA. However, for the purpose of soliciting useful 
public comment we provide the following burden estimates.
    In particular, the initial burden on the estimated 4 million health 
plans and 1.2 million health care providers to modify their current 
computer systems software would be 2 hours/$60 per entity, for a total 
burden of 10.4 million hours/$312 million. While this burden estimate 
may appear low, on average, we believe it to be accurate. This is based 
on the assumption that these and the other burden calculations 
associated with HIPAA administrative simplification systems 
modifications may overlap. This average also takes into consideration 
that (1) this standard may not be used by several of the entities 
included in the estimate, (2) this standard may already be in use by 
several of the entities included in the estimate, (3) modifications may 
be performed in an aggregate manner during the course of routine 
business and/or, (4) modifications may be made by contractors, such as 
practice management vendors, in a single effort for a multitude of 
affected entities.
    We invite public comment on the issues discussed above. If you 
comment on these information collection and recordkeeping requirements, 
please e-mail comments to JB[email protected] (Attn:HCFA-0045) or mail 
copies directly to the following:

Health Care Financing Administration, Office of Information Services, 
Information Technology Investment Management Group, Division of HCFA 
Enterprise Standards, Room C2-26-17, 7500 Security Boulevard, 
Baltimore, MD 21244-1850. Attn: John Burke HCFA-0045.
      and,
Office of Information and Regulatory Affairs, Office of Management and 
Budget, Room 10235, New Executive Office Building, Washington, DC 
20503, Attn: Allison Herron Eydt, HCFA Desk Officer.

VIII. Response to Comments

    Because of the large number of items of correspondence we normally 
receive on Federal Register documents published for comment, we are not 
able to acknowledge or respond to them individually. We will consider 
all comments we receive by the date and time specified in the DATES 
section of this preamble, and, if we proceed with a subsequent 
document, we will respond to the comments in the preamble to that 
document.

IX. Impact Analysis

A. Executive Summary

    The costs of implementing the standards specified in the statute 
are primarily one-time or short-term costs related to conversion. These 
costs include system conversion/upgrade costs, start-up costs of 
automation, training costs, and costs associated with implementation 
problems. These costs will be incurred during the first three years of 
implementation. The benefits of EDI include reduction in manual data 
entry, elimination of postal service delays, elimination of the costs

[[Page 25341]]

associated with the use of paper forms, and the enhanced ability of 
participants in the market to interact with each other.
    In our analysis, we have used the most conservative figures 
available and have taken into account the effects of the existing trend 
toward electronic health care transactions. Based on this analysis, we 
have determined that the benefits attributable to the implementation of 
administrative simplification will accrue almost immediately but will 
not exceed costs for health care providers and health plans until after 
the third year of implementation. After the third year, the benefits 
will continue to accrue into fourth year and beyond. The total net 
savings for the period 1998-2002 will be $1.5 billion (a net savings of 
$1.7 billion for health plans, and a net cost of $.2 billion for health 
care providers). The single year net savings for the year 2002 will be 
$3.1 billion ($1.6 billion for plans and $1.5 billion for providers).

B. Introduction

    We assessed several strategies for determining the impact of the 
various standards that the Secretary will designate under the statute. 
We could attempt to analyze the costs and savings of each individual 
standard independently or we could analyze the costs and savings of all 
the standards in the aggregate. We chose to base our analysis on the 
aggregate impact of all the standards. Assessing the cost of 
implementing each standard independently would yield inflated costs. 
The statute gives health care providers and health plans 24 months (36 
months for small health plans) to implement each standard after it is 
designated. This will give the industry flexibility in determining the 
most cost-effective way of implementing the standards. A health plan 
may decide to implement more than one standard at a time or to combine 
implementation of a standard with other system changes dictated by its 
own business needs. As a result, overall estimates will be more 
accurate than individual estimates.
    Assessing the benefits of implementing each standard independently 
would also be inaccurate. While each individual standard is beneficial, 
the standards as a whole have a synergistic effect on savings. For 
example, the combination of the standard health plan identifier and 
standard claim format would improve the coordination of benefits 
process to a much greater extent than either standard individually. 
Clearly, the costs and benefits described in this impact analysis are 
dependent upon all of the rules being published at roughly the same 
time.
    It is difficult to assess the costs and benefits of such a sweeping 
change with no historical experience. Moreover, we do not yet know 
enough about the issues and options related to the standards that are 
still being developed to be able to discuss them here. Our analysis, as 
a result, will be primarily qualitative and somewhat general. In order 
to address that shortcoming, we have added a section discussing 
specific issues related to the provider identifier standard. In each 
subsequent regulation, we will, if appropriate, include a section 
discussing the specifics of the standard or standards being designated 
in the regulation. In addition, we will update this analysis to reflect 
any additional cost/benefit information that we receive from the public 
during the comment period for the proposed rule. We solicit comments on 
this approach and on our assumptions and conclusions.

C. Overall Cost/Benefit Analysis

    In order to assess the impact of the HIPAA administrative 
simplification provisions, it is important to understand current 
industry practices. A 1993 study by Lewin-VHI (1, p. 4) estimated that 
administrative costs comprised 17 percent of total health expenditures. 
Paperwork inefficiencies are a component of those costs, as are the 
inefficiencies caused by the more than 400 different data transmission 
formats currently in use. Industry groups such as ANSI ASC X12N have 
developed standards for EDI transactions, which are used by some health 
plans and health care providers. However, migration to these recognized 
standards has been hampered by the inability to develop a concerted 
approach, and even ``standard'' formats such as the Uniform Bill (UB-
92), the standard Medicare hospital claim form (which is used by most 
hospitals, skilled nursing facilities, and home health agencies for 
inpatient and outpatient claims) are customized by plans and health 
care providers.
    Several reports have made estimates of the costs and/or benefits of 
implementing electronic data interchange (EDI) standards. In assessing 
the impact of the HIPAA administrative simplification provisions, the 
Congressional Budget Office reported that:

    ``The direct cost of the mandates in Title II of the bill would 
be negligible. Health plans (and those providers who choose to 
submit claims electronically) would be required to modify their 
computer software to incorporate new standards as they are adopted 
or modified. . . . Uniform standards would generate offsetting 
savings for plans and providers by simplifying the claims process 
and coordination of benefits.'' (page 4 of the Estimate of Costs of 
Private Sector Mandates)

    The most extensive industry analysis of the effects of EDI 
standards was developed by WEDI in 1993, which built upon a similar 
1992 report. The WEDI report used an extensive amount of information 
and analysis to develop its estimates, including data from a number of 
EDI pilot projects. The report included a number of electronic 
transactions that are not covered by HIPAA, such as materials 
management. The report projected implementation costs ranging between 
$5.3 billion and $17.3 billion (3, p. 9-4) and annual savings for the 
transactions covered by HIPAA ranging from $8.9 billion and $20.5 
billion (3, pp. 9-5 and 9-6). Lewin estimated that the data standards 
proposed in the Healthcare Simplification and Uniformity Act of 1993 
would save from 2.0 to 3.9 percent of administrative costs annually 
($2.6 to $5.2 billion based on 1991 costs) (1, p. 12). A 1995 study 
commissioned by the New Jersey Legislature estimated yearly savings of 
$760 million in New Jersey alone, related to EDI claims processing, 
reducing claims rejection, performing eligibility checks, decreasing 
accounts receivable, and other potential EDI applications (4, p. 316)
    We have drawn heavily on the WEDI report for many of our estimates. 
However, our conclusions differ, especially in the area of savings, for 
a number of reasons. The WEDI report was intended to assess the savings 
from a totally EDI environment, which HIPAA does not mandate. Health 
care providers may still choose to conduct HIPAA transactions on paper. 
In addition, a significant amount of movement toward EDI has been made 
(especially in the claims area) since 1993, and it is reasonable to 
assume that EDI would have continued to grow at some rate even without 
HIPAA. In order to assess the true impact of the legislation and these 
regulations, we cannot claim that all subsequent benefits are 
attributable to HIPAA.

D. Implementation Costs

    The costs of implementing the standards specified in the statute 
are primarily one-time or short-term costs related to conversion. They 
can be characterized as follows:
    1. System Conversion/Upgrade--Health care providers and health 
plans will incur costs to convert existing software to utilize the 
standards. Health plans and large health care providers generally have 
their own information systems, which they maintain with in-

[[Page 25342]]

house or contract support. Small health care providers are more likely 
to use off-the-shelf software developed and maintained by a vendor. 
Examples of software changes include the ability to generate and accept 
transactions using the standard (for example, claims, remittance 
advices) and converting or crosswalking current provider files and 
medical code sets to chosen standards. However, health care providers 
have considerable flexibility in determining how and when to accomplish 
these changes. One alternative to a complete system redesign would be 
to purchase a translator that reformats existing system outputs into 
standard transaction formats. A health plan or health care provider 
could also decide to implement two or more related standards at once or 
to implement one or more standards during a software upgrade. We expect 
that each health care provider's and health plan's situation will 
differ and that each will select a cost-effective implementation 
scheme. Many health care providers use billing agents or claims 
clearinghouses to facilitate EDI. (Although we discuss billing agents 
and claims clearinghouses as separate entities in this impact analysis, 
billing agents are considered to be the same as clearinghouses for 
purposes of administrative simplification.) Those entities would also 
have to reprogram to accommodate standards. We would expect these costs 
to be passed on to health care providers in the form of fee increases 
or to be absorbed as a cost of doing business.
    2. Start-up Cost of Automation--The legislation does not require 
health care providers to conduct transactions electronically. Those who 
do not currently have electronic capabilities would have to purchase 
and implement hardware and software and train staff to use it in order 
to benefit from EDI. However, this is likely to be less costly once 
standards are in place, because there will be more vendors supporting 
the standard.
    3. Training--Health care provider and health plan personnel will 
require training on use of the various standard identifiers, formats, 
and code sets. For the most part this will be directed toward 
administrative personnel, but training in new code sets would be 
required for clinical staff as well.
    4. Implementation problems--The implementation of any industry-wide 
standards will inevitably introduce additional complexity as health 
plans and health care providers struggle to re-establish communication 
and process transactions using the new formats, identifiers, and code 
sets. This is likely to result in a temporary increase in rejected 
transactions, manual exception processing, payment delays, and requests 
for additional information.
    While the majority of costs are one-time costs related to 
implementation, there are also on-going costs associated with 
administrative simplification. Health care providers and health plans 
may incur on-going costs to subscribe to or purchase documentation and 
implementation guides related to code sets and standard formats as well 
as health plan and provider identifier directories or data files. These 
entities may already be incurring some of these costs, and the costs 
under HIPAA would be incremental. We will be pursuing low-cost 
distribution options to keep these costs as low as possible.
    In addition, EDI could affect cash flow throughout the health 
insurance industry. Electronic claims reach the health plan faster and 
can be processed faster. This has the potential to improve health care 
providers' cash flow situations while decreasing health plans' earnings 
on cash reserves.
    The only known impact on individuals and employers (other than 
those that function as health plans) is the need to obtain an 
identifier.

