[Federal Register Volume 69, Number 15 (Friday, January 23, 2004)]
[Rules and Regulations]
[Pages 3434-3469]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-1149]



[[Page 3433]]

-----------------------------------------------------------------------

Part II





Department of Health and Human Services





-----------------------------------------------------------------------



Office of the Secretary



-----------------------------------------------------------------------



45 CFR Part 162



HIPAA Administrative Simplification: Standard Unique Health Identifier 
for Health Care Providers; Final Rule

  Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules 
and Regulations  

[[Page 3434]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 162

[CMS-0045-F]
RIN 0938-AH99


HIPAA Administrative Simplification: Standard Unique Health 
Identifier for Health Care Providers

AGENCY: Centers for Medicare & Medicaid Services, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule establishes the standard for a unique health 
identifier for health care providers for use in the health care system 
and announces the adoption of the National Provider Identifier (NPI) as 
that standard. It also establishes the implementation specifications 
for obtaining and using the standard unique health identifier for 
health care providers. The implementation specifications set the 
requirements that must be met by ``covered entities'': Health plans, 
health care clearinghouses, and those health care providers who 
transmit any health information in electronic form in connection with a 
transaction for which the Secretary has adopted a standard (known as 
``covered health care providers''). Covered entities must use the 
identifier in connection with standard transactions.
    The use of the NPI will improve the Medicare and Medicaid programs, 
and other Federal health programs and private health programs, and the 
effectiveness and efficiency of the health care industry in general, by 
simplifying the administration of the health care system and enabling 
the efficient electronic transmission of certain health information. 
This final rule implements some of the requirements of the 
Administrative Simplification subtitle F of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA).

EFFECTIVE DATE: May 23, 2005, except for the amendment to Sec.  
162.610, which is effective on January 23, 2004. Health care providers 
may apply for NPIs beginning on, but no earlier than, May 23, 2005.

FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812.

SUPPLEMENTARY INFORMATION:
    Copies: To order copies of the Federal Register containing this 
document, send your request to: New Orders, Superintendent of 
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date 
of the issue requested and enclose a check or money order payable to 
the Superintendent of Documents, or enclose your Visa or Master Card 
number and expiration date. Credit card orders can also be placed by 
calling the order desk at (202) 512-1800 or by faxing to (202) 512-
2250. The cost for each copy is $10. As an alternative, you can view 
and photocopy the Federal Register document at most libraries 
designated as Federal Depository Libraries and at many other public and 
academic libraries throughout the country that receive the Federal 
Register. This Federal Register document is also available from the 
Federal Register online database through GPO access, a service of the 
U.S. Government Printing Office. The Web site address is http://www.access.gpo.gov/nara/index.html. This document is also available 
from the Department's Web site at http://aspe.hhs.gov/admnsimp/.

I. Background

    In order to administer its programs, a health plan assigns 
identification numbers to its providers of health care services and its 
suppliers. A health plan may be, among other things, a Federal program 
such as Medicare, a State Medicaid program, or a private health plan. 
The identifiers it assigns are frequently not standardized within a 
single health plan or across health plans, which results in the single 
health care provider having different identification numbers for each 
health plan, and often having multiple billing numbers issued within 
the same health plan. This complicates the health care provider's 
claims submission processes and may result in the assignment of the 
same identification number to different health care providers by 
different health plans.

A. NPI Initiative

    In July 1993, the Centers for Medicare & Medicaid Services (CMS) 
(formerly the Health Care Financing Administration (HCFA)), undertook a 
project to develop a health care provider identification system to meet 
the needs of the Medicare and Medicaid programs and, ultimately, the 
needs of a national identification system for all health care 
providers. Active participants in the project represented both 
government and the private sector. The project participants decided to 
develop a new identifier for health care providers because existing 
identifiers did not meet the criteria for national standards. The new 
identifier, known as the National Provider Identifier (NPI), did not 
have the limitations of the existing identifiers, and it met the 
criteria that had been recommended by the Workgroup for Electronic Data 
Interchange (WEDI) and the American National Standards Institute 
(ANSI).

B. The Results of the NPI Initiative

    As a result of the project, and before the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, 
which was enacted on August 21, 1996, required the adoption and use of 
a standard unique identifier for health care providers, CMS and the 
other project participants accepted the NPI as the standard unique 
health identifier for health care providers. CMS decided to implement 
the NPI for Medicare, and began work on developing the National 
Provider System (NPS), which was intended to capture health care 
provider data and be equipped with the technology necessary to maintain 
and manage the data. The NPS was intended to be able to accept health 
care provider data in order to uniquely identify a health care provider 
and assign it an NPI. The NPS was intended to be designed so it could 
be used by other Federal and State agencies, and by private health 
plans, if deemed appropriate, to enumerate their health care providers 
that did not participate in Medicare.

C. Legislation

    The Congress included provisions to address the need for a standard 
unique health identifier for health care providers and other health 
care system needs in the Administrative Simplification provisions of 
HIPAA. Through subtitle F of title II of that law, the Congress added 
to title XI of the Social Security Act (the Act) a new part C, entitled 
``Administrative Simplification.'' (Pub. L. 104-191 affects several 
titles in the United States Code.) The purpose of part C is to improve 
the Medicare and Medicaid programs in particular, and the efficiency 
and effectiveness of the health care system in general, by encouraging 
the development of a health information system through the 
establishment of standards and implementation specifications to 
facilitate the electronic transmission of certain health information.
    Part C of title XI consists of sections 1171 through 1179 of the 
Act. These sections define various terms and impose requirements on the 
Secretary of the Department of Health and Human Services (HHS), health 
plans, health care clearinghouses, and certain health care providers 
concerning the adoption of standards and implementation specifications 
relating to health

[[Page 3435]]

information. Section 1173(b) of the Act requires the Secretary to adopt 
standards providing for a standard unique health identifier for each 
individual, employer, health plan, and health care provider for use in 
the health care system and to specify the purposes for which the 
identifiers may be used. It also requires the Secretary to consider 
multiple locations and specialty classifications for health care 
providers in developing the standard health identifier for health care 
providers. We discussed other general aspects of the HIPAA statute in 
greater detail in the May 7, 1998, proposed rule (63 FR 25320).

D. Plan for Implementing Administrative Simplification Standards

    On May 7, 1998, we proposed a standard unique health identifier for 
health care providers and requirements concerning its implementation 
(63 FR 25320). That proposed rule also set forth requirements that 
health plans, health care clearinghouses, and covered health care 
providers would have to meet concerning the use of the standard. On May 
7, 1998, we also proposed standards for transactions and code sets (63 
FR 25272). We published the final rule, entitled Health Insurance 
Reform: Standards for Electronic Transactions (the Transactions Rule), 
on August 17, 2000 (65 FR 50312). On May 31, 2002, in two separate 
proposed rules, we published proposed modifications to the Standards 
for Electronic Transactions. We published a final rule adopting 
modifications to the Transactions Rule on February 20, 2003 (68 FR 
8381).
    On November 3, 1999, we proposed standards for privacy of 
individually identifiable health information (64 FR 59918). We 
published the final rule, entitled Standards for Privacy of 
Individually Identifiable Health Information (the Privacy Rule), on 
December 28, 2000 (65 FR 82462). On March 27, 2002, we proposed 
modifications to the Privacy Rule. On August 14, 2002, we published 
modifications to the Privacy standards in a final rule, entitled 
``Standards for Privacy of Individually Identifiable Health 
Information'' (the Privacy Rule Modifications) (67 FR 53182).
    On June 16, 1998, we proposed the standard unique employer 
identifier (63 FR 32784). On May 31, 2002, we published the final rule, 
entitled ``Standard Unique Employer Identifier'' (67 FR 38009).
    On August 12, 1998, we proposed standards for security and 
electronic signatures (63 FR 43242). On February 20, 2003, we published 
the final rule on security standards (the Security Rule) (68 FR 8334).
    On April 17, 2003, we published an interim final rule adopting 
procedures for the investigation and imposition of civil money 
penalties and the conduct of hearings when the imposition of a penalty 
is challenged (68 FR 18895). The interim final rule is the first 
installment of a larger rule, known as the Enforcement Rule, the rest 
of which is to be proposed at a later date.
    We will be proposing standards for the unique health plan 
identifier and claims attachments.
    In the May 7, 1998, proposed rule for the standard unique health 
identifier for health care providers, we proposed to add a new part 142 
to title 45 of the Code of Federal Regulations (CFR) for the 
administrative simplification standards and requirements. We have 
decided to codify the final rules in 45 CFR part 162 instead of part 
142. The Transactions Rule (65 FR 50312) explains why we made this 
change and lists the subparts and sections comprising part 162. In this 
final rule, we reference the proposed text using part 142, and 
reference the final text using part 162.
    In the Transactions Rule, we addressed (at 65 FR 50314) the 
comments that were made on issues that were common to the proposed 
rules on standards for electronic transactions, the standard employer 
identifier, the standards for security and electronic signatures, and 
the standard health care provider identifier. Those issues relate to 
applicability, definitions, general effective dates, new and revised 
standards, and the aggregate impact analysis. In that final rule, we 
set out the general requirements in part 160 subpart A and part 162 
subpart A. We refer the reader to that rule for more information on all 
but our discussion of issues pertinent to the standard unique health 
identifier for health care providers and the definition of health care 
provider.

E. Employer Identifier Standard: Waiver of Proposed Rulemaking and 
Effective Date for Uses of Employer Identifier

    As stated in section I.D., ``Plan for Implementing Administrative 
Simplification Standards,'' of this preamble, we published the final 
rule that adopted the standard unique employer identifier on May 31, 
2002 (67 FR 38009). The Employer Identifier was adopted as that 
standard effective July 30, 2002. We amend Sec.  162.610 as explained 
below.
    We ordinarily publish a correcting amendment of proposed rulemaking 
in the Federal Register and invite public comment on the correcting 
amendment before its provisions can take effect. We also ordinarily 
provide a delay of 30 days in the effective date of the final rule. We 
can waive notice and comment procedure and the 30-day delay in the 
effective date, however, if we find good cause that a notice and 
comment procedure is impracticable, unnecessary, or contrary to the 
public interest and we incorporate a statement in the correcting 
amendment of this finding and the reasons supporting that finding.
    We find that seeking public comment on and delaying the effective 
date of this correcting amendment would be contrary to the public 
interest. Section 1173(b)(2) of the Act requires that the standards 
regarding unique health care identifiers specify the purposes for which 
they may be used. Section 162.610 requires a covered entity to use the 
standard unique employer identifier--the employer identification number 
(EIN) assigned by the Internal Revenue Services (IRS), U.S. Department 
of the Treasury--in standard transactions that require an employer 
identifier. Unless Sec.  162.610 is amended to permit use of the 
standard unique employer identifier for all other lawful purposes, the 
Act could be read to subject covered entities that use their EIN for 
other purposes to civil money penalties under section 1176 of the Act 
and criminal penalties under section 1177 of the Act, a result that we 
did not intend. The IRS requires any taxpayer assigned an EIN to use 
the EIN as its taxpayer identifying number. Statutes and regulations 
also authorize or require other Federal agencies, including the 
Departments of Agriculture, Commerce, Education, Housing and Urban 
Development, and Labor, to collect EINs in connection with 
administering various Federal programs and laws. Since some of these 
agencies may conduct transactions with covered entities or may be 
covered entities in their own right, failure to promptly publish the 
correcting amendment could cause conflict between Sec.  162.610 and 
other statutory and regulatory directives, generating uncertainty for 
covered entities and potentially disrupting the administration of other 
Federal programs and laws. We believe that it is necessary to eliminate 
that uncertainty and potential disruption and to do so as soon as 
practicable by amending Sec.  162.610 to include as permitted uses of 
the EIN all other lawful purposes. Therefore, we find good cause to 
waive the notice and comment procedure and the 30-day

[[Page 3436]]

delay in the effective date as being contrary to the public interest.

II. Provisions of the Regulations and Discussion of Public Comments

    Within each section of this final rule, we set forth the proposed 
provision contained in the May 7, 1998, proposed rule, summarize and 
respond (if appropriate) to the comments we received on the proposed 
provision, and present the final provision.
    It should be noted that the proposed rule contained multiple 
proposed ``requirements.'' In this final rule, we replace the term 
``requirement'' with the term ``implementation specification,'' where 
appropriate. We do this to maintain consistency with the use of those 
terms as they appear in the statute and the other published HIPAA 
rules. Within the comment and response portion of this final rule, for 
purposes of continuity, however, we use the term ``requirement'' when 
we are referring specifically to matters from the proposed rule. In all 
other instances, we use the term ``implementation specification.''
    In the May 7, 1998, proposed rule, we proposed a standard unique 
health identifier for health care providers. We listed the kinds of 
identifying information that would be collected about each health care 
provider in order to assign the identifier.
    In addition to the requirement that health care providers use the 
standard, the May 7, 1998, proposed rule also proposed other 
requirements for health care providers:
    [sbull] Each health care provider must obtain, by application if 
necessary, an NPI.
    [sbull] Each health care provider must accept and transmit NPIs 
whenever required on all standard transactions it accepts or transmits 
electronically.
    [sbull] Each health care provider must communicate to the National 
Provider System (NPS) any changes to the data elements in its record in 
the NPS within 60 days of the change.
    [sbull] Each health care provider may receive and use only one NPI. 
An NPI is inactivated upon death or dissolution of the health care 
provider.

A. General Provisions

1. Applicability
    The May 7, 1998, proposed rule for the standard unique health 
identifier for health care providers discussed the applicability of 
HIPAA to covered entities. The proposed rule provided that section 262 
(Administrative Simplification) of HIPAA applies to health plans, 
health care clearinghouses, and health care providers when health care 
providers electronically transmit any of the transactions to which 
section 1173(a)(1) of the Act refers. Comments received with respect to 
Applicability are discussed in sections II. A. 2., ``Definition of 
Health Care Provider,'' and II. A. 5., ``Implementation Specifications 
for Health Care Providers, Health Plans, and Health Care 
Clearinghouses'' of this preamble.
2. Definition of Health Care Provider
    In the Transactions Rule, we summarized the comments we received on 
the definitions we proposed in the May 7, 1998, NPI proposed rule (at 
63 FR 25324), with the exception of the definition of ``health care 
provider.'' We codified all of the definitions in 45 CFR 160.103 and 45 
CFR 162.103. Specifically, we codified the definition of ``health care 
provider'' at 45 CFR 160.103. We are responding in this preamble to the 
comments we received on the definition of ``health care provider,'' as 
we believe that these comments present issues that are more relevant to 
the standard unique health identifier for health care providers. As 
appropriate, our responses refer to discussions and decisions that were 
published in the Privacy Rule (65 FR 82462). This final rule does not 
change the definition of ``health care provider'' at Sec.  160.103. 
This final rule adds the definition of ``covered health care provider'' 
at Sec.  162.402.

Proposed Provisions (Sec.  142.103)

    In the May 7, 1998, proposed rule, we proposed to define ``health 
care provider'' as a provider of services as defined in section 1861(u) 
of the Act, a provider of medical or other health services as defined 
in section 1861(s) of the Act, and any other person who furnishes or 
bills and is paid for health care in the normal course of business (63 
FR 25325). We based the proposed definition on section 1171(3) of the 
Act for the reasons we stated in the May 7, 1998, proposed rule.
Comments and Responses on the Definition of ``Health Care Provider''
    Comment: We received many comments concerning the kinds of entities 
that should receive NPIs. Some of these comments recommended that the 
definition of a ``health care provider'' be constructed narrowly to 
restrict the kinds of entities that would be eligible to receive NPIs; 
others recommended that the definition be constructed broadly. Comments 
did not reflect a consensus or majority view across all commenters or 
even within the two groups of commenters who recommended a narrow or a 
broad definition of ``health care provider.''
    Commenters favoring a narrow definition of ``health care provider'' 
gave the following examples of entities to which NPIs should or should 
not be issued:
    [sbull] Only to those licensed to furnish health care.
    [sbull] Only to individuals and entities that furnish health care.
    [sbull] Only to billing health care providers.
    [sbull] Only to licensed health care providers that furnish care, 
bill, and are paid by third party payers for services.
    [sbull] Not to physicians who have opted out of government medical 
programs.
    [sbull] Not to groups, partnerships, or corporations.
    [sbull] Not to entities that bill or are paid for health care 
services furnished by other health care providers. A billing or pay-to 
entity should be identified by its taxpayer identifying number, not by 
an NPI.
    [sbull] Not to clearinghouses, administrative services only 
vendors, billing services, or health care provider service locations.
    Commenters favoring a broad definition of ``health care provider'' 
gave the following examples of entities to which NPIs should be issued:
    [sbull] Any health care provider that has a taxpayer identifying 
number.
    [sbull] Any individual or organization, including Independent 
Practice Associations and clearinghouses, that ever has custody of or 
transmits a health care claim or encounter record.
    [sbull] All health care provider groups.
    [sbull] Each billing health care provider, health care provider 
billing location, pay-to provider, performing health care provider, 
health care provider service location, and health care provider 
specialty.
    [sbull] Each incorporated individual and ``doing business as'' name 
of an organization.
    [sbull] The lowest organizational level of an entity that needs to 
be identified.
    Response: Although there was no consensus from commenters as to 
which entities should receive NPIs, several principles can be inferred.
    Many commenters who favored a narrow definition of ``health care 
provider'' want to simplify the current situation for health care 
providers; that is, a health care provider may have many health care 
provider numbers assigned by health plans for different business 
functions. The health care provider numbers sometimes represent the 
actual health care provider that furnishes health care, but may also 
represent the health care provider's

[[Page 3437]]

service locations, corporate headquarters, specialties, pay-to 
arrangements, or contracts. Those who favored a narrow definition 
generally believed the NPI should represent only the health care 
provider that furnishes health care.
    Commenters who favored a broad definition of ``health care 
provider'' recognized the many business functions and uses in health 
care transactions fulfilled by health care provider numbers today. 
These business functions will continue to need to be performed after 
the implementation of the NPI. In order for the NPI to replace the 
multiple, proprietary health care provider numbers assigned by health 
plans today, the NPI must be assigned so that the business functions 
can continue. Those who favored a broad definition believed that if the 
NPI is not able to identify the health care provider entities that must 
be identified in an electronic health care claim or equivalent 
encounter information transaction, health plans will be forced to 
continue to use their existing proprietary health care provider numbers 
and the NPI will add to, rather than replace or simplify, health care 
provider numbering systems currently in use.
    The varying needs for health care provider numbers guided our 
decisions on which entities would be eligible to receive NPIs. Our 
general rule is that all health care providers, as we define that term 
in the regulations, will be eligible to receive NPIs. We discuss this 
in detail later in this section.
    It is important to note that not all health care providers who are 
eligible to receive NPIs will necessarily be required to comply with 
the HIPAA regulations. This is because some health care providers are 
not covered entities under HIPAA. The fact that a health care provider 
obtains an NPI does not impose covered entity status on that health 
care provider. Only those entities that (1) meet the definition of 
health care provider at Sec.  160.103, and (2) transmit health 
information in electronic form on their own behalf, or that use a 
business associate to transmit health information in electronic form on 
their behalf, in connection with a transaction for which the Secretary 
has adopted a standard (a covered transaction) are health care 
providers who are required to comply with the HIPAA regulations. These 
health care providers are covered health care providers and are 
considered ``covered entities'' under HIPAA. As noted above, we add a 
definition of ``covered health care provider'' at Sec.  162.402.
    The following discussion clarifies the eligibility of health care 
providers to be assigned NPIs and distinguishes between those that are 
covered entities under HIPAA and those that are not.
    ``Health care provider'' is defined in the regulations at Sec.  
160.103 as follows ``Health care provider means a provider of services 
as defined in section 1861(u) of the Act, 42 U.S.C. 1395X(u), a 
provider of medical or health services as defined in section 1861(s) of 
the Act, 42 U.S.C. 1395x(s), and any other person or organization who 
furnishes, bills, or is paid for health care in the normal course of 
business.'' Examples of health care providers included in this 
definition are: Physicians and other practitioners; hospitals and other 
institutional providers; suppliers of durable medical equipment, 
supplies related to health care, prosthetics, and orthotics; pharmacies 
(including on-line pharmacies) and pharmacists; and group practices. 
Additional examples are health maintenance organizations that may be 
considered health care providers as well as health plans if they also 
provide health care.
    There are individuals and organizations that furnish atypical or 
nontraditional services that are indirectly health care-related, such 
as taxi, home and vehicle modifications, insect control, habilitation, 
and respite services. These types of services are discussed in the 
Transactions Rule at 65 FR 50315. As stated in that Rule, many of these 
services do not qualify as health care services because the services do 
not fall within our definition of ``health care.'' An individual or 
organization must determine if it provides any services that fall 
within our definition of ``health care'' at Sec.  160.103. If it does 
provide those services, it is considered a health care provider and 
would be eligible for an NPI. If it does not, and does not provide 
other services or supplies that bring it within the definition of 
``health care provider,'' it would not be a health care provider under 
HIPAA, and would not be eligible to receive an NPI.
    The nonhealth care services of some atypical or nontraditional 
service providers are reimbursed by some health plans. Nevertheless, 
there is no requirement under HIPAA to use the standard transactions 
when submitting electronic claims for these types of services, because 
claims for these services are not claims for health care. (Health 
plans, however, are free to establish their own requirements for 
submitting claims in these circumstances, which means that a health 
plan could require atypical and nontraditional service providers to 
submit standard transactions. The health plans could not require these 
entities to obtain NPIs to use in those transactions, however, because 
those entities are not eligible to receive NPIs.)
    There are other individuals and organizations that, in the normal 
course of business, bill or receive payment for health care that is 
furnished by health care providers. These individuals and organizations 
may include billing services, value-added networks, and repricers. 
While these entities bill for health care, we do not read the statutory 
definition of ``health care provider'' as encompassing them. Rather, 
they would usually be acting as agents of health care providers in 
performing the billing function, or as health care clearinghouses 
assuming that they perform the data translation function described in 
the definition of ``health care clearinghouse'' at Sec.  160.103. The 
definition of ``health care clearinghouse'' specifically lists these 
entities as examples of health care clearinghouses. The health care 
industry does not consider these types of entities to be health care 
providers. Further, we do not believe that the Congress intended for 
them to be considered as such, as the statutory definition of ``health 
care provider'' refers only to ``other person furnishing health care 
services or supplies'' and thus would exclude persons who only bill 
for, but do not furnish, health care services or supplies. Thus, this 
final rule does not include billing services and similar entities as 
health care providers. Therefore, because these kinds of entities are 
not health care providers, they will not be eligible for NPIs.
    Comment: The Workgroup for Electronic Data Interchange (WEDI) 
commented that the NPI should be the only identifier for health care 
providers when the HIPAA transactions require provider identification. 
WEDI suggested that, to the extent provider-payer contracts require 
locations, location codes, and contract references, these should be 
handled outside of the NPS. To the extent numbers associated with 
providers (for example, Taxpayer Identifying Number (TIN) and Drug 
Enforcement Administration (DEA) number) are required for specific 
purposes other than provider identification, the HIPAA transactions 
should accommodate those numbers (and qualifiers) in the appropriate 
segments of the transactions.
    WEDI recommended that:
    [sbull] Health care providers who are individual human beings 
obtain one and only one NPI for life;
    [sbull] Health care providers endeavor to have only one NPI per 
organization, but

