[Federal Register: May 7, 1998 (Volume 63, Number 88)]
[Proposed Rules]
[Page 25320-25357]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr07my98-26]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 142

[HCFA-0045-P]
RIN 0938-AH99

National Standard Health Care Provider Identifier

AGENCY: Health Care Financing Administration (HCFA), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This rule proposes a standard for a national health care provider identifier and requirements concerning its use by health plans, health care clearinghouses, and health care providers. The health plans, health care clearinghouses, and health care providers would use the identifier, among other uses, in connection with certain electronic transactions. The use of this identifier would improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general, by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information. It would implement some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

DATES: Comments will be considered if we receive them at the appropriate address, as provided below, no later than 5 p.m. on July 6, 1998.

ADDRESSES: Mail written comments (1 original and 3 copies) to the following address: Health Care Financing Administration, Department of Health and Human Services, Attention: HCFA-0045-P, P.O. Box 26585, Baltimore, MD 21207-0519.

If you prefer, you may deliver your written comments (1 original and 3 copies) to one of the following addresses: Room 309-G, Hubert H.
Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201, or Room C5-09-26, 7500 Security Boulevard, Baltimore, MD 21244-1850.

Comments may also be submitted electronically to the following e-mail address: NPI@osaspe.dhhs.gov. E-mail comments should include the full name, postal address, and affiliation (if applicable) of the sender and must be submitted to the referenced address to be considered. All comments should be incorporated in the e-mail message because we may not be able to access attachments.

Because of staffing and resource limitations, we cannot accept comments by facsimile (FAX) transmission. In commenting, please refer to file code HCFA-0045-P and the specific section or sections of the proposed rule. Both electronic and written comments received by the time and date indicated above will be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, in Room 309-G of the Department's offices at 200 Independence Avenue, SW., Washington, DC, on Monday through Friday of each week from 8:30 a.m. to 5 p.m. (phone: (202) 690-7890). Electronic and legible written comments will also be posted, along with this proposed rule, at the following web site: .

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by faxing to (202) 512-2250. The cost for each copy is $8.
As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register. This Federal Register document is also available from the Federal Register online database through GPO Access, a service of the U.S. Government Printing Office. Free public access is available on a Wide Area Information Server (WAIS) through the Internet and via asynchronous dial-in. Internet users can access the database by using the World Wide Web; the Superintendent of Documents home page address is http://www.access.gpo.gov/su__docs/, by using local WAIS client software, or by telnet to swais.access.gpo.gov, then login as guest (no password required). Dial-in users should use communications software and modem to call 202-512-1661; type swais, then login as guest (no password required). FOR FURTHER INFORMATION CONTACT: Patricia Peyton, (410) 786-1812. SUPPLEMENTARY INFORMATION: I. Background [Please label written and e-mailed comments about this section with the subject: Background.] In order to administer their programs, the Department of Health and Human Services, other Federal agencies, State Medicaid agencies, and private health plans assign identification numbers to the providers of health care services and supplies with which they transact business. These various agencies and health plans, all of which we will refer to as health plans in this proposed rule, routinely, and independently of each other, assign identifiers to health care providers for program management and operations purposes. The identifiers are frequently not standardized within a single health plan or across plans. This lack of uniformity results in a single health care provider having different numbers for each program and often multiple billing numbers issued within the same program, significantly complicating providers' claims submission processes. 
In addition, nonstandard enumeration contributes to the unintentional issuance of the same identification number to different health care providers. Most health plans have to be able to coordinate benefits with other health plans to ensure appropriate payment. The lack of a single and unique identifier for each health care provider within each health plan and across health plans, based on the same core data, makes exchanging data both expensive and difficult. All of these factors indicate the complexities of exchanging information on health care providers within and among organizations and result in increasing numbers of claims-related problems and increasing costs of data processing. As we become more dependent on data automation and proceed in planning for health care in the future, the need for a universal, standard health care provider identifier becomes more and more evident. In addition to overcoming communication and coordination difficulties, use of a standard, unique provider identifier would enhance our ability to eliminate fraud and abuse in health care programs. Payments for excessive or fraudulent claims can be reduced by standardizing enumeration, which would facilitate sharing information across programs or across different parts of the same program. A health care provider's identifier would not change with moves or changes in specialty. This facilitates tracking of fraudulent health care providers over time and across geographic areas. A health care provider would receive only one identifier and would not be able to receive duplicate payments from a program by submitting claims under multiple provider identifiers. A standard identifier would facilitate access to sanction information. A. 
National Provider Identifier Initiative

In July 1993, the Health Care Financing Administration (HCFA) undertook a project to develop a provider identification system to meet Medicare and Medicaid needs and ultimately a national identification system for all health care providers to meet the needs of other users and programs. Representatives from the private sector and Federal and State agencies were invited to participate. Active participants included:

Department of Defense, Office of Civilian Health and Medical Program of the Uniformed Services.
Assistant Secretary for Planning and Evaluation, HHS.
Department of Labor.
Department of Veterans Affairs.
Office of Personnel Management.
Public Health Service, HHS.
Drug Enforcement Administration.
State Medicaid agencies and health departments including those of Alabama, California, Maryland, Minnesota and Virginia.
Medicare carriers and fiscal intermediaries.
Professional and medical associations, including the National Council for Prescription Drug Programs.

One of the group's first tasks was to decide whether to use an existing identifier or to develop a new one. They began by adopting criteria recommended for a unique provider identifier by the Workgroup for Electronic Data Interchange (WEDI), Technical Advisory Group in October 1993, and recommended by the American National Standards Institute (ANSI), Healthcare Informatics Standards Planning Panel, Task Group on Provider Identifiers in February 1994. The workgroup then examined existing identifiers and concluded that no existing identifier met all the criteria that had been recommended by the WEDI and ANSI workgroups.

Because of the limitations of existing identifiers, the workgroup designed a new identifier that would be in the public domain and that would incorporate the recommendations of the WEDI and ANSI workgroups. This identifier, which we call the national provider identifier, or NPI, is an 8-position alphanumeric identifier.

B.
The Results of the NPI Initiative As a result of the project on the NPI, and before legislation required the use of the standard identifier for all health care providers (see section I.C. Legislation, below), HCFA and other participants accepted the workgroup's recommendation, and HCFA decided that this new identifier would be implemented in the Medicare program. HCFA began work on developing a national provider system (NPS) that would contain provider data and be equipped with the technology necessary to maintain and manage the data. Plans for the NPS included assigning the NPI and storing the data necessary to identify each health care provider uniquely. The NPI was designed to have no embedded intelligence. (That is, information about the health care provider, such as the type of health care provider or State where the health care provider is located, would not be conveyed by the NPI. This information was to have been recorded by the NPS in each health care provider's record but would not be part of the identifier.) The NPS was designed so that it could also be used by other Federal and State agencies and private health plans to enumerate their health care providers that do not participate in Medicare. C. Legislation The Congress included provisions to address the need for a standard identifier and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Through subtitle F of title II of that law, the Congress added to title XI of the Social Security Act a new part C, entitled ``Administrative Simplification.'' (Public Law 104-191 affects several titles in the United States Code. Hereafter, we refer to the Social Security Act as the Act; we refer to the other laws cited in this document by their names.) 
The purpose of this part is to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the health care system in general by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the electronic transmission of certain health information. Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and certain health care providers concerning electronic transmission of health information. The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization. Section 1172 of the Act makes any standard adopted under part C applicable to (1) all health plans, (2) all health care clearinghouses, and (3) any health care providers that transmit any health information in electronic form in connection with the transactions referred to in section 1173(a)(1) of the Act. This section also contains requirements concerning standard setting. The Secretary may adopt a standard developed, adopted, or modified by a standard setting organization (that is, an organization accredited by the American National Standards Institute (ANSI)) that has consulted with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), WEDI, and the American Dental Association (ADA). 
The Secretary may also adopt a standard other than one established by a standard setting organization, if the different standard will reduce costs for health care providers and health plans, the different standard is promulgated through negotiated rulemaking procedures, and the Secretary consults with each of the above-named groups. If no standard has been adopted by any standard setting organization, the Secretary is to rely on the recommendations of the National Committee on Vital and Health Statistics (NCVHS) and consult with each of the above-named groups. In complying with the requirements of part C of title XI, the Secretary must rely on the recommendations of the NCVHS, consult with appropriate State, Federal, and private agencies or organizations, and publish the recommendations of the NCVHS in the Federal Register. Paragraph (a) of section 1173 of the Act requires that the Secretary adopt standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. Standards are required for the following transactions: health claims, health encounter information, health claims attachments, health plan enrollments and disenrollments, health plan eligibility, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, and referral certification and authorization. In addition, the Secretary is required to adopt standards for any other financial and administrative transactions that are determined to be appropriate by the Secretary. Paragraph (b) of section 1173 of the Act requires the Secretary to adopt standards for unique health identifiers for all individuals, employers, health plans, and health care providers and requires further that the adopted standards specify for what purposes unique health identifiers may be used. 
Paragraphs (c) through (f) of section 1173 of the Act require the Secretary to establish standards for code sets for each data element for each health care transaction listed above, security standards for health care information systems, standards for electronic signatures (established together with the Secretary of Commerce), and standards for the transmission of data elements needed for the coordination of benefits and sequential processing of claims. Compliance with electronic signature standards will be deemed to satisfy both State and Federal requirements for written signatures with respect to the transactions listed in paragraph (a) of section 1173 of the Act.

In section 1174 of the Act, the Secretary is required to adopt standards for all of the above transactions, except claims attachments, within 18 months of enactment. The standards for claims attachments must be adopted within 30 months of enactment. Generally, after a standard is established it cannot be changed during the first year except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary must also ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process or delaying the processing of a transaction that is presented in standard format. The Act's requirements are not limited to health plans; however, each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date.
Entities may comply by using a health care clearinghouse to transmit or receive the standard transactions. Compliance with modifications and implementation specifications to standards must be accomplished by a date designated by the Secretary. This date may not be earlier than 180 days after the notice of change.