E. Benefits of Increased Use of EDI for Health Care Transactions

    Some of the benefits attributable to increased EDI can be readily 
quantified, while others are more intangible. For example, it is easy 
to compute the savings in postage from EDI claims, but attributing a 
dollar value to processing efficiencies is difficult. In fact, the 
latter may not result in lower costs to health care providers or health 
plans but may be categorized as cost avoidance, rather than savings. 
For example, a health care provider may find that its billing office 
staff can be reduced from four clerks to three after standards are 
implemented. The health care provider could decide to reduce the staff 
size, to reduce the billing office staff and hire additional clinical 
personnel, or to retain the staff and assign new duties to them. Only 
the first option results in a ``savings'' (i.e., fewer total dollars 
spent) for the health care provider or the health care industry. 
However, all three options allow health care providers to reduce 
administrative costs associated with billing. We are considering these 
to be benefits for purposes of this analysis because it is consistent 
with the way the industry views them.
    The benefits of EDI to industry in general are well documented in 
the literature. One of the most significant benefits of EDI is the 
reduction in manual data entry. The paper processing of business 
transactions requires manual data entry at the point in which the data 
are received and entered into a system. For example, the data on a 
paper health care transaction from a health care provider to a health 
plan have to be manually entered into the health plan's business 
system. If the patient has more than one health plan, the second health 
plan would also have to manually enter the data into its system if it 
cannot receive the information electronically. The potential for 
repeated keying of information transmitted via paper results in 
increased labor as well as significant opportunities for keying errors. 
EDI allows for direct data transmission between computer systems, which 
reduces the need to rekey data.
    Another problem with paper-based transactions is that these 
documents are mostly mailed. Normal delivery times of mailings can vary 
anywhere from one to several days for normal first class mail. To ship 
paper documents more quickly can be expensive. While bulk mailings can 
reduce some costs, paper mailings remain costly. Using postal services 
can also lead to some uncertainty as to whether the transaction was 
received, unless more expensive certified mail options are pursued. A 
benefit of EDI is that the capability exists for the sender of the 
transaction to receive an electronic acknowledgment once the data is 
opened by the recipient. Also, because EDI involves direct computer to 
computer data transmission, the associated delays with postal services 
are eliminated. With EDI, communication service providers such as value 
added networks function as electronic post offices and provide 24-hour 
service. Value added networks deliver data instantaneously to the 
receiver's electronic mailbox.
    In addition to mailing time delays, there are other significant 
costs in using paper forms. These include the costs of maintaining an 
inventory of forms, typing data onto forms, addressing envelopes, and 
the cost of postage. The use of paper also requires significant staff 
resources to receive and store the paper during normal processing. The 
paper must be organized to permit easy retrieval if necessary.

F. The Role of Standards in Increasing the Efficiency of EDI

    There has been a steady increase in use of EDI in the health care 
market since 1993, and we predict that there would be some continued 
growth, even without national standards. However, we believe the upward 
trend in EDI health care transactions will be enhanced by having 
national standards

[[Page 25343]]

in place. Because national standards are not in place today, there 
continues to be a proliferation of proprietary formats in the health 
care industry. Proprietary formats are those that are unique to an 
individual business. Due to proprietary formats, business partners that 
wish to exchange information via EDI must agree on which formats to 
use. Since most health care providers do business with a number of 
plans, they must produce EDI transactions in many different formats. 
For small health care providers, this is a significant disincentive for 
converting to EDI.
    National standards would allow for common formats and translations 
of electronic information that would be understandable to both the 
sender and receiver. If national standards were in place, there would 
be no need to determine what format a trading partner was using. 
Standards also reduce software development and maintenance costs that 
are required for converting proprietary formats. The basic costs of 
maintaining unique formats are the human resources spent converting 
data or in personally contacting entities to gather the data because of 
incompatible formats. These costs are reflected in increased office 
overhead, and a reliance on paper and third party vendors as well as 
communication delays and general administrative hassle. Health care 
transaction standards will improve the efficiency of the EDI market and 
will help further persuade reluctant industry partners to choose EDI 
over traditional mail services.
    The statute directs the Secretary to establish standards and sets 
out the timetable for doing so. The Secretary must designate a standard 
for each of the specified transactions and identifiers but does have 
the discretion to designate alternate standards (for example, both a 
flat file and X12N format for a particular transaction). We have chosen 
to designate a single standard for each identifier and transaction. On 
the surface, allowing alternate standards would seem to be a more 
flexible approach, permitting health care providers and health plans to 
choose which standard best fits their business needs. In reality, 
health plans and health care providers generally conduct EDI with 
multiple partners. Since the choice of a standard transaction format is 
a bilateral decision between the sender and receiver, most health plans 
and health care providers would need to support all of the designated 
standards for the transaction in order to meet the needs of all of 
their trading partners. Single standards will maximize net benefits and 
minimize ongoing confusion.
    Health care providers and health plans have a great deal of 
flexibility in how and when they will implement standards. The statute 
specifies dates by which health plans will have adopted standards, but 
within that time period health plans can determine when and in which 
order they will implement standards. Health care providers have the 
flexibility to determine when it is cost-effective for them to convert 
to EDI. Health plans and health care providers have a wide range of 
vendors and technologies from which to choose in implementing standards 
and can choose to utilize a health care clearinghouse to produce 
standard transactions. Implementation options for transactions will be 
the subject of more detailed analysis in a subsequent regulation.

G. Cost/Benefit Tables

    The tables below illustrate the costs for health plans and health 
care providers to implement the standards and the savings that will 
occur over time as a result of the HIPAA administrative simplification 
provisions. All estimates are stated in 1998 dollars--no adjustment has 
been made for present value.
    The tables are extracted from a report prepared by our actuaries, 
who analyzed the impact of the HIPAA administrative simplification 
provisions. Using standard actuarial principles, they utilized data 
from a wide range of industry sources as a base for their estimates but 
revised them as needed to precisely reflect the impact of the 
legislation. For example, the number of health care providers and 
percentage of EDI transactions were adjusted to reflect expected 1998 
levels. Where data were not available (for example, the percentage of 
EDI billing for hospices), estimates were developed based on 
assumptions. Where data from multiple sources were in conflict, the 
various sources were considered in developing an independent estimate. 
These processes are complex and are described in detail in the 
actuaries' report, both in narrative form and in footnotes to tables. 
The report is too voluminous to publish here, and it is not feasible to 
describe the processes used to arrive at each and every number. We are 
presenting here the data that are most critical to assessing the impact 
of HIPAA administrative simplification provisions and a general 
description of the processes used to develop those data. The full 
actuarial report is available for inspection at the HCFA document room 
and at the following web site: http://aspe.os.dhhs.gov/admnsimp/.
    The costs are based on estimates for the cost of a moderately 
complex set of software upgrades. The range of costs that health plans 
and health care providers will incur is quite large and is based on 
such factors as the size and complexity of the existing systems, 
ability to implement using existing low-cost translator software, and 
reliance on health care clearinghouses to create standard transactions. 
The cost of a moderately complex upgrade represents a reasonable 
midpoint in this range. In addition, we assume that health plans and 
health care providers with existing EDI systems will incur 
implementation costs related to manual operations to make those 
processes compatible with the EDI systems. For example, manual 
processes may be converted to recognize standard identifiers or to 
produce paper remittance advices that contain the same data elements as 
the EDI standard transaction. We have estimated those costs to equal 50 
percent of the upgrade cost. Health care providers that do not have 
existing EDI systems will also incur some costs due to HIPAA, even if 
they choose not to implement EDI for all of the HIPAA transactions. For 
example, a health care provider may have to change accounting practices 
in order to process the revised paper remittance advice discussed 
above. Health plans must accept HIPAA transactions via EDI, but not all 
health plans will be called upon to accept all HIPAA transactions. For 
example, some health plans process only dental claims, while others 
process claims for institutional and noninstitutional services. We have 
assumed the average cost for non-EDI health care providers and health 
plans to be half that of already-automated health care providers and 
health plans.
    Savings are based on the estimated increase in EDI attributable to 
the HIPAA administrative simplification provisions, multiplied by a per 
transaction savings for each type of transaction. Our estimates are 
much lower than those included in the WEDI report, primarily because we 
only recognize savings that would not have occurred without the 
legislation. While some industry estimates of gross savings (not net of 
costs) have been as high as $32.8 billion over five years, we believed 
it was important to utilize the most conservative assumptions possible. 
It is important to view these estimates as an attempt to furnish a 
realistic context rather than as precise budgetary predictions. Our 
estimates also do not include any benefits attributable to qualitative 
aspects of Administrative simplification, because of the lack of 
reliable data. (For example, we do not

[[Page 25344]]

attempt to put a dollar value on improved public health practices that 
will result from implementation of standard identifiers.) We strongly 
encourage comments on how to quantitatively and qualitatively measure 
the efficiencies realized as a result of the HIPAA administrative 
simplification standards.
    More detailed information regarding data sources and assumptions is 
provided in the explanations for the specific tables.
    Table 1 below shows estimated costs and savings for health plans. 
The number of entities is based on the WEDI report, Department of Labor 
data, and various trade publications trended forward to 1998. The cost 
per health plan for software upgrades is based on the WEDI report, 
which estimated a range of costs required to implement a fully capable 
EDI environment. The high-end estimates ranged from two to ten times 
higher than the low-end estimates. We have used the lower end of the 
estimates in most cases because, as explained above, HIPAA does not 
require as extensive changes as envisioned by WEDI. The estimated 
percentages of health plans that accept electronic billing are based on 
reports in the 1997 edition of Faulkner & Gray's Health Data Directory 
(5). The total cost for each type of health plan is the sum of the cost 
for EDI and non-EDI plans. Cost for EDI plans is computed as follows:

Total Entities  x  EDI %  x  Average Upgrade Cost  x  1.5

(Note: As described above, the cost of changing manual processes is 
estimated to be half the cost of system changes.)

    Cost for non-EDI plans is computed as follows:

Total entities  x  (1 x EDI %)  x  Average Upgrade Cost  x  .5

(Note: As described above, cost to non-EDI health care providers is 
assumed to be half the cost of systems changes.)

    The $3.9 billion in savings is derived from Table 4, and represents 
savings to health plans for the first five years of implementation. The 
assumptions related to these savings are contained in the explanation 
to Table 4. The savings have been apportioned to each type of health 
plan based on the ratio of that health plan type's cost to the cost to 
all health plans. For example, a plan type that incurs ten percent of 
the costs would be assigned ten percent of the savings. We acknowledge 
that this is an imprecise method for allocating savings. We have not 
been able to identify a reliable method for allocating savings to 
specific types of health plans but nonetheless believed that it was 
important to present costs and savings together in order to provide a 
sense of how the HIPAA administrative simplification provisions would 
affect various entities.