[[Page 3438]]

that the final decision on how many NPIs are necessary for an 
organization health care provider be left to the health care provider; 
and
    [sbull] At a minimum, and as the most critical criterion, the NPS 
data associated with any additional NPIs that an organization decides 
to obtain must not be identical to those associated with any other NPI 
in use by the organization.
    Some commenters supported our proposal that, if a separate physical 
location of an organization health care provider, member of a chain, or 
subpart of an organization health care provider needs to be separately 
identified, it would be eligible to get a separate NPI. A few 
commenters stated that different physical locations or subparts of an 
organization health care provider should not get separate NPIs. One 
commenter recommended that the NPS issue separate NPIs for separate 
physical locations, members of a chain, or subparts of an organization 
health care provider only if these are separately licensed or 
certified. The commenter believes that the issuance of separate 
licenses and certifications justifies their recognition as separate 
health care providers. Another commenter recommended that the NPS issue 
separate NPIs for these entities if Medicare considers the entities to 
be separate health care providers. A number of large health plans 
consider each physical location of a supplier of health care-related 
supplies to be a separate health care provider in order to uniquely 
identify it on claims to enable accurate pricing and reimbursement.
    Response: We agree in concept with the recommendations made by 
WEDI.
    At the time we published the proposed rule and received public 
comments on it, the Secretary had not yet adopted standards for any of 
the HIPAA Administrative Simplification provisions. Since that time, 
and as noted in section I. D., ``Plan for Implementing Administrative 
Simplification Standards'' of this preamble, the Secretary has adopted 
a number of Administrative Simplification standards, including the 
Privacy and Security standards. The following discussion describes the 
assignment of NPIs to certain organization health care providers and 
the relationship, if any, of the assignment methodology to the 
standards and implementation specifications adopted in the Privacy and 
Security Rules.
    Many health care providers that are organizations (such as 
hospitals and chains of suppliers of health care-related supplies, 
pharmacies, and others) are made up of components or separate physical 
locations. Many of these components or separate physical locations are 
separately certified or licensed by States as health care providers.
    [sbull] Examples of hospital components include outpatient 
departments, surgical centers, psychiatric units, and laboratories. 
These components are often separately licensed or certified by States 
and may exist at physical locations other than that of the hospital of 
which they are a component. Many health plans consider these components 
to be health care providers in their own right. Many of these 
components bill independently of the hospital of which they are a 
component.
    [sbull] Organization health care providers that are chains 
generally have a corporate headquarters and a number of separate 
physical locations. A durable medical equipment supplier chain, for 
example, has a corporate headquarters and separate physical locations 
at which durable medical equipment is dispensed to patients. The 
separate physical locations are generally separately licensed or 
certified by States. They often operate independently of each other and 
usually do their own billing. Many health plans consider each separate 
physical location to be a health care provider itself; and many of 
these health plans, including Medicare, reimburse for these items based 
on the geographic location where the items are dispensed to patients 
and not on the geographic location of the corporate headquarters.
    An entity that meets certain Federal statutory implementation 
specifications and regulations is eligible to participate in the 
Medicare program. Our definition of ``health care provider'' at Sec.  
160.103 includes those eligible to participate in Medicare as described 
in Federal statute (that is, in Sec.  1861(s) and Sec.  1861(u) of the 
Social Security Act). These entities, according to Federal statute and 
regulations, must be issued their own identification numbers in order 
to bill and receive payments from Medicare. The Federal statutes and 
regulations similarly affect the Medicaid program.
    Health care providers that are covered entities (see the definition 
at Sec.  160.103) are required to comply with this final rule. Thus, 
while all health care providers (as defined in Sec.  160.103) are 
eligible to be assigned NPIs and may, therefore, obtain NPIs, health 
care providers that are covered entities must obtain NPIs. As mentioned 
earlier in this section, a health care provider that is not a covered 
entity and which has been assigned an NPI does not become a covered 
entity as a result of NPI assignment.
    We refer to the components and separate physical locations 
described in the bulleted examples above as ``subparts'' of 
organization health care providers.
    We use the term ``subpart'' to avoid confusion with the term 
``health care component'' in the Privacy and Security Rules. We discuss 
terms and concepts in the Privacy and Security Rules later in this 
section.
    Section 1173(b)(1) of the Act provides that the Secretary ``shall 
take into account multiple uses for identifiers and multiple locations 
and specialty classifications for health care providers.'' This 
language indicates that Congress realized that certain health care 
providers operate at multiple locations and/or provide multiple types 
of health care services, and intended that the identifier standard take 
these variations in circumstance into account. We accommodate this 
language by requiring covered health care providers to obtain NPIs for 
subparts of their organizations that would otherwise meet the tests for 
being a covered health care provider themselves if they were separate 
legal entities, and permitting health care providers to obtain NPIs for 
subparts that do not meet these tests but otherwise qualify for 
assignment of an NPI. For example, a subpart may qualify for assignment 
of an NPI based on such factors as the subpart having a location and 
licensure separate from the organization health care provider of which 
it is a subpart. Licensure is often indicative of specialty (Healthcare 
Provider Taxonomy) classification. Thus, the assignment scheme created 
by this final rule provides flexibility in addressing the varied 
circumstances of health care providers, as Congress intended.
    A ``subpart'' described in this final rule may differ from a 
``health care component'' described in the Privacy and Security Rules. 
Therefore, it is appropriate to discuss these concepts and their 
relationship, if any, to the assignment of NPIs as established by this 
final rule.
    Standards and implementation specifications for the Privacy and 
Security standards fall under part 164--Security and Privacy, of 45 
CFR, whereas the implementation specifications for the standard unique 
health identifier for health care providers (and for the other 
identifiers mandated by HIPAA) are within part 162--Administrative 
Implementation Specifications, of 45 CFR. The broad concepts of 
ownership, control, and structure of covered entities are relevant

[[Page 3439]]

to determining the scope of, and defining responsibility for, 
implementing the Privacy and Security standards; therefore, we 
addressed those concepts in those rules. On the other hand, the 
concepts of ownership, control, and structure are of no significant 
value or importance in determining the health care providers that may 
be eligible to obtain NPIs, which is why those concepts are not 
discussed in this final rule.
    The term ``hybrid entity'' is defined in part 164, which is 
applicable to the Privacy and Security Rules, and may be a factor in 
determining responsibility for the implementation of the Privacy and 
Security standards and implementation specifications. It is defined in 
Sec.  164.103 and is discussed in the Privacy Rule at 65 FR 82502. It 
is possible that an organization health care provider may be a hybrid 
entity and, as such, may designate health care components for purposes 
of implementing the Privacy and Security Rules. It is possible and, 
indeed, likely that subparts as described earlier in this preamble may 
be health care components of a hybrid entity. It is also possible that 
the subparts may not align precisely with the designated health care 
components. There is no necessary correlation between what is a subpart 
and what is a health care component, and there need not be because, as 
stated above, the nature and function of the Privacy and Security 
standards differ from those of the health care provider identifier 
standard. The level of assignment of NPIs must be adequate to enumerate 
entities that meet the definition of ``health care provider'' at Sec.  
160.103. It is, therefore, possible that a designated health care 
component may in essence be assigned multiple NPIs if the health care 
component is made up of multiple health care providers or subparts, as 
described earlier.
    The term ``organized health care arrangement'' is discussed in the 
Security and Privacy Rules and is defined at Sec.  160.103. It is 
possible that subparts that are also health care components may elect 
to come together to form an organized health care arrangement. Whether 
or not subparts participate in an organized health care arrangement for 
purposes of implementing the Privacy or Security standards has no 
effect on their eligibility to be assigned NPIs.
    It must be kept in mind, with respect to the subparts as described 
in this preamble, that the organization health care provider is a legal 
entity and is the covered entity under HIPAA if it (or a subpart or 
component) transmits health information in electronic form (or uses a 
business associate to do so) in connection with a covered transaction. 
The subparts are simply parts of the legal entity. The legal entity--
the covered entity--is ultimately responsible for complying with the 
HIPAA rules and for ensuring that its subparts and/or health care 
components are in compliance. The organization health care provider, of 
which the subpart is a part, is responsible for ensuring that the 
subpart complies with the implementation specifications in this final 
rule. The organization health care provider is responsible for 
determining if its subpart or subparts must be assigned NPIs, as 
discussed above in this section of the preamble. The organization 
health care provider is also responsible for applying for NPIs for its 
subparts or for instructing its subparts to apply for NPIs themselves. 
(That is, it is not necessary that an application for an NPI be made by 
the organization health care provider on behalf of its subpart.)
    Comment: Some commenters expressed concern that the professional 
claim or equivalent encounter information transaction be able to 
accommodate address or location information associated with billing, 
pay-to, and furnishing health care providers.
    Response: The ASC X12N 837 Health Care Claim: Professional, adopted 
in the Transactions Rule, accommodates addresses for all these 
entities.
    Comment: Some commenters stated their desire for an identifier to 
represent each service address, for the purpose of reporting the 
location of service on a professional health care claim.
    Response: We believe that the location of service can properly be 
reported by use of data elements in the standard professional health 
care claim or equivalent encounter information transaction. The address 
where service was furnished (if different from the billing or pay-to 
provider's address and if not at the patient's home) is accommodated in 
the X12N 837 Professional Claim in the Service Facility Location loop. 
For these reasons, we do not believe a health care provider identifier 
needs to be assigned to every address at which a service can be 
provided. If health plans need service location data in addition to the 
data that are accommodated in the standard health care claim 
transaction, they should notify the organization responsible for that 
transaction (see Sec.  162.910 and Sec.  162.1102).
    Comment: Several commenters named specific kinds of practitioners 
or entities that should be eligible to receive NPIs. These commenters 
cited practitioners who write prescriptions, home health housekeepers, 
long-term care providers, providers of home health services, meals on 
wheels, and transportation.
    Response: Entities that do not furnish health care, and do not meet 
the definition of health care provider, will not be eligible to receive 
NPIs. A title does not necessarily indicate that an entity does or does 
not furnish health care. Entities who are unsure as to whether they are 
health care providers should check the definition of ``health care'' in 
Sec.  160.103 to determine whether the kinds of services they furnish 
are health care services.
    Comment: Some commenters stated that billing services should not 
receive NPIs. None of these commenters gave a definition or criteria to 
distinguish billing services from entities that would be eligible to be 
assigned NPIs. Other commenters stated that these definitions and 
criteria would be difficult to apply.
    Response: As stated earlier in this section, billing services do 
not meet our regulatory definition of health care provider and, 
therefore, will not be eligible for NPIs. Generally, the health care 
provider that furnished health care is the ``Billing provider'' on the 
X12N 837 transaction and would identify itself with an NPI. If a 
billing service needs to be identified as the ``Billing provider,'' it 
would identify itself with either an Employer Identification Number 
(EIN) or a Social Security Number (SSN).
    Comment: Several commenters noted that the term ``medical care'' in 
our descriptions of individual and organization health care providers 
should be replaced with the term ``health care.'' They were concerned 
that one could construe ``medical care'' to mean only care that was 
physician-supplied or physician-authorized.
    Response: We agree with the comment and have replaced the term 
``medical care'' with ``health care'' in our discussion of individual 
and organization health care providers.
    Comment: A majority of commenters stated that the NPS should not 
distinguish between organization health care providers and group health 
care providers. The NPS should collect the same data for both. A few 
other commenters suggested a definition for group, but did not suggest 
that different data should be collected for a group health care 
provider than for an organization health care provider.
    Response: As described in the proposed rule (at 63 FR 25325), group 
health care providers are entities composed of one or more individuals 
(members), generally created to provide coverage of patients' needs in 
terms of office hours, professional backup and

[[Page 3440]]

support, or range of services resulting in specific billing or payment 
arrangements. Organization health care providers are health care 
providers who are not individual health care providers (that is, health 
care providers who are human beings). Examples of organization health 
care providers are hospitals, pharmacies, and nursing homes. For 
purposes of this rule, we consider group health care providers to be 
organization health care providers. There is additional information 
about these health care providers in section II.C.1.(d) of this 
preamble.
    We agree with the majority of commenters that the NPS should 
collect the same data for group and organization health care providers. 
Because the same data are collected, there is no need for separate 
definitions of group and organization health care providers for NPI 
enumeration purposes.
    Comment: Several commenters suggested that an NPI suffix or sub-
identifier (sub-ID) be used to identify physical locations or subparts 
of a health care provider. Two commenters suggested that we explore the 
need for an electronic data interchange (EDI) identifier for 
transaction routing.
    Response: We considered allowing each health care provider, if it 
so chose, to establish sub-IDs under its NPI. The health care provider 
might use the sub-IDs for different physical locations, subparts, EDI 
transaction routing, or other purposes. We decided not to establish 
sub-IDs because our decisions regarding which entities would be 
eligible to receive NPIs (including separate physical locations and 
subparts of certain kinds of organization health care providers) 
obviate the need for them. Sub-IDs may be useful as a later 
implementation feature that would support EDI routing or other 
purposes. We will consider an expansion at a later time to include 
them, if we determine that they would be beneficial.
    Comment: Many commenters stated that all health care providers 
should be able to obtain NPIs, whether they conduct health care 
transactions electronically or on paper. Some commenters stated that 
health care providers that do not conduct any of the transactions named 
in HIPAA should be able to obtain NPIs.
    Response: All health care providers--as we define that term--may 
obtain NPIs. Only covered health care providers are required to obtain 
and use NPIs in standard transactions.
    Comment: Many commenters stated that NPIs should be mandatory for 
paper and fax transactions, as well as electronic.
    Response: In the May 7, 1998, proposed rule, we did not propose to 
apply this standard to paper transactions. Therefore, we focus on 
standards for electronic transactions. Most of the paper forms 
currently in use today cannot accommodate all of the data content 
included in the standard transactions. This does not prevent health 
plans from requiring for paper transactions the same data, including 
identifiers, as are required by the HIPAA regulations for electronic 
transactions.

Final Provisions (Sec.  160.103)

    As defined by section 1171(3) of the Act, a ``health care 
provider'' is a provider of services as defined in section 1861(u) of 
the Act, a provider of medical or other health services as defined in 
section 1861(s) of the Act, and any other person who furnishes health 
care services or supplies. Section 160.103 defines ``health care 
provider'' as the statute does and clarifies that the definition of a 
``health care provider'' includes any other person or organization that 
furnishes, bills, or is paid for health care in the normal course of 
business.
    Section 1173(b)(1) of the Act requires the Secretary to adopt 
standards providing for a standard unique health identifier for each 
health care provider, and to take into account multiple uses, 
locations, and specialty classifications for health care providers. All 
health care providers who meet our definition of ``health care 
provider'' at Sec.  160.103, regardless of whether they conduct 
transactions electronically or on paper or conduct any covered 
transactions will be eligible to apply for health care provider 
identifiers.
    We define ``covered health care provider'' at Sec.  162.402. 
Subparts of organization health care providers, as described earlier in 
this section, may be assigned NPIs.
    Registered nurses, dental hygienists, and technicians are examples 
of entities who furnish health care but who do not necessarily conduct 
covered transactions. They are eligible to receive NPIs because they 
are health care providers.
    We define two categories of health care providers for enumeration 
purposes. A data element, the ``Entity type code,'' in the NPS record 
for each health care provider will indicate the appropriate category.
    [sbull] NPIs with an ``Entity type code'' of 1 will be issued to 
health care providers who are individual human beings. Examples of 
health care providers with an ``Entity type code'' of 1 are physicians, 
dentists, nurses, chiropractors, pharmacists, and physical therapists.
    [sbull] NPIs with an ``Entity type code'' of 2 will be issued to 
health care providers other than individual human beings, that is, 
organizations. Examples of health care provider organizations with an 
``Entity type code'' of 2 are: hospitals; home health agencies; 
clinics; nursing homes; residential treatment centers; laboratories; 
ambulance companies; group practices; health maintenance organizations; 
suppliers of durable medical equipment, supplies related to health 
care, prosthetics, and orthotics; and pharmacies.
    Entities that participate in the Medicare program and many that 
participate in the Medicaid program are eligible for NPIs. (Note, 
however, our discussion of atypical and nontraditional service 
providers earlier in this section.) Many subparts of organization 
health care providers (as discussed earlier in this section) are 
eligible to be assigned NPIs, and an NPI must be obtained for, or by, 
them if they would be considered a covered health care provider if they 
were a separate legal entity. By definition, subparts are not 
themselves legal entities; the legal entity is the organization health 
care provider of which they are a subpart. Organization health care 
provider subparts--because they too are organizations--will be issued 
NPIs with ``Entity type code'' of 2.
    We do not consider individuals who are health care providers (that 
is, they meet our definition of ``health care provider'' at Sec.  
160.103) and who are members or employees of an organization health 
care provider to be ``subparts'' of those organization health care 
providers, as described earlier in this section. Individuals who are 
health care providers are legal entities in their own right. The 
eligibility for an ``Entity type code 1'' NPI of an individual who is a 
health care provider and a member or an employee of an organization 
health care provider is not dependent on a decision by the organization 
health care provider as to whether or not an NPI should be obtained 
for, or by, that individual. The eligibility for an ``Entity type code 
1'' NPI of a health care provider who is an individual is separate and 
apart from that individual's membership or employment by an 
organization health care provider. If such an individual is a covered 
health care provider, he or she is required to obtain an NPI. An 
example of the above discussion is a physician who is a member of a 
group practice. Both are health care providers and, therefore, both may 
apply for NPIs, but the physician would receive an

[[Page 3441]]

``Entity type code 1'' NPI, while the group practice would receive an 
``Entity type code 2'' NPI. If either is a covered health care 
provider, that covered health care provider must apply for an NPI.
    ``Entity type code'' determinations will be made according to the 
following:
    [sbull] An individual human being furnishes health care. The 
described individual is a health care provider and will be assigned an 
NPI with an ``Entity type code'' of 1.
    [sbull] An organization furnishes health care. The described 
organization is a health care provider and will be assigned an NPI with 
an ``Entity type code'' of 2.
    [sbull] An organization health care provider subpart, as described 
earlier in this section, is a health care provider and will be assigned 
an NPI with an ``Entity type code'' of 2.
    Hereafter in this preamble, we include these subparts in our 
references to health care providers unless there is a reason to 
distinguish them.
    An NPI will be used to identify the health care provider on a 
health care claim or equivalent encounter information transaction. If 
an organization health care provider consists of subparts that are 
identified with their own unique NPIs, a health plan may decide to 
enroll none, one, or a limited number of them (and to use only the 
NPI(s) of the one(s) it enrolls). A health plan may not require a 
health care provider or a subpart of an organization health care 
provider that has an NPI to obtain another NPI for any purpose. Links 
among the various NPI types may be made and maintained by health plans 
and other users of the NPS data, but will not be maintained in the NPS.
    The data to be collected by the NPS for health care providers are 
described in section II. C. 2. of this preamble, ``Data Elements and 
Data Dissemination.'' The NPS will capture data elements for health 
care providers with an ``Entity type code'' of 1 (individuals) that are 
different from those that it will capture for those with an ``Entity 
type code'' of 2 (organizations) because the data available to search 
for duplicates (for example, date and place of birth) are different. 
The NPS will ensure the uniqueness of the NPI by assigning only one NPI 
to a health care provider with a distinct string of data in the NPS. 
The NPS will contain the kinds of data necessary to adequately 
categorize each entity to which it assigns an NPI. An NPI will be a 
lasting identifier for the health care provider to which it has been 
assigned. For health care providers with an ``Entity type code'' of 1, 
the NPI will be a permanent identifier, assigned for life, unless 
circumstances justify deactivation, such as a health care provider who 
finds that his or her NPI has been used fraudulently by another entity. 
In that situation, the health provider can apply, and will be eligible, 
for a new NPI, and the previously assigned NPI will be deactivated. For 
health care providers with an ``Entity type code'' of 2, the NPI will 
also be considered permanent, except in certain situations such as when 
a health care provider does not wish to continue an association with a 
previously used NPI, or when a health care provider's NPI has been used 
fraudulently by another. In those situations, the health care provider 
that holds the NPI can apply, and be eligible for, a new NPI, and the 
previously assigned NPI will be deactivated. A new NPI will not be 
required for change of ownership, change from partnership to 
corporation, or change in the State where an organization health care 
provider is incorporated; indeed, ownership and incorporation 
information will not be contained in the NPS. A new NPI will not be 
required when there is a change in an organization health care 
provider's name, Employer Identification Number, address, Healthcare 
Provider Taxonomy classification, State of licensure, or State license 
number. Instead, the health care provider will supply that information 
to the NPS and the data in the NPS about these entities will be 
updated. After a corporate merger, the surviving organization may 
continue to use its NPI. A health care provider's NPI will not be 
deactivated if that health care provider is sanctioned or barred from 
one or more health plans. When an organization health care provider is 
disbanded, the organization health care provider's NPI will be 
deactivated. If a previously deactivated organization health care 
provider is later reactivated, its previous NPI will be reactivated.
3. NPI Standard

Proposed Provisions (Sec.  142.402(a))

    The May 7, 1998, proposed rule (at 63 FR 25328) described our 
proposal for the standard health care provider identifier. We proposed 
the NPI standard as an 8-position alphanumeric identifier. It would 
include as the 8th position a numeric check digit to assist in 
identifying erroneous or invalid NPIs. The check digit would be a 
recognized International Standards Organization (ISO) standard. The 
check digit algorithm would be computed from an all-numeric base 
number. Therefore, any alpha characters that may be part of the NPI 
would be translated to a specific numeric before the calculation of the 
check digit. The NPI format would allow for the creation of 
approximately 20 billion unique identifiers. It would be an 
intelligence-free identifier. In the May 7, 1998 proposed rule, we also 
proposed the type of data included in the file containing identifying 
information for each health care provider.
    In addition to the description of the NPI standard, this section of 
the May 7, 1998, proposed rule discussed several other points on which 
we received comments:
    We noted that we proposed the 8-position alphanumeric format rather 
than a longer numeric-only format in order to keep the identifier as 
short as possible while providing for an identifier pool that would 
serve the industry's needs for a long time.
    We listed selection criteria for the standard and discussed 
candidate identifiers, including the National Association of Boards of 
Pharmacy number, the Social Security Number, and the Employer 
Identification Number.
    We noted that the USA Registration Committee approved the NPI as an 
International Standards Organization card issuer identifier in August 
1996 for use on standard health identification cards.
Comments and Responses on the NPI Standard
    Comment: Several commenters on the format of the NPI expressed 
general support for our proposal or specific support for an 8-position 
alphanumeric identifier. Very few of these commenters gave a reason for 
support of the 8-position alphanumeric format. A strong majority of 
commenters recommended instead that the NPI be a 10-position numeric 
identifier, because a 10-position identifier would yield an adequate 
pool of identifiers and would not exceed the length permitted for 
identifiers in the standard transactions proposed under HIPAA. A few 
other commenters recommended a 9-position numeric identifier. Several 
commenters who favored a numeric identifier stated that if additional 
capacity for NPIs were needed in the future, additional numeric digits 
should be added at that time. Commenters who preferred a numeric 
identifier were very specific in listing its advantages. They stated 
that a numeric identifier--
    [sbull] Is more quickly and accurately keyed in data-entry 
applications;
    [sbull] Is more easily used in telephone keypad applications;
    [sbull] Does not require translation before application of the 
check digit algorithm,

[[Page 3442]]

and thus uses the full ability of the check digit algorithm to detect 
keying errors;
    [sbull] Is compatible with ISO identification card standards for a 
card issuer identifier (discussed below), while an alphanumeric 
identifier is not; and
    [sbull] Will require less change for systems that currently use a 
numeric identifier.
    Response: We find the stated advantages of a 10-position numeric 
identifier convincing. We have revised proposed Sec.  142.402 (now 
Sec.  162.406(a)) to provide that the NPI will be a 10-position numeric 
identifier, with the 10th position being an ISO standard check digit. 
The use of a 10-digit numeric NPI and our initial assignment strategy 
will allow for 200 million unique NPIs. We estimate 200 million NPIs 
would last approximately 200 years, allowing for health care provider 
growth, as discussed later in the preamble of this final rule in 
section V.D., ``Specific Impact of the NPI.'' If additional capacity 
for NPIs is needed in the future, additional numeric digits will be 
added to the identifier at that time. A modification to the NPI format 
would be accomplished through rulemaking. A 10-position numeric 
identifier is specified in Sec.  162.406(a).
    Comment: Some commenters asked that we clarify how the NPI would 
appear when used as a card issuer identifier on a standard health care 
identification card. Commenters also asked that we clarify any 
modification made to the check digit algorithm to allow the NPI to be 
used as a card issuer identifier.
    Response: In December 1997, an American National Standard for a 
Uniform Healthcare Identification Card was approved by the National 
Committee for Information Technology Standards (NCITS), which is a 
standards-developing organization accredited by the American National 
Standards Institute. The specification for this standard, NCITS.284, is 
available from the American National Standards Institute, 11 West 42nd 
Street, New York, New York 10036. One identifier field on the standard 
health care identification card is the card issuer identifier. A card 
issuer identifier is an identifier for an entity that issues a health 
care identification card. In most cases, the entity issuing a health 
care identification card would be a health plan; in some cases, 
however, the entity could be a health care provider. We note that, 
under HIPAA, health care providers are neither required to issue health 
care identification cards, nor to use the NCITS.284 standard card. The 
NCITS.284 standard requires that the first five digits of the card 
issuer identifier be ``80840,'' where the initial two digits, 80, 
signify health applications, the next three digits, 840, signify United 
States. The remainder of the card issuer identifier identifies the 
entity that issued the card. In August 1996, the USA Registration 
Committee, a standards-developing organization accredited by the 
American National Standards Institute, approved the NPI as an 
identifier for a card issuer for use on a standard health care 
identification card. If the NPI is used to identify the card issuer on 
a card that complies with NCITS.284, the card issuer identifier would 
consist of 15 positions as follows: ``80840,'' signifying health 
applications in the United States, followed by the 10-position NPI (the 
9-position identifier portion of the NPI, followed by the NPI check 
digit).
    We note that the initial five digits ``80840'' would be required 
with the NPI only when the NPI is used as a card issuer identifier on a 
standard health care identification card. However, in order that any 
NPI could potentially be used as a component of the card issuer 
identifier on a standard health care identification card, the NPI check 
digit calculation must always be performed as though the NPI is 
preceded by ``80840.'' This is easily accomplished by including a 
constant in the check digit calculation when the NPI is used without 
this prefix. The NPI check digit is calculated using the ISO standard 
Luhn check digit algorithm, a modulus 10 ``double-add-double'' 
algorithm. The specification for calculation of the NPI check digit 
will be made available on the CMS Web site (http://www.cms.hhs.gov). 
The specification will explain how to compute the check digit and how 
to verify an NPI using the check digit, both when the ``80840'' prefix 
is present and when it is not.
    Comment: A strong majority of commenters supported our proposal 
that the NPI be intelligence-free. A few commenters stated that an 
intelligence-free identifier would not meet their needs because their 
systems use the facility provider type, which is coded as part of the 
identifier in some current systems.
    Response: If the NPI were to include intelligence, that is, coded 
information about the health care provider, as part of the identifier, 
a new NPI would have to be issued any time the coded information about 
the health care provider changed. This would undermine the lasting 
nature of the NPI. For this reason we agree with the large majority of 
commenters that the NPI not contain intelligence about the health care 
provider.
    Comment: A small number of commenters stated that the Taxpayer 
Identifying Number (TIN) should be selected, or reconsidered, as the 
standard unique health identifier for health care providers.
    Response: The TIN is the identifier under which the health care 
provider reports a United States tax return to the Internal Revenue 
Service (IRS). It can be an SSN, assigned by the Social Security 
Administration, or an IRS Individual Taxpayer Identification Number 
(ITIN), assigned by the IRS, or an EIN, assigned by the IRS. A large 
number of commenters on the ``Data'' section of the May 7, 1998, NPI 
proposed rule stated their opposition to dissemination of the SSN 
except in strictly controlled situations that fully comply with the 
Privacy Act. Use of the SSN or the TIN as the standard unique health 
identifier for health care providers would require the wide 
dissemination and use of the SSN or TIN in the HIPAA transactions under 
conditions that would not be protected by the Privacy Act. The majority 
of commenters did not support the use of the SSN as the standard unique 
health identifier for health care providers for individuals.
    Comment: The National Council for Prescription Drug Programs 
requested that we make several clarifications regarding our reference 
to the National Association of Boards of Pharmacy (NABP) number, which 
we discussed as a candidate identifier in the May 7, 1998, proposed 
rule.
    Response: As requested, we note that the NABP number has been 
renamed the National Council for Prescription Drug Programs (NCPDP) 
Provider Number. In 1997, the NCPDP and the NABP mutually severed the 
contract made in 1977. The NCPDP has full responsibility for 
maintenance of the pharmacy file. The NCPDP Provider Number is issued 
solely by NCPDP. All references to the NABP number should be changed 
instead to the NCPDP Provider Number.
    Comment: A small number of commenters stated that the proposed NPI 
would not meet one or more of the selection criteria for standards or 
would not be consistent with the law because it would not reduce the 
administrative costs of providing and paying for health care. These 
kinds of comments cited the high costs of developing and operating a 
new system for health care provider enumeration.
    Response: Elsewhere in this preamble, we discuss how the collection 
of health care provider data and the enumeration of health care 
providers can be satisfactorily accomplished with the NPI and how those 
associated costs can be kept to a minimum. We acknowledge

[[Page 3443]]

that organizations will incur costs in the move to a standard 
enumeration process. After the initial implementation, however, we 
believe that the costs will diminish significantly, and that long-term 
use of a standard identifier will be cost-effective.

