The National Provider Identifier (NPI) replaced multiple provider identifiers used previously by different payers, thereby providing a uniform standard identifier for all providers nationwide. It does not contain embedded information about the provider, such as location or specialization, and does not identify patients. A study published in Clinical Nurse Specifications puts it simply, “The NPI is a unique, unduplicated, 10-digit identification number used to identify healthcare providers who practice in HIPAA covered entities.”
Protected health information (PHI) is defined by HIPAA as information that is related to an individual's past, present, or future health conditions or healthcare and that identifies the individual or could reasonably be used to identify the individual. HIPAA provides a set of specific identifiers that, when linked with health information, qualify the information as PHI. These identifiers include patient names, addresses, birth dates, Social Security numbers, and medical record numbers. The main aspect is that PHI relates to identifiable information about the patient's health or care.
The NPI differs from PHI because it identifies healthcare providers, not patients. It is designed solely to identify the entity delivering healthcare services in electronic transactions, such as billing and claims processing.
What is the National Provider Identifier (NPI)?
The NPI is a 10-digit numeric identifier that is assigned to healthcare providers nationwide, including individual practitioners, group practices, hospitals, nursing homes, pharmacies, and other healthcare entities. A Chapter on HIPAA compliance in StatPearls notes, “The NPI is devoid of any embedded intelligence and does not carry additional meaning. NPI is unique and national, never reused, and, with the exception of institutions, a provider typically has only 1 NPI.”
This design ensures that the NPI is a neutral, unique number that solely serves the function of standard identification across all electronic transactions. Providers typically have a single NPI, but healthcare organizations or institutions may have multiple NPIs to identify different sub-parts or business units, such as surgery centers or specialized clinics within larger facilities.
The NPI replaces previous provider identifiers used by Medicare, Medicaid, and other health plans; however, it does not replace other regulatory identifiers such as the Drug Enforcement Agency (DEA) number, state license numbers, or tax identification numbers, which continue to serve their distinct purposes.
See also: What are the 18 PHI identifiers?
Types of NPI
The NPI has two main types, known as NPI-1 and NPI-2, which are used to uniquely identify healthcare providers in the United States. These two types serve different purposes and are assigned based on the provider's characteristics.
NPI-1 (Type 1 NPI)
NPI-1 is the individual NPI. It is assigned to healthcare providers who are individual practitioners, such as physicians, dentists, psychologists, nurses, and other sole practitioners. Each individual provider receives a unique 10-digit NPI that remains constant throughout their career, regardless of changes in practice location or employment status.
NPI-2 (Type 2 NPI)
NPI-2 is the organization NPI. It is assigned to healthcare organizations, such as hospitals, clinics, group practices, nursing homes, and other healthcare facilities. This type of NPI is used for billing on behalf of the organization and represents the entity as a whole.
Is the NPI considered PHI?
As the NPI is linked to providers and health care organizations, not to individuals receiving care, it does not fall within the scope of information that HIPAA’s Privacy Rule protects as PHI. The Privacy Rule aims to protect health information linked to patients, ensuring confidentiality and limiting unauthorized disclosures. Since the NPI lacks any patient-identifying or health condition information, it does not meet the criteria for PHI and is not covered by those specific privacy requirements.
While the NPI itself is not PHI, it is still subject to proper management and security under HIPAA because it is used in healthcare transactions that involve PHI. Covered entities must guard against misuse of the NPI in ways that could facilitate fraud or harm to provider reputations. This is true despite the fact that the information is publicly available, as mentioned in the Medicare Medicaid Research Review study, “Much of the supplied information, including the self-reported specialty taxonomy codes, is available in a searchable public database.”
What is an enumeration and how to apply for it?
Enumeration is the process by which healthcare providers apply for and obtain their National Provider Identifier (NPI). The CMS manages the National Plan and Provider Enumeration System (NPPES), where healthcare providers submit their applications to receive their unique NPI. CMS guidance on Administrative Simplification notes, “Under 45 CFR § 162.410(a), a covered health care provider must obtain an NPI from the National Provider System (now known as the National Plan and Provider Enumeration System (NPPES)), and use its assigned NPI to identify itself on all standard transactions it conducts where its health care provider identifier is required.”
Healthcare providers can apply for NPI enumeration by following these steps:
- Access the NPPES: Providers can visit the NPPES website (https://nppes.cms.hhs.gov/) to begin the application process.
- Choose NPI type: Providers will need to select the appropriate NPI type based on their role, whether they are an individual practitioner (NPI-1) or an organization (NPI-2).
- Complete the application: The application will require providers to provide information about themselves or their organization, such as name, address, contact details, specialty (if applicable), and other relevant data.
- Submit the application: Once all required information is provided, the provider can submit the application through the NPPES portal.
- Await NPI assignment: After the application is processed, the NPPES will assign a unique 10-digit NPI to the healthcare provider or organization. This NPI will remain the same throughout their practice or operation.
See also: Can healthcare providers disclose PHI to family members without patient consent?
Who can access NPI records?
The National Provider Identifier (NPI) records are publicly accessible through the National Plan and Provider Enumeration System (NPPES) NPI Registry. This means that anyone can search for and access NPI information for healthcare providers, including individual practitioners and healthcare organizations.
Note that while NPI records are publicly accessible, the information available through the NPPES NPI Registry is limited to the details required for identification purposes. Protected health information (PHI) and other sensitive data are not included in the publicly accessible NPI records to ensure patient privacy and compliance with HIPAA regulations.
See also: Can patients opt out of text messages containing PHI?
FAQs
What is the purpose of HIPAA Administrative Simplification?
Administrative Simplification aims to reduce the complexity and cost of healthcare administration by standardizing electronic healthcare transactions, establishing national identifiers for providers, health plans and employers, and setting standards for protecting health information.
How does the Privacy Rule affect the use of electronic health information?
It defines PHI and provides standards for how covered entities must protect and disclose health information to protect patient privacy.
How does Administrative Simplification promote interoperability?
By standardizing identifiers, transaction formats, and code sets while enforcing consistent privacy and security standards, these rules facilitate better data exchange and interoperability across healthcare providers, payers, and clearinghouses.
Kirsten Peremore
%20in%20health%20communications%20.jpg)
%20-%202024-11-04T172643.410.jpg)
%20-%202024-12-23T141010.232.jpg)