                             Table 1.--Health Plan Implementation Costs and Savings                             
                                            [in Millions--1998-2002]                                            
----------------------------------------------------------------------------------------------------------------
                                          Number of                     Percent   Total cost (in    Savings (in 
             Type of plan                   plans       Average cost      EDI        millions)       millions)  
----------------------------------------------------------------------------------------------------------------
Large commercials....................             250      $1,000,000        .90            $350            $620
Smaller commercials..................             400         500,000        .50             200             354
Blue Cross/Blue Shield...............              75       1,000,000        .90             106             188
Third-party administered.............             750         500,000        .50             375             665
HMO/PPO..............................           1,500         250,000        .50             375             665
Self-administered....................          16,000          50,000        .25             600           1,063
Other employer plans.................       3,900,000             100        .00             195             345
    Total............................  ..............  ..............  .........          $2,201          $3,900
----------------------------------------------------------------------------------------------------------------

    Table 2 illustrates the costs and savings attributable to various 
types of health care providers.
    The number of entities (practices, not individual health care 
providers) is based on the 1992 Census of Services, the 1996 
Statistical Abstract of the United States, and the American Medical 
Association survey of group practices trended forward to 1998. 
Estimated percentages of EDI billing are based on the 1997 edition of 
Faulkner & Gray's Health Data Directory or are actuarial estimates.
    The cost of software upgrades for personal computers (PCS) is based 
on reports on the cost of software upgrades to translate and 
communicate standardized claims forms. The low end is used for smaller 
practices and the high end for larger practices with PCS. The estimate 
for mainframe upgrade packages is twice the upper end for PCS. The cost 
per upgrade for facilities is ours after considering estimates by WEDI 
and estimates of the cost of new software packages in the literature. 
The estimates fall within the range of the WEDI estimates, but that 
range is quite large. For example, WEDI estimates the cost for a large 
hospital upgrade would be from $50,000 to $500,000. For an explanation 
of the method for computing Total Cost, see the explanation for Table 
1.
    The $3.4 billion in savings is derived from Table 4 and represents 
savings to health care providers for the first five years of 
implementation. We have included them here to provide a sense of how 
the HIPAA administrative simplification provisions would affect various 
entities. As in Table 1, the savings have been apportioned to each type 
of health care provider based on the ratio of that health care provider 
type's cost to the cost to all health care providers.

                         Table 2.--Health Care Provider Implementation Costs and Savings                        
                                            [In millions--1998-2002]                                            
----------------------------------------------------------------------------------------------------------------
                                          Number of                     Percent   Total cost (in    Savings (in 
           Type of provider               providers     Average cost      EDI        millions)       millions)  
----------------------------------------------------------------------------------------------------------------
Hospitals <100 beds..................           2,850        $100,000        .86            $388            $369
Hospitals 100+ beds..................           3,150         250,000        .86           1,071           1,019
Nursing facility <100 beds...........          27,351          10,000        .50             274             260
Nursing facility 100+ beds...........           8,369          20,000        .50             167             159

[[Page 25345]]

                                                                                                                
Home health agency...................          10,608          10,000        .75             133             126
Hospice..............................           1,191          10,000        .10               7               7
Dialysis facility....................           1,211          10,000        .75              15              14
Specialty outpatient.................           7,175          10,000        .75              90              85
Pharmacy.............................          70,100           4,000        .85             379             360
Medical labs.........................           9,000           4,000        .85              49              46
Dental labs..........................           8,000           1,500        .50              12              11
DME..................................         116,800           1,500        .50             175             167
Physicians solo and groups <3........         337,000           1,500        .20             354             337
Physicians groups 3+ with mainframe..          17,000           8,000        .75             170             162
Physicians groups 3+ with PCS........          15,000           4,000        .40              54              51
Physicians groups 3+ no automation...           2,000               0        .00               0               0
Osteopaths...........................          35,600           1,500        .10              32              30
Dentists.............................         147,000           1,500        .14             141             134
Podiatrists..........................           8,400           1,500        .05               7               6
Chiropractors........................          29,000           1,500        .05              24              23
Optometrists.........................          18,200           1,500        .05              14              14
Other professionals..................          23,600           1,500        .05              20              19
                                      --------------------------------------------------------------------------
    Total............................  ..............  ..............  .........           3,574           3,400
----------------------------------------------------------------------------------------------------------------

    Table 3 shows the estimates we used to determine the portion of EDI 
increase attributable to the HIPAA administrative simplification 
provisions. The proportion of claims that would be processed 
electronically even without HIPAA is assumed to grow at the same rate 
from 1998 through 2002 as it did from 1992 to 1996, except that the 
rate for hospitals, which is already high, is assumed to grow at one 
percent annually instead of the two percent that was observed from 
1992-1996. The proportion of ``other'' provider claims is high because 
it includes pharmacies that generate large volumes of claims and have a 
high rate of electronic billing.
    The increase attributable to HIPAA is highly uncertain and is 
critical to the savings estimate. Our actuary arrived at these 
estimates based on an analysis of the current EDI environment. Because 
the rate of growth in electronic billing is already high, there is not 
much room for added growth. On the other hand, much of the increase 
that has already occurred is attributable to Medicare and Medicaid; 
private insurers and third party administrators still have fairly low 
rates of electronic billing and may benefit significantly from 
standardization.

                   Table 3.--Percent Growth in EDI Claims Attributable to HIPAA as Provisions                   
                                                  [Cumulative]                                                  
----------------------------------------------------------------------------------------------------------------
                                                     1998         1999         2000         2001         2002   
                Type of Provider                  (percent)    (percent)    (percent)    (percent)    (percent) 
----------------------------------------------------------------------------------------------------------------
Physician:                                                                                                      
    Percent before HIPAA.......................           45           50           55           60           65
    Percent after HIPAA........................           45           52           59           66           73
                                                ----------------------------------------------------------------
    Difference.................................  ...........            2            4            6            8
                                                ----------------------------------------------------------------
Hospital:                                                                                                       
    Percent before HIPAA.......................           86           87           88           89           90
    Percent after HIPAA........................           86           88           89           91           92
                                                ----------------------------------------------------------------
    Difference.................................  ...........            1            1            2            2
                                                ----------------------------------------------------------------
Other:                                                                                                          
    Percent before HIPAA.......................           75           76           77           78           79
    Percent after HIPAA........................           75           78           81           84           87
    Difference.................................  ...........            2            4            6            8
----------------------------------------------------------------------------------------------------------------

    Table 4 shows the annual costs, savings, and net savings over a 
five-year implementation period. We assume that the costs will be 
incurred within the first three years, since the statute requires 
health plans other than small health plans to implement within 24 
months and small health plans to implement within 36 months. As each 
health plan implements a standard, health care providers that conduct 
electronic transactions with that health plan would also implement the 
standard. We assume that no savings would accrue in the first year, 
because not enough health plans and health care providers would have 
implemented the standards. Savings would increase as more health plans 
and health care providers implement, exceeding costs in the fourth 
year. At that point, the majority of health plans and health care 
providers will have implemented the

[[Page 25346]]

standards, and costs will decrease and benefits will increase as a 
result.
    The savings per claim processed electronically instead of manually 
is based on the lower end of the range estimated by WEDI. We have used 
$1 per claim for health plans and physicians, and $.75 per claim for 
hospitals and other health care providers. These estimates are based on 
surveys of health care providers and health plans. Savings per EDI 
claim are computed by multiplying the per claim savings times the 
number of EDI claims attributed to HIPAA. The total number of EDI 
claims is used in computing the savings to health plans, while the 
savings for specific health care provider groups is computed using only 
the number of EDI claims generated by that group (for example, savings 
to physicians is computed using only physician EDI claims).
    WEDI also estimated savings resulting from other HIPAA 
transactions. The savings per transaction was higher than the savings 
from electronic billing, but the number of transactions was much 
smaller. Our estimates for transactions other than claims were derived 
by assuming a number of transactions and a savings per transaction 
relative to those assumed for the savings for electronic billing (see 
table 4a). In general our assumptions are close to those used by WEDI. 
One major difference is that we derived the number of enrollment/
disenrollment transactions from Department of Labor statistics. We used 
their estimate of the number of events requiring a certificate to be 
issued, which includes such actions as starting or leaving a firm, 
children ``aging out'' of coverage and death of policyholder. That 
estimate is about 45 million events. We used WEDI's estimate that the 
savings per transaction is about half that of billing transactions.
    We also assumed that savings could be expected from simplifications 
in manual claims. The basic assumption is that the savings are ten 
percent (per transaction) of those that are projected for conversion to 
electronic billing. However, it is also assumed that the standards only 
gradually allow health care providers and health plans to abandon old 
forms and identifiers because of the many relationships that have been 
established with other entities that will require a period of overlap.

                                         Table 4.--Five-Year Net Savings                                        
                                            [in billions of dollars]                                            
----------------------------------------------------------------------------------------------------------------
             Costs and savings                 1998        1999        2000        2001       2002       Total  
----------------------------------------------------------------------------------------------------------------
Costs:                                                                                                          
    Provider..............................        1.3         1.3         1.1         0.0        0.0        3.6 
    Plan..................................        0.8         0.8         0.7         0.0        0.0        2.2 
                                           ---------------------------------------------------------------------
        Total.............................        2.0         2.0         1.7         0.0        0.0        5.8 
                                           =====================================================================
Savings From Claims Processing:                                                                                 
    Provider..............................        0.0         0.1         0.3         0.4        0.6        1.4 
    Plan..................................        0.0         0.1         0.2         0.4        0.5        1.2 
                                           ---------------------------------------------------------------------
        Total.............................        0.0         0.2         0.5         0.8        1.1        2.6 
                                           =====================================================================
Savings from Other Transactions:                                                                                
    Provider..............................        0.0         0.2         0.4         0.7        1.1        2.4 
    Plan..................................        0.0         0.2         0.4         0.6        0.8        2.0 
                                           ---------------------------------------------------------------------
        Total.............................        0.0         0.3         0.8         1.2        1.8        4.1 
                                           =====================================================================
Savings From Manual Transactions:                                                                               
    Provider..............................        0.0         0.0         0.1         0.1        0.1        0.3 
    Plan..................................        0.0         0.0         0.1         0.1        0.1        0.3 
                                           ---------------------------------------------------------------------
        Total.............................        0.0         0.1         0.1         0.2        0.2        0.6 
                                           =====================================================================
Total Savings:                                                                                                  
    Provider..............................       (1.3)       (1.0)       (0.5)        1.0        1.5       (0.2)
    Plan..................................       (0.8)       (0.5)        0.0         1.2        1.6        1.7 
                                           ---------------------------------------------------------------------
        Total.............................       (2.0)       (1.4)       (0.3)        2.2        3.1        1.5 
----------------------------------------------------------------------------------------------------------------

    Note: Figures do not total due to rounding.

    Table 4a shows the savings per nonclaim transaction as a multiple 
of claims savings per transaction and the ratio of transactions to 
number of claims. These values were used to determine the savings for 
nonclaims transactions.