Section 1176 of the Act establishes a civil monetary penalty for violation of the provisions in part C of title XI of the Act, subject to several limitations. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement. The procedural provisions in section 1128A of the Act, ``Civil Monetary Penalties,'' are applicable.

Section 1177 of the Act establishes penalties for a knowing misuse of unique health identifiers and individually identifiable health information: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if misuse is ``under false pretenses,'' a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

Under section 1178 of the Act, the provisions of part C of title XI of the Act, as well as any standards established under them, supersede any State law that is contrary to them. However, the Secretary may, for statutorily specified reasons, waive this provision.
Finally, section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when ``authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.'' (Concerning this last provision, the conference report, in its discussion on section 1178, states: ``The conferees do not intend to exclude the activities of financial institutions or their contractors from compliance with the standards adopted under this part if such activities would be subject to this part. However, conferees intend that this part does not apply to use or disclosure of information when an individual utilizes a payment system to make a payment for, or related to, health plan premiums or health care. For example, the exchange of information between participants in a credit card system in connection with processing a credit card payment for health care would not be covered by this part. Similarly sending a checking account statement to an account holder who uses a credit or debit card to pay for health care services, would not be covered by this part. However, this part does apply if a company clears health care claims, the health care claims activities remain subject to the requirements of this part.'') (H.R. Rep. No. 736, 104th Cong., 2nd Sess. 268-269 (1996)) D. Process for Developing National Standards The Secretary has formulated a 5-part strategy for developing and implementing the standards mandated under Part C of title XI of the Act: 1. To ensure necessary interagency coordination and required interaction with other Federal departments and the private sector, establish interdepartmental implementation teams to identify and assess potential standards for adoption. The subject matter of the teams includes claims/encounters, identifiers, enrollment/eligibility, systems security, and medical coding/classification. 
Another team addresses cross-cutting issues and coordinates the subject matter teams. The teams consult with external groups such as the NCVHS' Workgroup on Data Standards, WEDI, ANSI's Health Informatics Standards Board, the NUCC, the NUBC, and the ADA. The teams are charged with developing regulations and other necessary documents and making recommendations for the various standards to the HHS' Data Council through its Committee on Health Data Standards. (The HHS Data Council is the focal point for consideration of data policy issues. It reports directly to the Secretary and advises the Secretary on data standards and privacy issues.)

2. Develop recommendations for standards to be adopted.

3. Publish proposed rules in the Federal Register describing the standards. Each proposed rule provides the public with a 60-day comment period.

4. Analyze public comments and publish the final rules in the Federal Register.

5. Distribute standards and coordinate preparation and distribution of implementation guides.

This strategy affords many opportunities for involvement of interested and affected parties in standards development and adoption:

Participate with standards development organizations.
Provide written input to the NCVHS.
Provide written input to the Secretary of HHS.
Provide testimony at NCVHS' public meetings.
Comment on the proposed rules for each of the proposed standards.
Invite HHS staff to meetings with public and private sector organizations or meet directly with senior HHS staff involved in the implementation process.

The implementation teams charged with reviewing standards for designation as required national standards under the statute have defined, with significant input from the health care industry, a set of principles for guiding choices for the standards to be adopted by the Secretary.
These principles are based on direct specifications in HIPAA and the purpose of the law, principles that are consistent with the regulatory philosophy set forth in Executive Order 12866 and the Paperwork Reduction Act of 1995. To be designated as a HIPAA standard, each standard should:

1. Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic health care transactions.

2. Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.

3. Be consistent and uniform with the other HIPAA standards--their data element definitions and codes and their privacy and security requirements--and, secondarily, with other private and public sector health data standards.

4. Have low additional development and implementation costs relative to the benefits of using the standard.

5. Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time.

6. Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.

7. Be technologically independent of the computer platforms and transmission protocols used in electronic transactions, except when they are explicitly part of the standard.

8. Be precise and unambiguous, but as simple as possible.

9. Keep data collection and paperwork burdens on users as low as is feasible.

10. Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.

A master data dictionary providing for common data definitions across the standards selected for implementation under HIPAA will be developed and maintained.
We intend for the data element definitions to be precise, unambiguous, and consistently applied. The transaction-specific reports and general reports from the master data dictionary will be readily available to the public. At a minimum, the information presented will include data element names, definitions, and appropriate references to the transactions where they are used.

This proposed rule would establish the standard health care provider identifier and is the first proposed standard under HIPAA. The remaining standards will be grouped, to the extent possible, by subject matter and audience in future regulations. We anticipate publishing several more separate documents to promulgate the remaining standards required under HIPAA.

II. Provisions of the Proposed Regulations

[Please label written and e-mailed comments about this section with the subject: Provisions.]

In this proposed rule, we propose a standard health care provider identifier and requirements concerning its implementation. This rule would establish requirements that health plans, health care providers, and health care clearinghouses would have to meet to comply with the statutory requirement to use a unique identifier in electronic transactions.

We propose to add a new part to title 45 of the Code of Federal Regulations for health plans, health care providers, and health care clearinghouses in general. The new part would be part 142 of title 45 and would be titled ``Administrative Requirements.'' Subpart D would contain provisions specific to the NPI.

A. Applicability

Section 262 of HIPAA applies to all health plans, all health care clearinghouses, and any health care providers that transmit any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.
Our proposed rules (at 45 CFR 142.102) would apply to the health plans and health care clearinghouses as well, but we would clarify the statutory language in our regulations for health care providers: we would have the regulations apply to any health care provider only when electronically transmitting any of the transactions to which section 1173(a)(1) of the Act refers. Electronic transmissions would include transmissions using all media, even when the transmission is physically moved from one location to another using magnetic tape, disk, or CD media. Transmissions over the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks are all included. Telephone voice response and ``faxback'' systems would not be included. The ``HTML'' interaction between a server and a browser by which the elements of a transaction are solicited from a user would not be included, but once assembled into a transaction by the server, transmission of the full transaction to another corporate entity, such as a health plan, would be required to comply. Our regulations would apply to health care clearinghouses when transmitting transactions to, and receiving transactions from, a health care provider or health plan that transmits and receives standard transactions (as defined under ``transaction'') and at all times when transmitting to or receiving electronic transactions from another health care clearinghouse. The law would apply to each health care provider when transmitting or receiving any electronic transaction. The law applies to health plans for all transactions. Section 142.104 would contain the following provisions (from section 1175 of the Act): If a person desires to conduct a transaction (as defined in Sec. 
142.103) with a health plan as a standard transaction, the following apply: (1) The health plan may not refuse to conduct the transaction as a standard transaction. (2) The health plan may not delay the transaction or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction. (3) The information transmitted and received in connection with the transaction must be in the form of standard data elements of health information. As a further requirement, we would require that a health plan that conducts transactions through an agent assure that the agent meets all the requirements of part 142 that apply to the health plan. Section 142.105 would state that a person or other entity may meet the requirements of Sec. 142.104 by either-- (1) Transmitting and receiving standard data elements, or (2) Submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse and receiving standard data elements through the clearinghouse. Health care clearinghouses would be able to accept nonstandard transactions for the sole purpose of translating them into standard transactions for sending customers and would be able to accept standard transactions and translate them into nonstandard formats for receiving customers. We would state in Sec. 142.105 that the transmission of nonstandard transactions, under contract, between a health plan or a health care provider and a health care clearinghouse would not violate the law. Transmissions within a corporate entity would not be required to comply with the standards. A hospital that is wholly owned by a managed care company would not have to use the standards to pass encounter information back to the home office, but it would have to use the standard claims transaction to submit a claim to another health plan. 
Another example might be transactions within Federal agencies and their contractors and between State agencies within the same State. For example, Medicare enters into contracts with insurance companies and common working file sites that process Medicare claims using government furnished software. There is constant communication, on a private network, between HCFA Central Office and the Medicare carriers, intermediaries and common working file sites. This communication may continue in nonstandard mode. However, these contractors must comply with the standards when exchanging any of the transactions covered by HIPAA with an entity outside these ``corporate'' boundaries.

B. Definitions

Section 1171 of the Act defines several terms and our proposed rules would, for the most part, simply restate the law. The terms that we are defining in this proposed rule follow:

1. Code set. We would define ``code set'' as section 1171(1) of the Act does: ``code set'' means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

