
	HIPAAdvisory > HIPAAregs > Final Provider Identifier

Standard Unique Healthcare Provider Identifier

V. Regulatory Impact Analysis

A. Overall Impact

We have examined the impacts of this final rule as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96–354), section 1102(b) of the Social Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104–4), and Executive Order 13132. Executive Order 12866 (as amended by Executive Order 13258, which merely reassigns responsibility of duties) directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects (costs plus savings equal $100 million or more in any one year). We consider this final rule to be a major rule, as it will have an impact of over $100 million on the economy. This impact analysis shows a net savings of $526 million over a 5-year period. The RFA requires agencies to analyze options for regulatory relief of small businesses. For purposes of the RFA, nonprofit organizations are considered small entities. Small government jurisdictions with a population of less than 50,000 are considered small entities. Individuals and States are not considered small entities. Most hospitals and most other providers and suppliers are small entities, either by nonprofit status or by having annual revenues of less than the threshold published in regulations by the Small Business Administration (SBA). Effective October 1, 2000, the SBA no longer used the Standard Industrial Classification (SIC) System to categorize businesses and establish size standards, and began using industries defined by the new North American Industry Classification System (NAICS). The NAICS made several important changes to the Health Care industries listed in the SIC System: it revised terminology, established a separate category (Health Care and Social Assistance) under which many health care providers are located, and increased the number of Health Care industries to 30 NAICS industries from 19 Health Services SIC industries.

On November 17, 2000, the SBA published a final rule, which was effective on December 18, 2000, in which the SBA adopted new size standards, ranging from $5 million to $25 million, for 19 Health Care industries and retained the existing $5 million size standard for the remaining 11 Health Care industries. The revisions were made to more appropriately define the size of businesses in these industries that SBA believes should be eligible for Federal small business assistance programs. On August 13, 2002, the SBA published a final rule that was effective on October 1, 2002. The final rule amended the existing SBA size standards by incorporating OMB's 2002 modifications to the NAICS into its table of small business size standards. The final rule did not affect industries that are considered covered entities by this final rule. On September 6, 2002, the SBA published a final rule (effective October 1, 2002) that corrected the August 13, 2002, final rule. The final rule corrected errors in the August 13, 2002, final rule and contained a new table of size standards to clearly identify size standards by millions of dollars and by number of employees. Some of those revisions in size standards affected some of the entities that are considered covered entities under this final rule. For example, the SBA revisions increased the annual revenues for offices of physicians to $8.5 million (other practitioners' offices' revenues remained at $6 million) and increased the small business size standard for hospitals to $29 million in annual revenues. The regulatory flexibility analysis for this final rule is linked to the aggregate regulatory flexibility analysis for all the Administrative Simplification standards that appeared in the Transactions Rule (65 FR 50312), published on August 17, 2000, which predated the SBA changes noted above. In addition, all HIPAA regulations published to date have used the SBA size standards that existed at the time of the publication of the Transactions Rule. Because the SBA size standard changes predate the effective date of this final rule, we are using the current SBA small business size standards for the regulatory flexibility analysis for this final rule. Although the SBA has raised the small business size standards, the revised size standards have no effect on the cost and benefit analysis for this final rule. The revised standards simply increase the number of health care providers that are classified as small businesses. Although the SBA revisions changed the size standard for health plans by increasing from $5 million to $6 million in annual revenues the small business size standard, this change has a minimal effect on this final rule. Because all HIPAA administrative simplification regulations permit small health plans an additional year in which to comply with the implementation specifications and requirements, a greater number of small health plans would have the additional year, due to the SBA size standard revisions. While each standard may not have a significant impact on a substantial number of small businesses, the combined effects of all the standards are likely to have a significant effect on a substantial number of small businesses. However, this final rule will affect small businesses, such as small health care providers, health plans, and health care clearinghouses, in much the same way as it affects large businesses. Small businesses that are covered entities must meet the provisions of this final rule and implement the standard unique health care provider identifier standard. The requirements placed on small health care providers, health care clearinghouses, and health plans would be consistent with the complexity of their operations. Small health plans have an additional year in which to comply. A more detailed analysis of the impact on small businesses is part of the impact analysis that we published on August 17, 2000 (65 FR 50312), for all the HIPAA standards. In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform tothe provisions of section 604 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a Metropolitan Statistical Area and has fewer than 100 beds. This final rule will have no more significant impact on small rural hospitals than it will have on other small health care providers. Section 202 of the Unfunded Mandates Reform Act (UMRA) of 1995 (2 U.S.C. 1532) requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditure in any one year by State, local, or tribal governments, in the aggregate, or by the private sector, of $110 million. This final rule establishes a Federal private sector mandate and is a significant regulatory action within the meaning of section 202 of UMRA. We have included the statements to address the anticipated effects of this final rule under section 202 of UMRA. This standard applies to State and local governments in their roles as covered entities. Covered entities must implement the requirements in this final rule; thus, this final rule imposes unfunded mandates on them. Further discussion of this issue is found in the previously published impact analysis for all Administrative Simplification standards (65 FR 50312).