Final Provisions (Sec.  162.406(a))

    We are adopting the NPI format of an all-numeric identifier, 10 
positions in length, with an ISO standard check-digit in the 10th 
position (Sec.  162.406(a)). The NPI will not contain intelligence 
about the health care provider. This format and our assignment strategy 
will allow for at least 200 million unique NPIs.
4. Effective Date and Compliance Dates

Proposed Provisions (Sec.  142.410)

    The May 7, 1998, proposed rule proposed the compliance dates for 
the standard unique health identifier for health care providers.
    The May 7, 1998, proposed rule proposed that:
    [sbull] Each health plan that is not a small health plan must 
comply with the requirements of Sec.  142.104 and Sec.  142.404 by 24 
months after the effective date of the final rule.
    [sbull] Each small health plan must comply with the requirements of 
Sec.  142.104 and Sec.  142.404 by 36 months after the effective date 
of the final rule.
    [sbull] Each health care clearinghouse and health care provider 
must begin using the NPI by 24 months after the effective date of the 
final rule.
Comments and Responses on Effective Date and Compliance Dates
    Comment: An overwhelming number of commenters requested that there 
be an extended period of time between the publication of the NPI final 
rule and the date the implementation period for the NPI would begin. 
Commenters stated that their resources were fully committed to 
millennium issues and that those resources could not be used to address 
the numerous changes needed to implement the NPI until after the 
millennium work was satisfactorily completed. Some commenters asked 
that we publish the final rule on Standards for Electronic Transactions 
before any of the other rules.
    Response: Work on the millennium is complete. Many commenters are 
undoubtedly expending resources at this time in implementing the HIPAA 
Privacy Rule (65 FR 82462 and 67 FR 53182), the Transactions Rule (65 
FR 50312 and 68 FR 8381), the Security Rule (68 FR 8334) and the 
Employer Identifier Rule (67 FR 38009). The reader should note that we 
published the Transactions Rule (65 FR 50312) before any of the other 
HIPAA final rules. The National Provider System (NPS) will be a large, 
complex system. Its development cannot be finalized until publication 
of this final rule. The NPS must operate efficiently and be capable of 
performing many operations. It must undergo testing to ensure proper 
operation of all functions and must pass a variety of stress tests. To 
ensure adequate time for completion of system development and testing, 
we set the effective date of this final rule to be 16 months after 
publication in the Federal Register. Covered entities will need to be 
in compliance no later than 24 months after the effective date (36 
months for small health plans). While the purpose of this extended 
effective date is to allow HHS sufficient time for NPS development and 
testing, it will also permit health care entities sufficient time to 
accommodate changes needed in order to implement the NPI.

Final Provisions (Sec.  162.404)

    We set the effective date and compliance dates as follows:
    a. Effective date of this final rule. The effective date of the NPI 
is May 23, 2005. The effective date of this final rule marks the 
beginning of the implementation period for the NPI.
    b. Compliance dates of the NPI. We adopt the requirement that 
covered entities (except small health plans) must obtain an NPI and 
must use the NPI in standard transactions no later than May 23, 2007. 
Small health plans must do so no later than May 23, 2008.
    If the Secretary adopts a modification to this standard, the 
compliance date of the modification would be no earlier than the 180th 
day following the adoption of the modification. The Secretary would 
determine the actual date, taking into account the time needed to 
comply due to the nature and extent of the modification. The Secretary 
would be able to extend the time for compliance with any modification 
by small health plans by rulemaking, if he determines that an extension 
is appropriate.
5. Implementation Specifications for Health Care Providers, Health 
Plans, and Health Care Clearinghouses

Proposed Provisions (Sec.  142.404, Sec.  142.406, and Sec.  142.408)

    In section II. E., ``Requirements,'' of the preamble of the May 7, 
1998, proposed rule (63 FR 25330), we discussed the requirements that 
health plans, health care clearinghouses, and covered health care 
providers would have to meet in implementing the NPI. The proposed 
regulation text, in Sec.  142.404, stated that health plans would be 
required to accept and transmit, directly or through a health care 
clearinghouse, the NPI on all standard transactions wherever required. 
The proposed regulation text, in Sec.  142.406, stated that health care 
clearinghouses would be required to use the NPI wherever a standard 
electronic transaction requires it.
    The preamble of the May 7, 1998, proposed rule (63 FR 25330) 
states: ``In Sec.  142.408, Requirements: Health care providers, we 
would require each health care provider that needs an NPI for HIPAA 
transactions to obtain, by application if necessary, an NPI * * *'' 
Section 142.408(a) of the proposed regulation text states: ``Each 
health care provider must obtain, by application if necessary, a 
national provider identifier.'' The text of the proposed rule states, 
in Sec.  142.408(c): ``Each health care provider must communicate any 
changes to the data elements in its file in the national provider 
system to an enumerator of national provider identifiers within 60 days 
of the change.''
Comments and Responses on Requirements for Health Care Providers, 
Health Plans, and Health Care Clearinghouses
    We believe that the Congress intended that each health care 
provider be eligible for an NPI and intended to authorize the Secretary 
to require covered health care providers to obtain one. HIPAA requires 
the adoption of a standard unique health identifier for health care 
providers and directs the Secretary to specify the purposes for which 
the identifier may be used. The statute sets forth the maximum amount 
of time by which all covered entities must comply with the standards, 
leaving discretion to the Secretary to designate compliance dates 
(within the limitations of the law). We proposed in the May 7, 1998, 
proposed rule, and require in this final rule, that covered entities 
must be in compliance with the standards no later than 2 years (3 years 
for small health plans) from the effective date of the regulation. 
Thus, as of the compliance date, a covered health care provider must 
have obtained and begun to use an NPI.
    Comment: Some commenters recommended that all data about a health 
care provider in the NPS be required to be updated; others stated that 
only certain data elements should be required to be updated. Most 
indicated that data needed for unique identification should be kept 
current.

[[Page 3444]]

    Response: In the proposed rule, the NPS was proposed to include 
many data elements that we have since decided not to include. (See 
section II. C. 2. of this preamble, ``Data Elements and Data 
Dissemination.'') We have decided that the NPS will consist entirely of 
data elements about a health care provider that are needed for 
administrative (communications) purposes and for the unique 
identification of the health care provider. We believe it is 
appropriate and necessary for the health care providers to notify the 
NPS of changes in their required NPS data, but, given limits on our 
statutory authority, we can require such notification only of covered 
health care providers.
    Comment: We received many comments concerning the length of time a 
health care provider should be allowed before it must notify the NPS of 
changes to its NPS data. Most commenters thought that the 60-day period 
was too long and believed a 15-to-30-day period was more appropriate.
    Response: The May 7, 1998, proposed rule at Sec.  142.408(c) 
proposed 60 days to allow reasonable flexibility in the time required 
for a health care provider to complete a paper form (the NPI 
application/update form) containing the update(s) and forward it to the 
NPS. We will attempt to design the NPS to be responsive and easy to 
use. We will consider a design that will allow a health care provider 
(or possibly a health care provider's authorized representative (see 
section II. B. 2., ``Health Care Provider Enumeration,'' of this 
preamble)) to communicate the health care provider's changes directly 
into the NPS over the Internet, using a secure Web-based transaction. A 
paper form (the NPI application/update form) will be developed for this 
same purpose and will be available from the NPS and from the CMS Web 
site (http://www.cms.hhs.gov) for use by health care providers. We 
realize that many health care providers may prefer to send electronic 
updates if the capability exists. According to the majority of 
commenters, health care providers should be required to communicate 
changes in their NPS data in far less than 60 days. We agree. 
Therefore, we adopt in this final rule a requirement that covered 
health care providers notify the NPS of changes in their required NPS 
data within 30 calendar days of the changes (Sec.  162.410(a)(4)).
    Comment: Several commenters indicated that health plans will need 
to know about changes in health care provider information. Commenters 
did not believe it would be fair for health care providers to have to 
notify both the NPS and the health plans in which they are enrolled of 
changes.
    Response: We agree that health plans will need to know of changes 
in the data associated with their enrolled health care providers. Most 
health plans collect more information about a health care provider than 
the NPS will collect. Therefore, we expect that health plans will still 
require health care providers to notify them of changes in this 
information. The NPS will have the capability to provide listings or 
reports of changes in NPS data in accordance with section II. C. 2. of 
this preamble, ``Data Elements and Data Dissemination.''
    Comment: Several commenters stated that the NPS should be required 
to apply updates within a specified period of time after receipt of the 
updated information from a health care provider.
    Response: We expect that the update process will be designed in a 
way that will allow the system to process updates within a reasonable 
timeframe (for example, 10 business days from receipt). The volume of 
updates at any given time may impact system performance. If changes are 
unable to be made (for example, the health care provider furnishing 
updates does not appear to match any health care provider in the NPS), 
the health care provider will receive a message that will indicate why 
the NPS is unable to update the record. The message will request that 
the problem be resolved and the information be resubmitted.
    Comment: Several commenters asked if health plans should take any 
action to notify the NPS of changes to health care provider data if 
they become aware of these changes.
    Response: Although health plans would not be required to provide 
information to the NPS to update health care provider data, we 
encourage health plans to instruct and remind their enrolled health 
care providers to notify the NPS of changes in their data.
    Comment: There were numerous comments about penalties for non-use 
of the NPI:
    [sbull] If NPIs could not be assigned to covered health care 
providers before the compliance date for those health care providers, 
and sufficiently ahead of that time to enable the health care providers 
to be capable of using the NPI in standard transactions, penalties 
should not be enforced for nonuse of the NPI.
    [sbull] Sufficient time should elapse to ensure adequate experience 
in using the NPI before penalties are assessed.
    [sbull] Financial penalties for noncompliance should not be 
assessed until 1 year after the NPI compliance dates.
    [sbull] The method of enforcing compliance with the standard should 
be made public.
    [sbull] The penalties for nonuse of a single standard and nonuse of 
multiple standards should be clarified.
    [sbull] When noncompliance forces nonpayment, the entity expecting 
payment will resolve the issue.
    Response: NPIs will be assigned to health care providers as quickly 
as possible and within the parameters of the performance criteria that 
are in effect. (See earlier comment and response for additional 
information.) HHS is preparing, and has issued in part, a separate 
regulation on enforcement of the HIPAA standards. This regulation is 
expected to address all but perhaps the last concern of these 
commenters. The regulation cannot place requirements on entities that 
are not covered entities, and the entities involved in the situation 
described in the last bullet may not be covered entities.
    Comment: Many commenters suggested that (1) health care providers 
not be required to use the NPI within the first year after the 
effective date of its adoption, although willing trading partners could 
use the NPI by mutual agreement at any time after the effective date; 
and (2) health plans should give their health care providers at least 6 
months' notice before requiring them to use the NPI.
    Response: Upon the effective date of the adoption of this standard 
(which will be 16 months after the date it is published), health care 
providers may apply for NPIs. Covered entities (except for small health 
plans) must begin using the NPI in standard transactions no later than 
24 months after the effective date. (Small health plans have 36 months 
to begin using NPIs.) These are statutory requirements that we have 
incorporated into this final rule. We believe these timeframes enable 
more than sufficient time for covered health care providers to become 
aware of their responsibilities under this final rule, to apply for and 
be assigned their NPIs, and to complete work needed to begin using 
their NPIs. Applying for an NPI up to 18 months after the effective 
date of the adoption of this standard will still give health care 
providers 6 months before the statutory compliance date arrives. We 
encourage health plans to give health care providers 6 months' notice 
before requiring them to use NPIs; however, we do not require that 
action by the health plans. How soon health care providers could use 
NPIs would depend on when they obtained the NPIs, and health plans have 
no direct control over that action.

[[Page 3445]]

We encourage all parties to work together to ensure a smooth 
transition.

Final Provisions (Sec.  162.410, Sec.  162.412, Sec.  162.414)

    All health care providers are eligible for NPIs.
    We require each covered health care provider to obtain an NPI from 
the NPS, by application if necessary, for itself and for its subparts, 
if appropriate, and to use its NPI in standard transactions. Covered 
health care providers must disclose their NPIs to other entities that 
need those health care providers' NPIs for use in standard 
transactions. Covered health care providers must communicate to the NPS 
any changes in their required data elements within 30 days of the 
change. If covered health care providers use business associates to 
conduct standard transactions on their behalf, they must require their 
business associates to use NPIs appropriately as required by the 
transactions the business associates conduct on its behalf.
    Situations exist in which a standard transaction must identify a 
health care provider that is not a covered entity. An organization 
health care provider subpart may need to be identified in a standard 
transaction but the organization health care provider may not be 
required to obtain an NPI for the subpart. A noncovered health care 
provider may or may not have applied for and received an NPI. In the 
latter case, and in the case of the subpart described above, an NPI 
would not be available for use in the standard transaction. We 
encourage every health care provider to apply for an NPI, and encourage 
all health care providers to disclose their NPIs to any entity that 
needs that health care provider's NPI for use in a standard 
transaction. Obtaining NPIs and disclosing them to entities so they can 
be used by those entities in standard transactions will greatly enhance 
the efficiency of health care transactions throughout the health care 
industry. If subparts are assigned NPIs, the covered health care 
provider must ensure that the subpart's NPI is disclosed, when 
requested, to any entity that needs to use the subpart's NPI in a 
standard transaction.
    Here are examples that illustrate the desirability for a health 
care provider that is not required to be enumerated to obtain and 
disclose an NPI:
    (1) A pharmacy claim that is a standard transaction must include 
the identifier (which, as of the compliance date, would be the NPI) of 
the prescriber. Therefore, the pharmacy needs to know the NPI of the 
prescriber in order to submit the pharmacy claim. The prescriber may be 
a physician or other practitioner who does not conduct standard 
transactions. The prescriber is encouraged to obtain an NPI so it can 
be furnished to the pharmacy for the pharmacy to use on the standard 
pharmacy claim.
    (2) A hospital claim is a standard transaction and it may need to 
identify an attending physician. The attending physician may be a 
physician who does not conduct standard transactions. The physician is 
encouraged to obtain an NPI so it can be furnished to the hospital for 
the hospital to use on the standard institutional claim.
    In the examples above, the NPI of a health care provider that is 
not a covered entity is needed for inclusion in a standard transaction. 
The absence of NPIs when required in those claims by the implementation 
specifications may delay preparation or processing of those claims, or 
both. Therefore, we strongly encourage health care providers that need 
to be identified in standard transactions to obtain NPIs and make them 
available to entities that need to use them in those transactions.
    Under Sec.  162.410 (Implementation specifications: Health care 
providers), we require each covered health care provider to:
    [sbull] Obtain from the NPS, by application if necessary, an NPI 
for itself and, if appropriate, for its subparts.
    [sbull] Use the NPI it obtained from the NPS to identify itself in 
all standard transactions that it conducts where its health care 
provider identifier is required.
    [sbull] Disclose its NPI, when requested, to any entity that needs 
the NPI to identify that health care provider in a standard 
transaction.
    [sbull] Communicate to the NPS any changes to its required data 
elements in the NPS within 30 days of the change.
    [sbull] If it uses one or more business associates to conduct 
standard transactions on its behalf, require its business associate(s) 
to use its NPI and the NPIs of other health care providers 
appropriately as required by the transactions the business associate(s) 
conducts on its behalf. (For example, a claim for a laboratory service 
will require the NPI of the laboratory and may also require the NPI of 
the referring physician. If a business associate prepares the 
laboratory claim, the business associate must use the laboratory's and 
the referring physician's NPIs. If the business associate does not 
already know the NPI of the referring physician, it may have to contact 
the referring physician to obtain his or her NPI.)
    [sbull] If it has been assigned NPIs for one or more subparts, 
comply with the above requirements with respect to each of those NPIs.
    Under Sec.  162.412 (Implementation specifications: Health plans), 
we require health plans to: use the NPI of any health care provider 
(including subparts of organization health care providers) that has 
been assigned an NPI to identify that health care provider (or subpart) 
in all standard transactions where the health care provider's (or 
subpart's) identifier is required. Health plans may not require health 
care providers that have been assigned NPIs to obtain additional NPIs.
    Under Sec.  162.414 (Implementation specifications: Health care 
clearinghouses), we require health care clearinghouses to use the NPI 
of any health care provider (including subparts of organization health 
care providers) that has been assigned an NPI to identify that health 
care provider (or subpart) in all standard transactions where that 
health care provider's (or subpart's) identifier is required.

B. Implementation of the NPI

1. The National Provider System

Proposed Provisions (Sec.  142.402)

    The May 7, 1998, proposed rule (at 63 FR 25331) described the 
National Provider System (NPS) as a central electronic enumerating 
system. The system would be a comprehensive, uniform system for 
identifying and uniquely enumerating health care providers at the 
national level. The Department of Health and Human Services (HHS) would 
exercise overall responsibility for oversight and management of the 
system.
Comments and Responses on the National Provider System
    We did not receive comments specific to our description of the NPS. 
However, commenters were emphatic that the NPS be fully tested before 
it began assigning NPIs, and that the system ensure that the same NPI 
would not be issued to more than one health care provider. Commenters 
also suggested that an option be made available by which health care 
providers could apply for NPIs electronically in lieu of completing a 
paper application form. This comment is addressed in section II. B. 2. 
of this preamble, ``Health Care Provider Enumeration.''

Final Provisions (Sec.  162.408(a))

    NPIs will be assigned to health care providers by the NPS, which 
will be a central electronic enumerating system operating under Federal 
direction. The

[[Page 3446]]

NPS will uniquely identify and enumerate health care providers at the 
national level. The NPS may enumerate subparts of organization health 
care providers.
    The NPS will be designed to be easy to use. The design will employ 
the latest technological advances wherever feasible for capturing 
health care provider data and making information available to users. 
This is discussed in section II. C. 2. of this preamble, ``Data 
Elements and Data Dissemination.''
    HHS will exercise overall responsibility for oversight and 
management of the NPS. The NPS will include a database that will store 
the identifying and administrative information about health care 
providers that are assigned NPIs. The data elements comprising the NPS 
are described and listed in section II. C. 2. of this preamble, ``Data 
Elements and Data Dissemination.''
    Identifying and uniquely enumerating health care providers for 
purposes of the NPI is separate from the process that health plans 
follow in enrolling health care providers in their health programs. The 
NPS will assign NPIs to health care providers. However, the assignment 
of the NPI will not eliminate the process that health plans follow in 
receiving and verifying information from health care providers that 
apply to them for enrollment in their health programs.
    Health care providers will submit applications for NPIs to HHS. As 
health care provider data are entered into the NPS from the 
application, the NPS will check the data for consistency, standardize 
addresses, and validate the Social Security Number (SSN) if the 
individual applying for an NPI provides it; the NPS will validate the 
date of birth only if the SSN is validated. (If a health care provider 
chooses not to furnish his or her SSN when applying for an NPI, the 
assignment of an NPI to that health care provider may be delayed and 
additional information may be requested from that health care provider 
in order to establish uniqueness.) If the NPS encounters problems in 
processing the application, appropriate messages will be communicated 
to the applicant. If problems are not encountered, the NPS will then 
search its database to determine whether the health care provider 
already has an NPI. If a health care provider has already been issued 
an NPI, an appropriate message will be communicated. If not, an NPI 
will be assigned. If the health care provider is similar (but not 
identical) to an already-enumerated health care provider, the situation 
will be investigated. Once an NPI is assigned, the health care provider 
will be notified of its NPI.
2. Health Care Provider Enumeration
    In section III of the preamble of the May 7, 1998, NPI proposed 
rule, ``Implementation of the NPI'' (at 63 FR 25331), we asked for 
comments on the entity or entities that would be responsible for 
assigning NPIs to health care providers. We explained that the HIPAA 
legislation did not contain a specific funding mechanism for activities 
related to enumeration. We asked for comments on how the enumeration 
activity and the NPS itself could be funded, and how the costs of 
enumeration could be kept as low as practicable. We presented two 
options for the enumeration of health care providers: (1) All health 
care providers, except existing Medicare providers, would be enumerated 
by a single entity. Existing Medicare providers would automatically be 
enumerated and would not have to apply for NPIs; (2) Federal health 
plans and Medicaid would enumerate their enrolled health care 
providers, and a federally-directed registry would enumerate all 
remaining health care providers. We also presented a phased approach to 
enumeration and requested public comment on it. In the phased approach, 
we proposed that enumeration would occur in the following order: (1) 
Medicare providers; (2) Medicaid, other Federal providers, and health 
care providers that do not conduct business with Federal health plans 
or Medicaid but that do conduct electronically any of the transactions 
specified in HIPAA; and (3) all remaining health care providers. The 
May 7, 1998, proposed rule also stated that phase three would not begin 
until phases one and two were completed.
Comments and Responses on Provider Enumeration
    Comment: Several commenters stated that it would cost more than our 
estimate of $50 to enumerate a health care provider; others believed 
our estimate of $50 to be reasonable. Some commenters pointed out that 
Federal and Medicaid health plans do not maintain all of the 
information about health care providers that would be required to 
assign NPIs; thus, if those health plans' prevalidated health care 
provider files were to be used to populate the NPS, costs might exceed 
$50 per health care provider in order to obtain the missing information 
needed to assign NPIs. Commenters also pointed out that the cost to 
enumerate an entity that furnishes atypical or nontraditional services 
would exceed $50.
    Response: We respond to these issues as follows:
    [sbull] We agree with the comment that there may be situations 
where information in addition to what is contained in existing health 
care provider files will be required in order to assign NPIs. For 
example, we have found that some Medicaid and Medicare provider files 
do not contain all of the information required to assign an NPI. 
Populating the NPS with existing files that lack certain required NPS 
data elements increases the cost of enumeration because additional 
resources would be needed to collect the missing information.
    [sbull] Any inconsistencies or errors that are present in health 
care provider files that are considered to be used to populate the NPS 
would be imported into the NPS as part of that process. Resolving these 
inconsistencies and errors before loading these files will require 
resources and time. This will increase the cost of enumeration and 
possibly slow the process.
    [sbull] Where the format or structure of a health care provider 
file being considered for use in populating the NPS differs from the 
format or structure of the NPS, additional costs will be incurred in 
attempting to conform that source file to the NPS.
    [sbull] As discussed in section II. C. 2. of this preamble, ``Data 
Elements and Data Dissemination,'' we are reducing the amount of health 
care provider information being captured by the NPS to only that which 
is required to uniquely identify and communicate with the health care 
provider. Some of the information that will not be collected is the 
kind that is costly to collect, such as membership in groups, 
certification and school information. Not collecting these health care 
provider data lowers the cost of enumeration.
    [sbull] On applications for NPIs from individuals, the NPS will 
verify the SSN if it is furnished on the application.
    [sbull] Problems in processing the applications will have to be 
resolved. This will increase the cost of enumeration.
    [sbull] The NPS will be designed, wherever feasible, to take 
advantage of technologies that will make its operation efficient. This 
may include the use of the Internet to accept applications and updates 
from health care providers. While up-front costs will be higher for 
some designs, the more efficient the design and operation of the NPS, 
the lower the cost of enumeration and ongoing operations.
    Medicare Part B carriers indicated in comments that it costs about 
$50 to enroll a health care provider in the Medicare program. This 
process involves reviewing and validating a