2. Health care clearinghouse. We would define ``health care clearinghouse'' as section 1171(2) of the Act does, but we are adding a further, clarifying sentence. The statute defines a ``health care clearinghouse'' as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. We would further explain that such an entity is one that currently receives health care transactions from health care providers and other entities, translates the data from a given format into one acceptable to the intended recipient and forwards the processed transaction to appropriate health plans and other clearinghouses, as necessary, for further action. There are currently a number of private clearinghouses that perform these functions for health care providers.
For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, value-added networks, and switches performing these functions to be health care clearinghouses. 3. Health care provider. As defined by section 1171(3) of the Act, a ``health care provider'' is a provider of services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies. Our regulations would define ``health care provider'' as the statute does and clarify that the definition of a health care provider is limited to those entities that furnish, or bill and are paid for, health care services in the normal course of business. The statutory definition of a health care provider is broad. Section 1861(u) contains the Medicare definition of a provider, which encompasses institutional providers such as hospitals, skilled nursing facilities, home health agencies, and comprehensive outpatient rehabilitation facilities. Section 1861(s) defines other Medicare facilities and practitioners, including assorted clinics and centers, physicians, clinical laboratories, various licensed/certified health care practitioners, and suppliers of durable medical equipment. The last portion of the definition encompasses any appropriately licensed or certified health care practitioners or organizations, including pharmacies and nursing homes and many types of therapists, technicians, and aides. It also includes any other individual or organization that furnishes health care services or supplies. We believe that an individual or organization that bills and is paid for health care services or supplies is also a health care provider for purposes of the statute. Section 1173(b)(1) of the Act requires the Secretary to adopt standards for unique identifiers for all health care providers. 
The definition of a ``health care provider'' at section 1171(3) includes all Medicare providers and ``any other person furnishing health care services and supplies.'' These two provisions require that provider identifiers may not be limited to only those health care providers that bill electronically or those that bill in their own right. Instead provider identifiers will eventually be available to all those that provide health services. Penalties for failure to use the correct identifiers, however, are limited to those that fail to use the identifiers or other standards in the nine designated electronic transactions. As we discuss under a later section in this preamble, III. Implementation of the NPI, we do not expect to be able to assign identifiers immediately to all health care providers that do not participate in electronic transactions.
Our proposed definition of a health care provider would not include health industry workers who support the provision of health care but who do not provide health services, such as admissions and billing personnel, housekeeping staff, and orderlies.
We describe two alternatives for defining general categories of health care providers for enumeration purposes. In the first, we would categorize health care providers as individuals, organizations, or groups. In the second, we would categorize health care providers as individuals or organizations, which would include groups. The data to be collected for each category of health care provider are described in the preamble in section IV. B. Data Elements. We welcome your comments on whether group providers need to be distinguished from organization providers.
Individuals are treated differently than organizations and groups because the data available to search for duplicates (for example, date and place of birth) are different.
Organizations and groups may need to be treated differently from each other because it is possible that a group is not specifically licensed or certified to provide health care, whereas an organization usually is. It may, therefore, be important to be able to link the individual members to the group.
It would not be possible to distinguish one category from another by looking at the NPI. The NPS would contain the kinds of data necessary to adequately categorize each health care provider. The categories are described as follows:
Individual--A human being who is licensed, certified or otherwise authorized to perform medical services or provide medical care, equipment and/or supplies in the normal course of business. Examples of individuals are physicians, nurses, dentists, pharmacists, and physical therapists.
Organization--An entity, other than an individual, that is licensed, certified or otherwise authorized to provide medical services, care, equipment or supplies in the normal course of business. The licensure, certification, or other recognition is granted to the organization entity. Individual owners, managers, or employees of the organization may also be certified, licensed, or otherwise recognized as individual health care providers in their own right. Each separate physical location of an organization, each member of an organization chain, and each subpart of an organization that needs to be identified would receive its own NPI. NPIs of organization providers would not be linked within the NPS to NPIs of other health care providers. Examples of organizations are hospitals, laboratories, ambulance companies, health maintenance organizations, and pharmacies.
In the first alternative for categorizing health care providers, as described above, we would distinguish a group from an organization.
We would define a group as follows:
Group--An entity composed of one or more individuals (as defined above), generally created to provide coverage of patients' needs in terms of office hours, professional backup and support, or range of services resulting in specific billing or payment arrangements. It is possible that the group itself is not licensed or certified, but the individual(s) who compose the group are licensed, certified or otherwise authorized to provide health care services. The NPIs of the group member(s) would be linked within the NPS to the NPI of the group. An individual can be a member of multiple groups. Examples of groups are (1) two physicians practicing as a group where they bill and receive payment for their services as a group and (2) an incorporated individual billing and receiving payment as a corporation.
The ownership of a group or organization can change if it is sold, consolidated, or merged, or if control changes due to stock acquisition. In many cases, the nature of the provider [[Page 25326]] itself (for example, its location, staff or types of services provided) is not affected. In general, the NPI of the provider should not change in these situations unless the change of ownership affects the nature of the provider. (Example: If a hospital is acquired and then converted to a rehabilitation center, it would need to obtain a new NPI.) There may also be circumstances where a new NPI should be issued. (Example: a physicians' group practice operating as a partnership dissolves that partnership and another partnership of physicians acquires and operates the practice.) We solicit comments on rules to be applied.
We discuss the enumeration of health care providers in more detail, in III. Implementation of the NPI, later in this preamble.
4. Health information.
``Health information,'' as defined in section 1171 of the Act, means any information, whether oral or recorded in any form or medium, that--
Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
We propose the same definition for our regulations.
5. Health plan.
We propose that a ``health plan'' be defined essentially as section 1171 of the Act defines it. Section 1171 of the Act cross refers to definitions in section 2791 of the Public Health Service Act (as added by Public Law 104-191, 42 U.S.C. 300gg-91); we would incorporate those definitions as currently stated into our proposed definitions for the convenience of the public. We note that many of these terms are defined in other statutes, such as the Employee Retirement Income Security Act of 1974 (ERISA), Public Law 93-406, 29 U.S.C. 1002(7) and the Public Health Service Act. Our definitions are based on the roles of plans in conducting administrative transactions, and any differences should not be construed to affect other statutes.
For purposes of implementing the provisions of administrative simplification, a ``health plan'' would be an individual or group health plan that provides, or pays the cost of, medical care. This definition includes, but is not limited to, the 13 types of plans listed in the statute. On the other hand, plans such as property and casualty insurance plans and workers compensation plans, which may pay health care costs in the course of administering nonhealth care benefits, are not considered to be health plans in the proposed definition of health plan. Of course, these plans may voluntarily adopt these standards for their own business needs.
At some future time, the Congress may choose to expressly include some or all of these plans in the list of health plans that must comply with the standards.
Health plans often carry out their business functions through agents, such as plan administrators (including third party administrators), entities that are under ``administrative services only'' (ASO) contracts, claims processors, and fiscal agents. These agents may or may not be health plans in their own right; for example, a health plan may act as another health plan's agent as another line of business. As stated earlier, a health plan that conducts HIPAA transactions through an agent is required to assure that the agent meets all HIPAA requirements that apply to the plan itself.
``Health plan'' includes the following, singly or in combination:
a. ``Group health plan'' (as currently defined by section 2791(a) of the Public Health Service Act).
A group health plan is a plan that has 50 or more participants (as the term ``participant'' is currently defined by section 3(7) of ERISA) or is administered by an entity other than the employer that established and maintains the plan. This definition includes both insured and self-insured plans. We define ``participant'' separately below.
Section 2791(a)(1) of the Public Health Service Act defines ``group health plan'' as an employee welfare benefit plan (as currently defined in section 3(1) of ERISA) to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise.
It should be noted that group health plans that have fewer than 50 participants and that are administered by the employer would be excluded from this definition and would not be subject to the administrative simplification provisions of HIPAA.
b. ``Health insurance issuer'' (as currently defined by section 2791(b) of the Public Health Service Act).
Section 2791(b)(2) of the Public Health Service Act currently defines a ``health insurance issuer'' as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.
c. ``Health maintenance organization'' (as currently defined by section 2791(b) of the Public Health Service Act).
Section 2791(b) of the Public Health Service Act currently defines a ``health maintenance organization'' as a Federally qualified health maintenance organization, an organization recognized as such under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. These organizations may include preferred provider organizations, provider sponsored organizations, independent practice associations, competitive medical plans, exclusive provider organizations, and foundations for medical care.
d. Part A or Part B of the Medicare program (title XVIII of the Act).
e. The Medicaid program (title XIX of the Act).
f. A ``Medicare supplemental policy'' as defined under section 1882(g)(1) of the Act.
Section 1882(g)(1) of the Act defines a ``Medicare supplemental policy'' as a health insurance policy that a private entity offers a Medicare beneficiary to provide payment for expenses incurred for services and items that are not reimbursed by Medicare because of deductible, coinsurance, or other limitations under Medicare. The statutory definition of a Medicare supplemental policy excludes a number of plans that are generally considered to be Medicare supplemental plans, such as health plans for employees and former employees and for members and former members of trade associations and unions. A number of these health plans may be included under the definitions of ``group health plan'' or ``health insurance issuer'', as defined in a. and b. above.
g. A ``long-term care policy,'' including a nursing home fixed-indemnity policy.
A ``long-term care policy'' is considered to be a health plan regardless of how comprehensive it is. We recognize the long-term care insurance segment of the industry is largely unautomated and we welcome comments regarding the impact of HIPAA on the long-term care segment.
h. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
This includes plans and other arrangements that are referred to as multiple employer welfare [[Page 25327]] arrangements (``MEWAs'') as defined in section 3(40) of ERISA.
i. The health care program for active military personnel under title 10 of the United States Code.
j. The veterans health care program under chapter 17 of title 38 of the United States Code.
This health plan primarily furnishes medical care through hospitals and clinics administered by the Department of Veterans Affairs for veterans with a service-connected disability that is compensable. Veterans with non-service-connected disabilities (and no other health benefit plan) may receive health care under this health plan to the extent resources and facilities are available.
k. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).
CHAMPUS primarily covers services furnished by civilian medical providers to dependents of active duty members of the uniformed services and retirees and their dependents under age 65.
l. The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).
This program furnishes services, generally through its own health care providers, primarily to persons who are eligible to receive services because they are of American Indian or Alaskan Native descent.
m. The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.
This program consists of health insurance plans offered to active and retired Federal employees and their dependents. Depending on the health plan, the services may be furnished on a fee-for-service basis or through a health maintenance organization.
(Note: Although section 1171(5)(M) of the Act refers to the ``Federal Employees Health Benefit Plan,'' this and any other rules adopting administrative simplification standards will use the correct name, the Federal Employees Health Benefits Program. One health plan does not cover all Federal employees; there are over 350 health plans that provide health benefits coverage to Federal employees, retirees, and their eligible family members. Therefore, we will use the correct name, the Federal Employees Health Benefits Program, to make clear that the administrative simplification standards apply to all health plans that participate in the Program.)
n. Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.
