14 Dec 2018

The National Provider Identifier (NPI) is an under-appreciated marvel of the modern healthcare system. The federal government issues identification numbers to healthcare providers and healthcare organizations to uniquely identify them in billing claims. It sounds simple, but the NPI number has saved hundreds of millions of dollars since CMS began issuing them in 2006. The NPI number’s benefits extend beyond medical billing, giving journalists, pharma marketers, and researchers a universal language for understanding the practitioners behind 17 percent of the country’s GDP. Despite its importance, little has been written about the NPI number’s 15-year journey from idea to implementation.

I learned about the NPI number after I became involved with HCP advertising a few years ago. I was surprised by the existence of a free and open database containing such detailed information about individuals. After all, there’s no free nationwide database of attorneys, engineers, teachers, or other licensed professionals. Even in healthcare, access to similar HCP databases in other countries (like Germany’s Lebenslange Arztnummer) is often restricted. As I delved into the history of this database, I found a story about the delicate balance between politicians, the administrative state, and the private sector. Writing this article took me on a whirlwind tour of obscure regulatory filings, research databases, and the Library of Congress.

What’s an NPI?

For those who don’t know, the National Provider Identifier (NPI) is a ten-digit number given to healthcare providers and healthcare organizations. The Centers for Medicare and Medicaid Services (CMS) administer the system. Any healthcare provider (HCP) who bills Medicare or most other health systems must have an NPI number. The NPI application process requires filling out a form on the CMS website and waiting for approval. While some data elements like Social Security Numbers are hidden, the vast majority of NPI data are available to the general public through a search portal, an API, and a downloadable copy of the entire database. The database of NPI numbers is formally known as the National Plan & Provider Enumeration System (NPPES), but in this article, I call it the NPI database to keep things consistent.

The beginning

The healthcare industry knew it had a problem. It was the early 1990s, and healthcare was being left behind as computerization revolutionized other industries. The first computerized airline reservation system was introduced back in 1946. In 1975, the federal government reported that 27 percent of its recordkeeping systems were at least partially computerized; by 1985, that number had risen to 60 percent. And yet, health systems still relied on paper records. Even worse, the parts of their businesses that were computerized had trouble exchanging data with other companies’ systems. A lack of compatibility prevented further computerization in healthcare. At the provider level, HCPs had to manage paper billing and payments with a range of different health systems and other partners, including Medicare, Medicaid, the Department of Defense, Department of Veterans Affairs, state programs, private insurance companies, pharmacies, and others. Each of these organizations had its own system for identifying program participants, which led to confusion, administrative headaches, and waste. In 1990, a mismatch between physician identification numbers played a role in an Ohio computer system leaving what the Columbus Dispatch called “a trail of unpaid bills” to healthcare providers worth around $1 million. The stakes were high. The industry needed a standardized listing of providers and organizations they could all share. For health insurers and other stakeholders to commit the millions of dollars necessary to align their operations with a new system, they needed confidence that the system would be reliable, universally adopted, and supported for a long time.

1991-1993: Progress

By 1991, the industry was ready to act. The Workgroup for Electronic Data Interchange (WEDI) was established in November of that year to identify ways computer technology could be used to reduce administrative costs in the American healthcare system. This wasn’t some toothless blue-ribbon panel. WEDI leadership read like a who’s who of American healthcare, including representatives of the private health insurance industry, government agencies, and trade associations. The American Medical Association, American Dental Association, and AARP held seats on the board, as did other prominent organizations. The group was headed by Bernard R. Tresnowski, President of the Blue Cross and Blue Shield Association, and Joseph T. Brophy, who was nearing the end of his 22 years with Travelers Insurance. This dream team of healthcare innovators used emerging technology to confront serious problems.

WEDI published a sweeping set of proposals in October 1993 that offered what it described as a vision of “a health care industry transacting business electronically, using one set of electronic standards and interconnecting networks.” That goal may sound modest today, but at the time it constituted nothing less than a reshaping of the American healthcare system. WEDI pushed a rapid timeline, calling for the majority of health claims to be submitted electronically by 1996. Among the 379-page report’s suggestions was the creation of a standardized identification system for healthcare providers. The report suggested using Social Security Numbers (SSNs) as the universal identifier for individual providers and Taxpayer Identification Numbers (TINs) for organizations. WEDI called for federal legislation to protect the privacy of these provider records.