[[Page 3447]]

paper application containing far more information than will be 
collected and validated on the NPI application/update form. The NPS 
will verify the SSN only if it is furnished in applying for an NPI; the 
date of birth will be verified only if the SSN is furnished. The NPS 
will run various edits and consistency checks and will check for 
duplicate records to ensure that only one NPI is assigned to a health 
care provider and that the same NPI is not assigned to more than one 
health care provider. Enabling the receipt of Web-based applications 
and the limited validation will make the cost of enumerating a health 
care provider far less than enrolling a health care provider in a 
health plan. The majority of atypical and nontraditional service 
providers are not considered health care providers and, therefore, 
would not be eligible for NPIs. The use of modern technology to receive 
and process applications for NPIs makes it difficult if not impossible 
to attach a dollar value to the enumeration of a single provider. 
Implicit in enumeration are the costs of software, licenses, salaries, 
training, and overhead. We estimate that the combination of all of the 
above factors would reflect an average cost of enumerating a single 
health care provider to be closer to $10.
    Comment: The majority of commenters favored enumeration option 1, 
where a single entity would enumerate all health care providers except 
existing Medicare providers (who would automatically be enumerated). 
(The May 7, 1998, proposed rule recommended enumeration option 2, which 
would have required Federal health plans and Medicaid to enumerate 
their enrolled health care providers, with a federally-directed 
registry enumerating all remaining health care providers.) The 
supporters of a single enumeration entity cited the following 
advantages of option 1: (1) It would be less costly than multiple 
enumeration entities; (2) it would ensure uniform operation of the 
enumeration process, reducing inconsistencies that could lead to 
duplicate assignment of NPIs; (3) it would be less confusing to health 
care providers, particularly those that participate in multiple health 
plans; (4) it would be a single point of contact with which to do 
business and seek help and information; and (5) it would ensure 
uniformity in resolving problems and would be more capable and 
efficient in responding to data integrity issues that may require 
investigation. Comments from Federal health plans and Medicaid State 
agencies (which were the proposed enumeration entities under option 2) 
stated that they preferred not to have a role as an enumerator. Some 
Federal health plans anticipated that too many health care providers 
would request that they handle their updates and changes. Medicaid 
State agencies indicated that they would require additional Federal 
funding to assume the responsibilities of enumeration.
    Nonetheless, some commenters did support option 2. They stated that 
having Federal health plans and Medicaid State agencies enumerate their 
own health care providers had several advantages: (1) These entities 
already conduct a significant amount of enumeration activity in their 
health plan enrollment processes, which would bring a wealth of 
experience to the NPI enumeration process; (2) much of the information 
required to assign an NPI to a health care provider is already 
collected by these entities; (3) fraud detection would be enhanced 
because, as enumeration entities, they would have access to the data in 
the NPS; and (4) the initial cost of enumerating health care providers 
would be incremental to these entities, a major factor in making option 
2 less costly than option 1.
    Response: After analyzing all the comments and reviewing our 
computations as to the costs of enumeration under both options, we have 
determined that a single entity, under HHS direction, should handle the 
enumeration functions. We believe that enumeration by a single entity 
will be the most efficient option.
    While supporters of option 2 cited several advantages, the 
reluctance of the Federal health plans and Medicaid State agencies to 
undertake enumeration functions was a major factor causing us to 
support a single entity. Selection of option 2 would have required 
those Federal health plans and Medicaid State agencies to perform 
functions they were not willing to perform. Another factor in our 
decision to choose option 1 was an oversight in our cost computations. 
While our narrative discussion of costs indicated that prevalidated 
Medicare provider files would populate the NPS under both options, 
Table 5 in the Impact Analysis portion of the May 7, 1998, proposed 
rule did not reflect those savings in the cost of option 1. If those 
savings had been reflected, the cost of option 1 would have been less. 
(Please see the next comment and response regarding Medicare provider 
files.) Costs for option 2 did not include the expenses that would be 
incurred by Federal health plans and Medicaid State agencies in 
resolving problems found in their health care provider records that 
would prevent some of those records from being loaded into the NPS for 
enumeration of the health care providers. This would have increased the 
cost of option 2. Had we applied both of these cost factors, both 
options would cost about the same.
    The use of one entity, under HHS direction, to enumerate health 
care providers will ensure uniform operation of the NPS. Health care 
providers will have a single contact point for applications, updates, 
and questions. Problems will be resolved in a uniform manner. These 
factors make a single enumerator the more efficient option.
    Comment: Several commenters cautioned against loading pre-existing 
health care provider files into the NPS. They indicated that any errors 
present in those files would be carried undetected into the NPS. 
Commenters cautioned that any data to be loaded into the NPS should be 
validated, accurate, and up to date.
    Response: We agree with the commenters' recommendation that 
accurate, current data should be included in the NPS. After publication 
of the May 7, 1998 proposed rule, we reexamined the existing Medicare 
provider files in anticipation of using them to populate the NPS. Our 
reexamination revealed that some mandatory NPS data elements are not 
present in some of the Medicare files. In addition, data integrity 
problems have been identified, and reformatting some of the Medicare 
files to make them consistent with the structure of the NPS may be more 
difficult than first expected. It may require considerable time to 
update and reformat these files for NPS purposes.
    It is important to note that we are undertaking steps to update our 
existing Medicare provider files for independent business reasons. If 
we find it is feasible to use updated, accurate Medicare provider files 
to populate the NPS, we will do so, and we will notify the affected 
Medicare providers that they will not have to apply for NPIs. The NPS 
will notify the affected providers of their NPIs.
    Comment: Nearly all commenters recommended that the enumeration 
function and operation of the NPS be federally funded because a Federal 
statute mandates the adoption and use of a standard unique health 
identifier for health care providers. Many commenters stated that the 
costs cannot be borne directly by health care providers or indirectly 
by health care provider organizations and clearly stated that health 
care providers should receive NPIs at no cost. Some stated that if fees 
need to be assessed, they should come from the health plans, not the

[[Page 3448]]

health care providers, as the health plans will receive the most 
benefit from the use of the standard. There was some support for the 
collection of initial fees from health plans, health care 
clearinghouses, and other nonprovider entities to obtain data from the 
NPS; the fees would help offset the cost of maintaining the database. 
Another commenter recommended that the public sector and large health 
plans pay fees to a public-private sector trust organization. The fees 
would represent their proportion of the total health benefit dollars; 
the trust organization would administer various databases required by 
the HIPAA standards (not solely the NPS). One commenter suggested 
Federal funds be used initially, with the enumeration entity eventually 
becoming self-sufficient.
    Response: HIPAA did not provide the authority to charge health care 
providers a user fee to obtain an NPI. Federal funds will support the 
enumeration process and the NPS, at least initially. After the NPI is 
implemented, HHS will investigate the use of other funding mechanisms. 
The data dissemination process is discussed in section II.C.2., ``Data 
Elements and Data Dissemination,'' of this preamble.
    Comment: Some commenters supported the phases of enumeration as 
described in the May 7, 1998, proposed rule. Many commenters supported 
assignment of NPIs to existing Medicare providers first for these 
reasons: (1) These health care providers are the majority of the health 
care providers that conduct standard transactions; (2) the NPS is being 
developed by HHS; and (3) Medicare provider information is already 
available in HHS in the Centers for Medicare & Medicaid Services (CMS).
    Many commenters stated that health care providers that do not 
conduct the transactions specified in HIPAA should be enumerated at the 
same time as all other health care providers--all health care providers 
must be equally able to receive NPIs. Many of these commenters believed 
that costly dual systems would have to be maintained (one for health 
care providers with NPIs and one for those without) and confusion in 
the marketplace would be created if paper processors did not also 
receive NPIs within the same time frame as electronic processors.
    Other commenters suggested that NPIs be issued on a first-come, 
first-served basis.
    Some commenters suggested enumeration phases by health care 
provider type or by geographical region of the country.
    Response: The NPS will be stress tested, but even successful 
passage of the stress test will not enable all health care providers to 
apply for and be assigned NPIs at the same time.
    Covered health care providers are required to use NPIs where those 
identifiers are required in standard transactions. We expect that 
covered health care providers will be the first to apply for NPIs. We 
estimate that, on the effective date of the NPI, approximately 2.3 
million health care providers will be ready to apply for NPIs. They may 
apply for NPIs beginning on the effective date, which is May 23, 2005. 
Covered health care providers must begin to use their NPIs in standard 
transactions no later than May 23, 2007.
    We estimate that, on the effective date of the NPI, the number of 
health care providers that typically do not conduct standard 
transactions will be approximately 3.7 million. A few examples of these 
health care providers are registered nurses employed by hospitals or 
other facilities, X-ray and other technicians, and dental hygienists. 
These health care providers may apply for NPIs at any time after the 
effective date of this final rule. However, because there is no 
requirement for these health care providers to use NPIs, we do not 
expect them to apply for NPIs as soon as those that conduct standard 
transactions or those that must be identified in standard transactions.
    It may be determined some time after publication of this final rule 
that ``bulk enumeration'' of some health care providers is feasible. 
Bulk enumeration is a term used to mean mass-enumeration of a large 
number of health care providers, all at one time, from a database or 
file that uniquely identifies them in a way consistent with the 
identification criteria in this final rule. Bulk enumeration would 
eliminate the need for those health care providers to apply for NPIs. 
For example, bulk enumeration might involve a specific classification 
of health care providers that comprises the membership of a large 
professional organization, or it could involve different 
classifications of health care providers that are employed by one large 
organization health care provider. In both of these examples, the 
health care providers to be enumerated may or may not be covered 
entities. This enumeration could occur at any time, if it is feasible. 
HHS, along with the other affected entities, and working within the 
requirements of the Privacy Act, will determine the feasibility of bulk 
enumeration. Any health care provider that would be enumerated in this 
way will be notified.
    The NPS will process applications for NPIs as they are received.
    It is true that some health plans may have to maintain--for 
internal purposes--dual health care provider numbers: the NPI and the 
number(s) issued to health care providers by the health plans 
themselves. Health plans impose this burden on themselves in 
accommodating their own internal operational needs. We expect that 
health plans may decide to use NPIs for additional purposes beyond 
those required in this final rule.
    Comment: The majority of commenters made it clear that NPIs must be 
assigned and the NPS fully and successfully tested well before the 
compliance date.
    Response: We agree. The NPS will have been fully tested before it 
begins to assign NPIs. The speed of assignment of NPIs will be 
dependent in part on the complete, correct, and timely submission of 
the NPI applications.
    Comment: Several commenters stated that the application forms for 
NPIs should be retained indefinitely in a manner where the signatures 
or certification statements could be verified if necessary. Commenters 
stated that signatures or certification statements could be useful in 
prosecuting a health care provider that knowingly requested more than 
one NPI for itself.
    Response: The NPI application forms will contain a statement 
whereby the signer attests to the accuracy of the information on the 
application. Paper applications will be maintained indefinitely for 
signature or certification statement verification and audit purposes. 
Applications completed electronically will be processed only if the 
person completing the application attested to the accuracy of the 
information by ``checking'' a designated box appearing in the on-line 
application. Those electronic applications that are successfully 
processed (that is, the health care provider is assigned an NPI) will 
be maintained indefinitely in a manner whereby certification statements 
can be verified if required.
    Comment: Several commenters asked that the NPI application form be 
designed to accommodate updates to health care provider data.
    Response: We believe this is a good suggestion, particularly 
because all of the information that will be required on the application 
for an NPI will have to be updated if changes occur. Therefore, we will 
attempt to design a form that can serve both application and update 
purposes.

[[Page 3449]]

Final Provisions
    One entity will be given enumeration functions under the direction 
of HHS (option 1 as presented in the May 7, 1998, proposed rule) to 
enumerate all eligible health care providers who apply for NPIs. There 
are many advantages in using a single entity, which were discussed in 
the comment and response section above.
    The enumeration function and the development and operation of the 
NPS will be federally funded, at least for the foreseeable future. 
Under this final rule, health care providers will not be charged a fee 
to be assigned NPIs or to update their NPS data.
    If feasible, we will populate the NPS with Medicare provider files.
    Health care providers will apply for NPIs, and covered health care 
providers must apply for NPIs.
    We will attempt to design the NPI application form in order to also 
accommodate updates. The form will be available from the NPS and via 
the Internet (http://www.cms.hhs.gov).
    We will attempt to design the NPS so that it can receive and accept 
NPI applications and updates on paper or over the Internet.
    We expect that the use of modern technology to receive and process 
applications for NPIs and to apply updates to the NPS records of 
enumerated health care providers will greatly reduce our earlier 
estimates. In addition, the limited validation by the NPS of data 
reported by health care providers will further reduce NPS costs. We 
discuss the cost of operating the NPS in section V, ``Regulatory Impact 
Analysis,'' of this preamble.
    Before enumeration begins, the NPS will be fully tested. We will 
strive to ensure that the NPS functions properly and guards against 
assigning the same NPI to more than one health care provider, assigning 
more than one NPI to the same health care provider, and re-using NPIs 
(assigning to a health care provider an NPI that had at one time been 
issued to another).
    Health care providers may apply for NPIs beginning on the effective 
date of this final rule.
    At this time, we do not expect bulk enumeration of health care 
providers, except possibly of Medicare providers, as discussed earlier. 
HHS will explore the feasibility of other such enumerations. If 
considered feasible, the affected health care providers will be 
notified and will not have to apply for NPIs.
    We will consider the feasibility of allowing health care providers 
to designate authorized representatives to handle their NPI 
applications and updates.
    Applications for NPIs and updates will be retained by HHS 
indefinitely in a manner in which signatures on paper applications or 
certification statements on electronic applications can be verified if 
required.
    We will make available as much information as possible about the 
implementation of the NPI on the CMS Web site (http://www.cms.hhs.gov).
    The web site will include information about the availability and 
submission of the NPI application/update form.
3. Approved Uses of the NPI
    The preamble of the May 7, 1998, proposed rule discussed approved 
uses of the NPI. We did not receive comments that objected to those 
uses.
    By 24 months after the effective date of this final rule, covered 
health care providers, health plans (except for small health plans), 
and health care clearinghouses must use the NPI in standard 
transactions. Small health plans must do so within 36 months of the 
effective date. Covered health care providers must disclose their NPIs 
to other entities when these entities need to include those health care 
providers' NPIs in standard transactions. We encourage all other health 
care providers to do the same.
    The NPI may also be used for any other lawful purpose requiring the 
unique identification of a health care provider. It may not be used in 
any activity otherwise prohibited by law.
    Examples of permissible uses include, in addition to the above, the 
following:
    [sbull] The NPI may be used as a cross-reference in health care 
provider fraud and abuse files and other program integrity files.
    [sbull] The NPI may be used to identify health care providers for 
debt collection under the provisions of the Debt Collection Improvement 
Act of 1996 (Pub. L. 104-134, enacted on April 26, 1996) and the 
Balanced Budget Act of 1997 (Pub. L. 105-33, enacted on August 5, 
1997).
    [sbull] Health care providers may use their own NPIs to identify 
themselves in nonstandard health care transactions and on related 
correspondence.
    [sbull] Health care providers may use other health care providers 
NPIs to identify those other health care providers in health care 
transactions and on related correspondence.
    [sbull] Health plans may use NPIs in their internal health care 
provider files to process transactions and in communications with 
health care providers.
    [sbull] Health plans may communicate NPIs to other health plans for 
coordination of benefits.
    [sbull] Health care clearinghouses may use NPIs in their internal 
files to create and process standard transactions and in communications 
with health care providers and health plans.
    [sbull] NPIs may be used to identify health care providers in 
patient medical records.
    [sbull] NPIs may be used to identify health care providers that are 
health care card issuers on health care identification cards.
    We encourage health care providers that are not required to comply 
with HIPAA regulations to use NPIs in the ways listed above.
4. System of Records Notice
    A System of Records Notice (HHS/HCFA/OIS No. 09-70-0008) published 
in the Federal Register on July 28, 1998 (63 FR 40297), listed the ways 
in which data from the NPS that are protected by the Privacy Act may be 
used. Few comments were received on the System of Records Notice.
    We are including a summary of the comments below:
    Comment: One commenter believes that the data collected to assign 
NPIs to physicians should be kept to an absolute minimum. Data that are 
not required for enumeration or legitimate administrative purposes 
should not be collected. Data released beyond HHS must be released in 
accordance with the provisions of the Privacy Act, insofar as that Act 
applies to the data in question, and the Freedom of Information Act, as 
appropriate. Data in addition to those which are published in the 
Unique Physician Identification Number (UPIN) Directory should not be 
released. Most of the data collected to enumerate an individual should 
not be publicly available. Another commenter was concerned that removal 
of a health care provider's record from the NPS could result in the re-
issuance of that health care provider's NPI to another health care 
provider. The NPI must remain unequivocally unique and the NPS must 
never re-issue a previously assigned NPI. Removal of a health care 
provider's records at some point after the health care provider's death 
is reasonable, as long as there are guarantees that the health care 
provider's NPI will never be used by another health care provider or 
re-issued to another health care provider.
    Response: In section II. C. 2. of this preamble, ``Data Elements 
and Data Dissemination,'' we describe the information that we expect 
will be collected and stored in the NPS. The

[[Page 3450]]

requirements described in the comments we received on the NPS System of 
Records Notice will be met in the design and operation of the NPS and 
in the enumeration functions.
5. Summary of Effects on Various Entities
    Below is a summary of how the implementation of the NPI will affect 
health care providers, health plans, and health care clearinghouses.
a. Health Care Providers
    At this time, bulk enumeration of health care providers is not 
expected to occur. If, however, it is determined to be feasible, we 
will populate the NPS with data from Medicare provider files. If bulk 
enumeration were to occur, the affected health care providers would be 
notified of their NPIs and would not have to apply for them. Otherwise, 
in order to be assigned NPIs, covered health care providers must apply 
for NPIs. (Health care providers that are not covered entities are 
encouraged to apply for NPIs.) After applying for NPIs, health care 
providers will be assigned and notified of their NPIs by the NPS. 
Health care providers will submit a paper application or, if feasible, 
will have the option of applying for NPIs via the Internet. The NPI 
application/update form and information about health care provider 
enumeration will be available from the CMS Web site (http://www.cms.hhs.gov).
    Covered health care providers that have been assigned NPIs must 
furnish updates (changes) in their required NPS data or that of their 
subparts to the NPS within 30 days of the changes; they may use the NPI 
application/update form for this purpose. We recommend that health care 
providers notify the health plans in which they are enrolled of any 
changes at the same time they notify the NPS of these changes. (This 
recommendation does not preclude health plans from requiring 
notification of updates within a shorter time frame.)
    We encourage health care providers who have been assigned NPIs but 
who are not covered entities also to notify the NPS of changes in their 
NPS data within 30 days of the changes.
    Covered health care providers must use their NPIs to identify 
themselves and their subparts, if appropriate, on all standard 
transactions when their health care provider identifiers are required. 
We encourage all health care providers and subparts that have been 
assigned NPIs to do the same.
    Covered health care providers must disclose their NPIs and those of 
their subparts to entities that need the NPIs to identify those health 
care providers in standard transactions. We encourage all health care 
providers and subparts that have been assigned NPIs to do the same.
    Covered health care providers must require their business 
associates, if they use them to conduct standard transactions on their 
behalf, to use their NPIs and the NPIs of other health care providers 
and subparts appropriately as required by those transactions.
    Covered health care providers that are organization health care 
providers with subparts as described earlier in this preamble must 
ensure that, when NPIs are assigned to subparts, either the covered 
health care provider or the subpart (1) uses the NPIs of the subparts 
on all standard transactions when their health care provider 
identifiers are required, (2) discloses their NPIs to entities that 
need the NPIs to identify those subpart(s) in standard transactions, 
(3) communicates changes in required data elements of the subparts to 
the NPS, and (4) requires business associates of the subparts, if they 
use them to conduct standard transactions on their behalf, to use their 
NPIs and the NPIs of other health care providers and subparts 
appropriately as required by the transactions that the business 
associates conduct on their behalf.
b. Health Plans
    Health plans must use the NPI of any health care provider or 
subpart that has been assigned an NPI to identify that health care 
provider or subpart on all standard transactions when the NPI is 
required. All plans except small health plans have 24 months from the 
effective date of this final rule to implement the NPI; small health 
plans have 36 months. Health plans that need NPS data in order to 
create standard transactions will be able to obtain NPS data from the 
NPS. (See section II. C. 2. of this preamble, ``Data Elements and Data 
Dissemination.'') Use of data from the NPS in order to comply with 
HIPAA requirements is a routine use as published in the NPS System of 
Records Notice.
    HIPAA does not prohibit a health plan from requiring its enrolled 
health care providers to obtain NPIs if those health care providers are 
eligible for NPIs as discussed earlier in this preamble.
c. Health care clearinghouses
    Health care clearinghouses must use the NPI of any health care 
provider or subpart that has been assigned an NPI to identify that 
health care provider or subpart on all standard transactions when the 
NPI is required. As with health plans, health care clearinghouses will 
be able to obtain NPS data from the NPS.