      Table 4a.--Relative Savings and Volume of Other Transactions      
------------------------------------------------------------------------
                   Transaction                       Savings    Volume  
------------------------------------------------------------------------
Claim............................................        1.0        1.0 
Claims inquiry...................................        4.0        0.5 
Remittance advice................................        1.5        0.10
Coordination of benefits.........................        0.5        0.10
Eligibility inquiry..............................        0.5        0.05
Enrollment/disenrollment.........................        0.5        0.01
Referral.........................................        0.1        0.10
------------------------------------------------------------------------

H. Qualitative Impacts of Administrative Simplification

    Administration simplification produces more than hard-dollar 
savings. There are also qualitative benefits that

[[Page 25347]]

are less tangible, but nevertheless important. These changes become 
possible when data can be more easily integrated across entities. WEDI 
suggests in its 1993 report that there will be a ``ripple-effect'' of 
implementing an EDI infrastructure on the whole health care delivery 
system in that there would be a reduction in duplicate medical 
procedures and processes as a patient is handled by a continuum of 
health care providers during an episode of care. WEDI also suggests 
that there will be a reduction in the exposure to health care fraud as 
security controls on electronic transactions will prevent unauthorized 
access to financial data.
    We also believe that having standards in place would reduce 
administrative burden and improve job satisfaction. For example, fewer 
administrative staff would be required to translate procedural codes, 
since a common set of codes would be used. All codes used in these 
transactions will be standardized, eliminating different values for 
data elements (for example, place of service).
    Administrative simplification would promote the accuracy, 
reliability and usefulness of the information shared. For example, 
today there are any number of claims formats and identifiers in use. We 
estimate that there are over 400 variations of electronic formats for 
claims transactions alone. As we noted earlier, these variations make 
it difficult for parties to exchange information electronically. At a 
minimum, it requires data to be translated from the sender's own format 
to the different formats specified by each intended receiver. Also, 
since industry has taken different approaches to uniquely identifying 
patients, health care providers and health plans (based on their 
individual business needs and preferences), it has become difficult to 
develop methods to compare services across health care providers and 
health plans. This mixed approach to enumeration has made it extremely 
difficult for health care researchers to do comparative analysis across 
settings and over time, and complicates identification of individuals 
for public health and epidemiologic purposes.
    Administrative simplification greatly enhances the sharing of data 
both within entities and across entities. It facilitates the 
coordination of benefit information by having in place a standardized 
set of data that is known to all parties, along with standardized name 
and address information that tells where to route transactions. Today, 
health care providers are reluctant to file claims to multiple health 
plans on the behalf of the patient because information about a 
patient's eligibility in a health plan is difficult to verify. 
Additionally, identifying information about health plans is not 
standardized or centralized for easy access. Most claims filed by 
patients today are submitted in hardcopy. We anticipate that more 
health care providers will file claims and coordinate benefits on the 
patient's behalf once standard identifiers are adopted and this 
information is made available electronically.

I. Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (RFA) of 1980, Public Law 96-354, 
requires us to prepare a regulatory flexibility analysis if the 
Secretary certifies that a proposed regulation would have a significant 
economic impact on a substantial number of small entities. In the 
health care sector, a small entity is one with less than $5 million in 
annual revenues. Nonprofit organizations are considered small entities; 
however, individuals and States are not included in the definition of a 
small entity. We have attempted to estimate the number of small 
entities and provide a general discussion of the effects of the 
statute. We request comments and additional information about our 
estimates and discussion.
    All nonprofit Blue Cross-Blue Shield Plans are considered small 
entities. Two percent of the approximately 3.9 million employer health 
plans are considered small businesses. All doctors of osteopathy, 
dentists, podiatrists, chiropractors, and solo and group physicians' 
offices with fewer than three physicians are considered small entities. 
Forty percent of group practices with 3 or more physicians and 90 
percent of optometrist practices are considered small entities. 
Seventy-five percent of all pharmacies, medical laboratories, dental 
laboratories and durable medical equipment suppliers are assumed to be 
small entities.
    We found the best source for information about the health data 
information industry to be Faulkner & Gray's Health Data Dictionary. 
This publication is the most comprehensive we found of its kind. The 
information in this directory is gathered by Faulkner & Gray editors 
and researchers who called all of the more than 3,000 organizations 
that are listed in the book to elicit information about their 
operations. It is important to note that some businesses are listed as 
more than one type of business entity. That is because in reporting the 
information, companies could list themselves as up to three different 
types of entities. For example, some businesses listed themselves as 
both practice management vendors as well as claims software vendors 
because their practice management software was ``EDI enabled.''
    All the statistics referencing Faulkner & Gray's come from the 1996 
edition of its Health Data Dictionary. It lists 100 third party claims 
processors, which includes health care clearinghouses (5-33). Faulkner 
& Gray define third party claims processors as entities under contract 
that take electronic and paper health care claims data from health care 
providers and billing companies that prepare bills on a health care 
provider's behalf. The third party claims processor acts as a conduit 
to health plans; it batches claims and routes transactions to the 
appropriate health plan in a form that expedites payment.
    Of the 100 third party processors/clearinghouses listed in this 
publication, seven processed more that 20 million electronic 
transactions per month. Another 14 handled 2 million or more 
transactions per month and another 29 handled over a million electronic 
transactions per month. The remaining 50 entities listed processed less 
than a million electronic transactions per month. We believe that 
almost all of these entities have annual revenues of under $5 million 
and would therefore be considered small entities by our definition.
    Another entity that is involved in the electronic transmission of 
health care transactions is the value added network. Value added 
networks are involved in the electronic transmission of data over 
telecommunication lines. We include value added networks in the 
definition of a health care clearinghouse. Faulkner & Gray list 23 
value added networks that handle health care transactions (5, p. 544). 
After further discussion, the editors clarified that only 8 of the 23 
would be considered ``pure'' value added networks. We believe that all 
of these companies have annual revenues of over $5 million.
    A billing company is another entity involved in the electronic 
routing of health care transactions. It works primarily with physicians 
either in office or hospital-based settings. Billing companies, in 
effect, take over the office administrative functions for a physician; 
they take information such as copies of medical notes and records and 
prepare claim forms that are then forwarded to an insurer for payment. 
Billing companies may also handle the receipt of payments, including 
posting payment to the patient's record on behalf of the health care 
provider. They can be located within or outside of the physician's 
practice setting.
    The International Billing Association is a trade association 
representing

[[Page 25348]]

billing companies. The International Billing Association estimated that 
there are approximately 4500 billing companies currently in business in 
the United States. The International Billing Association's estimates 
are based on the name and address of actual billing companies that it 
compiled in developing its mailing list. We believe all of the 4500 
billing companies known to be in business have revenues under $5 
million annually.
    Software system vendors provide computer software applications 
support to health care clearinghouses, billing companies, and health 
care providers. They particularly work with health care providers' 
practice management and health information systems. These businesses 
provide integrated software applications for such services as accounts 
receivable management, electronic claims submission (patient billing), 
record keeping, patient charting, practice analysis and patient 
scheduling. Some software vendors are also involved in providing 
applications for translating paper and nonstandard computer documents 
into standardized formats that are acceptable to health plans.
    Faulkner & Gray list 104 physician practice management vendors and 
suppliers (5, p. 520), 105 hospital information systems vendors and 
suppliers (5, p. 444), 134 software vendors and suppliers for claims-
related transactions (5, p. 486), and 28 translation vendors (5, p. 
534). We were unable to determine the number of these entities with 
revenues over $5 million, but we assume most of these businesses would 
be considered small entities under our definition.
    As discussed earlier in this analysis, the cost of implementing the 
standards specified in the statute are primarily one-time or short-term 
costs related to conversion. They were characterized as follows: 
software conversion, cost of automation, training, implementation 
problems, and cost of documentation and implementation guides. Rather 
than repeat that information here, we refer you to the beginning of 
this impact analysis.
1. Health care Providers and Health Plans
    As a result of standard data format and content, health care 
providers and health plans that wish to do business electronically 
could do so knowing that whatever capital outlays they make are 
worthwhile, with some certainty of return on investment. This is 
because entities that exchange electronic health care transactions 
would be required to receive and send transactions in the same standard 
formats using the same health care provider and health plan 
identifiers. We believe this will be an incentive to small physicians' 
offices to convert from paper to EDI. In a 1996 Office of the Inspector 
General study entitled ``Encouraging Physicians to Use Paperless 
Claims,'' the Office of the Inspector General and HCFA agreed that over 
$36 million in annual Medicare claims processing savings could be 
achieved if all health care providers submitting 50 or more Medicare 
claims per month submitted them electronically. Establishment of EDI 
standards will make it financially beneficial for many small health 
care providers to convert to electronic claim submissions, because all 
health plans would accept the same formats.
    Additionally, we believe that those health care providers that 
currently use health care clearinghouses and billing agencies will see 
costs stabilize and potentially some cost reduction. This would result 
from the increased efficiency that health care clearinghouses and 
billing companies will realize from being able to more easily link with 
health care industry business partners.
2. Third Party Vendors
    Third party vendors include third party processors/clearinghouses 
(including value added networks), billing companies, and software 
system vendors. While the market for third party vendors will change as 
a result of standardization, these changes will be positive to the 
industry and its customers over the long term. However, the short term/
one time costs discussed above will apply to the third party vendor 
community.
a. Clearinghouses and Billing Companies
    As noted above, health care clearinghouses are entities that take 
health care transactions, convert them into standardized formats 
acceptable to the receiver, and forward them on to the insurer. Billing 
companies take on the administrative functions of a physician's office. 
The market for clearinghouse and billing company services will 
definitely be affected by the HIPAA administrative simplification 
provisions; however there appears to be some debate on how the market 
for these services will be affected.
    It is likely that competition among health care clearinghouses and 
billing companies will increase over time. This is because standards 
would reduce some of the technical limitations that currently inhibit 
health care providers from conducting their own EDI. For example, by 
eliminating the requirement to maintain several different claims 
standards for different trading partners, health care providers will be 
able to more easily link themselves directly to health plans. This 
could negatively affect the market for health care clearinghouses and 
system vendors that do translation services; however, standards should 
increase the efficiency in which health care clearinghouses operate by 
allowing them to more easily link to multiple health plans. The 
increased efficiency in operations resulting from standards could, in 
effect, lower their overhead costs as well as attract new health care 
clearinghouse customers to offset any loss in market share that they 
might experience.
    Another potential area of change is that brought about through 
standardized code sets. Standards would lower costs and break down 
logistical barriers that discouraged some health care providers from 
doing their own coding and billing. As a result, some health care 
providers may choose an in-house transaction system rather than using a 
billing company as a means of exercising more control over information. 
Conversely, health care clearinghouses may acquire some short-term 
increase in business from those health care providers that are 
automated but do not use the selected standards. These health care 
providers would hire health care clearinghouses to take data from the 
nonstandard formats they are using and convert them into the 
appropriate standards. Generally, we would also expect health care 
clearinghouses to identify opportunities to add value to transaction 
processing and to find new business opportunities, either in marketing 
promotional materials or in training health care providers on the new 
transaction sets. Standards would increase the efficiency of health 
care clearinghouses, which could in turn drive costs for these services 
down. Health care clearinghouses may be able to operate more 
efficiently or at a lower cost based on their ability to gain market 
share. Some small billing companies may be consumed by health care 
clearinghouses that may begin offering billing services to augment 
their health care clearinghouse activities. However, most health care 
providers that use billing companies would probably continue to do so 
because of the comprehensive and personalized services these companies 
offer.
    Value added networks do not manipulate data but rather transmit 
data in its native form over telecommunication lines. We anticipate

[[Page 25349]]

that the demand for value added network services would increase as 
additional health care providers and health plans move to electronic 
data exchange. Standards would eliminate the need for data to be 
reformatted, which would allow health care providers to purchase value 
added network services individually rather than as a component of the 
full range of clearinghouse services.
b. Software Vendors
    As noted above, software vendors provide computer software 
applications support to health care clearinghouses and health care 
providers. They particularly work with health care providers' practice 
management and health information systems. We believe these entities 
would be affected positively, at least in the short term. The 
implementation of administrative simplification would enhance their 
business opportunities as they would be involved in developing 
computerized software solutions that would allow for health care 
providers and other entities that exchange health care data to 
integrate the new transaction set into their existing systems. They may 
also be involved in developing software solutions to manage the 
crosswalk of existing health care provider and health plan identifiers 
to the national provider identifier and health plan identifier 
(PAYERID) until such time as all entities have implemented the 
identifiers.