We would include a fourteenth category of health plan in addition to those specifically named in HIPAA, as there are health plans that do not readily fit into the other categories but whose major purpose is providing health benefits. The Secretary would determine which of these plans are health plans for purposes of title II of HIPAA. This category would include the Medicare Plus Choice plans that will become available as a result of section 1855 of the Act as amended by section 4001 of the Balanced Budget Act of 1997 (Public Law 105-33) to the extent that these health plans do not fall under any other category.
6. Medical care.
``Medical care,'' which is used in the definition of health plan, would be defined as current section 2791 of the Public Health Service Act defines it: the diagnosis, cure, mitigation, treatment, or prevention of disease, or amounts paid for the purpose of affecting any body structure or function of the body; amounts paid for transportation primarily for and essential to these items; and amounts paid for insurance covering the items and the transportation specified in this definition.
7. Participant.
We would define the term ``participant'' as section 3(7) of ERISA currently defines it: a ``participant'' is any employee or former employee of an employer, or any member or former member of an employee organization, who is or may become eligible to receive a benefit of any type from an employee benefit plan that covers employees of such an employer or members of such organizations, or whose beneficiaries may be eligible to receive any such benefits. An ``employee'' would include an individual who is treated as an employee under section 401(c)(1) of the Internal Revenue Code of 1986 (26 U.S.C. 401(c)(1)).
8. Small health plan.
We would define a ``small health plan'' as a group health plan with fewer than 50 participants. The HIPAA does not define a ``small health plan'' but instead leaves the definition to be determined by the Secretary. The Conference Report suggests that the appropriate definition of a ``small health plan'' is found in current section 2791(a) of the Public Health Service Act, which is a group health plan with fewer than 50 participants. We would also define small individual health plans as those with fewer than 50 participants.
9. Standard.
Section 1171 of the Act defines ``standard,'' when used with reference to a data element of health information or a transaction referred to in section 1173(a)(1) of the Act, as any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to the data element or transaction under sections 1172 through 1174 of the Act.
Under our definition, a standard would be a set of rules for a set of codes, data elements, transactions, or identifiers promulgated either by an organization accredited by the American National Standards Institute or HHS for the electronic transmission of health information.
10. Transaction.
``Transaction'' would mean the exchange of information between two parties to carry out financial and administrative activities related to health care. A transaction would be any of the transactions listed in section 1173(a)(2) of the Act and any determined appropriate by the Secretary in accordance with section 1173(a)(1)(B) of the Act. We present them below in the order in which we propose to list them in the regulations text to this document and in the regulations document for proposed standards for these transactions that we will publish later.
A ``transaction'' would mean any of the following:
a. Health claims or equivalent encounter information.
This transaction may be used to submit health care claim billing information, encounter information, or both, from health care providers to health plans, either directly or via intermediary billers and claims clearinghouses.
b. Health care payment and remittance advice.
This transaction may be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits or a remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health care provider via a financial institution (sending both payment and data).
c. Coordination of benefits.
This transaction can be used to transmit health care claims and billing payment information between health plans with different payment responsibilities where coordination of benefits is required or between health plans and regulatory agencies to monitor the rendering, billing, and/or [[Page 25328]] payment of health care services within a specific health care/insurance industry segment.
In addition to the nine electronic transactions specified in section 1173(a)(2) of the Act, section 1173(f) directs the Secretary to adopt standards for transferring standard data elements among health plans for coordination of benefits and sequential processing of claims. This particular provision does not state that these should be standards for electronic transfer of standard data elements among health plans. However, we believe that the Congress, when writing this provision, intended for these standards to apply to the electronic form of transactions for coordination of benefits and sequential processing of claims.
The Congress expressed its intent on these matters generally in section 1173(a)(1)(B), where the Secretary is directed to adopt ``other financial and administrative transactions . . . consistent with the goals of improving the operation of the health care system and reducing administrative costs''. Adoption of a standard for electronic transmission of standard data elements among health plans for coordination of benefits and sequential processing of claims would serve these goals expressed by the Congress.
d. Health claim status.
This transaction may be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan.
e. Enrollment and disenrollment in a health plan.
This transaction may be used to establish communication between the sponsor of a health benefit and the health plan. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. The sponsor is the backer of the coverage, benefit, or product. A sponsor can be an employer, union, government agency, association, or insurance company. The health plan refers to an entity that pays claims, administers the insurance product or benefit, or both.
f. Eligibility for a health plan.
This transaction may be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber's policy. It also can be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and health plans) to information receivers (such as physicians, hospitals, third party administrators, and government agencies).
g. Health plan premium payments.
This transaction may be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers. This transaction may also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles.
h. Referral certification and authorization.
This transaction may be used to transmit health care service referral information between primary care health care providers, health care providers furnishing services, and health plans.
It can also be used to obtain authorization for certain health care services from a health plan.
i. First report of injury.
This transaction may be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.
j. Health claims attachments.
This transaction may be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.
k. Other transactions as the Secretary may prescribe by regulation.
Under section 1173(a)(1)(B) of the Act, the Secretary shall adopt standards, and data elements for those standards, for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs.
C. Effective Dates--General
In general, any given standard would be effective 24 months after the effective date (36 months for small health plans) of the final rule for that standard. Because there are other standards to be established than those in this proposed rule, we specify the date for a given standard under the subpart for that standard.
If HHS adopts a modification to an implementation specification or a standard, the implementation date of the modification would be no earlier than the 180th day following the adoption of the modification. HHS would determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. HHS would be able to extend the time for compliance for small health plans. This provision would be at Sec. 142.106.
The law does not address scheduling of implementation of the standards; it gives only a date by which all concerned must comply.
As a result, any of the health plans, health care clearinghouses, and health care providers may implement a given standard earlier than the date specified in the subpart created for that standard. We realize that this may create some problems temporarily, as early implementers would have to be able to continue using old standards until the new ones must, by law, be in place.
At the WEDI Healthcare Leadership Summit held on August 15, 1997, it was recommended that health care providers not be required to use any of the standards during the first year after the adoption of the standard. However, willing trading partners could implement any or all of the standards by mutual agreement at any time during the 2-year implementation phase (3-year implementation phase for small health plans). In addition, it was recommended that a health plan give its health care providers at least 6 months notice before requiring them to use a given standard.
We welcome comments specifically on early implementation as to the extent to which it would cause problems and how any problems might be alleviated.
D. NPI Standard
[Please label written and e-mailed comments about this section with the subject: NPI STANDARD.]
Section 142.402, Provider identifier standard, would contain the national health care provider identifier standard. There is no recognized standard for health care provider identification as defined in the law. (That is, there is no standard that has been developed, adopted, or modified by a standard setting organization after consultation with the NUBC, NUCC, WEDI, and the ADA.) Therefore, we would designate a new standard.
We are proposing as the standard the national provider identifier (NPI), which would be maintained by HCFA. As discussed under the Background section earlier in this preamble, the NPI is an 8-position alphanumeric identifier. It includes as the 8th position a numeric check digit to assist in identifying erroneous or invalid NPIs.
The check digit is a recognized International Standards Organization [ISO] standard. The check digit algorithm must be computed from an all-numeric base [[Page 25329]] number. Therefore, any alpha characters that may be part of the NPI are translated to specific numerics before the calculation of the check digit. The NPI format would allow for the creation of approximately 20 billion unique identifiers.
The 8-position alphanumeric format was chosen over a longer numeric-only format in order to keep the identifier as short as possible while providing for an identifier pool that would serve the industry's needs for a long time. However, we recognize that some health care providers and health plans might have difficulty in the short term in accommodating alphabetic characters. Therefore, we propose to issue numeric-only identifiers first and to introduce alphabetic characters starting with the first position of the NPI. This would afford additional time for health care providers and health plans to accommodate the alphabetic characters.
1. Selection criteria.
Each individual implementation team weighted the criteria described in section I.D., Process for Developing National Standards, in terms of the standard it was addressing. As we assessed the various options for a provider identifier against the criteria, it became apparent that many of the criteria would be satisfied by all of the provider identifier candidates. Consequently, we concentrated on the four criteria (1, 2, 3, and 10) that were not satisfied by all of the options. These criteria are described below in the specific context of the provider identifier.
#1. Improve the efficiency and effectiveness of the health care system.
In order to be integrated into electronic transactions efficiently, standard provider identifiers must be easily accessible. Health plans must be able to obtain identifiers and other key data easily in order to use the identifier in electronic transactions.
Existing health care provider files have to be converted to the new standard. In addition, health care providers will need to know other health care providers' identifiers (for example, a hospital needs the identifiers of all physicians who perform services in the facility). To meet this criterion, we believe the identifier should not be proprietary; that is, it should be possible to communicate identifiers freely as needed. Moreover, the issuer must be able to reliably issue each health care provider only one identifier and to issue each identifier only once.
#2. Meet the needs of the health data standards user community.
The identifier must be comprehensive. It must accommodate all health care provider types or must be capable of being expanded to do so. Based on our definition of ``health care provider'', this includes individual health care providers who are employed by other health care providers and alternative practitioners who may not be currently recognized by health plans. The identifier must have the capacity to enumerate health care providers for many years without reuse of previously-assigned identifiers. To meet this criterion, we believe that, over time, the identifier must be capable of uniquely identifying at least 100 million entities.
#3. Be consistent and uniform with other HIPAA and other private and public sector health data standards in providing for privacy and confidentiality.
Confidentiality of certain health care provider data must be maintained. Certain data elements (for example, social security number and date of birth) needed to enumerate an individual health care provider reliably should not be made available to the public.
#10. Incorporate flexibility to adapt more easily to changes.
To meet this criterion, the identifier must be intelligence-free (the identifier itself should not contain any information about the health care provider).
Intelligence in the identifier would require issuing a new identifier if there is a change in that information. For example, an identifier containing a State code would no longer be accurate if the health care provider moves to another State.
2. Candidate identifiers.
We assessed a number of candidate identifiers to see if they met the four specific criteria discussed above. We first assessed the identifiers listed in the inventory of standards prepared for the Secretary by the Health Informatics Standards Board. Those standards are the unique physician identification number (UPIN), which is issued by HCFA; the health industry number (HIN), which is issued by the Health Industry Business Communications Council; the National Association of Boards of Pharmacy (NABP) number, which is issued by the National Council for Prescription Drug Programs in cooperation with the NABP; and the national provider identifier (NPI), which is being developed by HCFA.
Unique physician identification numbers are currently issued to physicians, limited license practitioners, group practices, and certain noninstitutional providers (for example, ambulance companies). These numbers are issued to health care providers through Medicare carriers, and generally only Medicare providers have them. The unique physician identification number is used to identify ordering, performing, referring, and attending health care providers in Medicare claims processing. The computer system that generates the numbers is maintained by HCFA and is able to detect duplicate health care providers. The unique physician identification number is in the public domain and could be made widely accessible to health care providers and health plans. These numbers do contain intelligence (the first position designates a provider type, e.g., physician) and are only six positions long, which would not be able to accommodate a sufficient number of future health care providers.
The unique physician identification number does not meet criteria 2 and 10.