C. Data

1. NPS Data Structures

Proposed Provisions (Sec.  142.402)

    In section IV. B. of the preamble of the May 7, 1998, proposed 
rule, ``Practice Addresses and Group/Organization Options,'' (63 FR 
25336), we asked for public comment on some of the data structures that 
would be captured in the NPS for each health care provider.
Comments and Responses on NPS Data Structure Concepts
    Below are the questions as posed in the May 7, 1998, proposed rule 
followed by a summary of the comments and our responses:
a. Should the NPS Capture Practice Addresses of Health Care Providers?
    Comment:
    Responding yes: Some commenters stated that they need to capture 
the multiple practice addresses of a health care provider for their 
business functions. They believe it would be best to do this once in 
the health care provider's NPS record, rather than in many local 
systems.
    Responding no: A large majority of commenters stated that the NPS 
should not capture any practice addresses or should capture only one 
physical location address per NPI. Some of these commenters believed 
that each location where a health care provider practices needs to be 
identified, but they believed locations should receive separate 
identifiers, rather than be captured as multiple addresses in the 
health care provider's NPS record. Many other commenters noted that 
health care provider practice addresses change frequently and that 
address information will be burdensome and expensive to maintain and 
will be unlikely to be maintained accurately at the national level. 
They believe that, if needed, it should be collected and maintained in 
local systems.
    Response: The NPS will capture the mailing address and one physical 
location address for each health care provider. Only one physical 
location address will be associated with each NPI. Practice addresses 
would be of limited use in the electronic matching of health care 
providers. The volatility of practice address information would make 
maintenance of the information burdensome and expensive. Collecting 
only one physical location address minimizes the burden of data 
collection and maintenance, while providing an

[[Page 3451]]

address where the health care provider can be contacted in situations 
when a mailing address is insufficient. For example, a mailing address 
containing a Post Office box number cannot be used for mail delivery by 
other than the United States Postal Service.
b. Should the NPS Assign a Location Code to Each Practice Address in a 
Health Care Provider's Record?
    Comment:
    Responding yes: A small number of commenters recommended that the 
NPS assign location codes. Most of these commenters were health plans 
that need to identify all the practice addresses of a health care 
provider. They want to use location codes as pointers to these 
addresses in a health care provider's NPS record.
    Responding no: A large majority of commenters stated that the NPS 
should collect only one physical location address of each health care 
provider and should not assign location codes. If only one physical 
location address is collected, there is no need to assign location 
codes to distinguish multiple practice addresses. Respondents noted 
several technical weaknesses of the proposed location code. They stated 
that the format of the location code would allow for a lifetime maximum 
of 900 location codes per health care provider, and this number may not 
be adequate for health care providers with many locations. The location 
code would not uniquely identify an address; different health care 
providers practicing at the same address would have different location 
codes for that address, resulting in complexity, rather than 
simplification, for business offices that maintain data for large 
numbers of health care providers.
    Response: The combination of the NPI assignment strategy described 
earlier in this final rule and the data elements contained in the 
standard claim and equivalent encounter information transaction 
eliminate the need for location codes. The NPS will not establish 
location codes.
c. Should the NPS Link the NPI of a Organization Health Care Provider 
That Is a Group Practice to the NPIs of the Individual Health Care 
Providers Who Are Members of the Group?
    Comment:
    Responding yes: Some commenters responded that they need to be able 
to associate organization health care providers who are group practices 
with the individual members of the group. They believe this association 
can most efficiently be maintained once in the NPS, rather than in many 
local systems.
    Responding no: A large majority of commenters noted that health 
care provider membership in groups changes frequently and that this 
information will be burdensome and expensive to maintain and will be 
unlikely to be maintained accurately at the national level. Some health 
plans recognize contractual arrangements that may not correspond to 
groups. Commenters believe that, if needed, membership in groups should 
be collected and maintained in local systems.
    Response: We agree that the NPS should not link the NPI of an 
organization health care provider that is a group practice to the NPIs 
of individual health care providers who are members of the group. The 
large number of members of some groups and the frequent moves of 
individuals among groups would make national maintenance of group 
membership burdensome and expensive. Contractual arrangements would be 
impractical to maintain nationally and would most likely differ from 
health plan to health plan. Most organizations that need to know group 
membership and contractual arrangements prefer to maintain this 
information locally, so that they can ensure its accuracy for their 
business purposes.
d. Should the NPS Collect the Same Data for Organization and Group 
Health Care Providers?
    Comment:
    Responding yes: A large majority of commenters stated that a 
distinction between organization and group health care providers would 
be artificial and would serve no purpose.
    Responding no: Some commenters stated that organization and group 
health care providers should be distinguished in the NPS. None of these 
commenters suggested different data that should be collected for a 
group health care provider, as opposed to an organization health care 
provider. We believe that most of these comments reflect a 
recommendation that group health care providers receive NPIs rather 
than a recommendation that different data be collected for group health 
care providers, as opposed to organization health care providers.
    Response: No commenter suggested that different data be collected 
for a group practice than for an organization health care provider and 
a strong majority of commenters stated that the same data should be 
collected. We agree that the NPS should collect the same data for group 
and organization health care providers. Groups will be enumerated as 
organization health care providers.
Comments and Responses on NPS Data Structure Alternatives
    In the May 7, 1998, proposed rule, we presented two alternatives 
for the structure of health care provider data in the NPS.
    Under ``Alternative 1,'' the NPS would capture multiple practice 
addresses. It would assign a location code for each practice address of 
an individual or group health care provider. Organization and group 
health care provider records would have different associated data in 
the NPS. Group health care providers could have individuals (such as 
physicians) listed as members of the group, and the NPS would link the 
NPIs of group health care providers to the NPIs of the individuals that 
make up the group. Under ``Alternative 2,'' the NPS would collect the 
mailing address and one physical location address for a health care 
provider. It would not assign location codes. It would not collect 
different data for organization and group health care providers. It 
would not link the NPI of an organization to the NPIs of individuals or 
any other health care providers.
    Comment: A majority of respondents preferred Alternative 2.
    Response: The comments on the four preceding questions and on the 
two alternatives indicated a strong preference for Alternative 2. We 
agree with commenters that Alternative 2 will provide the data needed 
to identify the health care provider at the national level. We agree 
that the NPS record will be based on the data described in Alternative 
2.
Final Provisions
    In the ``Final Provisions'' portion of section II. A. 2. of this 
preamble, ``Definition of a Health Care Provider,'' we describe the 
entities that will be eligible to receive NPIs. The data structures 
discussed below apply to every entity that is assigned an NPI.
    The mailing address and one practice address (physical location) 
will be collected by the NPS for each health care provider. One 
physical location address will be associated with each NPI.
    Because only one physical location address will be collected per 
health care provider, location codes will not be necessary and, 
therefore, will not be established by the NPS.
    Group practices often have many members, and individual health care 
providers often move from group to group. Maintenance of this 
information on a national level would be difficult and costly. Many 
health plans prefer to

[[Page 3452]]

collect and maintain this information themselves. Therefore, the NPS 
will not link the NPI of a group to the NPIs of individual health care 
providers who are members of that group.
    The NPS will collect the same data from group health care providers 
as it will collect from organization health care providers.
    Group practices will be considered organization health care 
providers and will be enumerated as organization health care providers.
    We will design the NPS along the lines of Alternative 2 as 
presented in the May 7, 1998, proposed rule.
2. Data Elements and Data Dissemination
Proposed Provisions
    In the preamble of the May 7, 1998, proposed rule, in section IV, 
``Data,'' we listed the data elements that we proposed to include in 
the NPS. We solicited comments on the inclusion and exclusion of those 
data elements and the inclusion of other data elements that the public 
believed appropriate. We asked how the NPS could be designed to make it 
useful, efficient, and low-cost.
    In that same section, we also posed data questions and discussed 
options for NPS data structures. Section II.C.1. of this preamble, 
``NPS Data Structures,'' contains the comments and responses and 
decisions made regarding NPS data structures. As a result of those 
decisions, some data elements that were included in the list of 
proposed data elements published in the May 7, 1998, proposed rule will 
not, in fact, be included in the NPS database. Therefore, the 
information in section II.C.1. of the preamble should be kept in mind 
in reading this section.
    In the preamble of the May 7, 1998, proposed rule, in section V., 
``Data Dissemination,'' we proposed two levels of dissemination of 
information from the NPS:
    [sbull] (1) Level I--To the entity(ies) performing the enumeration 
functions. The(se) entity(ies) would have direct access to the NPS and 
to all the data elements in the NPS; and
    [sbull] (2) Level II--To the general public. The general public 
would be able to request and receive selected data elements, excluding 
those that are protected by the Privacy Act. (Requests for Privacy Act-
protected data and Freedom of Information Act (FOIA) requests would be 
handled in accordance with existing HHS policies.)
    The May 7, 1998, proposed rule contained a table indicating the 
level of dissemination of the NPS data elements. We proposed that we 
would charge fees for data and data files, but that the fees would not 
exceed the costs of dissemination (63 FR 25338). We solicited comments 
on the information that should be available in paper and electronic 
formats and the frequency with which information should be made 
available.
Comments and Responses on Data Elements and Data Dissemination
    Comment: An overwhelming number of commenters said that the NPS 
should contain only the data elements required to communicate with and 
uniquely identify and assign an NPI to a health care provider. They 
believed this information should be the kind that could effectively be 
maintained at the national level, leaving the more complex and volatile 
data to health plans to capture and maintain, as they currently do. 
Many commenters listed the specific data elements that they recommended 
we remove from the list presented in the May 7, 1998, proposed rule. 
The majority of commenters believe that, as a result of the removal of 
the data elements not needed for enumeration and communication, the NPS 
would be easier and less expensive to maintain and would operate more 
efficiently.
    Response: To be valuable, the NPS must be accurate, up to date, and 
meet its intended purpose in the most feasible way. The NPS must 
collect information sufficient to uniquely identify a health care 
provider and assign it an NPI and must collect information sufficient 
to communicate with a health care provider. The data elements that we 
have retained are necessary to uniquely identify and communicate with a 
health care provider. Our decision to reduce the composition of the NPS 
to the data elements needed for unique identification and communication 
removes many of the data elements that were proposed to comprise the 
NPS in the May 7, 1998, proposed rule. The comments and responses that 
follow contain additional information and rationale concerning our 
decision to include or exclude certain data elements.
    Comment: Some commenters said that collecting but not validating 
certification or school information would make that information 
meaningless. Most commenters did not believe the NPS should collect 
certification or school information in the first place because it would 
not be useful in uniquely identifying the individual applying for an 
NPI. They believe that collection and validation of this information 
should continue to be done by health plans in their health care 
provider enrollment processes. Most commenters supported the collection 
of credential designation(s) (for example, M.D., C.S.W., and R.N.), 
license number(s), and State(s), which issued the license(s) for 
individual health care providers whose taxonomy classifications require 
licenses.
    Response: We agree with commenters that it would be costly to 
collect, validate, and maintain certification and school information. 
We do not believe the NPS should replicate unnecessarily the work 
carried out by health plans. We agree that health plans, which do this 
work now, should appropriately continue to do so. The NPS will capture 
an individual health care provider's license number (if appropriate), 
the State which issued the license (multiple occurrences of both data 
elements), and the credential designation(s). The credential 
designation(s) (called ``Provider's credential designation'' in the May 
7, 1998, proposed rule) will be captured in the data element ``Provider 
credential text,'' which will be a repeating field. This data element 
was renamed to make it compatible with X12N HIPAA data dictionary 
naming conventions and also to avoid giving the impression that the NPS 
will be validating the credentials. The license number and State in 
which it was issued will be useful to health plans in matching NPS 
records to their health care provider files. As a result of the 
decision not to collect certification and school information, the 
following data elements will not be included in the NPS:
    [sbull] Provider certification code;
    [sbull] Provider certification (certificate) number;
    [sbull] School code;
    [sbull] School name;
    [sbull] School city, State, country;
    [sbull] School graduation year.
    Comment: Commenters did not see value in the NPS capturing 
``Provider's birth county name.'' They believe the State name and 
country (the latter required if the health care provider was not born 
in the United States) would be sufficient for identification purposes.
    Response: We agree. The ``Provider's birth county name'' data 
element will be excluded from the NPS.
    Comment: Some commenters suggested that the ``Taxpayer Identifying 
Number'' (TIN) be added to the NPS. They believed this was needed to 
match NPS records to health plans' health care provider files and that 
it could help in unique identification.
    Response: We agree that the numbers used to report income taxes 
will be

[[Page 3453]]

useful in uniquely identifying health care providers.
    According to the Internal Revenue Service (IRS), three numbers 
(known as ``Taxpayer Identifying Numbers,'' or TINs) may be used 
(depending on circumstances) to report income taxes: (1) The Social 
Security Number (SSN), assigned by the Social Security Administration 
to individuals; (2) the IRS Individual Taxpayer Identification Number 
(ITIN), assigned by the IRS to individuals who are not eligible to 
receive Social Security Numbers; and (3) the Employer Identification 
Number (EIN), assigned by the IRS to organization health care providers 
(that is, health care providers that would not be assigned ``Entity 
type code'' 1 NPIs). For purposes of being assigned NPIs, health care 
providers will be asked voluntarily to supply their SSN or IRS ITIN (if 
they are individuals who would be assigned an ``Entity type code'' 1 
NPI), or will be required to supply their EIN (if they are 
organizations that would be assigned ``Entity type code'' 2 NPIs).
    Requesting the SSN from individual health care providers will 
dictate that we include on the NPI application/update form appropriate 
disclosure and Privacy Act statements.
    Comment: Some commenters suggested that Medicare and Medicaid 
sanction information be added to the NPS. One commenter wanted to know 
where sanction data would be housed and who would maintain these data.
    Response: The NPS will not contain sanction data or indicators that 
sanction data exist. Sanction data were not included in the data 
element list published in the May 7, 1998, proposed rule. While 
maintainers of sanction databases may incorporate the NPI into their 
databases to enable searches by NPI, the NPS will not house sanction 
information. The Web address for the Office of Inspector General 
sanctioned health care providers file is http://exclusions.oig.hhs.gov/.
    Comment: Some commenters said that ``License revoked indicator'' 
and ``License revoked date'' should be included in the NPS.
    Response: The NPS will not capture this or similar information. The 
uniqueness of the health care provider can be established without this 
information. This information would more appropriately be collected by 
health plans.
    Comment: A number of data elements were suggested to be added to 
the NPS. These included ``Owner of the provider,'' ``Practice type 
control code'' (office-based, hospital-based, Federal facility 
practice, and other), ``Source of information for certification,'' 
``Provider type,'' and ``Provider specialty code.''
    Response: The May 7, 1998, proposed rule did not propose that the 
NPS collect health care provider ownership information. This 
information is volatile and already resides on most health plans' 
health care provider enrollment files. Practice type control 
information is not required to uniquely identify or classify a health 
care provider for NPS purposes; therefore, it will not be included in 
the NPS. ``Source of information for certification'' will not be 
captured because, as explained earlier in this section, certification 
information will not be collected by the NPS. The definitions of 
``Provider type'' and ``Provider specialty code'' may differ from one 
health plan to another; the NPS will capture the type(s), 
classification(s), and area(s) of specialization as described in the 
Healthcare Provider Taxonomy Code set. By capturing this information, 
we take into account the specialty classifications as required by 
HIPAA. The taxonomy can be viewed at this Web site: http://www.wpc-edi.com/taxonomy/.
    Comment: A commenter suggested that a health care provider's ``pay-
to address'' be added to the NPS. Another commenter stated that health 
plans will use the health care provider's mailing address as the pay-to 
address. Another commenter suggested that HHS consider electronic data 
interchange (EDI) addresses for inclusion in the NPS.
    Response: In most situations, a health care provider's ``pay-to 
address'' is its mailing address. Therefore, we do not believe it is 
necessary to add a ``pay-to address'' to the NPS. Because EDI addresses 
are not standardized at this time, they will not be included in the 
NPS. The composition of the NPS will be revised if necessary in the 
future.
    Comment: Several commenters suggested adding the name of the 
establishing enumerator or agent and the name and telephone number of 
the enumerator who made the last update to the NPS. They believe that 
this information would help ensure the accuracy of the database by 
preventing multiple enumerators from updating or attempting to update 
the same records.
    Response: As discussed in section II. B. 2. of this preamble, 
``Health Care Provider Enumeration,'' there will be one entity, under 
HHS direction, that will be charged with enumeration functions. The 
decision to use a single enumerator renders the data elements proposed 
by these commenters unnecessary. The ``Establishing enumerator/agent 
number'' will not be included in the NPS.
    Comment: One commenter suggested we add ``Provider status'' and 
``Date of deactivation'' to the NPS.
    Response: In section II. A. 2. of this preamble, ``Definition of 
Health Care Provider,'' we describe the reasons why an NPI may be 
deactivated. We have added to the NPS two new data elements: ``National 
Provider Identifier deactivation reason code'' and ``National Provider 
Identifier deactivation date.'' These data elements will capture the 
information suggested by this commenter. (It should be noted that 
``Provider's date of death'' will be excluded as a data element from 
the NPS. Fact of death and resulting deactivation date will be captured 
in the two new data elements.) We have also added a data element called 
``National Provider Identifier reactivation date,'' which will capture 
the date that a health care provider's NPI is reactivated.
    Comment: Several commenters suggested adding ``Cross reference to 
replacement NPI.'' They thought it would be important to link former 
and current NPIs.
    Response: In section II. A. 2. of this preamble, ``Definition of 
Health Care Provider,'' we explain that an NPI is designed to last 
indefinitely. There may, however, be an unusual circumstance that would 
justify a health care provider's request to be issued a new, different 
NPI. In these situations, the NPS will link the new, or replacement, 
NPI to the previous NPI(s) of that same health care provider. (By 
``same health care provider,'' we mean an entity with exactly the same 
data elements, or string of NPS data.) We will add two new data 
elements to the NPS: ``Replacement NPI'' and ``Previous NPI.'' Both 
will be repeating fields (see ``Data Status'' preceding the National 
Provider System Data Elements and Data Dissemination table). When a 
user retrieves the NPS record of a health care provider, either of 
those fields may contain data. (If neither field contains data, the 
health care provider has had only one--its original--NPI.) The user can 
then retrieve the related NPS record by requesting the record of the 
NPI appearing in the ``Replacement NPI'' or the ``Previous NPI'' field, 
whichever is appropriate.
    Comment: One commenter suggested that ``Effective from'' and 
``Effective through'' dates be added for telephone numbers and 
addresses.
    Response: We expect that the NPS will be designed to associate 
dates with the information about a health care provider, thus creating 
a history of a health care provider's record. When changes are made to 
a health care provider's telephone number or address,

[[Page 3454]]

that health care provider's record will include the dates of those 
changes. ``Effective from'' and ``Effective through'' dates for 
telephone numbers and addresses may not hold true; there could be 
unexpected situations that could cause changes to occur sooner or later 
than reported. We believe it will be more accurate to include a date to 
reflect each time a change is made in this information.
    Comment: A commenter suggested that the On-line Survey 
Certification and Reporting System (OSCAR) number be maintained after 
the initial load of Medicare providers, and that the NPS include a 
``Facility type'' indicator for OSCAR providers.
    Response: As explained earlier in section II. B. 2. of this 
preamble, ``Health Care Provider Enumeration,'' we are evaluating the 
feasibility of populating the NPS with existing Medicare provider 
files. If this is done, the OSCAR number, which is a Medicare-assigned 
number, will be captured in the NPS automatically. Whether or not we 
populate the NPS with Medicare files, the NPI application/update form 
will collect health care provider identification numbers that are 
assigned by certain health plans (including Medicare) and other 
organizations. Health care providers that apply for NPIs will be able 
to furnish these numbers (``Other provider identifier'') and to 
indicate the type of number being furnished (for example, OSCAR, UPIN, 
DEA, and Medicaid) (``Other provider identifier type code''), on the 
NPI application/update form. These will be optional and repeating NPS 
data elements. The NPS will capture as many ``Other provider 
identifier'' entries and the corresponding ``Other provider identifier 
type code'' entries as are reported on the NPI application/update form. 
The NPS will apply changes or updates to the ``Other provider 
identifier'' or ``Other provider identifier type code'' when health 
care providers notify the NPS of changes to this information.
    The NPS will not require a ``Facility type'' indicator for health 
care providers with OSCAR numbers. It will collect the Healthcare 
Provider Taxonomy Code on the NPI application/update form.
    Comment: Several commenters suggested the NPS retain the health 
care provider mailing and health care provider practice (provider 
location) phone number, facsimile number, and electronic mail address 
only during the initial assignment of NPIs, and then discontinue 
maintenance of this information.
    Response: These data elements are needed for communication with the 
health care provider. HHS may need to communicate with a health care 
provider at any time during the implementation period or after. 
Therefore, these data elements will be maintained beyond the initial 
assignment of NPIs. In section II. A. 5. of this preamble, 
``Implementation specifications for Health Care Providers, Health 
Plans, and Health Care Clearinghouses,'' we are requiring health care 
providers who are covered entities to update their required NPS data, 
which includes the data elements noted in the comment above, whenever 
changes occur.
    Comment: Many commenters suggested that several data elements be 
repeated; for example: ``Provider's other name'' and ``Provider's other 
name type''; ``Other provider number'' and ``Other provider number 
type''; ``Provider license number'' and ``Provider license State''; 
``Provider classification''; the data elements associated with schools; 
and the data elements associated with credentials.
    Response: The data element table appearing in the May 7, 1998, 
proposed rule did not indicate repeating fields. In the National 
Provider System Data Elements table at the end of this section, 
repeating fields are noted as such. The NPS will contain as many 
repeating fields as there is information for ``Provider other last or 
other organization name'' and ``Provider other last or other 
organization name type code.'' As mentioned earlier, the NPS will also 
be able to accommodate multiples of other health care provider numbers 
in the data element ``Other provider identifier'' and types of other 
health care provider numbers in the data element ``Other provider 
identifier type code.'' The NPS will accommodate multiple entries for 
``Provider license number'' and ``Provider license State.'' As 
explained earlier, the school information will be excluded from the 
NPS. ``Provider credential text'' (for example, M.D. and D.D.S.) will 
be a repeating field. These repeating fields are either optional or 
situational and will not be validated.
    Comment: Many commenters asked that ``Provider's race'' be removed 
from the NPS. They did not believe it would be accurately reported. 
They stated that there are inconsistent definitions for ``race''; they 
did not understand the purpose for collecting this information.
    Response: We understand and appreciate the comments stating that 
the NPS should be capturing only what is needed for unique 
identification of and communication with a health care provider. While 
collection of race and ethnicity data could support a number of 
important research activities, this information is not needed to 
uniquely identify a health care provider; thus, we have concluded that 
the NPS is not the appropriate vehicle for collecting this information. 
Therefore, we will not collect these data elements even on an optional 
basis.
    Comment: Several commenters suggested that a number of other data 
elements be excluded from the NPS: all user-requested data elements 
(these were denoted by a ``U'' in the data element list in the May 7, 
1998, proposed rule), ``Other provider number,'' ``Other provider 
number type,'' ``Organization type control code,'' ``Provider 
certification code,'' ``Provider certification (certificate) number,'' 
``Provider license number,'' ``Provider license State,'' ``School 
code,'' ``School name,'' ``School city, State, country,'' ``School 
graduation year,'' ``Provider classification,'' ``Date of birth,'' all 
electronic mail addresses and fax numbers, ``Date of death,'' 
``Provider sex,'' and ``Resident/Intern code.''
    Response: We stated in the previous response that ``Provider race 
code'' (which was a user-requested data element in the list included in 
the May 7, 1998, proposed rule) will not be retained. We discussed all 
other data elements presented as user-requested data elements in the 
list in the May 7, 1998, proposed rule in previous comments and 
responses except for ``Organization type control code'' and ``Resident/
Intern code.'' These two latter data elements will be excluded; they 
are not needed for the unique identification of or communication with a 
health care provider.
    Comment: Several commenters questioned the use of ``optional'' data 
elements, believing that ``optional'' information will rarely be 
furnished and, if it is furnished, may not be reliable and probably 
would not be kept current.
    Response: Certain information about health care providers that is 
desirable to uniquely identify them in order to assign NPIs cannot be 
required to be furnished. ``Situational'' data elements should not be 
confused with ``optional'' data elements. ``Situational'' data elements 
are required if a certain situation, or condition, exists. ``Optional'' 
data elements do not have to be supplied at all. For example, 
``Provider other last or other organization name'' is optional. A 
health care provider may choose not to report a former name or a 
professional name. We have attempted to make as

[[Page 3455]]

few data elements as possible ``optional'' in the NPS.
    Comment: Several commenters suggested that data element names, 
qualifiers, and definitions be consistent with the X12N HIPAA data 
dictionary.
    Response: The NPS data element names, qualifiers, and definitions, 
wherever possible, are mappable to those in the X12N HIPAA data 
dictionary and are compatible with X12N naming conventions. We believe 
the mapping capability and naming convention compatibility are 
essentially what the commenters wanted and believe we have satisfied 
their concerns.
    Comment: Two commenters suggested that the Drug Enforcement 
Administration (DEA) number be collected from health care providers 
that have one.
    Response: The DEA number is an example of an ``Other provider 
identifier.'' The DEA number can be accommodated in this field in the 
NPS. We recognize that mapping between DEA numbers and NPIs is very 
important for the conversion of retail pharmacy files during NPI 
implementation. Therefore, we will collect the DEA number in the 
``Other provider identifier'' field if it is reported on the NPI 
application/update form and will carry the fact that it is a DEA number 
by setting the ``Other provider identifier type code'' to indicate 
that.
    Comment: Several commenters suggested that we publish a data model 
and record layout or both describing in detail the data elements, field 
lengths, format, repeating fields, and required and situational fields.
    Response: The data element table in this preamble includes an 
indication of ``required,'' ``optional,'' or ``situational'' for each 
data element, and repeating data elements are noted as such. More 
detailed information, as requested in the comment, will be posted to 
the CMS Web site (http://www.cms.hhs.gov) when it becomes available 
during the NPS design.
    Comment: Several commenters said an audit trail of NPI updates is 
needed for qualified users. This would indicate which enumerator 
updated which fields.
    Response: The NPS will construct an audit trail. We expect that the 
audit trail would include the date a change was made, the old value, 
the new value, and the initiator of the change. As stated in section 
II. B. 2. of this preamble, ``Health Care Provider Enumeration,'' there 
will not be multiple enumerators. The NPS will contain a date (``Last 
update date'') that will indicate when a change was made to a health 
care provider's record. Extracts containing NPS changes will be made 
available in HHS-determined format and media to satisfy requests from 
approved users (see later discussion in this section of the data 
dissemination strategy).
    Comment: Several Medicaid State agencies suggested that the 
Healthcare Provider Taxonomy Code set contain all health care provider 
types and specialties needed by Medicaid plans. Another commenter asked 
that the code set reflect services provided by pharmacists. Another 
stated that the code set did not contain a category for pain medicine. 
Several other commenters said the taxonomy code set is inconsistent.
    Response: Until recently, this code set was maintained through an 
open process by the National Healthcare Provider Taxonomy Committee for 
use in Accredited Standards Committee X12N standard transactions. It is 
now maintained through an open process by the National Uniform Claim 
Committee. The Web site at which the code set is available is http://www.wpc-edi.com/taxonomy/. The web site contains information on how 
changes to the code set can be requested. (Note: Pharmacy service 
providers and physicians whose specialization is ``Pain Medicine'' are 
included in the code set.) Comment: Several commenters suggested that 
the NPS contain a feature whereby the Healthcare Provider Taxonomy Code 
set classifications will be available for selection when applying for 
an NPI.
    Response: We will consider this comment in the design of the NPI 
application/update form.
    Comment: Many commenters supported the creation of an industry-wide 
forum to determine the data element content, identify the mandatory and 
optional data elements, and determine the data dissemination 
requirements of the NPS. They recommended that WEDI foster such a 
group.
    Response: WEDI is named in the Act as an external group with which 
the Secretary must consult in certain circumstances in standards 
development. To address these issues, WEDI formed several workgroups, 
which consisted of representatives from every aspect of the health care 
industry. Following the workgroups' meetings, WEDI supplied HHS with 
comments on NPS data, data dissemination, and other issues, 
supplementing the comments WEDI provided to HHS during the public 
comment period. We have considered these comments in developing this 
final rule.
    Comment: Most commenters did not favor the two-level data 
dissemination approach presented in the May 7, 1998, proposed rule but 
favored instead a three-level approach:
    [sbull] Commenters agreed that only the entity performing the 
enumeration functions and HHS should have access to the entire NPS.
    [sbull] Commenters did not want Privacy Act restrictions violated 
but believe that our approach denied health plans and certain other 
health care industry entities information that they needed in order to 
process HIPAA transactions, while it gave the general public an 
excessive--and unnecessary--amount of information. They said that 
health plans and other health care industry entities required certain 
Privacy Act-protected data in order to accurately match their health 
care provider files with NPS data to effectively implement HIPAA 
requirements. Many suggested that health plans and health care 
clearinghouses be permitted to obtain copies of the database and 
periodic update files so that they can maintain files that are 
continually consistent with the NPS. Some commenters suggested an on-
line query and response system be developed for health plans to verify 
a health care provider's NPI. Others wanted electronic transactions 
designed that could be sent to the NPS with a response returned. These 
transactions might request all available data, regional data, new 
records only, and updated records only. Some commenters suggested that 
health plans have batch and interactive access capabilities to the NPS, 
stating that health plans will require daily batch updates of new and 
changed records, particularly during the implementation period. Some 
suggested that changed records be available for electronic download 
daily and weekly, and monthly by CD ROM and diskette. Still others 
preferred that health care entities receive data through the Internet 
with secure identifiers.
    [sbull] One commenter stated the NPS data should be used strictly 
for enumeration and that no NPS data should be made available to the 
public. This commenter recommended that the public and others obtain 
NPIs from the health care providers themselves, not from the NPS. Some 
commenters believe it inappropriate for the general public to look to 
the NPS as the source of any but the most general types of information 
about health care providers. Some commenters expressed concern that 
public release of too much information (particularly, full addresses) 
could subject health care providers to receipt of junk mail and other 
unsolicited materials.
    [sbull] Commenters recommended that agreements be signed by anyone 
receiving NPS data to ensure the

