HIPAA: National Identifiers

To find more information about the National Provider Identifier (NPI), click: NPI


HIPAA includes provisions for four national identifiers: employer, provider, health plan and patient. The employer identifier has been adopted and is now in effect. The provider identifier has been adopted, the enforcement date passed and the industry continues work to adopt the number following the contingency period established by the Center for Medicare and Medicaid Services (CMS) ending May 22, 2008. CMS has not published a draft rule defining a national health plan identifier and has indicated rule development is not a priority. The national patient identifier rule development has been placed on hold indefinitely.

The development of a draft rule that designates a national patient ID has been placed on hold indefinitely. Given all of the problems with social security numbers and identity theft, patients are not supportive of the idea of the adoption of yet another identifier that may result in medical identity theft. Also, adoption of such a number has been deemed politically unpalatable by Congress and HHS. The lack of a common identifier is causing problems as the industry moves forward with expanding electronic health information exchange, but the problem will likely not be addressed under the HIPAA umbrella, at least at this point in time.

Back to Top

Identifiers: Employer

When claims are filed, employer information is used by health plans to identify the employer of the participant in the health plan and to develop coordination of benefits (COB) information. Employers may transmit information to health plans when enrolling or un-enrolling an employee as a participant in a health plan. Employers, health care providers, and health plans may need to identify the source or receiver of eligibility or benefit information.

Although the source or receiver is usually a health plan, it could be an employer. Employers, providers and health plans may need to identify the employer when making or keeping track of health plan premium payments or contributions relating to an employee. In all cases where information about the employer is transmitted electronically, it would be beneficial to identify the employer using a standard identifier.

The US Department of Health and Human Services (DHHS) adopted as the standard the employer identification number (EIN), which is assigned by the Internal Revenue Service (IRS). The EIN is the taxpayer identifying number of an individual or entity (whether or not an employer) and is nine digits separated by a hyphen, as follows: 00-0000000.

Back to Top

Identifiers: Provider

In order to administer their programs, HHS, other federal agencies, state Medicaid agencies and private health plans assigned identification numbers to the providers with whom they transact business. These various agencies and health plans, all of which are classified as health plans under HIPAA, routinely, and independently of each other, assigned identifiers to providers for program management and operations purposes. The identifiers or legacy numbers are frequently not standardized within a single health plan or across plans.

This lack of uniformity resulted in a single health care provider needing to track and use different numbers for each program and often multiple billing numbers for the same program, significantly complicating provider claims submission processes. In addition, non-standard identifier assignment or enumeration contributes to the potential for unintentional issuance of the same identification number to different health care providers.

Most health plans have to be able to coordinate benefits with other health plans to ensure appropriate payment. The lack of a single and unique identifier for each provider within each health plan and across health plans, based on the same core data, made exchanging data expensive and difficult.

All of these factors indicate the complexities of exchanging information related to providers within and among organizations and result in increasing numbers of claims-related problems and increasing costs of data processing. As the industry becomes more dependent on data automation and proceeds with health care planning now and in the future, the need for a universal, standard provider identifier becomes more and more evident.

In addition to overcoming communication and coordination difficulties, use of a standard, unique provider identifier enhances the industry’s ability to eliminate fraud and abuse in health care programs.

  • Potentially payments for excessive or fraudulent claims can be reduced by standardizing enumeration, which would facilitate sharing information across programs or across different parts of the same program.
  • A provider’s identifier would not change with moves or changes in specialty. This facilitates tracking of fraudulent provider claims over time and across geographic areas.
  • A provider would receive only one identifier and would not be able to receive duplicate payments from a program by submitting claims under multiple provider identifiers.
  • A standard identifier would facilitate access to sanction information.

HHS elected not to use the Universal Provider Identification Number (UPIN) commonly used by Medicare authorized providers. HHS also ruled out the use of tax identification and social security numbers (SSN) because of inconsistency (some provider organizations are not tax entities) and for personal privacy issues related to using an individual’s SSN.

The HHS Center for Medicare and Medicaid Services (CMS) elected to work with the industry to develop a unique provider numbering system that would eventually result in the adoption of the National Provider Identifier Rule. Active participants in advising CMS during identifier standard and rule development included the public and private sector. The new identifier numbering system, known as the National Provider Identifier (NPI), did not have the limitations of the existing identifiers and it met the criteria that had been recommended by the Workgroup for Electronic Data Interchange (WEDI) and the American National Standards Institute (ANSI).

