
	HIPAAdvisory > HIPAAregs > Provider Identifier

Standard Unique Health Identifier for Healthcare Providers

4. Effective Date and Compliance Dates

Proposed Provisions (§ 142.410)

The May 7, 1998, proposed rule proposed the compliance dates for the standard unique health identifier for healthcare providers.

The May 7, 1998, proposed rule proposed that:

Each health plan that is not a small health plan must comply with the requirements of § 142.104 and § 142.404 by 24 months after the effective date of the final rule.
Each small health plan must comply with the requirements of§ 142.104 and § 142.404 by 36 months after the effective date of the final rule.
Each healthcare clearinghouse and healthcare provider must begin using the NPI by 24 months after the effective date of the final rule.

Comments and Responses on Effective Date and Compliance Dates

Comment: An overwhelming number of commenters requested that there be an extended period of time between the publication of the NPI final rule and the date the implementation period for the NPI would begin. Commenters stated that their resources were fully committed to millennium issues and that those resources could not be used to address the numerous changes needed to implement the NPI until after the millennium work was satisfactorily completed. Some commenters asked that we publish the final rule on Standards for Electronic Transactions before any of the other rules.

Response: Work on the millennium is complete. Many commenters are undoubtedly expending resources at this time in implementing the HIPAA Privacy Rule (65 FR 82462 and 67 FR 53182), the Transactions Rule (65 FR 50312 and 68 FR 8381), the Security Rule (68 FR 8334) and the Employer Identifier Rule (67 FR 38009). The reader should note that we published the Transactions Rule (65 FR 50312) before any of the other HIPAA final rules. The National Provider System (NPS) will be a large, complex system. Its development cannot be finalized until publication of this final rule. The NPS must operate efficiently and be capable of performing many operations. It must undergo testing to ensure proper operation of all functions and must pass a variety of stress tests. To ensure adequate time for completion of system development and testing, we set the effective date of this final rule to be 16 months after publication in the Federal Register. Covered entities will need to be in compliance no later than 24 months after the effective date (36 months for small health plans). While the purpose of this extended effective date is to allow HHS sufficient time for NPS development and testing, it will also permit healthcare entities sufficient time to accommodate changes needed in order to implement the NPI.

Final Provisions (§ 162.404)

We set the effective date and compliance dates as follows:

Effective date of this final rule. The effective date of the NPI is May 23, 2005. The effective date of this final rule marks the beginning of the implementation period for the NPI.
Compliance dates of the NPI. We adopt the requirement that covered entities (except small health plans) must obtain an NPI and must use the NPI in standard transactions no later than May 23, 2007. Small health plans must do so no later than May 23, 2008.

If the Secretary adopts a modification to this standard, the compliance date of the modification would be no earlier than the 180th day following the adoption of the modification. The Secretary would determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. The Secretary would be able to extend the time for compliance with any modification by small health plans by rulemaking, if he determines that an extension is appropriate.

5. Implementation Specifications for healthcare Providers, Health Plans, and healthcare Clearinghouses

Proposed Provisions (§ 142.404,§ 142.406, and § 142.408)

In section II. E., ‘‘Requirements,’’ of the preamble of the May 7, 1998, proposed rule (63 FR 25330), we discussed the requirements that health plans, healthcare clearinghouses, and covered healthcare providers would have to meet in implementing the NPI. The proposed regulation text, in§ 142.404, stated that health plans would be required to accept and transmit, directly or through a healthcare clearinghouse, the NPI on all standard transactions wherever required. The proposed regulation text, in § 142.406, stated that healthcare clearinghouses would be required to use the NPI wherever a standard electronic transaction requires it.

The preamble of the May 7, 1998, proposed rule (63 FR 25330) states: ‘‘In§ 142.408, Requirements: healthcare providers, we would require each healthcare provider that needs an NPI for HIPAA transactions to obtain, by application if necessary, an NPI * * *’’ Section 142.408(a) of the proposed regulation text states: ‘‘Each healthcare provider must obtain, by application if necessary, a national provider identifier.’’ The text of the proposed rule states, in § 142.408(c): ‘‘Each healthcare provider must communicate any changes to the data elements in its file in the national provider system to an enumerator of national provider identifiers within 60 days of the change.’’

Comments and Responses on Requirements for healthcare Providers, Health Plans, and healthcare Clearinghouses

We believe that the Congress intended that each healthcare provider be eligible for an NPI and intended to authorize the Secretary to require covered healthcare providers to obtain one. HIPAA requires the adoption of a standard unique health identifier for healthcare providers and directs the Secretary to specify the purposes for which the identifier may be used. The statute sets forth the maximum amount of time by which all covered entities must comply with the standards, leaving discretion to the Secretary to designate compliance dates (within the limitations of the law). We proposed in the May 7, 1998, proposed rule, and require in this final rule, that covered entities must be in compliance with the standards no later than 2 years (3 years for small health plans) from the effective date of the regulation. Thus, as of the compliance date, a covered healthcare provider must have obtained and begun to use an NPI.