[[Page 3456]]

information released would not be used for marketing or mailing list 
generation or sold or transferred to another entity.
    [sbull] Several commenters stated that personally identifiable data 
about health care providers, contained in the NPS, should be available 
to researchers for clinical and financial outcomes analyses after 
appropriate agreements are signed.
    [sbull] One commenter suggested read-only access to the NPS data 
for all users.
    [sbull] Several commenters stated that the data dissemination 
policy should be consistent with the routine uses of NPS data as 
published in the NPS System of Records Notice (63 FR 40297).
    [sbull] The three dissemination levels suggested by commenters 
were:
    [sbull] Level 1--Available to HHS and the entity with which HHS 
contracts to perform the enumeration functions.
    [sbull] Level 2--Available to health plans and certain other health 
care industry entities that require certain Privacy-Act protected data 
to match their health care provider files to NPS data.
    [sbull] Level 3--Available to the general public.
    Response: In order to keep costs low, we must make the NPS data 
dissemination strategy as efficient and uncomplicated as possible. The 
number of formats and access options will need to be limited.
    We view the NPS as a health care provider identification and 
enumeration system, capturing the information required to perform those 
functions and disseminating information needed by health plans and 
other entities to effectively carry out the provisions of HIPAA. We 
agree with the majority of commenters who stated that health plans and 
certain other health care industry entities require NPS data, including 
some data that are protected by the Privacy Act, in order to 
effectively conduct HIPAA transactions. (Privacy Act-protected data are 
those that reveal or could reveal the identity of a specific individual 
when used alone or in combination with or linked to one or more data 
elements.)
    Comment: Some commenters suggested that a health care provider be 
able to access its own NPS data through the Internet to ensure its 
accuracy and to facilitate updating the information.
    Response: This comment will be considered in the design of the NPS; 
if it is determined to be feasible, this access will be made available.
    Comment: Several commenters supported charging reasonable fees or 
subscription rates for web-based data access options; for example, HHS 
could charge an annual subscription fee for unlimited downloads and a 
different subscription fee for monthly downloads. Some commenters asked 
if on-line access charges would be based on time or on a per file 
access basis.
    Some commenters believed that usage fees should not be limited to 
the cost of producing the data but should be linked to the costs and 
value of establishing and using the NPS.
    Many commenters stated that the enumerator(s) should not have to 
pay for NPS data.
    One commenter, who had suggested the enumerator be a public and 
private sector trust, suggested that dissemination fees be established 
and administered by the public and private sector trust.
    Response: The design of the NPS will facilitate making information 
available in an efficient manner, which will involve the use of the 
Internet. We are reviewing the issue of charging fees, and intend to 
consider charging fees to the extent our authority permits.
    Final Provisions (Sec.  162.408(b) and (f))
    The NPS Data Elements Table lists the data elements that we expect 
to collect about a health care provider and which will be included in 
the National Provider System (NPS). The data element table is not 
intended to be used for data design purposes. During NPS design and 
development, the names and attributes of the data elements may be 
revised. We are including this listing to show readers the kind of 
information that we expect will be collected about health care 
providers or that will be NPS-generated (for example, the NPI) about 
health care providers. The table does not include systems maintenance 
or similar fields.
    Description of the information contained in each column of this 
table:
    Data Element Name: The name of the data element residing in the 
NPS.
    Description: The definition of the data element and related 
information.
    Data Status: The instruction for furnishing the information being 
requested in the data element. The abbreviations used in this column 
are as follows:
    Required (R): Required for NPI assignment. NPS-generated (NG): 
Generated or assigned by the NPS. Optional (O): Not required for NPI 
assignment. Situational (S): If a certain condition exists, the data 
element is required. Otherwise, it is not required. Repeat (RPT): 
Indicates that the data element is a repeating field. A repeating field 
is one that can accommodate more than one separate entry. Each separate 
entry must meet the edits, if any, designated for that data element.
    Data Condition: Describes the condition(s) under which a 
``Situational'' data element must be furnished. NOTE: The abbreviation 
NA means ``not applicable.''
    Entity Types: The ``Entity type codes'' to which the data element 
applies. See the description of the data element ``Entity type code'' 
in the table.
    Use: The purpose for which the information is being collected or 
will be used.
    I: The data element supports the unique identification of a health 
care provider.
    A: The data element supports administrative implementation 
specifications.
    Dissemination of data from the NPS is a complex process. It must be 
responsive to requests from covered entities for NPS information that 
they need in order to comply with HIPAA. We expect a high volume of 
such requests, primarily from health plans, once NPIs begin to be 
assigned. At the same time, the dissemination process must ensure 
compliance with the provisions of the Privacy Act, the Freedom of 
Information Act, the Electronic FOIA Amendments of 1996, and other 
applicable regulations and authorities, and must be consistent with the 
NPS System of Records Notice, which was published on July 28, 1998.
    We expect to make routinely available, via the Internet and on 
paper, HHS-formatted data sets that will contain general identifying 
information, including the NPI, of enumerated organization health care 
providers and subparts of such health care providers (as described 
earlier in this preamble).
    Because of complexities that are inherent in disseminating data 
from the NPS, it is necessary to eliminate from the NPS Data Elements 
Table the column that, in the proposed rule, indicated the data 
dissemination level. Our data dissemination strategy and the process by 
which it will be carried out will be described in detail at a later 
date and published in a notice in the Federal Register.

[[Page 3457]]



                                                NPS Data Elements
----------------------------------------------------------------------------------------------------------------
                                                                        Data condition
        Data element name             Description      Data  status  (situational status     Entity        Use
                                                                            only)             types
----------------------------------------------------------------------------------------------------------------
National Provider Indentifier     10-position all-     NG            NA.................  1, 2........  I
 (NPI).                            numeric
                                   identification
                                   number assigned by
                                   the NPS to
                                   uniquely identify
                                   a health care
                                   provider.
Entity type code (type of health  Code describing the  R             NA.................  1, 2........  A
 care provider assigned an NPI).   type of health
                                   care provider that
                                   is being assigned
                                   an NPI. Codes are
                                   1 = (Person):
                                   individual human
                                   being who
                                   furnishes health
                                   care; 2 = (Non-
                                   person): entity
                                   other than an
                                   individual human
                                   being that
                                   furnishes health
                                   care (for example,
                                   hospital, SNF,
                                   hospital subunit,
                                   pharmacy, or HMO).
Replacement National Provider     The most recent NPI  NG            Required if          1, 2........  I
 Identifier.                       issued by the NPS   S              provider has been
                                   to this provider.   RPT            issued a
                                   Issuance of a                      replacement NPI.
                                   Replacement NPI by
                                   the NPS would be
                                   an unusual
                                   circumstance in
                                   which the provider
                                   requested a new,
                                   different NPI for
                                   a valid reason.
                                   Issuance of a
                                   Replacement NPI is
                                   different from NPI
                                   deactivation and
                                   NPI reactivation.
Previous National Provider        The NPI that had     NG            Required if          1, 2........  I
 Identifier.                       previously been     S              provider
                                   issued to this      RPT            previously had
                                   provider.                          been issued a
                                                                      different NPI.
Provider Social Security Number   The SSN assigned by  O             NA.................  1...........  I
 (SSN).                            the Social
                                   Security
                                   Administration
                                   (SSA) to the
                                   individual being
                                   identified.
Provider IRS Individual Taxpayer  The taxpayer         O             NA.................  1...........  I
 Identification Number (IRS        identifying number
 ITIN).                            assigned by the
                                   IRS (to
                                   individuals who
                                   are not eligible
                                   to be assigned
                                   SSNs) to the
                                   individual being
                                   identified.
Provider Employer Identification  The Employer         S             Required if the      2...........  I
 Number (EIN).                     Identification                     provider has an
                                   Number (EIN),                      EIN.
                                   assigned by the
                                   IRS, of the
                                   provider being
                                   identified.
Provider last name or             The last name of     R             NA.................  1, 2........  I
 organization name.                the provider (if
                                   an individual) or
                                   the name of the
                                   organization
                                   provider. If the
                                   provider is an
                                   individual, this
                                   is the legal name.
                                   If the provider is
                                   an organization,
                                   this is the legal
                                   business name.
Provider first name.............  The first name of    S             Required if the      1...........  I
                                   the provider, if                   provider's NPI is
                                   the provider is an                 Entity type code =
                                   individual.                        1.
Provider middle name............  The middle name of   S             Required if the      1...........  I
                                   the provider, if                   provider's NPI is
                                   the provider is an                 Entity type code =
                                   individual.                        1 and the provider
                                                                      has a middle name.
Provider other last or other      Other last name by   O             NA.................  1, 2........  I
 organization name.                which the provider  RPT
                                   being identified
                                   is or has been
                                   known (if an
                                   individual) or
                                   other name by
                                   which the
                                   organization
                                   provider is or has
                                   been known.
Provider other last or other      Code identifying     S             Required if          1, 2........  I
 organization name type code.      the type of other   RPT            ``Provider other
                                   name. Codes are: 1                 last or other
                                   = former name; 2 =                 organization
                                   professional name;                 name'' contains
                                   3 = doing business                 data. Codes 1-2
                                   as (d/b/a) name; 4                 apply to
                                   = former legal                     individuals; codes
                                   business name; 5 =                 3-4 apply to
                                   other.                             organizations;
                                                                      code 5 applies to
                                                                      both.
Provider other first name.......  Other first name by  S             Required if          1...........  I
                                   which the provider  RPT            ``Provider other
                                   being identified                   last or
                                   is or has been                     organization
                                   known (if an                       name'' contains
                                   individual). This                  data and the
                                   may be the same as                 provider's NPI is
                                   the ``Provider                     Entity type code =
                                   first name'' if                    1.
                                   the provider is or
                                   has been known by
                                   a different last
                                   name only.
Provider other middle name......  Other middle name    S             Required if          1...........  I
                                   by which the        RPT            ``Provider other
                                   provider being                     last or
                                   identified is or                   organization
                                   has been known (if                 name'' contains
                                   an individual).                    data, the provider
                                   This may be the                    NPI is Entity type
                                   same as the                        code = 1, and the
                                   ``Provider middle                  provider has a
                                   name'' if the                      middle name.
                                   provider is or has
                                   been known by a
                                   different last
                                   name only.
Provider name prefix text.......  The name prefix or   O             NA.................  1...........  I
                                   salutation of the
                                   provider if the
                                   provider is an
                                   individual; for
                                   example, Mr.,
                                   Mrs., or Corporal.

[[Page 3458]]

 
Provider name suffix text.......  The name suffix of   O             NA.................  1...........  I
                                   the provider if
                                   the provider is an
                                   individual. The
                                   name suffix is a
                                   ``generation-
                                   related'' suffix,
                                   such as Jr., Sr.,
                                   II, III, IV, or V.
Provider credential text........  The abbreviations    O             NA.................  1...........  I
                                   for professional
                                   degrees or
                                   credentials used
                                   or held by the
                                   provider, if the
                                   provider is an
                                   individual.
                                   Examples are MD,
                                   DDS, CSW, CNA, AA,
                                   NP, RNA, or PSY.
                                   These credential
                                   designations will
                                   not be verified by
                                   NPS.
Provider first line mailing       The first line       R             NA.................  1, 2........  A
 address.                          mailing address of
                                   the provider being
                                   identified. This
                                   data element may
                                   contain the same
                                   information as
                                   ``Provider first
                                   line location
                                   address''.
Provider second line mailing      The second line      S             Required if it       1, 2........  A
 address.                          mailing address of                 exists.
                                   the provider being
                                   identified. This
                                   data element may
                                   contain the same
                                   information as
                                   ``Provider second
                                   line location
                                   address''.
Provider mailing address State    The State or         S             Required if the      1, 2........  A
 name.                             Province name in                   address has no
                                   the mailing                        State code but
                                   address of the                     contains a State
                                   provider being                     or Province name.
                                   identified. This
                                   data element may
                                   contain the same
                                   information as
                                   ``Provider
                                   location address
                                   State name''.
Provider mailing address postal   The postal ZIP or    S             Required if the      1, 2........  A
 code.                             zone code in the                   address is inside
                                   mailing address of                 the United States
                                   the provider being                 or has an
                                   identified. NOTE:                  associated postal
                                   ZIP code plus 4-                   code.
                                   digit extension,
                                   if available. This
                                   data element may
                                   contain the same
                                   information as
                                   ``Provider
                                   location address
                                   postal code''.
Provider mailing address country  The country code in  S             Required if address  1, 2........  A
 code.                             the mailing                        is outside the
                                   address of the                     United States.
                                   provider being
                                   identified. This
                                   data element may
                                   contain the same
                                   information as
                                   ``Provider
                                   location address
                                   country code''.
Provider mailing address          The telephone        S             Required if          1, 2........  A
 telephone number.                 number associated                  provider mailing
                                   with mailing                       address has a
                                   address of the                     telephone.
                                   provider being
                                   identified. This
                                   data element may
                                   contain the same
                                   information as
                                   ``Provider
                                   location address
                                   telephone number''.
Provider mailing address fax      The fax number       O             NA.................  1, 2........  A
 number.                           associated with
                                   the mailing
                                   address of the
                                   provider being
                                   identified. This
                                   data element may
                                   contain the same
                                   information as
                                   ``Provider
                                   location address
                                   fax number''.
Provider first line location      The first line       R             NA.................  1, 2........  A
 address.                          location address
                                   of the provider
                                   being identified.
                                   For providers with
                                   more than one
                                   physical location,
                                   this is the
                                   primary location.
                                   This address
                                   cannot include a
                                   Post Office box.
Provider second line location     The second line      S             Required if it       1, 2........  A
 address.                          location address                   exists.
                                   of the provider
                                   being identified.
                                   For providers with
                                   more than one
                                   physical location,
                                   this is the
                                   primary location.
                                   This address
                                   cannot include a
                                   Post Office box.
Provider location address city    The city name in     R             NA.................  1, 2........  A
 name.                             the location
                                   address of the
                                   provider being
                                   identified.
Provider location address State   The State code in    S             Required if address  1, 2........  A
 code.                             the location of                    is inside the
                                   the provider being                 United States or
                                   identified.                        has an associated
                                                                      State code.
Provider location address State   The State or         S             Required if the      1, 2........  A
 name.                             Province name in                   address has no
                                   the location                       State code but
                                   address of the                     contains a State
                                   provider being                     or Province name.
                                   identified.
Provider location address postal  The postal ZIP or    S             Required if the      1, 2........  A
 code.                             zone code in the                   address is inside
                                   location address                   the United States
                                   of the provider                    or has an
                                   being identified.                  associated postal
                                   NOTE: ZIP code                     code.
                                   plus 4-digit
                                   extension, if
                                   available.
Provider location address         The country code in  S             Required if address  1, 2........  A
 country code.                     the location                       is outside the
                                   address of the                     United States.
                                   provider being
                                   identified.

[[Page 3459]]

 
Provider location address         The telephone        R             NA.................  1, 2........  A
 telephone number.                 number associated
                                   with the location
                                   address of the
                                   provider being
                                   identified.
Provider location address fax     The fax number       O             NA.................  1, 2........  A
 number.                           associated with
                                   the location
                                   address of the
                                   provider being
                                   identified.
Provider taxonomy code..........  Code designating     R             NA.................  1, 2........  I
                                   the provider type,  RPT
                                   classification,
                                   and
                                   specialization.
                                   Codes are from the
                                   Healthcare
                                   Provider Taxonomy
                                   code list. The NPS
                                   will associate
                                   these data with
                                   the license data
                                   for providers with
                                   Entity type code =
                                   1.
Other provider identifier.......  Additional number    O             NA.................  1, 2........  I
                                   currently or        RPT
                                   formerly used as
                                   an identifier for
                                   the provider being
                                   identified. This
                                   data element will
                                   be captured from
                                   the NPI
                                   application/update
                                   form.
Other provider identifier type    Code indicating the  O             NA.................  1, 2........  I
 code.                             type of identifier  RPT
                                   currently or
                                   formerly used by
                                   the provider being
                                   identified. The
                                   codes may reflect
                                   UPIN, NSC, OSCAR,
                                   DEA, Medicaid
                                   State or PIN
                                   identification
                                   numbers. This data
                                   element will be
                                   captured from the
                                   NPI application/
                                   update form.
Provider enumeration date.......  The date the         NG            NA.................  1, 2........  A
                                   provider was
                                   assigned a unique
                                   identifier
                                   (assigned an NPI).
Last update date................  The date that a      NG            NA.................  1, 2........  A
                                   record was last
                                   updated or changed.
NPI deactivation reason code....  The reason that the  S             Required if NPI has  1, 2........  A
                                   provider's NPI was                 been deactivated.
                                   deactivated in the
                                   NPS. Codes are: 1
                                   = death of entity
                                   type ``1''
                                   provider; 2 =
                                   entity type ``2''
                                   provider
                                   disbandment; 3 =
                                   fraud. 4 = other
                                   (for example,
                                   retirement).
NPI deactivation date...........  The date that the    S             Required if ``NPI    1, 2........  A
                                   provider's NPI was                 deactivation
                                   deactivated in the                 code'' contains
                                   NPS.                               data.
NPI reactivation date...........  The date that the    NG            NA.................  1, 2........  A
                                   provider's NPI was
                                   reactivated in the
                                   NPS.
Provider birth date.............  The date of birth    S             Required if the      1...........  I
                                   of the individual                  provider's NPI is
                                   being identified.                  Entity type code =
                                                                      1.
Provider birth State code.......  The code             S             Required if born in  1...........  I
                                   representing the                   United States.
                                   State in which the
                                   individual being
                                   identified was
                                   born. X12N code
                                   lists and names
                                   will be used for
                                   this element.
Provider birth country code.....  The code             S             Required if country  1...........  I
                                   representing the                   is other than
                                   country in which                   United States.
                                   the individual
                                   being identified
                                   was born.
Provider gender code............  The code             S             Required if the      1...........  I
                                   designating the                    provider's NPI is
                                   provider's gender                  Entity type code =
                                   if the provider is                 1.
                                   a person.
Provider license number.........  The license number   S             Required for         1, 2........  I
                                   issued to the       RPT            certain ``Provider
                                   provider being                     taxonomy codes.''.
                                   identified. The
                                   NPS can
                                   accommodate
                                   multiple license
                                   numbers for
                                   multiple
                                   specialties and
                                   for multiple
                                   States. The NPS
                                   will associate
                                   this data element
                                   with ``provider
                                   taxonomy code''.
Provider license number State     The code             S             Required if          1, 2........  I
 code.                             representing the    RPT            ``Provider license
                                   State that issued                  number'' contains
                                   the license to the                 data.
                                   provider being
                                   identified. This
                                   field can
                                   accommodate
                                   multiple States.
                                   It is associated
                                   with ``provider
                                   license number.
Authorized official last name...  The last name of     R             ...................  2...........  I
                                   the person
                                   authorized to
                                   submit the NPI
                                   application or to
                                   change NPS data
                                   for a health care
                                   provider.
Authorized official first name..  The first name of    R             ...................  2...........  I
                                   the authorized
                                   official.
Authorized official middle name.  The middle name of   S             Required if the      2...........  I
                                   the authorized                     authorized
                                   official.                          official has a
                                                                      middle name.
Authorized official title or      The title or         S             Required if the      2...........  I
 position.                         position of the                    authorized
                                   authorized                         official has a
                                   official.                          title or position.
Authorized official telephone     The 10-position      R             ...................  2...........  I
 number.                           telephone number
                                   of the authorized
                                   official.
Contact person last name........  The last name of     R             ...................  1, 2........  I
                                   the person to be
                                   contacted if there
                                   are questions
                                   about the NPI
                                   application or
                                   changes in NPS
                                   data.

[[Page 3460]]

 
Contact person first name.......  The first name of    R             ...................  1, 2........  I
                                   the contact person.
Contact person middle name......  The middle name of   S             Required if the      1, 2........  I
                                   the contact person.                contact person has
                                                                      a middle name.
Contact person name suffix text.  The name suffix of   O             NA.................  1, 2........  I
                                   the contact person
                                   (for example, Jr.,
                                   Sr., II, III, IV,
                                   or V).
Contact person credential text..  The abbreviations    O             NA.................  1, 2........  I
                                   for professional
                                   degrees or
                                   credentials used
                                   or held by the
                                   contact person.
                                   Examples are M.D.,
                                   R.N., or PhD.
Contact person title or position  The title or         S             Required if the      1, 2........  I
                                   position of the                    contact person has
                                   contact person.                    a title or
                                                                      position.
Contact person telephone number.  The 10-position      R             ...................  1, 2........  I
                                   telephone number
                                   of the contact
                                   person.
Contact person mailing address    The electronic mail  S             Required if the      1, 2........  I
 electronic mail identifier.       address associated                 contact person has
                                   with the mailing                   an electronic mail
                                   address of the                     identifier
                                   contact person.                    associated with
                                                                      the mailing
                                                                      address of the
                                                                      contact person.
----------------------------------------------------------------------------------------------------------------

D. New and Revised Standards

    Comments and responses on new and revised standards can be found in 
the Transactions Rule (65 FR 50343). Generally, we may modify a 
standard after the standard has been in effect for at least a year, 
unless we determine a modification is necessary sooner in order to 
permit compliance with the standard. The Secretary may not require 
compliance with a modification until at least 180 days after the 
modification is adopted. We will consider requests for modifications to 
the standard unique health identifier for health care providers.

III. Summary of Revisions to Regulations Text

    We added a definition for ``Covered health care provider'' at Sec.  
162.402. In addition to the changes discussed above, minor 
organizational or conforming changes were made to other sections of the 
regulations text.

IV. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 30-day notice in the Federal Register and solicit 
public comment on a collection of information requirement submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the PRA requires that we 
solicit comment on the following issues:
    [sbull] Whether the information collection is necessary and useful 
to carry out the proper functions of the agency.
    [sbull] The accuracy of the agency's estimate of the information 
collection burden.
    [sbull] The quality, utility, and clarity of the information to be 
collected.
    [sbull] Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.

Sec.  162.410(a)(1) Through (a)(6) Implementation Specifications: 
Health Care Providers

    A health care provider who is a covered entity must obtain, by 
application if necessary, an NPI from the NPS and must use the NPI it 
obtained to identify itself on all standard transactions where its 
provider identifier is required. A covered health care provider must 
ensure that its subpart(s), if assigned an NPI(s), does the same. A 
covered health care provider must disclose its NPI, when requested, to 
any entity that needs the NPI to identify that health care provider in 
a standard transaction. A covered health care provider must ensure that 
its subpart(s), if assigned an NPI(s), does the same. A covered health 
care provider that has been assigned an NPI must notify the NPS of any 
changes in its required data within 30 days of the change. A covered 
health care provider must ensure that its subpart(s), if assigned an 
NPI(s), does the same. A covered health care provider that uses one or 
more business associates to conduct standard transactions on its behalf 
must require its business associates to use its NPI and other NPIs 
appropriately on standard transactions that the business associate 
conducts on its behalf. A covered health care provider must ensure that 
its subpart(s), if assigned an NPI(s), and if the subpart(s) uses one 
or more business associates to conduct standard transactions, does the 
same.