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. The proposed rule that proposed the NPI as the standard unique health identifier for health care providers was published prior to the signing of that Executive Order. We could not solicit comments on the effect of Executive Order 13132 on the adoption of the health care provider identifier standard. This final rule will have a substantial effect on State and local governments to the extent that those entities are covered entities. As early as 1993, CMS (then the Health Care Financing Administration) led a workgroup whose goal was to develop a provider identification system for all health care providers. The system was intended to meet the needs of the Medicare and Medicaid programs, and eventually other programs. State Medicaid agencies in Alabama, California, Minnesota, Virginia and Maryland participated in this effort, along with representatives from the private sector and several other Federal agencies. The first task of the workgroup was to decide if an existing identifier could be used or if a new one needed to be developed. The workgroup developed criteria for a unique provider identifier, examined existing identifiers, and concluded that a new identifier needed to be developed. The workgroup developed the NPI, and we proposed the NPI as the standard unique health identifier for health care providers in the proposed rule. States continue to hold memberships on the National Uniform Claim Committee and the National Uniform Billing Committee, and continue to be represented in the X12N and Health Level Seven standards development organization workgroups and committees. As a result, States have in the past, and continue to have, input into the development of new standards and the modification of existing standards. As stated in the previously published impact analysis in 65 FR 50312, we do not have sufficient information to provide estimates of the impact of the administrative simplification standards on local governments. In complying with the requirements of part C of title XI, the Secretary established interdepartmental implementation teams who consulted with appropriate State and Federal agencies and private organizations. These external groups included the NCVHS's Subcommittee on Standards and Security, the Workgroup for Electronic Data Interchange (WEDI), the National Uniform Claim Committee (NUCC), the National Uniform Billing Committee (NUBC), and the American Dental Association (ADA). The teams also received comments on the May 7, 1998, proposed regulation from a variety of organizations, including State Medicaid agencies and other Federal agencies. We received comments from State agencies and from entities that conduct transactions with State agencies. Many of the comments referred to the costs to State and local governments of implementing the HIPAA standards. We believe that these costs will be offset by future savings (see the impact analysis of 65 FR 50350). Other comments regarding States reflected the need for clarification as to when State agencies were subject to the standards.