Comment: Some commenters recommended that all data about a healthcare provider in the NPS be required to be updated; others stated that only certain data elements should be required to be updated. Most indicated that data needed for unique identification should be kept current. Response: In the proposed rule, the NPS was proposed to include many data elements that we have since decided not to include. (See section II. C. 2. of this preamble, ‘‘Data Elements and Data Dissemination.’’) We have decided that the NPS will consist entirely of data elements about a healthcare provider that are needed for administrative (communications) purposes and for the unique identification of the healthcare provider. We believe it is appropriate and necessary for the healthcare providers to notify the NPS of changes in their required NPS data, but, given limits on our statutory authority, we can require such notification only of covered healthcare providers. Comment: We received many comments concerning the length of time a healthcare provider should be allowed before it must notify the NPS of changes to its NPS data. Most commenters thought that the 60-day period was too long and believed a 15- to-30-day period was more appropriate.

Response: The May 7, 1998, proposed rule at § 142.408(c) proposed 60 days to allow reasonable flexibility in the time required for a healthcare provider to complete a paper form (the NPI application/update form) containing the update(s) and forward it to the NPS. We will attempt to design the NPS to be responsive and easy to use. We will consider a design that will allow a healthcare provider (or possibly a healthcare provider’s authorized representative (see section II. B. 2.,‘‘healthcare Provider Enumeration,’’ of this preamble)) to communicate the healthcare provider’s changes directly into the NPS over the Internet, using a secure Web-based transaction. A paper form (the NPI application/update form) will be developed for this same purpose and will be available from the NPS and from the CMS Web site (http:// www.cms.hhs.gov) for use by healthcare providers. We realize that many healthcare providers may prefer to send electronic updates if the capability exists. According to the majority of commenters, healthcare providers should be required to communicate changes in their NPS data in far less than 60 days. We agree. Therefore, we adopt in this final rule a requirement that covered healthcare providers notify the NPS of changes in their required NPS data within 30 calendar days of the changes (§ 162.410(a)(4)).

Comment: Several commenters indicated that health plans will need to know about changes in healthcare provider information. Commenters did not believe it would be fair for healthcare providers to have to notify both the NPS and the health plans in which they are enrolled of changes.

Response: We agree that health plans will need to know of changes in the data associated with their enrolled healthcare providers. Most health plans collect more information about a healthcare provider than the NPS will collect. Therefore, we expect that health plans will still require healthcare providers to notify them of changes in this information. The NPS will have the capability to provide listings or reports of changes in NPS data in accordance with section II. C. 2. of this preamble,‘‘Data Elements and Data Dissemination.’’

Comment: Several commenters stated that the NPS should be required to apply updates within a specified period of time after receipt of the updated information from a healthcare provider.

Response: We expect that the update process will be designed in a way that will allow the system to process updates within a reasonable timeframe (for example, 10 business days from receipt). The volume of updates at any given time may impact system performance. If changes are unable to be made (for example, the healthcare provider furnishing updates does not appear to match any healthcare provider in the NPS), the healthcare provider will receive a message that will indicate why the NPS is unable to update the record. The message will request that the problem be resolved and the information be resubmitted.

Comment: Several commenters asked if health plans should take any action to notify the NPS of changes to healthcare provider data if they become aware of these changes.

Response: Although health plans would not be required to provide information to the NPS to update healthcare provider data, we encourage health plans to instruct and remind their enrolled healthcare providers to notify the NPS of changes in their data.

Comment: There were numerous comments about penalties for non-use of the NPI:

If NPIs could not be assigned to covered healthcare providers before the compliance date for those healthcare providers, and sufficiently ahead of that time to enable the healthcare providers to be capable of using the NPI in standard transactions, penalties should not be enforced for nonuse of the NPI.
Sufficient time should elapse to ensure adequate experience in using the NPI before penalties are assessed.
Financial penalties for noncompliance should not be assessed until 1 year after the NPI compliance dates.
The method of enforcing compliance with the standard should be made public.
The penalties for nonuse of a single standard and nonuse of multiple standards should be clarified.
When noncompliance forces nonpayment, the entity expecting payment will resolve the issue.

Response: NPIs will be assigned to healthcare providers as quickly as possible and within the parameters of the performance criteria that are in effect. (See earlier comment and response for additional information.) HHS is preparing, and has issued in part, a separate regulation on enforcement of the HIPAA standards. This regulation is expected to address all but perhaps the last concern of these commenters. The regulation cannot place requirements on entities that are not covered entities, and the entities involved in the situation described in the last bullet may not be covered entities.

Comment: Many commenters suggested that (1) healthcare providers not be required to use the NPI within the first year after the effective date of its adoption, although willing trading partners could use the NPI by mutual agreement at any time after the effective date; and (2) health plans should give their healthcare providers at least 6 months’ notice before requiring them to use the NPI.