The health industry number is used for contract administration in the health industry supply chain, as a prescriber identifier for claims processing, and for market analysis. It consists of a base 7-position alpha-numeric identifier and a 2-position alpha-numeric suffix identifying the location of the prescriber. The suffix contains intelligence. Health industry numbers can enumerate individual prescribers as well as institutional providers. They are issued via a proprietary system maintained by the Health Industry Business Communications Council, which permits subscriptions to the database by data re-sellers and others. In addition, it does not collect sufficient data for thorough duplicate checking of individuals. The health industry number does not meet criteria 1, 3, and 10.

The National Association of Boards of Pharmacy number is a 7-digit numeric identifier assigned to licensed pharmacies. It is used to identify pharmacies to various payers. Its first two digits denote the State, the next four positions are assigned sequentially, and the last position is a check digit. We cannot assess data accessibility or privacy and confidentiality at this time because of the very limited applicability of the number. A 7-digit numeric identifier would not yield a sufficient quantity of identifiers, and there is intelligence in the number. This number does not meet criteria 2 and 10.

The NPI is intended to be a universal identifier, which can be used to enumerate all types of health care providers, and the supporting data structure incorporates a comprehensive list of provider types developed by an ANSI Accredited Standards Committee X12N workgroup. It is an intelligence-free 8-position alpha-numeric identifier, with the eighth position being a check digit, allowing for approximately 20 billion possible identifiers.
The NPI would not be proprietary and would be widely available to the industry. The system that would enumerate health care providers would be maintained by HCFA, and data would therefore be safeguarded under the Privacy Act (5 U.S.C. 552a). The system would also incorporate extensive search and duplicate checking routines into the enumeration process. The NPI meets all four of these criteria.

In addition, we examined the social security number issued by the Social Security Administration, the DEA number issued by the Drug Enforcement Administration, the employer identification number issued by the Internal Revenue Service, and the national supplier clearinghouse number issued by the Medicare program and used to identify suppliers of durable medical equipment and other suppliers. Neither the social security number nor the DEA number meets the accessibility test. The use of the social security number by Federal agencies is protected by the Privacy Act, and the DEA number must remain confidential in order to fulfill its intended function of monitoring controlled substances. The employer identification number does not meet the comprehensiveness test, because some individual health care providers do not qualify for one. The length of the national supplier clearinghouse number is 10 positions; to expand it would make it too long. Also, it is not intelligence-free, since the first portion of the identifier links health care providers together into business entities. The last four positions are reserved for subentities, leaving only the first six positions to enumerate unique health care provider entities.

Based on this analysis, we recommend the NPI be designated as the standard identifier for health care providers. It is the only candidate identifier that meets all four of the criteria above. In addition, the NPI would be supported by HCFA to assure continuity. As discussed in section VII.
of this preamble, on collection of information requirements, the data collection and paperwork burdens on users would be minimal, and the NPI can be used in other standard transactions under the HIPAA. In addition, as discussed in sections III.B., Enumerators, and IX., Impact Analysis, implementation costs per health care provider and per health plan would be relatively low, and we would develop implementation procedures. The NPI would be platform and protocol independent, and the structure of the identifier has been precisely stated. The NPI is not fully operational, but it is undergoing testing at this time, and comprehensive testing will be completed before the identifier is implemented.

3. Consultations. In the development of the NPI, we consulted with many organizations, including those that the legislation requires (section 1172(c)(3)(B) of the Act). Subsequently, the NPI has been endorsed by several government and private organizations:

a. The NCVHS endorsed the NPI in a Federal Register notice on July 24, 1997 (62 FR 39844).

b. The NUBC endorsed the NPI in August 1996.

c. The ADA indicated its support, in concept, of the development of a unique, singular, national provider identifier for all health care providers in December 1996.

d. The NUCC supported the establishment of the NPI in January 1997, subject to the following issues being fully addressed:

The business needs and rationale for each identifier be clearly established for health care, in both the private and government sectors, as part of the identifier definition process.

The scope and nature of, and the rationale for, the entities subject to enumeration be clearly defined.

All issues arising out of the health care industry's review of the proposed identifier, including any ambiguities in the law or proposed rule, be acknowledged and addressed.

Distribution of identifier products/maintenance to health care providers, payers and employers be low cost and efficient.
There should be no cost to have a number assigned to an individual health care provider or business.

e. WEDI indicated support for ``the general concept of the NPI as satisfying the national provider identifier requirement of HIPAA'' in a May 1997 letter to the Secretary. WEDI further stated that the NPI is equal to or better than alternative identifiers, but noted that it cannot provide an unqualified opinion until operational and technical details are disclosed in this regulation.

f. The State of Minnesota endorsed the NPI in Minnesota Statutes Section 62J.54, dated February 1996.

g. The Massachusetts Health Data Consortium's Affiliated Health Information Networks of New England endorsed the NPI as the standard provider locator for electronic data interchange in March 1996.

h. The USA Registration Committee approved the NPI as an International Standards Organization card issuer identifier in August 1996, for use on magnetic cards.

i. The National Council for Prescription Drug Programs indicated support for the NPI effort in an October 1996 letter to the Secretary.

E. Requirements

[Please label written and e-mailed comments about this section with the subject: Requirements.]

1. Health plans. In Sec. 142.404, Requirements: Health plans, we would require health plans to accept and transmit, directly or via a health care clearinghouse, the NPI on all standard transactions wherever required. Federal agencies and States may place additional requirements on their health plans.

2. Health care clearinghouses. We would require in Sec. 142.406, Requirements: Health care clearinghouses, that each health care clearinghouse use the NPI wherever an electronic transaction requires it.

3. Health care providers. In Sec.
142.408, Requirements: Health care providers, we would require each health care provider that needs an NPI for HIPAA transactions to obtain, by application if necessary, an NPI and to use the NPI wherever required on all standard transactions that it directly transmits or accepts.

The process by which health care providers will apply for and obtain NPIs has not yet been established. This proposed rule (in section III., Implementation of the NPI) presents implementation options by which health care providers will apply for and obtain NPIs. We are seeking comments on the options, and welcome other options for consideration.

In one of the options we are presenting, we anticipate that the initial enumeration of health care providers that are already enrolled in Medicare, other Federal programs named as health plans, and Medicaid would be done by those health plans. Those health care providers would not have to apply for NPIs but would instead have their NPIs issued automatically. Non-Federal and non-Medicaid providers would need to apply for NPIs to a Federally-directed registry for initial enumeration.

The information that will be needed in order to issue an NPI to a health care provider is discussed in this preamble in section IV. Data. Depending on the implementation option selected, Federal and Medicaid health care providers may not need to provide this information because it would already be available to the entities that would be enumerating them. In one of the options, health care providers would be assigned their NPIs in the course of enrolling in the Federal health plan or in Medicaid. Both options may require, to some degree, the development of an application to be used in applying for an NPI.

We would require each health care provider that has an NPI to forward updates to the data in the database to an NPI enumerator within 60 days of the date the change occurs.
We are soliciting comments on whether these updates should be applicable to all the data elements proposed to be included in the national provider file (NPF) or only to those data elements that are critical for enumeration. For example, we would like to know whether the addition of a credential should be required to be reported within the 60-day period, or whether such updates should be limited to name or address changes or other data elements that are required to enumerate a health care provider.

F. Effective Dates of the NPI

Health plans would be required to comply with our requirements as follows:

1. Each health plan that is not a small health plan would have to comply with the requirements of Secs. 142.104 and 142.404 no later than 24 months after the effective date of the final rule.

2. Each small health plan would have to comply with the requirements of Secs. 142.104 and 142.404 no later than 36 months after the effective date of the final rule.

3. If HHS adopts a modification to a standard or implementation specification, the implementation date of the modification would be no earlier than the 180th day following the adoption of the modification. HHS would determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. HHS would be able to extend the time for compliance for small health plans.

Health care clearinghouses and affected health care providers would have to begin using the NPI no later than 24 months after the effective date of the final rule.

Failure to comply with standards may result in monetary penalties. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement.
We will propose enforcement procedures in a future Federal Register document once the industry has more experience with using the standards.

III. Implementation of the NPI

[Please label written and e-mailed comments about this section with the subject: Implementation.]

A. The National Provider System

We would implement the NPI through a central electronic enumerating system, the national provider system (NPS). This system would be a comprehensive, uniform system for identifying and uniquely enumerating health care providers at the national level, not unlike the process now used to issue social security numbers. HCFA would exercise overall responsibility for oversight and management of the system. Health care providers would not interact directly with the NPS.

The process of identifying and uniquely enumerating health care providers is separate from the process health plans follow in enrolling health care providers in their health programs. Even with the advent of assignment of NPIs by the NPS, health plans would still have to follow their own procedures for receiving and verifying information from health care providers that apply to them for enrollment in their health programs. Unique enumeration is less expensive than plan enrollment because it does not require as much information to be collected, edited, and verified. We welcome comments on the cost of provider enrollment in a health plan.

NPIs would be issued by one or more organizations to which we refer in this preamble as ``enumerators.'' The functions we foresee being carried out by enumerators are presented in section B. Enumerators in this preamble.

The NPS would edit the data, checking for consistency, formatting addresses, and validating the social security number. It would then search the database to determine whether the health care provider already has an NPI. If so, that NPI would be displayed. If not, an NPI would be assigned.
If the health care provider is similar (but not identical) to an already-enumerated health care provider, the information would be passed back to the enumerator for further analysis. Enumerators would also communicate NPIs back to the health care providers and maintain the NPS database. The number of enumerators would be limited in the interest of data quality and consistency.

Because the Medicare program maintains files on more health care providers than any other health care program in the country, we envision using data from those files to initially populate the NPF that is being built by the NPS and would be accessed by the enumerator(s). The data we are considering for inclusion in this file are described in section IV. Data in this preamble.