J. Unfunded Mandates

    We have identified costs to the private sector to implement these 
standards. Although these costs are unfunded, we expect that they will 
be offset by subsequent savings as detailed in this impact analysis.
    Most costs will occur in the first 3 years following the adoption 
of the HIPAA standards, with savings to health care providers and 
health plans exceeding costs in the fourth year. Five-year costs of 
implementing the HIPAA standards are estimated at $ 5.8 billion for 
health care providers and health plans combined. Savings to these 
entities over the same period in electronic claims processing, other 
electronic transactions (e.g., enrollments and disenrollments), and 
manual transactions are estimated at $ 7.3 billion, for a net savings 
of $ 1.5 billion in 5 years.
    The costs to State and local governments and tribal organizations 
are also unfunded, but we do not have sufficient information to provide 
estimates of the impact of these standards on those entities. Several 
State Medicaid agencies have estimated that it would cost $1 million 
per state to implement all the HIPAA standards. However, the 
Congressional Budget Office analysis stated that ``States are already 
in the forefront in administering the Medicaid program electronically; 
the only costs--which should not be significant--would involve bringing 
the software and computer systems for the Medicaid programs into 
compliance with the new standards.'' The report went on to point out 
that Medicaid State agencies have the option to compensate by reducing 
other expenditures and that other State and local government agencies 
are likely to incur less in the way of costs since most of them will 
have fewer enrollees. Moreover, the Federal government pays a portion 
of the cost of converting State Medicaid Management Information Systems 
(MMIS) as Federal Financial Participation--75 percent for system 
maintenance changes and 90 percent for new software (if approved). Many 
States are in the process of changing systems as they convert many of 
the current functions in the move to enroll Medicaid beneficiaries in 
managed care.

K. Specific Impact of Provider Identifier

    This is the portion of the impact analysis that relates 
specifically to the standard that is the subject of this regulation--
the health care provider identifier. This section describes specific 
impacts that relate to the provider identifiers. However, as we 
indicated in the introduction to this impact analysis, we do not intend 
to associate costs and savings to specific standards. In addition, this 
section assesses the relative cost impact of the various identifier 
options and implementation options set out in the regulation.
    Although we cannot determine the specific economic impact of the 
standard being proposed in this rule (and individually each standard 
may not have a significant impact), the overall impact analysis makes 
clear that, collectively, all the standards will have a significant 
impact of over $100 million on the economy. Also, while each standard 
may not have a significant impact on a substantial number of small 
entities, the combined effects of all the proposed standards may have a 
significant effect on a substantial number of small entities. 
Therefore, the following impact analysis should be read in conjunction 
with the overall impact analysis.
    In accordance with the provisions of Executive Order 12866, this 
proposed rule was reviewed by the Office of Management and Budget.
    1. Affected entities.
    a. Health care providers.
    Health care providers that conduct electronic transactions with 
health plans would have to begin to use the NPI in those transactions. 
Health care providers that are indirectly involved in electronic 
transactions (for example, by submitting a paper claim that the health 
plan transmits electronically to a secondary payer) may also use the 
NPI. Any negative impact on these health care providers generally would 
be related to the initial implementation period. They would incur 
implementation costs for converting systems, especially those that 
generate electronic claims, from current provider identifiers to the 
NPI. Some health care providers would incur those costs directly and 
others would incur them in the form of fee increases from billing 
agents and health care clearinghouses.
    Health care providers not only would have to include their own NPI 
on claims, but they would also have to obtain and use NPIs of other 
health care providers (for example, for referring and ordering). This 
would be a more significant implementation workload for larger 
institutional health care providers, such as hospitals, that would have 
to obtain the NPIs for each physician practicing in the hospital. 
However, these health care providers are accustomed to maintaining 
these types of data. There would also be a potential for disruption of 
claims processes and timely payments during a particular health plan's 
transition to the NPI. Some health care providers that do not do 
business with government programs may be resistant to obtaining an NPI 
and providing data about themselves that would be stored in a national 
database.
    Health care providers would also have to obtain an NPI and report 
changes in pertinent data. Under one of the enumeration options 
presented in this preamble, current Medicare providers will receive 
their NPIs automatically, and other health care providers may be 
enumerated in this manner to the extent that appropriate valid data 
files are available. New health care providers would have to apply for 
an NPI. This does not impose a new burden on health care providers. The 
vast majority of health plans issue identifiers to the health care 
providers with whom they transact business in order to facilitate the 
electronic processing of claims and other transactions. The information 
that health care providers must supply in order to receive an NPI is 
significantly less than the information most health plans require to 
enroll a health care provider. There would be no new cost

[[Page 25350]]

burden; the statute does not support our charging health care providers 
to receive an NPI.
    After implementation, health care providers would no longer have to 
keep track of and use different identifiers for different insurers. 
This would simplify provider billing systems and processes and reduce 
administrative expenses. A standard identifier would facilitate and 
simplify coordination of benefits, resulting in faster, more accurate 
payments. Under option 2 of the enumeration options, (see section 
IX.K.2.d. of this preamble, on enumerators), many health care providers 
(all those doing business with Medicare) would receive their NPIs 
automatically and would be able to report changes in the data contained 
in the NPS to a single place and have the changes made available to 
many health plans.
    b. Health plans.
    Health plans that engage in electronic commerce would have to 
modify their systems to use the NPI. This conversion would have a one-
time cost impact on Federal, State, and private health plans alike and 
is likely to be more costly for health plans with complex systems that 
rely on intelligent provider numbers. Disruption of claims processing 
and payment delays could result. However, health plans would be able to 
schedule their implementation of the NPI and other standards in a 
manner that best fits their needs, as long as they meet the deadlines 
specified in the legislation.
    Once the NPI has been implemented, health plans' coordination of 
benefits activities would be greatly simplified because all health 
plans would use the same health care provider identifier. In addition, 
utilization review and other payment safeguard activities would be 
facilitated, since health care providers would not be able to use 
multiple identifiers and could be easily tracked over time and across 
geographic areas. Health plans currently assign their own 
identification numbers to health care providers as part of their 
enrollment procedures, and this would no longer be necessary. Existing 
enumeration systems maintained by Federal health programs would be 
phased out, and savings would result.
    c. Health care clearinghouses.
    Health care clearinghouses would face impacts (both positive and 
negative) similar to those experienced by health plans. However, 
implementation would likely be more complex, because health care 
clearinghouses deal with many health care providers and health plans 
and would have to accommodate both old and new health care provider 
identifiers until all health plans with which they deal have converted.
    2. Effects of Various Options.
    a. Guiding Principles for Standard Selection.
    The implementation teams charged with designating standards under 
the statute have defined, with significant input from the health care 
industry, a set of common criteria for evaluating potential standards. 
These criteria are based on direct specifications in the HIPAA, the 
purpose of the law, and principles that support the regulatory 
philosophy set forth in Executive Order 12866 of September 30, 1993, 
and the Paperwork Reduction Act of 1995. These criteria also support 
and are consistent with the principles of the Paperwork Reduction Act 
of 1995. In order to be designated as a standard, a proposed standard 
should:
     Improve the efficiency and effectiveness of the health 
care system by leading to cost reductions for or improvements in 
benefits from electronic HIPAA health care transactions. This principle 
supports the regulatory goals of cost-effectiveness and avoidance of 
burden.
     Meet the needs of the health data standards user 
community, particularly health care providers, health plans, and health 
care clearinghouses. This principle supports the regulatory goal of 
cost-effectiveness.
     Be consistent and uniform with the other HIPAA standards--
their data element definitions and codes and their privacy and security 
requirements--and, secondarily, with other private and public sector 
health data standards. This principle supports the regulatory goals of 
consistency and avoidance of incompatibility, and it establishes a 
performance objective for the standard.
     Have low additional development and implementation costs 
relative to the benefits of using the standard. This principle supports 
the regulatory goals of cost-effectiveness and avoidance of burden.
     Be supported by an ANSI-accredited standards developing 
organization or other private or public organization that will ensure 
continuity and efficient updating of the standard over time. This 
principle supports the regulatory goal of predictability.
     Have timely development, testing, implementation, and 
updating procedures to achieve administrative simplification benefits 
faster. This principle establishes a performance objective for the 
standard.
     Be technologically independent of the computer platforms 
and transmission protocols used in HIPAA health transactions, except 
when they are explicitly part of the standard. This principle 
establishes a performance objective for the standard and supports the 
regulatory goal of flexibility.
     Be precise and unambiguous, but as simple as possible. 
This principle supports the regulatory goals of predictability and 
simplicity.
     Keep data collection and paperwork burdens on users as low 
as is feasible. This principle supports the regulatory goals of cost-
effectiveness and avoidance of duplication and burden.
     Incorporate flexibility to adapt more easily to changes in 
the health care infrastructure (such as new services, organizations, 
and provider types) and information technology. This principle supports 
the regulatory goals of flexibility and encouragement of innovation.
    We assessed the various candidates for a provider identifier 
against the principles listed above, with the overall goal of achieving 
the maximum benefit for the least cost. We found that the NPI met all 
the principles, but no other candidate identifier met all the 
principles, or even those principles supporting the regulatory goal of 
cost-effectiveness. We are assessing the costs and benefits of the NPI, 
but we did not assess the costs and benefits of other identifier 
candidates, because they did not meet the guiding principles. We invite 
your comments on the costs and benefits of the alternative candidate 
NPI options for the various market segments.
b. Need To Convert
    Because there is no standard provider identifier in widespread use 
throughout the industry, adopting any of the candidate identifiers 
would require most health care providers, health plans and health care 
clearinghouses to convert to the new standard. In the case of the NPI, 
all health care providers would have to convert because this identifier 
is not in use presently. As we pointed out in our analysis of the 
candidates, even the identifiers that are in use are not used for all 
purposes or for all provider types. The selection of the NPI does not 
impose a greater burden on the industry than the nonselected 
candidates, and presents significant advantages in terms of cost-
effectiveness, universality, uniqueness and flexibility.
c. Complexity of Conversion
    Some existing provider identifier systems assign multiple 
identifiers to a single health care provider in order to distinguish 
the multiple identities the health care provider has in the system. For 
example, in these systems, the health care provider may have a

