What is an NPI in Healthcare?
An NPI in healthcare is a ten-digit numeric National Provider Identifier issued by the Centers for Medicare and Medicaid Services (CMS) that must be used by HIPAA covered healthcare providers in all Part 162 transactions. In certain circumstances, an NPI in healthcare can also be issued to healthcare providers who are not covered by HIPAA.
Prior to the passage of HIPAA, healthcare providers used a variety of codes to identify themselves in healthcare transactions (eligibility checks, authorization requests, claims and billing, etc.). The codes could be in different formats and of differing lengths depending on the type(s) of healthcare services being provided, industry standards, and/or the requirements of the paying entity.
In 1993, the Health Care Financing Administration (now the CMS) undertook the task of replacing the COBRA-mandated Unique Physician Identification Number (UPIN) with a new identification system for all healthcare providers participating in the Medicare and Medicaid programs. The outcome was an eight-digit alphanumeric identifier that distinguished between individual providers and organizations.
Use of an NPI in Healthcare Mandated in HIPAA
One of the objectives of HIPAA was to simplify the administration of healthcare transactions by standardizing the codes and identifiers used in them. To achieve this objective, Congress instructed HHS to adopt standards “providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system” (42 USC §1320d-2).
The instruction to use an NPI in healthcare applies to all HIPAA covered healthcare providers – not just those who participate in Medicare and Medicaid programs. Initially, HHS proposed adopting the eight-digit alphanumeric identifier that had been developed a few years earlier. However, due to the volume of comments arguing that alphanumeric identifiers do not simplify healthcare transactions, HHS adopted a ten-digit NPI in 2004.
The standard requiring the use of an NPI in healthcare now appears in Subpart D of 45 CFR Part 162. The standard not only requires healthcare providers to obtain and use an NPI from the National Plan and Provider Enumeration System (NPPES), but also to ensure that any other healthcare provider they contract with also obtains and uses an NPI – even if the contracted healthcare provider does not qualify as a HIPAA covered entity.
Penalties for Violations of the NPI Standard
Covered healthcare providers that fail to use – or incorrectly use – an NPI in healthcare can be fined by CMS in the same way as OCR can fine healthcare providers for failing to comply with the Privacy, Security, and Breach Notification Rules. For this reason, healthcare providers that subcontract healthcare transactions to a business associate are advised to monitor the business associate’s compliance with the NPI standard.
Healthcare providers can also be fined and/or imprisoned for submitting NPI applications that “knowingly and willfully” contain false or fraudulent information. In these cases, the penalties are up to $250,000 and/or five years imprisonment for an individual, and up to $500,000 for an organization. HHS’ Office of Inspector General can also pursue damages of twice the gross gain obtained from a false NPI application.
Because of the risk that an inadvertent error could expose healthcare providers to financial penalties, corrective action plans, and potential exclusion from federal health programs, individuals and organizations who are unsure what an NPI in healthcare is, or who have concerns the NPI is not being used in compliance with HIPAA, should seek advice from an independent compliance professional.