The WEDI report indicated that the idea of a uniform set of provider identifiers had the support of the healthcare industry. But under the 1993 vision, what ultimately became the NPI database would have been a heavily protected system that was only available on a need-to-know basis. Under this framework, marketers and researchers would not have broad access. Even claims processors would have been required to prove their need to access the database. To understand WEDI’s motivation, it’s important to note that the organization proposed a truly breathtaking pace of change in its report: the group wanted to see widespread adoption of its technology-enabled solutions within just a few years. Considering the NPI number wouldn’t be implemented for another 17 years, it seems likely that WEDI’s choice of SSNs/TINs was motivated by expediency.

As WEDI was putting the finishing touches on its report, the Centers for Medicare & Medicaid Services (CMS), then known as the Health Care Financing Administration, launched a project to develop a unified system of physician identifiers for public and private health systems. The group took WEDI’s suggestions seriously, but within a few months the federal workgroup decided against using SSNs and TINs. The group evaluated ten existing healthcare identification systems by focusing on four main selection criteria:

  1. “Improve the efficiency and effectiveness of the health care system.”
  2. “Meet the needs of the health data standards user community.”
  3. “Be consistent and uniform with other HIPAA and other private and public sector health data standards in providing for privacy and confidentiality.”
  4. “Incorporate flexibility to adapt more easily to changes.”

The group concluded that no existing system met their requirements. Something new would need to be created.

1994: The missing meeting

The American National Standards Institute (ANSI) had an important role in advising CMS on how to implement the technical details of the NPI system. ANSI’s Healthcare Informatics Standards Planning Panel Task Group on Provider Identifiers convened a meeting in February of 1994 to publish its vision for the NPI. CMS referenced the importance of this group during the rule-making process. Unfortunately, all records from the meeting itself have apparently disappeared. After a thorough search, I contacted ANSI directly and received the following response: “We checked with several ANSI employees for a possible copy of the meeting notes for ‘American National Standards Institute (ANSI), Healthcare Informatics Standards Planning Panel, Task Group on Provider Identifiers in February 1994,’ but we were unable to locate any.” I even visited the Library of Congress and spoke with a reference librarian who couldn’t find anything about the task force. She referred me to the Library of Congress’ specialized Science, Technology & Business Division, where reference librarians chased down a few leads but ultimately couldn’t find any notes from the meeting. It seems we’ll never know who attended this meeting or what happened.

1996: HIPAA

Healthcare has always been a contentious topic for Congress. Following a failed effort from the Clinton administration for comprehensive healthcare reform in 1994, Congress faced pressure from voters to pass a more modest set of reforms before the next election. What emerged was the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which passed in the Senate unanimously. President Bill Clinton signed it into law on August 21, 1996. The 71,000-word law covered areas from pre-existing condition coverage to patient privacy. Buried within a set of administration simplification standards was the following mandate: “The Secretary [of Health and Human Services] shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system.”  This single sentence required the creation of the NPI as well as similar databases for employers, health plans, and patients. HIPPA moved the NPI from a good idea to a legal requirement. Most media coverage of the bill’s signing ignored these provisions. That would not be the case for long.

1996-2000: Once bitten

Within months, both mainstream media outlets and civil libertarians were sounding the alarm about the government’s proposed patient identification scheme. On September 22, the Dallas Morning News ran a story titled, “Electronic index planned of all U.S. medical records. Even supporters admit privacy may be a concern.” On December 23, the Tampa Bay Times ran a cover story under the headline “Health care coding system raises concerns.” The NPI was swept up in the rhetorical battle over the patient identifier, even though the two could be implemented separately. The Tampa Bay Times quoted Donald Haines, a lobbyist for the ACLU, who described the NPI and patient identifier collectively as “an essential building block in creating an overall scheme to destroy the privacy of patient records.” The issue remained a political hot potato for years, leaving HHS caught in the middle of a fight it didn’t start. In 1998, conservative activist Phyllis Schlafly called on her readers to refuse to vote for any member of Congress who didn’t “immediately stop all federal plans to track and monitor our health or immunization records.” In July of that year, the Clinton administration backtracked on the patient identifier mandate, and a few months later, Congress included language in an appropriations bill that prohibited the creation of a national patient database (full text). In June 2000, implementation of the patient identifier was included in a draft appropriations bill, causing the commentariat to go into overdrive once again. Conservative columnist David Limbaugh dedicated his nationally syndicated June 12 column to the issue, writing, “So far, our Brave New World medical ID numbers have not been created, but soon will be if something isn’t done.” Something was done, and the proposal was defeated. In a press conference about HIPAA privacy regulations in December 2000, HHS Secretary Donna Shalala was asked if she still supported the patient identifier. She gave a carefully worded response about Congress’ need to act before saying the press conference was over.