[[Page 25351]]

different identifier to represent each ``pay-to'' identity, contract or 
provider agreement, practice location, and specialty or provider type. 
Since the NPI is a unique identifier for each health care provider, it 
would not distinguish these multiple identities. Systems that need to 
distinguish these identities would need to use data other than the NPI 
to do so. The change to use other data would add complexity to the 
conversion to the NPI or to any other standard provider identifier, but 
it is necessary in order to achieve the goal of unique identification 
of the health care provider.
    The complexity of the conversion would also be significantly 
affected by the degree to which health plans' processing systems 
currently rely on intelligent identifiers. For example, a health plan 
may route claims to different processing routines based on the type of 
health care provider by keying on a provider type code included in the 
identifier. Converting from one unintelligent identifier to another is 
less complex than modifying software logic to obtain needed information 
from other data elements. However, the use of an unintelligent 
identifier is required in order to meet the guiding principle of 
assuring flexibility.
    Specific technology limitations of existing systems could affect 
the complexity of conversion. For example, some existing provider data 
systems use a telephone keypad to enter data. Data entry of alpha 
characters is inconvenient in these systems. In order to mitigate this 
inconvenience, we would implement the NPI by initially assigning 
numeric NPIs. After all numeric possibilities have been exhausted, we 
would introduce alpha characters in one position at a time. This 
implementation strategy would allow additional time for systems with 
technology limitations to overcome conversion difficulties.
    In general, the shorter the identifier, the easier it is to 
implement. It is more likely that a shorter identifier, such as the 
NPI, would fit into existing data formats.
    The selection of the NPI does not impose a greater burden on the 
industry than the nonselected candidates.
d. Enumerators
    Based on the analysis discussed earlier in the preamble, we assess 
the two most viable combinations of choices for the entities that would 
enumerate health care providers. We do not assess choices that permit 
large numbers of enumerators (for example, all health plans, 
educational institutions, professional associations) because these 
choices do not satisfy the critical programmatic requirements of 
maintaining a high degree of data quality and consistency and 
minimizing confusion for health care providers.
    No matter which of the two enumeration options is chosen, certain 
costs and impacts would not vary.
     We assume that the NPS would be used in both options to 
generate NPIs and serve as the central enumeration system and database. 
We began to develop the NPS for Medicare use, and this effort, which 
was funded by HCFA, is now nearing completion. As the NPS becomes 
national in scope, we estimate that the cost of maintaining the NPS 
software, hardware, and telecommunications, and operating a Help Desk 
to deal with user questions, would cost approximately $10.4 million 
over the first three years of operation and approximately $2.9 million 
per year thereafter. Roughly half of these costs are attributable to 
telecommunications expenses. This analysis presumes the availability of 
Federal funds to support the development and operations of the NPS. 
However, we are seeking comments on how the NPS could be funded once it 
becomes national.
     We further assume that, in both options, the same 
implementation strategy of loading the NPS database using health plans' 
existing prevalidated files will be utilized to the extent possible. 
This would reduce costs by not repeating the process of soliciting, 
receiving, controlling, validating and keying applications from health 
care providers that have already been enumerated by a trusted source. 
For example, we would use existing Medicare provider files to initially 
load the NPS database. The majority of work to reformat and edit these 
files has already been completed.
    We estimate that approximately 1.2 million current health care 
providers and 30,000 new health care providers annually would require 
NPIs because they conduct HIPAA transactions.
    An additional 3 million health care providers (120,000 new health 
care providers annually) do not conduct HIPAA transactions, but they 
may choose to be enumerated at some future time. We refer to these 
health care providers as ``non-HIPAA-transaction health care 
providers'' (see section 4. Enumeration Phases of this preamble). These 
health care providers would be primarily individual practitioners such 
as registered nurses and pharmacists who perform services in 
institutions and whose services are not billed by the institution. More 
research is required on the time frame and process for enumerating 
these health care providers.
    Based on Medicare carriers' costs, we have estimated that the 
average cost to enumerate a health care provider should not exceed $50. 
Enumeration activities would include assisting health care providers 
and answering questions, accepting the application for an NPI; 
validating as many of the data elements as possible at the point of 
application to assure the submitted data are accurate and the 
application is authentic; entering the data into the NPS to obtain an 
NPI for the health care provider; researching cases where there is a 
possible match to a health care provider already enumerated; notifying 
the health care provider of the assigned NPI; and entering updated data 
into the NPS when notified by the health care provider. The cost of 
processing a data update is not known, and for purposes of this 
analysis we are assuming an average cost of $10 per update transaction, 
and that 5 percent per year of these health care providers on file 
would have updated data. However, we estimate that approximately 15 
percent of health care providers that do not conduct business with 
Federal health plans or Medicaid would require updates each year. These 
health care providers may be unfamiliar with the terminology for some 
of the information they need to provide in order to be enumerated; 
thus, they may need to correct errors they could have made in 
completing the applications for NPIs or may have a need to change some 
of that information for other reasons. The per transaction cost would 
be lower if practice location addresses and membership in groups were 
not collected (see section IV., Data, and section IX.E., Maintenance of 
the Database, of this preamble) and if enumerators were already 
validating data as part of their own enrollment processes. The number 
of updates would also be affected by the practice location and group 
membership issues because these data are more volatile than demographic 
data (see IV., Data, and IX.E., Maintenance of the Database, of this 
preamble).
    For a similarly sized commercial numbering system that uniquely 
identifies corporations and assigns unique identifiers, we have 
received independent estimates from Dun & Bradstreet (D&B) of $7 per 
enumeration and $3 per update. The D&B estimates are based on the cost 
of assigning and maintaining the Data Universal Numbering System (D-U-
N-S) number. The D-U-N-S number is a nine-digit, non-indicative number 
assigned to each record in D&B's file. It uses a modulus

[[Page 25352]]

10 check digit in the ninth position. Over 47 million D-U-N-S numbers 
have been assigned, worldwide, with 22 million attributed to locations 
in the United States. D&B uses the D-U-N-S number to enumerate 
businesses, including commercial sites, sole proprietorships, cottage 
industries, educational institutions, not-for-profits, and government 
entities, but does not maintain records on private individuals. D&B 
estimates an average cost of $7 to add a record to its database and 
assign it a unique record identifier. To establish a record and ensure 
uniqueness, D&B requires the entity's legal name, any ``doing business 
as'' names, physical address, telephone number, chief executive, date 
started, line of business, number of employees and relationship(s) with 
other business entities. D&B runs a daily computer process to audit all 
records added during the day and extracts any that may be duplicates 
for research by an analyst. Updates to each record are estimated at 
approximately $3 but can run as high as $30 per year for very robust 
database entries, some of which contain 1500 different data elements.
    The D&B estimates may be understated for our purposes because the 
four to six data elements used to uniquely identify the enumerated 
corporations do not require verification. We welcome comments on which 
data elements are required to uniquely identify health care providers 
(individuals, groups, and organizations), on whether verification of 
the data is necessary for purposes of enumeration, and on estimates of 
the cost to enumerate and update that minimum data set. We understand 
that the cost would be lower if the number and complexity of the data 
elements were reduced, but this cost must be balanced against the level 
of confidence that can be placed in the uniqueness of the health care 
providers identified. Specific consideration of these tradeoffs in 
submitted comments will be very helpful.
    The $50 estimated average cost to enumerate a health care provider 
is an upper limit. The cost would decrease significantly if the second 
data alternative is selected (see section IV.B., Practice Addresses and 
Group/Organization Options, of this preamble). Under this alternative, 
the NPS would capture only one practice address for an individual or 
organization provider. It would not assign location codes. The NPS 
would not link the NPI of a group provider to the NPIs of individuals 
who are members of the group. Costs would decrease because we would 
collect significantly less data at the time of enumeration, and the 
data that would be collected would not need to be updated very 
frequently. Recent consultations with the industry reveal a growing 
consensus for this alternative.
    Table 5 below provides estimates as to the cost of each enumeration 
option for start-up and outyear, with Federal, State, and private 
costs, for HIPAA-transaction and non-HIPAA-transaction health care 
providers, and the Federal costs of the NPS. We define ``start-up'' as 
the first 3 years during which the NPS becomes operational nationally 
and the bulk of the health care providers requiring NPIs are 
enumerated. ``Outyear'' would be each subsequent year, in which the 
majority of actions would be enumerations of new health care providers 
and provider updates. Assumptions follow the table.

                            Table 5.--Enumeration Costs: Federal, State, and Private                            
----------------------------------------------------------------------------------------------------------------
                                 Enumeration Costs: Federal, State, and Private                                 
-----------------------------------------------------------------------------------------------------------------
                                                  Start-up costs   Outyear costs  Start-up costs   Outyear costs
                                                      HIPAA-          HIPAA-        non-HIPAA-      non-HIPAA-  
                    Costs to:                       transaction     transaction     transaction     transaction 
                                                     providers       providers       providers       providers  
----------------------------------------------------------------------------------------------------------------
                                               OPTION 1--REGISTRY                                               
----------------------------------------------------------------------------------------------------------------
Federal for NPS.................................      10,400,000       2,900,000  ..............  ..............
Federal for non-HIPAA-transaction health care                                                                   
 providers......................................  ..............  ..............     165,000,000       7,500,000
Federal.........................................      64,560,000       2,280,000  ..............  ..............
State...........................................               0               0  ..............  ..............
Private.........................................               0               0  ..............  ..............
                                                 ---------------------------------------------------------------
    Total.......................................      74,960,000       5,180,000  ..............  ..............
----------------------------------------------------------------------------------------------------------------
     OPTION 2--COMBINATION OF FEDERAL HEALTH PLANS, MEDICAID STATE AGENCIES, AND FEDERALLY-DIRECTED REGISTRY    
----------------------------------------------------------------------------------------------------------------
Federal for NPS.................................      10,400,000       2,900,000  ..............  ..............
Federal for non-HIPAA-transaction health care                                                                   
 providers......................................  ..............  ..............     165,000,000       7,500,000
Federal (if all Medicaid State agencies                                                                         
 participate)...................................       9,990,000         495,000  ..............  ..............
Federal (if 5% of Medicaid State agencies                                                                       
 decline to participate)........................      10,310,000         505,000  ..............  ..............
State (if all Medicaid State agencies                                                                           
 participate)...................................               0               0  ..............  ..............
State (if 5% of Medicaid State agencies decline                                                                 
 to participate)................................               0               0  ..............  ..............
Private.........................................               0               0  ..............  ..............
                                                 ---------------------------------------------------------------
    Total (if all Medicaid State agencies                                                                       
     participate)...............................      20,390,000       3,395,000  ..............  ..............
                                                 ===============================================================
    Total (if 5% of Medicaid State agencies                                                                     
     decline to participate)....................      20,710,000       3,405,000  ..............  ..............
----------------------------------------------------------------------------------------------------------------

Assumptions

1. Definitions
    a. ``HIPAA-transaction health care provider'' means a health care 
provider that we would require to have an NPI; that is, a health care 
provider that must be identified in the transactions specified in 
HIPAA.
    b. ``Non-HIPAA-transaction health care provider'' means a health 
care provider that we would not require to have an NPI.
    c. ``Start-up'' means the first 3 years in which the NPS becomes 
operational nationally and the bulk of the health care providers 
requiring NPIs are enumerated. It is the sum of the cost of enumerating 
existing health care providers in the first year plus the

