The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification required adopting a standard for a unique health identifier for healthcare providers.
The NPI Final Rule, published on January 23, 2004, established the NPI unique identification number as this standard.
Covered healthcare providers, health plans, and clearinghouses must use NPIs in administrative and financial transactions.
The Centers for Medicare & Medicaid Services (CMS) developed the National Plan and Provider Enumeration System (NPPES) to assign these unique identifiers.
For more information on how to apply for an NPI, visit https://nppes.cms.hhs.gov/NPPES/Welcome.do.
What Is an NPI?
A National Provider Identifier (NPI) is a 10-digit numeric identifier that does not contain information about you, such as the State where you practice, your provider type, or your specialization.
Your NPI will not change, even if your name, address, taxonomy, or other information changes.
In HIPAA standard transactions, the NPI must be used in place of other provider identifiers, such as a Provider Transaction Access Number (PTAN), Online Survey Certification & Reporting (OSCAR), and National Supplier Clearinghouse (NSC).
Benefits of an NPI
Benefits of an NPI include:
- Simple electronic transmission of HIPAA standard transactions
- Standard unique health identifiers for health care providers,
health care plans, and employers - Efficient coordination of benefit transactions
What an NPI Doesn’t Do
Obtaining an NPI will not:
- Change or replace your current Medicare enrollment or
certification process - Enroll you in a health plan
- Ensure you are licensed or credentialed
- Guarantee payment by a health plan
- Require you to conduct HIPAA transactions
Who May Obtain an NPI?
All healthcare providers (physicians, suppliers, hospitals, and others) may obtain an NPI. Healthcare providers are individuals or organizations that render healthcare as defined in 45 CFR §160.103,
- a provider of services as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u),
- a provider of medical or health services as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s), and
- any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Who Must Obtain an NPI?
All healthcare providers who are HIPAA-covered entities, whether individuals or organizations, must obtain an NPI.
A HIPAA-covered entity is a:
- Healthcare provider that conducts certain transactions in electronic form
- A Healthcare clearinghouse
- A Health plan (including commercial plans, Medicare, and Medicaid)
with a HIPAA standard transaction, even if you use a business associate to do so.
For more information and to access a tool to help you determine whether you are a covered entity, refer to https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity.html.
Do You Need an NPI to Enroll in Medicare?
Yes. If you apply for Medicare enrollment, you must have an NPI and furnish it on your enrollment application. An enrollment application without an NPI will be rejected.
The table below provides examples of typical healthcare providers who are HIPAA-covered entities.
| Individuals | Organizations |
|---|---|
| Physicians | Ambulance Companies |
| Physical Therapists | Clinics |
| Pharmacists | Group Practices |
| Nurses | Health Maintenance Organizations (HMOs) |
| Dentists | Home Health Agencies (HHAs) |
| Chiropractors | Hospitals |
| Laboratories | |
| Nursing Homes | |
| Pharmacies | |
| Residential Treatment Centers | |
| Suppliers of Durable Medical | |
| Equipment (DME) |
Who May Not Obtain an NPI?
Any entity that does not meet the definition of a health care provider as defined in 45 CFR §160.103 may not apply for an NPI. Such entities include billing services, value-added networks, re-pricers, health plans, health care clearinghouses, and non-emergency transportation services.
What Are the Health Care Provider NPI Categories?
For NPI enumeration purposes, there are two categories of healthcare providers: Entity Type 1 (Individual) and Entity Type 2 (Organization).
Entity Type 1: Individual Health Care Providers, Including Sole Proprietors
Individual health care providers may receive NPIs as Entity Type 1. As a sole proprietor, you must apply for the NPI using your Social Security Number (SSN), not an Employer Identification Number (EIN), even if you have an EIN.
As a sole proprietor, you may receive only one NPI, like any other individual. For example, if a physician is a sole proprietor, the physician may receive only one NPI (the individual’s NPI).
The following factors do not affect whether a sole proprietor is an Entity Type 1:
- Number of different office locations
- Whether you have employees
- Whether the Internal Revenue Service (IRS) issued an EIN to you so your employees’ W-2 forms can reflect the
EIN instead of your Taxpayer Identification Number (which is your SSN)
NOTE: A sole proprietor is not an incorporated individual because the sole proprietor did not form a corporation. If you are a sole practitioner or solo practitioner, it does not necessarily mean you are a sole proprietor, and
vice versa.
Entity Type 2: Organization Health Care Providers
Organization health care providers are group health care providers and are eligible for NPIs as Entity Type 2. They may have a single employee or thousands of employees. For example, an incorporated individual may be the only health care provider employed by that organization provider (the corporation that they formed).
Some organizations’ health care providers have components that function independently from their “parent” organization. These components may furnish different types of health care or have separate physical locations where health care is furnished.
These components and their physical locations are not legal entities but part of the organization’s health care provider (which is a legal entity). The NPI Final Rule refers to the components and locations as subparts.
An organization’s health care provider can obtain its subparts’ NPIs. If a subpart conducts any HIPAA standard transactions (that is, separately from its parent), it must obtain its own NPI.
Subpart determination ensures that entities within a covered organization are uniquely identified in HIPAA standard transactions with Medicare and other covered entities.
For example, a hospital offers acute care, laboratory, pharmacy, and rehabilitation services. Each subpart may require its own NPI because each one sends its standard transactions to one or more health plans.
NOTE: Subpart delegation does not affect Entity Type 1 health care providers. As individuals, these healthcare providers cannot designate subparts and cannot be considered subparts.
What If You Are an Individual, Incorporated Health Care Provider?
If you are an individual who is a healthcare provider and who is incorporated,
you may need to obtain an NPI for yourself (Entity Type 1) and an NPI for your corporation or LLC (Entity Type 2).
How to Keep Your NPI Number Private?
If your NPI is stolen, you may be allocated millions of dollars in fraudulent claims or hundreds of phony prescriptions before you or anybody else recognizes what has occurred.
If this happens, you may be the subject of a government investigation to rule you out as a suspect and discover if you are responsible for the fraud.
While the inquiry is underway, the CMS will likely stop paying you. This may severely impact your money, reputation, and, as a result, your career.
However, you can perform a few preventions right now to avoid having your NPI stolen and perhaps also to prevent large-scale healthcare fraud.
Keep an eye on your surroundings. Be careful while disclosing your NPI. If you tell your NPI loudly, be wary of who uses it and for what purpose.