B. Enumerators

The enumerator(s) would carry out the following functions: assist health care providers and answer questions; accept the application for an NPI; validate as many of the data elements as possible at the point of application to assure the submitted data are accurate and the application is authentic; enter the data into the NPS to obtain an NPI for the health care provider; research cases where there is a possible match to a health care provider already enumerated; notify the health care provider of the assigned NPI; and enter updated data into the NPS when notified by the health care provider.

Some of these functions would not be necessary if the enumerator(s) is an entity that enrolls health care providers in its own health plan and would be enumerating health care providers at the time they are enrolling in the entity's health plan. For example, if a Federal health plan is an enumerator, some of the functions listed above would not have to be performed separately from what the health plan would do in its regular business.

The major issue related to the operation of this process is determining who the enumerator(s) will be.

1. Possible enumerators.
We had several choices in deciding who should enumerate health care providers. There are advantages and disadvantages to each of these choices:

A registry: A central registry operated under Federal direction would enumerate all health care providers. The Federally-directed registry could be a single physical entity or could be a number of agents controlled by a single entity and operating under common procedures and oversight.

For: The process would be consistent; centralized operation would assure consistent data quality; the concept of a registry is easy to understand (single source for identifiers).

Against: The cost of creating a new entity rather than enumerating as part of existing functions (for example, plan enrollment) would be greater than having existing entities enumerate; there would be redundant data required for enumeration and enrollment in a health plan.

Private organization(s): A private organization(s) that meets certain selection criteria and performance standards, which would post a surety bond related to the number of health care providers enumerated could enumerate health care providers.

For: The organization(s) would operate in a consistent manner under uniform requirements and standards; failure to maintain prescribed requirements and standards could result in penalties which could include suspension or debarment from being an enumerator.

Against: A large number of private enumerators would compromise the quality of work and be difficult to manage; the administrative work required to set up arrangements for a private enumerator(s) may be significant; the cost of creating a new entity rather than enumerating as part of existing functions (for example, plan enrollment) would be greater than having existing entities enumerate; there might be redundant data required for enumeration and enrollment in a health plan; the legality of privatization would need to be researched.
Federal health plans and Medicaid State agencies: Federal programs named as health plans and Medicaid State agencies would enumerate all health care providers. (As stated earlier under the definition of ``health plan'', the Federal Employees Health Benefits Program is comprised of numerous health plans, rather than just one, and does not deal directly with health care providers that are not also health plans. Thus, the program would not enumerate health care providers but would still require the NPI to be used.)

For: These health plans already assign numbers to their health care providers; a large percentage of health care providers do business with Federal health plans and Medicaid State agencies; there would be no appreciable costs for these health plans to enumerate as part of their enrollment process; a small number of enumerators would assure consistent data quality.

Against: Not all health care providers do business with any of these health plans; there would be the question of which health plan would enumerate the health care provider that participates in more than one; we estimate that approximately 5 percent of the State Medicaid agencies may decline to take on this additional task.

Designated State agency: The Governor of each State would designate an agency to be responsible for enumerating health care providers within the State. The agency might be the State Medicaid agency, State licensing board, health department, or some other organization. Each State would have the flexibility to develop its most workable approach.

For: This choice would cover all health care providers; there would be a single source of enumeration in each State; States could devise the least expensive mechanisms (for example, assign NPI during licensing); license renewal cycles would assure periodic checks on data accuracy.
Against: This choice would place an unfunded workload on States; States may decline to designate an agency; there may be insufficient funding to support the costs the States would incur; State licensing agencies may not collect enough information during licensing to ensure uniqueness across States; States may not be uniform in their definitions of ``providers.''

Professional organizations or training programs: We would enlist professional organizations to enumerate their members and/or enable professional schools to enumerate their students.

For: Individuals could be enumerated at the beginning of their careers; most health care providers either attend a professional school or belong to an organization.

Against: Not all health care providers are affiliated with an organization or school; this choice would result in many enumerators and thus potentially lower the data quality; schools would not be in a position to update data once the health care provider has graduated; the choice would place an unfunded workload on schools and/or organizations.

Health plans: Health plans in general would have access to the NPS to enumerate any of their health care providers.

For: Most health care providers do business with one or more health plans; there would be a relatively low cost for health plans to enumerate as part of enrollment; this choice would eliminate the need for redundant data.

Against: Not all health care providers are affiliated with a health plan; this choice would be confusing for the health care provider in determining which health plan would enumerate when the health care provider is enrolled in multiple health plans; there would be a very large number of enumerators and thus potentially serious data quality problems; the choice would place unfunded workload on health plans.

Combinations: We also considered using combinations of these choices to maximize advantages and minimize disadvantages.

2.
Options: If private organizations, as enumerators, could charge health care providers a fee for obtaining NPIs, this enumeration option would be attractive and preferable to the other choices or combinations, as it would offer a way to fund the enumeration function. In researching the legality of this approach, however, we were advised that we do not have the authority to (1) charge health care providers a fee for obtaining NPIs, or (2) license private organizations that could charge health care providers for NPIs. For these reasons, we chose not to recommend private organizations as enumerators.

The two most viable options are described below. We solicit input on these options, as well as on alternate solutions.

Option 1: Registry enumeration of all health care providers.

All health care providers would apply directly to a Federally-directed registry for an identifier. The registry, while under Federal direction, would probably be operated by an agent or contractor. This option is favored by some health plans, which believe that a single entity should be given the task of enumerating health care providers and maintaining the database for the sake of consistency. It would also be the simplest option for health care providers, since enumeration activities would be carried out for all health care providers by a single entity. The major drawback to this option is the high cost of establishing a registry large enough to process enumeration and update requests for the 1.2 million current and 30,000 new (annually) health care providers that conduct HIPAA transactions. The costs of this option are discussed in section J.2.d., Enumerators, in the impact analysis in this Federal Register document.

The statute did not provide a funding mechanism for the enumeration/update process. Federal funds, if available, could support the registry. We seek comments on funding mechanisms for the registry.
This option does not offer a clear possibility for funding some of the costs associated with the operation and maintenance of the NPS as it becomes national in scope (that is, as the NPS enumerates health care providers that are not Medicare providers). We solicit comments on appropriate methods for funding the NPS under this option.

Option 2: A combination of Federal programs named as health plans, Medicaid State agencies, and a Federally-directed registry.

Federal health plans and Medicaid State agencies would enumerate their own health care providers. Each health care provider participating in more than one health plan could choose the health plan by which it wishes to be enumerated. All other health care providers would be enumerated by a Federally-directed registry. These latter health care providers would apply directly to the registry for an identifier. The number of enumerators, and the number of health care providers per enumerator, would be small enough that each enumerator would be able to carefully validate data received from and about each of its health care providers. Moreover, enumerators (aside from the registry) would be dealing with their own health care providers, an advantage both in terms of cost equity and data quality.

This option recognizes the fact that Federal plans and Medicaid State agencies already assign identifiers to their health care providers for their own programmatic purposes. It would standardize those existing processes and, in some cases, may increase the amount of data collected or validation performed. We have concluded that the cost of concurrently enumerating and enrolling a Medicare or Medicaid provider is essentially the same as the cost of enrollment alone because of the high degree of redundancy between the processes.
While there would probably be additional costs initially, they would be offset by savings in other areas (e.g., there would be a simplified, more efficient coordination of benefits; a health care provider would only have to be enumerated once; there would be no need to maintain more than one provider number for each health care provider; and there would be no need to maintain more than one enumeration system).

The Federal Government is responsible for 75 percent of Medicaid State agency costs to enumerate and update health care providers. Because we believe that, on average, the costs incurred by Medicaid State agencies in enumerating and updating their own health care providers are relatively low and offset by savings, there are no tangible costs involved. Allowing these health plans to continue to enumerate their health care providers would reduce the registry workload and its operating costs. We estimate that approximately 85 percent of billing health care providers transact business with a Medicaid State agency or a Federal health plan. We estimate that 5 percent of Medicaid State agencies may decline to enumerate their health care providers. If so, that work would have to be absorbed by the registry. This expense could be offset by the discontinuation of the UPIN registry, which is currently maintained with Federal funds.

The costs of this option are discussed in section J.2.d., Enumerators, of the impact analysis. We welcome comments on the number of health care providers that would deal directly with a registry under this option and on alternative ways to enumerate them.

This option does not offer a clear possibility for funding some of the costs associated with the operation and maintenance of the NPS as it becomes national in scope (that is, as the NPS enumerates health care providers that are not Medicare providers). We solicit comments on appropriate methods for funding the NPS under this option.
We believe that option 2 is the most advantageous and the least costly. Option 1 is the simplest for health care providers to understand but has a significant Federal budgetary impact. Option 2 takes advantage of existing expertise and processes to enumerate the majority of health care providers. This reduces the cost of the registry in option 2 to a point where it would be largely offset by savings from eliminating redundant enumeration processes.

3. Fees and costs. Because the statute did not provide a funding mechanism for the enumeration process, Federal funds, if available, would be required to finance this function. We seek comment on any burden that various financing options might impose on the industry.

We welcome comments on possible ways to reduce the costs of enumeration.

While the NPS has been developed to date by HCFA with Federal funds, issues remain as to sources of future funding as the NPS becomes national in use. We welcome your comments on sources for this funding.

