Sep

7

Welcome and an NPI Update

Welcome to the new Apgar & Associates, LLC blog. There is a considerable amount of activity going on in healthcare today in the areas of privacy, security, development of health information exchange (HIT) technology standards, etc. This is my opportunity to provide updates and my two cents (as well as personal commentary) on what is happening out there and what organizations are likely interested in as initiatives move forward on the national, state and local level.

One of the big deals right now is the scramble to move solely to the national provider identifier (NPI) by the May 2008 deadline, the official end to the CMS contingency period. By May 23, 2007 all providers (individuals and organizations/subparts) were required to obtain NPI numbers. Now it’s a matter of communicating those numbers and transitioning from legacy numbers or legacy numbers combined with the NPI to just NPIs.

Communication is probably one of the most important aspects of meeting that infamous May 2008 deadline. Also of importance is knowing (especially if you’re a provider) when health plans will be cutting over to just NPI only and will reject claims if the legacy number is also sent. As an example, the Oregon Medicaid agency, the Oregon Department of Human Services, has announced that only NPI numbers will be accepted on or after January 1, 2008. In Oregon as with some other states (and health plans), paper claims submitted will also need to include the provider’s NPI even though this is not necessarily a rule requirement (and yes, health plans can require this).

The long awaited CMS NPI database is now available and the bulk download file will be available sometime next week. A colleague of mine, Martin Jensen with the Health IT Transition Group, conducted an initial analysis of the quality and completeness of the data in the CMS database. He also commented on the functionality. His analysis primarily focused on Type 2 or subpart NPIs but I think organizations will find similar issues with the Type 1 NPIs. You can find Martin’s commentary at: http://blog.hittransition.com/2007/09/bad-data-better.html. It’s worthwhile reading for those attempting to use the CMS NPI database.

Oregon is embarking on its own project to develop an NPI database for Oregon providers that fills in some of the gaps in the CMS data (such as the lack of complete legacy numbers, the addition of needed addresses, the connections between individual providers and organizations they are affiliated with or work for which isn’t complete in the CMS database), the quality issues and the security issues (CMS provides none). The repository will include the needed data, including the individual tax ID or social security number for providers using the social security number as their tax ID. The repository will also be secure and available only to health plans, providers and their business associates.

Another benefit of the Oregon repository is it will provide a method for providers to authenticate other providers before sending them patient information. It provides identifiers, license number, a static address to preventing provider impersonation (allowing the provider to only send the patient information to a set address rather than one provided over the phone), the type of practice, etc. – all of those elements needed to authenticate the provider is who he/she says he/she is and that the provider really has a reason to access the patient’s information.

This doesn’t mandate the provider exchange the data. It does, though, provide a method of authenticating the requestor which doesn’t exist today and has lead to a number of trust issues (not to mention the HIPAA Security Rule requirement to authenticate individuals or entities before allowing them access to PHI. The security and the strength of the authentication will be enhanced in the future through use of digital certificates, etc. No go-live date has been set yet but, when available, it represents a significant ROI for the providers and health plans (as was strongly noted by a senior representative from Oregon Health Sciences University (OHSU)). More to come on this subject…

My parting words about NPI – be aware the data available from CMS has flaws and is not complete. If you elect to use the data, just be aware of the issues and take them into account when loading the data into your systems. Also, communication is one of those musts. Providers need to know when health plans (public and private) will begin to require transactions only include the NPI and all need to be sharing information, testing and following a well articulated contingency plan. The lack of a plan and time line can null and void a covered entity’s ability to take advantage of the CMS set contingency period. Good luck to all as we attempt to move to a one identifier system for all HIPAA covered transactions!

Chris Apgar, CISSP President