B. Anticipated Effects

The Regulatory Flexibility Act of 1980 considers all 31 nonprofit Blue Cross-Blue Shield Health Plans to be small businesses. Additionally, 28 percent of HMOs are considered small businesses because of their nonprofit status. Doctors of osteopathy, dentistry, podiatry, as well as chiropractors, and solo and group physicians' offices with fewer than three physicians, are considered small businesses. Forty percent of group practices with three or more physicians and 100 percent of optometrist practices are considered small businesses. Seventy-two percent of all pharmacies, 88 percent of medical laboratories, 100 percent of dental laboratories, and 90 percent of durable medical equipment suppliers are assumed to be small businesses as well. This analysis required that we use data and statistics about various entities that operate in the health data information industry. We believe the best source for information about the health data information industry is Faulkner & Gray's Health Data Directory. This publication is the most comprehensive
data directory of its kind that we could find. The information in this directory is gathered by Faulkner & Gray editors and researchers who called all of the more than 3,000 organizations that are listed in the book in order to elicit information about their operations. Some businesses are listed as more than one type of business entity because, in reporting the information, companies could list themselves to be as many as three different types of entities. For example, some businesses listed themselves as both practice management vendors and claims software vendors because their practice management software was "EDI enabled." All the statistics referencing Faulkner & Gray's come from the 2000 edition of its Health Data Directory. It lists 78 claims clearinghouses, which, according to the Health Data Directory are entities that generally take electronic and paper health care claims data from health care providers and billing companies that prepare bills on a health care provider's behalf. The claims clearinghouse acts as a conduit for health plans; its activities may include batching claims and routing transactions to the appropriate health plan in a form that expedites payment. Of the 78 claims clearinghouses listed in this publication, eight processed more than 20 million electronic transactions per month. Another 15 handled 2 million or more transactions per month and another 4 handled over a million electronic transactions per month. The remaining 39 entities listed in the data dictionary processed fewer than a million electronic transactions per month. Almost all of these entities have annual revenues of under $6 million and would therefore be considered small entities. Software system vendors provide computer software applications supportto health care clearinghouses, billing companies, and health care providers. In particular, they work with health care providers' practice management and health information systems. These businesses provide integrated software applications for such services as accounts receivable management, electronic claims submission (patient billing), recordkeeping, patient charting, practice analysis, and patient scheduling. Some software vendors also provide applications that translate information on paper and information in electronic records having no standard formats into standard electronic formats that are acceptable to health plans. Faulkner & Gray lists 78 physician practice management vendors and suppliers, 76 hospital information systems vendors and suppliers, 140 software vendors and suppliers for claims-related transactions, and 20 translation vendors (now known as Interface Engines/Integration Tools). We were unable to determine the number of these entities with revenues over $6 million, but we assume most of these businesses would be considered small entities. The costs of implementing the NPI are primarily one-time or short-term costs related to conversion. These costs are characterized as follows: software conversion, cost of automation, training, implementation, and cost of documentation and implementation guides. As stated earlier in this final rule, health care providers will not be charged for obtaining an NPI. Covered health care providers will have to apply for NPIs and will have to furnish updates to the NPS when their required data changes. (However, if health care providers are enumerated through the bulk enumeration process described earlier in this preamble, they will not have to apply for NPIs, and they will be notified of their NPIs. Those that are covered health care providers will have to furnish updates to the NPS when their required data changes and will have to ensure that their subparts, if assigned NPIs via bulk enumeration or otherwise, do the same. These burden estimates are discussed in section IV, "Collection of Information Requirements," of this preamble.) In addition, covered health care providers will have to bear the costs of converting to the NPI, as will health plans and health care clearinghouses. Health plans, health care clearinghouses, and covered health care providers are required to implement the NPI. Most of these entities meet the SBA's definition of small entities. Health plans, health care clearinghouses, and health care providers who are covered entities must use NPIs in standard transactions and must make the necessary changes and conversions in order to do so. Conversion will require training for staff and will require changes to documentation, procedures, records, and software. Some covered health care providers that do not already do so may choose to use the services of software system vendors, billing companies, and/or health care clearinghouses to facilitate the transition to the NPI. While there may be up-front costs associated with some of the required changes, the fact that only one health care provider number (the NPI) will be used in standard transactions will simplify business, improve efficiency, and create savings. The format of the NPI (all numeric) will facilitate telephone keypad entry; the check-digit in the 10th position will detect keying and data entry errors; and the lack of intelligence built into the NPI will eliminate the need to issue a new health care provider number (and maintain records of such issuances) whenever changes occur that would impact that intelligence.

After being assigned NPIs, covered health care providers will have to furnish the NPS with updates to their required NPS data in the NPS within 30 days of the changes. It is very likely that the NPS data will duplicate some of the information that health care providers furnish to health plans when they enroll in health plans (although health plans traditionally collect far more information about a health care provider than the NPS will collect). Because health care providers must keep health plans apprised of updates to their data, the requirement that covered health care providers apprise the NPS of updates should not be a significant burden on those health care providers.

The extended effective date of the NPI should allow sufficient time for health plans, health care clearinghouses, and health care providers who are covered entities to implement the changes needed to accommodate the NPI. Lastly, HIPAA gives small health plans an extra year (36 months instead of 24 months from the effective date) in which to implement the NPI.

The May 7, 1998, proposed rule for the National Provider Identifier (NPI) contained a cost-benefit analysis based on the aggregate impact of all the HIPAA administrative simplification standards for electronic data interchange (EDI). The Comment/Response section related to the proposed aggregate analysis, and a final aggregate impact analysis, are contained in the Transactions Rule at 65 FR 50345. We address the specific impact of the NPI in section V.D. of this preamble, "Specific Impact of the NPI."

C. Alternatives Considered Guiding Principles for Standard Selection

As explained in the May 7, 1998, proposed rule (at 63 FR 25323), the implementation teams charged with designating standards under the statute defined, with significant input from the health care industry, a set of common criteria for evaluating potential standards. These criteria are based on direct specifications in HIPAA, the purpose of the law, and principles that support the regulatory philosophy set forth in Executive Order 12866 of September 30, 1993, and the Paperwork Reduction Act of 1995. These criteria also support and are consistent with the principles of the Paperwork Reduction Act of 1995. In order to be designated as a standard, a proposed standard should:

Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic HIPAA health care transactions. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden.
Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses. This principle supports the regulatory goal of cost-effectiveness.
Be consistent and uniform with the other HIPAA standards—their data element definitions and codes and their privacy and security implementation specifications—and, secondarily, with other private and public sector health data standards. This principle supports the regulatory goals of consistency and avoidance of incompatibility, and it establishes a performance objective for the standard.
Have low additional development and implementation costs relative to the benefits of using the standard. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden.
Be supported by an ANSI-accredited standards developing organization or other private or public organization that will ensure continuity and efficient updating of the standard over time. This principle supports the regulatory goal of predictability.
Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster. This principle establishes a performance objective for the standard.
Be technologically independent of the computer platforms and transmission protocols used in HIPAA health transactions, except when they are explicitly part of the standard. This principle establishes a performance objective for the standard and supports the regulatory goal of flexibility.
Be precise and unambiguous, but as simple as possible. This principle supports the regulatory goals of predictability and simplicity.
Keep data collection and paperwork burdens on users as low as is feasible. This principle supports the regulatory goals of cost-effectiveness and avoidance of duplication and burden.
Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and health care provider types) and information technology. This principle supports the regulatory goals of flexibility and encouragement of innovation.

We assessed the various candidates for a health care provider identifier against the principles listed above, with the overall goal of achieving the maximum benefit for the least cost. We found that the NPI met all the principles and that no other candidate identifier met all the principles, or even those principles supporting the regulatory goal of cost-effectiveness. We received comments suggesting that we consider or reconsider the Taxpayer Identifying Number or the Social Security Number for individual health care providers and the Employer Identification Number for organizations as the standard unique health identifier for health care providers. We responded to these comments in section II. A. 3. of this preamble, "NPI Standard."

One possible alternative in the development of the identifier was to allow intelligence to be included in it. We rejected this alternative on qualitative grounds because it meant that individuals might get more than one identifier in their lifetimes. Cost considerations also contributed to our decision.

If intelligence were built into the identifier, the operating cost of the enumeration system would rise for several reasons. First, additional information would need to be collected and verified so that the intelligence in the identifier would be accurate. Secondly, new identifiers for individuals and organizations would need to be assigned because the embedded intelligence would change. The cost to health plans would also increase. First, their systems might need to be adapted to use the intelligence in the identifier. Secondly, they would have to keep track of the more frequent changes in identifiers, and revise their processes accordingly.

An intelligent identifier would also be more expensive for health care providers. They would have to reapply for identifiers if the information in the intelligence changed. Additionally, they would have to revise their systems to change their identifiers every time they changed.

These quantitative reasons support our choice not to include intelligence in the identifier.

Need to Convert

Because there is no standard health care provider identifier in widespread use throughout the industry, adopting any of the candidate identifiers would require covered entities to convert to the new standard. In the case of the NPI, covered entities will have to convert because this identifier is not in use presently. As we pointed out in the May 7, 1998, proposed rule in our analysis of the candidates, even the identifiers that are in use are not used for all purposes or for all health care provider classifications. The selection of the NPI does not impose a greater burden on the industry than the nonselected candidates, and presents significant advantages in terms of cost-effectiveness, universality, uniqueness, and flexibility.

Complexity of Conversion

Some existing health care provider identifier systems assign multiple identifiers to a single health care provider in order to distinguish the multiple identities the health care provider has in the system. For example, in these systems, the health care provider may have a different identifier to represent each contract or provider agreement, practice location, and specialty or health care provider classification. Since the NPI is a unique identifier for a health care provider, it will not distinguish these multiple identities. Systems that need to distinguish these identities will need to use data other than the NPI to do so. The change to using other data will add complexity to the conversion to the NPI (or to any other standard health care provider identifier), but it is necessary in order to achieve the goal of unique identification of the health care provider.

The complexity of the conversion will also be significantly affected by the degree to which health plans' processing systems currently rely on intelligent identifiers. For example, a health plan may route claims to different processing routines based on the type of health care provider by keying on a health care provider type code included in the identifier. Converting from one unintelligent identifier to another is less complex than modifying software logic to obtainneeded information from other data elements. However, the use of an unintelligent identifier is required in order to meet the guiding principle of ensuring flexibility.

Specific technology limitations of existing systems could affect the complexity of conversion. For example, some existing health care provider data systems use a telephone keypad to enter data. Data entry of alpha characters is inconvenient in these systems.

Comments were strong in suggesting that the NPI be an all-numeric identifier, be 10 positions in length, and include a check-digit in the 10th position. (See section II. A. 3. of this preamble, "NPI Standard," for a full description of comments on the characteristics of the identifier.) As stated in that section, in response to comments, we changed the format of the NPI to an all-numeric number, 10 positions in length, with a check-digit in the 10th position. There will be no intelligence about the health care provider in the number. This format satisfies the comments for easier data entry and the need for a number that will be short enough to fit into most existing data formats. The selection of the NPI does not impose a greater burden on the industry than the nonselected candidates.