4. Enumeration phases. We intend to implement the NPI in phases because the number of potential health care providers to be enumerated is too large to enumerate at one time, regardless of the number of enumerators. We describe in a., b., and c. below how the process would work if option 2 were selected and in d. below how implementation of option 1 would differ.

a. Health care providers that participate in Medicare (including physicians and other suppliers that furnish items and services covered by Medicare) would be enumerated first because, as the managing entity, HCFA has data readily available for all Medicare providers. Health care providers that are already enrolled in Medicare at the time of implementation would be enumerated based on existing Medicare provider databases that have already been reviewed and validated. These health care providers would not have to request an NPI--they would automatically receive one.
After this initial enumeration, new and non-Medicare health care providers not yet enumerated that wish to participate in Medicare would receive an NPI as a part of the enrollment process.

b. Medicaid and non-Medicare Federal health plans that need to enumerate their health care providers would follow a similar process, based on a mutually agreed-upon timetable. Those health plans' existing prevalidated databases could be used to avoid requiring large numbers of health care providers to apply for NPIs. If a health care provider were already enumerated by Medicare, that NPI would be communicated to the second program. After the initial enumeration, new health care providers that wish to participate in Medicaid or a Federal health plan other than Medicare would receive an NPI as a part of that enrollment process. Health care providers that transact business with more than one such health plan could be enumerated by any one of those health plans. This phase would be completed within 2 years after the effective date of the final rule.

c. A health care provider that does not transact any business with Federal health plans or Medicaid but that does conduct electronically any of the transactions stipulated in HIPAA (for example, submits claims electronically to a private health plan) would be enumerated via a Federally-directed registry. This enumeration would be done concurrently with the enumeration described in b., above. Health care providers would apply to the registry for an NPI.

After the first two phases of enumeration (that is, enumeration of health care providers enrolled or enrolling in Federal health plans or Medicaid or health care providers that do not conduct business with any of those plans but that conduct any of the HIPAA transactions electronically), the health care providers remaining would be those that do not conduct electronically any of the transactions specified in HIPAA.
We refer to these health care providers as ``non-HIPAA-transaction health care providers.'' The non-HIPAA-transaction health care providers would not be enumerated in the first two phases of enumeration. We do not intend to enumerate these health care providers until all health care providers requiring NPIs by statute are enumerated and funds are available.

In some cases, these health care providers may wish to be enumerated even though they do not conduct electronic transactions. Health plans may prefer to use the NPI for all health care providers, whether or not they submit transactions electronically, for the sake of processing efficiency. In addition, some health care providers may wish to be enumerated even though they conduct no designated transactions and are not affiliated with any health plan.

Additional research is required on the timetable and method by which non-HIPAA-transaction health care providers would be enumerated.

d. If option 1 were selected, the Federally-directed registry would enumerate all health care providers. With a single enumeration point (although it could consist of several agents controlled by a single entity, as stated earlier), we would envision enumeration taking place in the following phases: Medicare providers; Medicaid providers and other non-Medicare Federal providers; health care providers that do not transact any business with the aforementioned plans but that process electronically any of the transactions stipulated in HIPAA; and all other health care providers (i.e., non-HIPAA-transaction health care providers).

C. Approved Uses of the NPI

The law requires that we specify the appropriate uses of the NPI.

Two years after adoption of this standard (3 years for small health plans) the NPI must be used in the health care system in connection with the health-related financial and administrative transactions identified in section 1173(a).
The NPI may also be used as a cross reference in health care provider fraud and abuse files and other program integrity files (for example, the HHS Office of the Inspector General sanction file). The NPI may be used to identify health care providers for debt collection under the provisions of the Debt Collection Information Act of 1996 and the Balanced Budget Act of 1997, and for any other lawful activity requiring individual identification of health care providers. It may not be used in any activity otherwise prohibited by law.

Other examples of approved uses would include:

Health care providers may use their own NPIs to identify themselves in health care transactions or related correspondence.
Health care providers may use other health care providers' NPIs as necessary to complete health care transactions and on related correspondence.
Health care providers may use their own NPIs on prescriptions (however, the NPI could not replace the DEA number or State license number where either of those numbers is required on prescriptions).
Health plans may use NPIs in their internal provider files to process transactions and may use them on transactions and in communications with health care providers.
Health plans may communicate NPIs to other health plans for coordination of benefits.
Health care clearinghouses may use NPIs in their internal files to create and process standard transactions and in communications with health care providers and health plans.
NPIs may be used to identify treating health care providers in patient medical records.

D. Summary of Effects on Various Entities

We summarize here how the implementation of the NPI would affect health care providers, health plans, and health care clearinghouses, if option 2 were selected. Differences that would result from selection of option 1 are noted parenthetically.

1. Health care providers.

a. Health care providers interacting with Medicare, another Federal plan, or a Medicaid State agency would receive their NPIs from the NPS via one of those programs and would be required to use their NPIs on all the specified electronic transactions. Each plan would establish its own schedule for adopting the NPI, within the time period specified by the law. Whether a given plan would automatically issue the NPIs or require the health care providers to apply for them would be up to the plan. (For example, the Medicare program would issue NPIs automatically to its currently enrolled Medicare providers and suppliers; data on its future health care providers and suppliers would be collected on the Medicare enrollment application.) The Federal or State plan may impose requirements other than those stated in the regulations. The health care providers would be required to update any data collected from them by submitting changes to the plan within 60 days of the change. Health care providers that transact business with multiple plans could report changes to any one of them. (Selection of option 1 would mean that the health care provider would obtain the NPI from, and report changes to, the Federally-directed registry.)

b. Health care providers that conduct electronic transactions but do not do so with Federal health plans or Medicaid would receive their NPIs from the NPS via the Federally-directed registry and would be required to use their NPIs on all the specified electronic transactions. Each health plan would establish its own schedule for adopting the NPI, within the time period specified by the law. The health care providers would be required to update any data originally collected from them by submitting changes within 60 days of the date of the change to the Federally-directed registry.

c. Health care providers that are not covered by the above categories would not be required to obtain an NPI.
(These health care providers are the non-HIPAA-transaction health care providers as described in section 4.c. of section B. Enumerators earlier in this preamble.) They may be enumerated if they wish, depending on availability of funds, but they would not be issued NPIs until those health care providers that currently conduct electronic transactions have received their NPIs. As stated earlier, the timetable and method by which the non-HIPAA-transaction health care providers would be enumerated must be determined. After the non-HIPAA-transaction health care providers are enumerated, they would be required to update any data originally collected from them by submitting changes within 60 days of the date of the change. Those providers would report their changes to the registry or to a Federal plan or Medicaid State agency with which they transact business at the time of the change.

2. Health plans.

a. Medicare, other Federal health plans, and Medicaid would be responsible for obtaining NPIs from the NPS and issuing them to their health care providers. They would be responsible for updating the data base with data supplied by their health care providers. (Selection of option 1 would mean that Medicare, other Federal health plans, and Medicaid would not enumerate health care providers or update their data.) These government health plans would establish their own schedule for adopting the NPI, within the time period specified by the law. They would be able to impose requirements on their health care providers in addition to, but not inconsistent with, those in our regulations.

b. Each remaining health plan would be required to use the NPI to identify health care providers in electronic transactions as provided by the statute. Each health plan would establish its own schedule for adopting the NPI, within the time period specified by the law.
They would be able to impose requirements on their health care providers in addition to, but not inconsistent with, those in our regulations.

[[Page 25335]]

3. Health care clearinghouses.

Health care clearinghouses would be required to use a health care provider's NPI on electronic standard transactions requiring an NPI that are submitted on the health care provider's behalf.

IV. Data

[Please label written and e-mailed comments about this section with the subject: DATA.]

A. Data Elements

The NPS would collect and store in the NPF a variety of information about a health care provider, as shown in the table below. We believe the majority of this information is used to uniquely identify a health care provider; other information is used for administrative purposes. A few of the data elements are collected at the request of potential users that have been working with HCFA in designing the database prior to the passage of HIPAA. All of these data elements represent only a fraction of the information that would comprise a provider enrollment file.

The data elements in the table, plus cease/effective/termination dates, switches (yes/no), indicators, and history, are being considered as those that would form the NPF. We have included comments, as appropriate. The table does not display systems maintenance or similar fields, or health care provider cease/effective/termination dates.

National Provider File Data Elements
------------------------------------------------------------------------
Data elements | Comments | Purpose
------------------------------------------------------------------------
National Provider Identifier (NPI) | 8-position alphanumeric NPI assigned by the NPS. | I
Provider's current name | For Individuals only. Includes first, middle, and last names. | I
Provider's other name | For Individuals only. Includes first, middle, and last names. Other names might include maiden and professional names. | I
Provider's legal business name | For Groups and Organizations only. | I
Provider's name suffix | For Individuals only. Includes Jr., Sr., II, III, IV, and V. | I
Provider's credential designation | For Individuals only. Examples are MD, DDS, CSW, CNA, AA, NP, RNA, PSY. | I
Provider's Social Security Number (SSN) | For Individuals only. | I
Provider's Employer Identification Number (EIN) | Employer Identification Number. | I
Provider's birth date | For Individuals only. | I
Provider's birth State code | For Individuals only. | I
Provider's birth county name | For Individuals only. | I
Provider's birth country name | For Individuals only. | I
Provider's sex | For Individuals only. | I
Provider's race | For Individuals only. | U
Provider's date of death | For Individuals only. | I
Provider's mailing address | Includes 2 lines of street address, plus city, State, county, country, 5- or 9-position ZIP code. | A
Provider's mailing address telephone number | | A
Provider's mailing address fax number | | A
Provider's mailing address e-mail address | | A
Resident/Intern code | For certain Individuals only. | U
Provider enumerate date | Date provider was enumerated (assigned an NPI). Assigned by the NPS. | A
Provider update date | Last date provider data was updated. Assigned by the NPS. | A
Establishing enumerator/agent number | Identification number of the establishing enumerator. | A
Provider practice location identifier (location code) | 2-position alphanumeric code (location code) assigned by the NPS. | I
Provider practice location name | Title (e.g., ``doing business as'' name) of practice location. | I
Provider practice location address | Includes 2 lines of street address, plus city, State, county, country, 5- or 9-position ZIP code. | I
Provider's practice location telephone number | | A
Provider's practice location fax number | | A
Provider's practice location e-mail address | | A
Provider classification | From Accredited Standards Committee X12N taxonomy. Includes type(s), classification(s), area(s) of specialization. | I
Provider certification code | For certain Individuals only. | U
Provider certification (certificate) number | For certain Individuals only. | U
Provider license number | For certain Individuals only. | I
Provider license State | For certain Individuals only. | I
School code | For certain Individuals only. | I
School name | For certain Individuals only. | I
School city, State, country | For certain Individuals only. | U
School graduation year | For certain Individuals only. | I
Other provider number type | Type of provider identification number also/formerly used by provider: UPIN, NSC, OSCAR, DEA, Medicaid State, PIN, Payer ID. | I
Other provider number | Other provider identification number also/formerly used by provider. | I
Group member name | For Groups only. Name of Individual member of group. Includes first, middle, and last names. | I
Group member name suffix | For Groups only. This is the Individual member's name suffix. Includes Jr., Sr., II, III, IV, and V. | I
[[Page 25336]]
Organization type control code | For certain Organizations only. Includes Government--Federal (Military), Government--Federal (Veterans), Government--Federal (Other), Government--State/County, Government--Local, Government--Combined Control, Non-Government--Non-profit, Non-Government--For Profit, and Non-Government--Not for Profit. | U
------------------------------------------------------------------------
Key:
I--Used for the unique identification of a provider.
A--Used for administrative purposes.
U--Included at the request of potential users (optional).
We need to consider the benefits of retaining all of the data elements shown in the table versus lowering the cost of maintaining the database by keeping only the minimum number of data elements needed for unique provider identification. We solicit input on the composition of the minimum set of data elements needed to uniquely identify each type of provider. In order to consider the inclusion or exclusion of data elements, we need to assess their purpose and use.