Response: Upon the effective date of the adoption of this standard (which will be 16 months after the date it is published), healthcare providers may apply for NPIs. Covered entities (except for small health plans) must begin using the NPI in standard transactions no later than 24 months after the effective date. (Small health plans have 36 months to begin using NPIs.) These are statutory requirements that we have incorporated into this final rule. We believe these timeframes enable more than sufficient time for covered healthcare providers to become aware of their responsibilities under this final rule, to apply for and be assigned their NPIs, and to complete work needed to begin using their NPIs. Applying for an NPI up to 18 months after the effective date of the adoption of this standard will still give healthcare providers 6 months before the statutory compliance date arrives. We encourage health plans to give healthcare providers 6 months’ notice before requiring them to use NPIs; however, we do not require that action by the health plans. How soon healthcare providers could use NPIs would depend on when they obtained the NPIs, and health plans have no direct control over that action.

We encourage all parties to work together to ensure a smooth transition.

Final Provisions (§ 162.410, § 162.412,§ 162.414)

All healthcare providers are eligible for NPIs.

We require each covered healthcare provider to obtain an NPI from the NPS, by application if necessary, for itself and for its subparts, if appropriate, and to use its NPI in standard transactions. Covered healthcare providers must disclose their NPIs to other entities that need those healthcare providers’ NPIs for use in standard transactions. Covered healthcare providers must communicate to the NPS any changes in their required data elements within 30 days of the change. If covered healthcare providers use business associates to conduct standard transactions on their behalf, they must require their business associates to use NPIs appropriately as required by the transactions the business associates conduct on its behalf.

Situations exist in which a standard transaction must identify a healthcare provider that is not a covered entity. An organization healthcare provider subpart may need to be identified in a standard transaction but the organization healthcare provider may not be required to obtain an NPI for the subpart. A noncovered healthcare provider may or may not have applied for and received an NPI. In the latter case, and in the case of the subpart described above, an NPI would not be available for use in the standard transaction. We encourage every healthcare provider to apply for an NPI, and encourage all healthcare providers to disclose their NPIs to any entity that needs that healthcare provider’s NPI for use in a standard transaction. Obtaining NPIs and disclosing them to entities so they can be used by those entities in standard transactions will greatly enhance the efficiency of healthcare transactions throughout the healthcare industry. If subparts are assigned NPIs, the covered healthcare provider must ensure that the subpart’s NPI is disclosed, when requested, to any entity that needs to use the subpart’s NPI in a standard transaction.

Here are examples that illustrate the desirability for a healthcare provider that is not required to be enumerated to obtain and disclose an NPI:

A pharmacy claim that is a standard transaction must include the identifier (which, as of the compliance date, would be the NPI) of the prescriber. Therefore, the pharmacy needs to know the NPI of the prescriber in order to submit the pharmacy claim. The prescriber may be a physician or other practitioner who does not conduct standard transactions. The prescriber is encouraged to obtain an NPI so it can be furnished to the pharmacy for the pharmacy to use on the standard pharmacy claim.
A hospital claim is a standard transaction and it may need to identify an attending physician. The attending physician may be a physician who does not conduct standard transactions. The physician is encouraged to obtain an NPI so it can be furnished to the hospital for the hospital to use on the standard institutional claim.

In the examples above, the NPI of a healthcare provider that is not a covered entity is needed for inclusion in a standard transaction. The absence of NPIs when required in those claims by the implementation specifications may delay preparation or processing of those claims, or both. Therefore, we strongly
encourage healthcare providers that need to be identified in standard transactions to obtain NPIs and make them available to entities that need to use them in those transactions.

Under § 162.410 (Implementation specifications: healthcare providers), we require each covered healthcare provider to:

Obtain from the NPS, by application if necessary, an NPI for itself and, if appropriate, for its subparts.
Use the NPI it obtained from the NPS to identify itself in all standard transactions that it conducts where its healthcare provider identifier is required.
Disclose its NPI, when requested, to any entity that needs the NPI to identify that healthcare provider in a standard transaction.
Communicate to the NPS any changes to its required data elements in the NPS within 30 days of the change.
If it uses one or more business associates to conduct standard transactions on its behalf, require its business associate(s) to use its NPI and the NPIs of other healthcare providers appropriately as required by the transactions the business associate(s) conducts on its behalf. (For example, a claim for a laboratory service will require the NPI of the laboratory and may also require the NPI of the referring physician. If a business associate prepares the laboratory claim, the business associate must use the laboratory’s and the referring physician’s NPIs. If the business associate does not already know the NPI of the referring physician, it may have to contact the referring physician to obtain his or her NPI.)
If it has been assigned NPIs for one or more subparts, comply with the above requirements with respect to each of those NPIs.

Under § 162.412 (Implementation specifications: Health plans), we require health plans to: use the NPI of any healthcare provider (including subparts of organization healthcare providers) that has been assigned an NPI to identify that healthcare provider (or subpart) in all standard transactions where the healthcare provider’s (or subpart’s) identifier is required. Health plans may not require healthcare providers that have been assigned NPIs to obtain additional NPIs.

Under § 162.414 (Implementation specifications: healthcare clearinghouses), we require healthcare clearinghouses to use the NPI of any healthcare provider (including subparts of organization healthcare providers) that has been assigned an NPI to identify that healthcare provider (or subpart) in all standard transactions where that healthcare provider’s (or subpart’s) identifier is required.