Despite efforts to resurrect the idea from HIMSS, the Rand Corporation, and other experts, the statutory prohibition has been included in every appropriations bill since 1998 (literally) and is still in effect today.

1998-2004: A rule is born

Minnesota was one of the earliest supporters of the NPI. In 1996, the state passed legislation supporting the proposed NPI number. The enacting legislation revoked support for WEDI’s SSN/TIN system as the state went all-in for the NPI. Other agencies and organizations showed optimism for the NPI database. In order to implement the HIPAA mandate, CMS would need to issue a proposed rule, solicit comments, and make necessary changes before publishing a final rule. The tedious process of administrative rulemaking can take years.

CMS published its draft rule in 1998, describing what it called a “National Standard Health Care Provider Identifier.” The National Provider Identifier that emerged consisted of an 8-character alphanumeric string. Both individual and organizational healthcare providers would receive an NPI that would serve as providers’ primary means of identification in most transactions.  Large health systems were provided two years to implement the system after the final rule was published and CMS granted smaller systems an extra year. CMS worked with WEDI, ANSI, and other groups to make sure the system met industry needs without unduly burdening providers or companies. The NPI number was described as “intelligence free,” meaning the numbers don’t have meaning without visibility into the full database. This feature allows the same NPI number to follow someone through all stages of her career, even if she transitions from a registered nurse to a medical student to a physician. The specialty attached to that NPI number will change, but the number remains the same. CMS planned to maintain a database of all issued NPIs, and any data changes would be reflected therein. This structure was driven by a rule that required participants to update CMS of any changes within 30 days.

CMS faced pushback on several fronts, only a few of which are described here. Commenters complained about the collection of racial data, arguing that race was entirely unnecessary for identifying physicians. Companies filed “an overwhelming number” of comments arguing implementation in two years would be impossible because their developer teams were completely dedicated to fixing the Y2k bug. Others protested that an 8-digit alphanumeric code was too complicated and that an all-numeric code system would be easier for humans to type and for computers to process. A small number of responses suggested scrapping the concept of an NPI altogether and instead using SSNs and TINs.

Next came a long wait. In 2002, Modern Physician declared the NPI to be “stalled in rulemaking.” The same year, Health Data Management reported that HHS was “swamped” with the rulemaking process and was only given $44.2 million to finish all outstanding work on HIPAA’s administrative simplification rules, which included the NPI.

At last, CMS published its final rule on January 23, 2004. The agency made reasonable accommodations in response to criticism of the draft rule. As the agency noted in response to Y2k complainers, “Work on the millennium is complete.” Additionally, race was dropped from the database. The most notable development between 1998 and 2004 was the shift away from an eight-character alphanumeric NPI. Bowing to pressure from what CMS called “a strong majority of commenters,” CMS changed the NPI to the ten-digit number we use today. (The last digit of the NPI number is actually a check value to validate that the number is properly formatted.) There are 200 million possible NPI numbers, which CMS estimates will last 200 years. CMS noted that it plans to add additional digits to the end of the NPI once its 200-year run is completed in 2204. (Who says bureaucrats don’t have a sense of humor?) CMS estimated the NPI number would save hundreds of millions of dollars between 2007 and 2011, with even more money being saved thereafter. Robert Tennant of the Medical Group Management Association said the final rule showed that CMS “really listened closely to industry comments on the proposed rule.”

By May 2005, CMS was ready to send a final notice to providers. Large health plans were required to start using NPI numbers by May 23, 2007, and small systems were given until May 23, 2008. With the details settled, the healthcare industry undertook the difficult task of adopting the NPI number. CMS wasn’t immune to its mandate, which required the agency to configure more than 100 of its systems to support the NPI.