The data elements with a purpose of ``I'' are needed to identify a health care provider, either in the search process (which is electronic) or in the investigation of health care providers designated as possible matches by the search process. These data elements are critical because unique identification is the keystone of the NPS.

The data elements with a purpose of ``A'' are not essential to the identification processes mentioned above, but nonetheless are valuable. Certain ``A'' data elements can be used to contact a health care provider for clarification of information or resolution of issues encountered in the enumeration process and for sending written communications; other ``A'' data elements (e.g., Provider Enumerate Date, Provider Update Date, Establishing Enumerator/Agent Number) are used to organize and manage the data.

Data elements with a purpose of ``U'' are collected at the request of potential users of the information in the system. While not used by the system's search process to uniquely identify a health care provider, Race is nevertheless valuable in the investigation of health care providers designated as possible matches as a result of that process. In addition, Race is important to the utility of the NPS as a statistical sampling frame. We solicit comments on the statistical validity of Race data. Race is collected ``as reported''; that is, it is not validated. It is not maintained, only stored. The cost of keeping this data element is virtually nil.
Other data elements (Resident/Intern Code, Provider Certification Code and Number, and Organization Type Control Code) with a purpose of ``U'', while not used for enumeration of a health care provider, have been requested to be included by some members of the health care industry for reports and statistics. These data elements are optional and do not require validation; many remain constant by their nature; and the cost to store them is negligible.

The data elements that we judge will be expensive to either validate or maintain (or both) are the license information, provider practice location addresses, and membership in groups. We solicit comments on whether these data elements are necessary for the unique enumeration of health care providers and whether validation or maintenance is required for that purpose.

Licenses may be critical in determining uniqueness of a health care provider (particularly in resolving identities involving compound surnames) and are, therefore, considered to be essential by some. License information is expensive to validate initially, but not expensive to maintain because it does not change frequently.

The practice location addresses can be used to aid in investigating possible provider matches, in converting existing provider numbers to NPIs, and in research involving fraud or epidemiology. Location codes, which are discussed in detail in section B. Practice Addresses and Group/Organization Options below, could be assigned by the NPS to point to and identify practice locations of individuals and groups. Some potential users felt that practice addresses changed too frequently to be maintained efficiently at the national level. The average Medicare physician has two to three addresses at which he/she practices. Group providers may have many more practice locations. We estimate that 5 percent of health care providers require updates annually, and that addresses are one of the most frequently changing attributes.
As a result, maintaining more than one practice address for an individual provider on a national scale could be burdensome and time consuming. Many potential users believe that practice addresses could more adequately be maintained at local, health-plan specific levels.

Some potential users felt that membership in groups was useful in identifying health care providers. Many others, however, felt that these data are highly volatile and costly to maintain. These users felt it was unlikely that membership in groups could be satisfactorily maintained at the national level.

We welcome your comments on the data elements proposed for the NPF and input as to the potential usefulness and tradeoffs for these elements such as those discussed above. We specifically invite comments and suggestions on how the enumeration process might be improved to prevent issuance of multiple NPIs to a health care provider.

B. Practice Addresses and Group/Organization Options

We have had extensive consultations with health care providers, health plans, and members of health data standards organizations on the requirements for provider practice addresses and on the group and organization data in the NPS. (It is important to note that the NPS is designed to capture a health care provider's mailing address. The mailing address is a data element separate from the practice address, and, as such, is not the subject of the discussion below.) Following are the major questions relating to these issues:

Should the NPS capture practice addresses of health care providers?

For: Practice addresses could aid in non-electronic matching of health care providers and in conversion of existing provider number systems to NPIs. They could be useful for research specific to practice location; for example, involving fraud or epidemiology.

Against: Practice addresses would be of limited use in the electronic identification and matching of health care providers.
The large number of practice locations of some group [[Page 25337]] providers, the frequent relocation of provider offices, and the temporary situations under which a health care provider may practice at a particular location would make maintenance of practice addresses burdensome and expensive.

Should the NPS assign a location code to each practice address in a health care provider's record?

The location code would be a 2-position alphanumeric data element. It would be a data element in the NPS but would not be part of the NPI. It would point to a certain practice address in the health care provider's record and would be usable only in conjunction with that health care provider's NPI. It would not stand alone as a unique identifier for the address.

For: The location code could be used to designate a specific practice address for the health care provider, eliminating the need to perform an address match each time the address is retrieved. The location code might be usable, in conjunction with a health care provider's NPI, as a designation for service location in electronic health transactions.

Against: Location codes should not be created and assigned nationally unless required to support standard electronic health transactions; this requirement has not been demonstrated. The format of the location code would allow for a lifetime maximum of 900 location codes per health care provider; this number may not be adequate for groups with many locations. The location code would not uniquely identify an address; different health care providers practicing at the same address would have different location codes for that address, causing confusion for business offices that maintain data for large numbers of health care providers.

Should the NPS link the NPI of a group provider to the NPIs of the individual providers who are members of the group?
For: Linkage of the group NPI to individual members' NPIs would provide a connection from the group provider, which is possibly not licensed or certified, to the individual members who are licensed, certified or otherwise authorized to provide health care services.

Against: The large number of members of some groups and the frequent moves of individuals among groups would make national maintenance of group membership burdensome and expensive. Organizations that need to know group membership prefer to maintain this information locally, so that they can ensure its accuracy for their purposes.

Should the NPS collect the same data for organization and group providers?

There would be no distinction between organization and group providers. Each health care provider would be categorized in the NPS either as an individual or as an organization. Each separate physical location or subpart of an organization that needed to be identified would receive its own NPI. The NPS would not link the NPI of an organization provider to the NPI of any other health care provider, although all organizations with the same employer identification number (EIN) or same name would be retrievable via a query on that EIN or name.

For: The categorization of health care providers as individuals or organizations would provide flexibility for enumeration of integrated provider organizations. Eliminating the separate category of group providers would eliminate an artificial distinction between groups and organizations. It would eliminate the possibility that the same entity would be enumerated as both a group and an organization. It would eliminate any need for location codes for groups. It would allow enumeration at the lowest level that needs to be identified, offering flexibility for enumerators, health plans or other users of NPS data to link organization NPIs as they require in their own systems.
Against: A single business entity could have multiple NPIs, corresponding to its physical locations or subparts.

Possible Approaches:

We present two alternatives to illustrate how answers to the questions posed above would affect enumeration and health care provider data in the NPS. Since the results would depend upon whether the health care provider is an individual, organization, or group, we refer the reader to section II.B.3., Definitions, of this preamble.

Alternative 1:

The NPS would capture practice addresses. It would assign a location code for each practice address of an individual or group provider. Organization and group providers would be distinguished and would have different associated data in the NPS. Organization providers could have only one location per NPI and could not have individuals listed as members. Group providers could have multiple locations with location codes per NPI and would have individuals listed as members.

For individual providers, the NPS would capture each practice address and assign a corresponding location code. The NPS would link the NPIs of individuals who are listed as members of a group with the NPI of their group.

For organization providers, the NPS would capture the single active practice address. It would not assign a corresponding location code.

For group providers, the NPS would capture each practice address and assign a corresponding location code. The NPS would link the NPI of a group with the NPIs of all individuals who are listed as members of the group. A group location would have a different location code in the members' individual records and the group record.

Alternative 2:

The NPS would capture only one practice address for an individual or organization provider. It would not assign location codes. The NPS would not link the NPI of a group provider to the NPIs of individuals who are members of the group. Organization and group providers would not be distinguished from each other in the NPS.
Each health care provider would be categorized as either an individual or an organization.

For individual providers, the NPS would capture a single practice address. It would not assign a corresponding location code.

For organization providers, each separate physical location or subpart that needed to be identified would receive its own NPI. The NPS would capture the single active practice address of the organization. It would not assign a corresponding location code.

Recent consultations with health care providers, health plans, and members of health data standards organizations have indicated a growing consensus for Alternative 2 discussed above. Representatives of these organizations feel that Alternative 2 will provide the data needed to identify the health care provider at the national level, while reducing burdensome data maintenance associated with provider practice location addresses and group membership.

We welcome comments on these and other alternatives for collection of practice location addresses and assignment of location codes, and on the group and organization provider data within the NPS.

V. Data Dissemination

[Please label written and e-mailed comments about this section with the subject: Dissemination.]

We are making information from the NPS available so that the administrative simplification provisions of the law can be implemented smoothly and efficiently. In addition to the health care provider's name and NPI, it is important to make available other information [[Page 25338]] about the health care provider so that people with existing health care provider files can associate their health care providers with the appropriate NPIs. The data elements we are proposing to disseminate are the ones that our research has shown will be most beneficial in this matching process. The information needs to be disseminated to the widest possible audience because the NPIs would be used in a vast number of applications throughout the health care industry.