Sec.  162.412 Implementation Specifications: Health Plans

    A health plan must use the NPI of any health care provider or 
subpart in any standard transaction that requires the standard unique 
health identifier for health care providers. A health plan may not 
require a health care provider that has been assigned an NPI to obtain 
an additional NPI.

Sec.  162.414 Implementation Specifications: Health Care Clearinghouses

    A health care clearinghouse must obtain and use the NPI of any 
health care provider or subpart in any standard transaction that 
requires the standard unique identifier for health care providers.
Applicability of the PRA to the Requirements
    The emerging and increasing uses of health care EDI standards and 
transactions have raised the issue of the applicability of the PRA. The 
Office of Management and Budget (OMB) has determined that this 
regulatory requirement (which mandates that the private sector disclose 
information and do so in a particular format) constitutes an agency-
sponsored third-party disclosure as defined under the PRA.
    HIPAA requires the Secretary to adopt standards that have been 
developed, adopted, or modified by a standard setting organization, 
unless there is no such standard, or unless a different standard would 
substantially reduce administrative costs. OMB has concluded that the 
scope of its review under the PRA would include the review and approval 
of our decision to adopt or reject an established industry standard, 
based on the HIPAA criterion of whether a different standard would

[[Page 3461]]

substantially reduce administrative costs. For example, if OMB 
concluded under the PRA that a different standard would substantially 
reduce administrative costs as compared to an established industry 
standard, we would be required to reconsider our decision under the 
HIPAA standards. We would be required to make a new determination of 
whether it is appropriate to adopt an established industry standard or 
whether we should enter into negotiated rulemaking to develop an 
alternative standard (section 1172(c)(2)(A) of the Act).
    The burden associated with the requirements of this final rule, 
which is subject to the PRA, is the initial one-time burden on health 
care providers who are covered entities to apply for an NPI and later, 
as necessary, to furnish updates, and on the covered entities 
identified above to modify their current processes to implement the 
NPI. However, the burden associated with the routine or ongoing use of 
the NPI is exempt from the PRA as defined in 5 CFR 1320.3(b)(2).
    Based on the assumption that the burden associated with systems 
modifications that need to be made to implement the NPI may overlap 
with the systems modifications needed to implement other HIPAA 
standards, and the fact that the NPI will replace the use of multiple 
identifiers, resulting in a reduction of burden, commenters should take 
into consideration when drafting comments that: (1) One or more of 
these current identifiers may not be used; (2) systems modifications 
may be performed in an aggregate manner during the course of routine 
business; and/or (3) systems modifications may be made by contractors 
such as practice management vendors, in a single effort for a multitude 
of affected entities.
PRA Burden on Covered Health Care Providers
    A health care provider that is a covered entity must obtain, by 
application if necessary, an NPI from the NPS. It must use its NPI to 
identify itself on all standard transactions that it conducts where its 
provider identifier is required. In addition, the covered health care 
provider must communicate to the NPS any changes to its required NPS 
data elements within 30 days of the change. To comply with these 
requirements, these health care providers will complete the NPI 
application/update form. This form serves two purposes: it enables a 
covered health care provider to apply for an NPI and to furnish updates 
to the NPS. Application for an NPI is considered to be a one-time 
action: an NPI is considered a permanent identifier for a health care 
provider. (See section II. A. 2., of this preamble, ``Definition of 
Health Care Provider,'' for a discussion of the permanent nature of the 
NPI.) Most covered health care providers will not have to furnish 
updates in a given year; we estimate, based on information in the 
Medicare program, that approximately 12.6 percent of those health care 
providers will need to complete and submit the NPI application/update 
form in a given year. Below are our estimates for the annual burden 
hours associated with these requirements.
Applications for NPIs: Estimated Annualized Burden
    Notes: (1) Existing health care providers that are covered entities 
would be able to apply for NPIs over a 2-year period. For the estimated 
annualized burden, we have divided the number of these health care 
providers by 2 to estimate the annual burden. (2) Applying for an NPI 
is a one-time burden on a health care provider. In future years, this 
burden would apply only to new health care providers that are covered 
entities. (3) The number of health care providers will increase by 1.56 
percent annually. This is not a ``net'' percentage; it represents 
strictly the percentage of new health care providers coming into 
business annually. (4) We estimate it will take 20 minutes to complete 
the application/update form. (5) We estimate an hourly rate of $10.87, 
rounded to $11, for office staff to complete the application/update 
form.
    New health care providers come into business every year. The first 
two years would have increases of 36,124 and 37,251 in new covered 
health care providers, respectively. The number of new covered health 
care providers is 1.56 percent of the number of existing health care 
providers in the previous year.
Updates of NPS Data: Estimated Annualized Burden
    Notes: (1) We estimate that 12.6 percent of covered health care 
providers would need to furnish updates in a given year. The number of 
health care providers needing to update their data in any year is a 
percentage of the number of health care providers. (2) A health care 
provider that is a covered entity that does not have changes to its NPI 
data would not furnish updates and would, therefore, experience no 
burden. (3) We estimate it will take 10 minutes to complete the 
application/update form. (4) We estimate an hourly rate of $10.87, 
rounded to $11, for office staff to complete the application/update 
form.
    In FY 2007, we estimate there will be 1,157,821 covered health care 
providers to be assigned NPIs. One could argue that no updates will 
need to be made in FY 2007 because no covered health care provider 
would have been enumerated prior to FY 2007. (Note: No health care 
provider is required to have an NPI before 2007.) However, for FY 2007, 
we have factored in updates by adding 12.6 percent of the 1,157,821 
covered health care providers to represent--in a worst case scenario--a 
full year's worth of updates if the full 12.6 percent of the enumerated 
covered health care providers needed to provide updates within that 
same year.
    Table 1 below shows the estimated annualized burden for the PRA.

                               Table 1.--Paperwork Reduction Act Estimated Annualized Burden. Estimated Annualized Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                          Year                                 2007            2008            2009            2010            2011            Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost (Burden Hours for Total Providers).................      $5,419,027      $5,641,062        $183,050        $192,798        $204,079     $11,640,015
Cost (Update Hours).....................................        $670,165        $719,050        $759,519        $800,337        $847,167      $3,796,237
                                                         -----------------------------------------------------------------------------------------------
    Total Annualized Cost...............................      $6,089,192      $6,360,111        $942,568        $993,135      $1,051,246     $15,436,252
--------------------------------------------------------------------------------------------------------------------------------------------------------

    If feasible, to further reduce burden and plan for compliance with 
the Government Paperwork Elimination Act, we are considering the 
acceptance of applications and updates electronically over the 
Internet. We explicitly solicit comment on how we might conduct this 
activity in the most efficient and effective manner, while ensuring the 
integrity, authenticity, privacy, and security of health care provider 
information.

[[Page 3462]]

    As required by section 3504(h) of the Paperwork Reduction Act of 
1995, we have submitted a copy of this document to the Office of 
Management and Budget (OMB) for its review of these information 
collection requirements. If you comment on these information collection 
and recordkeeping requirements, please e-mail comments to Paperwork@ 
cms.hhs.gov (Attn: CMS-0045-F) or mail copies directly to the following 
two addresses:

Centers for Medicare & Medicaid Services, Office of Strategic 
Operations and Regulatory Affairs, Regulations Development and 
Issuances Group, Room C5-14-03, 7500 Security Boulevard, Baltimore, MD 
21244-1850, Attn: James Bossenmeyer, CMS-0045-F;

     and

Office of Information and Regulatory Affairs, Office of Management and 
Budget, Room 10235, New Executive Office Building, Washington, DC 
20503, Attn: Brenda Aguilar, CMS-0045-F, CMS Desk Officer.

V. Regulatory Impact Analysis

A. Overall Impact

    We have examined the impacts of this final rule as required by 
Executive Order 12866 (September 1993, Regulatory Planning and Review), 
the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-
354), section 1102(b) of the Social Security Act, the Unfunded Mandates 
Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.
    Executive Order 12866 (as amended by Executive Order 13258, which 
merely reassigns responsibility of duties) directs agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). A 
regulatory impact analysis (RIA) must be prepared for major rules with 
economically significant effects (costs plus savings equal $100 million 
or more in any one year). We consider this final rule to be a major 
rule, as it will have an impact of over $100 million on the economy. 
This impact analysis shows a net savings of $526 million over a 5-year 
period.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses. For purposes of the RFA, nonprofit organizations 
are considered small entities. Small government jurisdictions with a 
population of less than 50,000 are considered small entities. 
Individuals and States are not considered small entities. Most 
hospitals and most other providers and suppliers are small entities, 
either by nonprofit status or by having annual revenues of less than 
the threshold published in regulations by the Small Business 
Administration (SBA).
    Effective October 1, 2000, the SBA no longer used the Standard 
Industrial Classification (SIC) System to categorize businesses and 
establish size standards, and began using industries defined by the new 
North American Industry Classification System (NAICS). The NAICS made 
several important changes to the Health Care industries listed in the 
SIC System: it revised terminology, established a separate category 
(Health Care and Social Assistance) under which many health care 
providers are located, and increased the number of Health Care 
industries to 30 NAICS industries from 19 Health Services SIC 
industries.
    On November 17, 2000, the SBA published a final rule, which was 
effective on December 18, 2000, in which the SBA adopted new size 
standards, ranging from $5 million to $25 million, for 19 Health Care 
industries and retained the existing $5 million size standard for the 
remaining 11 Health Care industries. The revisions were made to more 
appropriately define the size of businesses in these industries that 
SBA believes should be eligible for Federal small business assistance 
programs.
    On August 13, 2002, the SBA published a final rule that was 
effective on October 1, 2002. The final rule amended the existing SBA 
size standards by incorporating OMB's 2002 modifications to the NAICS 
into its table of small business size standards. The final rule did not 
affect industries that are considered covered entities by this final 
rule.
    On September 6, 2002, the SBA published a final rule (effective 
October 1, 2002) that corrected the August 13, 2002, final rule. The 
final rule corrected errors in the August 13, 2002, final rule and 
contained a new table of size standards to clearly identify size 
standards by millions of dollars and by number of employees. Some of 
those revisions in size standards affected some of the entities that 
are considered covered entities under this final rule. For example, the 
SBA revisions increased the annual revenues for offices of physicians 
to $8.5 million (other practitioners' offices' revenues remained at $6 
million) and increased the small business size standard for hospitals 
to $29 million in annual revenues.
    The regulatory flexibility analysis for this final rule is linked 
to the aggregate regulatory flexibility analysis for all the 
Administrative Simplification standards that appeared in the 
Transactions Rule (65 FR 50312), published on August 17, 2000, which 
predated the SBA changes noted above. In addition, all HIPAA 
regulations published to date have used the SBA size standards that 
existed at the time of the publication of the Transactions Rule. 
Because the SBA size standard changes predate the effective date of 
this final rule, we are using the current SBA small business size 
standards for the regulatory flexibility analysis for this final rule. 
Although the SBA has raised the small business size standards, the 
revised size standards have no effect on the cost and benefit analysis 
for this final rule. The revised standards simply increase the number 
of health care providers that are classified as small businesses. 
Although the SBA revisions changed the size standard for health plans 
by increasing from $5 million to $6 million in annual revenues the 
small business size standard, this change has a minimal effect on this 
final rule. Because all HIPAA administrative simplification regulations 
permit small health plans an additional year in which to comply with 
the implementation specifications and requirements, a greater number of 
small health plans would have the additional year, due to the SBA size 
standard revisions.
    While each standard may not have a significant impact on a 
substantial number of small businesses, the combined effects of all the 
standards are likely to have a significant effect on a substantial 
number of small businesses. However, this final rule will affect small 
businesses, such as small health care providers, health plans, and 
health care clearinghouses, in much the same way as it affects large 
businesses.
    Small businesses that are covered entities must meet the provisions 
of this final rule and implement the standard unique health care 
provider identifier standard. The requirements placed on small health 
care providers, health care clearinghouses, and health plans would be 
consistent with the complexity of their operations. Small health plans 
have an additional year in which to comply. A more detailed analysis of 
the impact on small businesses is part of the impact analysis that we 
published on August 17, 2000 (65 FR 50312), for all the HIPAA 
standards.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to

[[Page 3463]]

the provisions of section 604 of the RFA. For purposes of section 
1102(b) of the Act, we define a small rural hospital as a hospital that 
is located outside of a Metropolitan Statistical Area and has fewer 
than 100 beds. This final rule will have no more significant impact on 
small rural hospitals than it will have on other small health care 
providers.
    Section 202 of the Unfunded Mandates Reform Act (UMRA) of 1995 (2 
U.S.C. 1532) requires that agencies assess anticipated costs and 
benefits before issuing any rule that may result in expenditure in any 
one year by State, local, or tribal governments, in the aggregate, or 
by the private sector, of $110 million. This final rule establishes a 
Federal private sector mandate and is a significant regulatory action 
within the meaning of section 202 of UMRA. We have included the 
statements to address the anticipated effects of this final rule under 
section 202 of UMRA.
    This standard applies to State and local governments in their roles 
as covered entities. Covered entities must implement the requirements 
in this final rule; thus, this final rule imposes unfunded mandates on 
them. Further discussion of this issue is found in the previously 
published impact analysis for all Administrative Simplification 
standards (65 FR 50312).
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct requirement costs on State and local governments, 
preempts State law, or otherwise has Federalism implications. The 
proposed rule that proposed the NPI as the standard unique health 
identifier for health care providers was published prior to the signing 
of that Executive Order. We could not solicit comments on the effect of 
Executive Order 13132 on the adoption of the health care provider 
identifier standard.
    This final rule will have a substantial effect on State and local 
governments to the extent that those entities are covered entities. As 
early as 1993, CMS (then the Health Care Financing Administration) led 
a workgroup whose goal was to develop a provider identification system 
for all health care providers. The system was intended to meet the 
needs of the Medicare and Medicaid programs, and eventually other 
programs. State Medicaid agencies in Alabama, California, Minnesota, 
Virginia and Maryland participated in this effort, along with 
representatives from the private sector and several other Federal 
agencies. The first task of the workgroup was to decide if an existing 
identifier could be used or if a new one needed to be developed. The 
workgroup developed criteria for a unique provider identifier, examined 
existing identifiers, and concluded that a new identifier needed to be 
developed. The workgroup developed the NPI, and we proposed the NPI as 
the standard unique health identifier for health care providers in the 
proposed rule.
    States continue to hold memberships on the National Uniform Claim 
Committee and the National Uniform Billing Committee, and continue to 
be represented in the X12N and Health Level Seven standards development 
organization workgroups and committees. As a result, States have in the 
past, and continue to have, input into the development of new standards 
and the modification of existing standards.
    As stated in the previously published impact analysis in 65 FR 
50312, we do not have sufficient information to provide estimates of 
the impact of the administrative simplification standards on local 
governments.
    In complying with the requirements of part C of title XI, the 
Secretary established interdepartmental implementation teams who 
consulted with appropriate State and Federal agencies and private 
organizations. These external groups included the NCVHS's Subcommittee 
on Standards and Security, the Workgroup for Electronic Data 
Interchange (WEDI), the National Uniform Claim Committee (NUCC), the 
National Uniform Billing Committee (NUBC), and the American Dental 
Association (ADA). The teams also received comments on the May 7, 1998, 
proposed regulation from a variety of organizations, including State 
Medicaid agencies and other Federal agencies.
    We received comments from State agencies and from entities that 
conduct transactions with State agencies. Many of the comments referred 
to the costs to State and local governments of implementing the HIPAA 
standards. We believe that these costs will be offset by future savings 
(see the impact analysis of 65 FR 50350).
    Other comments regarding States reflected the need for 
clarification as to when State agencies were subject to the standards.

B. Anticipated Effects

    The Regulatory Flexibility Act of 1980 considers all 31 nonprofit 
Blue Cross-Blue Shield Health Plans to be small businesses. 
Additionally, 28 percent of HMOs are considered small businesses 
because of their nonprofit status. Doctors of osteopathy, dentistry, 
podiatry, as well as chiropractors, and solo and group physicians' 
offices with fewer than three physicians, are considered small 
businesses. Forty percent of group practices with three or more 
physicians and 100 percent of optometrist practices are considered 
small businesses. Seventy-two percent of all pharmacies, 88 percent of 
medical laboratories, 100 percent of dental laboratories, and 90 
percent of durable medical equipment suppliers are assumed to be small 
businesses as well.
    This analysis required that we use data and statistics about 
various entities that operate in the health data information industry.
    We believe the best source for information about the health data 
information industry is Faulkner & Gray's Health Data Directory. This 
publication is the most comprehensive data directory of its kind that 
we could find. The information in this directory is gathered by 
Faulkner & Gray editors and researchers who called all of the more than 
3,000 organizations that are listed in the book in order to elicit 
information about their operations. Some businesses are listed as more 
than one type of business entity because, in reporting the information, 
companies could list themselves to be as many as three different types 
of entities. For example, some businesses listed themselves as both 
practice management vendors and claims software vendors because their 
practice management software was ``EDI enabled.''
    All the statistics referencing Faulkner & Gray's come from the 2000 
edition of its Health Data Directory. It lists 78 claims 
clearinghouses, which, according to the Health Data Directory are 
entities that generally take electronic and paper health care claims 
data from health care providers and billing companies that prepare 
bills on a health care provider's behalf. The claims clearinghouse acts 
as a conduit for health plans; its activities may include batching 
claims and routing transactions to the appropriate health plan in a 
form that expedites payment.
    Of the 78 claims clearinghouses listed in this publication, eight 
processed more than 20 million electronic transactions per month. 
Another 15 handled 2 million or more transactions per month and another 
4 handled over a million electronic transactions per month. The 
remaining 39 entities listed in the data dictionary processed fewer 
than a million electronic transactions per month. Almost all of these 
entities have annual revenues of under $6 million and would therefore 
be considered small entities.
    Software system vendors provide computer software applications 
support

[[Page 3464]]

to health care clearinghouses, billing companies, and health care 
providers. In particular, they work with health care providers' 
practice management and health information systems. These businesses 
provide integrated software applications for such services as accounts 
receivable management, electronic claims submission (patient billing), 
recordkeeping, patient charting, practice analysis, and patient 
scheduling. Some software vendors also provide applications that 
translate information on paper and information in electronic records 
having no standard formats into standard electronic formats that are 
acceptable to health plans.
    Faulkner & Gray lists 78 physician practice management vendors and 
suppliers, 76 hospital information systems vendors and suppliers, 140 
software vendors and suppliers for claims-related transactions, and 20 
translation vendors (now known as Interface Engines/Integration Tools). 
We were unable to determine the number of these entities with revenues 
over $6 million, but we assume most of these businesses would be 
considered small entities.
    The costs of implementing the NPI are primarily one-time or short-
term costs related to conversion. These costs are characterized as 
follows: software conversion, cost of automation, training, 
implementation, and cost of documentation and implementation guides.
    As stated earlier in this final rule, health care providers will 
not be charged for obtaining an NPI. Covered health care providers will 
have to apply for NPIs and will have to furnish updates to the NPS when 
their required data changes. (However, if health care providers are 
enumerated through the bulk enumeration process described earlier in 
this preamble, they will not have to apply for NPIs, and they will be 
notified of their NPIs. Those that are covered health care providers 
will have to furnish updates to the NPS when their required data 
changes and will have to ensure that their subparts, if assigned NPIs 
via bulk enumeration or otherwise, do the same. These burden estimates 
are discussed in section IV, ``Collection of Information 
Requirements,'' of this preamble.) In addition, covered health care 
providers will have to bear the costs of converting to the NPI, as will 
health plans and health care clearinghouses. Health plans, health care 
clearinghouses, and covered health care providers are required to 
implement the NPI. Most of these entities meet the SBA's definition of 
small entities.
    Health plans, health care clearinghouses, and health care providers 
who are covered entities must use NPIs in standard transactions and 
must make the necessary changes and conversions in order to do so. 
Conversion will require training for staff and will require changes to 
documentation, procedures, records, and software. Some covered health 
care providers that do not already do so may choose to use the services 
of software system vendors, billing companies, and/or health care 
clearinghouses to facilitate the transition to the NPI. While there may 
be up-front costs associated with some of the required changes, the 
fact that only one health care provider number (the NPI) will be used 
in standard transactions will simplify business, improve efficiency, 
and create savings. The format of the NPI (all numeric) will facilitate 
telephone keypad entry; the check-digit in the 10th position will 
detect keying and data entry errors; and the lack of intelligence built 
into the NPI will eliminate the need to issue a new health care 
provider number (and maintain records of such issuances) whenever 
changes occur that would impact that intelligence.
    After being assigned NPIs, covered health care providers will have 
to furnish the NPS with updates to their required NPS data in the NPS 
within 30 days of the changes. It is very likely that the NPS data will 
duplicate some of the information that health care providers furnish to 
health plans when they enroll in health plans (although health plans 
traditionally collect far more information about a health care provider 
than the NPS will collect). Because health care providers must keep 
health plans apprised of updates to their data, the requirement that 
covered health care providers apprise the NPS of updates should not be 
a significant burden on those health care providers.
    The extended effective date of the NPI should allow sufficient time 
for health plans, health care clearinghouses, and health care providers 
who are covered entities to implement the changes needed to accommodate 
the NPI.
    Lastly, HIPAA gives small health plans an extra year (36 months 
instead of 24 months from the effective date) in which to implement the 
NPI.
    The May 7, 1998, proposed rule for the National Provider Identifier 
(NPI) contained a cost-benefit analysis based on the aggregate impact 
of all the HIPAA administrative simplification standards for electronic 
data interchange (EDI). The Comment/Response section related to the 
proposed aggregate analysis, and a final aggregate impact analysis, are 
contained in the Transactions Rule at 65 FR 50345. We address the 
specific impact of the NPI in section V.D. of this preamble, ``Specific 
Impact of the NPI.''