CMS promulgated the rule that defines the requirements of the new NPI and developed a repository, the National Plan and Provider Enumeration System (NPPES), which is used to capture health care provider data and is equipped with the technology necessary to maintain and manage the data. The NPPES was designed to be able to accept health care provider data in a way that uniquely identifies a health care provider and assigns the provider an NPI.

Two categories of health care providers are defined in the final rule for enumeration purposes which was finalized January 23, 2004, with an effective date of May 23, 2007.

  • NPIs with an ‘‘Entity type code’’ of 1 are issued to health care providers who are individual human beings. This type of NPI is generally called an individual NPI. Examples of health care providers with an ‘‘Entity type code’’ of 1 are physicians, dentists, nurses, chiropractors, pharmacists, and physical therapists. For this entity type code, the NPI serves as a permanent identifier, assigned for life, unless circumstances justify deactivation, such as a health care provider who finds that his or her NPI has been used fraudulently by another individual or entity.
  • NPIs with an ‘‘Entity type code’’ of 2 are issued to health care providers other than individual human beings, that is, organizations or parts of organizations. Examples of health care provider organizations with an ‘‘Entity type code’’ of 2 are: hospitals, home health agencies, clinics, skilled nursing facilities, laboratories, ambulance companies, pharmacies, group practices, suppliers of durable medical equipment, etc. The Type 2 NPI is commonly referred to as a subpart NPI. This type of entity may have subparts which are not in and of themselves legal entities. The legal entity is the organization health care provider of which they are a subpart.
  • It needs to be noted that providers governed when a subpart or Type 2 NPI was needed. This is not something that could be mandated by a health plan, including the states and CMS. The only exception is in the area of durable medical equipment (DME). Because of other existing federal laws, CMS did have the authority to require health care provider organizations to assign a subpart number to DME organizational subparts.
  • The standard unique identifier for health care providers is the NPI. The NPI is a 10-position numeric identifier, with a check digit in the 10th position, and no intelligence about the health care provider in the number. NPI’s begin with either a 1 or a 2 so there are up to 200 million numbers for providers.
  • The National Plan and Provider Enumeration System (NPPES) does the following:

(a) Assign a single, unique NPI to a provider or subpart provided that sufficient information is supplied to uniquely identify that provider or subpart.

(b) Collect and maintain information about each provider that has been assigned an NPI and perform tasks necessary to update that information (providers are required to update any required information within 30 days of any change).

(c) If appropriate, deactivate an NPI upon receipt of information concerning the dissolution of the health care provider that is an organization, the death of the health care provider who is an individual or other circumstances justifying deactivation.

(d) If appropriate, reactivate a deactivated NPI upon receipt of appropriate information.

(e) Not assign a deactivated NPI to any other health care provider.

(f) Disseminate what has been deemed appropriate NPPES stored provider information upon request (available through an alternate database effective September 6, 2007).

(g) Assign an NPI to a subpart of a health care provider on request if the identifying data for the subpart are unique.

  • A separate CMS maintained database has been implemented that contains most of the information stored in NPPES. Because the NPI information is available under the Freedom of Information Act (FOIA) to anyone who requests it, CMS elected not to include individual tax identification numbers, social security numbers and date of birth in the publicly available database.
  • A download of the CMS NPI database will be available one week after the availability of on-line access.
  • NPPES can be accessed at https://nppes.cms.hhs.gov/

Back to Top

Identifiers: Health Plan

No standard has been set for identifying health plans but there are indications that the same numbering methodology established for the NPI will be used for the national health plan identifier except that the number would begin with an 8. It is expected the NPPES will be used to enumerate plans as well. At this time, CMS has indicated that the development of the national health plan identifier standard is not a priority and no time line has been set to begin work on the draft rule.

Back to Top

Identifiers: Patient

Congress and CMS have elected to place a permanent hold on developing a national patient identifier. This may change given the push to move to expanded health information exchange because unique patient identification is a critical issue, but it is unlikely that a national patient identifier will be the solution any time soon.

Back to Top

v2 2016