Federal Register: July 28, 1998 (Volume 63, Number 144)


[Page 40297-40300]



Privacy Act of 1974; Report of New System

AGENCY: Department of Health and Human Services (HHS), Health Care Financing Administration (HCFA).

ACTION: Notice of new system of records.

SUMMARY: In accordance with the requirements of the Privacy Act of 1974, we are proposing to establish a new system of records, called the ``National Provider System (NPS),'' HHS/HCFA/OIS No. 09-70-0008. We have provided background information about the proposed system in the ``Supplementary Information'' section below. Both institutional (e.g., hospitals, skilled nursing facilities) and individually identifiable (e.g., physicians and other practitioners) providers are included in the NPS database. The institutional providers' data are covered by section 1106 of the Social Security Act and the Freedom of Information Act, while the individually identifiable providers' data are also covered by the Privacy Act of 1974. Although the Privacy Act requires only that the ``routine uses'' portion of the system be published for comment, HCFA invites comments on all portions of this notice. See ``Effective Dates'' for comment period.

EFFECTIVE DATES: HCFA filed a new system report with the Chairman of the Committee on Government Reform and Oversight of the House of Representatives, the Chairman of the Committee on Governmental Affairs of the Senate, and the Acting Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB), on July 8, 1998. The new system of records, including routine uses, will become effective 40 days from the date submitted to OMB and the Congress, unless HCFA receives comments which require alteration to this notice. HCFA will also consider revisions to this notice based upon comments received on the National Provider Identifier (NPI) notice of proposed rulemaking (FR/Vol. 63, No. 88/May 7, 1998). The NPS will not become operational until sometime after the NPI final rule is published and the system is in full compliance with the requirements of the final rule.

ADDRESSES: The public should address comments to the HCFA Privacy Act Officer, Division of Freedom of Information & Privacy, Office of Information Services, Health Care Financing Administration, 7500 Security Boulevard, C2-01-11, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location by appointment during regular business hours, Monday through Friday 9 a.m.--3 p.m. Eastern Time Zone.


Patricia Peyton, Office of Information Services, Health Care Financing Administration, 7500 Security Boulevard, N3-09-16, Baltimore, Maryland 21244-1850. The telephone number is (410) 786-1812.


This system will allow better administration of all health care programs. Currently, there is no standard health care provider identifier in use in the health care industry. Health care providers are assigned multiple identifiers by the health plans in which they participate; such assignments are made routinely and independently of each other. The identifiers are frequently not standardized within a single health plan or across plans. A single health care provider may have different identification numbers for each health program, and often multiple billing numbers issued within the same program.

Nonstandard enumeration of health care providers significantly complicates health care providers' claims submission processes. It also contributes to the unintentional issuance of the same identification number to different health care providers.

Most health plans have to be able to coordinate benefits with other health plans to ensure appropriate payment. The lack of a single, unique identifier for each health care provider within each health plan and across health plans, based on the same core data, makes exchanging data both expensive and difficult.

These factors, which indicate the complexities of exchanging information on health care providers within and among organizations, result in increasing numbers of claims-related problems and increasing costs of data processing. The need for a standard health care provider identifier becomes more and more evident as we become more dependent on data automation and proceed in planning for health care in the future.

In addition to overcoming communication and coordination difficulties, use of a standard, unique health care provider identifier would enhance our ability to eliminate fraud and abuse in health care programs.

This system will issue the standard health care provider identifiers--called National Provider Identifiers (NPIs)--which will be used by Medicare, Medicaid, other Federal programs named as health plans, non-Government health plans, health care providers, and health care clearinghouses.

This initiative was mandated by the administrative simplification provisions of Pub. L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA mandates the adoption of a standard health care provider identifier and its assignment to every health care provider that transacts electronically any of the transactions specified in that law. Creation of a standard health care provider identifier and its assignment to Medicare and Medicaid providers also supports HCFA's Strategic Plan goal of data standardization.

It is important to clarify that NPS responsibilities are limited to unique health care provider identification, enumeration of those health care providers, and updating the health care provider enumeration data. Responsibility for determining whether a provider is qualified for any particular program remains the responsibility of that program. Furthermore, the creation of a national health care provider identifier should not alter the current relationship between health care providers and health plans in any fundamental way; health care providers will still be governed by each health plan's rules for program enrollment, credentialing and claims submission. The NPS will provide the means to uniquely identify and enumerate a health care provider at the national level.