C. Alternatives Considered

Guiding Principles for Standard Selection
    As explained in the May 7, 1998, proposed rule (at 63 FR 25323), 
the implementation teams charged with designating standards under the 
statute defined, with significant input from the health care industry, 
a set of common criteria for evaluating potential standards. These 
criteria are based on direct specifications in HIPAA, the purpose of 
the law, and principles that support the regulatory philosophy set 
forth in Executive Order 12866 of September 30, 1993, and the Paperwork 
Reduction Act of 1995. These criteria also support and are consistent 
with the principles of the Paperwork Reduction Act of 1995. In order to 
be designated as a standard, a proposed standard should:
    [sbull] Improve the efficiency and effectiveness of the health care 
system by leading to cost reductions for or improvements in benefits 
from electronic HIPAA health care transactions. This principle supports 
the regulatory goals of cost-effectiveness and avoidance of burden.
    [sbull] Meet the needs of the health data standards user community, 
particularly health care providers, health plans, and health care 
clearinghouses. This principle supports the regulatory goal of cost-
effectiveness.
    [sbull] Be consistent and uniform with the other HIPAA standards--
their data element definitions and codes and their privacy and security 
implementation specifications--and, secondarily, with other private and 
public sector health data standards. This principle supports the 
regulatory goals of consistency and avoidance of incompatibility, and 
it establishes a performance objective for the standard.
    [sbull] Have low additional development and implementation costs 
relative to the benefits of using the standard. This principle supports 
the regulatory goals of cost-effectiveness and avoidance of burden.
    [sbull] Be supported by an ANSI-accredited standards developing 
organization or other private or public organization that will ensure 
continuity and efficient updating of the standard over time. This 
principle supports the regulatory goal of predictability.
    [sbull] Have timely development, testing, implementation, and 
updating procedures to achieve administrative

[[Page 3465]]

simplification benefits faster. This principle establishes a 
performance objective for the standard.
    [sbull] Be technologically independent of the computer platforms 
and transmission protocols used in HIPAA health transactions, except 
when they are explicitly part of the standard. This principle 
establishes a performance objective for the standard and supports the 
regulatory goal of flexibility.
    [sbull] Be precise and unambiguous, but as simple as possible. This 
principle supports the regulatory goals of predictability and 
simplicity.
    [sbull] Keep data collection and paperwork burdens on users as low 
as is feasible. This principle supports the regulatory goals of cost-
effectiveness and avoidance of duplication and burden.
    [sbull] Incorporate flexibility to adapt more easily to changes in 
the health care infrastructure (such as new services, organizations, 
and health care provider types) and information technology. This 
principle supports the regulatory goals of flexibility and 
encouragement of innovation.
    We assessed the various candidates for a health care provider 
identifier against the principles listed above, with the overall goal 
of achieving the maximum benefit for the least cost. We found that the 
NPI met all the principles and that no other candidate identifier met 
all the principles, or even those principles supporting the regulatory 
goal of cost-effectiveness. We received comments suggesting that we 
consider or reconsider the Taxpayer Identifying Number or the Social 
Security Number for individual health care providers and the Employer 
Identification Number for organizations as the standard unique health 
identifier for health care providers. We responded to these comments in 
section II. A. 3. of this preamble, ``NPI Standard.''
    One possible alternative in the development of the identifier was 
to allow intelligence to be included in it. We rejected this 
alternative on qualitative grounds because it meant that individuals 
might get more than one identifier in their lifetimes. Cost 
considerations also contributed to our decision.
    If intelligence were built into the identifier, the operating cost 
of the enumeration system would rise for several reasons. First, 
additional information would need to be collected and verified so that 
the intelligence in the identifier would be accurate. Secondly, new 
identifiers for individuals and organizations would need to be assigned 
because the embedded intelligence would change.
    The cost to health plans would also increase. First, their systems 
might need to be adapted to use the intelligence in the identifier. 
Secondly, they would have to keep track of the more frequent changes in 
identifiers, and revise their processes accordingly.
    An intelligent identifier would also be more expensive for health 
care providers. They would have to reapply for identifiers if the 
information in the intelligence changed. Additionally, they would have 
to revise their systems to change their identifiers every time they 
changed.
    These quantitative reasons support our choice not to include 
intelligence in the identifier.
Need to Convert
    Because there is no standard health care provider identifier in 
widespread use throughout the industry, adopting any of the candidate 
identifiers would require covered entities to convert to the new 
standard. In the case of the NPI, covered entities will have to convert 
because this identifier is not in use presently. As we pointed out in 
the May 7, 1998, proposed rule in our analysis of the candidates, even 
the identifiers that are in use are not used for all purposes or for 
all health care provider classifications. The selection of the NPI does 
not impose a greater burden on the industry than the nonselected 
candidates, and presents significant advantages in terms of cost-
effectiveness, universality, uniqueness, and flexibility.
Complexity of Conversion
    Some existing health care provider identifier systems assign 
multiple identifiers to a single health care provider in order to 
distinguish the multiple identities the health care provider has in the 
system. For example, in these systems, the health care provider may 
have a different identifier to represent each contract or provider 
agreement, practice location, and specialty or health care provider 
classification. Since the NPI is a unique identifier for a health care 
provider, it will not distinguish these multiple identities. Systems 
that need to distinguish these identities will need to use data other 
than the NPI to do so. The change to using other data will add 
complexity to the conversion to the NPI (or to any other standard 
health care provider identifier), but it is necessary in order to 
achieve the goal of unique identification of the health care provider.
    The complexity of the conversion will also be significantly 
affected by the degree to which health plans' processing systems 
currently rely on intelligent identifiers. For example, a health plan 
may route claims to different processing routines based on the type of 
health care provider by keying on a health care provider type code 
included in the identifier. Converting from one unintelligent 
identifier to another is less complex than modifying software logic to 
obtain needed information from other data elements. However, the use of 
an unintelligent identifier is required in order to meet the guiding 
principle of ensuring flexibility.
    Specific technology limitations of existing systems could affect 
the complexity of conversion. For example, some existing health care 
provider data systems use a telephone keypad to enter data. Data entry 
of alpha characters is inconvenient in these systems.
    Comments were strong in suggesting that the NPI be an all-numeric 
identifier, be 10 positions in length, and include a check-digit in the 
10th position. (See section II. A. 3. of this preamble, ``NPI 
Standard,'' for a full description of comments on the characteristics 
of the identifier.) As stated in that section, in response to comments, 
we changed the format of the NPI to an all-numeric number, 10 positions 
in length, with a check-digit in the 10th position. There will be no 
intelligence about the health care provider in the number. This format 
satisfies the comments for easier data entry and the need for a number 
that will be short enough to fit into most existing data formats.
    The selection of the NPI does not impose a greater burden on the 
industry than the nonselected candidates.

D. Specific Impact of the National Provider Identifier

    In the May 7, 1998, proposed rule (at 63 FR 25349), we included a 
section that related to the specific impact of the health care provider 
identifier. That section of the proposed rule also indicated the 
Federal, State, and private costs associated with the enumeration 
options set out in the proposed rule.
Proposed Provisions
    The May 7, 1998, proposed rule for the National Provider Identifier 
(NPI) contained a cost-benefit analysis based on the aggregate impact 
of all the HIPAA administrative simplification standards for electronic 
data interchange (EDI). The response to comments on the proposed 
aggregate analysis is contained in the Transactions Rule (at 65 FR 
50345). The Transactions Rule also includes an updated impact analysis 
(at 65 FR 50350).

[[Page 3466]]

    One section of the impact analysis that was published in the May 7, 
1998, proposed rule for the NPI (at 63 FR 25351) contained a discussion 
of the costs of enumerating health care providers under each of the two 
enumeration options that were described in the proposed rule. Table 5, 
entitled ``Enumeration Costs: Federal, State, and Private,'' was 
included in this part of the impact analysis in the proposed rule. This 
table compared the costs for each of the two proposed enumeration 
options. Below we respond to the comments received about that part of 
the impact analysis.
Comments and Responses on the Specific Impact of the National Provider 
Identifier
    Comment: One commenter stated that the pharmacy industry will not 
see huge gains in the standardization of the NPI for prescriber and 
pharmacy because de facto standard identifiers exist for these two 
provider types.
    Response: We agree that the pharmacy industry may not realize the 
benefits from standardization of health care provider numbers as 
quickly as other segments of the health care industry because the 
pharmacy industry already uses numbers to identify health care 
providers and pharmacies. However, once NPIs are assigned to health 
care providers and once the entire health care industry begins to use 
the NPI, we believe the pharmacy industry will see the benefits of 
replacing its de facto standards with the national standard. The Drug 
Enforcement Administration (DEA) number was established by the DEA to 
identify those who prescribe or store controlled substances. It is the 
pharmacy industry's de facto identifier for prescribers. In developing 
the NPI, we considered several existing identifiers as candidates for 
the national health care provider identifier. One of those considered 
was the DEA number. However, the use of the DEA number as a national 
health care provider identifier does not fit the scope for which the 
DEA number was established. In addition, the DEA number is not 
available to all health care providers and, as a result, would not be 
appropriate as the national health care provider identifier. The 
National Council for Prescription Drug Programs (NCPDP) provider 
number, formerly called the National Association of Boards of Pharmacy 
(NABP) number, is the pharmacy industry's de facto identifier for 
pharmacies. This number was also considered a candidate for the 
national health care provider identifier, but did not meet two of the 
criteria deemed necessary for a standard identifier: it would not yield 
a sufficient number of identifiers and it contained intelligence.
    Comment: Several commenters suggested revisions to our definitions 
of ``HIPAA-transaction health care provider'' and ``non-HIPAA-
transaction health care provider.'' They found the terms confusing.
    Response: We agree and do not use those terms in this final rule.
    Comment: One commenter asked that we insert the word ``costs'' 
after ``start-up'' and ``outyear'' in Table 5 headings and definitions.
    Response: This comment is not applicable, as we do not include 
Table 5 in this final rule. We refer the reader to the discussion under 
``Final Provisions'' in this section.
    Comment: One commenter stated that we did not factor in atypical 
service providers that are exclusive to the Medicaid program.
    Response: The Medicaid program's atypical and nontraditional 
service providers were included in Table 5 in the May 7, 1998, proposed 
rule. However, as explained in section II. A. 2, ``Definition of Health 
Care Provider'' in this preamble, most of them do not meet our 
definition of health care provider. Therefore, they are not included in 
our analyses in this final rule.
    Comment: Several commenters stated the estimate that 5 percent of 
health care providers participating in Federal health plans and 
Medicaid would have updates each year is conservative and that the 
number is more like 12 to 15 percent. Another commenter believes it to 
be even higher.
    Response: We have not seen documentation that would convince us our 
estimate was incorrect at the time the May 7, 1998, proposed rule was 
published. In the proposed rule, we estimated that 5 percent of the 
health care providers who are covered entities that conduct business 
with Federal health plans or Medicaid would require updates each year, 
and that 15 percent of the remaining health care providers that are 
covered entities (those that do business only with private insurers) 
would require updates each year. In general, health plans (including 
Federal health plans and Medicaid) collect more information from their 
enrolled health care providers than the NPS will collect when a health 
care provider applies for an NPI. Thus, there is more information 
subject to change for health care providers that are enrolled in a 
health plan. This fact could explain why health plans sometimes have a 
greater percentage of updates than what we estimated for NPI purposes 
in the proposed rule, and could have been the basis on which the 
comment was made. The proposed rule did not include calculations for 
updates for health care providers who are not covered entities; we 
would expect that percentage would not exceed 15 percent. We computed 
the weighted average of the percentages of health care providers that 
would require updates that were used in the proposed rule (using 15 
percent for these health care providers). We have concluded that 
approximately 12.6 percent of all existing health care providers will 
have updates each year.
    Comment: Several commenters said that erroneous assumptions were 
used in stating that the costs to Federal health plans (including 
Medicare) and Medicaid would be zero for enumerating their own health 
care providers. The costs would be substantial.
    Response: We acknowledge that there would have been costs to 
Medicaid State agencies and to Federal health plans in manipulating and 
reformatting their health care provider files and transferring them to 
CMS for loading into the NPS. There would also have been ongoing costs 
to Medicaid State agencies and other Federal health plans to obtain 
NPIs for their health care providers under option 2. In manipulating 
and reformatting the files, problems could be discovered in some of the 
health care provider records that would require investigation and 
resolution. The costs of investigating and resolving these problems 
were not recognized earlier and, therefore, were not considered in the 
May 7, 1998, proposed rule.
    Comment: One commenter stated that the costs for option 1 as shown 
in Table 5 did not reflect the savings that would have accrued by 
preloading Medicare provider files into the NPS.
    Response: While the narrative portion of the impact analysis did 
mention that Medicare provider files would be preloaded into the NPS 
under both options 1 and 2, the commenter is correct in that this was 
not reflected in Table 5 for option 1. However, as stated earlier in 
this preamble, Medicare provider files will be loaded into the NPS only 
if it is feasible to do so.
Final Provisions
    We stated in the May 7, 1998, proposed rule that we cannot 
determine the specific economic impact of the NPI (and individually, 
each HIPAA administrative simplification standard may not have a 
significant impact). The overall impact analysis (65 FR 50355) made it 
clear that, collectively, all the standards will have a significant 
impact of over $100 million on the economy.

[[Page 3467]]

The implementation costs and benefits of the NPI were factored into 
that overall impact analysis.
    However, that impact analysis used certain assumptions that have 
not been realized. For example, it was assumed that all of the HIPAA 
standards would be issued and effective at about the same time, so that 
covered entities would be making their system changes at one time. For 
various reasons, standards have been issued and effective over a much 
longer period of time than expected. For example, the transaction and 
code set standards were published in 2000 and must be implemented by 
October 2003. Security standards are to be implemented by April 2005, 
and the NPI must be used by 2007.
    Because the compliance dates cover such an extended period of time, 
we will estimate part of the overall cost and savings for health plans 
and health care providers that can be attributed to the NPI. We 
continue to use the impact analysis previously referenced as the set of 
total costs and savings.
    Because the standards for transactions and codes sets, the employer 
identifier, and security have already been published, we assume that 
covered entities have already made significant system investments. 
Because they were aware that the NPI was an upcoming standard, they may 
have also made some accommodations in their systems to be able to use 
the NPI when it is assigned. The NPI has already been identified as a 
future identifier in the implementation specifications for the 
transaction standards.
    There will still be costs and savings related to the implementation 
of the NPI by health plans and health care providers. These will, 
however, be small in comparison to those for transaction standards and 
security. The NPI affects only a small part of the system and business 
processes for any covered entity.
    We estimate that the NPI would entail 10 percent of the costs and 5 
percent of the savings for health plans. Health plans would need to 
make some system changes from their current identifiers to the NPI. 
They would save in not having to maintain a system of identifiers that 
exist today. We would estimate that for health care providers, the NPI 
would represent 5 percent of the costs and 10 percent of the savings. 
Health care providers need only to substitute the NPI for their current 
identifier(s). They reap greater savings by not having to keep track of 
separate identifiers for each health plan and possibly for each 
location, address, or contractual arrangement. (However, as noted 
earlier in this preamble, health plans may require health care 
providers to use identifiers other than the NPI for uses other than 
standard transactions.)
    Looking at the overall impact analysis, while 2007 is the initial 
year for using the NPI, it would be the analogous to the first year of 
the overall impact analysis, in which most of the costs are incurred. 
Using the figures from above, we make the following estimates for 2007:

             Table 2.--Costs of Implementing the NPI in 2007
        [In millions of dollars, rounded to the nearest million]
------------------------------------------------------------------------
 
------------------------------------------------------------------------
Health Plans:
  2002 Cost from Impact Analysis...............................     -146
  2002 Savings.................................................       24
  2007 Net for NPI for Health Plans............................     -122
Health Care Providers:
  2002 Cost from Impact Analysis...............................      -79
  2002 Savings.................................................       61
  2007 Net for NPI for Health Care Providers...................      -18
------------------------------------------------------------------------


    Note: The figures in Table 2 have been adjusted to reflect 
dollars expressed for 2007.


    We perform the same calculations for the next 4 years. This yields 
the following results:

                               Table 3.--Costs of Implementing the NPI, 2007-2011
                            [In millions of dollars, rounded to the nearest million]
----------------------------------------------------------------------------------------------------------------
               Year                     2007         2008         2009         2010         2011        Total
----------------------------------------------------------------------------------------------------------------
Health Plan Costs.................          146          146          134            0            0          426
Health Plan Savings...............           24           49           73           91          103          341
Provider Costs....................           73           73           67            0            0          213
NPI Application and Update Costs..            6            6            1            1            1           15
Provider Savings..................           61          122          183          219          256          840
Net Savings.......................         -140          -55           54          309          358          526
NPS Costs.........................           91            9            9            9            9          128
----------------------------------------------------------------------------------------------------------------


    Note: The figures in Table 3 have been adjusted to reflect 
dollars expressed for each year.

    All costs of NPS development and operation (which include the costs 
of enumerating health care providers and maintaining their information 
in the NPS, and the costs of disseminating NPS data to the health care 
industry and others, as appropriate) are Federal costs. As mentioned 
earlier in this preamble, HHS will contract for system development and 
for the enumeration, update, and data dissemination activities. We 
estimate the following costs for operations of the National Provider 
System (NPS), keeping in mind that the NPS will enumerate both covered 
and noncovered health care providers, and that health care providers 
are not being charged for obtaining NPIs.

E. Affected Entities

Health Care Providers
    Health care providers and subparts, as appropriate, will apply for 
NPIs. Health care providers that are covered entities must begin to use 
NPIs in standard transactions no later than 24 months after the 
effective date of this regulation; and they must ensure that their 
subparts, if assigned NPIs, do the same. Covered health care providers 
that need to be identified on standard transactions must disclose their 
NPIs, upon request, to entities that are required to use those health 
care providers' NPIs on standard transactions. Covered health care 
providers must ensure that their subparts, if assigned NPIs, do the 
same. Any negative impact on health care providers generally would be 
related to the initial implementation period. They would incur 
implementation costs for converting systems, especially those that 
generate electronic claims, from current health care provider 
identifiers to the NPI. Some health care providers would incur those 
costs directly and others would incur them in the form of fee increases 
from billing associates and health care clearinghouses.
    Covered health care providers will have to use their NPIs on 
standard claims transactions and any other standard transactions that 
they conduct; they will have to ensure that their

[[Page 3468]]

subparts, if assigned NPIs, do the same. They will also have to obtain 
and use the NPIs of other health care providers if those NPIs are 
needed on those transactions. If covered health care providers' 
subparts are assigned NPIs, the covered health care providers must 
ensure that their subparts do the same. This will be a more significant 
implementation workload for larger organization health care providers, 
such as hospitals, that will have to capture the NPIs for each health 
care provider practicing in the hospital if those health care providers 
need to be identified on hospital claims. However, these health care 
providers are accustomed to maintaining these types of data. Some 
health care providers will need access to the NPIs of other health care 
providers in order to identify those health care providers on standard 
transactions. In this regard, we encourage all health care providers to 
obtain NPIs and, when requested, to disclose their NPIs to covered 
entities that need them for inclusion on health care transactions. Some 
health care providers, particularly ones that do not do business with 
large health plans, may be resistant to obtaining NPIs and providing 
data about themselves to a national database.
    Claims processing and timely payments to health care providers 
could possibly be affected as health plans transition to the NPI. We 
encourage health plans to conduct outreach efforts in order to minimize 
disruptions in claims processing and timely payment.
    Covered health care providers are required to also furnish updates 
to their required NPS data within 30 days of the changes. Covered 
health care providers must ensure that their subparts, if assigned 
NPIs, do the same. (We encourage other health care providers to do the 
same.) The vast majority of health plans issue identifiers to the 
health care providers with which they conduct business in order to 
facilitate the electronic processing of claims and other transactions. 
The information that health care providers must supply in order to 
receive an NPI is significantly less than the information most health 
plans require from a health care provider in order to enroll in a 
health plan. We will attempt to make the processes of obtaining NPIs 
and updating NPS data as easy as possible for health care providers, 
reducing duplication of effort wherever possible and making the 
processes as automated as possible. Neither the statute nor this final 
rule requires charging health care providers (or their subparts) to 
receive NPIs.
    After the compliance date, health care providers will no longer 
have to keep track of and use different identifiers with different 
health plans when conducting standard transactions. This should 
simplify health care provider billing systems and processes and reduce 
administrative expenses. A standard identifier should facilitate and 
simplify coordination of benefits, resulting in faster, more accurate 
payments.
Health Plans
    HIPAA does not prohibit health plans from requiring their enrolled 
health care providers to obtain NPIs.
    Health plans will have to modify their systems to use the NPI. This 
conversion will have a one-time cost impact on Federal, State, and 
private health plans and is likely to be more costly for health plans 
with complex systems that rely on intelligent provider numbers. 
Disruption of claims processing and payment delays could result. 
However, health plans will be able to schedule their implementation of 
the NPI and other standards in a manner that best fits their needs, as 
long as they meet the deadlines specified in this and the other final 
rules that implement the administrative simplification provisions. Upon 
the NPI compliance dates, health plans' coordination of benefits 
activities should be greatly simplified because all health plans will 
use a unique standard health care provider identifier for each health 
care provider. In addition, utilization review and other payment 
safeguard activities will be facilitated, since health care providers 
would use only one identifier and could be easily tracked over time and 
across geographic areas. Health plans currently assign their own 
identification numbers to health care providers as part of their 
enrollment procedures, and this practice would no longer be necessary. 
Existing enumeration systems maintained by Federal health programs 
could be phased out, and savings would result. Health care 
clearinghouses will face impacts (both positive and negative) similar 
to those experienced by health plans. However, implementation will 
likely be more complex, because health care clearinghouses deal with 
many health care providers and health plans. Health care providers that 
are not covered entities that do not wish to apply for NPIs will 
necessitate the need for health care clearinghouses to accommodate 
health care provider identifiers in addition to the NPI.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

List of Subjects in 45 CFR Part 162

    Administrative practice and procedure, Electronic transactions, 
Health facilities, Health insurance, Hospitals, Incorporation by 
reference, Medicare, Medicaid, Reporting and recordkeeping reports.

0
For the reasons set forth in the preamble, 45 CFR subchapter C part 162 
is amended as follows:

PART 162--ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation continues to read as follows:

    Authority: Secs. 1171 through 1179 of the Social Security Act 
(42 U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191, 
110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 
2033-2034 (42 U.S.C. 1320d-2 (note)).


0
2. A new subpart D is added to read as follows:
Subpart D--Standard Unique Health Identifier for Health Care Providers
Sec.
162.402 Definitions.
162.404 Compliance dates of the implementation of the standard 
unique health identifier for health care providers.
162.406 Standard unique health identifier for health care providers.
162.408 National Provider System.
162.410 Implementation specifications: Health care providers.
162.412 Implementation specifications: Health plans.
162.414 Implementation specifications: Health care clearinghouses.

Subpart D--Standard Unique Health Identifier for Health Care 
Providers


Sec.  162.402  Definitions.

    Covered health care provider means a health care provider that 
meets the definition at paragraph (3) of the definition of ``covered 
entity'' at Sec.  160.103 of this subchapter.


Sec.  162.404  Compliance dates of the implementation of the standard 
unique health identifier for health care providers.

    (a) Health care providers. A covered health care provider must 
comply with the implementation specifications in Sec.  162.410 no later 
than May 23, 2007.
    (b) Health plans. A health plan must comply with the implementation 
specifications in Sec.  162.412 no later than one of the following 
dates:
    (1) A health plan that is not a small health plan--May 23, 2007.
    (2) A small health plan--May 23, 2008.
    (c) Health care clearinghouses. A health care clearinghouse must 
comply with the implementation specifications in Sec.  162.414 no later 
than May 23, 2007.

[[Page 3469]]

Sec.  162.406  Standard unique health identifier for health care 
providers.

    (a) Standard. The standard unique health identifier for health care 
providers is the National Provider Identifier (NPI). The NPI is a 10-
position numeric identifier, with a check digit in the 10th position, 
and no intelligence about the health care provider in the number.
    (b) Required and permitted uses for the NPI.
    (1) The NPI must be used as stated in Sec.  162.410, Sec.  162.412, 
and Sec.  162.414.
    (2) The NPI may be used for any other lawful purpose.


Sec.  162.408  National Provider System.

    National Provider System. The National Provider System (NPS) shall 
do the following:
    (a) Assign a single, unique NPI to a health care provider, provided 
that--
    (1) The NPS may assign an NPI to a subpart of a health care 
provider in accordance with paragraph (g); and
    (2) The Secretary has sufficient information to permit the 
assignment to be made.
    (b) Collect and maintain information about each health care 
provider that has been assigned an NPI and perform tasks necessary to 
update that information.
    (c) If appropriate, deactivate an NPI upon receipt of appropriate 
information concerning the dissolution of the health care provider that 
is an organization, the death of the health care provider who is an 
individual, or other circumstances justifying deactivation.
    (d) If appropriate, reactivate a deactivated NPI upon receipt of 
appropriate information.
    (e) Not assign a deactivated NPI to any other health care provider.
    (f) Disseminate NPS information upon approved requests.
    (g) Assign an NPI to a subpart of a health care provider on request 
if the identifying data for the subpart are unique.


Sec.  162.410  Implementation specifications: Health care providers.

    (a) A covered entity that is a covered health care provider must:
    (1) Obtain, by application if necessary, an NPI from the National 
Provider System (NPS) for itself or for any subpart of the covered 
entity that would be a covered health care provider if it were a 
separate legal entity. A covered entity may obtain an NPI for any other 
subpart that qualifies for the assignment of an NPI.
    (2) Use the NPI it obtained from the NPS to identify itself on all 
standard transactions that it conducts where its health care provider 
identifier is required.
    (3) Disclose its NPI, when requested, to any entity that needs the 
NPI to identify that covered health care provider in a standard 
transaction.
    (4) Communicate to the NPS any changes in its required data 
elements in the NPS within 30 days of the change.
    (5) If it uses one or more business associates to conduct standard 
transactions on its behalf, require its business associate(s) to use 
its NPI and other NPIs appropriately as required by the transactions 
that the business associate(s) conducts on its behalf.
    (6) If it has been assigned NPIs for one or more subparts, comply 
with the requirements of paragraphs (a)(2) through (a)(5) of this 
section with respect to each of those NPIs.
    (b) A health care provider that is not a covered entity may obtain, 
by application if necessary, an NPI from the NPS.


Sec.  162.412  Implementation specifications: Health plans.

    (a) A health plan must use the NPI of any health care provider (or 
subpart(s), if applicable) that has been assigned an NPI to identify 
that health care provider on all standard transactions where that 
health care provider's identifier is required.
    (b) A health plan may not require a health care provider that has 
been assigned an NPI to obtain an additional NPI.


Sec.  162.414  Implementation specifications: Health care 
clearinghouses.

    A health care clearinghouse must use the NPI of any health care 
provider (or subpart(s), if applicable) that has been assigned an NPI 
to identify that health care provider on all standard transactions 
where that health care provider's identifier is required.

Subpart F--Standard Unique Employer Identifier

0
3. In Sec.  162.610, paragraph (c) is added to read as follows:


Sec.  162.610  Implementation specifications for covered entities.

* * * * *
    (c) Required and permitted uses for the Employer Identifier.
    (1) The Employer Identifier must be used as stated in Sec.  
162.610(b).
    (2) The Employer Identifier may be used for any other lawful 
purpose.

    Authority: Secs. 1171 through 1179 of the Social Security Act 
(42 U.S.C. 1320d--1320d-8), as added by sec. 262 of Pub. L. 104-191, 
110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat. 
2033-2034 (42 U.S.C. 1320d-2 (note)).

(Catalog of Federal Domestic Assistance Program No. 93.774, 
Medicare--Supplementary Medical Insurance Program.)

    Dated: October 16, 2003.
Tommy G. Thompson,
Secretary.
[FR Doc. 04-1149 Filed 1-22-04; 8:45 am]
BILLING CODE 4120-01-P