National Plan and Provider Enumeration System

The National Plan and Provider Enumeration System (NPPES) and Identity & Access (I&A) have Multifactor Authentication (MFA) for user registration and user login now to protect our providers' Personal Identifiable Information (PII) data and make our systems more secure.

The NPPES team added additional Micro Services to further break down our code. 

NPPES updated the password change notifications, the notifications are now sent to Primary Email on record.

NPPES Removed electronic health record (EHR)/Health Information Technology for Economic and Clinical Health (HITECH) from our supported applications within I&A. 

NPPES: The system contains a unique identifier for each health care provider (the NPI, which is assigned by the NPPES) along with other information about the provider including: Provider Name, Sex, Social Security Number (SSN), Tax Identification Number (TIN), Individual Taxpayer Identification Number (ITIN), Date of Birth (DOB), Place of Birth, Address and Phone numbers, professional and commercial data. Additionally, demographics like race and ethnicity may be stored as optional fields.

Identity & Access (I&A): The system contains account information along with other information about the external user. The users of the NPI system include Providers, Enumerators, Centers for Medicare & Medicaid Services (CMS) Staff, and the healthcare Industry. Information includes name, DOB, SSN, phone number, employer information, and relationships to provider organization(s) and individual provider(s) in NPPES. The I&A system is a module within the NPPES security boundary. Users are required to get an I&A account to access the NPPES system. The NPPES system also obtains updated Provider/User information from CMS' Provider Enrollment Chain and Ownership System (PECOS). They share an application program interface (API) with PECOS that is within the CMS boundary. PECOS has 'Write' privileges to provide updated information through the API and this information later gets stored in the NPPES database.

NPPES also stores internal user log in credentials and passwords for authentication purposes. The log in credentials comprise the User ID and Password and the users are System Administrators (CMS employees and direct contractors).

The Centers for Medicare and Medicaid Services (CMS) has developed the NPPES that provides unique National Provider Identifiers (NPIs) for health care providers and health plans. NPIs are expected to be used across the health care industry and government health care programs; Computer systems that serve providers, health care plans, Medicare and Medicaid are the target users of these NPIs. NPPES has a Public Search page that can use non-PII information as search criteria to stream- line their search. 

The users of the NPI system include Providers, Enumerators, CMS Staff, and the healthcare Industry. 

NPPES permanently stores PII and non-PII to identify individual and organizational Providers. NPPES enumerates providers by assigning them an NPI. The NPPES system collects and stores the following Provider information: Provider Name, Sex, SSN, TIN, Individual Taxpayer Identification Number (ITIN), DOB, Place of Birth, Address and Phone numbers, professional and commercial data. Users can update their PII after proper authentication and validation to access their accounts in the NPPES system.

NPI information can be retrieved by searching using NPI, Tracking id, SSN, TIN, and Employer Identification Number (EIN).

• Social Security Number
• Name
• E-Mail Address
• Phone Numbers
• Taxpayer ID
• Date of Birth
• Mailing Address
• Passport Number
• Other - User/System Admin credentials- User ID and password; TIN; ITIN; race; ethnicity; sex; NPI

• Employees
• Public Citizens
• Other - Public citizens who are health care providers

The purpose is to collect the information needed to uniquely identify an individual health care provider, to assign an NPI to that health care provider, to maintain and update the information about the health care provider, and to disseminate health care provider information in accordance with the provisions of the Privacy Act.

The primary purpose for the collection of the user/system administrator credentials is for authentication of the system users to prevent unauthorized access of the system.

To assist in accurately identifying providers and avoid duplication of providers/records.

Routine uses of records maintained in the system include supporting another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate potential fraud or abuse in a program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs.

Reference:  Notice Privacy Act of 1974; Report of a Modified or Altered System of Records 

Under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law (Pub. L.) 104-191, NPPES was established and published in the Federal Register (FR) at 63 FR 40297 (July 28, 1998). Authority for maintenance of this system is given under §§ 1173 and 1175 of the Act; as amended by Public Law 104-191, authorize the assignment of a unique identifier to all health care providers and the maintenance of a data base containing the information they furnished in their application for an NPI.  

Authority for maintenance of this system is given under §§ 1173 and 1175 of the Act; as amended by Public Law 104-191, authorize the assignment of a unique identifier to all health care providers and the maintenance of a data base on containing the information they furnished in their application for an NPI.

E.O. 9397

Database checks required by CMS Rule 6028 FC and 42 CFR §424.518, including screening against SSN, the NPI, the National Practitioner Data Bank (NPDB) licensure, an Office of the Inspector General (OIG) exclusion; taxpayer identification number; tax delinquency; and the death of individual practitioner, owner, authorized official, delegated official, or supervising physician. The Direct Contractor shall also check individuals for felony convictions. To complete these checks, CMS will provide access to the NPPES, NPDB, and Medicare Exclusion Database (MED).

Authority for maintenance of this system is given under §§ 1173 and 1175 of the Act; as amended by Public Law 104 -191, authorize the assignment of a unique identifier to all health care providers and the maintenance of a data base on containing the information they furnished in their application for an NPI.

Authority for maintenance of this system is given under §§ 1173 and 1175 of the Act; as amended by Public Law 104 -191, authorize the assignment of a unique identifier to all health care providers and the maintenance of a data base on containing the information they furnished in their application for an NPI.

• National Plan and Provider Enumeration System

• Online
• Hard Copy Mail/Fax

• Within the OPDIV
• Other Federal Entities

• Members of the Public

• OMB approval number: 0938-0931
  • Expiration Date: 03/31/2028

• Within HHS: Within HHS we share Provider Information to PECOS to automatically update Provider data.  
• Other Federal Agency/Agencies: Information is disclosed to Department of Justice, Office of Inspector General to conduct ongoing investigation, and to the Federal Bureau of Investigation (FBI) (only on request) to conduct any ongoing investigations.
• State or Local Agency/Agencies: Information is disclosed to state agencies to allow for identifying enumerated providers to validate information and conduct ongoing investigations.