The Department of Health and Human Services is proposing, in a notice of proposed rulemaking, that the information needed to enumerate health care providers that participate in Federal health plans (e.g., Medicare, Tricare/CHAMPUS) and Medicaid be obtained from the preexisting health care provider enrollment databases of those plans. Approximately 85 percent of health care providers requiring NPIs exist in those databases. Enumerating information about the remaining health care providers requiring NPIs will be obtained from an application form. Information in the Federal health plan and Medicaid enrollment databases will be validated and reformatted into the NPS Standard Record Format so it can be loaded into the National Provider System.

The Privacy Act permits us to disclose information without the consent of individuals for ``routine uses''--that is, disclosures that are compatible with the purpose for which we collected the information. The proposed routine uses in the new system meet the compatibility criterion of the statute. We anticipate the disclosures under the routine uses will not result in any unwarranted adverse effects on personal privacy.

Dated: July 8, 1998.

Nancy-Ann Min DeParle,
Administrator, Health Care Financing Administration.



National Provider System (NPS), HHS/HCFA/OIS.




Health Care Financing Administration, Office of Information Services, HCFA Data Center, North Building, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.


As defined by section 1171(3) of the Social Security Act (the Act), a health care provider is a provider of services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Social Security Act, and any other person who furnishes health care services or supplies. For purposes of the NPS in assigning NPIs, the definition of health care provider is limited to those entities that furnish, or bill and are paid for, health care services in the normal course of business. The statutory definition of a health care provider is broad, with section 1861(u) containing the Medicare definition of an institutional provider (such as hospitals, home health agencies, etc.), and section 1861(s) containing the Medicare definition of other facilities and practitioners (such as assorted clinics, physicians, clinical laboratories, suppliers of durable medical equipment, other licensed/certified health care practitioners). This System of Records applies only to appropriately licensed or certified individual practitioners.

While the National Provider System will also include health care providers that are organizations (e.g., hospitals, pharmacies) and groups (entities composed of one or more individuals, as described earlier), these health care providers will not be addressed further in this systems notice because they are not covered under the Privacy Act.


The system contains a unique identifier for each health care provider (the NPI, which is assigned by the NPS) along with other information about the provider. This information includes other identifiers, name(s), demographic, educational/professional data, and business address data.


Sections 1173 and 1175 of the Act, as amended by Pub. L. 104-191, authorize the assignment of a unique identifier to all health care providers and the maintenance of a database on such health care providers. Sections 1874, 1816, 1842, 1876, 1880, 1881(c)(7), 1124, and 1124A of the Social Security Act authorize the assignment of a unique number to each Medicare provider and the maintenance of a database on such providers. Sections 1902(a)(4)(A), 1902(a)(6), 1902(a)(25), 1902(a)(27), 1902(a)(49), 1902(a)(59), 1903(r)(6)(H), and 1124 of the Act authorize the assignment of a unique number to each Medicaid provider and the maintenance of a database on such providers. With respect to physicians who furnish services for which Medicare payment may be made, section 1842(r) of the Act mandates such a system. Similarly, section 1834(j) of the Act requires durable medical equipment suppliers to obtain and renew a supplier number and limits the conditions under which HCFA may issue more than one number to a supplier (see section 131(a) of the 1994 Social Security Amendments). The Economy Act of 1932 as amended (31 U.S.C. 1535 and 1536) is the authority with respect to other Federal agencies.


The purpose of the system is to collect the information needed to uniquely identify an individual health care provider, to assign an NPI to that health care provider, to maintain and update the information about the health care provider, and to disseminate health care provider information in accordance with the provisions of the Privacy Act.


Section 552a(b) of the Privacy Act specifies a number of permitted releases for information held in systems of records. Section 552a(b)(3) permits an agency to identify additional routine uses, compatible with the purpose for which the information was collected, under which the information may be released without the consent of the individual to whom the information pertains. HCFA is identifying the following routine uses for information held in the National Provider System. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including, but not limited to, ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. Also, HCFA will require each prospective recipient of such information to agree in writing to certain conditions to ensure the continuing confidentiality of the information. More specifically, as a condition of each disclosure under these routine uses, HCFA will, as necessary and appropriate:

(a) Determine that no other Federal statute specifically prohibits disclosure of the information;

(b) Determine that the use or disclosure does not violate legal limitations under which the information was provided, collected, or obtained;

(c) Determine that the purpose for which the disclosure is to be made:

  1. Cannot reasonably be accomplished unless the information is provided in individually identifiable form,
  2. Is of sufficient importance to warrant the effect on, or the risk to, the privacy of the individual(s) that additional exposure of the record(s) might bring, and
  3. There is a reasonable probability that the purpose of the disclosure will be accomplished.