[[Page 25353]]

annual cost of enumerating new and updating existing health care 
providers for the 2 subsequent years.
    d. ``Outyear'' means each subsequent year in which the majority of 
actions would be enumerating new health care providers and updating 
existing ones. It is the sum of the cost of enumerating new health care 
providers plus the cost of updating existing health care providers.
    2. The cost to enumerate a health care provider that is not 
enrolled or enrolling in a Federal health plan (e.g., Medicare, 
CHAMPUS) or Medicaid is estimated to be $50. (See Assumption 4.)
    3. The cost to update information on a health care provider that is 
not enrolled or enrolling in a Federal health plan (e.g., Medicare, 
CHAMPUS) or Medicaid is estimated to be $10. (See Assumption 4.)
    4. The cost to Federal health plans (e.g., Medicare, CHAMPUS) and 
Medicaid to enumerate or update their own health care providers is 
relatively small as these health plans must collect the same 
information to enroll or update the health care providers in their own 
programs. Possible up-front costs to these health plans and Medicaid 
would be offset by simpler, more efficient coordination of benefits, 
elimination of the need to maintain multiple enumeration systems, and 
elimination of the need to maintain other provider numbers. The Federal 
Government pays 75 percent of Medicaid State agencies' costs to 
enumerate and update health care providers. Because all of these costs 
are relatively small and would be offset by savings, they are 
considered to be $0 (zero).
    5. This analysis presumes the availability of Federal funds to 
support the registry.
    6. It is estimated that 5 percent of existing HIPAA-transaction 
health care providers that conduct business with Federal health plans 
or Medicaid require updates annually; 15 percent of the remaining 
HIPAA-transaction health care providers require updates annually.
    7. It is estimated that 5 percent of Medicaid State agencies may 
decline to participate in enumerating/updating their health care 
providers. The registry would enumerate/update that 5 percent.
    8. Non-HIPAA-transaction health care providers would not be 
enumerated in the initial phases of enumeration. These costs are 
estimated to be $165,000,000 for start-up and $7,500,000 for outyear. 
The registry would enumerate/update these health care providers only if 
funds are available.
    Option 1 calls for all 1.2 million HIPAA-transaction health care 
providers to be enumerated by a Federally-directed registry. The one-
time cost for the registry to assign NPIs to existing HIPAA-transaction 
health care providers would depend on the extent to which existing 
files could be used. The cost could be as high as $60 million (1.2 
million health care providers  x  $50) or as low as $9 million (see 
option 2). The low estimate assumes that prevalidated provider files 
are available for 100 percent of all Federal and Medicaid providers. 
The annual outyear cost would be $2.1 million (30,000 new health care 
providers  x  $50 plus 60,000 updates  x  $10). The Federal health 
plans and Medicaid State agencies would no longer have to assign their 
own identifiers, which would result in some savings, but they would 
still incur costs related to provider enrollment activities that would 
duplicate Federally-directed registry functions (for example, duplicate 
collection and verification of some information).
    Option 2 calls for enumeration of HIPAA-transaction health care 
providers to be performed by a combination of Federal programs named as 
health plans, Medicaid State agencies, and a Federally-directed 
registry. This registry would enumerate non-Federal, non-Medicaid 
providers. All enumerators would receive, validate, and enter 
application data into the NPS and would communicate with health care 
providers. Data files would be available from a central source. The 
registry would utilize the NPS and would be operated under Federal 
oversight but could, if appropriate, be contracted out.
    Medicare, Medicaid, CHAMPUS, and the Department of Veterans Affairs 
already assign identifiers to health care providers with whom they 
conduct business. They would simply begin to use the NPS to issue NPIs 
instead of using their own systems to assign the identifiers they now 
use. Initially, these Federal health plans and Medicaid may incur up-
front costs in issuing NPIs; however, these additional costs would be 
offset by savings from the fact that each health care provider would 
only have to be enumerated once; multiple enumeration systems would not 
have to be maintained; other provider numbers would not have to be 
maintained; and coordination of benefits would be simpler and more 
efficient. We estimate that approximately 5 percent of Medicaid State 
agencies may decline to participate (that is, they would not enumerate 
and update their health care providers). These health care providers 
would need to be enumerated and updated by the Federally-directed 
registry; however, that cost would be offset by savings realized by the 
discontinuance of UPIN assignment and maintenance of the UPIN registry. 
We estimate that approximately 85 percent of the health care providers 
that conduct HIPAA transactions would be enumerated in this manner (75 
percent by Federal health plans, 10 percent by Medicaid). Additional 
costs, if any, to enumerate these health care providers or update their 
data would be insignificant.
    The remaining 15 percent of health care providers that conduct 
HIPAA transactions (180,000) would be enumerated by a Federally-
directed registry. The one-time cost of enumerating these health care 
providers would be $9 million (180,000 health care providers  x  $50). 
The cost of enumerating 4,500 new health care providers would be 
$225,000 per year, and the cost to process 27,000 updates would be 
$270,000, for a total registry cost of $495,000 per outyear.
    Based on the cost estimates in this analysis, option 1 is 
considerably more expensive than option 2. We believe option 2 to be 
preferable to option 1 in that Federal programs and Medicaid State 
agencies would enumerate and update their own health care providers. 
The enumeration functions of the 5 percent of Medicaid State agencies 
that may decline to enumerate and update their own health care 
providers would fall to the Federally-directed registry.
    The initial and ongoing cost of developing, implementing and 
operating the NPS would be borne by the Federal government, depending 
on the availability of funds; some of this cost could be offset by 
ceasing current enumeration systems like Medicare's UPIN registry.
    The previous analysis relates only to health care providers that 
are required to have an NPI to perform HIPAA transactions. The 
remaining health care providers would not be required to obtain an NPI 
but could do so if they wished to have one for other reasons. We 
indicated in the Implementation section of this preamble that we would 
not issue NPIs to these health care providers until the health care 
providers that needed NPIs to conduct any of the electronic 
transactions specified in HIPAA had been enumerated. The cost of 
enumerating the approximately 3 million non-HIPAA-transaction health 
care providers could be as high as $150 million (3 million health care 
providers  x  $50). We are soliciting comments on sources of 
information on non-HIPAA-transaction health care providers. We cannot 
provide a realistic estimate of the cost of enumerating these health 
care providers without this additional input.

[[Page 25354]]

e. Maintenance of the Database
    Another cost implication is the maintenance of the database being 
developed by the NPS. (We discuss this cost implication in more detail 
in section IV. Data but believe the general discussion should be 
repeated here in the impact analysis as well.) That database, known as 
the National Provider File (NPF), is currently being designed to 
contain the data elements shown in the table entitled, ``National 
Provider File Data Elements'' in section IV. Data, A. Data Elements, 
earlier in this preamble. The majority of the information is used to 
uniquely identify a health care provider; other information is used for 
administrative purposes. A few of the data elements are collected at 
the request of potential users that have been working with HCFA in 
designing the database prior to the passage of HIPAA. All of these data 
elements represent only a fraction of the information that would 
comprise a provider enrollment file. The data elements shown in the 
``National Provider File Data Elements'' table earlier in the preamble, 
plus cease/effective/termination dates, switches (yes/no), indicators, 
and history, are being considered as those that would form the NPF. The 
table includes appropriate comments. The table does not display systems 
maintenance or similar fields, or health care provider cease/effective/
termination dates.
    We need to consider the benefits of retaining all of the data 
elements shown in the table versus lowering the cost of maintaining the 
database by keeping only the minimum number of data elements needed for 
unique provider identification. We solicit input on the composition of 
the minimum set of data elements needed to uniquely identify each type 
of health care provider. In order to consider the inclusion or 
exclusion of data elements, we need to assess their purpose and use.
    The data elements in the table with a purpose of ``I'' are being 
proposed to identify a health care provider, either in the search 
process (which is electronic) or in the investigation of health care 
providers designated as possible matches by the search process. These 
data elements are critical because unique identification is the 
keystone of the NPS.
    The data elements in the table with a purpose of ``A'' are not 
essential to the identification processes mentioned above, but they 
nonetheless are valuable. Certain ``A'' data elements can be used to 
contact a health care provider for clarification of information or 
resolution of issues encountered in the enumeration process and for 
sending written communications; other ``A'' data elements (e.g., 
Provider Enumerate Date, Provider Update Date, Establishing Enumerator/
Agent Number) are used to organize and manage the data.
    The data elements in the table with a purpose of ``U'' are 
collected at the request of potential users of the information in the 
system. While not used by the system's search process to uniquely 
identify a health care provider, Race (with a purpose of ``U'') is 
nevertheless valuable in the investigation of health care providers 
designated as possible matches as a result of that process. In 
addition, Race is important to the utility of the NPS as a statistical 
sampling frame. Race is collected ``as reported''; that is, it is not 
validated. It is not maintained, only stored. The cost of keeping this 
data element is virtually nil. Other data elements (Resident/Intern 
Code, Provider Certification Code and Number, and Organization Type 
Control Code) with a purpose of ``U'', while not used for enumeration 
of a health care provider, have been requested to be included by some 
members of the health care industry for reports and statistics. These 
data elements are optional and do not require validation; many remain 
constant by their nature; and the cost to store them is negligible.
    The data elements that we judge will be expensive to either 
validate or maintain (or both) are the license information, provider 
practice location addresses, and membership in groups. We solicit 
comments on whether these data elements are necessary for the unique 
enumeration of health care providers and whether validation or 
maintenance is required for that purpose.
    Licenses may be critical in determining uniqueness of a health care 
provider (particularly in resolving identifies involving compound 
surnames) and are, therefore, considered to be essential by some. 
License information is expensive to validate initially, but it is not 
expensive to maintain because it does not change frequently.
    The practice location addresses can be used to aid in investigating 
possible provider matches, in converting existing provider numbers to 
NPIs, and in research involving fraud or epidemiology. Location codes, 
which are discussed in detail in section B. Practice Addresses and 
Group/Organization Options of this preamble, could be assigned by the 
NPS to point to and identify practice locations of individuals and 
groups. Some potential users felt that practice addresses changed too 
frequently to be maintained efficiently at the national level. The 
average Medicare physician has two to three addresses at which he or 
she practices. Group providers may have many more practice locations. 
We estimate that 5 percent of health care providers require updates 
annually and that addresses are one of the most frequently changing 
attributes. As a result, maintaining more than one practice address for 
an individual provider on a national scale could be burdensome and time 
consuming. Many potential users believe that practice addresses could 
more adequately be maintained at local, health-plan specific levels.
    Some potential users felt that membership in groups was useful in 
identifying health care providers. Many others, however, felt that 
these data are highly volatile and costly to maintain. These users felt 
it was unlikely that membership in groups could be satisfactorily 
maintained at the national level.
    We welcome comments on the data elements proposed for the NPF and 
input as to the potential usefulness and tradeoffs for these elements 
such as those discussed above.

References

    1. Dobson, Allen, Ph.D. and Bergheiser, Matthew; ``Reducing 
Administrative Costs in a Pluralistic Delivery System through 
Automation;'' Lewin-VHI Report prepared for the Healthcare Financial 
Management Association; 1993.
    2. Congressional Budget Office; ``Federal Cost Estimate for H.R. 
3070;'' 1996.
    3. Workgroup for Electronic Data Interchange; ``Report,'' 1993.
    4. ``Electronic Network Solution for Rising Healthcare Costs;'' 
New Jersey Institute of Technology and Thomas Edison State College, 
1995.
    5. Faulkner & Gray's Health Data Directory, 1997 Edition; Kurt 
T. Peters, Publisher (also earlier editions).

List of Subjects in 45 CFR Part 142

    Administrative practice and procedure, Health facilities, Health 
insurance, Hospitals, Medicare, Medicaid.
    Accordingly, 45 CFR subtitle A, subchapter B, would be amended by 
adding Part 142 to read as follows:

    Note to Reader: This proposed rule and another proposed rule 
found elsewhere in this Federal Register are two of several proposed 
rules that are being published to implement the administrative 
simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996. We propose to establish a new 45 CFR 
Part 142. Proposed Subpart A--General Provisions is exactly the same 
in each rule unless we have added new sections or definitions to 
incorporate

[[Page 25355]]

additional general information. The subparts that follow relate to 
the specific provisions announced separately in each proposed rule. 
When we publish the first final rule, each subsequent final rule 
will revise or add to the text that is set out in the first final 
rule.