2004-2006: Twice shy

The next chapter centered on who would be allowed to access the newly-created NPI database. Was it going to be a need-to-know dataset for industry insiders, or would access be open to everybody in the world? Both camps had strong supporters, and the government was reluctant to offend either group. With HIPAA, Congress mandated the creation of a National Provider Identifier but punted the question of who should be allowed to use it. The text of HIPAA makes the Department of Health and Human Services responsible for coming up with a data access policy. While CMS’ final rule was painstakingly detailed about most aspects of the NPI system, it did not answer this seemingly obvious question. The rule offered only an ambiguous promise that the NPI database “would not be proprietary and would be widely available to the industry.” The agency would have to issue yet another set of guidelines to announce the terms under which the NPI database could be used. CMS did not provide itself with a deadline for issuing this policy. As 2004 rolled into 2005 and then 2006, the industry grew restless in the wake of  unending ambiguity. In a 2006 presentation, WEDI complained that the lack of guidance had “created uncertainty… and delays in industry’s ability to… prepare systems to handle transactions with NPIs.” WEDI called for CMS to publish an access plan no later than June of that year. In 2006, CMS rolled out a marketing campaign to promote the NPI among physicians that used the tagline “Get it, use it, share it” (example flyer). The “Share it” portion of the campaign only added to confusion about how NPI data could be shared. The new year came without any plan.

The agency’s hesitance to publish a dissemination policy may have owed something to the firestorm that surrounded the patient identifier. CMS had spent four years being vilified for its perceived invasion of Americans’ privacy. It would be understandable if CMS wanted to take its time before wading back into the healthcare privacy debate. The White House may have been another source of delay. Some documents from this period refer to a draft rule that was sent from CMS to the administration, but it is unclear how long the proposed policy may have languished under review. Health Data Management Magazine wrote on March 1, 2007, that CMS would not give a reason for the delay, quoting an official as saying “it’s in the clearance process.” Another possibility is that the agency was simply too busy handling its other vital responsibilities and did not prioritize something as esoteric as who, exactly, should be able to look at the NPI database, especially given its financial constraints.

2007: Battle lines

On January 24, 2007, the National Committee on Vital and Health Statistics (NCVHS) hosted a tense hearing for NPI stakeholders. NCVHS is part of HHS and provides guidance to the Secretary based on stakeholder input on a variety of topics. At the meeting, advocates for free access squared off against those pushing to keep the NPI database private. The meeting was led by Harry Reynolds of Blue Cross Blue Shield. The North Carolinian admonished both groups to keep their statements short, saying “This thing could stack up like the Atlanta airport on a Friday afternoon if we are not real careful.”

Karen Raines, representing the Federation of American Hospitals, expressed the hospital industry’s frustration with CMS’ delay and called for data sharing at least within the healthcare industry: “Given that we are now into 2007, industry access to the data in the NPPES [NPI] system is one of the most critical aspects needed to successfully achieve NPI compliance.” She said that some private companies were basing their implementation strategies on the assumption that NPI data would be freely available to companies and providers working in healthcare.

Larrie Dawkins of the Medical Group Management Association (MGMA) called for open access. “The NPI was intended to simply identify a unique provider. It now seems it’s going to be used as a secret number.” Dawkins also complained about CMS’ delay in providing guidance about data dissemination.

Mari Johnson of the AMA had a different opinion. She expressed concerns about the potential for identity theft if any internet user could access personal information about America’s healthcare providers. Simply put, the AMA’s position was “we do not support widespread access to the public at large.” Her concerns were valid. The NPI application process required HCPs to provide their Social Security Numbers, which obviously could not be openly shared. Other information, like date of birth and mailing address, could also be considered sensitive.

Another unanswered question was the proper price to charge for the data. If the database were to be made public, Johnson argued, it should follow the example of the DEA Number and charge an access fee. The DEA maintains a database of physicians who are authorized to write prescriptions. The DEA has a menu of prices for access to its database that resembles a SASS startup, with costs ranging from $525 for 5,000 queries to $59,775 for unlimited access to the entire database. CMS was openly considering charging for access, noting in its final rule, “We are reviewing the issue of charging fees, and intend to consider charging fees to the extent our authority permits.” In 2005, Kimberly Brandt, a CMS official, called the idea to charge for access “a good one.”

Several other people spoke at the hearing, and NCVHS suggested that CMS delay the final deadline for implementing the NPI mandate.