For approved disclosures, PII tracking elements are in place and follow the process defined in the DUA. PII is available for public search on the NPPES NPI Registry site. Examples of disclosed PII are name, phone number, and address. DUAs track the PII that is disclosed, when it is disclosed, who it is disclosed to, and for what purpose.

NPPES NPI Registry

This process accounts for the date, nature, and purpose of each disclosure and the name and address of the recipient.

The Privacy Act statement listed on the website provides notifications to individuals of the provisions for individuals to provide consent for a data collection. The submission of the data is mandatory for an individual provider to participate in the Medicare program.

If an individual wants to inquire if their PII is included in this CMS information system, they should write the system manager listed on this document, who will require the system name, provider name, and, for verification purposes, DOB, and medical school (if applicable), to ascertain whether the individual’s record is in the system.

During invalid log in attempts the user receives a message that the user ID or password is incorrect. This message is indicative of the fact that the system stores user/administrative log in and passwords for authentication purposes.

NPPES:  Information collected via the NPPES web site (internet) or paper application.  Notification of NPI given via e-mail (if application was via web) or paper letter if application was via paper.  Information is provided on the paper form and on the web screens regarding the Certification Statement and the Privacy Act Statement. 

I&A: Information is collected via the I&A web site (internet). Notification is given via e-mail.  Access to I&A is provided through systems that contain Certification Statements and the Privacy Act Statement (such as PECOS and EHR IP).

Since the system also stores user Log in credentials and passwords, there is no opt-out for this information collection.

The information disclosed on the NPI Registry and in the downloadable files are Freedom of Information Act (FOIA)-disclosable and are required to be disclosed under the FOIA and the eFOIA amendments to the FOIA. There is no way to ‘opt out’ or ‘suppress’ the NPPES record data for health care providers with active NPIs.

Reference: 
Data Dissemination

PII is required for assigning an NPI. Consent is not required from individuals whose PII is already in the system when major changes occur to the system and /or the purpose and disclosure of data changes from its original purpose and disclosure. The reason for not asking for user consent is because the data is already within the security boundaries of CMS and all system changes are approved by the Business owner. System Notifications will be posted of any major enhancements to the system.

The same holds true for user/system administrator credentials and passwords that are stored by the system for authentication purposes.

Individuals should contact the CMS IT Service Desk at 410-786-2580 to submit an incident request if they believe their PII has been inappropriately obtained, used, or disclosed. This is in accordance with the CMS Breach Notification Procedures.

The system also stores user log in credentials and passwords for authentication purposes. If users forget their credentials or password, they can contact the IT help desk to resolve their issue.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

If it is believed that a HIPAA-covered entity or its business associate violated an individual's (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, the individual may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.

Anyone can file a health information privacy or security complaint. The complaint must:

Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal. Name the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause".

Furthermore, the individual can contact the system manager named in this document to dispute any inaccuracy of the PII in the system, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification.

Providers are asked to verify/certify that the data they entered in the NPPES system is accurate before submission. Users can view their records and can edit some fields or request other fields to be updated as appropriate. PII fields can be updated when required through the individual user accounts that are created in the NPPES system. Access to these accounts is provided after proper authentication of the user. PII is stored in the individual accounts which also include user log in credentials and passwords for authentication purposes.

In addition, when Providers update their information in the Provider, Enrollment, Chain and Ownership System (PECOS), the PECOS system can update the NPPES system with the new information through an API system that resides within the security boundaries of CMS. This process helps in the storage of accurate and updated data 

• Users: Users need access to the PII in the system to verify the accuracy of their information. If they need to update the data, they can do so with the interventions of CMS and verification. User credentials and passwords that are stored in the system can be changed by contacting the CMS IT Help Desk or via NPPES web application.
• Administrators: Administrators need access to PII for Data correction, maintenance, problem resolution.  Administrators monitor the changes in the user credentials and passwords, as they are stored by the system.
• Developers: Developers need to access PII for Problem resolution and testing purposes.
• Contractors: Direct contractors need access to PII for Data entry and validation. Validation of the user/admin credentials is also done as the system also stores user Log in credentials and passwords for authentication/Validation purposes.
• Others - Law enforcement: CMS approved recipients for fraud detection

The following controls limit a user’s access to the type, amount, or categories of PII necessary to perform their job functions.

• AC-5 Separation of duties: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion.
• AC-6 Least privilege: Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions.
• AC-6(5): The organization restricts privileged accounts on the information system to defined personnel or roles (defined in the applicable security plan). The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions.
• AC-6(10) Prohibit Non-Privileged Users from Executing Privileged Functions. Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.

System records are housed in both active and archival files in accordance with CMS data and document management policies and standards including GRS 3.2. National Archives and Records Administration (NARA), General Records Schedule (GRS) 3.2 states that CMS will destroy/delete when 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later.

The records in the NPPES system are retained indefinitely.

NPPES secures PII by implementing a multi-tiered architecture using multiple types and layers of firewall and intrusion detection technology.  

• Administrative controls: Access to the data is granted on a 'need to know' basis. External audits are used to verify/validate all implemented controls. CMS Standards are followed for software and hardware, as well as data protection and maintenance.
• Technical controls: user identification, passwords, security tokens, firewalls, virtual private networks, and intrusion detection systems.
• Physical controls: guards, identification badges, key cards, cipher locks and closed-circuit televisions.

NPPES and I&A have Multifactor Authentication for registration and login to protect our providers' data.