PART 142--ADMINISTRATIVE REQUIREMENTS

Subpart A--General Provisions

Sec.

142.101  Statutory basis and purpose.
142.102  Applicability.
142.103  Definitions.
142.104  General requirements for health plans.
142.105  Compliance using a health care clearinghouse.
142.106  Effective date of a modification to a standard or 
implementation specification.

Subparts B--C [Reserved]

Subpart D--National Provider Identifier Standard

142.402  National provider identifier standard.
142.404  Requirements: Health plans.
142.406  Requirements: Health care clearinghouses.
142.408  Requirements: Health care providers.
142.410  Effective dates of the initial implementation of the 
national provider identifier standard.

    Authority: Sections 1173 and 1175 of the Social Security Act (42 
U.S.C. 1320d-2 and 1320d-4).

Subpart A--General Provisions


Sec. 142.101  Statutory basis and purpose.

    Sections 1171 through 1179 of the Social Security Act, as added by 
section 262 of the Health Insurance Portability and Accountability Act 
of 1996, require HHS to adopt national standards for the electronic 
exchange of health information in the health care system. The purpose 
of these sections is to promote administrative simplification.


Sec. 142.102  Applicability.

    (a) The standards adopted or designated under this part apply, in 
whole or in part, to the following:
    (1) A health plan.
    (2) A health care clearinghouse when doing the following:
    (i) Transmitting a standard transaction (as defined in 
Sec. 142.103) to a health care provider or health plan.
    (ii) Receiving a standard transaction from a health care provider 
or health plan.
    (iii) Transmitting and receiving the standard transactions when 
interacting with another health care clearinghouse.
    (3) A health care provider when transmitting an electronic 
transaction as defined in Sec. 142.103.
    (b) Means of compliance are stated in greater detail in 
Sec. 142.105.


Sec. 142.103  Definitions.

    For purposes of this part, the following definitions apply:
    Code set means any set of codes used for encoding data elements, 
such as tables of terms, medical concepts, medical diagnostic codes, or 
medical procedure codes.
    Health care clearinghouse means a public or private entity that 
processes or facilitates the processing of nonstandard data elements of 
health information into standard data elements. The entity receives 
health care transactions from health care providers, health plans, 
other entities, or other clearinghouses, translates the data from a 
given format into one acceptable to the intended recipient, and 
forwards the processed transaction to the appropriate recipient. 
Billing services, repricing companies, community health management 
information systems, community health information systems, and ``value-
added'' networks and switches that perform these functions are 
considered to be health care clearinghouses for purposes of this part.
    Health care provider means a provider of services as defined in 
section 1861(u) of the Social Security Act, a provider of medical or 
other health services as defined in section 1861(s) of the Social 
Security Act, and any other person who furnishes or bills and is paid 
for health care services or supplies in the normal course of business.
    Health information means any information, whether oral or recorded 
in any form or medium, that--
    (1) Is created or received by a health care provider, health plan, 
public health authority, employer, life insurer, school or university, 
or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental 
health or condition of an individual, the provision of health care to 
an individual, or the past, present, or future payment for the 
provision of health care to an individual.
    Health plan means an individual or group plan that provides, or 
pays the cost of, medical care. Health plan includes the following, 
singly or in combination:
    (1) Group health plan. A group health plan is an employee welfare 
benefit plan (as currently defined in section 3(1) of the Employee 
Retirement Income and Security Act of 1974, 29 U.S.C. 1002(1)), 
including insured and self-insured plans, to the extent that the plan 
provides medical care, including items and services paid for as medical 
care, to employees or their dependents directly or through insurance, 
or otherwise, and
    (i) Has 50 or more participants; or
    (ii) Is administered by an entity other than the employer that 
established and maintains the plan.
    (2) Health insurance issuer. A health insurance issuer is an 
insurance company, insurance service, or insurance organization that is 
licensed to engage in the business of insurance in a State and is 
subject to State law that regulates insurance.
    (3) Health maintenance organization. A health maintenance 
organization is a Federally qualified health maintenance organization, 
an organization recognized as a health maintenance organization under 
State law, or a similar organization regulated for solvency under State 
law in the same manner and to the same extent as such a health 
maintenance organization.
    (4) Part A or Part B of the Medicare program under title XVIII of 
the Social Security Act.
    (5) The Medicaid program under title XIX of the Social Security 
Act.
    (6) A Medicare supplemental policy (as defined in section 
1882(g)(1) of the Social Security Act).
    (7) A long-term care policy, including a nursing home fixed-
indemnity policy.
    (8) An employee welfare benefit plan or any other arrangement that 
is established or maintained for the purpose of offering or providing 
health benefits to the employees of two or more employers.
    (9) The health care program for active military personnel under 
title 10 of the United States Code.
    (10) The veterans health care program under 38 U.S.C., chapter 17.
    (11) The Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
    (12) The Indian Health Service program under the Indian Health Care 
Improvement Act (25 U.S.C. 1601 et seq.).
    (13) The Federal Employees Health Benefits Program under 5 U.S.C. 
chapter 89.
    (14) Any other individual or group health plan, or combination 
thereof, that provides or pays for the cost of medical care.
    Medical care means the diagnosis, cure, mitigation, treatment, or 
prevention of disease, or amounts paid for the purpose of affecting any 
body structure or function of the body; amounts paid for transportation 
primarily for and essential to these items; and amounts paid for 
insurance covering the items and the

[[Page 25356]]

transportation specified in this definition.
    Participant means any employee or former employee of an employer, 
or any member or former member of an employee organization, who is or 
may become eligible to receive a benefit of any type from an employee 
benefit plan that covers employees of that employer or members of such 
an organization, or whose beneficiaries may be eligible to receive any 
of these benefits. ``Employee'' includes an individual who is treated 
as an employee under section 401(c)(1) of the Internal Revenue Code of 
1986 (26 U.S.C. 401(c)(1)).
    Small health plan means a group health plan or individual health 
plan with fewer than 50 participants.
    Standard means a set of rules for a set of codes, data elements, 
transactions, or identifiers promulgated either by an organization 
accredited by the American National Standards Institute or HHS for the 
electronic transmission of health information.
    Transaction means the exchange of information between two parties 
to carry out financial and administrative activities related to health 
care. It includes the following:

(1) Health claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health claims status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions as the Secretary may prescribe by regulation.


Sec. 142.104  General requirements for health plans.

    If a person conducts a transaction (as defined in Sec. 142.103) 
with a health plan as a standard transaction, the following apply:
    (a) The health plan may not refuse to conduct the transaction as a 
standard transaction.
    (b) The health plan may not delay the transaction or otherwise 
adversely affect, or attempt to adversely affect, the person or the 
transaction on the ground that the transaction is a standard 
transaction.
    (c) The health information transmitted and received in connection 
with the transaction must be in the form of standard data elements of 
health information.
    (d) A health plan that conducts transactions through an agent must 
assure that the agent meets all the requirements of this part that 
apply to the health plan.


Sec. 142.105  Compliance using a health care clearinghouse.

    (a) Any person or other entity subject to the requirements of this 
part may meet the requirements to accept and transmit standard 
transactions by either--
    (1) Transmitting and receiving standard data elements, or
    (2) Submitting nonstandard data elements to a health care 
clearinghouse for processing into standard data elements and 
transmission by the health care clearinghouse and receiving standard 
data elements through the health care clearinghouse.
    (b) The transmission, under contract, of nonstandard data elements 
between a health plan or a health care provider and its agent health 
care clearinghouse is not a violation of the requirements of this part.


Sec. 142.106  Effective date of a modification to a standard or 
implementation specification.

    HHS may modify a standard or implementation specification after the 
first year in which HHS requires the standard or implementation 
specification to be used, but not more frequently than once every 12 
months. If HHS adopts a modification to a standard or implementation 
specification, the implementation date of the modified standard or 
implementation specification may be no earlier than 180 days following 
the adoption of the modification. HHS determines the actual date, 
taking into account the time needed to comply due to the nature and 
extent of the modification. HHS may extend the time for compliance for 
small health plans.

Subpart B-C--[Reserved]

Subpart D--National Provider Identifier Standard


Sec. 142.402  National provider identifier standard.

    (a) The provider identifier standard that must be used under this 
subpart is the national provider identifier, which is supported by the 
Health Care Financing Administration. The national provider identifier 
is an 8-position alphanumeric identifier, which includes as the eighth 
position a check digit.
    (b) The file containing identifying information for each health 
care provider for its national provider identifier includes the 
following information:
    (1) The national provider identifier.
    (2) Other identifiers, such as the social security number 
(optional), employer identification number for some provider types, and 
identifying numbers from other health programs, if applicable.
    (3) Provider names.
    (4) Addresses and associated practice location codes.
    (5) Demographics (date of birth, State/country of birth, date of 
death if applicable, race (optional), sex).
    (6) Provider type(s), classification(s), area(s) of specialization.
    (7) Education for certain provider types, State licensure for 
certain provider types (optional), and board certification (optional 
for some classifications).


Sec. 142.404  Requirements: Health plans.

    Each health plan must accept and transmit the national provider 
identifier of any health care provider that must be identified by the 
national provider identifier in any standard transaction.


Sec. 142.406  Requirements: Health care clearinghouses.

    Each health care clearinghouse must use the national provider 
identifier of any health care provider that must be identified by the 
national provider identifier in any standard transaction.


Sec. 142.408  Requirements: Health care providers.

    (a) Each health care provider must obtain, by application if 
necessary, a national provider identifier.
    (b) Each health care provider must accept and transmit national 
provider identifiers wherever required on all transactions it accepts 
or transmits electronically.
    (c) Each health care provider must communicate any changes to the 
data elements in its file in the national provider system to an 
enumerator of national provider identifiers within 60 days of the 
change.
    (d) Each health care provider may receive and use only one national 
provider identifier. Upon dissolution of a health care provider that is 
a corporation or a partnership, or upon the death of a health care 
provider who is an individual, the national provider identifier is 
inactivated.


Sec. 142.410  Effective dates of the initial implementation of the 
national provider identifier standard.

    (a) Health plans. (1) Each health plan that is not a small health 
plan must comply with the requirements of Secs. 142.104 and 142.404 by 
(24 months after the effective date of the final rule in the Federal 
Register).
    (2) Each small health plan must comply with the requirements of

[[Page 25357]]

Sec. Sec. 142.104 and 142.404 by (36 months after the effective date of 
the final rule in the Federal Register).
    (b) Health care clearinghouses and health care providers. Each 
health care clearinghouse and health care provider must begin using the 
standard specified in Sec. 142.402 by (24 months after the effective 
date of the final rule in the Federal Register).

    Authority: Sections 1173 and 1175 of the Social Security Act (42 
U.S.C. 1320d-2 and 1320d-4).

    Dated: March 27, 1998.
Donna E. Shalala,
Secretary.
[FR Doc. 98-11692 Filed 5-1-98; 9:05 am]
BILLING CODE 4120-01-P