(d) Require the recipient of the information to:

  1. Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized access, use or disclosure of the record or any part thereof. The physical safeguards shall provide a level of security that is at least the equivalent of the level of security contemplated in OMB Circular No. A-130 (revised), Appendix III, Security of Federal Automated Information Systems which sets forth guidelines for security plans for automated information systems in Federal agencies,
  2. Remove or destroy the information that allows subject individual(s) to be identified at the earliest time at which removal or destruction can be accomplished, consistent with the purpose of the request,
  3. Refrain from using or disclosing the information for any purpose other than the stated purpose under which the information was disclosed, and

    (i) To prevent or address an emergency directly affecting the health or safety of an individual;

    (ii) For use on another project under the same conditions, provided HCFA has authorized the additional use(s) in writing; or

    (iii) When required by law;

(e) Secure a written statement or agreement from the prospective recipient of the information whereby the prospective recipient attests to an understanding of, and willingness to abide by, the foregoing provisions and any additional provisions that HCFA deems appropriate in the particular circumstances; and

(f) Determine whether the disclosure constitutes a computer ``matching program'' as defined in 5 U.S.C. 552a(a)(8). If the disclosure is determined to be a computer ``matching program,'' the procedures for matching agreements as contained in 5 U.S.C. 552a(o) must be followed.

Disclosure may be made:

  1. To Federal and Medicaid health plans that are enumerators, their agents, and the NPS registry for the purpose of uniquely identifying and assigning NPIs to providers.
  2. To entities implementing or maintaining systems and data files necessary for compliance with standards promulgated to comply with title XI, part C, of the Social Security Act.
  3. To a congressional office, from the record of an individual, in response to an inquiry from the congressional office made at the request of that individual.
  4. To another Federal agency for use in processing research and statistical data directly related to the administration of its programs.
  5. To the Department of Justice, to a court or other tribunal, or to another party before such tribunal, when

    (a) HHS, or any component thereof, or

    (b) Any HHS employee in his or her official capacity; or

    (c) Any HHS employee in his or her individual capacity, where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or

    (d) The United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, the tribunal, or the other party is relevant and necessary to the litigation and would help in the effective representation of the governmental party or interest, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected.

  6. To an individual or organization for a research, demonstration, evaluation, or epidemiological project related to the prevention of disease or disability, the restoration or maintenance of health, or for the purposes of determining, evaluating and/or assessing cost, effectiveness, and/or the quality of health care services provided.
  7. To an agency contractor for the purpose of collating, analyzing, aggregating or otherwise refining or processing records in this system, or for developing, modifying and/or manipulating automated information systems (ADP) software. Data would also be disclosed to contractors incidental to consultation, programming, operation, user assistance, or maintenance for ADP or telecommunications systems containing or supporting records in the system.
  8. To an agency of a state Government, or established by state law, for purposes of determining, evaluating and/or assessing cost, effectiveness, and/or quality of health care services provided in the state.
  9. To another Federal or state agency:

    (a) As necessary to enable such agency to fulfill a requirement of a Federal statute or regulation, or a state statute or regulation that implements a program funded in whole or in part with Federal funds.

    (b) For the purpose of identifying health care providers for debt collection under the provisions of the Debt Collection Information Act of 1996 and the Balanced Budget Act of 1997.



All records are stored on paper or magnetic media.


The records are retrieved by the NPI, employer identification number, other provider number, or as defined by query or report.


For computerized records, safeguards established in accordance with Department standards and National Institute of Standards and Technology guidelines (e.g., security codes) will be used, limiting access to authorized personnel. System securities are established in accordance with HHS, Information Resources Management (IRM) Circular #10, Automated Information Systems Security Program; and HCFA Automated Information System (AIS) Guide, Systems Security Policies; and OMB Circular No. A-130 (revised), Appendix III.


The records are retained indefinitely, except in the instance of an individual provider's death, in which case HCFA would retain such records for a 10-year period following the provider's death.


Director, Office of Information Services, Health Care Financing Administration, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.


For purpose of notification, the subject individual should write the system manager, who will require the system name, provider name, and, for verification purposes, date of birth, and medical school (if applicable), to ascertain whether or not the individual's record is in the system. (These notification procedures are in accordance with Department regulation 45 CFR part 5b.)


Same as notification procedures. Requestors should also reasonably specify the record contents being sought. (These access procedures are in accordance with the Department regulation 45 CFR 5b.5(a)(2).)


Contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)


Information from Federal health plan and Medicaid provider enrollment forms or applications that identify health care providers and give supporting information on same.



[FR Doc. 98-20093 Filed 7-27-98; 8:45 am]