On May 30, 2007, CMS published the long-awaited data access policy in the Federal Register. The agency came down on the side of open access. The only fields that would not be visible to the public would be Social Security Number and date of birth. Everything else in the database would be free to download. Twenty-one years after Congress deferred judgement on the question of NPI data access in HIPAA, CMS found a way to shift responsibility back to the legislature. CMS said it was required to make the information available due to the Freedom of Information Act, which Congress passed in 1966. CMS referred to “an extreme urgency” to make NPI data available to the healthcare industry to facilitate the full implementation of the NPI.

2008: Go-live

On April 2, 2007, CMS bowed to requests from NCVHS and others to delay the NPI mandate by 12 months. That meant May 23, 2008 would be the new implementation deadline. The delay in the data dissemination policy was cited by health systems as one of the justifications for delay. MGMA said the extension “was due in part to CMS’ failure to publish their data-dissemination policy in a timely manner.”

During the dissemination dilemma, healthcare providers and health systems were applying for and receiving their NPI numbers. An examination of media reports throughout 2006 shows a steady uptick in the number of issued NPI numbers. Even so, problems were encountered at the provider level. One physician wrote to Family Practice to complain about the NPI registration process: “The NPI Web site, application process, and customer support are mediocre at best. The site is a disappointing kludge; the navigation is awkward, the terminology ambiguous, and it is susceptible [to] crashing.”

According to Modern Healthcare, the NPI’s launch date saw a sharp but temporary uptick in rejected claims, mostly in Medicare and Medicaid. Given the scale of the NPI mandate and how badly things could have gone, that’s not a bad outcome. Associations, employers, and the government worked hard to make sure that people who needed an NPI number were made aware of the requirement.

2008-present: Success

Huge volumes of medical claims are processed using NPI numbers every day. Existing physicians have signed up for their NPI numbers, and students in med school and other training programs are encouraged to sign up when entering the workforce. The NPI number has achieved its purpose.

CMS has kept pace with changing technology. Healthcare providers can now apply for an NPI number online. Anyone can browse the NPI database on the CMS website, download the whole thing, or access data elements using the API.

In terms of size, the NPI database compares favorably to other physician databases. Writing in the Journal of Oncology Practice, Kirkwood et al. compared the NPI database to other physician databases. While the study focused solely on oncologists, the results say good things about the quality and reach of NPI data.

Beyond patient care

NPI numbers are used in ways the original 1993 task force members couldn’t have predicted.

In addition to the core NPI database, CMS regularly releases data to the public that is individually identifiable at the physician level using NPI numbers. For example, patients and researchers can see aggregated claims information from Medicare showing what drugs a given doctor prescribes and what procedures she performs. The Physician Compare dataset provides quality scores at the NPI-level. An interesting exception to the rule is the Open Payments database. Open Payments is a listing of all marketing-related payments made by industry to physicians. Open Payments was mandated by the Affordable Care Act, which explicitly forbids CMS from providing NPI numbers in the dataset (though ProPublica was able to reassign NPIs to Open Payments).

Researchers and journalists at the Washington Post, ProPublica, and elsewhere use the data to examine important issues related to the American healthcare system. Google Scholar lists more than 2,000 papers using the phrase “National Provider Identifier.” Numerous SEO-minded webmasters make data from the NPI database available on their own ad-supported sites. Check out these Google results for examples.

Healthcare marketing

CMS did not reference targeted advertising in any of its documents surrounding the creation of the NPI number, but it didn’t take long for healthcare marketers to make the most of the new database. In 2010, Liu et al. filed a patent to use NPI numbers as a component of building target lists for drug makers. They were not the last such patent application. Today, it is commonplace for healthcare advertisers to generate lists of NPI numbers, which enables publishers to define and target a specific audience of healthcare providers. BulletinHealthcare regularly runs ad campaigns that are targeted by NPI. There are even programmatic ad exchanges like LayerRx (a BulletinHealthcare partner) that conduct live auctions for digital ads using nothing more than a website visitor’s NPI number, determining a winner and delivering an ad in a fraction of a second.

The road to 2204

The NPI number is proof that public-private cooperation can bring about positive, lasting results. CMS worked tirelessly for years to implement NPI and the rest of the HIPAA mandates, and industry partners like WEDI were instrumental in shaping the final product. The NPI database has made the US healthcare system more efficient, given researchers an added tool, and made HCP-focused marketing more effective and measurable to traceable outcomes. Despite the uncertainty along the way, the NPI number is set to leave a lasting mark on the healthcare landscape. 2204, here we come.