An update on the standard unique health identifier for health care providers.

One of the key Administrative Simplification components of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the requirement on the Secretary of Health and Human Services (HHS) to adopt a standard unique national identifier for health care providers. On January 23, 2004, HHS published the Final Rule that formally establishes the National Provider Identifier (the NPI) as the new standard unique health identifier for health care providers.

The primary purpose of the NPI is to uniquely identify health care providers and their subparts when conducting specific administrative transactions electronically. The new NPI will replace all other identifiers assigned to health care providers by health plans, government programs, and health care purchasers for purposes of conducting these business transactions.

NPI Characteristics

As established by the new regulations, the NPI is a numeric 10-digit identifier consisting of nine numbers plus a check-digit in the 10th position. The NPI is an intelligence-free numeric identifier. This means that the numbers do not carry other information about health care providers, such as the state in which they live or their medical specialty. The check-digit is used to avoid any potential conflicts of the NPI with other identification numbers used in the health care industry (patients, health plans, employers, etc). The NPI is accommodated in all standard transactions, and contains no coded or embedded intelligence or information about the health care provider that it identifies. The assigned NPI does not expire; and at the current rate of health care provider growth, it can continue to be assigned for 200 years.



To find additional information on NPI compliance, and related issues, go to


All health care providers, as defined in 45 CFR 160.103, are eligible for NPIs. Health care providers who transmit any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard are covered entities (45 CFR 160.103) and are required to obtain and use NPIs. Examples of health care providers include:

  • Physicians and other practitioners;
  • Hospitals, nursing homes, and other institutional providers;
  • Suppliers of durable medical equipment;
  • Pharmacies (including online pharmacies) and pharmacists; and
  • Group practices.

Health care providers who are not considered covered entities may also apply and be assigned an NPI. However, entities that do not provide health care (eg, transportation services) are not eligible to be assigned NPIs because they do not meet the definition of “health care provider” and are not subject to HIPAA regulations. Specifically exempt are billing services, value-added networks, and repricers.

Who Must Comply with
HIPAA Standards?
Who Must Get an NPI?
  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct standard transactions
  • All health care providers who conduct any of the HIPAA standard transactions
    • Individuals
    • Organizations
    • Subparts of health care providers if the subparts conduct any HIPAA standard transactions for themselves

NOTE: The size of the health care provider does NOT matter.

© Murer Consultants

In certain situations, it is possible for “subparts” of health care provider organizations (such as hospitals) to be assigned NPIs. These subparts may need to be assigned NPIs in order to conduct standard transactions on their own behalf or to meet Federal regulatory requirements related to their participation in health plans such as Medicare. The Final Rule requires covered health care providers to determine if they have subparts that may need NPIs and, if so, to obtain NPIs for the subparts or require the subparts to obtain their own NPIs. The subpart concept does not pertain to health care providers who are individuals.


The NPI final rule is clear: May 23, 2007, was the final deadline for covered entities, other than small plans, to comply with HIPAA’s NPI provisions. Small health plans will have until May 23, 2008, to comply. Implementation of the NPI Rule requires all covered entities to use the new NPI only to identify health care providers in all the HIPAA standard transactions, where applicable.

Legacy identification numbers (eg, UPIN, Blue Cross and Blue Shield Numbers, CHAMPUS Number, Medicaid Number, etc) will not be permitted. Health care providers will no longer have to keep track of multiple numbers to identify themselves in standard transactions with one or more health plans. However, the Taxpayer Identifying Number may need to be reported for tax purposes as required by the implementation specifications.

As of May 23, 2007, any covered entity that is noncompliant, and has not implemented a contingency plan, is at risk for an enforcement action. The Secretary of Health and Human Services has delegated to the Administrator of the Centers for Medicare & Medicaid Services (CMS) authority to enforce the electronic transactions, code set, security, and identifier provisions of HIPAA.

CMS will focus on obtaining voluntary compliance and use a compliant-driven approach for enforcement. When CMS receives a compliant about a covered entity that appears to allege a failure to comply with the NPI mandate, it will notify the entity in writing that a complaint has been filed. Following notification from CMS, the entity will have the opportunity to (1) demonstrate compliance, (2) document its good-faith efforts to comply with the standards, and/or (3) submit a corrective action plan.

In order to be in compliance with the NPI final rule, providers, clearinghouses, and health plans must utilize the NPI. In other words:

Providers must have and use their NPI;

Clearinghouses must accept and use NPIs; and

Health plans must accept and send NPIs in claims transactions.

Provider NPI Duties

  • Providers must be aware of contingency plans for any health plans they bill. Contingency plans may differ by health plan.
  • Providers must be aware that health plans may eliminate their contingency plans (and require an NPI on claims or other HIPAA transactions) any time before May 23, 2008.
  • Providers must work with vendors and clearinghouses with whom they contact, to make sure the NPI is being passed on to health plans.
  • Providers must play close attention to how and when health plans will be testing implementation of the NPI.
  • Providers must be aware that, for those health plans that did not establish a contingency plan, providers are required to use their NPIs now. This means that if you are not using your NPI, your claim may be rejected or denied.
  • Providers must share their NPIs with other providers with whom they do business and with health plans that request them.
  • Providers must stay closely aligned with fiscal intermediaries in order to assure there are no glitches within the technical processing of claims.

© Murer Consultants

Furthermore, NPI compliance poses great challenges, specifically for health care providers. It is essential for health care providers to work closely with other health care organizations to coordinate compliance with all HIPAA requirements, specifically with the new NPI mandates.

One of the most important practical aspects of NPI compliance is the need for providers to share NPIs upon receipt. Once providers have received their NPIs, they should share them with other providers with whom they do business, and with health plans that request them. In fact, as outlined in the current regulation, providers who are covered entities under HIPAA must share their NPIs with any entities that request them for use in standard transactions, including those who need to identify ordering or referring physicians/providers. Providers should also consider letting health plans, or institutions for whom they work (eg, a large hospital system), share their NPIs for them.

Sharing NPIs is essential to ensure proper billing transactions. All bills will require the NPIs of both primary and secondary providers. Providers are categorized as either “primary” or “secondary” providers:

Primary providers include billing, pay-to, rendering, or performing providers.

Secondary providers include supervising physicians, operating physicians, referring providers, and so on.

Accordingly, CMS strongly encourages providers to share their NPI with other health care providers to whom they refer patients; pharmacies that fill their health plans in which they are enrolled and to whom they submit prescriptions; claims; and organizations where they have staff privileges.


With the new compliance requirements related to HIPAA and the NPI, it is crucial for all health care providers and organizations to remain vigilant and ensure that the NPI process is working effectively and efficiently. Oftentimes, technology does not keep up with regulatory mandates and changes, and policy may move ahead of the practical dimension. Therefore, it is critical for all health care providers to take an active role in the issues related to the new NPI mandate in order to ensure that there are no HIPAA violations and also to guarantee that all electronic billing transactions are effectuated in a timely fashion.

Cherilyn G. Murer, JD, CRA, is CEO and founder of the Murer Group, a legal-based health care management consulting firm in Joliet, Ill, specializing in strategic analysis and business development. Murer may be reached at (815) 727-3355 or viewed on her Web site at